Attached patch is a port that went into 4.7. We can polish / modify a bit more though.
Patch introduces tokens for forms requested by authenticated users. During validation, the token field is checked to make sure this user requested the form previously during his/her session. This defends against cross site request forgeries where a user visits an external form that posts to Drupal.
Comment | File | Size | Author
---|---|---|---
#7 | form_token_1.patch.txt | 7.04 KB | Heine
#2 | form_token_0.patch.txt | 6.99 KB | Heine
 | form_token.patch.txt | 6.89 KB | Heine
Comments
Comment #1
Heine commented:
Note: I'd rather keep the rewriting of node revisions / menu disable to use $_POST and the rewriting of some old style (4.6) forms to other issues.
Comment #2
Heine commented:
Modified to prevent XHTML validation errors (as in http://drupal.org/node/90635)
Comment #3
eaton commented:
Just ran this through its paces on a fresh install. Some forms, like poll.module's voting, aren't fully FAPI-ified and thus are unaffected by this security check. Others, like commenting and node creation, properly throw a validation error when submitting a form with a tainted or missing token.
Comment #4
drumm commented:
This is a big patch, any other reviews? Anything different from the 4.7 version?
Comment #5
Jo Wouters commented:
I'm not sure if this is a security issue, but it is relatively easy to get to know the 'drupal_private_key':
The token (which is publicly shown in every form) is calculated with this function:
The session_id is known to the user, $value is the forum_id.
$private_key is the only unknown part.
And since $private_key = mt_rand() (a number between 0 and 2147483647 on my machine) it is relatively easy to get to know the drupal_private_key.
(it cost me less than 40 minutes to find 2 different drupal_private_keys)
Apart from that, this patch seems to be working on head.
Comment #6
Jo Wouters commented:
Note: that should be "$value is the form_id" of course.
We should put the issue about the 'drupal_private_key' in a separate issue. I'll open one, and attach a patch.
Comment #7
Heine commented:
Changed into a 256-bit key.
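The token scheme from the issue summary, with the 256-bit key from #7 in place of a single mt_rand() value, written out as an added PHP example. This is not the patch and not Drupal's own code: the function names (generate_private_key, form_token, form_token_valid) and the sample session and form ids are constructed for illustration, and HMAC-SHA256 is used here as the keyed hash rather than whatever the patch computes.

```php
<?php
// Added example, not Drupal's code. Function names are hypothetical.

// The fix from comment #7: a site-wide key of 256 bits drawn from a CSPRNG.
// A single mt_rand() value has only a 31-bit range, which is why a key of
// that size can be recovered from a token that every form publishes.
function generate_private_key(): string {
    return bin2hex(random_bytes(32)); // 32 bytes = 256 bits, hex encoded
}

// Token bound to the visitor's session and to the specific form, keyed with
// the private key. Without the key nobody can compute a token for another
// session; without the session binding one captured token would work for all.
function form_token(string $private_key, string $session_id, string $form_id): string {
    return hash_hmac('sha256', $session_id . ':' . $form_id, $private_key);
}

// Validation step from the issue summary: recompute the expected token for
// this session and form, and compare in constant time. A missing token, a
// token for another form, or a token from another session all fail.
function form_token_valid(string $private_key, string $session_id, string $form_id, ?string $submitted): bool {
    if ($submitted === null || $submitted === '') {
        return false;
    }
    $expected = form_token($private_key, $session_id, $form_id);
    return hash_equals($expected, $submitted);
}

// Constructed demo values (not from the page).
$private_key = generate_private_key();
$session_id  = 'sess_abc123';   // the visitor's own session id
$form_id     = 'comment_form';

// Render step: embed the token as a hidden field (self-closing for XHTML, see #2).
$hidden = form_token($private_key, $session_id, $form_id);
printf("<input type=\"hidden\" name=\"form_token\" value=\"%s\" />\n", htmlspecialchars($hidden));

// Legitimate submission from the same session: accepted.
var_dump(form_token_valid($private_key, $session_id, $form_id, $hidden));
// Cross-site post: the external form cannot supply the token, so it is missing: rejected.
var_dump(form_token_valid($private_key, $session_id, $form_id, null));
// Token copied from a different session: rejected.
var_dump(form_token_valid($private_key, 'sess_other', $form_id, $hidden));
// Token issued for a different form replayed against this one: rejected.
var_dump(form_token_valid($private_key, $session_id, 'node_form', $hidden));
```

Two details matter beyond the key size: the private key is generated once and stored server-side (it is never sent to the browser, only the resulting token is), and the comparison uses hash_equals so that validation time does not leak how many leading bytes of a guessed token were correct.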
Comment #8
Heine commented:
Comment #9
Kjartan commented:
Been using this patch on my site for a few days now and haven't had any troubles yet.
Comment #10
drumm commented:
Committed to HEAD.