developer.jelix.org is not used any more and exists only for history. Post new tickets on the Github account.

Opened 8 years ago

Closed 8 years ago

#1465 closed bug (fixed)

jForms: issue with refcount and CSRF token

Reported by: michelma
Owned by: laurentj
Priority: normal
Milestone: Jelix 1.2.9
Component: jelix:forms
Version: 1.3.1
Severity: normal
Keywords: jforms
Cc:
Blocked By:
Blocking:
Documentation needed: no
Hosting Provider:
Php version:

Description

jForms::create($selector[, $id])

When creating a form using an $id as a string, we should not get refCount >= 1. Line 63, jForms.class.php:

const DEFAULT_ID = 0;
...
...
// loose comparison reported in this ticket
if ($formId == self::DEFAULT_ID) {
    $dc->refcount = 1;
}

This condition is always true when using a string because of type comparison and conversion in PHP https://bugs.php.net/bug.php?id=54625&edit=1

Don't know if this was intentional for jForms. If not, we should use the "===" operator.
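
The comparison the report describes, as an added example that is not part of the ticket or of Jelix: FormRegistry, its create() method and the sample ids are hypothetical, and only DEFAULT_ID = 0 and the refcount assignment follow the quoted snippet. It goes slightly beyond the ticket by also listing numeric strings, the empty string and null, and it prints the PHP version because the result of == on a non-numeric string changed in PHP 8.

```php
<?php
// Added illustration, not Jelix code. FormRegistry, create() and the sample
// ids are hypothetical; only DEFAULT_ID = 0 and the refcount assignment
// follow the snippet quoted in the ticket.
final class FormRegistry
{
    const DEFAULT_ID = 0;

    // Build a form-data container; $strict selects === instead of ==.
    public static function create($formId, $strict)
    {
        $dc = new stdClass();
        $dc->refcount = 0;
        $isDefault = $strict
            ? $formId === self::DEFAULT_ID
            : $formId == self::DEFAULT_ID;
        if ($isDefault) {
            $dc->refcount = 1;
        }
        return $dc;
    }
}

// Before PHP 8, == converts a non-numeric string to 0 before comparing it
// with an integer; PHP 8 compares such a pair as strings instead, so the
// "loose" column depends on the interpreter version printed below.
printf("PHP %s\n", PHP_VERSION);

// Constructed sample ids: the default, numeric ids, and string ids.
$ids = array(0, 7, '0', '7', 'contact', '', null);

printf("%-10s %-6s %-6s %s\n", 'id', 'loose', 'strict', 'note');
foreach ($ids as $id) {
    $loose  = FormRegistry::create($id, false)->refcount;
    $strict = FormRegistry::create($id, true)->refcount;
    $note   = $loose !== $strict ? 'default id only under ==' : '';
    printf("%-10s %-6d %-6d %s\n", var_export($id, true), $loose, $strict, $note);
}
```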

Change History (4)

comment:1 Changed 8 years ago by foxmask

Hi,

If you could submit a pull request on GitHub of your patch, it will be very useful and welcome :)

Thanks.

comment:2 Changed 8 years ago by laurentj

  • Summary changed from jForms to jForms: issue with refcount and CSRF token

Comment from Michel on the pull request:

In fact refcount is not the problem, it is just a part of it. When creating a form with a string as an id, we always got refCount == 1, and that behavior makes the CSRF token stay unchanged. When using an integer, refCount == 0, then the token changes every time the form is retrieved. But I just discovered that the new token must be generated in jFormsBuilder. I wanted not to generate a new one, to allow the user to have multiple tabs and keep the form working.

comment:3 Changed 8 years ago by laurentj

  • Milestone changed from Jelix 1.3.3 to Jelix 1.2.9
  • Owner set to laurentj
  • Status changed from new to assigned

I fixed the issue with the token generated every time.

https://github.com/jelix/jelix/commit/4ea644db179e94eb7cf677282b4b3f55887d12cf

comment:4 Changed 8 years ago by laurentj

  • Resolution set to fixed
  • Status changed from assigned to closed

Also fixed the difference in behavior between numerical ids and non-numerical ids.

https://github.com/jelix/jelix/commit/eb8df7b9f82e3e21b69e344fc5d7ff84ffd8b7b0
