Layout Builder move block and add section routes vulnerable to CSRF

Open on Drupal.org →

Created on 19 October 2023, over 1 year ago

Problem/Motivation

This was originally logged as a private issue to the security team, but was cleared to be moved to the public queue
Drupal Core's Layout Builder module has a mild CSRF vulnerability.

You can see this vulnerability by:
1. Enabling the layout builder module
2. As a malicious user, craft a url that matches the layout_builder.move_block route, i.e '/layout_builder/move/block/{section_storage_type}/{section_storage}/{delta_from}/{delta_to}/{region_to}/{block_uuid}/{preceding_block_uuid}
3. Trick a user with the ability to view layout builder for the given storage type (defaults, or overrides) and storage (a view display or a specific entity)
4. Note that the block is moved in the temp store for the given layout
5. The route layout_builder.add_section has the same issue

This is only a mild nuisance because it would require someone to save changes for the layout and commit the 'tempstore'. The action for that is behind a form, and hence not vulnerable to CSRF.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

🐛 Bug report

Status

Needs review

Version

11.0 🔥

Component

Layout builder →

Last updated about 8 hours ago

Maintained by
🇺🇸United States @tedbow
🇺🇸United States @dyannenova
🇺🇸United States @tim.plunkett

Created by

🇦🇺Australia larowlan 🇦🇺🏝.au GMT+10

Live updates comments and jobs are added and updated live.

Security improvements
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Sign in to follow issues

Merge Requests

!6059Layout Builder move block and add section routes vulnerable to CSRF
Open
🇮🇳India prashant.c
updated about 1 month ago

Comments & Activities

Issue created by @larowlan
Open in Jenkins → Open on Drupal.org →
Environment: PHP 8.2 & MySQL 8
37:45
36:45
Running
Status changed to Needs work over 1 year ago3:02pm 20 October 2023
Comment over 1 year ago →
🇺🇸United States smustgrave
Ran the attached patch but seemed to have failures.
Comment over 1 year ago →
🇮🇳India rksyravi New Delhi, 🇮🇳
Hi @larowlan

Please add the steps to reproduce.
Comment over 1 year ago →
🇦🇺Australia larowlan 🇦🇺🏝.au GMT+10
Move the steps under the heading, they were there :)
Comment over 1 year ago →
🇮🇳India prashant.c Dharamshala
Prashant.c → made their first commit to this issue’s fork.
Merge request !6059Layout Builder move block and add section routes vulnerable to CSRF → (Open) created by prashant.c
Comment over 1 year ago →
🇮🇳India prashant.c Dharamshala
Applied the patch provided patch → , added Dependency injection for the services, raised MR as well.

Thank you
Pipeline finished with Failed
over 1 year ago
Total: 632s
#73352
First commit to issue fork.
Pipeline finished with Failed
about 1 month ago
Total: 638s
#500376

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024