diff --git c/core/modules/system/lib/Drupal/system/Controller/ThemeController.php w/core/modules/system/lib/Drupal/system/Controller/ThemeController.php
index f8068f2..aa9a6be 100644
--- c/core/modules/system/lib/Drupal/system/Controller/ThemeController.php
+++ w/core/modules/system/lib/Drupal/system/Controller/ThemeController.php
@@ -7,40 +7,43 @@
 namespace Drupal\system\Controller;
-use Drupal\Core\Config\Config;
 use Drupal\Core\Controller\ControllerBase;
-use Drupal\Core\DependencyInjection\ContainerInjectionInterface;
 use Symfony\Component\DependencyInjection\ContainerInterface;
+use Drupal\Core\Config\ConfigFactory;
+use Drupal\Core\Access\CsrfTokenGenerator;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 /**
 * Controller for theme handling.
 */
-class ThemeController extends ControllerBase implements ContainerInjectionInterface {
+class ThemeController extends ControllerBase {
 /**
- * The system.theme config object.
+ * The config factory service.
 *
- * @var \Drupal\Core\Config\Config
+ * @var \Drupal\Core\Config\ConfigFactory
 */
- protected $config;
+ protected $configFactory;
 /**
- * The url generator.
+ * The CSRF Token Generator Service.
 *
- * @var \Drupal\Core\Routing\PathBasedGeneratorInterface
+ * @var \Drupal\Core\Access\CsrfTokenGenerator
 */
- protected $urlGenerator;
+ protected $tokenGenerator;
 /**
 * Constructs a ThemeController object.
 *
- * @param \Drupal\Core\Config\Config $config
- * Configuration object.
+ * @param \Drupal\Core\Config\ConfigFactory $config_factory
+ * Config Factory Service.
+ * @param \Drupal\Core\Access\CsrfTokenGenerator
+ * Token Generator Service.
 */
- public function __construct(Config $config) {
- $this->config = $config;
+ public function __construct(ConfigFactory $config_factory, CsrfTokenGenerator $token_generator) {
+ $this->configFactory = $config_factory;
+ $this->tokenGenerator = $token_generator;
 }
 /**
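Review bot: The second `@param` tag added to the constructor docblock omits the variable name, so the documented type is not tied to the CSRF token generator argument; it should read `@param \Drupal\Core\Access\CsrfTokenGenerator $token_generator`. The two added `use` lines are also placed after the Symfony `ContainerInterface` import instead of with the other `Drupal\Core` imports. Dropping `implements ContainerInjectionInterface` is only safe if `ControllerBase` already implements that interface, which is not visible in this hunk and should be confirmed, since `create()` is still relied on to inject the token service.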
@@ -48,7 +51,8 @@ public function __construct(Config $config) {
 */
 public static function create(ContainerInterface $container) {
 return new static(
- $container->get('config.factory')->get('system.theme')
+ $container->get('config.factory'),
+ $container->get('csrf_token')
 );
 }
@@ -66,17 +70,18 @@ public static function create(ContainerInterface $container) {
 * the token is invalid.
 */
 public function disable(Request $request) {
+ $config = $this->configFactory->get('system.theme');
 $theme = $request->get('theme');
 $token = $request->get('token');
- if (isset($theme) && isset($token) && drupal_valid_token($token, 'system-theme-operation-link')) {
+ if (isset($theme) && isset($token) && $this->tokenGenerator->validate($token, 'system-theme-operation-link')) {
 // Get current list of themes.
 $themes = list_themes();
 // Check if the specified theme is one recognized by the system.
 if (!empty($themes[$theme])) {
 // Do not disable the default or admin theme.
- if ($theme === $this->config->get('default') || $theme === $this->config->get('admin')) {
+ if ($theme === $config->get('default') || $theme === $config->get('admin')) {
 drupal_set_message($this->t('%theme is the default theme and cannot be disabled.', array('%theme' => $themes[$theme]->info['name'])), 'error');
 }
 else {
@@ -88,7 +93,7 @@ public function disable(Request $request) {
 drupal_set_message($this->t('The %theme theme was not found.', array('%theme' => $theme)), 'error');
 }
- return $this->redirect($this->urlGenerator->generateFromPath('admin/appearance', array('absolute' => TRUE)));
+ return $this->redirect($this->urlGenerator()->generateFromPath('admin/appearance', array('absolute' => TRUE)));
 }
 throw new AccessDeniedHttpException();
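Review bot: In `disable()`, the new `$this->tokenGenerator->validate($token, ...)` call is guarded only by `isset()`, so a request parameter that arrives as an array rather than a string passes the guard and reaches both `validate()` and the `$themes[$theme]` lookup. How `validate()` treats non-string input is not visible in this diff, so the controller should enforce the type itself: `if (is_string($theme) && is_string($token) && $this->tokenGenerator->validate($token, 'system-theme-operation-link')) {`. The same guard is added unchanged in `enable()` and `defaultTheme()` in the later hunks and needs the same treatment. The body of `disable()` continues outside this hunk.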
@@ -111,7 +116,7 @@ public function enable(Request $request) {
 $theme = $request->get('theme');
 $token = $request->get('token');
- if (isset($theme) && isset($token) && drupal_valid_token($token, 'system-theme-operation-link')) {
+ if (isset($theme) && isset($token) && $this->tokenGenerator->validate($token, 'system-theme-operation-link')) {
 // Get current list of themes.
 $themes = list_themes(TRUE);
@@ -124,7 +129,7 @@ public function enable(Request $request) {
 drupal_set_message($this->t('The %theme theme was not found.', array('%theme' => $theme)), 'error');
 }
- return $this->redirect($this->urlGenerator->generateFromPath('admin/appearance', array('absolute' => TRUE)));
+ return $this->redirect($this->urlGenerator()->generateFromPath('admin/appearance', array('absolute' => TRUE)));
 }
 throw new AccessDeniedHttpException();
@@ -144,9 +149,10 @@ public function enable(Request $request) {
 * the token is invalid.
 */
 public function defaultTheme(Request $request) {
+ $config = $this->configFactory->get('system.theme');
 $theme = $request->query->get('theme');
 $token = $request->query->get('token');
- if (isset($theme) && isset($token) && drupal_valid_token($token, 'system-theme-operation-link')) {
+ if (isset($theme) && isset($token) && $this->tokenGenerator->validate($token, 'system-theme-operation-link')) {
 // Get current list of themes.
 $themes = list_themes();
@@ -158,7 +164,7 @@ public function defaultTheme(Request $request) {
 }
 // Set the default theme.
- $this->config->set('default', $theme)
+ $config->set('default', $theme)
 ->save();
 // Rebuild the menu. This duplicates the menu_router_rebuild() in
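Review bot: `enable()` still reads `theme` and `token` through `$request->get()`, which in Symfony falls back across route attributes, the query string and the request body, whereas `defaultTheme()` later in this diff reads the same two values from `$request->query` only. Now that the token is checked by the injected generator, the source of the token should be pinned as well so all three operations validate the same input: `$theme = $request->query->get('theme');` and `$token = $request->query->get('token');`, here and in `disable()`. This assumes the operation links always carry both values in the query string, as the `defaultTheme()` code implies. The body of `enable()` starts and ends outside this hunk.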
@@ -172,7 +178,7 @@ public function defaultTheme(Request $request) {
 // The status message depends on whether an admin theme is currently in
 // use. A value of 0 means the admin theme is set to be the default
 // theme.
- $admin_theme = $this->config->get('admin');
+ $admin_theme = $config->get('admin');
 if ($admin_theme != 0 && $admin_theme != $theme) {
 drupal_set_message($this->t('Please note that the administration theme is still set to the %admin_theme theme; consequently, the theme on this page remains unchanged. All non-administrative sections of the site, however, will show the selected %selected_theme theme by default.', array(
 '%admin_theme' => $themes[$admin_theme]->info['name'],
@@ -186,7 +192,7 @@ public function defaultTheme(Request $request) {
 else {
 drupal_set_message($this->t('The %theme theme was not found.', array('%theme' => $theme)), 'error');
 }
- return $this->redirect($this->urlGenerator->generateFromPath('admin/appearance', array('absolute' => TRUE)));
+ return $this->redirect($this->urlGenerator()->generateFromPath('admin/appearance', array('absolute' => TRUE)));
 }
 throw new AccessDeniedHttpException();
 }
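Review bot: The value now read with `$config->get('admin')` is compared with loose operators on the following line, `$admin_theme != 0 && $admin_theme != $theme`. On PHP versions before 8 a non-numeric theme name compares equal to `0`, so the first clause would be false for every named admin theme and the notice would never be shown; the stored type of the `admin` setting is not visible here, so this should be confirmed against the config schema. A type-safe form that still treats `0`, `'0'` and an empty value as "no admin theme" is `if (!empty($admin_theme) && $admin_theme !== $theme) {`. The enclosing `defaultTheme()` body starts and ends outside this hunk.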