Page style can be set remotely, without user's intention

Posted by coltrane on September 5, 2009 at 2:21pm

Issue Summary

pagestyle.module uses the raw POST to set the style so it is possible your page style can be changed without your own action. This is effectively a CSRF though the action is not dangerous at all. A possible solution is to use core's token generation and check before altering the style.

Comments

#1

Posted by Christian Zwahlen on December 28, 2009 at 1:09pm

Status:

active

» postponed (maintainer needs more info)

Hi coltrane

You mean hook_submit()? This is possible for the forms, but for links?

#2

Posted by Christian Zwahlen on February 19, 2011 at 11:02pm

Status:

postponed (maintainer needs more info)

» closed (won't fix)

Project:	Page Style
Version:	6.x-1.x-dev
Component:	Code
Category:	task
Priority:	normal
Assigned:	Unassigned
Status:	closed (won't fix)

Page style can be set remotely, without user's intention

Jump to:

Issue Summary

Comments

#1

#2