Request::enableHttpMethodParameterOverride()

static enableHttpMethodParameterOverride()

Enables support for the _method request parameter to determine the intended HTTP method.

Be warned that enabling this feature might lead to CSRF issues in your code. Check that you are using CSRF tokens when required. If the HTTP method parameter override is enabled, an html-form with method "POST" can be altered and used to send a "PUT" or "DELETE" request via the _method request parameter. If these methods are not protected against CSRF, this presents a possible vulnerability.

The HTTP method can only be overridden when the real HTTP method is POST.

Links:

http://api.symfony.com/master/Symfony/Component/HttpFoundation/Request.html#method_enableHttpMethodParameterOverride

doc_Symfony

2016-10-28 06:29:19

Comments