routes for processing links are vulnerable to CSRF

Created on 14 May 2025, 8 days ago

Problem/Motivation

This module provides two routes for fixing links in nodes and block content. Each route's controller immediately starts a batch process on a plain GET request, with no confirmation form and no CSRF token.

This makes them vulnerable to CSRF attacks.

redirects_fixer.fix_node_links:
  path: '/admin/config/system/fix_node_links'
  defaults:
    _controller: '\Drupal\redirects_fixer\Controller\FixLinksController::fixInNodes'
  requirements:
    _permission: 'administer site configuration'

redirects_fixer.fix_block_links:
  path: '/admin/config/system/fix_block_links'
  defaults:
    _controller: '\Drupal\redirects_fixer\Controller\FixLinksController::fixInBlocks'
  requirements:
    _permission: 'administer site configuration'

Steps to reproduce

Install the module, and go to admin/config/system/fix_node_links

Proposed resolution

Change the links to be form submit buttons.
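One way to apply this resolution, as an added example that is not the module's own code: replace the `_controller` route default with a `_form` pointing at a confirm form, so the batch is only started from `submitForm()`, which Drupal's Form API runs only on a POST carrying a valid form token. The class, form id, batch callbacks and the `system.admin_config_system` cancel route are assumed names here; the per-item link-fixing logic is left as a stub.

```php
<?php
// Added example (not the redirects_fixer module's code). The matching routing
// change is to swap the controller for the form:
//   defaults:
//     _form: '\Drupal\redirects_fixer\Form\FixNodeLinksForm'
// keeping the existing `_permission: 'administer site configuration'`.

namespace Drupal\redirects_fixer\Form;

use Drupal\Core\Batch\BatchBuilder;
use Drupal\Core\Form\ConfirmFormBase;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Url;

class FixNodeLinksForm extends ConfirmFormBase {

  public function getFormId() {
    return 'redirects_fixer_fix_node_links';
  }

  public function getQuestion() {
    // A GET to the route now only renders this question plus a submit button.
    return $this->t('Fix links in all nodes?');
  }

  public function getCancelUrl() {
    return new Url('system.admin_config_system');
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    // Reached only after the Form API has validated the POSTed form_token, so
    // a cross-site request cannot trigger the batch by loading a URL.
    $batch = (new BatchBuilder())
      ->setTitle($this->t('Fixing node links'))
      ->addOperation([static::class, 'processChunk'], ['node'])
      ->setFinishCallback([static::class, 'finished']);
    batch_set($batch->toArray());
    $form_state->setRedirectUrl($this->getCancelUrl());
  }

  // Hypothetical batch operation: the module's real per-node logic goes here.
  public static function processChunk(string $entity_type, array &$context): void {
    $context['finished'] = 1;
  }

  public static function finished(bool $success, array $results, array $operations): void {
  }

}
```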

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report

Status: Active

Version: 1.0

Component: Code

Created by: 🇬🇧United Kingdom joachim
