We should add a token to the link output by theme_token_tree_link(), derived from the serialized token tree options, and verify that token in the token_page_output_tree() page callback. This prevents arbitrary visitors from requesting the /token/tree page directly and enumerating the tokens available on a site.
This issue was cleared by the security team to be fixed publicly, since no actual private information (i.e. token values) is disclosed, only the names of the available tokens.
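As an added illustration of the scheme the summary describes (this is not the Token module's code nor the patch attached below), the sketch pairs a Drupal 7 CSRF token bound to the serialized options with a check in the page callback. theme_token_tree_link() and token_page_output_tree() are the module's real functions; the example_ helpers, the 'token-tree:' seed prefix and the 'token' query-parameter name are assumptions made here.

```php
<?php
// Added example, not the Token module's own implementation. drupal_get_token(),
// drupal_valid_token(), l() and MENU_ACCESS_DENIED are Drupal 7 core APIs;
// everything prefixed example_ is hypothetical.

/**
 * Builds the seed string that ties a token to one exact set of tree options.
 * Both sides must reproduce the same string, so keys are sorted before
 * serialization (the seed prefix is an assumption of this example).
 */
function example_token_tree_seed(array $options) {
  ksort($options);
  return 'token-tree:' . serialize($options);
}

/**
 * Renders the tree link with a token derived from the options, in the way
 * theme_token_tree_link() could. drupal_get_token() HMACs the seed with the
 * current session id and the site's private key, so a token copied from one
 * session is useless in another.
 */
function example_token_tree_link(array $variables) {
  $options = $variables['options'];
  $options['token'] = drupal_get_token(example_token_tree_seed($options));
  return l($variables['text'], 'token/tree', array('query' => $options));
}

/**
 * Page callback for /token/tree: refuses any request whose token does not
 * match the options actually supplied, so the page cannot simply be opened
 * by URL to list the site's tokens.
 */
function example_token_page_output_tree() {
  $options = $_GET;
  $token = isset($options['token']) ? $options['token'] : '';
  // Strip the token itself and Drupal's internal path parameter ('q') before
  // rebuilding the seed, so the check covers only the tree options.
  unset($options['token'], $options['q']);
  if (!drupal_valid_token($token, example_token_tree_seed($options))) {
    // Returning MENU_ACCESS_DENIED lets the menu system emit the 403 page.
    return MENU_ACCESS_DENIED;
  }
  // ... render the tree with the verified $options as before.
}
```

Because the seed includes every option, a caller cannot reuse a valid token while changing the requested token types; any tampering with the query string invalidates the token, which is the property the summary asks for.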
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | 1764024-secure-token-tree-page-callback.patch | 2.69 KB | Dave Reid |
Comments
Comment #1
Dave Reid: Please test the following patch.
Comment #2
Dave Reid: Tested and confirmed with the token dialog link used by the Metatag module.
Comment #3
Dave Reid: Committed #1 to Git: http://drupalcode.org/project/token.git/commit/c1f18d2