Problem description
I am looking at custom forms in Magento. I saw these tutorials
I did not see any mention of CSRF prevention, like checking a client token against one stored in a user session. I also looked in the Magento Contact Us form and saw this, but I do not think it relates to CSRF:
<input type="text" name="hideit" id="hideit" value="" style="display:none !important;">
Does Magento have any default code for preventing CSRF? Does the $this->getRequest()->getParams() method of Mage_Core_Controller_Front_Action do anything automatically to prevent CSRF that I may be missing?
Recommended answer
It's on the end programmer user to use their own CSRF/nonce protection scheme, unless they're creating a page/form in the backend admin console. The Magento admin console application has this protection for all its pages/urls by default.
Check out _validateSecretKey in app/code/core/Mage/Adminhtml/Controller/Action.php and the getSecretKey method in app/code/core/Mage/Adminhtml/Model/Url.php. This could easily be extended to your own forms on the frontend.
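As an added illustration (not code from the answer or from Magento itself), here is the pattern the answer points at applied to a frontend form: a per-session secret, a token derived from it and bound to the controller/action the form posts to, and a constant-time check on submit. The function names, the `form_key` field name and the session array layout are assumptions of this example.

```php
<?php
// Added example of a synchronizer-token CSRF guard for a custom frontend form.
// Not Magento code: function names, the 'form_key' field and the session
// layout are assumptions of this example. The session is passed in as an
// array so the logic can be exercised outside a web request.

// Create the per-session secret on first use, then reuse it.
function csrfSecret(array &$session): string
{
    if (empty($session['csrf_secret'])) {
        $session['csrf_secret'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_secret'];
}

// Derive a token bound to the target controller/action, in the spirit of the
// admin secret key, so a token issued for one form does not validate another.
function csrfToken(array &$session, string $controller, string $action): string
{
    return hash_hmac('sha256', $controller . '/' . $action, csrfSecret($session));
}

// Validate the submitted token: reject when no secret was ever issued, when
// the field is missing, or when it does not match (constant-time comparison).
function validateCsrfToken(array &$session, array $post, string $controller, string $action): bool
{
    if (empty($session['csrf_secret']) || !isset($post['form_key']) || !is_string($post['form_key'])) {
        return false;
    }
    return hash_equals(csrfToken($session, $controller, $action), $post['form_key']);
}

// Constructed walk-through with an empty session standing in for $_SESSION.
$session = [];
$token   = csrfToken($session, 'contacts', 'post');

// Hidden field to render inside the form (escaped before embedding in HTML).
$hidden = sprintf('<input type="hidden" name="form_key" value="%s">',
    htmlspecialchars($token, ENT_QUOTES, 'UTF-8'));
echo $hidden, PHP_EOL;

// Genuine submission from the same session to the same controller/action.
var_dump(validateCsrfToken($session, ['form_key' => $token], 'contacts', 'post'));
// Same token replayed against a different controller/action: rejected.
var_dump(validateCsrfToken($session, ['form_key' => $token], 'newsletter', 'subscribe'));
// Submission with the field stripped (the cross-site case): rejected.
var_dump(validateCsrfToken($session, [], 'contacts', 'post'));
```

In a real controller the secret lives in the customer session and validateCsrfToken runs before any state-changing work in the POST action.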