Security Issue: All forms are vulnerable to CSRF #29

deanc · 2014-12-23T21:15:01Z

Right now this is a security issue, as CSRF can occur.

You should consider moving decoupling all forms into an AbstractType and using the SF2 Form component.

One benefit of this is you can re-use forms elsewhere (and so can people who use the library). Also if you bump up the dependency to SF2.6 you can also use bootstrap form theme out the box, so the templates will also be a lot simpler.

deanc · 2014-12-25T19:19:26Z

Another issue that I stumbled upon today which could be solved by doing this, is that the custom profile fields are only available after account creation. In theory if the registration form were its own type, you could inject the $app object into the AbstractType for the registration form in the constructor, and therefore dynamically add some custom fields based on the available custom fields.

deanc changed the title ~~Change all hard-coded forms to use SF2 form component~~ Security Issue: Change all hard-coded forms to use SF2 form component (avoid CSRF) Dec 23, 2014

deanc changed the title ~~Security Issue: Change all hard-coded forms to use SF2 form component (avoid CSRF)~~ Security Issue: All forms are vulnerable to CSRF Dec 23, 2014

deanc mentioned this issue Jan 1, 2015

Fix: fixed security issue where login form is not protected against CSRF attacks #30

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security Issue: All forms are vulnerable to CSRF #29

Security Issue: All forms are vulnerable to CSRF #29

deanc commented Dec 23, 2014

deanc commented Dec 25, 2014

Security Issue: All forms are vulnerable to CSRF #29

Security Issue: All forms are vulnerable to CSRF #29

Comments

deanc commented Dec 23, 2014

deanc commented Dec 25, 2014