There is a known CSRF weakness in the logout menu link. This menu link performs an action (logging the user out) without any confirmation or protection. The core issue is #144538: User logout is vulnerable to CSRF.
Due to a bug in the Drupal 6 menu system (#204077: Allow menu links pointing to dynamic paths), it is unlikely that a proper fix will land in D6 in a reasonable period of time. I still have hope that we will fix the Drupal 7 menu system and implement a proper fix against the CSRF there. This is a Drupal 6-specific feature request to implement the same CSRF protection in logintoboggan.
Comment | File | Size | Author
---|---|---|---
#1 | 620280-logout-link-csrf.patch | 4.43 KB | Damien Tournoud
Comments
Comment #1
Damien Tournoud commented:
And here is the trivial patch that does just that. The protection is enabled by default, but can be manually disabled in the logintoboggan settings form.

Comment #2
Damien Tournoud commented

Comment #3
andypost commented:
Suppose this is a better place
Comment #4
pwolanin commented:
It's certainly possible to add a dynamic token to a link in Drupal 6/7 via hook_translated_menu_link_alter(), which I see DamZ used in the patch above.
This looks like the right approach, so this code would just need to be ported to paranoia.
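The approach described in the comment above, as an added illustration (this is not the patch attached to this issue, nor code from logintoboggan or paranoia): a small Drupal 6 module that marks the core `logout` link for alteration, appends a per-session token to it in hook_translated_menu_link_alter(), and checks that token before calling core's user_logout(). The module name `logout_csrf`, the variable `logout_csrf_protect` and the token value `'logout'` are assumptions; drupal_get_token(), drupal_valid_token(), hook_menu_alter(), hook_menu_link_alter() and hook_translated_menu_link_alter() are the Drupal 6 core APIs.

```php
<?php
// Added example module "logout_csrf" (hypothetical name): CSRF-protect the
// core 'logout' path in Drupal 6 with a session-bound token.

/**
 * Implements hook_menu_alter().
 *
 * Route the core 'logout' path through our own page callback so the token
 * can be verified before the session is destroyed.
 */
function logout_csrf_menu_alter(&$items) {
  if (isset($items['logout'])) {
    $items['logout']['page callback'] = 'logout_csrf_user_logout';
  }
}

/**
 * Implements hook_menu_link_alter().
 *
 * Flag the stored logout link so that Drupal 6 invokes
 * hook_translated_menu_link_alter() for it on every render.
 */
function logout_csrf_menu_link_alter(&$item, $menu) {
  if ($item['link_path'] == 'logout') {
    $item['options']['alter'] = TRUE;
  }
}

/**
 * Implements hook_translated_menu_link_alter().
 *
 * Attach a token derived from the current session to the rendered link,
 * so a link forged by a third-party page will not carry a valid one.
 */
function logout_csrf_translated_menu_link_alter(&$item, $map) {
  // 'logout_csrf_protect' is an assumed setting name; default is enabled.
  if ($item['link_path'] == 'logout' && variable_get('logout_csrf_protect', TRUE)) {
    $item['localized_options']['query'] = array('token' => drupal_get_token('logout'));
  }
}

/**
 * Menu callback replacing user_logout(): verify the token, then log out.
 */
function logout_csrf_user_logout() {
  if (variable_get('logout_csrf_protect', TRUE)) {
    $token = isset($_GET['token']) ? $_GET['token'] : '';
    if (!drupal_valid_token($token, 'logout')) {
      // Missing or wrong token: do nothing destructive, just send the user back.
      drupal_set_message(t('Invalid logout request.'), 'error');
      drupal_goto('<front>');
    }
  }
  // Core's logout: ends the session and redirects to the front page.
  user_logout();
}
```

After enabling the module, run menu_rebuild() (or clear caches) so hook_menu_alter() and hook_menu_link_alter() take effect; the stored link itself is unchanged, only its rendered URL gains the `token` query parameter. Because the token is bound to the session, the protection only holds for authenticated users, which is fine here since the logout link is only shown to them.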
Comment #5
greggles commented:
There's also http://drupal.org/sandbox/davereid/1332490 which does this.
I think this issue should become a docs issue to point to that sandbox (and maybe we can get dave to make it a full project).
Comment #6
greggles commented:
I think this is the right status.