We should add a token to the link output by theme_token_tree_link() based on the serialized token tree options and check that token in the callback of token_page_output_tree(). This will prevent random people from accessing the /token/tree page and being able to see what tokens are available on a site.

This issue was cleared by the security team to be fixed publicly since no actual private information (i.e. token values) is disclosed, only the available tokens themselves.
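The mitigation described above, as an added illustration in Drupal 7 style (this is not the committed Token module patch): the link builder derives a token from the serialized tree options, and the page callback refuses any request whose token does not validate against the options it received. The function names `example_token_tree_link()` and `example_token_page_output_tree()` and the `options`/`token` query parameter names are assumed; `drupal_get_token()`, `drupal_valid_token()`, `drupal_json_encode()`, `drupal_json_decode()`, `url()` and `MENU_ACCESS_DENIED` are real Drupal 7 API.

```php
<?php
// Added illustration, not the project's own code: bind the /token/tree link to
// a token computed over the serialized tree options and verify it server-side.

/**
 * Build the URL for the token tree dialog (assumed helper name).
 *
 * The options travel as one JSON-encoded query value, so the callback can
 * rebuild exactly the array that was signed; the token is an HMAC keyed to the
 * site's private key and the current session, so a link copied from one user
 * does not validate for another.
 */
function example_token_tree_link($tree_options) {
  // Sort keys so the same option set always serializes identically.
  ksort($tree_options);
  $query = array(
    'options' => drupal_json_encode($tree_options),
    'token' => drupal_get_token('token-tree:' . serialize($tree_options)),
  );
  return url('token/tree', array('query' => $query));
}

/**
 * Page callback for /token/tree (assumed name): deny unsigned requests.
 *
 * A request with no token, a forged token, or options edited after the link
 * was generated all fail validation and receive an access denied response.
 */
function example_token_page_output_tree() {
  $options = isset($_GET['options']) ? drupal_json_decode($_GET['options']) : NULL;
  if (!is_array($options)) {
    return MENU_ACCESS_DENIED;
  }
  ksort($options);
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'token-tree:' . serialize($options))) {
    return MENU_ACCESS_DENIED;
  }
  // Only a validated option set reaches the tree renderer.
  return theme('token_tree', $options);
}
```

Because drupal_valid_token() includes the session ID in the HMAC, a signed link is also per-session, so the check is not only a guard against guessed URLs but also against sharing them.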

#1 Attachment: 1764024-secure-token-tree-page-callback.patch (2.69 KB), by Dave Reid
PASSED: [[SimpleTest]]: [MySQL] 345 pass(es).


Dave Reid

Status: Active » Needs review

Please test the following patch.

Dave Reid

Tested and confirmed with the token dialog link used by the Metatag module.

Dave Reid

Status: Needs review » Fixed

Automatically closed -- issue fixed for 2 weeks with no activity.