Attached patch is a port that went into 4.7. We can polish / modify a bit more though.

Patch introduces tokens for form requested by authenticated users. During validation, the token field is checked to make sure this user requested the form previously during his/her session. This defends against cross site request forgeries where a users visits an external form that posts to Drupal.

CommentFileSizeAuthor
#7 form_token_1.patch.txt7.04 KBheine
#2 form_token_0.patch.txt6.99 KBheine
form_token.patch.txt6.89 KBheine

Comments

heine’s picture

heine commented
Status: Active » Needs review

Note: I'd rather keep the rewriting of node revisions / menu disable to use $_POST and the rewriting of some old style (4.6) forms to other issues.

heine’s picture

heine commented
Category: task » bug
StatusFileSize
new form_token_0.patch.txt6.99 KB

Modified to prevent XHTML validation errors (as in http://drupal.org/node/90635)

eaton’s picture

eaton commented
Status: Needs review » Reviewed & tested by the community

Just ran this through its paces on a fresh install. Some forms, like poll.module's voting, aren't fully FAPI-ified and thus are unaffected by this security check. Others, like commenting and node creation, properly throw a validation error when submitting a form with a tainted or missing token.

drumm’s picture

drumm
he/him
Location NY, US
commented

This is a big patch, any other reviews? Anything different from the 4.7 version?

Jo Wouters’s picture

Jo Wouters commented

I'm not sure if this is a security issue, but it is relatively easy to get to know the 'drupal_private_key':

The token (which is publicly shown in every form) is calculated with this function:

function drupal_get_token($value = '') {
  $private_key = drupal_get_private_key();
  return md5(session_id() . $value . $private_key);

The session_id is know to the user, $value is the forum_id.
$private_key is the only unknown part.
And since $private_key = mt_rand() (a number between 0 and 2147483647 on my machine) it is relatively easy to get to know the drupal_private_key.

(it costed me less then 40 minutes to find 2 different drupal_private_keys)

Apart from that, this patch seems to be working on head.

Jo Wouters’s picture

Jo Wouters commented

note: that should be "$value is the form_id" of course.

We should put the issue about the 'drupal_private_key' in a seperate issue. I'll open one, and attach a patch.

heine’s picture

heine commented
StatusFileSize
new form_token_1.patch.txt7.04 KB

Changed into a 256 bits key.

heine’s picture

heine commented
Status: Reviewed & tested by the community » Needs review
Kjartan’s picture

Kjartan commented

Been using this patch on my site for a few days now and haven't had any troubles yet.

drumm’s picture

drumm
he/him
Location NY, US
commented
Status: Needs review » Fixed

Committed to HEAD>

Anonymous’s picture

(not verified) commented
Status: Fixed » Closed (fixed)