Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.If the admin selects "clone without confirmation" they in fact are vulnerable to CSRF. Since this is not the default setting, and doesn't cause data loss, this is approved as a public issue by the Drupal security team.
This issue was reported by Jonathan Hedstrom.
| Comment | File | Size | Author |
|---|---|---|---|
| #5 | 1217966-5.patch | 3.59 KB | pwolanin |
| #3 | 1217966-3.patch | 3.74 KB | pwolanin |
Comments
Comment #1
pwolanin CreditAttribution: pwolanin commentedComment #2
pwolanin CreditAttribution: pwolanin commentedThis doesn't look very easy to do - core doesn't offer much facility for appending a query string to contextual links (or tabs). Might be able to use a to_arg function and put a token in the path?
Comment #3
pwolanin CreditAttribution: pwolanin commentedKinda ugly, but here's a 1st pass.
Maybe the token should depend on the node ID too?
Comment #4
pwolanin CreditAttribution: pwolanin commentedAn alternative to actually changing the path for the "normal" case would be to swap out the router item depending on the setting, which means forcing a menu rebuild if the setting changes. That's maybe ok, but not so nice either.
Comment #5
pwolanin CreditAttribution: pwolanin commentedSimplified logic makes the patch much smaller.
Comment #6
pwolanin CreditAttribution: pwolanin commentedneeds to be backported.
Comment #6.0
pwolanin CreditAttribution: pwolanin commentedadding credit to the reporter: Jonathan Hedstrom