Contrib.social

include more specific information in tokens, validate blocks on save

Open on Drupal.org β†’
Created on 22 September 2011, over 13 years ago
Updated 31 October 2023, over 1 year ago

I noticed two related problems:

1. The token for adding a block is just based on "homebox-$page->name" which means it is the same for adding any block. Ideally tokens are based on something unique to the site (private key) something unique to the user (session id) and something unique to the action being taken (e.g. a form ID if the form is only shown once on a page). drupal_get_token takes care of the first two parts, so it's up to homebox to use something like "homebox-$page->name-$block_module-$delta" as the token when building up the links for adding a block.

2. Once you have a token it's possible to request other blocks. So, I have a homebox at "funtimes" and I look at the source and find my token, I can make a request like:

http://d6.local/homebox/js/funtimes/add/user/3?token=95203e742a24ecec09e...

And now I add the "who's online" block to my dashboard settings. Note that it doesn't actually show me that block because homebox_build helpfully confirms the list of available blocks and sanity checks my list against that list before displaying them.

So, adding more unique information to the token would prevent me from doing item 2 (it would also complicate the access callback slightly). Problem 2 could also be solved by moving the " $allowed_blocks" check out of homebox_build to a helper function and using that helper function in _homebox_save_user_settings

πŸ› Bug report
Status

Closed: outdated

Version

2.0

Component

Code

Created by

πŸ‡ΊπŸ‡ΈUnited States greggles Denver, Colorado, USA

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment about 2 years ago β†’
    πŸ‡©πŸ‡ͺGermany Anybody Porta Westfalica
  • Status changed to Active about 2 years ago
  • Comment about 2 years ago β†’
    πŸ‡ΊπŸ‡ΈUnited States greggles Denver, Colorado, USA

    7.x-2.x is still supported on the project page. Looking at the code it seems it's still present in homebox_get_token which I think is the relevant function, but I could be confused.

    Can you give some more insight into that status change?

    Re-opening for now.

  • Comment about 2 years ago β†’
    πŸ‡©πŸ‡ͺGermany Anybody Porta Westfalica

    Thanks @greggles, sorry. I did a cleanup of all long inactive issues. The maintainers won't work on such issues for Drupal 7 anymore, focusing on 3.0.x.

    We can keep this open, if anyone would like to work on this and provides a patch.

    As this might have security implications, let's leave this open indeed.

  • Status changed to Closed: outdated over 1 year ago
  • Comment over 1 year ago β†’
    πŸ‡©πŸ‡ͺGermany Anybody Porta Westfalica

    12y old

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024