Feature #47252

Skip CSRF protection and persistence for "safe" request methods

Added by Robert Lemke over 6 years ago. Updated over 6 years ago.

Status:
Resolved
Priority:
Must have
Assignee:
Category:
MVC
Start date:
2013-04-15
Due date:
% Done:

100%

PHP Version:
5.4
Has patch:
No
Complexity:
medium

Description

By definition, GET / HEAD requests should be considered "safe", that is, they should only be used for retrieval and not have any state side effects on the server side (http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html).

We should support and enforce this principle by turning off the automatic persistAll() call and skip CSRF protection for GET requests.

In later versions we can further optimize Flow to take advantage of the knowledge that a request is considered to be read-only (possibly speeding up persistence, security etc.).

Associated revisions

Revision f3d285c3 (diff)
Added by Robert Lemke over 6 years ago

[!!!][FEATURE] Skip automatic persistence and CSRF protection for "safe" requests

This change set introduces an important behavior for Flow applications:
HTTP request methods which are, by definition, considered to be "safe"
(that is, "read-only") are now treated as such.

In practice it means that GET requests will not trigger a persistAll() call
anymore and CSRF protection for actions is not checked anymore if
the request is a GET request.

Please adjust your applications to cleanly observe this principle since
more optimizations in this direction are planned for later versions of
TYPO3 Flow.

This patch contains the corresponding documentation.

Resolves: #47252
Releases: 2.0, master
Change-Id: I9d667aa451a7510cf12ab13be745fed1f7ca477e

Revision e9d2336c (diff)
Added by Robert Lemke over 6 years ago

[!!!][FEATURE] Skip automatic persistence and CSRF protection for "safe" requests

This change set introduces an important behavior for Flow applications:
HTTP request methods which are, by definition, considered to be "safe"
(that is, "read-only") are now treated as such.

In practice it means that GET requests will not trigger a persistAll() call
anymore and CSRF protection for actions is not checked anymore if
the request is a GET request.

Please adjust your applications to cleanly observe this principle since
more optimizations in this direction are planned for later versions of
TYPO3 Flow.

This patch contains the corresponding documentation.

Resolves: #47252
Releases: 2.0, master
Change-Id: I9d667aa451a7510cf12ab13be745fed1f7ca477e

Revision ad0c7178 (diff)
Added by Alexander Stehlik almost 5 years ago

[!!!][BUGFIX] Skip automatic persistence for updated entities

When trying to persist changes in a "safe request" (e.g. ``GET``) Flow
throws an exception::

Detected modified or new objects [...] to be persisted which is not
allowed for "safe requests"

including details on how to work around this.

This currently only works if entities have been added or removed.

With this change also updates to entities are tracked correctly so
that automatic persistence is skipped for modified objects for safe
requests.

This is a breaking change when code relied on the incorrect behavior of
automatically persisting changes even for safe requests.
In this case make sure to trigger updates only via unsafe requests (e.g.
``POST`` or ``PUT``).
If that's not an option, the issue can be worked around with a manual
call to ``PersistenceManager::persistAll()``.

Change-Id: I9eb781c54c608c867a45206f64b6baf98c3d07f2
Releases: master, 2.2, 2.1
Fixes: FLOW-84
Related: #47252
Related: #51570

Revision bfffa3c5 (diff)
Added by Alexander Stehlik over 4 years ago

[!!!][BUGFIX] Skip automatic persistence for updated entities

When trying to persist changes in a "safe request" (e.g. ``GET``) Flow
throws an exception::

Detected modified or new objects [...] to be persisted which is not
allowed for "safe requests"

including details on how to work around this.

This currently only works if entities have been added or removed.

With this change also updates to entities are tracked correctly so
that automatic persistence is skipped for modified objects for safe
requests.

This is a breaking change when code relied on the incorrect behavior of
automatically persisting changes even for safe requests.
In this case make sure to trigger updates only via unsafe requests (e.g.
``POST`` or ``PUT``).
If that's not an option, the issue can be worked around with a manual
call to ``PersistenceManager::persistAll()``.

Change-Id: I9eb781c54c608c867a45206f64b6baf98c3d07f2
Releases: master, 2.3, 2.2
Fixes: FLOW-84
Related: #47252
Related: #51570

Revision a0b36f97 (diff)
Added by Alexander Stehlik over 4 years ago

[!!!][BUGFIX] Skip automatic persistence for updated entities

When trying to persist changes in a "safe request" (e.g. ``GET``) Flow
throws an exception::

Detected modified or new objects [...] to be persisted which is not
allowed for "safe requests"

including details on how to work around this.

This currently only works if entities have been added or removed.

With this change also updates to entities are tracked correctly so
that automatic persistence is skipped for modified objects for safe
requests.

This is a breaking change when code relied on the incorrect behavior of
automatically persisting changes even for safe requests.
In this case make sure to trigger updates only via unsafe requests (e.g.
``POST`` or ``PUT``).
If that's not an option, the issue can be worked around with a manual
call to ``PersistenceManager::persistAll()``.

Change-Id: I9eb781c54c608c867a45206f64b6baf98c3d07f2
Releases: master, 2.3, 2.2
Fixes: FLOW-84
Related: #47252
Related: #51570

History

#1 Updated by Gerrit Code Review over 6 years ago

  • Status changed from Accepted to Under Review

Patch set 2 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19989

#2 Updated by Gerrit Code Review over 6 years ago

Patch set 3 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19989

#3 Updated by Gerrit Code Review over 6 years ago

Patch set 4 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19989

#4 Updated by Gerrit Code Review over 6 years ago

Patch set 5 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19989

#5 Updated by Gerrit Code Review over 6 years ago

Patch set 6 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19989

#6 Updated by Gerrit Code Review over 6 years ago

Patch set 7 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19989

#7 Updated by Gerrit Code Review over 6 years ago

Patch set 8 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19989

#8 Updated by Gerrit Code Review over 6 years ago

Patch set 1 for branch 2.0 has been pushed to the review server.
It is available at https://review.typo3.org/20010

#9 Updated by Gerrit Code Review over 6 years ago

Patch set 9 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19989

#10 Updated by Gerrit Code Review over 6 years ago

Patch set 2 for branch 2.0 has been pushed to the review server.
It is available at https://review.typo3.org/20010

#11 Updated by Anonymous over 6 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

Also available in: Atom PDF