The menu callback "node/%node/moderation/%/change-state/%" is unprotected from a CSRF vulnerability where admins could be easily tricked into changing states on nodes. We need to use drupal_get_token() and drupal_valid_token() when creating links and in the callback itself.
This has not been reported to the security team as we do not yet have a final 1.0 release so this is cleared to be fixed publicly.
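As an added example that is not part of this issue or of the workbench_moderation module's own code, the pattern described above can be applied in Drupal 7 as follows: the link builder embeds a drupal_get_token() value that is bound to the node, revision and target state, and the menu callback refuses to act unless drupal_valid_token() accepts that value for the same triple. The module name example_moderation, the function names, the permission string and the `token` query parameter are assumptions for illustration; the real module's callback and link-builder names are not shown here.

```php
<?php
// Added example (not the module's own code): CSRF-protecting a state-change
// menu callback in Drupal 7 with drupal_get_token()/drupal_valid_token().
// All example_moderation_* names, the 'moderate content' permission and the
// 'token' query parameter are assumptions made for this illustration.

/**
 * Implements hook_menu().
 */
function example_moderation_menu() {
  $items['node/%node/moderation/%/change-state/%'] = array(
    'title' => 'Change moderation state',
    'page callback' => 'example_moderation_change_state',
    // Arguments are the loaded node, the revision id and the target state.
    'page arguments' => array(1, 3, 5),
    'access arguments' => array('moderate content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the token value for one node revision + target state.
 *
 * Binding the token to nid, vid and state means a token captured from one
 * link cannot be replayed against another node, revision or state.
 */
function example_moderation_token_value($node, $vid, $state) {
  return implode(':', array('example_moderation', $node->nid, $vid, $state));
}

/**
 * Builds a protected state-change link; the token rides in the query string.
 *
 * The returned array is in the shape expected by theme_links(), so the
 * 'query' key must survive any later merge with default link options.
 */
function example_moderation_change_state_link($node, $vid, $state) {
  $path = "node/{$node->nid}/moderation/{$vid}/change-state/{$state}";
  return array(
    'title' => t('Change state to @state', array('@state' => $state)),
    'href' => $path,
    'query' => array(
      'token' => drupal_get_token(example_moderation_token_value($node, $vid, $state)),
    ) + drupal_get_destination(),
  );
}

/**
 * Menu callback: validate the token before doing anything state-changing.
 */
function example_moderation_change_state($node, $vid, $state) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  // drupal_valid_token() ties the check to the current user's session, so a
  // link harvested by an attacker only works from the victim's own session,
  // which is exactly what a forged cross-site request cannot supply here.
  if (!drupal_valid_token($token, example_moderation_token_value($node, $vid, $state))) {
    return MENU_ACCESS_DENIED;
  }

  // The actual state transition is the module's own business logic and is
  // represented here only by a message (assumption: no persistence shown).
  drupal_set_message(t('Moderation state of %title changed to @state.',
    array('%title' => $node->title, '@state' => $state)));

  // drupal_goto() honours the ?destination= added by drupal_get_destination().
  drupal_goto('node/' . $node->nid);
}
```

Two practical caveats. First, because the token is derived from the session, this only protects authenticated users; anonymous requests fail drupal_valid_token() unless it is called with $skip_anonymous set, which should never be done on a state-changing path. Second, if the link array is later combined with defaults via array_merge(), a default 'query' key would silently discard the token, so the merge must be arranged so the token-bearing 'query' wins, otherwise the callback will reject every link the module itself generates.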
Comments
Comment #1
Dave Reid

Comment #2
Dave Reid

Comment #3
Dave Reid
Revised patch that ensures the token will always be set even after the array_merge() in workbench_moderation_get_moderation_links().
Comment #4
Dave Reid
That was fun overcoming the broken-ness of DrupalWebTestCase::drupalGetToken().

Comment #5
Dave Reid
Left one little debug() in. :/

Comment #6
Dave Reid
Committed #5 with some doc cleanups to Git!
http://drupalcode.org/project/workbench_moderation.git/commit/2afef61