- Issue created by @SenthilMohith
- 🇮🇳India SenthilMohith Chennai
Please refer to the attached patch; it will resolve this issue.
- Status changed to Needs review
11 months ago 7:42am 1 July 2024 - Status changed to RTBC
11 months ago 8:34am 1 July 2024 - 🇮🇳India nanny1979
This patch is tested and working as expected.
Screenshots attached.
1. Before applying the patch
2. When patch is applied
3. After applying patch - Status changed to Needs work
11 months ago 12:29pm 1 July 2024 Please open a merge request against the 11.x-dev branch. We can't test patches here any more.
"Other then" should be "other than".
- First commit to issue fork.
- Merge request !9193 issue:3458218 X-CSRF-Token request header is missing issue fixed → (Open) created by shalini_jha
- Status changed to Needs review
10 months ago 12:04pm 13 August 2024 - 🇮🇳India shalini_jha
I have added a merge request against the 11.x branch, including the existing patch changes,
and also fixed the typo issue. Please review. - Status changed to Needs work
10 months ago 3:01pm 13 August 2024 - First commit to issue fork.
- Status changed to Needs review
10 months ago 11:55am 14 August 2024 - 🇮🇳India arunkumark Coimbatore
Added test case for the new changes of Bearer check. Moving to NR. - 🇮🇳India shalini_jha
@arunkumark FYI, I'm already working on this issue, but the feedback added here is not 24 hrs old yet; you should wait at least 24 hrs if someone is already working on it.
I hope you'll understand my concerns. - 🇺🇸United States smustgrave
@shalini_jha if you were working on it you should assign it to yourself
- 🇮🇳India shalini_jha
Thank you @smustgrave for providing this info; I wasn't aware of it. From next time I'll assign it to myself.
- Status changed to RTBC
10 months ago 2:44pm 20 August 2024 - Status changed to Needs work
9 months ago 10:34pm 13 September 2024 - 🇬🇧United Kingdom catch
This would allow anyone to bypass REST module's CSRF protection just by adding 'bearer' in the header. I think this needs to be fixed in simple_oauth module, for example replacing the access check.
- Status changed to Postponed: needs info
9 months ago 7:15am 14 September 2024 - 🇬🇧United Kingdom catch
Moving to needs more info. If this is a bug at all, it would be against simple_oauth, but it sounds like it might be a client implementation issue (see above).
- 🇪🇸Spain rodrigoaguilera Barcelona
Given the last comment I don't think this is a novice issue anymore, and it is up to the reporter to clarify.
I was testing my API with Bruno when this became an issue for me too. In my case at least, the comment at https://drupal.stackexchange.com/a/307648 led me to the solution, i.e. Bruno now stored the Drupal session cookie and, because of this, also expected the CSRF token in the header, even though it hadn't before when using OAuth.
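An added illustration (Python, not Drupal core or simple_oauth code) of two points made in this thread: catch's comment that waiving the CSRF token whenever the Authorization header contains 'bearer' would let anyone bypass the REST module's CSRF protection, and the last comment's observation that the problem only shows up once the client sends a stored session cookie alongside its OAuth bearer token. The `Request` class, the `SESS` cookie-name prefix, the token values and the two access functions are all constructed here to model the decision; Drupal's real `X-CSRF-Token` access check and simple_oauth's token provider are not reproduced.

```python
"""Model of the CSRF-header access decision discussed in this issue.

Added illustration, not Drupal core or simple_oauth code. A session cookie
sent together with an Authorization header is the combination behind the
reported behaviour. The two access functions below contrast a check that
waives the CSRF token whenever the header merely says "Bearer" with one
that waives it only after the bearer token has actually been validated.
"""
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

# Constructed sample secrets (hypothetical; not real tokens).
VALID_CSRF_TOKEN = "csrf-token-constructed"
VALID_BEARER_TOKENS = {"bearer-token-constructed"}


@dataclass
class Request:
    """Minimal stand-in for the parts of an HTTP request the check inspects."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

    def header(self, name):
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def has_session(req):
    """A session cookie is what lets a browser be made to send an
    authenticated request on the user's behalf, so its presence is what
    makes the CSRF token necessary (cookie name prefix is modelled here)."""
    return any(name.startswith("SESS") for name in req.cookies)


def bearer_token_is_valid(req):
    """Parse 'Authorization: Bearer <token>' and validate the token against
    the constructed set of tokens the OAuth provider would accept."""
    auth = req.header("Authorization") or ""
    scheme, _, token = auth.partition(" ")
    return scheme.lower() == "bearer" and token.strip() in VALID_BEARER_TOKENS


def csrf_token_is_valid(req):
    return req.header("X-CSRF-Token") == VALID_CSRF_TOKEN


def access_skip_on_bearer_header(req):
    """Weak check: the token requirement is dropped as soon as the
    Authorization header contains 'bearer', whether or not the token is
    real. The header's mere presence proves nothing about who sent the
    request, so the CSRF protection is gone for every session-cookie user."""
    if req.method in SAFE_METHODS or not has_session(req):
        return True
    if "bearer" in (req.header("Authorization") or "").lower():
        return True
    return csrf_token_is_valid(req)


def access_skip_on_validated_bearer(req):
    """Hardened check: the token requirement is dropped only when the
    bearer token has been validated, i.e. the request is shown to come
    from an OAuth client rather than from a browser replaying the
    session cookie."""
    if req.method in SAFE_METHODS or not has_session(req):
        return True
    if bearer_token_is_valid(req):
        return True
    return csrf_token_is_valid(req)


def evaluate(req):
    """Return both decisions so the two checks can be compared side by side."""
    return {
        "skip_on_header": access_skip_on_bearer_header(req),
        "skip_on_validated": access_skip_on_validated_bearer(req),
    }


if __name__ == "__main__":
    # Constructed request: a logged-in browser session whose POST carries a
    # made-up Authorization header but no CSRF token, the situation catch
    # describes above.
    forged = Request("POST",
                     headers={"Authorization": "Bearer not-a-real-token"},
                     cookies={"SESS1234": "cookie"})
    print(evaluate(forged))  # {'skip_on_header': True, 'skip_on_validated': False}
```

Running the module prints the side-by-side result for the session-plus-unvalidated-bearer case: the header-only check grants access, the validated check still demands the CSRF token. A real OAuth client whose bearer token validates passes both checks without a CSRF token, and a request with no session cookie at all never needs one, which is the behaviour the thread expects.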