Updated: Comment #N
Problem/Motivation
Now that we have initial patch for CSRF integration with the routing/access system it's evident that we should probably just dynamically create the value passed to CsrfTokenGenerator::get() so stuff like 'aggregator/update/' . $aggregator_feed->id())
would get taken care of automatically.
Proposed resolution
Amend the CsrfAccessCheck and RouteProcessorCsrf classes to use the route path. In the route processor we will have to cycle through the parameters and replace them in the path to generate the token. Initial patch attached with just the proposed idea.
Remaining tasks
Establish best way, patch, amend/add to test coverage
User interface changes
None
API changes
Possibly* _csrf_token: 'my-value-here' will just be replaced with _csrf_token 'TRUE' etc... as the value will become irrelevant.
Related Issues
Comment | File | Size | Author |
---|---|---|---|
#5 | interdiff-2133439-5.txt | 2.09 KB | damiankloip |
#5 | 2133439-5.patch | 6.86 KB | damiankloip |
#4 | interdiff-2133439-4.txt | 4.75 KB | damiankloip |
#4 | 2133439-4.patch | 6.56 KB | damiankloip |
d8.csrf-dynamic-token-value.patch | 1.82 KB | damiankloip | |
Comments
Comment #1
damiankloip CreditAttribution: damiankloip commentedComment #2
Crell CreditAttribution: Crell commentedDamian and I discussed this in IRC earlier. This gives us a small DX win (the user is no longer responsible for deciding on a token seed key) and reverts a slight security regression from D7. (The key in HEAD right now is only as unique as the route, not as the path; that's not a critical part of it's randomness which is based on the user and site key as well, but this neatly resolves that.)
I think this needs to be checking the system path, not pathInfo. Remember, pathInfo is raw; system path is post-dealiasing.
Comment #4
damiankloip CreditAttribution: damiankloip commentedJust fixing the tests now, do you mean the '_system_path' attribute from the request?
Comment #5
damiankloip CreditAttribution: damiankloip commentedLet's just add a patch with that change too.
Comment #6
dawehnerWell, I don't really like that we deal with paths again internally but this is some sort of implementation detail.
Comment #7
Crell CreditAttribution: Crell commentedThe path usage here is not exposed to the user. It's just used for a little extra entropy, which we'd been doing in D7 with a different string.
Agreed on the RTBC here.
Comment #8
Xano5: 2133439-5.patch queued for re-testing.
Comment #9
catchThis looks fine. It's not a security issue not having it, but it means a stolen CSRF token could only be used for one link as opposed to all of them.
Committed/pushed to 8.x, thanks!
Comment #10
damiankloip CreditAttribution: damiankloip commentedGreat, thank you!