EZP-30161: Handle form token in both custom and also for historical r…

…easons default value (#1431) * EZP-30161: Handle form token in both custom and also for historical reasons default value Since 5.0 FormToken code has been operating in two modes: - Default pure legacy mode using `ezxform_token` as form name - Symfony mode using `_token` as form name Hoewever quite some legacy code hard codes the default name. In 5.x this inconsistancy was solved by setting Symfony to use `field_name: ezxform_token` For Platform + legacy bridge that is no longer a good default, so this changes the logic so that ezxFormToken is cable of handling both at the same time. * Apply suggestions from code review Co-Authored-By: Gunnstein Lye <gunnstein.lye@ez.no>
ezsystems · May 14, 2019 · fd3b34c · fd3b34c
1 parent c6f37e6
commit fd3b34c
Showing 1 changed file with 20 additions and 6 deletions.
diff --git a/extension/ezformtoken/event/ezxformtoken.php b/extension/ezformtoken/event/ezxformtoken.php
@@ -38,7 +38,7 @@ class ezxFormToken
     static protected $intention = 'legacy';
 
     /**
-     * @var string
+     * @var string Custom Form field, by default set to system default form field (self::FORM_FIELD).
      */
     static protected $formField = self::FORM_FIELD;
 
@@ -90,6 +90,8 @@ static public function setIntention( $intention )
     }
 
     /**
+     * Get the custom form field.
+     *
      * @return string
      */
     static protected function getFormField()
@@ -98,6 +100,8 @@ static protected function getFormField()
     }
 
     /**
+     * Set the custom form field.
+     *
      * @param string $formField
      */
     static public function setFormField( $formField )
@@ -137,6 +141,11 @@ static public function input( eZURI $uri )
         {
             $token = $_POST[self::getFormField()];
         }
+        // For historical reasons also check the system default form field
+        else if ( !empty( $_POST[self::FORM_FIELD] ) )
+        {
+            $token = $_POST[self::FORM_FIELD];
+        }
         // allow ajax calls using POST with other formats than forms (such as
         // json or xml) to still validate using a custom http header
         else if ( !empty( $_SERVER['HTTP_X_CSRF_TOKEN'] ) )
@@ -188,19 +197,22 @@ static public function output( $templateResult, $filterForms = true )
         }
 
         $token = self::getToken();
-        $field = self::getFormField();
+        $customfield = self::getFormField();
+        $defaultField = self::FORM_FIELD;
         $replaceKey = self::REPLACE_KEY;
 
         eZDebugSetting::writeDebug( 'ezformtoken', 'Output protected (all forms will be modified)', __METHOD__ );
 
+        // Inject token for programmatical use (also system default for historical reasons)
         // If document has head tag, insert in a html5 valid and semi standard way
         if ( strpos( $templateResult, '<head>' ) !== false )
         {
             $templateResult = str_replace(
                 '<head>',
                 "<head>\n"
-                . "<meta name=\"csrf-param\" content=\"{$field}\" />\n"
-                . "<meta name=\"csrf-token\" id=\"{$field}_js\" title=\"{$token}\" content=\"{$token}\" />\n",
+                . "<meta name=\"csrf-param\" content=\"{$customfield}\" />\n"
+                . "<meta name=\"csrf-token\" id=\"{$customfield}_js\" title=\"{$token}\" content=\"{$token}\" />\n"
+                . ($defaultField !== $customfield ? "<meta name=\"csrf-token-x\" id=\"{$defaultField}_js\" title=\"{$token}\" content=\"{$token}\" />\n" : ''),
                 $templateResult
             );
         }
@@ -209,16 +221,18 @@ static public function output( $templateResult, $filterForms = true )
         {
             $templateResult = preg_replace(
                 '/(<body[^>]*>)/i',
-                '\\1' . "\n<span style='display:none;' id=\"{$field}_js\" title=\"{$token}\"></span>\n",
+                '\\1' . "\n<span style='display:none;' id=\"{$customfield}_js\" title=\"{$token}\"></span>\n"
+                . ($defaultField !== $customfield ? "\n<span style='display:none;' id=\"{$defaultField}_js\" title=\"{$token}\"></span>\n" : ''),
                 $templateResult
             );
         }
 
+        // For forms we set the custom field which will be sent back to this class and evaluated
         if ( $filterForms )
         {
             $templateResult = preg_replace(
                 '/(<form\W[^>]*\bmethod=(\'|"|)POST(\'|"|)\b[^>]*>)/i',
-                '\\1' . "\n<input type=\"hidden\" name=\"{$field}\" value=\"{$token}\" />\n",
+                '\\1' . "\n<input type=\"hidden\" name=\"{$customfield}\" value=\"{$token}\" />\n",
                 $templateResult
             );
         }