SA-CORE-2021-007 by samuel.mortenson, Wim Leers, greggles, xjm, larowlan, vijaycs85, Heine, effulgentsia, phenaproxima, mcdruid, nod_

core/modules/quickedit/js/models/EntityModel.es6.js

@@ -526,6 +526,9 @@
             options.success.call(entityModel);
           }
         };
+        entitySaverAjax.options.headers = entitySaverAjax.options.headers || {};
+        entitySaverAjax.options.headers['X-Drupal-Quickedit-CSRF-Token'] =
+          drupalSettings.quickedit.csrf_token;
         // Trigger the AJAX request, which will return the quickeditEntitySaved
         // AJAX command to which we then react.
         entitySaverAjax.execute();

core/modules/quickedit/js/models/EntityModel.js

@@ -235,6 +235,8 @@
         }
       };
 
+      entitySaverAjax.options.headers = entitySaverAjax.options.headers || {};
+      entitySaverAjax.options.headers['X-Drupal-Quickedit-CSRF-Token'] = drupalSettings.quickedit.csrf_token;
       entitySaverAjax.execute();
     },
     validate: function validate(attrs, options) {

core/modules/quickedit/quickedit.module

@@ -53,6 +53,7 @@ function quickedit_page_attachments(array &$page) {
     return;
   }
 
+  $page['#attached']['drupalSettings']['quickedit']['csrf_token'] = \Drupal::csrfToken()->get('X-Drupal-Quickedit-CSRF-Token');
   $page['#attached']['library'][] = 'quickedit/quickedit';
 }
 

core/modules/quickedit/src/QuickEditController.php

@@ -6,10 +6,12 @@ use Drupal\Core\Controller\ControllerBase;
 use Drupal\Core\Entity\EntityRepositoryInterface;
 use Drupal\Core\Form\FormState;
 use Drupal\Core\Render\RendererInterface;
+use Drupal\Core\Session\AccountInterface;
 use Drupal\Core\TempStore\PrivateTempStoreFactory;
 use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 use Drupal\Core\Ajax\AjaxResponse;
 use Drupal\Core\Entity\EntityInterface;
@@ -157,6 +159,32 @@ class QuickEditController extends ControllerBase {
     return new JsonResponse($metadata);
   }
 
+  /**
+   * Throws an AccessDeniedHttpException if the request fails CSRF validation.
+   *
+   * This is used instead of \Drupal\Core\Access\CsrfAccessCheck, in order to
+   * allow access for anonymous users.
+   *
+   * @todo Refactor this to an access checker.
+   */
+  private static function checkCsrf(Request $request, AccountInterface $account) {
+    $header = 'X-Drupal-Quickedit-CSRF-Token';
+
+    if (!$request->headers->has($header)) {
+      throw new AccessDeniedHttpException();
+    }
+    if ($account->isAnonymous()) {
+      // For anonymous users, just the presence of the custom header is
+      // sufficient protection.
+      return;
+    }
+    // For authenticated users, validate the token value.
+    $token = $request->headers->get($header);
+    if (!\Drupal::csrfToken()->validate($token, $header)) {
+      throw new AccessDeniedHttpException();
+    }
+  }
+
   /**
    * Returns AJAX commands to load in-place editors' attachments.
    *
@@ -307,6 +335,8 @@ class QuickEditController extends ControllerBase {
    *   The Ajax response.
    */
   public function entitySave(EntityInterface $entity) {
+    self::checkCsrf(\Drupal::request(), \Drupal::currentUser());
+
     // Take the entity from PrivateTempStore and save in entity storage.
     // fieldForm() ensures that the PrivateTempStore copy exists ahead.
     $tempstore = $this->tempStoreFactory->get('quickedit');