
Commit b5583f3

bug #29884 [Form] CsrfValidationListener marks the token as invalid if it is not a string (umpirsky)
This PR was squashed before being merged into the 3.4 branch (closes #29884). Discussion ---------- [Form] CsrfValidationListener marks the token as invalid if it is not a string | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #29882 | License | MIT Commits ------- deb8e95091 [Form] CsrfValidationListener marks the token as invalid if it is not a string
2 parents af7929c + ca7c7a8 commit b5583f3


2 files changed

+11
-1
lines changed


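--- a/Extension/Csrf/EventListener/CsrfValidationListener.php
+++ b/Extension/Csrf/EventListener/CsrfValidationListener.php
@@ -59,7 +59,7 @@ public function preSubmit(FormEvent $event)
 if ($form->isRoot() && $form->getConfig()->getOption('compound') && !$postRequestSizeExceeded) {
 $data = $event->getData();
 
-if (!isset($data[$this->fieldName]) || !$this->tokenManager->isTokenValid(new CsrfToken($this->tokenId, $data[$this->fieldName]))) {
+if (!isset($data[$this->fieldName]) || !\is_string($data[$this->fieldName]) || !$this->tokenManager->isTokenValid(new CsrfToken($this->tokenId, $data[$this->fieldName]))) {
 $errorMessage = $this->errorMessage;
 
 if (null !== $this->translator) {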
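Review bot: The new condition on line 62 reads `$data[$this->fieldName]` three times and has no comment saying why the type check exists, which makes the guard easy to drop in a later refactor. Submitted form data is client-controlled and a field can arrive as an array (the added test submits `['csrf' => []]`), so the value has to be rejected before it reaches `new CsrfToken(...)`. I would pull the value out first, `$csrfValue = isset($data[$this->fieldName]) ? $data[$this->fieldName] : null;`, then test `if (!\is_string($csrfValue) || !$this->tokenManager->isTokenValid(new CsrfToken($this->tokenId, $csrfValue))) {`, with a comment such as `// Request data is untrusted: a non-string token (e.g. an array) is invalid, never cast.` The body of preSubmit starts and ends outside the hunk.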

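--- a/Tests/Extension/Csrf/EventListener/CsrfValidationListenerTest.php
+++ b/Tests/Extension/Csrf/EventListener/CsrfValidationListenerTest.php
@@ -64,6 +64,16 @@ public function testStringFormData()
 $this->assertSame($data, $event->getData());
 }
 
+public function testArrayCsrfToken()
+{
+$event = new FormEvent($this->form, ['csrf' => []]);
+
+$validation = new CsrfValidationListener('csrf', $this->tokenManager, 'unknown', 'Invalid.');
+$validation->preSubmit($event);
+
+$this->assertNotEmpty($this->form->getErrors());
+}
+
 public function testMaxPostSizeExceeded()
 {
 $serverParams = $this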
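Review bot: testArrayCsrfToken only asserts that some error exists on the form; it does not pin that the non-string value is rejected before it reaches the token manager. Assuming `$this->tokenManager` is a mock (its setup is outside the hunk), adding `$this->tokenManager->expects($this->never())->method('isTokenValid');` before the `preSubmit()` call would lock in that the manager is never consulted for an array value. Checking that the reported error message is `'Invalid.'` would also tie the failure to the CSRF check rather than to any other form error.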
