[BC] Unified CSRF configuration

app/code/core/Mage/Adminhtml/Block/Checkout/Formkey.php

@@ -30,7 +30,7 @@ class Mage_Adminhtml_Block_Checkout_Formkey extends Mage_Adminhtml_Block_Templat
      */
     public function canShow()
     {
-        return !Mage::getStoreConfigFlag('admin/security/validate_formkey_checkout');
+        return !Mage::helper('core')->isFormKeyEnabled();
     }
 
     /**

app/code/core/Mage/Checkout/controllers/MultishippingController.php

@@ -228,7 +228,7 @@ public function addressesPostAction()
             return;
         }
 
-        if ($this->isFormkeyValidationOnCheckoutEnabled() && !$this->_validateFormKey()) {
+        if (!$this->_validateFormKey()) {
             $this->_redirect('*/*/addresses');
             return;
         }
@@ -349,7 +349,7 @@ public function backToShippingAction()
      */
     public function shippingPostAction()
     {
-        if ($this->isFormkeyValidationOnCheckoutEnabled() && !$this->_validateFormKey()) {
+        if (!$this->_validateFormKey()) {
             $this->_redirect('*/*/shipping');
             return;
         }
@@ -462,7 +462,7 @@ public function overviewAction()
             return $this;
         }
 
-        if ($this->isFormkeyValidationOnCheckoutEnabled() && !$this->_validateFormKey()) {
+        if (!$this->_validateFormKey()) {
             $this->_redirect('*/*/billing');
             return;
         }

app/code/core/Mage/Checkout/controllers/OnepageController.php

@@ -355,7 +355,7 @@ public function saveBillingAction()
             return;
         }
 
-        if ($this->isFormkeyValidationOnCheckoutEnabled() && !$this->_validateFormKey()) {
+        if (!$this->_validateFormKey()) {
             return;
         }
 
@@ -402,7 +402,7 @@ public function saveShippingAction()
             return;
         }
 
-        if ($this->isFormkeyValidationOnCheckoutEnabled() && !$this->_validateFormKey()) {
+        if (!$this->_validateFormKey()) {
             return;
         }
 
@@ -431,7 +431,7 @@ public function saveShippingMethodAction()
             return;
         }
 
-        if ($this->isFormkeyValidationOnCheckoutEnabled() && !$this->_validateFormKey()) {
+        if (!$this->_validateFormKey()) {
             return;
         }
 
@@ -471,7 +471,7 @@ public function savePaymentAction()
             return;
         }
 
-        if ($this->isFormkeyValidationOnCheckoutEnabled() && !$this->_validateFormKey()) {
+        if (!$this->_validateFormKey()) {
             return;
         }
 
@@ -554,7 +554,7 @@ protected function _initInvoice()
      */
     public function saveOrderAction()
     {
-        if ($this->isFormkeyValidationOnCheckoutEnabled() && !$this->_validateFormKey()) {
+        if (!$this->_validateFormKey()) {
             $this->_redirect('*/*');
             return;
         }

app/code/core/Mage/Checkout/etc/system.xml

@@ -215,23 +215,5 @@
                 </payment_failed>
             </groups>
         </checkout>
-        <admin>
-            <groups>
-                <security>
-                    <fields>
-                        <validate_formkey_checkout translate="label">
-                            <label>Enable Form Key Validation On Checkout</label>
-                            <frontend_type>select</frontend_type>
-                            <source_model>adminhtml/system_config_source_yesno</source_model>
-                            <sort_order>4</sort_order>
-                            <comment><![CDATA[<strong style="color:red">Important!</strong> Enabling this option means
-                            that your custom templates used in checkout process contain form_key output.
-                            Otherwise checkout may not work.]]></comment>
-                            <show_in_default>1</show_in_default>
-                        </validate_formkey_checkout>
-                    </fields>
-                </security>
-            </groups>
-        </admin>
     </sections>
 </config>

app/code/core/Mage/Checkout/sql/checkout_setup/install-1.6.0.0.php

@@ -779,12 +779,4 @@
     }
 }
 
-$setup->insert(
-    $this->getTable('core_config_data'),
-    [
-        'path' => 'admin/security/validate_formkey_checkout',
-        'value' => '1'
-    ]
-);
-
 $installer->endSetup();

app/code/core/Mage/Core/Controller/Front/Action.php

@@ -178,16 +178,18 @@ protected function _validateFormKey()
      */
     protected function _isFormKeyEnabled()
     {
-        return Mage::getStoreConfigFlag(self::XML_CSRF_USE_FLAG_CONFIG_PATH);
+        return Mage::helper('core')->isFormKeyEnabled();
     }
 
     /**
      * Check if form_key validation enabled on checkout process
      *
+     * @deprecated
+     * @see _isFormKeyEnabled
      * @return bool
      */
     protected function isFormkeyValidationOnCheckoutEnabled()
     {
-        return Mage::getStoreConfigFlag('admin/security/validate_formkey_checkout');
+        return $this->_isFormKeyEnabled();
     }
 }

app/code/core/Mage/Core/Helper/Data.php

@@ -1001,4 +1001,12 @@ public function unEscapeCSVData($data)
         }
         return $data;
     }
+
+    /**
+     * @return bool
+     */
+    public function isFormKeyEnabled()
+    {
+        return Mage::getStoreConfigFlag(Mage_Core_Controller_Front_Action::XML_CSRF_USE_FLAG_CONFIG_PATH);
+    }
 }

app/code/core/Mage/Newsletter/controllers/SubscriberController.php

@@ -22,11 +22,6 @@
  */
 class Mage_Newsletter_SubscriberController extends Mage_Core_Controller_Front_Action
 {
-    /**
-     * Use CSRF validation flag from newsletter config
-     */
-    public const XML_CSRF_USE_FLAG_CONFIG_PATH = 'newsletter/security/enable_form_key';
-
     /**
       * New subscription action
       */
@@ -128,14 +123,4 @@ public function unsubscribeAction()
         }
         $this->_redirectReferer();
     }
-
-    /**
-     * Check if form key validation is enabled in newsletter config.
-     *
-     * @return bool
-     */
-    protected function _isFormKeyEnabled()
-    {
-        return Mage::getStoreConfigFlag(self::XML_CSRF_USE_FLAG_CONFIG_PATH);
-    }
 }

app/code/core/Mage/Newsletter/etc/config.xml

@@ -185,9 +185,6 @@
             <sending>
                 <set_return_path>0</set_return_path>
             </sending>
-            <security>
-                <enable_form_key>0</enable_form_key>
-            </security>
         </newsletter>
     </default>
     <crontab>

app/code/core/Mage/Newsletter/etc/system.xml

@@ -105,25 +105,6 @@
                         </un_email_template>
                     </fields>
                 </subscription>
-                <security translate="label">
-                    <label>Security</label>
-                    <sort_order>1</sort_order>
-                    <show_in_default>1</show_in_default>
-                    <show_in_website>1</show_in_website>
-                    <show_in_store>1</show_in_store>
-                    <fields>
-                        <enable_form_key translate="label comment">
-                            <label>Enable Form Key Validation</label>
-                            <frontend_type>select</frontend_type>
-                            <source_model>adminhtml/system_config_source_yesno</source_model>
-                            <sort_order>1</sort_order>
-                            <show_in_default>1</show_in_default>
-                            <show_in_website>1</show_in_website>
-                            <show_in_store>1</show_in_store>
-                            <comment><![CDATA[<strong style="color:red">Important!</strong> Enabling this option means that your custom templates used for newsletter subscription must contain <code>form_key</code> block output. Otherwise newsletter subscription will not work.]]></comment>
-                        </enable_form_key>
-                    </fields>
-                </security>
             </groups>
         </newsletter>
     </sections>