Actualización

vendor/symfony/form/Extension/Csrf/CsrfExtension.php

@@ -0,0 +1,63 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Form\Extension\Csrf;
+
+use Symfony\Component\Form\AbstractExtension;
+use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
+use Symfony\Component\Translation\TranslatorInterface;
+
+/**
+ * This extension protects forms by using a CSRF token.
+ *
+ * @author Bernhard Schussek <bschussek@gmail.com>
+ */
+class CsrfExtension extends AbstractExtension
+{
+    /**
+     * @var CsrfTokenManagerInterface
+     */
+    private $tokenManager;
+
+    /**
+     * @var TranslatorInterface
+     */
+    private $translator;
+
+    /**
+     * @var null|string
+     */
+    private $translationDomain;
+
+    /**
+     * Constructor.
+     *
+     * @param CsrfTokenManagerInterface $tokenManager      The CSRF token manager
+     * @param TranslatorInterface       $translator        The translator for translating error messages
+     * @param null|string               $translationDomain The translation domain for translating
+     */
+    public function __construct(CsrfTokenManagerInterface $tokenManager, TranslatorInterface $translator = null, $translationDomain = null)
+    {
+        $this->tokenManager = $tokenManager;
+        $this->translator = $translator;
+        $this->translationDomain = $translationDomain;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function loadTypeExtensions()
+    {
+        return array(
+            new Type\FormTypeCsrfExtension($this->tokenManager, true, '_token', $this->translator, $this->translationDomain),
+        );
+    }
+}

vendor/symfony/form/Extension/Csrf/EventListener/CsrfValidationListener.php

@@ -0,0 +1,116 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Form\Extension\Csrf\EventListener;
+
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\Form\FormEvents;
+use Symfony\Component\Form\FormError;
+use Symfony\Component\Form\FormEvent;
+use Symfony\Component\Form\Util\ServerParams;
+use Symfony\Component\Security\Csrf\CsrfToken;
+use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
+use Symfony\Component\Translation\TranslatorInterface;
+
+/**
+ * @author Bernhard Schussek <bschussek@gmail.com>
+ */
+class CsrfValidationListener implements EventSubscriberInterface
+{
+    /**
+     * The name of the CSRF field.
+     *
+     * @var string
+     */
+    private $fieldName;
+
+    /**
+     * The generator for CSRF tokens.
+     *
+     * @var CsrfTokenManagerInterface
+     */
+    private $tokenManager;
+
+    /**
+     * A text mentioning the tokenId of the CSRF token.
+     *
+     * Validation of the token will only succeed if it was generated in the
+     * same session and with the same tokenId.
+     *
+     * @var string
+     */
+    private $tokenId;
+
+    /**
+     * The message displayed in case of an error.
+     *
+     * @var string
+     */
+    private $errorMessage;
+
+    /**
+     * @var TranslatorInterface
+     */
+    private $translator;
+
+    /**
+     * @var null|string
+     */
+    private $translationDomain;
+
+    /**
+     * @var ServerParams
+     */
+    private $serverParams;
+
+    public static function getSubscribedEvents()
+    {
+        return array(
+            FormEvents::PRE_SUBMIT => 'preSubmit',
+        );
+    }
+
+    public function __construct($fieldName, CsrfTokenManagerInterface $tokenManager, $tokenId, $errorMessage, TranslatorInterface $translator = null, $translationDomain = null, ServerParams $serverParams = null)
+    {
+        $this->fieldName = $fieldName;
+        $this->tokenManager = $tokenManager;
+        $this->tokenId = $tokenId;
+        $this->errorMessage = $errorMessage;
+        $this->translator = $translator;
+        $this->translationDomain = $translationDomain;
+        $this->serverParams = $serverParams ?: new ServerParams();
+    }
+
+    public function preSubmit(FormEvent $event)
+    {
+        $form = $event->getForm();
+        $postRequestSizeExceeded = $form->getConfig()->getMethod() === 'POST' && $this->serverParams->hasPostMaxSizeBeenExceeded();
+
+        if ($form->isRoot() && $form->getConfig()->getOption('compound') && !$postRequestSizeExceeded) {
+            $data = $event->getData();
+
+            if (!isset($data[$this->fieldName]) || !$this->tokenManager->isTokenValid(new CsrfToken($this->tokenId, $data[$this->fieldName]))) {
+                $errorMessage = $this->errorMessage;
+
+                if (null !== $this->translator) {
+                    $errorMessage = $this->translator->trans($errorMessage, array(), $this->translationDomain);
+                }
+
+                $form->addError(new FormError($errorMessage));
+            }
+
+            if (is_array($data)) {
+                unset($data[$this->fieldName]);
+                $event->setData($data);
+            }
+        }
+    }
+}

vendor/symfony/form/Extension/Csrf/Type/FormTypeCsrfExtension.php

@@ -0,0 +1,137 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Form\Extension\Csrf\Type;
+
+use Symfony\Component\Form\AbstractTypeExtension;
+use Symfony\Component\Form\Extension\Csrf\EventListener\CsrfValidationListener;
+use Symfony\Component\Form\FormBuilderInterface;
+use Symfony\Component\Form\FormView;
+use Symfony\Component\Form\FormInterface;
+use Symfony\Component\Form\Util\ServerParams;
+use Symfony\Component\OptionsResolver\OptionsResolver;
+use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
+use Symfony\Component\Translation\TranslatorInterface;
+
+/**
+ * @author Bernhard Schussek <bschussek@gmail.com>
+ */
+class FormTypeCsrfExtension extends AbstractTypeExtension
+{
+    /**
+     * @var CsrfTokenManagerInterface
+     */
+    private $defaultTokenManager;
+
+    /**
+     * @var bool
+     */
+    private $defaultEnabled;
+
+    /**
+     * @var string
+     */
+    private $defaultFieldName;
+
+    /**
+     * @var TranslatorInterface
+     */
+    private $translator;
+
+    /**
+     * @var null|string
+     */
+    private $translationDomain;
+
+    /**
+     * @var ServerParams
+     */
+    private $serverParams;
+
+    public function __construct(CsrfTokenManagerInterface $defaultTokenManager, $defaultEnabled = true, $defaultFieldName = '_token', TranslatorInterface $translator = null, $translationDomain = null, ServerParams $serverParams = null)
+    {
+        $this->defaultTokenManager = $defaultTokenManager;
+        $this->defaultEnabled = $defaultEnabled;
+        $this->defaultFieldName = $defaultFieldName;
+        $this->translator = $translator;
+        $this->translationDomain = $translationDomain;
+        $this->serverParams = $serverParams;
+    }
+
+    /**
+     * Adds a CSRF field to the form when the CSRF protection is enabled.
+     *
+     * @param FormBuilderInterface $builder The form builder
+     * @param array                $options The options
+     */
+    public function buildForm(FormBuilderInterface $builder, array $options)
+    {
+        if (!$options['csrf_protection']) {
+            return;
+        }
+
+        $builder
+            ->addEventSubscriber(new CsrfValidationListener(
+                $options['csrf_field_name'],
+                $options['csrf_token_manager'],
+                $options['csrf_token_id'] ?: ($builder->getName() ?: get_class($builder->getType()->getInnerType())),
+                $options['csrf_message'],
+                $this->translator,
+                $this->translationDomain,
+                $this->serverParams
+            ))
+        ;
+    }
+
+    /**
+     * Adds a CSRF field to the root form view.
+     *
+     * @param FormView      $view    The form view
+     * @param FormInterface $form    The form
+     * @param array         $options The options
+     */
+    public function finishView(FormView $view, FormInterface $form, array $options)
+    {
+        if ($options['csrf_protection'] && !$view->parent && $options['compound']) {
+            $factory = $form->getConfig()->getFormFactory();
+            $tokenId = $options['csrf_token_id'] ?: ($form->getName() ?: get_class($form->getConfig()->getType()->getInnerType()));
+            $data = (string) $options['csrf_token_manager']->getToken($tokenId);
+
+            $csrfForm = $factory->createNamed($options['csrf_field_name'], 'Symfony\Component\Form\Extension\Core\Type\HiddenType', $data, array(
+                'mapped' => false,
+            ));
+
+            $view->children[$options['csrf_field_name']] = $csrfForm->createView($view);
+        }
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function configureOptions(OptionsResolver $resolver)
+    {
+        $resolver->setDefaults(array(
+            'csrf_protection' => $this->defaultEnabled,
+            'csrf_field_name' => $this->defaultFieldName,
+            'csrf_message' => 'The CSRF token is invalid. Please try to resubmit the form.',
+            'csrf_token_manager' => $this->defaultTokenManager,
+            'csrf_token_id' => null,
+        ));
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getExtendedType()
+    {
+        return 'Symfony\Component\Form\Extension\Core\Type\FormType';
+    }
+}