Magento2: Backend Security key broken for controllers with frontname not equal to route ID

Created on 24 Nov 2016 · 12 Comments · Source: magento/magento2


Preconditions

The Magento used is the "develop" branch.
PHP: PHP 7.0.10-1+deb.sury.org~xenial+1

Steps to reproduce

  1. Create a new module with a controller usable in the backend.
  2. Define a new route for the controller (new adminhtml/routes.xml file) with a frontname different from the route ID.
  3. Add the new controller to the menu and add the appropriate item to the ACL.
  4. Log into the backend, locate the new item and click on it.

Expected result

  1. The new controller is executed.

Actual result

  1. The user is redirected back to the dashboard.

After a debugging session, it appears that the security key is incorrectly generated during either the creation of backend URLs or the security key validation.

If you place a breakpoint at the last line of \Magento\Backend\Model\Url::getSecretKey(), you'll notice the following discrepancy:

  • While generating the security key used during the creation of the URL, the "$secret" string (the one that is hashed to form the security key) starts with the frontname.
  • While checking the security key after having clicked on the link, the "$secret" string starts with the route ID instead.
Labels: Fixed in 2.2.x, Fixed in 2.3.x, Clear Description, Confirmed, Format is valid, Ready for Work, PR Created, Reproduced on 2.1.x, Reproduced on 2.2.x, Reproduced on 2.3.x, bug report

All 12 comments

These are stack traces and secret sources for hashing in my case (Magento ver. 2.2.0-rc30).

Secret key generation for navigation links: [screenshot: secret_generate]

Secret key validation on route action: [screenshot: secret_validate]

My module's descriptors for routes & menu:

./etc/adminhtml/routes.xml

<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:framework:App/etc/routes.xsd">
    <router id="admin">

        <route id="fl32_login_as_route" frontName="loginas">
            <module name="Flancer32_LoginAs"/>
        </route>

    </router>
</config>

./etc/adminhtml/menu.xml

<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Backend:etc/menu.xsd">
    <menu>
        <add id="Flancer32_LoginAs::customer_logged"
                module="Flancer32_LoginAs"
                action="loginas/logged"/>
    </menu>
</config>

@AlexandreKhayrullin, thank you for your report.
We've created internal ticket(s) MAGETWO-81949 to track progress on the issue.

Hi @AlexandreKhayrullin

This ticket has been marked as "Triage Wanted" due to low user involvement over time. Over the next 2 weeks we are looking for additional community feedback to decide if it should be archived or not. More information on this is available on the GitHub wiki.

Thank you for your collaboration.

I have a commit that I'm testing, please don't close this.

Fix is wrong in 2.2.8.

Code in 2.2.8:

protected function _callbackSecretKey($match)
{
    // $match[1] is the front name taken from the URL; resolve it to the route ID
    $routeId = $this->routeConfig->getRouteByFrontName($match[1]);
    return \Magento\Backend\Model\UrlInterface::SECRET_KEY_PARAM_NAME . '/' . $this->_url->getSecretKey(
        $routeId,        // passed through as-is, even when the lookup returned nothing
        $match[2],
        $match[3]
    );
}

Code in 2.3:

protected function _callbackSecretKey($match)
{
    $routeId = $this->routeConfig->getRouteByFrontName($match[1]);
    return \Magento\Backend\Model\UrlInterface::SECRET_KEY_PARAM_NAME . '/' . $this->_url->getSecretKey(
        $routeId ?: $match[1],  // fall back to the front name when no route ID was found
        $match[2],
        $match[3]
    );
}
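Added example, not code from the issue or from Magento: a stripped-down PHP model of the secret-key derivation the report describes (the $secret string hashed on the URL side versus the one recomputed at validation) and of the two _callbackSecretKey() variants quoted in the comment above. The route table, the form key and case B (a front name whose lookup finds nothing) are constructed, and getRouteByFrontName() and getSecretKey() are simplified stand-ins for the real Magento methods.

```php
<?php
// Added illustration, not Magento code; the route table, form key and case B
// below are constructed. Shows what each variant hashes on the URL side and
// why that fails validation when the front name differs from the route ID.

// Stand-in for routeConfig->getRouteByFrontName(): the route ID, or false
// when nothing is registered under that front name.
function getRouteByFrontName(array $routes, string $frontName)
{
    return array_search($frontName, $routes, true);
}

// Stand-in for \Magento\Backend\Model\Url::getSecretKey(): the real method
// hashes routeName . controller . action . formKey with Magento's encryptor.
function getSecretKey(string $routeName, string $controller, string $action, string $formKey): string
{
    return hash('sha256', $routeName . $controller . $action . $formKey);
}

// Validation side: the request is already routed, so the key is recomputed
// from the route ID. A mismatch is what sends the user back to the dashboard.
function isValidKey(string $key, string $routeId, string $controller, string $action, string $formKey): bool
{
    return hash_equals(getSecretKey($routeId, $controller, $action, $formKey), $key);
}

// URL side: $match[1..3] are front name, controller and action from the path.
// 'report' is the behaviour the issue describes; '2.2.8' and '2.3' mirror the
// two _callbackSecretKey() versions quoted in the thread.
function keyForUrl(array $routes, array $match, string $formKey, string $variant): string
{
    $routeId = getRouteByFrontName($routes, $match[1]);
    if ($variant === 'report')    { $routeName = $match[1]; }             // hashes the front name
    elseif ($variant === '2.2.8') { $routeName = (string) $routeId; }     // false becomes ''
    else                          { $routeName = $routeId ?: $match[1]; } // 2.3: fall back to front name
    return getSecretKey($routeName, $match[2], $match[3], $formKey);
}

$formKey = 'constructed-form-key';
// Case A: route table from the posted routes.xml; front name differs from ID.
// Case B (constructed): front name equals ID, but the lookup finds nothing.
$cases = [
    'A loginas -> fl32_login_as_route' => [['fl32_login_as_route' => 'loginas'], 'loginas', 'fl32_login_as_route'],
    'B catalog -> catalog, lookup fails' => [[], 'catalog', 'catalog'],
];
foreach ($cases as $label => $case) {
    list($routes, $frontName, $routeId) = $case;
    foreach (['report', '2.2.8', '2.3'] as $variant) {
        $key = keyForUrl($routes, ['', $frontName, 'logged', 'index'], $formKey, $variant);
        $ok  = isValidKey($key, $routeId, 'logged', 'index', $formKey);
        printf("%-36s %-6s %s\n", $label, $variant, $ok ? 'accepted' : 'redirected to dashboard');
    }
}
```

Case A reproduces the redirect only under 'report'; case B is where the 2.2.8 and 2.3 variants part ways, since a false lookup result is hashed as an empty route name in 2.2.8 but replaced by the front name in 2.3.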

Had this issue after upgrading to 2.2.8. Caused problems if the admin/startup/menu_item_id is set to redirect to a specific page after login, I was unable to access any of the adminhtml routes and was redirected back to the page defined in admin/startup/menu_item_id.

Definitely still broken in 2.2.8 - can this be re-opened @sidolov ?

Hi @chrisputnam9, yes, we should reopen it if the issue is still reproducing.

Still is being reproduced on 2.3.1.

I'll reopen and fix it when I have some time.

Hi @novikor. Thank you for working on this issue.
Looks like this issue is already verified and confirmed. But if you want to validate it one more time, please go through the following instructions:

  • [ ] 1. Add/Edit Component: XXXXX label(s) to the ticket, indicating the components it may be related to.
  • [ ] 2. Verify that the issue is reproducible on the 2.3-develop branch.

    Details:
    - Add the comment @magento give me 2.3-develop instance to deploy a test instance on Magento infrastructure.
    - If the issue is reproducible on the 2.3-develop branch, please add the label Reproduced on 2.3.x.
    - If the issue is not reproducible, add a comment that the issue is not reproducible, close the issue and _stop the verification process here_!

  • [ ] 3. If the issue is not relevant or is not reproducible any more, feel free to close it.

