Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in
Toggle navigation
D
drupal
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Locked Files
Custom Issue Tracker
Custom Issue Tracker
Labels
Merge Requests
294
Merge Requests
294
Requirements
Requirements
List
Security & Compliance
Security & Compliance
Dependency List
License Compliance
Analytics
Analytics
Code Review
Insights
Issue
Repository
Value Stream
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Commits
Open sidebar
project
drupal
Commits
a416e9a8
Commit
a416e9a8
authored
Sep 27, 2015
by
catch
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Issue
#2571995
by borisson_, Wim Leers: GET forms shouldn't have CSRF tokens by default
parent
a1826842
Changes
7
Hide whitespace changes
Inline
Side-by-side
Showing
7 changed files
with
81 additions
and
8 deletions
+81
-8
core/lib/Drupal/Core/Form/FormBuilder.php
core/lib/Drupal/Core/Form/FormBuilder.php
+9
-0
core/modules/search/src/Form/SearchBlockForm.php
core/modules/search/src/Form/SearchBlockForm.php
+0
-1
core/modules/system/src/Tests/Form/FormTest.php
core/modules/system/src/Tests/Form/FormTest.php
+12
-0
core/modules/system/tests/modules/form_test/form_test.routing.yml
...ules/system/tests/modules/form_test/form_test.routing.yml
+7
-0
core/modules/system/tests/modules/form_test/src/Form/FormTestGetForm.php
...stem/tests/modules/form_test/src/Form/FormTestGetForm.php
+44
-0
core/modules/views/src/Tests/Plugin/ExposedFormTest.php
core/modules/views/src/Tests/Plugin/ExposedFormTest.php
+0
-1
core/tests/Drupal/Tests/Core/Form/FormBuilderTest.php
core/tests/Drupal/Tests/Core/Form/FormBuilderTest.php
+9
-6
No files found.
core/lib/Drupal/Core/Form/FormBuilder.php
View file @
a416e9a8
...
...
@@ -679,6 +679,15 @@ public function prepareForm($form_id, &$form, FormStateInterface &$form_state) {
$form
[
'#method'
]
=
'get'
;
}
// GET forms should not use a CSRF token.
if
(
isset
(
$form
[
'#method'
])
&&
$form
[
'#method'
]
===
'get'
)
{
// Merges in a default, this means if you've explicitly set #token to the
// the $form_id on a GET form, which we don't recommend, it will work.
$form
+=
[
'#token'
=>
FALSE
,
];
}
// Generate a new #build_id for this form, if none has been set already.
// The form_build_id is used as key to cache a particular build of the form.
// For multi-step forms, this allows the user to go back to an earlier
...
...
core/modules/search/src/Form/SearchBlockForm.php
View file @
a416e9a8
...
...
@@ -89,7 +89,6 @@ public function buildForm(array $form, FormStateInterface $form_state) {
$route
=
'search.view_'
.
$entity_id
;
$form
[
'#action'
]
=
$this
->
url
(
$route
);
$form
[
'#token'
]
=
FALSE
;
$form
[
'#method'
]
=
'get'
;
$form
[
'keys'
]
=
array
(
...
...
core/modules/system/src/Tests/Form/FormTest.php
View file @
a416e9a8
...
...
@@ -294,6 +294,18 @@ public function testInputWithInvalidToken() {
$this
->
assertFieldByName
(
'url'
,
$edit
[
'url'
]);
}
/**
* CSRF tokens for GET forms should not be added by default.
*/
public
function
testGetFormsCsrfToken
()
{
// We need to be logged in to have CSRF tokens.
$account
=
$this
->
createUser
();
$this
->
drupalLogin
(
$account
);
$this
->
drupalGet
(
Url
::
fromRoute
(
'form_test.get_form'
));
$this
->
assertNoRaw
(
'form_token'
);
}
/**
* Tests validation for required textfield element without title.
*
...
...
core/modules/system/tests/modules/form_test/form_test.routing.yml
View file @
a416e9a8
...
...
@@ -473,3 +473,10 @@ form_test.form_storage_page_cache:
_title
:
'
Form
storage
with
page
cache
test'
requirements
:
_access
:
'
TRUE'
form_test.get_form
:
path
:
'
/form-test/get-form'
defaults
:
_form
:
'
\Drupal\form_test\Form\FormTestGetForm'
requirements
:
_access
:
'
TRUE'
core/modules/system/tests/modules/form_test/src/Form/FormTestGetForm.php
0 → 100644
View file @
a416e9a8
<?php
/**
* @file
* Contains \Drupal\form_test\Form\FormTestGetForm.
*/
namespace
Drupal\form_test\Form
;
use
Drupal\Core\Form\FormBase
;
use
Drupal\Core\Form\FormStateInterface
;
/**
* Form to test whether GET forms have a CSRF token.
*/
class
FormTestGetForm
extends
FormBase
{
/**
* {@inheritdoc}
*/
public
function
getFormId
()
{
return
'form_test_get_form'
;
}
/**
* {@inheritdoc}
*/
public
function
buildForm
(
array
$form
,
FormStateInterface
$form_state
)
{
$form
[
'#method'
]
=
'get'
;
$form
[
'submit'
]
=
[
'#type'
=>
'submit'
,
'#value'
=>
'Save'
,
];
return
$form
;
}
/**
* {@inheritdoc}
*/
public
function
submitForm
(
array
&
$form
,
FormStateInterface
$form_state
)
{
drupal_set_message
(
'The form_test_get_form form has been submitted successfully.'
);
}
}
core/modules/views/src/Tests/Plugin/ExposedFormTest.php
View file @
a416e9a8
...
...
@@ -232,7 +232,6 @@ public function testExposedSortAndItemsPerPage() {
'entity_test_view_grants'
,
'theme'
,
'url.query_args'
,
'user.roles:authenticated'
,
'languages:language_content'
];
...
...
core/tests/Drupal/Tests/Core/Form/FormBuilderTest.php
View file @
a416e9a8
...
...
@@ -773,7 +773,7 @@ public function providerTestInvalidToken() {
*
* @dataProvider providerTestFormTokenCacheability
*/
function
testFormTokenCacheability
(
$token
,
$is_authenticated
,
$expected_form_cacheability
,
$expected_token_cacheability
)
{
public
function
testFormTokenCacheability
(
$token
,
$is_authenticated
,
$expected_form_cacheability
,
$expected_token_cacheability
,
$method
)
{
$user
=
$this
->
prophesize
(
AccountProxyInterface
::
class
);
$user
->
isAuthenticated
()
->
willReturn
(
$is_authenticated
);
...
...
@@ -782,6 +782,7 @@ function testFormTokenCacheability($token, $is_authenticated, $expected_form_cac
$form_id
=
'test_form_id'
;
$form
=
$form_id
();
$form
[
'#method'
]
=
$method
;
if
(
isset
(
$token
))
{
$form
[
'#token'
]
=
$token
;
...
...
@@ -797,7 +798,7 @@ function testFormTokenCacheability($token, $is_authenticated, $expected_form_cac
$form_state
=
new
FormState
();
$built_form
=
$this
->
formBuilder
->
buildForm
(
$form_arg
,
$form_state
);
if
(
!
isset
(
$expected_form_cacheability
))
{
if
(
!
isset
(
$expected_form_cacheability
)
||
(
$method
==
'get'
&&
!
is_string
(
$token
))
)
{
$this
->
assertFalse
(
isset
(
$built_form
[
'#cache'
]));
}
else
{
...
...
@@ -820,10 +821,12 @@ function testFormTokenCacheability($token, $is_authenticated, $expected_form_cac
*/
function
providerTestFormTokenCacheability
()
{
return
[
'token:none,authenticated:true'
=>
[
NULL
,
TRUE
,
[
'contexts'
=>
[
'user.roles:authenticated'
]],
[
'max-age'
=>
0
]],
'token:false,authenticated:true'
=>
[
FALSE
,
TRUE
,
NULL
,
NULL
],
'token:none,authenticated:false'
=>
[
NULL
,
FALSE
,
[
'contexts'
=>
[
'user.roles:authenticated'
]],
NULL
],
'token:false,authenticated:false'
=>
[
FALSE
,
FALSE
,
NULL
,
NULL
],
'token:none,authenticated:true'
=>
[
NULL
,
TRUE
,
[
'contexts'
=>
[
'user.roles:authenticated'
]],
[
'max-age'
=>
0
],
'post'
],
'token:none,authenticated:false'
=>
[
NULL
,
FALSE
,
[
'contexts'
=>
[
'user.roles:authenticated'
]],
NULL
,
'post'
],
'token:false,authenticated:false'
=>
[
FALSE
,
FALSE
,
NULL
,
NULL
,
'post'
],
'token:false,authenticated:true'
=>
[
FALSE
,
TRUE
,
NULL
,
NULL
,
'post'
],
'token:none,authenticated:false,method:get'
=>
[
NULL
,
FALSE
,
[
'contexts'
=>
[
'user.roles:authenticated'
]],
NULL
,
'get'
],
'token:test_form_id,authenticated:false,method:get'
=>
[
'test_form_id'
,
TRUE
,
[
'contexts'
=>
[
'user.roles:authenticated'
]],
[
'max-age'
=>
0
],
'get'
],
];
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment