Logout route is not protected against CSRF

Created on 19 June 2025, 3 months ago

Problem/Motivation

The basicshib.logout route is vulnerable to CSRF attacks.

Steps to reproduce

If an attacker can insert this kind of HTML in a page:

<img src="http://example.com/basicshib/logout">

Any logged-in user who views that page is logged out without any confirmation.

Proposed resolution

The route should probably have the _csrf_token requirement: https://www.drupal.org/docs/8/api/routing-system/access-checking-on-rout...
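
The proposed fix expressed as a routing.yml fragment, added here as an illustration rather than taken from the basicshib module itself; the controller callback name and the _user_is_logged_in requirement are assumptions, since neither appears on this page:

```yaml
# Before (as reported in this issue) the route carried no CSRF requirement:
#
#   basicshib.logout:
#     path: '/basicshib/logout'
#     defaults:
#       _controller: '...'
#     requirements:
#       _user_is_logged_in: 'TRUE'
#
# With that definition a plain GET triggered by
# <img src="http://example.com/basicshib/logout"> on any page is
# indistinguishable from the user clicking the logout link.

basicshib.logout:
  path: '/basicshib/logout'
  defaults:
    # Placeholder: the real controller class is not on this page.
    _controller: '\Drupal\basicshib\Controller\PLACEHOLDER_LogoutController::logout'
  requirements:
    # Assumed: only a logged-in user has anything to log out of.
    _user_is_logged_in: 'TRUE'
    # Proposed fix: core's CsrfAccessCheck now demands a valid ?token= query
    # parameter derived from the current session and this route's path.
    # A request forged from another origin cannot supply it and is denied.
    _csrf_token: 'TRUE'

# Consequence for the module's own UI: links to this route must be built with
# Url::fromRoute('basicshib.logout') or Link::createFromRoute(), so that core's
# RouteProcessorCsrf appends the token automatically. A hand-written
# <a href="/basicshib/logout"> will fail with access denied after the fix.
```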

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Active

Version

3.0

Component

Documentation

Created by

prudloff (Lille, France)
