diff --git a/core/core.services.yml b/core/core.services.yml
index 82dad15..5ae13f5 100644
--- a/core/core.services.yml
+++ b/core/core.services.yml
@@ -490,10 +490,9 @@ services:
 arguments: ['@state']
 csrf_token:
 class: Drupal\Core\Access\CsrfTokenGenerator
- arguments: ['@private_key']
+ arguments: ['@private_key', '@request_stack', '@settings']
 calls:
 - [setCurrentUser, ['@?current_user']]
- - [setRequest, ['@?request']]
 access_manager:
 class: Drupal\Core\Access\AccessManager
 arguments: ['@router.route_provider', '@url_generator', '@paramconverter_manager']
diff --git a/core/lib/Drupal/Core/Access/CsrfTokenGenerator.php b/core/lib/Drupal/Core/Access/CsrfTokenGenerator.php
index 0a2d2a1..a70bda9 100644
--- a/core/lib/Drupal/Core/Access/CsrfTokenGenerator.php
+++ b/core/lib/Drupal/Core/Access/CsrfTokenGenerator.php
@@ -11,7 +11,7 @@
 use Drupal\Component\Utility\Settings;
 use Drupal\Core\PrivateKey;
 use Drupal\Core\Session\AccountInterface;
-use Symfony\Component\HttpFoundation\Request;
+use \Symfony\Component\HttpFoundation\RequestStack;
 
 /**
 * Generates and validates CSRF tokens.
@@ -28,6 +28,13 @@ class CsrfTokenGenerator {
 protected $privateKey;
 
 /**
+ * Whether both secure and insecure session cookies can be used simultaneously.
+ *
+ * @var bool
+ */
+ protected $mixedModeSessions;
+
+ /**
 * The current user.
 *
 * @var \Drupal\Core\Session\AccountInterface
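Review bot: The added import `use \Symfony\Component\HttpFoundation\RequestStack;` carries a leading backslash, unlike the three `use` statements directly above it in the same hunk; PSR-12 and the Drupal coding standard write it as `use Symfony\Component\HttpFoundation\RequestStack;`. It is valid PHP, but it is inconsistent with the rest of the import block and will be flagged by coding-standards checks.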
@@ -35,20 +42,24 @@ class CsrfTokenGenerator {
 protected $currentUser;
 
 /**
- * The current request.
+ * The request stack.
 *
- * @var \Symfony\Component\HttpFoundation\Request
+ * @var \Symfony\Component\HttpFoundation\RequestStack
 */
- protected $request;
+ protected $requestStack;
 
 /**
 * Constructs the token generator.
 *
 * @param \Drupal\Core\PrivateKey $private_key
 * The private key service.
+ * @param \Drupal\Component\Utility\Settings $settings
+ * The read only settings.
 */
- public function __construct(PrivateKey $private_key) {
+ public function __construct(PrivateKey $private_key, RequestStack $request_stack, Settings $settings) {
 $this->privateKey = $private_key;
+ $this->mixedModeSessions = $settings->get('mixed_mode_sessions', FALSE);
+ $this->requestStack = $request_stack;
 }
 
 /**
@@ -62,16 +73,6 @@ public function setCurrentUser(AccountInterface $current_user = NULL) {
 }
 
 /**
- * Sets the current request.
- *
- * @param \Symfony\Component\HttpFoundation\Request $request
- * The current request.
- */
- public function setRequest(Request $request) {
- $this->request = $request;
- }
-
- /**
 * Generates a token based on $value, the user session, and the private key.
 *
 * The generated token is based on the session ID of the current user. Normally,
@@ -94,10 +95,11 @@ public function get($value = '') {
 // For mixed HTTP(S) sessions, use a constant identifier so that tokens can
 // be shared between protocols.
 $identifier = NULL;
- if ($this->request->isSecure() && Settings::get('mixed_mode_sessions', FALSE)) {
+ $request = $this->requestStack->getCurrentRequest();
+ if ($request->isSecure() && $this->mixedModeSessions) {
 $insecure_session_name = substr(session_name(), 1);
- if ($this->request->cookies->has($insecure_session_name)) {
- $identifier = $this->request->cookies->get($insecure_session_name);
+ if ($request->cookies->has($insecure_session_name)) {
+ $identifier = $request->cookies->get($insecure_session_name);
 }
 }
 
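Review bot: The constructor docblock documents the new `$settings` parameter but not the new `$request_stack` parameter, and lists `$settings` directly after `$private_key` although the signature order is `$private_key, $request_stack, $settings`. Add ` * @param \Symfony\Component\HttpFoundation\RequestStack $request_stack` / ` *   The request stack.` between the two existing `@param` entries so the docblock matches the signature. It is also worth a one-line comment on `$this->mixedModeSessions = $settings->get('mixed_mode_sessions', FALSE);` that the setting is now read once at construction rather than on every `get()` call, since that is a behaviour change from the removed `Settings::get()` lookup later in the diff.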
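Review bot: `$this->requestStack->getCurrentRequest()` returns NULL when no request has been pushed, and the very next line calls `$request->isSecure()` on it, which is a fatal error in `get()`; the service was previously wired with the optional `@?request`, so a token generated outside an HTTP request (for example from the CLI, or in a unit test whose stack is empty) is a realistic path. Since this branch only picks a shared identifier for mixed HTTP(S) sessions, guarding it is enough: `if ($request && $request->isSecure() && $this->mixedModeSessions) {`. The `get()` body, including whatever `$identifier` falls back to when it stays NULL, continues outside the hunk.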
diff --git a/core/tests/Drupal/Tests/Core/Access/CsrfTokenGeneratorTest.php b/core/tests/Drupal/Tests/Core/Access/CsrfTokenGeneratorTest.php index d120171..7736a7f 100644 --- a/core/tests/Drupal/Tests/Core/Access/CsrfTokenGeneratorTest.php +++ b/core/tests/Drupal/Tests/Core/Access/CsrfTokenGeneratorTest.php @@ -51,10 +51,10 @@ function setUp() { $settings = new Settings(array()); - $this->generator = new CsrfTokenGenerator($private_key, $settings); + $request_stack = new RequestStack(); + + $this->generator = new CsrfTokenGenerator($private_key, $request_stack, $settings); - $request = new Request(); - $this->generator->setRequest($request); } /**
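Review bot: `setUp()` now hands the generator a `RequestStack` with nothing pushed onto it, whereas the removed lines gave it a concrete `Request`; any test in this class that exercises `get()` will then hit `getCurrentRequest()` returning NULL. Unless the test methods (outside this hunk) push a request themselves, add `$request_stack->push(new Request());` after the `new RequestStack()` line, which also keeps the file's existing `Request` import in use now that the `new Request()` line is gone.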