The menu callback "node/%node/moderation/%/change-state/%" is unprotected from a CSRF vulnerability where admins could be easily tricked into changing states on nodes. We need to use drupal_get_token() and drupal_valid_token() when creating links and in the callback itself.

This has not been reported to the security team as we do not yet have a final 1.0 release so this is cleared to be fixed publicly.

CommentFileSizeAuthor
#5 1260244-fix-moderation-state-change-csrf.patch4.67 KBdave reid
#4 1260244-fix-moderation-state-change-csrf.patch4.71 KBdave reid
#3 1260244-fix-moderation-state-change-csrf.patch3.37 KBdave reid
#2 1260244-fix-moderation-state-change-csrf.patch3.3 KBdave reid
#1 1260244-fix-moderation-state-change-csrf.patch1.86 KBdave reid

Comments

dave reid’s picture

dave reid
he/him
Primary language English
Location Nebraska USA
commented
Status: Active » Needs review
StatusFileSize
new 1260244-fix-moderation-state-change-csrf.patch1.86 KB
dave reid’s picture

dave reid
he/him
Primary language English
Location Nebraska USA
commented
StatusFileSize
new 1260244-fix-moderation-state-change-csrf.patch3.3 KB
dave reid’s picture

dave reid
he/him
Primary language English
Location Nebraska USA
commented
StatusFileSize
new 1260244-fix-moderation-state-change-csrf.patch3.37 KB

Revised patch that ensure the token will always be set even after the array_merge() in workbench_moderation_get_moderation_links().

dave reid’s picture

dave reid
he/him
Primary language English
Location Nebraska USA
commented
StatusFileSize
new 1260244-fix-moderation-state-change-csrf.patch4.71 KB

That was fun overcoming the broken-ness of DrupalWebTestCase::drupalGetToken().

dave reid’s picture

dave reid
he/him
Primary language English
Location Nebraska USA
commented
StatusFileSize
new 1260244-fix-moderation-state-change-csrf.patch4.67 KB

Left one little debug() in. :/

dave reid’s picture

dave reid
he/him
Primary language English
Location Nebraska USA
commented
Status: Needs review » Fixed

Committed #5 with some doc cleanups to Git!
http://drupalcode.org/project/workbench_moderation.git/commit/2afef61

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.