diff core/modules/contextual/src/ContextualController.php @ 17:129ea1e6d783
Update, including to Drupal core 8.6.10
author | Chris Cannam |
---|---|
date | Thu, 28 Feb 2019 13:21:36 +0000 |
parents | 4c8ae668cc8c |
children |
--- a/core/modules/contextual/src/ContextualController.php Tue Jul 10 15:07:59 2018 +0100
+++ b/core/modules/contextual/src/ContextualController.php Thu Feb 28 13:21:36 2019 +0000
@@ -2,8 +2,10 @@
 namespace Drupal\contextual;
+use Drupal\Component\Utility\Crypt;
 use Drupal\Core\DependencyInjection\ContainerInjectionInterface;
 use Drupal\Core\Render\RendererInterface;
+use Drupal\Core\Site\Settings;
 use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
@@ -16,12 +18,13 @@
 /**
 * The renderer.
+ *
 * @var \Drupal\Core\Render\RendererInterface
 */
- protected $render;
+ protected $renderer;
 /**
- * Constructors a new ContextualController
+ * Constructors a new ContextualController.
 *
 * @param \Drupal\Core\Render\RendererInterface $renderer
 * The renderer.
@@ -45,10 +48,16 @@
 * Given a list of contextual links IDs, render them. Hence this must be
 * robust to handle arbitrary input.
 *
- * @see contextual_preprocess()
+ * @param \Symfony\Component\HttpFoundation\Request $request
+ * The Symfony request object.
 *
 * @return \Symfony\Component\HttpFoundation\JsonResponse
 * The JSON response.
+ *
+ * @throws \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
+ * Thrown when the request contains no ids.
+ *
+ * @see contextual_preprocess()
 */
 public function render(Request $request) {
 $ids = $request->request->get('ids');
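Review bot: The `@throws` text added to the render() docblock in the third hunk names only the missing-ids case, while the same commit makes render() throw BadRequestHttpException for a missing `tokens` parameter and for a token that does not match its id. That token check decides whether a client-supplied id is rendered at all, so the docblock should describe it, e.g. `Thrown when the request contains no ids or no tokens, or when a token does not match its contextual ID.` The body of render() continues outside this hunk.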
@@ -56,8 +65,16 @@
 throw new BadRequestHttpException(t('No contextual ids specified.'));
 }
+ $tokens = $request->request->get('tokens');
+ if (!isset($tokens)) {
+ throw new BadRequestHttpException(t('No contextual ID tokens specified.'));
+ }
+
 $rendered = [];
- foreach ($ids as $id) {
+ foreach ($ids as $key => $id) {
+ if (!isset($tokens[$key]) || !Crypt::hashEquals($tokens[$key], Crypt::hmacBase64($id, Settings::getHashSalt() . \Drupal::service('private_key')->get()))) {
+ throw new BadRequestHttpException('Invalid contextual ID specified.');
+ }
 $element = [
 '#type' => 'contextual_links',
 '#contextual_links' => _contextual_id_to_links($id),
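Review bot: `$ids` and `$tokens` are read straight from the POST body and only tested with `isset()`, so a scalar `ids` value or a nested array in either parameter reaches `foreach` and the HMAC helpers with a non-string argument; depending on the PHP version and on how `Crypt` validates its inputs, that would likely surface as a warning or an uncaught exception rather than the 400 the method otherwise returns. The docblock says the method must be robust to arbitrary input, so the guard in the loop could begin with type checks, `if (!is_string($id) || !isset($tokens[$key]) || !is_string($tokens[$key]) || !Crypt::hashEquals(...)) {`, with an `is_array()` test on both parameters before the loop. `Crypt::hashEquals()` takes the known string first and the user-supplied string second, whereas the call here passes the request token first; swapping the two arguments would match the documented order. The class is wired through ContainerInjectionInterface, so the `private_key` service would be better injected through the constructor than fetched with `\Drupal::service()`. render() starts before this hunk and its loop body continues past it.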