mr.baileys had spotted a CSRF vulnerability in the task manager some time ago, which we fixed.
Unfortunately, this broke mass migration: #1111532: Mass Migrate fails in Aegir 1.0 RC3. I consider the latter more important than the CSRF, because all the CSRF can do is fire up tasks that can be rolled back. It also requires the user to visit a malicious site while being logged into Aegir.
I am therefore opening this issue so that the CSRF eventually gets fixed, the proper way.
Comments
Comment #1
anarcat commented: Here is the revert commit: http://drupalcode.org/project/hostmaster.git/commitdiff/c6a8406b7010ea96...
Comment #2
anarcat commented: Alright, I have done a more proper fix by re-importing mr.baileys' patch and then doing the CSRF check only on non-interactive tasks.
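The rule described in the comment above, a token check on task links that fire immediately while links to interactive tasks are left alone because their confirmation form carries its own form token, as an added illustration in Python that is not hostmaster's code. The task types, the `/hosting/tasks/<site>/<type>` path layout, the session ids and the per-site secret are all constructed for the example; the token is an HMAC over the session id and the task path, in the spirit of Drupal's `drupal_get_token()`, but the helper names are this example's own.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed per-site secret; a real site would read this from its private key setting.
PRIVATE_KEY = b"constructed-site-secret-do-not-reuse"

# Constructed task catalogue. Interactive tasks render a confirmation form before
# anything runs, and the form's own token protects the POST. Non-interactive tasks
# are queued as soon as the link is followed, so the link itself must carry a token.
TASK_TYPES = {
    "verify": {"interactive": False},
    "backup": {"interactive": False},
    "delete": {"interactive": True},
    "migrate": {"interactive": True},
}


def get_token(session_id: str, value: str) -> str:
    """Bind a token to the caller's session and the specific task path."""
    msg = f"{session_id}:{value}".encode()
    return hmac.new(PRIVATE_KEY, msg, hashlib.sha256).hexdigest()


def task_link(session_id: str, site: str, task_type: str) -> str:
    """Build the task-manager link as the page for a logged-in session would render it."""
    path = f"/hosting/tasks/{site}/{task_type}"
    if TASK_TYPES[task_type]["interactive"]:
        return path  # confirmation form follows; no token needed on the link
    return path + "?" + urlencode({"token": get_token(session_id, f"{site}/{task_type}")})


def handle_task_request(session_id: str, url: str):
    """Menu-callback model: returns (outcome, task) for a GET on a task link.

    session_id is the session of whoever's browser made the request, which is
    exactly what a cross-site request forgery controls: the victim's cookie is
    sent, but the attacker cannot know the victim's token.
    """
    parsed = urlparse(url)
    parts = parsed.path.strip("/").split("/")
    if len(parts) != 4 or parts[:2] != ["hosting", "tasks"]:
        return ("not found", None)
    site, task_type = parts[2], parts[3]
    if task_type not in TASK_TYPES:
        return ("not found", None)
    task = f"{site}/{task_type}"

    if TASK_TYPES[task_type]["interactive"]:
        # Hand off to the confirmation form; the form token is checked on submit.
        return ("confirm_form", task)

    # Non-interactive: the link fires the task, so require and verify the token here.
    supplied = parse_qs(parsed.query).get("token", [""])[0]
    if not hmac.compare_digest(supplied, get_token(session_id, task)):
        return ("access denied", None)
    return ("queued", task)
```

A forged `<img src="https://aegir.example/hosting/tasks/example.com/verify">` on a malicious page reaches `handle_task_request` with the victim's session but without a token, so it is refused, while the same session following the link the task manager rendered for it is queued. Interactive tasks skip the link check entirely, which is what keeps form-driven flows such as mass migration working.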