Anyone who knows a submission's uuid can confirm that submission

Created on 23 October 2024, 7 months ago

Problem/Motivation

This module has a potential security issue. The submission confirmation endpoint only takes a submission UUID, which means that anyone who knows that UUID can confirm the submission. The UUID is not very secret information; in certain setups it might be exposed when creating the submission.

Proposed resolution

Create confirmation URLs that contain the submission UUID, the submission created timestamp and a hash of both previous values combined, hashed using the site hash salt as secret key. This is similar to the way password reset links are constructed in Drupal. As an added benefit, we can add an option to the webform handler to make confirmation links expire, without much additional effort.

User interface changes

For end users, none. For webform editors, a new 'Expire after' option in the handler settings.

🐛 Bug report
Status

Active

Version

1.0

Component

Code

Created by

🇧🇪Belgium dieterholvoet Brussels
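
The proposed resolution above, sketched as an added example in plain PHP (not code from the module or from Drupal). The `/confirm/...` path layout, the function names, the `:` separator and all sample values are assumptions made for illustration; `HASH_SALT` stands in for the site hash salt.

```php
<?php
declare(strict_types=1);

// Assumption: placeholder for the site hash salt (constructed value).
const HASH_SALT = 'constructed-example-salt';

// URL-safe base64 without padding, so the hash fits in a path segment.
function base64url(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// HMAC-SHA256 over "uuid:created", keyed with the salt.
function confirmation_hash(string $uuid, int $created, string $key): string {
    return base64url(hash_hmac('sha256', $uuid . ':' . $created, $key, true));
}

// Hypothetical path layout: /confirm/{uuid}/{created}/{hash}
function confirmation_path(string $uuid, int $created, string $key): string {
    return sprintf('/confirm/%s/%d/%s', $uuid, $created,
        confirmation_hash($uuid, $created, $key));
}

// $storedCreated is the created time loaded from the submission found by UUID.
// $expireAfter is the link lifetime in seconds; 0 disables expiry.
function verify_confirmation(string $uuid, int $created, string $hash,
    int $storedCreated, string $key, int $expireAfter, int $now): bool {
    // The timestamp in the URL must match what is stored for the submission.
    if ($created !== $storedCreated) {
        return false;
    }
    // Constant-time comparison against the hash recomputed server-side.
    if (!hash_equals(confirmation_hash($uuid, $storedCreated, $key), $hash)) {
        return false;
    }
    return $expireAfter === 0 || ($now - $storedCreated) <= $expireAfter;
}

// Constructed sample submission.
$uuid = '123e4567-e89b-12d3-a456-426614174000';
$created = 1729680000;
[, , $u, $c, $h] = explode('/', confirmation_path($uuid, $created, HASH_SALT));

// Link as issued, checked one hour later with a one-day lifetime.
var_dump(verify_confirmation($u, (int) $c, $h, $created, HASH_SALT, 86400, $created + 3600));
// Known UUID and timestamp, but a hash not derived from the salt.
var_dump(verify_confirmation($u, (int) $c, 'guessed', $created, HASH_SALT, 86400, $created + 3600));
// Link as issued, checked two days later with a one-day lifetime.
var_dump(verify_confirmation($u, (int) $c, $h, $created, HASH_SALT, 86400, $created + 172800));
```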
