src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php: 125 changes (66 additions, 59 deletions)
src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php: 12 changes (12 additions, 0 deletions)
Enable CSRF in FORM by default
Showing 5 changed files with 108 additions and 59 deletions.
...mfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/form_default_csrf.php: 11 changes (11 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| <?php | ||
|
|
||
| $container->loadFromExtension('framework', [ | ||
| 'form' => [ | ||
| 'legacy_error_messages' => false, | ||
| ], | ||
| 'session' => [ | ||
| 'storage_factory_id' => 'session.storage.factory.native', | ||
| 'handler_id' => null, | ||
| ], | ||
| ]); |
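Review bot: the fixture exercises the new default only by omission: it sets `legacy_error_messages` and a session storage factory but never mentions `csrf_protection` under `form`, so the test it feeds can only show that CSRF ends up enabled, not where the default stops. A companion fixture with `'csrf_protection' => false` (or with no `session` block at all) would let the assertion in FrameworkExtensionTest.php distinguish "enabled by default when a session is configured" from "always enabled", which is the regression this change is most likely to suffer later.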
...mfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/form_default_csrf.xml: 13 changes (13 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| <?xml version="1.0" ?> | ||
|
|
||
| <container xmlns="http://symfony.com/schema/dic/services" | ||
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
| xmlns:framework="http://symfony.com/schema/dic/symfony" | ||
| xsi:schemaLocation="http://symfony.com/schema/dic/services https://symfony.com/schema/dic/services/services-1.0.xsd | ||
| http://symfony.com/schema/dic/symfony https://symfony.com/schema/dic/symfony/symfony-1.0.xsd"> | ||
|
|
||
| <framework:config> | ||
| <framework:form enabled="true" legacy-error-messages="false" /> | ||
| <framework:session storage-factory-id="session.storage.factory.native" handler-id="null"/> | ||
| </framework:config> | ||
| </container> |
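Review bot: this fixture is not a one-to-one mirror of the PHP and YAML variants: it adds `enabled="true"` on `<framework:form>`, which neither of the other two sets, and it writes `handler-id="null"` as an attribute string where the others pass a real null (`'handler_id' => null`, `handler_id: null`). If the three fixtures are meant to prove the default is format-independent, either drop the extra `enabled` attribute or add it to the other two, and confirm in the test that the XML loader normalizes the `"null"` string to null rather than treating it as a handler service id named `null`.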
...mfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/form_default_csrf.yml: 6 changes (6 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| framework: | ||
| form: | ||
| legacy_error_messages: false | ||
| session: | ||
| storage_factory_id: session.storage.factory.native | ||
| handler_id: null |
oops
Symfony 4.3 is not affected, correct @fabpot?
GHSA-vvmr-8829-6whx
Because then the CPE entry (in the "Known Affected Software Configurations" section) "up to 5.3.15" is misleading and confuses multiple scanners, which ultimately leads to false positives.
https://nvd.nist.gov/vuln/detail/CVE-2022-23601#VulnChangeHistorySection
@DanielRuf there are only 3 affected versions (see the GHSA link you gave, which contains the right info)
@stof correct. But then the CPE entries at https://nvd.nist.gov/vuln/detail/CVE-2022-23601 are wrong, which ultimately leads to false positives caused by scanners.
Especially this one here:

Since the CNA is GitHub Inc., who could escalate this to them to fix the CPE entries?
Update: I have sent an email to nvd@nist.gov to let them know that the CPE entries are not correct.
Still wrong CPE entries. GitHub support told me weeks / months ago that they wrote to NIST to fix the CPE entries. Seems there was no progress.