Updated Drupal to 8.6. This goes with the following updates because it's possible...

[yaffs-website] / web / core / modules / contextual / src / ContextualController.php

diff --git a/web/core/modules/contextual/src/ContextualController.php b/web/core/modules/contextual/src/ContextualController.php
index 59a2ba0f9512f2874d1de40da9ce6a77bf8164b9..d05c6a852726e0f5c220de88b9b65de1cd48da45 100644 (file)
--- a/web/core/modules/contextual/src/ContextualController.php
+++ b/web/core/modules/contextual/src/ContextualController.php
@@ -2,8 +2,10 @@
 
 namespace Drupal\contextual;
 
+use Drupal\Component\Utility\Crypt;
 use Drupal\Core\DependencyInjection\ContainerInjectionInterface;
 use Drupal\Core\Render\RendererInterface;
+use Drupal\Core\Site\Settings;
 use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
@@ -16,12 +18,13 @@ class ContextualController implements ContainerInjectionInterface {
 
   /**
    * The renderer.
+   *
    * @var \Drupal\Core\Render\RendererInterface
    */
-  protected $render;
+  protected $renderer;
 
   /**
-   * Constructors a new ContextualController
+   * Constructors a new ContextualController.
    *
    * @param \Drupal\Core\Render\RendererInterface $renderer
    *   The renderer.
@@ -45,10 +48,16 @@ class ContextualController implements ContainerInjectionInterface {
    * Given a list of contextual links IDs, render them. Hence this must be
    * robust to handle arbitrary input.
    *
-   * @see contextual_preprocess()
+   * @param \Symfony\Component\HttpFoundation\Request $request
+   *   The Symfony request object.
    *
    * @return \Symfony\Component\HttpFoundation\JsonResponse
    *   The JSON response.
+   *
+   * @throws \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
+   *   Thrown when the request contains no ids.
+   *
+   * @see contextual_preprocess()
    */
   public function render(Request $request) {
     $ids = $request->request->get('ids');
@@ -56,8 +65,16 @@ class ContextualController implements ContainerInjectionInterface {
       throw new BadRequestHttpException(t('No contextual ids specified.'));
     }
 
+    $tokens = $request->request->get('tokens');
+    if (!isset($tokens)) {
+      throw new BadRequestHttpException(t('No contextual ID tokens specified.'));
+    }
+
     $rendered = [];
-    foreach ($ids as $id) {
+    foreach ($ids as $key => $id) {
+      if (!isset($tokens[$key]) || !Crypt::hashEquals($tokens[$key], Crypt::hmacBase64($id, Settings::getHashSalt() . \Drupal::service('private_key')->get()))) {
+        throw new BadRequestHttpException('Invalid contextual ID specified.');
+      }
       $element = [
         '#type' => 'contextual_links',
         '#contextual_links' => _contextual_id_to_links($id),