[BC] Unified CSRF configuration

README.md

@@ -272,7 +272,6 @@ If you see SQL errors after upgrading please remember to check for this specific
 - `catalog/product_image/progressive_threshold`
 - `catalog/search/search_separator`
 - `dev/log/max_level`
-- `newsletter/security/enable_form_key`
 - `sitemap/category/lastmod`
 - `sitemap/page/lastmod`
 - `sitemap/product/lastmod`

app/code/core/Mage/Adminhtml/Block/Checkout/Formkey.php

@@ -29,7 +29,7 @@ class Mage_Adminhtml_Block_Checkout_Formkey extends Mage_Adminhtml_Block_Templat
      */
     public function canShow()
     {
-        return !Mage::getStoreConfigFlag('admin/security/validate_formkey_checkout');
+        return !Mage::helper('core')->isFormKeyEnabled();
     }
 
     /**

app/code/core/Mage/Checkout/controllers/MultishippingController.php

@@ -227,7 +227,7 @@ public function addressesPostAction()
             return;
         }
 
-        if ($this->isFormkeyValidationOnCheckoutEnabled() && !$this->_validateFormKey()) {
+        if (!$this->_validateFormKey()) {
             $this->_redirect('*/*/addresses');
             return;
         }
@@ -348,7 +348,7 @@ public function backToShippingAction()
      */
     public function shippingPostAction()
     {
-        if ($this->isFormkeyValidationOnCheckoutEnabled() && !$this->_validateFormKey()) {
+        if (!$this->_validateFormKey()) {
             $this->_redirect('*/*/shipping');
             return;
         }
@@ -461,7 +461,7 @@ public function overviewAction()
             return $this;
         }
 
-        if ($this->isFormkeyValidationOnCheckoutEnabled() && !$this->_validateFormKey()) {
+        if (!$this->_validateFormKey()) {
             $this->_redirect('*/*/billing');
             return;
         }

app/code/core/Mage/Checkout/controllers/OnepageController.php

@@ -354,7 +354,7 @@ public function saveBillingAction()
             return;
         }
 
-        if ($this->isFormkeyValidationOnCheckoutEnabled() && !$this->_validateFormKey()) {
+        if (!$this->_validateFormKey()) {
             return;
         }
 
@@ -401,7 +401,7 @@ public function saveShippingAction()
             return;
         }
 
-        if ($this->isFormkeyValidationOnCheckoutEnabled() && !$this->_validateFormKey()) {
+        if (!$this->_validateFormKey()) {
             return;
         }
 
@@ -430,7 +430,7 @@ public function saveShippingMethodAction()
             return;
         }
 
-        if ($this->isFormkeyValidationOnCheckoutEnabled() && !$this->_validateFormKey()) {
+        if (!$this->_validateFormKey()) {
             return;
         }
 
@@ -470,7 +470,7 @@ public function savePaymentAction()
             return;
         }
 
-        if ($this->isFormkeyValidationOnCheckoutEnabled() && !$this->_validateFormKey()) {
+        if (!$this->_validateFormKey()) {
             return;
         }
 
@@ -553,7 +553,7 @@ protected function _initInvoice()
      */
     public function saveOrderAction()
     {
-        if ($this->isFormkeyValidationOnCheckoutEnabled() && !$this->_validateFormKey()) {
+        if (!$this->_validateFormKey()) {
             $this->_redirect('*/*');
             return;
         }

app/code/core/Mage/Checkout/etc/system.xml

@@ -215,23 +215,5 @@
                 </payment_failed>
             </groups>
         </checkout>
-        <admin>
-            <groups>
-                <security>
-                    <fields>
-                        <validate_formkey_checkout translate="label">
-                            <label>Enable Form Key Validation On Checkout</label>
-                            <frontend_type>select</frontend_type>
-                            <source_model>adminhtml/system_config_source_yesno</source_model>
-                            <sort_order>4</sort_order>
-                            <comment><![CDATA[<strong style="color:red">Important!</strong> Enabling this option means
-                            that your custom templates used in checkout process contain form_key output.
-                            Otherwise checkout may not work.]]></comment>
-                            <show_in_default>1</show_in_default>
-                        </validate_formkey_checkout>
-                    </fields>
-                </security>
-            </groups>
-        </admin>
     </sections>
 </config>

app/code/core/Mage/Checkout/sql/checkout_setup/install-1.6.0.0.php

@@ -779,12 +779,4 @@
     }
 }
 
-$setup->insert(
-    $this->getTable('core_config_data'),
-    [
-        'path' => 'admin/security/validate_formkey_checkout',
-        'value' => '1'
-    ]
-);
-
 $installer->endSetup();

app/code/core/Mage/Core/Controller/Front/Action.php

@@ -177,16 +177,18 @@ protected function _validateFormKey()
      */
     protected function _isFormKeyEnabled()
     {
-        return Mage::getStoreConfigFlag(self::XML_CSRF_USE_FLAG_CONFIG_PATH);
+        return Mage::helper('core')->isFormKeyEnabled();
     }
 
     /**
      * Check if form_key validation enabled on checkout process
      *
+     * @deprecated
+     * @see _isFormKeyEnabled
      * @return bool
      */
     protected function isFormkeyValidationOnCheckoutEnabled()
     {
-        return Mage::getStoreConfigFlag('admin/security/validate_formkey_checkout');
+        return $this->_isFormKeyEnabled();
     }
 }

app/code/core/Mage/Core/Helper/Data.php

@@ -1000,4 +1000,12 @@ public function unEscapeCSVData($data)
         }
         return $data;
     }
+
+    /**
+     * @return bool
+     */
+    public function isFormKeyEnabled(): bool
+    {
+        return Mage::getStoreConfigFlag(Mage_Core_Controller_Front_Action::XML_CSRF_USE_FLAG_CONFIG_PATH);
+    }
 }

app/code/core/Mage/Newsletter/controllers/SubscriberController.php

@@ -21,11 +21,6 @@
  */
 class Mage_Newsletter_SubscriberController extends Mage_Core_Controller_Front_Action
 {
-    /**
-     * Use CSRF validation flag from newsletter config
-     */
-    public const XML_CSRF_USE_FLAG_CONFIG_PATH = 'newsletter/security/enable_form_key';
-
     /**
       * New subscription action
       */
@@ -127,14 +122,4 @@ public function unsubscribeAction()
         }
         $this->_redirectReferer();
     }
-
-    /**
-     * Check if form key validation is enabled in newsletter config.
-     *
-     * @return bool
-     */
-    protected function _isFormKeyEnabled()
-    {
-        return Mage::getStoreConfigFlag(self::XML_CSRF_USE_FLAG_CONFIG_PATH);
-    }
 }

app/code/core/Mage/Newsletter/etc/config.xml

@@ -185,9 +185,6 @@
             <sending>
                 <set_return_path>0</set_return_path>
             </sending>
-            <security>
-                <enable_form_key>0</enable_form_key>
-            </security>
         </newsletter>
     </default>
     <crontab>

app/code/core/Mage/Newsletter/etc/system.xml

@@ -105,25 +105,6 @@
                         </un_email_template>
                     </fields>
                 </subscription>
-                <security translate="label">
-                    <label>Security</label>
-                    <sort_order>1</sort_order>
-                    <show_in_default>1</show_in_default>
-                    <show_in_website>1</show_in_website>
-                    <show_in_store>1</show_in_store>
-                    <fields>
-                        <enable_form_key translate="label comment">
-                            <label>Enable Form Key Validation</label>
-                            <frontend_type>select</frontend_type>
-                            <source_model>adminhtml/system_config_source_yesno</source_model>
-                            <sort_order>1</sort_order>
-                            <show_in_default>1</show_in_default>
-                            <show_in_website>1</show_in_website>
-                            <show_in_store>1</show_in_store>
-                            <comment><![CDATA[<strong style="color:red">Important!</strong> Enabling this option means that your custom templates used for newsletter subscription must contain <code>form_key</code> block output. Otherwise newsletter subscription will not work.]]></comment>
-                        </enable_form_key>
-                    </fields>
-                </security>
             </groups>
         </newsletter>
     </sections>

app/locale/en_US/Mage_Checkout.csv

@@ -120,7 +120,6 @@
 "Email Address","Email Address"
 "Empty Cart","Empty Cart"
 "Empty Shopping Cart Content Before","Empty Shopping Cart Content Before"
-"Enable Form Key Validation On Checkout","Enable Form Key Validation On Checkout"
 "Enable Onepage Checkout","Enable Onepage Checkout"
 "Enable Terms and Conditions","Enable Terms and Conditions"
 "Enabled","Enabled"

app/locale/en_US/Mage_Newsletter.csv

@@ -1,5 +1,4 @@
 " Copy"," Copy"
-"<strong style=""color:red"">Important!</strong> Enabling this option means that your custom templates used for newsletter subscription must contain <code>form_key</code> block output. Otherwise newsletter subscription will not work.","<strong style=""color:red"">Important!</strong> Enabling this option means that your custom templates used for newsletter subscription must contain <code>form_key</code> block output. Otherwise newsletter subscription will not work."
 "Action","Action"
 "Add New Template","Add New Template"
 "Add to Queue","Add to Queue"
@@ -89,7 +88,6 @@
 "Save Newsletter","Save Newsletter"
 "Save Template","Save Template"
 "Save and Resume","Save and Resume"
-"Security","Security"
 "Selected problem subscribers have been unsubscribed.","Selected problem subscribers have been unsubscribed."
 "Selected problems have been deleted.","Selected problems have been deleted."
 "Sender","Sender"