From 05a236bdd8361ea4690c2243231c20730a707662 Mon Sep 17 00:00:00 2001
From: Nicolas Brassard
Date: Mon, 13 May 2019 16:27:43 -0400
Subject: [PATCH] Make sure we generate a XSRF token for events
This commit simply checks, for each event attached to the page, if there is a filter with `xsrf` in its name. If so, it will make sure that the token is generated. Hopefully, this fixes #2173 for good.
---
 symphony/lib/toolkit/class.frontendpage.php | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/symphony/lib/toolkit/class.frontendpage.php b/symphony/lib/toolkit/class.frontendpage.php
index 9a4d6ef1d..b3faa0253 100644
--- a/symphony/lib/toolkit/class.frontendpage.php
+++ b/symphony/lib/toolkit/class.frontendpage.php
@@ -745,6 +745,20 @@ private function processEvents($events, XMLElement &$wrapper)
 foreach ($events as $handle) {
 $pool[$handle] = EventManager::create($handle, array('env' => $this->_env, 'param' => $this->_param));
+ // Make sure that filters requiring XSRF token to work are getting a valid XSRF token.
+ // We do not always create it, because that would create useless sessions
+ if (
+ Symphony::isXSRFEnabled() && !XSRF::getSessionToken() &&
+ isset($pool[$handle]->eParamFILTERS) &&
+ is_array($pool[$handle]->eParamFILTERS)
+ ) {
+ $xsrfFilters = array_filter($pool[$handle]->eParamFILTERS, function ($filter) {
+ return strpos($filter, 'xsrf') !== false;
+ });
+ if (!empty($xsrfFilters)) {
+ $this->_param['cookie-xsrf-token'] = XSRF::getToken();
+ }
+ }
 }
 uasort($pool, array($this, '__findEventOrder'));
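Review bot: The `strpos($filter, 'xsrf') !== false` test in the `array_filter` callback is case-sensitive and assumes every entry of `eParamFILTERS` is a string, so a filter handle spelled with different casing would be skipped and a non-string entry would raise a warning or, on newer PHP, a TypeError. When the match is missed no token is generated, which presumably leaves the event's XSRF check failing closed rather than bypassed, but it would bring back the symptom this commit is meant to fix. Consider `return is_string($filter) && stripos($filter, 'xsrf') !== false;`, plus a comment stating that detection relies on the filter name containing `xsrf`, so extension authors know the convention. Also worth confirming: `cookie-xsrf-token` is written to `$this->_param` after `EventManager::create()` has already been passed `$this->_param`, so the event created in the same iteration may not see it unless the array is shared by reference elsewhere. The body of `processEvents` starts and ends outside this hunk.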