Bug #25859

CSRF protection does not work for methods that contain upper case characters

Added by Bastian Waidelich over 10 years ago. Updated over 10 years ago.

Status:
Resolved
Priority:
Must have
Category:
Security
Target version:
-
Start date:
2011-04-08
Due date:
% Done:
100%

Estimated time:
PHP Version:
Has patch:
Complexity:

Description

I'm trying to protect all methods of certain controllers with the following policy rule:

resources:
  methods:
    F3_BccVoting_RestrictedControllers: 'class(F3\BccVoting\Controller\(Circular|Elector|Electorate)Controller)'

For some reason the FLOW3-CSRF-TOKEN is not attached to links pointing to F3\BccVoting\Controller\Elector::deleteAll(). When clicking the link, the "You are not allowed to perform this action." exception is thrown though.

The problem is probably that the policy service does not detect the method in the CsrfProtectionAspect because it is lowercased somewhere.
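To illustrate the suspected cause, here is a constructed PHP sketch (added here, not FLOW3's own code) of a policy lookup that lowercases the method name before matching it against the methods a class-based pointcut resolves to; the `Demo` namespace, the controller and the helper functions are assumptions.

```php
<?php
// Constructed illustration of the reported failure mode; not FLOW3 code.
// A rule like class(...(Circular|Elector|Electorate)Controller) covers every
// action of those controllers, so a link to Elector::deleteAll() needs a token.

namespace Demo;

final class ElectorController {
    public function indexAction(): void {}
    public function deleteAll(): void {}
}

/** Resolves a class pointcut pattern to the public method names of $className. */
function protectedMethods(string $className, string $classPattern): array {
    if (preg_match('/^' . $classPattern . '$/', $className) !== 1) {
        return [];
    }
    $methods = [];
    foreach ((new \ReflectionClass($className))->getMethods(\ReflectionMethod::IS_PUBLIC) as $m) {
        $methods[] = $m->getName();
    }
    return $methods;
}

/** Buggy lookup: the method name is lowercased, but the policy keeps the real case. */
function isProtectedBuggy(string $className, string $method, string $pattern): bool {
    $method = strtolower($method); // "deleteAll" becomes "deleteall" and matches nothing
    return in_array($method, protectedMethods($className, $pattern), true);
}

/** Fixed lookup: compare case-insensitively, since PHP method names are case-insensitive. */
function isProtectedFixed(string $className, string $method, string $pattern): bool {
    foreach (protectedMethods($className, $pattern) as $candidate) {
        if (strcasecmp($candidate, $method) === 0) {
            return true;
        }
    }
    return false;
}

$pattern = 'Demo\\\\(Circular|Elector|Electorate)Controller';
$class   = ElectorController::class;
// Buggy path: deleteAll is reported unprotected, so the aspect attaches no token
// and the later firewall check rejects the request.
var_dump(isProtectedBuggy($class, 'deleteAll', $pattern));
// Fixed path: mixed-case and lowercase action names are both recognised.
var_dump(isProtectedFixed($class, 'deleteAll', $pattern));
var_dump(isProtectedFixed($class, 'indexaction', $pattern));
```

Run with `php` on the command line; the first lookup misses while the fixed lookups succeed.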
