CSRF attack detected [message #102996] Fri, 23 July 2010 13:52
ssssss
Messages: 1
Registered: July 2010
Junior Member
"CSRF attack detected" appears when logging in. What could be the problem?

The hidden CSRF field is present.

trace:

# at ()
in SF_SYMFONY_LIB_DIR\validator\sfValidatorSchema.class.php line 110 ...
       107.
       108.     $clean  = array();
       109.     $unused = array_keys($this->fields);
       110.     $errorSchema = new sfValidatorErrorSchema($this);
       111.
       112.     // check that post_max_size has not been reached
       113.     if (isset($_SERVER['CONTENT_LENGTH']) && (int) $_SERVER['CONTENT_LENGTH'] > $this->getBytes(ini_get('post_max_size')))
# at sfValidatorSchema->doClean(array('login' => 'loginname', 'password' => '12345', '_csrf_token' => '6e2cdf6d4a6bc8383c3523c9109640d1'))
in SF_SYMFONY_LIB_DIR\validator\sfValidatorSchema.class.php line 90 ...
        87.    */
        88.   public function clean($values)
        89.   {
        90.     return $this->doClean($values);
        91.   }
        92.
        93.   /**
# at sfValidatorSchema->clean(array('login' => 'loginname', 'password' => '12345', '_csrf_token' => '6e2cdf6d4a6bc8383c3523c9109640d1'))
in SF_SYMFONY_LIB_DIR\form\sfForm.class.php line 248 ...
       245.    */
       246.   protected function doBind(array $values)
       247.   {
       248.     $this->values = $this->validatorSchema->clean($values);
       249.   }
       250.
       251.   /**
# at sfForm->doBind(array('login' => 'loginname', 'password' => '12345', '_csrf_token' => '6e2cdf6d4a6bc8383c3523c9109640d1'))
in SF_SYMFONY_LIB_DIR\form\addon\sfFormSymfony.class.php line 75 ...
        72.
        73.     try
        74.     {
        75.       parent::doBind($values);
        76.     }
        77.     catch (sfValidatorError $error)
        78.     {
# at sfFormSymfony->doBind(array('login' => 'loginname', 'password' => '12345', '_csrf_token' => '6e2cdf6d4a6bc8383c3523c9109640d1'))


cookie:
  symfony: likks4vlsqht8bos05t8brbgl5
env: {  }
files: {  }
get: {  }
post:
  user: { login: loginname, password: '12345', _csrf_token: 193884464b9ec1dbd988508a3ecd0d04 }



renderHiddenFields is called.

Please help.

[Updated on: Fri, 23 July 2010 14:18]

Re: CSRF attack detected [message #103113 is a reply to message #102996 ] Tue, 27 July 2010 01:36
midfielder100
Messages: 15
Registered: June 2006
Location: Santa Monica, CA USA
Junior Member
Clear your cookies. Symfony's CSRF protection is more trouble than it's worth. Unless you're doing banking or something similar, I'd disable it.
Re: CSRF attack detected [message #103186 is a reply to message #103113 ] Wed, 28 July 2010 13:19
kumar.anuj8
Messages: 1
Registered: July 2010
Location: India
Junior Member
To disable this, go to settings.yml and remove the csrf_secret line from it, and you are done.
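
Why a legitimate login can be rejected with this error, and why clearing cookies can change the outcome, as an added example that is not part of the thread or of symfony's source. It assumes the token is an MD5 over the application secret, the PHP session id and the form class name; the function names and all sample values are constructed for illustration.

```php
<?php
// Added example, not symfony code. ASSUMPTION: the form token is
// md5(secret . session id . form class), recomputed and compared on submit.
function csrfToken(string $secret, string $sessionId, string $formClass): string
{
    return md5($secret . $sessionId . $formClass);
}

// Report which token input differs between rendering the form and submitting it.
// $rendered / $submitted: ['secret' => ..., 'session' => ..., 'class' => ...]
function explainMismatch(string $postedToken, array $rendered, array $submitted): string
{
    $expected = csrfToken($submitted['secret'], $submitted['session'], $submitted['class']);
    if (hash_equals($expected, $postedToken)) {
        return 'valid';
    }
    // The posted value is not even the token this form handed out.
    $issued = csrfToken($rendered['secret'], $rendered['session'], $rendered['class']);
    if (!hash_equals($issued, $postedToken)) {
        return 'rejected: posted token was not issued by this form (stale page or altered field)';
    }
    // The token is genuine, so one of its inputs changed before the submit.
    $changed = [];
    foreach (['secret', 'session', 'class'] as $key) {
        if ($rendered[$key] !== $submitted[$key]) {
            $changed[] = $key;
        }
    }
    return 'rejected: ' . implode(', ', $changed) . ' changed since the form was rendered';
}

// Constructed sample values (not taken from the thread).
$render = ['secret' => 'app-secret', 'session' => 'sess-aaa', 'class' => 'LoginForm'];
$token  = csrfToken($render['secret'], $render['session'], $render['class']);

$cases = [
    'same session'       => $render,
    'new session cookie' => ['session' => 'sess-bbb'] + $render,
    'other form class'   => ['class' => 'OtherLoginForm'] + $render, // hypothetical class
];
foreach ($cases as $label => $submit) {
    echo $label, ': ', explainMismatch($token, $render, $submit), PHP_EOL;
}
echo 'stale token: ', explainMismatch(md5('old page'), $render, $render), PHP_EOL;
```

Comparing the session cookie sent with the form page against the one sent with the POST is the quickest way to tell the session case apart from the others.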