We should add a token to the link output by theme_token_tree_link() based on the serialized token tree options and check that token in the callback of token_page_output_tree(). This will prevent random people from accessing the /token/tree page and being able to see what tokens are available on a site.

This issue was cleared by the security team to be fixed publicly since no actual private information (i.e. token values) is disclosed, only the available tokens themselves.
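The pattern described in the issue, written out as an added illustration rather than the Token module's actual patch: the link generator derives a token from the serialized options and the page callback refuses any request whose token does not match. It assumes Drupal 7's drupal_get_token()/drupal_valid_token(), drupal_json_encode()/drupal_json_decode() and url(); the function names example_token_tree_url() and example_token_tree_page() and the 'token-tree:' salt prefix are hypothetical.

```php
<?php
// Added example, not code from the Token module. Assumes a Drupal 7 runtime.

/**
 * Build the /token/tree URL with a token bound to the serialized options.
 */
function example_token_tree_url(array $options) {
  // Sort keys so the serialized form (and hence the token) is stable no
  // matter how the caller ordered the options array.
  ksort($options);
  $query = array(
    'options' => drupal_json_encode($options),
    // drupal_get_token() is an HMAC over the value keyed with the session ID,
    // the site's private key and the hash salt.
    'token' => drupal_get_token('token-tree:' . serialize($options)),
  );
  return url('token/tree', array('query' => $query));
}

/**
 * Page callback: only render the tree when the token matches the options.
 */
function example_token_tree_page() {
  $options = array();
  if (isset($_GET['options'])) {
    $decoded = drupal_json_decode($_GET['options']);
    if (is_array($decoded)) {
      $options = $decoded;
    }
  }
  // Same normalisation as the link builder, otherwise valid links would fail.
  ksort($options);

  // A hand-typed /token/tree URL, or a link copied from another session,
  // carries no valid token for these options and is denied here.
  if (empty($_GET['token'])
      || !drupal_valid_token($_GET['token'], 'token-tree:' . serialize($options))) {
    return MENU_ACCESS_DENIED;
  }

  // Token checked out: render the tree with the validated options
  // (theme('token_tree', ...) is the Token module's existing theme hook).
  return theme('token_tree', $options);
}
```

Because drupal_valid_token() mixes in the session ID, the token also changes per session, so tampering with the options query parameter after the fact invalidates the link.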

Files:
#1: 1764024-secure-token-tree-page-callback.patch (2.69 KB, Dave Reid)
Test result: PASSED: [[SimpleTest]]: [MySQL] 345 pass(es).

Comments

Dave Reid:

Status: Active » Needs review
Attached file: new, 2.69 KB

Please test the following patch.

Dave Reid:

Tested and confirmed with the token dialog link used by the Metatag module.

Dave Reid:

Status: Needs review » Fixed

Automatically closed -- issue fixed for 2 weeks with no activity.