Fix EZP-20289 Symfony CSRF protection not integrated with legacy

doc/bc/5.1/changes-5.1.txt

@@ -12,6 +12,16 @@ Change of behavior
   only if at least one selection is made, otherwise FALSE. In previous releases
   this method always returned TRUE
 
+- Fixed EZP-20289: Symfony CSRF protection not integrated with legacy
+
+  Changed ezFormToken to do csrf protection in same way as Symfony meaning
+  there is now a new setting that must be set pr project to accomplish good
+  security, set site.ini\[HTMLForms]\Secret on pure legacy/4.x setup.
+
+  If your running eZ Publish 5.x, the already existing yml parameter %secret%
+  will be automatically injected to eZFormToke for you, assuming
+  config.yml framework.csrf_protection is set to true (enabled).
+
 
 Removed features
 ----------------

extension/ezformtoken/event/ezxformtoken.php

@@ -27,6 +27,79 @@ class ezxFormToken
 
     const REPLACE_KEY = '@$ezxFormToken@';
 
+    /**
+     * @var string|null
+     */
+    static protected $secret;
+
+    /**
+     * @var string
+     */
+    static protected $intention = 'legacy';
+
+    /**
+     * @var string
+     */
+    static protected $formField = self::FORM_FIELD;
+
+    /**
+     * @var string
+     */
+    static protected $token;
+
+    /**
+     * @return string
+     */
+    static protected function getSecret()
+    {
+        if ( self::$secret === null )
+        {
+            self::$secret = eZINI::instance( 'site.ini' )->variable( 'HTMLForms', 'Secret' );
+        }
+
+        return self::$secret;
+    }
+
+    /**
+     * @param string $secret
+     */
+    static public function setSecret( $secret )
+    {
+        self::$secret = $secret;
+    }
+
+    /**
+     * @return string
+     */
+    static protected function getIntention()
+    {
+        return self::$intention;
+    }
+
+    /**
+     * @param string $intention
+     */
+    static public function setIntention( $intention )
+    {
+        self::$intention = $intention;
+    }
+
+    /**
+     * @return string
+     */
+    static protected function getFormField()
+    {
+        return self::$formField;
+    }
+
+    /**
+     * @param string $formField
+     */
+    static public function setFormField( $formField )
+    {
+        self::$formField = $formField;
+    }
+
     /**
      * request/input event listener
      * Checks if form token is valid if user is logged in.
@@ -55,9 +128,9 @@ static public function input( eZURI $uri )
             return null;
         }*/
 
-        if ( !empty( $_POST[self::FORM_FIELD] ) )
+        if ( !empty( $_POST[self::getFormField()] ) )
         {
-            $token = $_POST[self::FORM_FIELD];
+            $token = $_POST[self::getFormField()];
         }
         // allow ajax calls using POST with other formats than forms (such as
         // json or xml) to still validate using a custom http header
@@ -107,7 +180,7 @@ static public function output( $templateResult )
         }
 
         $token = self::getToken();
-        $field = self::FORM_FIELD;
+        $field = self::getFormField();
         $replaceKey = self::REPLACE_KEY;
 
         eZDebugSetting::writeDebug( 'ezformtoken', 'Output protected (all forms will be modified)', __METHOD__ );
@@ -149,7 +222,7 @@ static public function output( $templateResult )
     static public function reset()
     {
         eZDebugSetting::writeDebug( 'ezformtoken', 'Reset form token', __METHOD__ );
-        eZSession::unsetkey( self::SESSION_KEY, false );
+        self::$token = null;
     }
 
     /**
@@ -160,12 +233,12 @@ static public function reset()
      */
     static public function getToken()
     {
-        if ( eZSession::issetkey( self::SESSION_KEY ) )
-            return eZSession::get( self::SESSION_KEY );
+        if ( self::$token === null )
+        {
+            self::$token = sha1( self::getSecret() . self::getIntention() . session_id() );
+        }
 
-        $token = md5( uniqid( self::SESSION_KEY, true ) );
-        eZSession::set( self::SESSION_KEY, $token );
-        return $token;
+        return self::$token;
     }
 
     /**

settings/site.ini

@@ -313,6 +313,11 @@ QuickSettingsList[]=TemplateSettings;ShowXHTMLCode;site.ini;Inline template debu
 QuickSettingsList[]=TemplateSettings;ShowUsedTemplates;site.ini;List of used templates
 QuickSettingsList[]=DatabaseSettings;SQLOutput;site.ini;SQL debug output
 
+[HTMLForms]
+## Settings dealing with HTML forms and security aspects of it.
+# Setting to specify a secret for the csrf protection, it
+# is highly recommended that you specify this pr project.
+Secret=ThisTokenIsNotSoSecretChangeIt
 
 [URLTranslator]
 # Controls whether the url translation is enabled or not.