summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNathaniel Catchpole2016-05-23 10:15:39 (GMT)
committerNathaniel Catchpole2016-05-23 10:15:39 (GMT)
commit5735dfcbc6cd275563abb67e4d17ed0b2b72d012 (patch)
tree41289d2c6cefe278e091e1d5bee4f1e5b1381f39
parent2486f1069272a7f64bd1f574b355ab655fdd0b08 (diff)
Issue #2646328 by alexpott, Wim Leers, David_Rothstein, aaronott, Ayesh: CSRF in update module manual check links
-rw-r--r--core/modules/update/src/Tests/UpdateContribTest.php3
-rw-r--r--core/modules/update/src/Tests/UpdateCoreTest.php11
-rw-r--r--core/modules/update/src/Tests/UpdateTestBase.php3
-rw-r--r--core/modules/update/src/Tests/UpdateUploadTest.php3
-rw-r--r--core/modules/update/update.install17
-rw-r--r--core/modules/update/update.routing.yml1
6 files changed, 35 insertions, 3 deletions
diff --git a/core/modules/update/src/Tests/UpdateContribTest.php b/core/modules/update/src/Tests/UpdateContribTest.php
index 923b5d5..88cf378 100644
--- a/core/modules/update/src/Tests/UpdateContribTest.php
+++ b/core/modules/update/src/Tests/UpdateContribTest.php
@@ -345,6 +345,9 @@ class UpdateContribTest extends UpdateTestBase {
);
$this->config('update_test.settings')->set('system_info', $system_info)->save();
+ // Ensure that the update information is correct before testing.
+ $this->drupalGet('admin/reports/updates');
+
$xml_mapping = array(
'drupal' => '0.0',
'aaa_update_test' => '1_0',
diff --git a/core/modules/update/src/Tests/UpdateCoreTest.php b/core/modules/update/src/Tests/UpdateCoreTest.php
index 799d5a9..baecde8 100644
--- a/core/modules/update/src/Tests/UpdateCoreTest.php
+++ b/core/modules/update/src/Tests/UpdateCoreTest.php
@@ -65,11 +65,17 @@ class UpdateCoreTest extends UpdateTestBase {
*/
function testNormalUpdateAvailable() {
$this->setSystemInfo('8.0.0');
+
+ // Ensure that the update check requires a token.
+ $this->drupalGet('admin/reports/updates/check');
+ $this->assertResponse(403, 'Accessing admin/reports/updates/check without a CSRF token results in access denied.');
+
foreach (array(0, 1) as $minor_version) {
foreach (array('-alpha1', '-beta1', '') as $extra_version) {
$this->refreshUpdateStatus(array('drupal' => "$minor_version.1" . $extra_version));
$this->standardTests();
- $this->drupalGet('admin/reports/updates/check');
+ $this->drupalGet('admin/reports/updates');
+ $this->clickLink(t('Check manually'));
$this->assertNoText(t('Security update required!'));
$this->assertRaw(\Drupal::l("8.$minor_version.1" . $extra_version, Url::fromUri("http://example.com/drupal-8-$minor_version-1$extra_version-release")), 'Link to release appears.');
$this->assertRaw(\Drupal::l(t('Download'), Url::fromUri("http://example.com/drupal-8-$minor_version-1$extra_version.tar.gz")), 'Link to download appears.');
@@ -131,7 +137,8 @@ class UpdateCoreTest extends UpdateTestBase {
$this->setSystemInfo("8.$minor_version.$patch_version" . $extra_version);
$this->refreshUpdateStatus(array('drupal' => '9'));
$this->standardTests();
- $this->drupalGet('admin/reports/updates/check');
+ $this->drupalGet('admin/reports/updates');
+ $this->clickLink(t('Check manually'));
$this->assertNoText(t('Security update required!'));
$this->assertRaw(\Drupal::l('9.0.0', Url::fromUri("http://example.com/drupal-9-0-0-release")), 'Link to release appears.');
$this->assertRaw(\Drupal::l(t('Download'), Url::fromUri("http://example.com/drupal-9-0-0.tar.gz")), 'Link to download appears.');
diff --git a/core/modules/update/src/Tests/UpdateTestBase.php b/core/modules/update/src/Tests/UpdateTestBase.php
index de15b0b..9cb3c20 100644
--- a/core/modules/update/src/Tests/UpdateTestBase.php
+++ b/core/modules/update/src/Tests/UpdateTestBase.php
@@ -67,7 +67,8 @@ abstract class UpdateTestBase extends WebTestBase {
// Save the map for UpdateTestController::updateTest() to use.
$this->config('update_test.settings')->set('xml_map', $xml_map)->save();
// Manually check the update status.
- $this->drupalGet('admin/reports/updates/check');
+ $this->drupalGet('admin/reports/updates');
+ $this->clickLink(t('Check manually'));
}
/**
diff --git a/core/modules/update/src/Tests/UpdateUploadTest.php b/core/modules/update/src/Tests/UpdateUploadTest.php
index 1605f2e..39b6944 100644
--- a/core/modules/update/src/Tests/UpdateUploadTest.php
+++ b/core/modules/update/src/Tests/UpdateUploadTest.php
@@ -30,6 +30,9 @@ class UpdateUploadTest extends UpdateTestBase {
* Tests upload, extraction, and update of a module.
*/
public function testUploadModule() {
+ // Ensure that the update information is correct before testing.
+ update_get_available(TRUE);
+
// Images are not valid archives, so get one and try to install it. We
// need an extra variable to store the result of drupalGetTestFiles()
// since reset() takes an argument by reference and passing in a constant
diff --git a/core/modules/update/update.install b/core/modules/update/update.install
index b2223f1..e810129 100644
--- a/core/modules/update/update.install
+++ b/core/modules/update/update.install
@@ -148,3 +148,20 @@ function _update_requirement_check($project, $type) {
$requirement['value'] = \Drupal::l($requirement_label, new Url(_update_manager_access() ? 'update.report_update' : 'update.status'));
return $requirement;
}
+
+/**
+ * @addtogroup updates-8.1.x
+ * @{
+ */
+
+/**
+ * Rebuild the router to ensure admin/reports/updates/check has CSRF protection.
+ */
+function update_update_8001() {
+ // Empty update forces a call to drupal_flush_all_caches() which rebuilds the
+ // router.
+}
+
+/**
+ * @} End of "addtogroup updates-8.1.x".
+ */
diff --git a/core/modules/update/update.routing.yml b/core/modules/update/update.routing.yml
index 0049396..d5b79ea 100644
--- a/core/modules/update/update.routing.yml
+++ b/core/modules/update/update.routing.yml
@@ -21,6 +21,7 @@ update.manual_status:
_controller: '\Drupal\update\Controller\UpdateController::updateStatusManually'
requirements:
_permission: 'administer site configuration'
+ _csrf_token: 'TRUE'
update.report_install:
path: '/admin/reports/updates/install'