CSRF token on routes with default parameters fails the validation

Created on 28 February 2018, almost 7 years ago
Updated 30 January 2023, almost 2 years ago

Problem/Motivation

If a route has a default parameter and a CSRF token requirement, and the default parameter is not set during URL generation, then the generated CSRF token will not validate.

The problem is that when the token is generated, the UrlGenerator passes only the provided parameters to the route processors, without the default ones merged in. When the CSRF token is validated on the incoming request, all the parameters are provided, so a different value is used to generate the token in the two cases.

Proposed resolution

Pass the merged parameters to the route processors.

Remaining tasks

User interface changes

API changes

Data model changes

πŸ› Bug report
Status

Needs work

Version

10.1

Component
Routing

Last updated 3 days ago

Created by

Germany hchonov
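
The mismatch described in the issue summary, as an added example that is not Drupal core code and not part of the original issue: a simplified model in which the token is an HMAC over the route path after placeholder substitution. The function names, route path, default value and secret are all constructed for illustration.

```php
<?php
// Simplified model of a path-bound CSRF token; hypothetical names, not Drupal's API.
const SECRET = 'constructed-per-session-secret';

// Substitute {placeholders} with the given parameters and sign the result.
function path_for(string $routePath, array $parameters): string {
  $path = ltrim($routePath, '/');
  foreach ($parameters as $name => $value) {
    $path = str_replace('{' . $name . '}', (string) $value, $path);
  }
  return $path;
}

function csrf_token_for(string $routePath, array $parameters): string {
  return hash_hmac('sha256', path_for($routePath, $parameters), SECRET);
}

// Validation side: the router has already resolved every parameter,
// including defaults, before the access check runs.
function validate(string $token, string $routePath, array $resolved): bool {
  return hash_equals(csrf_token_for($routePath, $resolved), $token);
}

$routePath = '/example/action/{mode}';   // constructed route
$defaults  = ['mode' => 'full'];          // constructed default

$cases = [
  'default omitted by caller' => [[], ['mode' => 'full']],
  'default overridden'        => [['mode' => 'teaser'], ['mode' => 'teaser']],
];

foreach ($cases as $label => [$provided, $incoming]) {
  // Reported behaviour: the processor sees only the provided parameters,
  // so an omitted default leaves the literal "{mode}" in the signed path.
  $reported = csrf_token_for($routePath, $provided);
  // Proposed resolution: merge defaults first; provided values win.
  $merged = csrf_token_for($routePath, $provided + $defaults);

  printf("%s\n  signed (provided only): %s\n  signed (merged):        %s\n",
    $label, path_for($routePath, $provided),
    path_for($routePath, $provided + $defaults));
  printf("  validates (provided only): %s\n  validates (merged):        %s\n",
    var_export(validate($reported, $routePath, $incoming), true),
    var_export(validate($merged, $routePath, $incoming), true));
}
```

The failure is a false rejection of a legitimate token, and the merge order (`$provided + $defaults`) matters so that an explicitly passed value is never replaced by the default.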


Comments & Activities


  • The Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

    Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.
