NotificationsYou must be signed in to change notification settings
Fork9.6k
Star30.3k

[Security] Use the session only if it is started when using`SameOriginCsrfTokenManager`#59146

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Jump to bottom

Merged

fabpot merged 1 commit intosymfony:7.2fromCrovitche-1623:fix_59092

Jan 2, 2025

Merged

[Security] Use the session only if it is started when using`SameOriginCsrfTokenManager`#59146

fabpot merged 1 commit intosymfony:7.2fromCrovitche-1623:fix_59092

Jan 2, 2025

Conversation

Copy link

Crovitche-1623 commentedDec 9, 2024•
edited
Loading

Q	A
Branch?	7.2
Bug fix?	yes
New feature?	no
Deprecations?	no
Issues	Fix#59092
License	MIT

If I understand well, theSameOriginCsrfTokenManager has been created to provide a stateless way of creating CSRF tokens and therefore allow pages with CSRF tokens to be cached.

When usingSymfony\Component\Security\Csrf\SameOriginCsrfTokenManager, I think an additionnal check must be done to ensure that the session is started in addition to verifying that it exists. If not, the CSRF strategy used will be persisted everytime in the session and the stateless check (used with the#[Route] attribute parameter) will therefore never pass.

Crovitche-1623 requested a review fromchalasr as acode owner

December 9, 2024 14:16

carsonbot added Status: Needs Review Bug Routing Security labels

Dec 9, 2024

carsonbot added this to the7.3 milestone

Dec 9, 2024

Copy link

carsonbot commentedDec 9, 2024

Hey!

I see that this is your first PR. That is great! Welcome!

Symfony has acontribution guide which I suggest you to read.

In short:

Always add tests
Keep backward compatibility (seehttps://symfony.com/bc).
Bug fixes must be submitted against the lowest maintained branch where they apply (seehttps://symfony.com/releases)
Features and deprecations must be submitted against the 7.3 branch.

Review the GitHub status checks of your pull request and try to solve the reported issues. If some tests are failing, try to see if they are failing because of this change.

When two Symfony core team members approve this change, it will be merged and you will become an official Symfony contributor!
If this PR is merged in a lower version branch, it will be merged up to all maintained branches within a few days.

I am going to sit back now and wait for the reviews.

Cheers!

Carsonbot

carsonbot changed the title~~[Security][Routing] Use the session only if it is started when usingSameOriginCsrfTokenManager~~[Routing][Security] Use the session only if it is started when usingSameOriginCsrfTokenManager

Dec 9, 2024

Copy link

carsonbot commentedDec 9, 2024

Hey!

Thanks for your PR. You are targeting branch "7.3" but it seems your PR description refers to branch "7.2".
Could you update the PR description or change target branch? This helps core maintainers a lot.

Cheers!

Carsonbot

Crovitche-1623 changed the base branch from7.3 to7.2

December 9, 2024 14:17

Copy link

Author

Crovitche-1623 commentedDec 20, 2024

Maybe you could you take a look@nicolas-grekas ? 🙏

nicolas-grekas modified the milestones:7.3,7.2

Jan 2, 2025

[Security] Use the session only if it is started when using `SameOrig…

1327e38

…inCsrfTokenManager`

nicolas-grekas removed the Routing label

Jan 2, 2025

carsonbot changed the title~~[Routing][Security] Use the session only if it is started when usingSameOriginCsrfTokenManager~~[Security] Use the session only if it is started when usingSameOriginCsrfTokenManager

Jan 2, 2025

nicolas-grekas force-pushed thefix_59092 branch from28ff65d to1327e38Compare

January 2, 2025 17:27