The menu callback "node/%node/moderation/%/change-state/%" is unprotected from a CSRF vulnerability where admins could be easily tricked into changing states on nodes. We need to use drupal_get_token() and drupal_valid_token() when creating links and in the callback itself.

This has not been reported to the security team as we do not yet have a final 1.0 release so this is cleared to be fixed publicly.

CommentFileSizeAuthor
#5 1260244-fix-moderation-state-change-csrf.patch4.67 KBDave Reid
#4 1260244-fix-moderation-state-change-csrf.patch4.71 KBDave Reid
#3 1260244-fix-moderation-state-change-csrf.patch3.37 KBDave Reid
#2 1260244-fix-moderation-state-change-csrf.patch3.3 KBDave Reid
#1 1260244-fix-moderation-state-change-csrf.patch1.86 KBDave Reid
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Dave Reid’s picture

Dave Reid
he/him
Primary language English
Location Nebraska USA
CreditAttribution: Dave Reid commented
Status: Active » Needs review
FileSize
1260244-fix-moderation-state-change-csrf.patch1.86 KB
Dave Reid’s picture

Dave Reid
he/him
Primary language English
Location Nebraska USA
CreditAttribution: Dave Reid commented
FileSize
1260244-fix-moderation-state-change-csrf.patch3.3 KB
Dave Reid’s picture

Dave Reid
he/him
Primary language English
Location Nebraska USA
CreditAttribution: Dave Reid commented
FileSize
1260244-fix-moderation-state-change-csrf.patch3.37 KB

Revised patch that ensure the token will always be set even after the array_merge() in workbench_moderation_get_moderation_links().

Dave Reid’s picture

Dave Reid
he/him
Primary language English
Location Nebraska USA
CreditAttribution: Dave Reid commented
FileSize
1260244-fix-moderation-state-change-csrf.patch4.71 KB

That was fun overcoming the broken-ness of DrupalWebTestCase::drupalGetToken().

Dave Reid’s picture

Dave Reid
he/him
Primary language English
Location Nebraska USA
CreditAttribution: Dave Reid commented
FileSize
1260244-fix-moderation-state-change-csrf.patch4.67 KB

Left one little debug() in. :/

Dave Reid’s picture

Dave Reid
he/him
Primary language English
Location Nebraska USA
CreditAttribution: Dave Reid commented
Status: Needs review » Fixed

Committed #5 with some doc cleanups to Git!
http://drupalcode.org/project/workbench_moderation.git/commit/2afef61

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.