Issue #2431283 by willzyx, David_Rothstein: Cron CSRF vulnerability

core/modules/locale/src/Tests/LocaleUpdateCronTest.php

@@ -102,7 +102,7 @@ public function testUpdateCron() {
     sleep(1);
     // Test: Execute cron and check if tasks are executed correctly.
     // Run cron to process the tasks in the queue.
-    $this->drupalGet('admin/reports/status/run-cron');
+    $this->cronRun();
 
     drupal_static_reset('locale_translation_get_file_history');
     $history = locale_translation_get_file_history();

core/modules/system/src/Tests/System/CronRunTest.php

@@ -106,4 +106,20 @@ function testCronUI() {
     // the time will start at 1 January 1970.
     $this->assertNoText('years');
   }
+
+  /**
+   * Ensure that the manual cron run is working.
+   */
+  public function testManualCron() {
+    $admin_user = $this->drupalCreateUser(array('administer site configuration'));
+    $this->drupalLogin($admin_user);
+
+    $this->drupalGet('admin/reports/status/run-cron');
+    $this->assertResponse(403);
+
+    $this->drupalGet('admin/reports/status');
+    $this->clickLink(t('run cron manually'));
+    $this->assertResponse(200);
+    $this->assertText(t('Cron ran successfully.'));
+  }
 }

core/modules/system/system.routing.yml

@@ -219,6 +219,7 @@ system.run_cron:
     _controller: '\Drupal\system\CronController::runManually'
   requirements:
     _permission: 'administer site configuration'
+    _csrf_token: 'TRUE'
 
 entity.date_format.collection:
   path: '/admin/config/regional/date-time'