Backend Security key broken for controllers with frontname not equal to route ID

[AlexandreKhayrullin]

Preconditions

The Magento used is the "develop" branch.
PHP: PHP 7.0.10-1+deb.sury.org~xenial+1

Steps to reproduce

1. Create a new module with a controller usable in the backend.
2. Define a new route for the controller (new adminhtml/routes.xml file) with a frontname different from the route ID.
3. Add the new controller to the menu and add the appropriate item to the ACL.
4. Log into the backend, locate the new item and click on it.

Expected result

1. The new controller is executed.

Actual result

1. The user is redirected back to the dashboard.

After a debugging session, it appears that the security key is incorrectly generated during either the creation of backend URLs or the security key validation.

If you place a breakpoint at the last line of \Magento\Backend\Model\Url::getSecretKey(), you'll notice the following discrepancy:

• While generating the security key used during the creation of the URL, the "$secret" string (the one that is hashed to form the security key) starts with the frontname.
• While checking the security key after having clicked on the link, the "$secret" string starts with the route ID instead.

[flancer64]

These are stack traces and secret sources for hashing in my case (Magento ver. 2.2.0-rc30).

Secret key generation for navigation links:

Secret key validation on route action:

My module's descriptors for routes & menu:

./etc/adminhtml/routes.xml

<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:framework:App/etc/routes.xsd">
    <router id="admin">

        <route id="fl32_login_as_route" frontName="loginas">
            <module name="Flancer32_LoginAs"/>
        </route>

    </router>
</config>

./etc/adminhtml/menu.xml

<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Backend:etc/menu.xsd">
    <menu>
        <add id="Flancer32_LoginAs::customer_logged"
                module="Flancer32_LoginAs"
                action="loginas/logged"/>
    </menu>
</config>

[magento-engcom-team]

@AlexandreKhayrullin, thank you for your report.
We've created internal ticket(s) MAGETWO-81949 to track progress on the issue.

[magento-engcom-team]

Hi @AlexandreKhayrullin

This ticket has been marked as "Triage Wanted" due to low user involvement over time. Over the next 2 weeks we are looking for additional community feedback to decide if it should be archived or not. More information on this is available on the GitHub wiki.

Thank you for collaboration.

[lfolco]

I have a commit that I'm testing, please don't close this.

[ishakhsuvarov]

Hi @AlexandreKhayrullin. Thank you for your report.
The issue has been fixed in #17650 by @lfolco in 2.3-develop branch
Related commit(s):

• 2662dfaa3e6cf6c0131a6eea098631099e7683bc
• a0dfb6de5ea98d7586a30cfebdbfd4d78c0e104b
• 35eba04973e3a9b32715038843acfba9d52bca6d
• 600a18593b7c08601bf9e9c1841d538f6df4361d
• 062286ef1ea841289d3a1cdf862e5f2daa8954f9
• c3d700aad6fe574c4f8c3b15c556c69a93fa0e30
• be7c9614c66d6618d783a00adf0d9207aca259f3
• fa8a222e8ea787ea1cc07e45ea0c00ea34459377
• b738ce6ba67548db35ead1d1e622bfa1b4647cdc
• af3507a9af254b3b723a66af52625cdbd48f8243

The fix will be available with the upcoming 2.3.0 release.

[sidolov]

Hi @AlexandreKhayrullin. Thank you for your report.
The issue has been fixed in #18018 by @lfolco in 2.2-develop branch
Related commit(s):

• 719f7b34dc1c297cfd3748bf3920f68d881ae3f2
• a0f38af994c0f40b773ed7be9711ec481b3147d0
• 2b4384c603c0add4c56a29b41b6c0bb71a713b8a
• 19aa0fdc12ca9085ba18e2eb6d919c0a503d5b44
• 184f67fb0f29738273cf9a8c470e8115fc6bd3d2
• 600a4b0f452eaf7aeae411198cdda873238d7a40
• 11d05fd96adedf2d5ee8ef5f5c2a07ecc1f38076
• d935078abefb4742dac09bece446a6514364473d
• 27aeecb114b0b7ef247d8e958a53bd9fe35e1a7d
• b08e8173ef58852fd816a30b95e92a5d2dfcd5c3
• ba5b8cb2099e82ef94d29caaad3739cda946268a
• ccbb792ce3dccd39e67b7b5cf11e6241a11e7633

The fix will be available with the upcoming 2.2.8 release.

[romanrabotaet]

Fix is wrong in 2.2.8.
code in 2.2.8
protected function _callbackSecretKey($match)
{
$routeId = $this->routeConfig->getRouteByFrontName($match[1]);
return \Magento\Backend\Model\UrlInterface::SECRET_KEY_PARAM_NAME . '/' . $this->_url->getSecretKey(
$routeId,
$match[2],
$match[3]
);
}

code in 2.3
protected function _callbackSecretKey($match)
{
$routeId = $this->routeConfig->getRouteByFrontName($match[1]);
return \Magento\Backend\Model\UrlInterface::SECRET_KEY_PARAM_NAME . '/' . $this->_url->getSecretKey(
$routeId?:$match[1],
$match[2],
$match[3]
);
}

[richardgrey-netxtra]

Had this issue after upgrading to 2.2.8. Caused problems if the admin/startup/menu_item_id is set to redirect to a specific page after login, I was unable to access any of the adminhtml routes and was redirected back to the page defined in admin/startup/menu_item_id.

[chrisputnam9]

Definitely still broken in 2.2.8 - can this be re-opened @sidolov ?

[sidolov]

Hi @chrisputnam9 , yes, we should reopen it if the issue still reproducing

[novikor]

Still is being reproduced on 2.3.1.

I`ll reopen and fix it when I have some time.

[m2-assistant]

Hi @novikor. Thank you for working on this issue.
Looks like this issue is already verified and confirmed. But if you want to validate it one more time, please, go though the following instruction:

• 1. Add/Edit Component: XXXXX label(s) to the ticket, indicating the components it may be related to.

• 2. Verify that the issue is reproducible on 2.3-develop branch

  Details

  - Add the comment @magento give me 2.3-develop instance to deploy test instance on Magento infrastructure.
  - If the issue is reproducible on 2.3-develop branch, please, add the label Reproduced on 2.3.x.
  - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!

• 3. If the issue is not relevant or is not reproducible any more, feel free to close it.

---

• Join Magento Community Engineering Slack and ask your questions in #github channel.

[vasilii-b]

2024, Magento 2.4.6-p6 - same dam issue!

The issue is reproducible when creating urls from the UI Components.

Example

<column name="download" class="Vendor\Name\Ui\Component\Listing\Columns\Download">
            <argument name="data" xsi:type="array">
                <item name="config" xsi:type="array">
                    <item name="bodyTmpl" xsi:type="string">ui/grid/cells/html</item>                 
                    <item name="label" xsi:type="string" translate="true">Download Link</item>
                </item>
            </argument>
        </column>

<?php

declare(strict_types=1);

namespace Vendor\Name\Ui\Component\Listing\Columns;

use Magento\Framework\UrlInterface;
use Magento\Ui\Component\Listing\Columns\Column;
use Magento\Framework\View\Element\UiComponentFactory;
use Vendor\Name\Data\QueueInterface;
use Magento\Framework\View\Element\UiComponent\ContextInterface;

class Download extends Column
{
    /**
     * @var UrlInterface
     */
    private $urlBuilder;

    private const URL_PATH_EDIT = 'order_history/export/download';

    /**
     * Download constructor.
     *
     * @param ContextInterface $context
     * @param UiComponentFactory $uiComponentFactory
     * @param UrlInterface $urlBuilder
     * @param array $components
     * @param array $data
     */
    public function __construct(
        ContextInterface $context,
        UiComponentFactory $uiComponentFactory,
        UrlInterface $urlBuilder,
        array $components = [],
        array $data = []
    ) {
        parent::__construct($context, $uiComponentFactory, $components, $data);
        $this->urlBuilder = $urlBuilder;
    }

    /**
     * Prepare Data Source
     *
     * @param array $dataSource
     * @return array
     */
    public function prepareDataSource(array $dataSource): array
    {
        if (isset($dataSource['data']['items'])) {
            foreach ($dataSource['data']['items'] as &$item) {
                $name = $this->getData('name');
                if (isset($item[QueueInterface::IS_GENERATED]) && $item[QueueInterface::IS_GENERATED] == 1) {
                    $item[$name] = html_entity_decode(sprintf(
                        "<a href='%s' target='_blank'>%s</a>",
                        $this->urlBuilder->getUrl(
                            self::URL_PATH_EDIT,
                            ['filename' => $item['filename']]
                        ),
                        __('Download')
                    ));
                } else {
                    $item[$name] = '';
                }
            }
        }
        return $dataSource;
    }
}

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:App/etc/routes.xsd">
    <router id="admin">
        <route id="digital_order_history" frontName="order_history">
            <module name="Vendor_Name" before="Magento_Backend" />
        </route>
    </router>
</config>

When adding the custom URL in the admin menu, for example, it works w/o problems.

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Backend:etc/menu.xsd">
    <menu>
        <add
            id="Vendor_Name::order_history_export"
            title="Export Queue"
            module="Vendor_Name"
            sortOrder="20"
            parent="Vendor_Name::order_history_operation"
            action="order_history/export/queue"
            resource="Magento_Sales::sales_order"
        />
    </menu>
</config>

cc @sidolov

[tufahu]

Yes the problem is with \Magento\Backend\Model\Url::getUrl() uses frontName for secretKey generation and when we want to call the controller action secretKey validation runs with router id , so mismatch happens.

The only solution is to use same id and frontName at backend :\ good to know