Skip to content

CsrfCounterMeasure: Only reject unsafe requests upon validation#396

Merged
nilmerg merged 1 commit into
mainfrom
properly-ignore-safe-methods-in-csrf-counter-measures
Jul 14, 2026
Merged

CsrfCounterMeasure: Only reject unsafe requests upon validation#396
nilmerg merged 1 commit into
mainfrom
properly-ignore-safe-methods-in-csrf-counter-measures

Conversation

@nilmerg

@nilmerg nilmerg commented Jul 13, 2026

Copy link
Copy Markdown
Member

Calling $form->isValid() explicitly right after construction throws an error as the csrf element is validated and has no value. Similarly, assembling a form with such an element should only fail if it is validated.

This does not fix an issue, it will only streamline the behavior. It also ensures expectations of poeple familiar with form request handling (like me) are met.

@nilmerg
nilmerg requested review from Al2Klimov and TheSyscall July 13, 2026 12:43
@cla-bot cla-bot Bot added the cla/signed label Jul 13, 2026
@nilmerg
nilmerg force-pushed the properly-ignore-safe-methods-in-csrf-counter-measures branch from dc04b57 to b1c3fde Compare July 13, 2026 12:46
Al2Klimov
Al2Klimov previously approved these changes Jul 13, 2026
Comment thread src/Common/CsrfCounterMeasure.php
TheSyscall
TheSyscall previously approved these changes Jul 13, 2026
Calling `$form->isValid()` explicitly right after construction
throws an error as the csrf element is validated and has no
value. Similarly, assembling a form with such an element should
only fail if it is validated.

This does not fix an issue, it will only streamline the
behavior. It also ensures expectations of poeple familiar
with form request handling (like me) are met.
@nilmerg
nilmerg force-pushed the properly-ignore-safe-methods-in-csrf-counter-measures branch from d1daf2a to 535b120 Compare July 14, 2026 10:49
@nilmerg
nilmerg merged commit e540ad7 into main Jul 14, 2026
14 checks passed
@nilmerg
nilmerg deleted the properly-ignore-safe-methods-in-csrf-counter-measures branch July 14, 2026 10:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants