The attached patch adds token verification for the SA-CONTRIB-2012-006 CSRF vulnerability. This method was chosen so as not to change the flow of the module, in case others were depending upon this behaviour. An alternative patch is available that uses a confirmation dialogue instead. Comments, criticism welcome.
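As an added illustration of the token-verification approach described above (example code, not the patch attached to this issue and not the affected module's code), the following Drupal 6 snippet protects a state-changing link with drupal_get_token() / drupal_valid_token(). The module name `example_module`, the path, the permission name and the table are hypothetical; the two token functions are the real Drupal 6 API.

```php
<?php
// Added example, not the patch from this issue. Shows how a Drupal 6 module
// can bind a state-changing GET link to the visitor's session so that a
// forged cross-site request (CSRF) is refused. "example_module", the path,
// the permission and the table name are hypothetical.

/**
 * Implementation of hook_menu().
 */
function example_module_menu() {
  $items = array();
  $items['example-module/remove/%'] = array(
    'title' => 'Remove item',
    'page callback' => 'example_module_remove',
    'page arguments' => array(2),
    'access arguments' => array('administer example module'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the action link. The token is derived from the session id, the
 * site's private key and the action string, so a token minted for one
 * item (or one session) cannot be replayed against another.
 */
function example_module_remove_link($id) {
  $token = drupal_get_token('example_module_remove_' . $id);
  return l(t('Remove'), 'example-module/remove/' . $id, array('query' => 'token=' . $token));
}

/**
 * Menu callback. Without the check, any GET request to this path (for
 * example one triggered by an image tag on a third-party page) would
 * perform the action; with it, a request lacking a valid token is denied.
 */
function example_module_remove($id) {
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'example_module_remove_' . $id)) {
    // Drupal 6 turns this return value into a 403 page and logs it.
    return MENU_ACCESS_DENIED;
  }
  // Token verified for this session and this item: perform the change.
  db_query("DELETE FROM {example_module_items} WHERE id = %d", $id);
  drupal_set_message(t('Item removed.'));
  drupal_goto('example-module');
}
```

The value passed to drupal_valid_token() must match the one used when the link was built; including the item id in it keeps a token from being reused for a different item, which is the property the confirmation-dialogue alternative mentioned above achieves by other means.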

Comments

ajdonnison

Version: » 6.x-1.x-dev
Status: Needs review » Fixed

Patch added to 6.x-1.x tree, waiting on security review before releasing new version.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

sittard

Status: Closed (fixed) » Active

Did this patch ever get reviewed by the security team? The project status page is still showing 'abandoned'.

Thanks.

ajdonnison

Status: Active » Needs review

I sent details based on the abandoned projects process, but didn't hear back. Setting back to needs review. This of course could be my fault for not fully understanding the process rather than the process itself.

hansrossel

Did you send an email to security@drupal.org with the patch? They normally reply very quickly. Did you follow the procedure http://drupal.org/node/101497?

Seems like a misunderstanding here, as you posted a patch here a few days after the security bug, while it should have been sent to the security team instead and the patch discussed and agreed with them. I suppose an email to them should be enough to clarify this misunderstanding and get the module up again.