[Backport] Added form key validation to Contacts form (#4610)

sreichel · web-flow · commit ddec00628914 · 2025-02-17T10:54:53.000+02:00
* added form_key to templates

* added config option

* added translation

* added validation

* added ddev cypress commands

* added simple cypress test

* updated .gitignore

* added ddev cypress commands

* doc

* removed cypress for now
diff --git a/.cypress.config.js b/.cypress.config.js
@@ -0,0 +1,8 @@
+module.exports = {
+  e2e: {
+    setupNodeEvents(on, config) {
+      // implement node event listeners here
+    },
+    baseUrl: 'https://magento-lts.ddev.site'
+  },
+};
diff --git a/.gitignore b/.gitignore
@@ -97,10 +97,13 @@ phpunit.xml
 
 # DDEV
 .ddev/.sampleData
+.ddev/addon-metadata
 .ddev/config.yaml
 .ddev/config.*.yaml
 .ddev/xhgui
 .ddev/xhprof
-.ddev/docker-compose.xhgui.yaml
-.ddev/docker-compose.xhgui_norouter.yaml
+.ddev/docker-compose.*.yaml
 app/etc/includes/ddev.xhgui.php
+
+# local development
+.localdev
diff --git a/app/code/core/Mage/Contacts/controllers/IndexController.php b/app/code/core/Mage/Contacts/controllers/IndexController.php
@@ -22,6 +22,10 @@
  */
 class Mage_Contacts_IndexController extends Mage_Core_Controller_Front_Action
 {
+    /**
+     * Use CSRF validation flag from contacts config
+     */
+    public const XML_CSRF_USE_FLAG_CONFIG_PATH       = 'contacts/security/enable_form_key';
     public const XML_PATH_ENABLED                    = 'contacts/contacts/enabled';
     public const XML_PATH_EMAIL_SENDER               = 'contacts/email/sender_email_identity';
     public const XML_PATH_EMAIL_RECIPIENT            = 'contacts/email/recipient_email';
@@ -61,6 +65,10 @@ public function postAction()
             /** @var Mage_Core_Model_Translate $translate */
             $translate->setTranslateInline(false);
             try {
+                if (!$this->_validateFormKey()) {
+                    Mage::throwException($this->__('Invalid Form Key. Please submit your request again.'));
+                }
+
                 $postObject = new Varien_Object();
                 $postObject->setData($post);
 
@@ -112,16 +120,26 @@ public function postAction()
 
                 $translate->setTranslateInline(true);
                 Mage::getSingleton('customer/session')->addSuccess($this->__('Your inquiry was submitted and will be responded to as soon as possible. Thank you for contacting us.'));
-            } catch (Mage_Core_Exception $e) {
+            } catch (Mage_Core_Exception $exception) {
                 $translate->setTranslateInline(true);
-                Mage::logException($e);
-                Mage::getSingleton('customer/session')->addError($e->getMessage());
-            } catch (Exception $e) {
-                Mage::logException($e);
+                Mage::logException($exception);
+                Mage::getSingleton('customer/session')->addError($exception->getMessage());
+            } catch (Throwable $throwable) {
+                Mage::logException($throwable);
                 Mage::getSingleton('customer/session')->addError($this->__('Unable to submit your request. Please, try again later'));
             }
         }
 
         $this->_redirect('*/*/');
     }
+
+    /**
+     * Check if form key validation is enabled in contacts config.
+     *
+     * @return bool
+     */
+    protected function _isFormKeyEnabled()
+    {
+        return Mage::getStoreConfigFlag(self::XML_CSRF_USE_FLAG_CONFIG_PATH);
+    }
 }
diff --git a/app/code/core/Mage/Contacts/etc/config.xml b/app/code/core/Mage/Contacts/etc/config.xml
@@ -91,6 +91,9 @@
                 <sender_email_identity>custom2</sender_email_identity>
                 <email_template>contacts_email_email_template</email_template>
             </email>
+            <security>
+                <enable_form_key>0</enable_form_key>
+            </security>
         </contacts>
     </default>
 </config>
diff --git a/app/code/core/Mage/Contacts/etc/system.xml b/app/code/core/Mage/Contacts/etc/system.xml
@@ -107,6 +107,25 @@
                         </email_template>
                     </fields>
                 </auto_reply>
+                <security translate="label">
+                    <label>Security</label>
+                    <sort_order>100</sort_order>
+                    <show_in_default>1</show_in_default>
+                    <show_in_website>1</show_in_website>
+                    <show_in_store>1</show_in_store>
+                    <fields>
+                        <enable_form_key translate="label comment">
+                            <label>Enable Form Key Validation</label>
+                            <frontend_type>select</frontend_type>
+                            <source_model>adminhtml/system_config_source_yesno</source_model>
+                            <sort_order>1</sort_order>
+                            <show_in_default>1</show_in_default>
+                            <show_in_website>1</show_in_website>
+                            <show_in_store>1</show_in_store>
+                            <comment><![CDATA[<strong style="color:red">Important!</strong> Enabling this option means that your custom templates used for contacts form must contain <code>form_key</code> block output. Otherwise contacts form will not work.]]></comment>
+                        </enable_form_key>
+                    </fields>
+                </security>
             </groups>
         </contacts>
     </sections>
diff --git a/app/design/frontend/base/default/template/contacts/form.phtml b/app/design/frontend/base/default/template/contacts/form.phtml
@@ -20,6 +20,7 @@
     <h1><?php echo Mage::helper('contacts')->__('Contact Us') ?></h1>
 </div>
 <form action="<?php echo $this->getFormAction(); ?>" id="contactForm" method="post">
+    <?php echo $this->getBlockHtml('formkey') ?>
     <div class="fieldset">
         <h2 class="legend"><?php echo Mage::helper('contacts')->__('Contact Information') ?></h2>
         <ul class="form-list">
diff --git a/app/design/frontend/rwd/default/template/contacts/form.phtml b/app/design/frontend/rwd/default/template/contacts/form.phtml
@@ -20,6 +20,7 @@
     <h1><?php echo Mage::helper('contacts')->__('Contact Us') ?></h1>
 </div>
 <form action="<?php echo $this->getFormAction(); ?>" id="contactForm" method="post" class="scaffold-form">
+    <?php echo $this->getBlockHtml('formkey') ?>
     <div class="fieldset">
         <h2 class="legend"><?php echo Mage::helper('contacts')->__('Contact Information') ?></h2>
         <p class="required"><?php echo Mage::helper('contacts')->__('* Required Fields') ?></p>
diff --git a/app/locale/en_US/Mage_Contacts.csv b/app/locale/en_US/Mage_Contacts.csv
@@ -1,4 +1,5 @@
 "* Required Fields","* Required Fields"
+"<strong style=""color:red"">Important!</strong> Enabling this option means that your custom templates used for contacts form must contain <code>form_key</code> block output. Otherwise contacts form will not work.","<strong style=""color:red"">Important!</strong> Enabling this option means that your custom templates used for contacts form must contain <code>form_key</code> block output. Otherwise contacts form will not work."
 "Auto Reply","Auto Reply"
 "Warning! Enabling this feature may cause unwanted messages to be sent to people whose email addresses are being used abusively. Please make sure that you have implemented security measures before enabling (e.g. CAPTCHA, HoneySpam).","Warning! Enabling this feature may cause unwanted messages to be sent to people whose email addresses are being used abusively. Please make sure that you have implemented security measures before enabling (e.g. CAPTCHA, HoneySpam)."
 "Comment","Comment"
@@ -14,9 +15,10 @@
 "Email Template","Email Template"
 "Enable Contact Us","Enable Contact Us"
 "Enable Auto Reply","Enable Auto Reply"
+"Invalid Form Key. Please submit your request again.","Invalid Form Key. Please submit your request again."
 "Your inquiry was submitted and will be responded to as soon as possible. Thank you for contacting us.","Your inquiry was submitted and will be responded to as soon as possible. Thank you for contacting us."
 "Name","Name"
 "Send Emails To","Send Emails To"
 "Submit","Submit"
 "Telephone","Telephone"
-"Unable to submit your request. Please, try again later","Unable to submit your request. Please, try again later"
+"Unable to submit your request. Please, try again later","Unable to submit your request. Please try again later."
diff --git a/docs/content/developers/changelog/index.md b/docs/content/developers/changelog/index.md
@@ -110,7 +110,6 @@ UPS shut down their old CGI APIs, so we removed the support for it from the `Mag
 - PHP 8.1 as minimum required version
 - Removed `scriptaculous/dragdrop.js` ([#3215](https://github.com/OpenMage/magento-lts/pull/3215))
 - RWD theme: updated jQuery to 3.7.0 ([#3204](https://github.com/OpenMage/magento-lts/pull/3204))
-- Unified CSRF configuration ([#3147](https://github.com/OpenMage/magento-lts/pull/3147)) and added form key validation to Contacts form ([#3146](https://github.com/OpenMage/magento-lts/pull/3146))
 - Removed double span element from HTML buttons ([#3123](https://github.com/OpenMage/magento-lts/pull/3123))
 - Removed all deprecated `Mysql4_` classes ([#2730](https://github.com/OpenMage/magento-lts/pull/2730)). If there are any old modules/extensions in your installation that use such classes, you must run `shell/rename-mysql4-class-to-resource.php` in the command line in order to convert them. Backup all files before running the script
 - Removed "admin routing compatibility mode" ([#1551](https://github.com/OpenMage/magento-lts/pull/1551))
