Issue #3130197: Faulty toolbar subtree hash breaks asynchonous loading of admin menu content

core/modules/toolbar/src/Controller/ToolbarController.php

@@ -31,13 +31,19 @@ public function __construct(
   /**
    * Returns an AJAX response to render the toolbar subtrees.
    *
+   * @param string $hash
+   *   The hash of the toolbar subtrees.
+   *
    * @return \Drupal\Core\Ajax\AjaxResponse
    */
-  public function subtreesAjax() {
+  public function subtreesAjax($hash) {
     [$subtrees] = toolbar_get_rendered_subtrees();
-    $response = new AjaxResponse();
-    $response->addCommand(new SetSubtreesCommand($subtrees));
+    $expected_hash = _toolbar_get_subtrees_hash()[0];
 
+    $response = new AjaxResponse();
+    if (hash_equals($expected_hash, $hash)) {
+      $response->addCommand(new SetSubtreesCommand($subtrees));
+    }
     // The Expires HTTP header is the heart of the client-side HTTP caching. The
     // additional server-side page cache only takes effect when the client
     // accesses the callback URL again (e.g., after clearing the browser cache
@@ -63,8 +69,7 @@ public function subtreesAjax() {
    *   The access result.
    */
   public function checkSubTreeAccess($hash) {
-    $expected_hash = _toolbar_get_subtrees_hash()[0];
-    return AccessResult::allowedIf($this->currentUser()->hasPermission('access toolbar') && hash_equals($expected_hash, $hash))->cachePerPermissions();
+    return AccessResult::allowedIf($this->currentUser()->hasPermission('access toolbar'))->cachePerPermissions();
   }
 
   /**

core/modules/toolbar/toolbar.module

@@ -165,6 +165,6 @@ function toolbar_get_rendered_subtrees() {
  */
 function _toolbar_get_subtrees_hash() {
   [$subtrees, $cacheability] = toolbar_get_rendered_subtrees();
-  $hash = Crypt::hashBase64(serialize($subtrees));
+  $hash = Crypt::hashBase64(serialize(array_keys($subtrees)));
   return [$hash, $cacheability];
 }