Drupal adds tokens to forms for cross-site request forgery (CSRF) protection, but unconditionally skips doing so for anonymous users.
In most cases this does not matter (if an anonymous user can submit a form, a potential attacker can simply submit it themselves anyway), but on sites that display pages differently to different anonymous users (based on IP address or session information) it can matter, and it would be useful to have the option to add a form token in those cases.
This issue was discussed internally in the Drupal Security Team first, and we felt it could be a public issue because of its unusual nature and limited impact.
As for possible solutions, Heine (who originally reported the issue behind this one) suggested, for example, that when caching is disabled the token could easily be added even if the form is being viewed by an anonymous user.
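As an added illustration (not the issue's patch and not Drupal core code), the following Drupal 7 style `hook_form_alter()` implements the caching-disabled case from a module: it attaches a session-bound token for anonymous users only when the page cache is off and a session exists. It assumes the Drupal 7 Form API; `MYMODULE` is a placeholder module name.

```php
<?php
/**
 * Implements hook_form_alter().
 *
 * Core attaches form_token only when $user->uid is non-zero, so a site that
 * has disabled page caching and serves per-session pages to anonymous users
 * can attach its own token here. MYMODULE is a placeholder module name.
 */
function MYMODULE_form_alter(&$form, &$form_state, $form_id) {
  // Core already protects authenticated users. For anonymous users the token
  // is only safe when the page cache is off; a cached page would hand one
  // visitor's token to every other visitor.
  if (!user_is_anonymous() || variable_get('cache', 0)) {
    return;
  }
  // drupal_get_token() mixes session_id() into the HMAC. Without a started
  // session the token would be identical for every anonymous visitor and
  // give no CSRF protection, so do nothing in that case.
  if (!drupal_session_started()) {
    return;
  }
  $form['mymodule_form_token'] = array(
    '#type' => 'hidden',
    '#value' => drupal_get_token($form_id),
  );
  $form['#validate'][] = 'MYMODULE_anonymous_token_validate';
}

/**
 * Form validation handler: rejects submissions whose token does not match
 * the current session.
 */
function MYMODULE_anonymous_token_validate($form, &$form_state) {
  $token = isset($form_state['values']['mymodule_form_token'])
    ? $form_state['values']['mymodule_form_token'] : '';
  if (!drupal_valid_token($token, $form['#form_id'])) {
    form_set_error('mymodule_form_token', t('The form has become outdated. Copy any unsaved work in the form below and then reload this page.'));
  }
}
```

Note that an anonymous token is only as strong as the session binding: if the site never starts a session for anonymous visitors, an attacker can fetch the same token themselves, which is exactly the "in most cases this does not matter" situation described above.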
Status: Needs work (version 11.0)