Updated: Comment #N

Problem/Motivation

Now that we have initial patch for CSRF integration with the routing/access system it's evident that we should probably just dynamically create the value passed to CsrfTokenGenerator::get() so stuff like 'aggregator/update/' . $aggregator_feed->id()) would get taken care of automatically.

Proposed resolution

Amend the CsrfAccessCheck and RouteProcessorCsrf classes to use the route path. In the route processor we will have to cycle through the parameters and replace them in the path to generate the token. Initial patch attached with just the proposed idea.

Remaining tasks

Establish best way, patch, amend/add to test coverage

User interface changes

None

API changes

Possibly* _csrf_token: 'my-value-here' will just be replaced with _csrf_token 'TRUE' etc... as the value will become irrelevant.

CommentFileSizeAuthor
#5 interdiff-2133439-5.txt2.09 KBdamiankloip
#5 2133439-5.patch6.86 KBdamiankloip
#4 interdiff-2133439-4.txt4.75 KBdamiankloip
#4 2133439-4.patch6.56 KBdamiankloip
d8.csrf-dynamic-token-value.patch1.82 KBdamiankloip
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

damiankloip’s picture

damiankloip CreditAttribution: damiankloip commented
Related issues: +#1798296: Integrate CSRF link token directly into routing system
Crell’s picture

Crell CreditAttribution: Crell commented

Damian and I discussed this in IRC earlier. This gives us a small DX win (the user is no longer responsible for deciding on a token seed key) and reverts a slight security regression from D7. (The key in HEAD right now is only as unique as the route, not as the path; that's not a critical part of it's randomness which is based on the user and site key as well, but this neatly resolves that.)

+++ b/core/lib/Drupal/Core/Access/CsrfAccessCheck.php
@@ -51,7 +51,7 @@ public function appliesTo() {
-      return $this->csrfToken->validate($request->query->get('token'), $route->getRequirement('_csrf_token')) ? static::ALLOW : static::KILL;
+      return $this->csrfToken->validate($request->query->get('token'), $request->getPathInfo()) ? static::ALLOW : static::KILL;

I think this needs to be checking the system path, not pathInfo. Remember, pathInfo is raw; system path is post-dealiasing.

Status: Needs review » Needs work

The last submitted patch, d8.csrf-dynamic-token-value.patch, failed testing.

damiankloip’s picture

damiankloip CreditAttribution: damiankloip commented
Status: Needs work » Needs review
FileSize
2133439-4.patch6.56 KB
interdiff-2133439-4.txt4.75 KB

Just fixing the tests now, do you mean the '_system_path' attribute from the request?

damiankloip’s picture

damiankloip CreditAttribution: damiankloip commented
FileSize
2133439-5.patch6.86 KB
interdiff-2133439-5.txt2.09 KB

Let's just add a patch with that change too.

dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner commented
Status: Needs review » Reviewed & tested by the community

Well, I don't really like that we deal with paths again internally but this is some sort of implementation detail.

Crell’s picture

Crell CreditAttribution: Crell commented

The path usage here is not exposed to the user. It's just used for a little extra entropy, which we'd been doing in D7 with a different string.

Agreed on the RTBC here.

Xano’s picture

Xano
he/they
Primary language English
Location Southampton
CreditAttribution: Xano commented

5: 2133439-5.patch queued for re-testing.

catch’s picture

catch
he/him
Primary language English
CreditAttribution: catch commented
Status: Reviewed & tested by the community » Fixed

This looks fine. It's not a security issue not having it, but it means a stolen CSRF token could only be used for one link as opposed to all of them.

Committed/pushed to 8.x, thanks!

damiankloip’s picture

damiankloip CreditAttribution: damiankloip commented

Great, thank you!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.