Protect write operations from CRSF by requiring an token (when using cookie/session-based authentication) [#1891052]

Comment	File	Size	Author
#9	csrf-token-1891052-9.patch	15.92 KB	klausi

#8	csrf-token-1891052-8.patch	17.41 KB	klausi

#8	csrf-token-1891052-8-interdiff.txt	7.17 KB	klausi
#5	csrf-token-1891052-5.patch	13.38 KB	klausi

#5	csrf-token-1891052-5-interdiff.txt	7.75 KB	klausi
#3	csrf-token-1891052-3.patch	7.64 KB	klausi

Comment #1

klausi

he/him||they/them

German

🇦🇹 Vienna

CreditAttribution: klausi commented 17 January 2013 at 10:41

See also SA-CONTRIB-2013-003 for a similar vulnerability in RESTWS: http://drupal.org/node/1890222

We will need to do something similar: http://drupalcode.org/project/restws.git/commitdiff/dae7e2e

Log in or register to post comments

Comment #2

klausi

he/him||they/them

German

🇦🇹 Vienna

CreditAttribution: klausi commented 17 January 2013 at 10:55

Issue tags:

+Security improvements, +WSCCI

Tagging.

Log in or register to post comments

Comment #3

klausi

he/him||they/them

German

🇦🇹 Vienna

CreditAttribution: klausi commented 21 January 2013 at 16:52

Status:

Active

» Needs review

File	Size
csrf-token-1891052-3.patch	7.64 KB

Preliminary patch that tries to replicate the fixes from RESTWS in D7. Not finished yet, so this will fail.

Log in or register to post comments

Comment #4

21 January 2013 at 18:56

Status:

Needs review

» Needs work

The last submitted patch, csrf-token-1891052-3.patch, failed testing.

Log in or register to post comments

Comment #5

klausi

he/him||they/them

German

🇦🇹 Vienna

CreditAttribution: klausi commented 22 January 2013 at 12:44

Status:	Needs work	» Needs review
Issue tags:		+Stalking Crell

File	Size
csrf-token-1891052-5-interdiff.txt	7.75 KB
csrf-token-1891052-5.patch	13.38 KB

Fixed the simpletests. I also found the cURL quirk with ->drupalLogin(), that simplifies the simpletests a bit.

Question: do we want to check the CSRF token in the usual controller (as done in this patch) or do we want to implement a routing system access handler?

Log in or register to post comments

Comment #6

Crell CreditAttribution: Crell commented 23 January 2013 at 00:38

Status:

Needs review

» Needs work

+++ b/core/modules/rest/lib/Drupal/rest/RequestHandler.php
@@ -66,4 +71,43 @@ public function handle(Request $request, $id = NULL) {
+  public function csrfToken() {
+    return new Response(drupal_get_token('rest'), 200, array('Content-Type' => 'text/plain'));

Note to self for later: drupal_get_token() needs to turn into an injectable service.

+++ b/core/modules/rest/rest.routing.yml
@@ -0,0 +1,6 @@
+rest.csrftoken:

I don't believe we're using dots in route machine names.

I would say the token checking should be split out to an access checker object. That makes it flexible to be used beyond just rest module's own unified controller. We'll want to do something very similar for #1798296: Integrate CSRF link token directly into routing system

Log in or register to post comments

Comment #7

klausi

he/him||they/them

German

🇦🇹 Vienna

CreditAttribution: klausi commented 23 January 2013 at 10:01

I don't believe we're using dots in route machine names.

Yes we do, REST module uses dots for all of its routes. Route naming conventions should be discussed in another issue.

If we move the check to a routing AccessCheckInterface object how do we implement the applies() method? We could use an _access_rest_csrf requirement on the route. I'm only worried that resource plugins might forget to add that to their routes, so I guess it would be a good idea if the rest module route collector adds it.