Problem/Motivation

This module has a CSRF vulnerability.
The gaya_popup.enable_message and gaya_popup.disable_message routes are not protected against CSRF.

Steps to reproduce

1. Create at least one popup and enable it.
2. As a user who can insert an img tag on the site, insert this HTML:

<img src="http://example.com/popup/disable/1">

3. If another user with the "view popup message entity" permission displays the page, the popup is disabled without a confirmation.

Proposed resolution

The routes should probably have the _csrf_token requirement: https://www.drupal.org/docs/8/api/routing-system/access-checking-on-rout...

Remaining tasks

User interface changes

API changes

Data model changes
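An added illustration of the proposed resolution, not code from the gaya_popup module: the route definition as the report describes it (no CSRF requirement) beside the hardened form that adds the `_csrf_token` requirement from Drupal's routing system. The route names and the "view popup message entity" permission come from the report; the paths, the `{gaya_popup}` parameter and the controller class are assumptions for illustration, and the two YAML documents are separated with `---` only so that both shapes can sit in one block.

```yaml
# Added example, not the module's actual gaya_popup.routing.yml.
# Route names and the permission string are from the report; path,
# parameter and controller class are assumed for illustration.

# BEFORE: the vulnerable shape described in the report. Any GET request to
# /popup/disable/1 performs the state change, so an <img src="..."> placed
# by another user is enough to trigger it inside a victim's session.
gaya_popup.disable_message:
  path: '/popup/disable/{gaya_popup}'
  defaults:
    _controller: '\Drupal\gaya_popup\Controller\PopupController::disable'
  requirements:
    _permission: 'view popup message entity'

---
# AFTER: both routes carry the _csrf_token requirement. Drupal's CSRF access
# check now denies the request unless the query string carries a ?token=
# value that is valid for this path and the current session. Links built
# with Url::fromRoute('gaya_popup.disable_message', ['gaya_popup' => $id])
# get that token appended automatically by core's CSRF route processor, so
# the module's own links keep working, while an injected <img> has no way
# to obtain the victim's token.
gaya_popup.enable_message:
  path: '/popup/enable/{gaya_popup}'
  defaults:
    _controller: '\Drupal\gaya_popup\Controller\PopupController::enable'
  requirements:
    _permission: 'view popup message entity'
    _csrf_token: 'TRUE'

gaya_popup.disable_message:
  path: '/popup/disable/{gaya_popup}'
  defaults:
    _controller: '\Drupal\gaya_popup\Controller\PopupController::disable'
  requirements:
    _permission: 'view popup message entity'
    _csrf_token: 'TRUE'
```

Two checks worth doing after applying a change like this: any link to these routes that is hard-coded in a Twig template or built as a plain string rather than through `Url::fromRoute()` will start returning 403 until it is regenerated with the token, so grep the module for literal `/popup/enable` and `/popup/disable` paths; and because the routes still change state on a GET request, a confirmation form submitted by POST (which carries Drupal's form token by itself) is the more robust long-term shape for enable/disable actions.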

Issue fork gaya_popup-3562931

Comments

prudloff created an issue. See original summary.

fabsgugu commented:

Hello,

Thank you for the issue, I will make a correction.

fabsgugu commented:

Status: Active » Needs review

  • fabsgugu committed 27d0dbec on 1.0.x: "fix: #3562931 Enable/disable routes are not protected against CSRF"
fabsgugu commented:

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.