Per #2239009: Remove public direct usage of the '_system_path' request attribute, _system_path is an internal concept that nothing other than collaborators of the router itself should deal with.
CsrfAccessCheck::access() needs to validate a token generated by RouteProcessorCsrf::processOutbound(). The extra string passed to the token generator/validator doesn't need to be a _system_path; it could be $route_name and $route_parameters serialized in any other desired way.
Comment | File | Size | Author |
---|---|---|---|
#12 | 2293501-remove-system-path-from-csrf-access-check-12.patch | 5.35 KB | Wim Leers |
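
One way to bind a CSRF token to a route name and its parameters instead of a system path, as the issue summary proposes. This is an added example, not code from the patch or from Drupal core; the function names, the JSON serialization and the HMAC construction are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not a Drupal class): builds the "extra string" for a
 * CSRF token from a route name and its parameters instead of a system path.
 */
function route_token_value(string $route_name, array $route_parameters): string {
  // Cast values to strings and sort by key so the outbound link and the
  // inbound request produce the same serialization.
  $params = array_map('strval', $route_parameters);
  ksort($params);
  // JSON delimits the route name and each parameter, so distinct
  // (route, parameters) pairs cannot collapse into the same string the way
  // naive concatenation could.
  return json_encode([$route_name, $params], JSON_THROW_ON_ERROR);
}

/** Token = URL-safe base64 of an HMAC over the value, keyed per session. */
function csrf_token_for(string $session_secret, string $value): string {
  $mac = hash_hmac('sha256', $value, $session_secret, true);
  return rtrim(strtr(base64_encode($mac), '+/', '-_'), '=');
}

/** Constant-time validation of a token taken from the request. */
function csrf_token_valid(string $session_secret, string $value, string $token): bool {
  return hash_equals(csrf_token_for($session_secret, $value), $token);
}

// Constructed sample data: the secret, route names and parameters are made up.
$secret = 'constructed-per-session-secret';

// Outbound side: the token is computed when the link is generated.
$token = csrf_token_for($secret, route_token_value('example.node_delete', ['node' => 42, 'rev' => 7]));

// Inbound side: the matched route and its raw parameters give the same value,
// regardless of parameter order or int/string typing.
$same_route = route_token_value('example.node_delete', ['rev' => '7', 'node' => '42']);
var_dump(csrf_token_valid($secret, $same_route, $token));

// A token minted for one route or parameter set must not validate for another.
$other_params = route_token_value('example.node_delete', ['node' => 43, 'rev' => 7]);
$other_route = route_token_value('example.node_publish', ['node' => 42, 'rev' => 7]);
var_dump(csrf_token_valid($secret, $other_params, $token));
var_dump(csrf_token_valid($secret, $other_route, $token));
```

The first check succeeds and the last two fail, which is the property the access check relies on: a token is only accepted for the exact route and parameters it was generated for.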
Comments
Comment #1
xjm
Comment #2
dawehner
There we go.
Comment #4
dawehner
The access manager seems to be not aware of route matches.
Comment #6
alexpott
This was resolved by #2331079: Use RouteMatch in access-checks and remove RequestHelper::duplicate()
Comment #7
alexpott
Meh ... I was looking at the wrong CSRFAccessCheck class.
Comment #8
dawehner
Meh alex, I gave you the other issue in IRC. #2302065: Be able to pull of the current path from the request/route match
Comment #9
znerol
Reopening this, because this is not resolved with #2331079: Use RouteMatch in access-checks and remove RequestHelper::duplicate().
Comment #10
Wim Leers
Looks good to me.
Comment #11
alexpott
Needs a reroll due to AccessResult in #2340507: Make the new AccessResult API and implementation even better
Comment #12
Wim Leers
Straight reroll.
Comment #14
catch
Committed/pushed to 8.0.x, thanks!