authorAngie Byron <webchick@24967.no-reply.drupal.org>2010-03-28 07:00:30 +0000
committerAngie Byron <webchick@24967.no-reply.drupal.org>2010-03-28 07:00:30 +0000
commit3359fb5c1cd034aedc05fb961a3360f04a379c49 (patch)
treeefcf93ada9c929ad7c7502d8d5c88cccad7411e2 /modules/comment
parent3520ea515364a528d06fc8ad477a103ff168a1f7 (diff)
#66264 by boombatower, grendzy, et al: Remove CSRF vulnerability from comment module.
Diffstat (limited to 'modules/comment')
-rw-r--r--modules/comment/comment.module1
-rw-r--r--modules/comment/comment.pages.inc3
-rw-r--r--modules/comment/comment.test4
3 files changed, 8 insertions, 0 deletions
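--- a/modules/comment/comment.module
+++ b/modules/comment/comment.module
@@ -991,6 +991,7 @@ function comment_links($comment, $node) {
 'title' => t('approve'),
 'href' => "comment/$comment->cid/approve",
 'html' => TRUE,
+'query' => array('token' => drupal_get_token("comment/$comment->cid/approve")),
 );
 }
 }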
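Review bot: The token seed `"comment/$comment->cid/approve"` on the added `'query'` line is a second copy of the string used as the link's `'href'` two lines above, and a third copy lives in comment_approve() in comment.pages.inc, with no shared constant between the files; if any one of them is edited later, every approve link silently returns 403 instead of failing at the definition site. Build the path once and reuse it for both the href and the token, e.g. `$path = "comment/$comment->cid/approve";` followed by `'href' => $path,` and `'query' => array('token' => drupal_get_token($path)),`. The enclosing condition that decides who sees the approve link starts outside the hunk; since the token is bound to the requesting session, the rendered link should only ever appear in per-user output, which is presumably already the case here but worth confirming against the surrounding access check.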
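--- a/modules/comment/comment.pages.inc
+++ b/modules/comment/comment.pages.inc
@@ -107,6 +107,9 @@ function comment_reply($node, $pid = NULL) {
 * A comment identifier.
 */
 function comment_approve($cid) {
+if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], "comment/$cid/approve")) {
+return MENU_ACCESS_DENIED;
+}
 if ($comment = comment_load($cid)) {
 $comment->status = COMMENT_PUBLISHED;
 comment_save($comment);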
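Review bot: The docblock of comment_approve(), whose tail `* A comment identifier.` is visible at the top of the hunk, does not mention the new precondition introduced by the added guard, so nothing tells a maintainer that the menu callback now requires a request token. Add a sentence to the docblock along the lines of `Returns MENU_ACCESS_DENIED unless the 'token' query parameter validates against "comment/$cid/approve" (see the matching drupal_get_token() call in comment_links()).` The seed string checked here is duplicated from comment_links() in comment.module with no shared definition, so the two must be kept byte-identical by hand. The remainder of comment_approve() continues past the end of the hunk.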
diff --git a/modules/comment/comment.test b/modules/comment/comment.test
index ec355a13c..f9d151ea7 100644
--- a/modules/comment/comment.test
+++ b/modules/comment/comment.test
@@ -954,6 +954,10 @@ class CommentApprovalTest extends CommentHelperCase {
// Approve comment.
$this->drupalLogin($this->admin_user);
+ $this->drupalGet('comment/1/approve');
+ $this->assertResponse(403, t('Forged comment approval was denied.'));
+ $this->drupalGet('comment/1/approve', array('query' => array('token' => 'forged')));
+ $this->assertResponse(403, t('Forged comment approval was denied.'));
$this->drupalGet('node/' . $this->node->nid);
$this->clickLink(t('approve'));
$this->drupalLogout();