Use security tokens in admin links [#2855901]

These links should use tokens, I'll email why.

Comment	File	Size	Author
	biblio-publication-types-csfr-hide-show-links-1.patch	3.37 KB	Alan D.
	7.x-1.x: PHP 7.2 & MySQL 5.5, D7.64 24 pass PHP 5.6 & MySQL 5.5, D7.64 24 pass PHP 7.1 & MySQL 5.5, D7.64 24 pass PHP 7.1 & PostgreSQL 9.1, D7.64 24 pass

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

25 February 2017 at 03:49

Alan D. created an issue. See original summary.

Comment #2

Alan D. CreditAttribution: Alan D. commented 2 February 2019 at 03:13

Priority:

Critical

» Normal

Since the security issues are all public... this is a Cross-Site Request Forgery (CSRF).

You could embed these links as image src attributes, get the admin to visit the page, and iff they are logged in, each would be actioned!

Comment #3

Liam Morland

English

Ontario, CA 🇨🇦

CreditAttribution: Liam Morland at University of Waterloo commented 4 February 2019 at 19:33

Parent issue:

» #2856491: Biblio Security Vulnerabilities

Comment #4

8 February 2019 at 18:16

Liam Morland committed ee585a4 on 7.x-1.x authored by Alan D.

Issue #2855901 by Alan D., Liam Morland: Use security tokens in admin...

Liam Morland committed f2c93c7 on 7.x-1.x

Issue #2855901 by Liam Morland: Refactor visibility link generation

Comment #5

Liam Morland

English

Ontario, CA 🇨🇦

CreditAttribution: Liam Morland at University of Waterloo commented 8 February 2019 at 18:16

Title:	Publication type links	» Use security tokens in admin links
Status:	Needs review	» Fixed

Comment #6

22 February 2019 at 18:19

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Use security tokens in admin links

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Parent issue

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community