In #2431283: Cron CSRF vulnerability we are planning to add CSRF protection to cron in the core.
Since admin_menu exposes a link for running cron manually, which points to the core menu callback, its code should be amended to reflect those changes.
We must coordinate and find ways to release this security improvement in the less disruptive way possible.
Please follow the core issue

Comments

willzyx’s picture

truls1502’s picture

Status: Active » Postponed (maintainer needs more info)
Issue tags: +postponed2w

I am sorry for no reply until now.

There are many issues regarding this module admin_menu which is a bit difficult for us to follow up since some of the issues might be already outdated, or is already fixed by the module or any other modules or itself core which means that the problem might no longer need to be fixed.

We can see that the issue has been created for a few years ago, I hope it is okay for you that I am postponing the issue, and give you around two weeks. If you still face the problem, could you tell us the step by step when until you get the error message or what is frustrated you, and a list of modules you are using related to admin_menu and a screenshot that might help us? So it makes us easier to reproduce your issue.

However, after two weeks with no feedback - we will close this issue. So in case, you noticed it after the issue is closed, do not hesitate to reopen it like and fill information which is mentioned above.

So before giving us a feedback, do you mind to test it again with our latest 7.x-3.x-dev?

Thank you for understanding! :)

truls1502’s picture

Status: Postponed (maintainer needs more info) » Closed (cannot reproduce)
Issue tags: -postponed2w

This issue has been automatically marked as closed because it has not had recent activity after the last post.

However, if you or someone is still facing the same issue as described to the issue, could you please to re-open the issue by changing the status of the issue, and add an explanation with more details which can help us to reproduce your situation.

Again, thank you for your contributions! :)

salvis’s picture

Status: Closed (cannot reproduce) » Needs review

Yes, we should look into fixing this finally. Let's start by checking the patch.

salvis’s picture

Status: Needs review » Reviewed & tested by the community

I've just committed the patch in Devel and I suggest to commit this one, as explained in #2411615-24: CSRF vulnerabilities in menu callbacks.

You already have token protection for the other relevant menu items, and this one should follow, too, then #2431283-39: Cron CSRF vulnerability in Core can be reviewed and committed.

thalles’s picture

Thanks @salvis!

  • thalles committed 30c1048 on 7.x-3.x authored by willzyx
    Issue #2443855 by willzyx, truls1502, salvis, thalles: Add CSFR...
thalles’s picture

Status: Reviewed & tested by the community » Fixed

Fixed!

salvis’s picture

Thank you, thalles!

Would you care to review #2431283-39: Cron CSRF vulnerability?

salvis’s picture

Can you set it RTBC? I can't because I touched it (even though for for re-rolling), but AFAICS it's working for both Admin Menu and Devel.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

subir_ghosh’s picture

Tha patch works. Thank you.

awasson’s picture

Any thoughts on when or if this will be rolled to the Stable or Dev versions of Admin Menu?

solideogloria’s picture

Title: Add CSFR protection to cron » Add CSRF protection to cron
Issue summary: View changes