Feature #47252

Skip CSRF protection and persistence for "safe" request methods

Added by Robert Lemke over 2 years ago. Updated over 2 years ago.

Status: Resolved
Start date: 2013-04-15
Priority: Must have
Due date:
Assigned To: Robert Lemke
% Done: 100%
Category: MVC
Target version: TYPO3 Flow Base Distribution - 2.0
PHP Version: 5.4
Complexity: medium
Has patch: No

Description

By definition, GET / HEAD requests should be considered "safe", that is, they should only be used for retrieval and not have any state side effects on the server side (http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html).

We should support and enforce this principle by turning off the automatic persistAll() call and skip CSRF protection for GET requests.

In later versions we can further optimize Flow to take advantage of the knowledge that a request is considered to be read-only (possibly speeding up persistence, security etc.).
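The CSRF half of the feature, as an added example that is not part of the issue or of TYPO3 Flow's own code: a guard that skips the token check for the RFC 2616 "safe" methods and a dispatcher whose route table decides which methods may reach an action. The class, function and route names, the `__csrfToken` argument and the status strings are assumptions made for this example. The point a practitioner should take from it is the flip side of the feature: once GET is exempt, an action that changes state but still answers GET runs with no CSRF check at all, so the route table has to keep mutating actions on unsafe methods.

```php
<?php
declare(strict_types=1);

// Illustrative guard; names are assumptions for this example, not Flow's API.
final class CsrfGuard
{
    // RFC 2616 section 9.1.1 calls GET and HEAD "safe": retrieval only, no
    // server-side side effects. The feature skips the CSRF check for them.
    private const SAFE_METHODS = ['GET', 'HEAD'];

    private string $sessionToken;

    public function __construct(string $sessionToken)
    {
        $this->sessionToken = $sessionToken;
    }

    public static function isSafeMethod(string $method): bool
    {
        return in_array(strtoupper($method), self::SAFE_METHODS, true);
    }

    /** Safe methods pass unconditionally; unsafe methods must carry the
     *  session's token, compared in constant time. */
    public function allows(string $method, array $arguments): bool
    {
        if (self::isSafeMethod($method)) {
            return true;
        }
        $token = $arguments['__csrfToken'] ?? '';
        return is_string($token) && hash_equals($this->sessionToken, $token);
    }
}

/**
 * $routes maps action name => HTTP methods that may reach it. Keeping
 * state-changing actions off GET/HEAD is what prevents the exemption
 * from turning into a CSRF hole.
 */
function dispatch(CsrfGuard $guard, array $routes, string $method, string $action, array $arguments): string
{
    $method = strtoupper($method);
    if (!isset($routes[$action]) || !in_array($method, $routes[$action], true)) {
        return "405 $action not allowed via $method";
    }
    if (!$guard->allows($method, $arguments)) {
        return "403 CSRF token missing or invalid for $action";
    }
    return "200 executed $action";
}

// Constructed sample session.
$token = bin2hex(random_bytes(16));
$guard = new CsrfGuard($token);

// Weak routing: deleteAction also answers GET, so a cross-site <img src=...>
// request reaches it and the guard, by design, does not ask for a token.
$weakRoutes = ['showAction' => ['GET', 'HEAD'], 'deleteAction' => ['GET', 'POST']];
echo dispatch($guard, $weakRoutes, 'GET', 'deleteAction', []), PHP_EOL;

// Corrected routing: the mutating action is reachable only via POST, where
// the token is still enforced.
$routes = ['showAction' => ['GET', 'HEAD'], 'deleteAction' => ['POST']];
echo dispatch($guard, $routes, 'GET', 'showAction', []), PHP_EOL;
echo dispatch($guard, $routes, 'GET', 'deleteAction', []), PHP_EOL;
echo dispatch($guard, $routes, 'POST', 'deleteAction', []), PHP_EOL;
echo dispatch($guard, $routes, 'POST', 'deleteAction', ['__csrfToken' => $token]), PHP_EOL;
```

Under the weak route table the forged GET to `deleteAction` is executed; under the corrected table the router rejects the GET, and the POST is rejected until the session token is supplied. Auditing the route table for mutating actions that still accept GET or HEAD is the check to run before upgrading to a release that contains this change.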

Associated revisions

Revision f3d285c3
Added by Robert Lemke over 2 years ago

[!!!][FEATURE] Skip automatic persistence and CSRF protection for "safe" requests

This change set introduces an important behavior for Flow applications:
HTTP request methods which are, by definition, considered to be "safe"
(that is, "read-only") are now treated as such.

In practice it means that GET requests will not trigger a persistAll() call
anymore and CSRF protection for actions is not checked anymore if
the request is a GET request.

Please adjust your applications to cleanly observe this principle since
more optimizations in this direction are planned for later versions of
TYPO3 Flow.

This patch contains the corresponding documentation.

Resolves: #47252
Releases: 2.0, master
Change-Id: I9d667aa451a7510cf12ab13be745fed1f7ca477e

Revision e9d2336c
Added by Robert Lemke over 2 years ago

[!!!][FEATURE] Skip automatic persistence and CSRF protection for "safe" requests

This change set introduces an important behavior for Flow applications:
HTTP request methods which are, by definition, considered to be "safe"
(that is, "read-only") are now treated as such.

In practice it means that GET requests will not trigger a persistAll() call
anymore and CSRF protection for actions is not checked anymore if
the request is a GET request.

Please adjust your applications to cleanly observe this principle since
more optimizations in this direction are planned for later versions of
TYPO3 Flow.

This patch contains the corresponding documentation.

Resolves: #47252
Releases: 2.0, master
Change-Id: I9d667aa451a7510cf12ab13be745fed1f7ca477e

Revision ad0c7178
Added by Alexander Stehlik 9 months ago

[!!!][BUGFIX] Skip automatic persistence for updated entities

When trying to persist changes in a "safe request" (e.g. ``GET``) Flow
throws an exception::

Detected modified or new objects [...] to be persisted which is not
allowed for "safe requests"

including details on how to work around this.

This currently only works if entities have been added or removed.

With this change also updates to entities are tracked correctly so
that automatic persistence is skipped for modified objects for safe
requests.

This is a breaking change when code relied on the incorrect behavior of
automatically persisting changes even for safe requests.
In this case make sure to trigger updates only via unsafe requests (e.g.
``POST`` or ``PUT``).
If that's not an option, the issue can be worked around with a manual
call to ``PersistenceManager::persistAll()``.

Change-Id: I9eb781c54c608c867a45206f64b6baf98c3d07f2
Releases: master, 2.2, 2.1
Fixes: FLOW-84
Related: #47252
Related: #51570

Revision bfffa3c5
Added by Alexander Stehlik 4 months ago

[!!!][BUGFIX] Skip automatic persistence for updated entities

When trying to persist changes in a "safe request" (e.g. ``GET``) Flow
throws an exception::

Detected modified or new objects [...] to be persisted which is not
allowed for "safe requests"

including details on how to work around this.

This currently only works if entities have been added or removed.

With this change also updates to entities are tracked correctly so
that automatic persistence is skipped for modified objects for safe
requests.

This is a breaking change when code relied on the incorrect behavior of
automatically persisting changes even for safe requests.
In this case make sure to trigger updates only via unsafe requests (e.g.
``POST`` or ``PUT``).
If that's not an option, the issue can be worked around with a manual
call to ``PersistenceManager::persistAll()``.

Change-Id: I9eb781c54c608c867a45206f64b6baf98c3d07f2
Releases: master, 2.3, 2.2
Fixes: FLOW-84
Related: #47252
Related: #51570

Revision a0b36f97
Added by Alexander Stehlik 3 months ago

[!!!][BUGFIX] Skip automatic persistence for updated entities

When trying to persist changes in a "safe request" (e.g. ``GET``) Flow
throws an exception::

Detected modified or new objects [...] to be persisted which is not
allowed for "safe requests"

including details on how to work around this.

This currently only works if entities have been added or removed.

With this change also updates to entities are tracked correctly so
that automatic persistence is skipped for modified objects for safe
requests.

This is a breaking change when code relied on the incorrect behavior of
automatically persisting changes even for safe requests.
In this case make sure to trigger updates only via unsafe requests (e.g.
``POST`` or ``PUT``).
If that's not an option, the issue can be worked around with a manual
call to ``PersistenceManager::persistAll()``.

Change-Id: I9eb781c54c608c867a45206f64b6baf98c3d07f2
Releases: master, 2.3, 2.2
Fixes: FLOW-84
Related: #47252
Related: #51570
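The persistence half of the feature, together with the bugfix described in the three "Skip automatic persistence for updated entities" revisions above, as an added example that is not Flow's own implementation: a small unit of work that tracks added, removed and updated objects, and a persistence manager whose end-of-request hook persists for unsafe methods but throws for safe ones when anything is pending. Updated objects are found by comparing the current state with a fingerprint taken at load time, which is the case the original check missed. `Entity`, `UnitOfWork`, `PersistenceManager`, `finishRequest()` and the exception wording are assumptions made for this example; only the behaviour (new, removed and updated objects all count, and an explicit `persistAll()` is the workaround) comes from the commit messages.

```php
<?php
declare(strict_types=1);

// Illustrative entity and unit of work; names are assumptions for this example.
final class Entity
{
    public string $id;
    public string $name;

    public function __construct(string $id, string $name)
    {
        $this->id = $id;
        $this->name = $name;
    }
}

final class UnitOfWork
{
    /** @var array<string, Entity> */
    private array $managed = [];
    /** @var array<string, string> state fingerprint taken at load time */
    private array $snapshots = [];
    /** @var array<string, Entity> */
    private array $added = [];
    /** @var array<string, Entity> */
    private array $removed = [];

    public function load(Entity $e): void
    {
        $this->managed[$e->id] = $e;
        $this->snapshots[$e->id] = sha1(serialize($e));
    }

    public function add(Entity $e): void
    {
        $this->added[$e->id] = $e;
    }

    public function remove(Entity $e): void
    {
        unset($this->managed[$e->id], $this->snapshots[$e->id]);
        $this->removed[$e->id] = $e;
    }

    /** Modified managed objects: current state differs from the fingerprint. */
    public function updated(): array
    {
        $out = [];
        foreach ($this->managed as $id => $e) {
            if (sha1(serialize($e)) !== $this->snapshots[$id]) {
                $out[$id] = $e;
            }
        }
        return $out;
    }

    public function hasChanges(): bool
    {
        return $this->added !== [] || $this->removed !== [] || $this->updated() !== [];
    }

    /** Stands in for writing to storage: counts pending work and resets tracking. */
    public function flush(): int
    {
        $n = count($this->added) + count($this->removed) + count($this->updated());
        foreach ($this->added as $e) {
            $this->load($e);
        }
        foreach ($this->managed as $e) {
            $this->load($e);   // refresh fingerprints of updated objects
        }
        $this->added = $this->removed = [];
        return $n;
    }
}

final class PersistenceManager
{
    private UnitOfWork $uow;

    public function __construct(UnitOfWork $uow)
    {
        $this->uow = $uow;
    }

    public function persistAll(): int
    {
        return $this->uow->flush();
    }

    /** End-of-request hook: persist for unsafe methods, refuse for safe ones. */
    public function finishRequest(string $method): int
    {
        if (!in_array(strtoupper($method), ['GET', 'HEAD'], true)) {
            return $this->persistAll();
        }
        if ($this->uow->hasChanges()) {
            throw new RuntimeException('Detected modified or new objects to be persisted which is not allowed '
                . 'for "safe requests": use an unsafe method (e.g. POST or PUT) or call persistAll() explicitly.');
        }
        return 0;
    }
}

// Constructed sample: one entity loaded from storage, then modified in place.
$uow = new UnitOfWork();
$pm = new PersistenceManager($uow);
$user = new Entity('u1', 'alice');
$uow->load($user);

$user->name = 'alice-renamed';           // an update, not an add or remove
try {
    $pm->finishRequest('GET');           // the update is detected and refused
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
$pm->finishRequest('POST');              // same pending update, persisted
$user->name = 'alice-again';
$pm->persistAll();                       // the explicit workaround inside a GET action
$pm->finishRequest('GET');               // nothing pending, no exception
```

Before the fix, a check that only looked at added and removed objects would have let the renamed entity through on a GET and persisted it silently; after it, the same GET fails loudly, which is the behaviour the "breaking change" note refers to.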

History

#1 Updated by Gerrit Code Review over 2 years ago

  • Status changed from Accepted to Under Review

Patch set 2 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19989

#2 Updated by Gerrit Code Review over 2 years ago

Patch set 3 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19989

#3 Updated by Gerrit Code Review over 2 years ago

Patch set 4 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19989

#4 Updated by Gerrit Code Review over 2 years ago

Patch set 5 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19989

#5 Updated by Gerrit Code Review over 2 years ago

Patch set 6 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19989

#6 Updated by Gerrit Code Review over 2 years ago

Patch set 7 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19989

#7 Updated by Gerrit Code Review over 2 years ago

Patch set 8 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19989

#8 Updated by Gerrit Code Review over 2 years ago

Patch set 1 for branch 2.0 has been pushed to the review server.
It is available at https://review.typo3.org/20010

#9 Updated by Gerrit Code Review over 2 years ago

Patch set 9 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19989

#10 Updated by Gerrit Code Review over 2 years ago

Patch set 2 for branch 2.0 has been pushed to the review server.
It is available at https://review.typo3.org/20010

#11 Updated by Anonymous over 2 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
