Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
In the current 7.x version, we have a CSRF protection added using drupal_get/valid_token
functions. This prevents someone from tricking an administrator from enabling or disabling a country supported in uc_address module.
The attached patch sets _csrf_token
as a requirement, making the links carry a token, and the page callback checks for that key.
Comment | File | Size | Author |
---|---|---|---|
#18 | 2671048-18.patch | 5.63 KB | Ayesh |
| |||
#18 | interdiff-2671048-14-18.txt | 1.38 KB | Ayesh |
#14 | interdiff-2671048.txt | 1.95 KB | longwave |
#14 | 2671048-csrf.patch | 4.81 KB | longwave |
|
Comments
Comment #2
longwaveIt looks like this should also be added to other enable/disable links, such as the ones in uc_payment.
Comment #3
TR CreditAttribution: TR commentedComment #4
TR CreditAttribution: TR commentedYes, it should be added in a lot of places. It's on my to-do list to review all the routes to see which ones need tokens.
Comment #5
Ayesh CreditAttribution: Ayesh commentedYou are right there were some other places that needed a CSRF token as well.
Attached a patch suggestion, but please do focus on other important issues (as you have said it's already in your list).
Thanks.
Comment #6
Ayesh CreditAttribution: Ayesh commentedComment #8
longwave#5 looks like it was intended for #2662956: Do not show a country dropdown when only one is enabled !
Comment #9
Ayesh CreditAttribution: Ayesh commentedI'm terribly sorry it was a wrong patch, updated tests to use the new CSRF-token URL in the tests.
Comment #10
Ayesh CreditAttribution: Ayesh commentedComment #12
TR CreditAttribution: TR commentedTo be clear, my list says "Check all routes to see if CSRF token is needed". I don't currently have a list of known routes that need to be fixed.
So if you know of any other places, or if you're willing to look and find more of these, your input and patches would be welcome!
Comment #13
TR CreditAttribution: TR commented... let's make sure this gets done for the beta release.
Comment #14
longwaveFixed the test failures. This helper might be useful elsewhere in long tables of identical links!
Comment #15
TR CreditAttribution: TR commentedNice helper function. I wish I had that months ago ...
The only comments I have are we don't need this:
+use Drupal\Core\Url;
And the entity links in uc_tax also need the tokens (including the clone op).
Comment #16
Ayesh CreditAttribution: Ayesh commentedThanks @longwave! Tests passed!!
You are right @TR we are missing tokens in several of the routes from uc_tax module too. I don't know how I missed it from my last commit. Sorry I thought I had every route covered.
I will try to upload another patch after going the gh each of the routing files and with the new test class method to test them.
Comment #17
TR CreditAttribution: TR commentedAyesh, the routes in uc_tax are new, they were added after your original post.
Comment #18
Ayesh CreditAttribution: Ayesh commentedTrying with the
uc_tax
routes included (enable, disable and clone links).Comment #19
longwaveLooks good to me. Will commit it later unless TR beats me to it.
Comment #21
longwaveCommitted, thanks for working on this. Hopefully we remember to add _csrf_token to any similar links we add in the future.