After logging in on the admin page, I got the error "Invalid security or form key. Please refresh the page."
Solution:
Below is the content of the patch file. Apply it to fix the error.
.../module-backend/App/Action/Plugin/Authentication.php | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/vendor/magento/module-backend/App/Action/Plugin/Authentication.php
b/vendor/magento/module-backend/App/Action/Plugin/Authentication.php
index 8227966e..0cdd9f12 100644
--- a/vendor/magento/module-backend/App/Action/Plugin/Authentication.php
+++ b/vendor/magento/module-backend/App/Action/Plugin/Authentication.php
@@ -102,6 +102,8 @@ class Authentication
/**
+ * Ensures user is authenticated before accessing backend action controllers.
+ *
* @param \Magento\Backend\App\AbstractAction $subject
* @param \Closure $proceed
* @param \Magento\Framework\App\RequestInterface $request
@@ -225,10 +227,9 @@ class Authentication
// Checks, whether secret key is required for admin access or request
// uri is explicitly set
if ($this->_url->useSecretKey()) {
- $requestParts = explode('/', trim($request->getRequestUri(), '/'), 3);
- $baseUrlPath = trim(parse_url($this->backendUrl->getBaseUrl(), PHP_URL_PATH), '/');
- $routeIndex = empty($baseUrlPath) ? 0 : 1;
- $requestUri = $this->_url->getUrl($requestParts[$routeIndex]);
+ // The requested URL has an invalid secret key and therefore redirecting
+ // to this URL will cause a security vulnerability.
+ $requestUri = $this->_url->getUrl($this->_url->getStartupPageUrl());
} elseif ($request) {
$requestUri = $request->getRequestUri();
}
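Review bot: The new comment above `$requestUri = $this->_url->getUrl($this->_url->getStartupPageUrl());` says only that the redirect "will cause a security vulnerability" without naming it, so a later maintainer has no stated reason not to restore the request-derived redirect. From the removed lines it appears the old code passed a path segment taken from the request URI to `getUrl()`, which presumably returns a URL carrying a valid secret key, so a request that arrived without a valid key would be redirected to a requester-chosen route with one. I would spell that out, e.g. `// Never build this redirect from the request path: getUrl() would attach a valid secret key to a route chosen by the requester, defeating the key check.` The unchanged `elseif ($request)` branch still assigns `$request->getRequestUri()` as-is. The enclosing method starts and ends outside the hunk, so confirm there whether that value is validated before it is used as a redirect target.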