bug #62037 Fix generating logout link with stateless csrf (pierredup)

nicolas-grekas · nicolas-grekas · commit c1e91c555b8e · 2025-10-13T11:30:16.000+02:00
This PR was squashed before being merged into the 7.3 branch. Discussion ---------- Fix generating logout link with stateless csrf | Q | A | ------------- | --- | Branch? | 7.3 | Bug fix? | yes | New feature? | no | Deprecations? | no | Issues | N/A | License | MIT When using the `logout_path` (or `logout_url`) twig function with stateless csrf, the generator creates a link with an invalid CSRF token parameter (`/logout?_csrf_token=csrf-token`), which then causes an error during logout (`Invalid CSRF token`), since the LogoutListener reads the token from the query parameter first. Reproducer: ```yaml framework: csrf_protection: stateless_token_ids: ['logout'] ``` ```twig <form method="post" action="{{ logout_path() }}"> <input type="hidden" data-controller="csrf-protection" name="_csrf_token" value="{{ csrf_token('logout') }}"/> <button type="submit">Logout</button> </form> ``` Commits ------- 9e5e32b Fix generating logout link with stateless csrf
diff --git a/src/Symfony/Component/Security/Http/Firewall/LogoutListener.php b/src/Symfony/Component/Security/Http/Firewall/LogoutListener.php
@@ -69,7 +69,7 @@ public function authenticate(RequestEvent $event): void
         $request = $event->getRequest();
 
         if (null !== $this->csrfTokenManager) {
-            $csrfToken = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter']);
+            $csrfToken = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter'], $request->request->all());
 
             if (!\is_string($csrfToken) || false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['csrf_token_id'], $csrfToken))) {
                 throw new LogoutException('Invalid CSRF token.');
diff --git a/src/Symfony/Component/Security/Http/Tests/Firewall/LogoutListenerTest.php b/src/Symfony/Component/Security/Http/Tests/Firewall/LogoutListenerTest.php
@@ -20,6 +20,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Exception\LogoutException;
+use Symfony\Component\Security\Csrf\CsrfToken;
 use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 use Symfony\Component\Security\Http\Event\LogoutEvent;
 use Symfony\Component\Security\Http\Firewall\LogoutListener;
@@ -88,6 +89,49 @@ public function testHandleMatchedPathWithCsrfValidation()
         $this->assertSame($response, $event->getResponse());
     }
 
+    public function testHandleMatchedPathWithCsrfInQueryParamAndBody()
+    {
+        $tokenManager = $this->getTokenManager();
+        $dispatcher = $this->getEventDispatcher();
+
+        [$listener, $tokenStorage, $httpUtils, $options] = $this->getListener($dispatcher, $tokenManager);
+
+        $request = new Request();
+        $request->query->set('_csrf_token', 'token');
+        $request->request->set('_csrf_token', 'token2');
+
+        $httpUtils->expects($this->once())
+            ->method('checkRequestPath')
+            ->with($request, $options['logout_path'])
+            ->willReturn(true);
+
+        $tokenManager->expects($this->once())
+            ->method('isTokenValid')
+            ->with($this->callback(function ($token) {
+                return $token instanceof CsrfToken && 'token2' === $token->getValue();
+            }))
+            ->willReturn(true);
+
+        $response = new Response();
+        $dispatcher->addListener(LogoutEvent::class, function (LogoutEvent $event) use ($response) {
+            $event->setResponse($response);
+        });
+
+        $tokenStorage->expects($this->once())
+            ->method('getToken')
+            ->willReturn($token = $this->getToken());
+
+        $tokenStorage->expects($this->once())
+            ->method('setToken')
+            ->with(null);
+
+        $event = new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MAIN_REQUEST);
+
+        $listener($event);
+
+        $this->assertSame($response, $event->getResponse());
+    }
+
     public function testHandleMatchedPathWithoutCsrfValidation()
     {
         $dispatcher = $this->getEventDispatcher();
