Add CSRF protection for the enable/disable client routes

Open on Drupal.org →

Created on 13 February 2025, 3 months ago

Problem/Motivation

Originally reported on security.drupal.org, but was deemed ok to discuss in public.

The enable/disable client routes provide an AJAX callback that allows the clients to be enabled/disabled. These routes are vulnerable to CSRF.

Proposed resolution

Add CSRF requirement to the routes.

🐛 Bug report

Status

Active

Version

3.0

Component

Code

Created by

🇺🇸United States pfrilling Minster, OH

Live updates comments and jobs are added and updated live.

Sign in to follow issues

Merge Requests

!141Add CSRF protection for the enable/disable client routes
Merged
🇺🇸United States pfrilling
updated 3 months ago

Comments & Activities

Issue created by @pfrilling
Merge request !141Added CSRF route protection → (Merged) created by pfrilling
Comment 3 months ago →
🇳🇿New Zealand ericgsmith
pfrilling → credited ericgsmith → .
Comment 3 months ago →
🇵🇹Portugal jcnventura
pfrilling → credited jcnventura → .
Comment 3 months ago →
🇧🇪Belgium mr.baileys 🇧🇪 (Ghent)
pfrilling → credited mr.baileys → .
Comment 3 months ago →
🇦🇺Australia mstrelan
pfrilling → credited mstrelan → .
Comment 3 months ago →
🇺🇸United States pfrilling Minster, OH
Marking this as RTBC as the code was already reviewed in a patch on s.d.o.
Comment 3 months ago →
System Message

pfrilling → committed 8f96b4f0 on 3.x
Issue #3506413 by pfrilling, ericgsmith, jcnventura, mr.baileys,...
Comment 3 months ago →
🇺🇸United States pfrilling Minster, OH
Comment 2 months ago →
🇨🇦Canada joseph.olstad
Alpha6 → causes an issue in keycloak reported by two others

I'm not sure which change in alpha6 is causing this.
Comment 2 months ago →
🇦🇺Australia mstrelan
Doesn't make sense for that to be the parent issue, removing.
Comment about 2 months ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024