Protect type_tray.favorites route against CSRF attacks

Created on 8 March 2025, about 2 months ago

Problem/Motivation

The type_tray.favorites route is not protected against CSRF attacks.
The impact is pretty limited since it only allows adding/removing favorite bundles.

This was originally logged as a private issue to the security team, but was cleared to be moved to the public queue.

Steps to reproduce

Send a GET request to http://example.com/type-tray/favorites-action/page/remove.
It does not require a CSRF token or a confirmation.

Proposed resolution

The route should use _csrf_token: 'TRUE'.
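As an added example that is not the type_tray module's own code, the following shows the routing entry before and after the proposed change, and a controller that builds the favorites link so that the token is attached automatically. The route path parameters ({bundle}, {action}), the controller class, the permission, the redirect target and the use of the user.data service for storage are all assumptions; only the route name and the _csrf_token requirement come from the issue.

```php
<?php

// Added example, not the type_tray module's code. Assumes route
// type_tray.favorites with path /type-tray/favorites-action/{bundle}/{action}.
//
// type_tray.routing.yml, BEFORE (a plain GET changes the user's favorites):
//
//   type_tray.favorites:
//     path: '/type-tray/favorites-action/{bundle}/{action}'
//     defaults:
//       _controller: '\Drupal\type_tray\Controller\FavoritesController::toggle'
//     requirements:
//       _permission: 'access content overview'
//
// AFTER (the fix proposed in this issue):
//
//   type_tray.favorites:
//     path: '/type-tray/favorites-action/{bundle}/{action}'
//     defaults:
//       _controller: '\Drupal\type_tray\Controller\FavoritesController::toggle'
//     requirements:
//       _permission: 'access content overview'
//       _csrf_token: 'TRUE'
//
// With the requirement in place, core's CsrfAccessCheck denies any request
// whose ?token= query value does not validate for this route's path and the
// current session, so a request forged from a third-party page is rejected
// before the controller runs.

namespace Drupal\type_tray\Controller;

use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Url;
use Symfony\Component\HttpFoundation\RedirectResponse;

class FavoritesController extends ControllerBase {

  /**
   * Builds the add/remove favorite link for a bundle.
   *
   * Because the route declares _csrf_token: 'TRUE', core's RouteProcessorCsrf
   * appends a valid ?token= for the current session when this URL is
   * generated, so the link itself needs no manual token handling.
   */
  public function favoriteLink(string $bundle, bool $is_favorite): array {
    $url = Url::fromRoute('type_tray.favorites', [
      'bundle' => $bundle,
      'action' => $is_favorite ? 'remove' : 'add',
    ]);
    return [
      '#type' => 'link',
      '#title' => $is_favorite
        ? $this->t('Remove from favorites')
        : $this->t('Add to favorites'),
      '#url' => $url,
    ];
  }

  /**
   * Route callback; only reached after the permission and CSRF checks pass.
   *
   * Storage in user.data under the 'favorites' key is an assumption.
   */
  public function toggle(string $bundle, string $action): RedirectResponse {
    $user_data = \Drupal::service('user.data');
    $uid = $this->currentUser()->id();
    $favorites = $user_data->get('type_tray', $uid, 'favorites') ?: [];

    if ($action === 'add') {
      $favorites[$bundle] = $bundle;
    }
    elseif ($action === 'remove') {
      unset($favorites[$bundle]);
    }
    // Any other action value is ignored rather than acted on.

    $user_data->set('type_tray', $uid, 'favorites', $favorites);

    // Redirect target is an assumption; node.add_page is core's /node/add.
    return $this->redirect('node.add_page');
  }

}
```

Links rendered through the render system keep working on cached pages, because core substitutes the token per session rather than baking one copy into the cached markup; links assembled by hand (string concatenation of the path) would bypass this and fail the access check once the requirement is added, which is the quickest way to find any call sites the module still needs to update.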

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Active

Version

1.3

Component

Code

Created by

prudloff (Lille, France)

Tags

  • Security improvements
