_csrf_token is broken due to cacheability metadata integration, results in rendered links without valid CSRF tokens

Created on 8 December 2015, almost 10 years ago
Updated 10 May 2023, over 2 years ago

Problem/Motivation

Let's assume we have the following routing definition:

features.export_download:
  path: '/admin/config/development/configuration/features/download/{uri}'
  defaults:
    _controller: 'Drupal\features\Controller\FeaturesController::downloadExport'
  requirements:
    _permission: 'export configuration'
    _csrf_token: 'TRUE'

And the following code in a form submit function:

  public function exportFormSubmit(array &$form, FormStateInterface $form_state) {
    // Redirect to the archive file download.
    $form_state->setRedirect('features.export_download', ['uri' => $this->archiveName]);
  }

Result: The token has the sha1 hash, not the actual CSRF token

Proposed resolution

  • Apply the CSRF token replacement in \Drupal\Core\Form\FormSubmitter::redirectForm (sounds wrong)
  • Provide a way to generate the URL with the CSRF token (seems impossible at the moment, we always pass along GeneratedUrl)

Remaining tasks

User interface changes

API changes

Data model changes
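Worked example for the problem described in the summary, added here and not taken from the issue, from Drupal core or from the Features module. It shows two things: a submit handler that redirects to the `features.export_download` route with a token the access check will accept, and a check that inspects a redirect target the way core's CSRF access check does (same path derivation: the route path with parameters substituted and the leading slash removed). The function names and the `$archive_name` parameter are illustrative. The redirect helper assumes that a `token` supplied via the `query` URL option is kept in preference to the placeholder the route processor adds as an extra parameter; confirm that against the core version in use before relying on it.

```php
<?php

declare(strict_types=1);

// Added example, not core or Features code. Function names are illustrative.

use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Url;
use Symfony\Component\HttpFoundation\RedirectResponse;

/**
 * The value a CSRF token for a _csrf_token route is bound to.
 *
 * Core derives it from the route path with parameters substituted and the
 * leading slash removed; Url::getInternalPath() yields exactly that.
 */
function csrf_path_for_route(string $route_name, array $parameters): string {
  return Url::fromRoute($route_name, $parameters)->getInternalPath();
}

/**
 * Redirect target for the export download carrying a real, current token.
 *
 * The token is computed here instead of being left to the route processor,
 * which would emit a placeholder that nothing replaces in a Location header.
 * Assumption: an explicit 'token' query option is kept over that placeholder.
 */
function export_download_url(string $archive_name): Url {
  $route_name = 'features.export_download';
  $parameters = ['uri' => $archive_name];
  $token = \Drupal::csrfToken()->get(csrf_path_for_route($route_name, $parameters));
  return Url::fromRoute($route_name, $parameters, ['query' => ['token' => $token]]);
}

/**
 * Submit handler variant: hand the form system a finished response so the
 * redirect is not built by FormSubmitter from a placeholdered GeneratedUrl.
 */
function example_export_form_submit(array &$form, FormStateInterface $form_state, string $archive_name): void {
  $url = export_download_url($archive_name)->setAbsolute()->toString();
  $form_state->setResponse(new RedirectResponse($url));
}

/**
 * Reproduction check: would CsrfAccessCheck accept this redirect target?
 *
 * Returns NULL when the token validates, otherwise the reason it would be
 * refused. Feed it the Location header of the form POST response together
 * with the route name and parameters that were passed to setRedirect().
 */
function check_redirect_csrf_token(string $location, string $route_name, array $parameters): ?string {
  $query = [];
  parse_str((string) parse_url($location, PHP_URL_QUERY), $query);
  if (!isset($query['token'])) {
    return 'token query argument is missing';
  }
  $path = csrf_path_for_route($route_name, $parameters);
  if (!\Drupal::csrfToken()->validate((string) $query['token'], $path)) {
    // This is the failure mode from the summary: the query carries the
    // route processor's placeholder hash, which does not validate as a token.
    return 'token query argument does not validate for path ' . $path;
  }
  return NULL;
}
```

With the original `setRedirect()` handler, `check_redirect_csrf_token()` returns the "does not validate" reason for the Location header of the submit response; with the `setResponse()` variant it returns NULL. That distinction is the kind of assertion an automated test for this issue needs: it must fail on current code and pass once the redirect carries a token bound to the same path the access check derives.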

πŸ› Bug report
Status

Needs work

Version

9.5

Component
Render

Last updated 8 days ago

Created by

🇩🇪 Germany dawehner

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

  • Triaged core major

    There is consensus among core maintainers that this is a major issue. Only core committers should add this tag.

  • Contributed project blocker

    It denotes an issue that prevents porting of a contributed project to the stable version of Drupal due to missing APIs, regressions, and so on.


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇺🇦 Ukraine ollie-db

    Is this the reason why I cannot download the archive? I get a 404 Not Found error in a Docker container.

  • Status changed to Postponed: needs info 12 days ago
  • 🇺🇸 United States smustgrave

    This came up as a daily BSI target

    Reading the comments, it sounds like we need to add the test patch from #48, but for the solution I'm not 100% sure the older patches still apply here. Not just physically but with today's core infrastructure.

    But think it would be good to get concrete steps to reproduce.

    Thanks all
