Backport f23d811 to 1.3
Use the form action URL in generated form hashes.

By including the URL in the generated hash for secured forms we prevent a class of abuse where a user uses one secured form to post into a controller action the form was not originally intended for. These cross-action requests could potentially violate a developer's mental model of how SecurityComponent works and produce unexpected/undesirable outcomes.

Due to the limitations of 1.3, only the *path* is used as a hash input. This is slightly less hard than the 2.x implementation but should be enough to prevent most forms of misuse.

Thanks to Kurita Takashi for pointing this issue out, and suggesting a fix.
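The following is an added illustration of the idea in the commit message, not CakePHP's SecurityComponent code and not the backported diff: a minimal form-token scheme in which the HMAC covers both the submitted field names and the path the form may be posted to, so a token minted for one action fails verification when replayed against another. The function names (`form_token`, `verify_form_token`), the `SECRET` constant, the `_Token` field name and the sample form are all assumptions made for this example; CakePHP's real hash input and field layout differ.

```php
<?php
// Added example (not CakePHP's implementation): form tokens bound to the
// action path. Names, the secret and the sample form are assumptions.

// Stands in for the application's Security.salt; assumed value.
const SECRET = 'replace-with-a-long-random-salt';

// Mint a token for a form whose fields are $fields and whose action is the
// path $path. Field names are sorted so field order in the HTML does not
// matter; the path is mixed into the HMAC so the token is action-specific.
function form_token(array $fields, string $path): string
{
    sort($fields);
    $payload = $path . "\n" . implode('|', $fields);
    return hash_hmac('sha256', $payload, SECRET);
}

// Verify a submitted form against the path actually being requested.
// The token is recomputed over the submitted field names plus $requestPath,
// so a token issued for a different path never matches.
function verify_form_token(array $submitted, string $requestPath): bool
{
    if (!isset($submitted['_Token']) || !is_string($submitted['_Token'])) {
        return false;
    }
    $fields = array_values(array_diff(array_keys($submitted), ['_Token']));
    $expected = form_token($fields, $requestPath);
    // Constant-time comparison avoids leaking the expected hash byte by byte.
    return hash_equals($expected, $submitted['_Token']);
}

// Constructed scenario: a form rendered for /posts/edit is submitted back
// to /posts/edit (legitimate) and then replayed against /posts/delete.
$fields = ['Post.title', 'Post.body'];
$token = form_token($fields, '/posts/edit');
$form = ['Post.title' => 'Hello', 'Post.body' => 'World', '_Token' => $token];

echo 'POST /posts/edit:   ', verify_form_token($form, '/posts/edit') ? 'accepted' : 'rejected', PHP_EOL;
echo 'POST /posts/delete: ', verify_form_token($form, '/posts/delete') ? 'accepted' : 'rejected', PHP_EOL;

// Without the path in the payload, both requests would carry a valid token,
// which is exactly the cross-action reuse the commit closes off.
```

Run with `php example.php`; the second request is rejected only because the path participates in the hash. As the commit notes for 1.3, binding to the path alone (rather than the full URL) still leaves the query string and host out of the hash, so a deployment that routes on those would need the fuller 2.x-style binding.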
Showing with 41 additions and 8 deletions.