Harden access to the token/tree page callback

We should add a token to the link output by theme_token_tree_link() based on the serialized token tree options and check that token in the callback of token_page_output_tree(). This will prevent random people from accessing the /token/tree page and being able to see what tokens are available on a site.

This issue was cleared by the security team to be fixed publicly since no actual private information (i.e. token values) is disclosed, only the available tokens themselves.

Comment	File	Size	Author
#1	1764024-secure-token-tree-page-callback.patch	2.69 KB	dave reid

Comments

Comment #1

he/him

English

Nebraska USA

commented 30 August 2012 at 15:58

Status:

Active

» Needs review

Status	File	Size
new	1764024-secure-token-tree-page-callback.patch	2.69 KB

Please test the following patch.

Log in or register to post comments

Comment #2

he/him

English

Nebraska USA

commented 30 August 2012 at 16:02

Tested and confirmed with the token dialog link used by the Metatag module.

Log in or register to post comments

Comment #3

he/him

English

Nebraska USA

commented 30 August 2012 at 16:57

Status:

Needs review

» Fixed

Committed #1 to Git: http://drupalcode.org/project/token.git/commit/c1f18d2

Log in or register to post comments

Comment #4

13 September 2012 at 17:01

Automatically closed -- issue fixed for 2 weeks with no activity.

Log in or register to post comments