An unused AJAX callback lets visitors see all fields available on that entity.
This problems exists in Drupal 7 and 8/9.
A potential mitigation for this bug would be to add _csrf_token, same as for the token tree route. Then at least only users can access this callback that get the autocomplete route rendered somewhere in the Drupal UI where they can input tokens. All other users that do not get a form with autocomplete tokens cannot guess the CSRF token.
That then still leaves the issue that untrusted users with token input access can see all of your field names.
DamienMcKenna said: I scanned my local git checkout of nearly 1,000 D7 contrib projects and none referenced "token/autocomplete", so this might be something that could be just dropped.
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | token-n3241330-4-d8.patch | 5 KB | damienmckenna |
| #2 | token-n3241330-3-d7.patch | 3.19 KB | damienmckenna |
Comments
Comment #2
damienmckennaThis removes the callback in the D7 module.
Comment #3
damienmckennaThe same change for the D8 version.
Comment #4
klausiThanks, makes sense to me.
I also checked our Drupal 7 and Drupal 9 code bases and could not find references to "token/autocomplete" and "token.autocomplete" except for the instances that you remove here. Seems to be totally unused.
The autocomplete was introduced 11 years ago in #821008: Add token devel pages to inspect tokens on nodes, comments, users, etc with Devel module integration, so I think it really is unused otherwise.
Comment #6
berdirCommitted to 8.x, but I haven't ever done anything with 7.x
Comment #7
gregglesThis seems good to me for D7 so I plan to commit it shortly.
Comment #9
gregglesThanks, all! I will see about making a new release.
Comment #10
gregglesNew release coming at https://www.drupal.org/project/token/releases/7.x-1.9
Comment #12
joseph.olstad@greggles @DamienMcKenna,
this change may have broken Media automated testing.
Automated testing is failing on tokens tests
?
https://www.drupal.org/pift-ci-job/2348359
The media module relies on a tagged version of token for it's automated tests.
Comment #13
joseph.olstadVery strange, last known passed test in media was around this time
9 Apr 2021 at 18:44 UTC - D7 62 pass
no code changes were made since other than what I reverted
Comment #14
joseph.olstadah, nevermind, it looks like it's related to a 'core' change.. :(
Thanks again DamianMcKenna was already on this.
#3271006: Tests break due to change in core's default file field path settings
unfortunately now I have to deal with it for 'media'
but good to see fix for 'metatag'
Comment #15
damienmckennaJust to be clear - Metatag has a workaround, but it's ultimately a core bug.
Comment #16
joseph.olstad@DamienMcKenna,
Thanks for reminding me, yes that's what I understood from your notes. I've tried doing a similar workaround in the media module but I had to revert it all none of what I tried worked.
I guess if it's a core but I could just ignore it but it'd be nice to see green again.
Comment #17
joseph.olstad#3272112: MEDIA - Tests break due to change in core's default file field path settings
**update** down to only one test fail (from 4)