Validate toolbar subtrees hash in AJAX responses

core/modules/toolbar/src/Controller/ToolbarController.php

@@ -37,10 +37,13 @@ public function __construct(
    *
    * @return \Drupal\Core\Ajax\AjaxResponse
    */
-  public function subtreesAjax() {
+  public function subtreesAjax($hash) {
     [$subtrees] = toolbar_get_rendered_subtrees();
+    $expected_hash = _toolbar_get_subtrees_hash()[0];
     $response = new AjaxResponse();
+    if (hash_equals($expected_hash, $hash)) {
       $response->addCommand(new SetSubtreesCommand($subtrees));
+    }
 
     // The Expires HTTP header is the heart of the client-side HTTP caching. The
     // additional server-side page cache only takes effect when the client
@@ -67,8 +70,7 @@ public function subtreesAjax() {
    *   The access result.
    */
   public function checkSubTreeAccess($hash) {
-    $expected_hash = _toolbar_get_subtrees_hash()[0];
-    return AccessResult::allowedIf($this->currentUser()->hasPermission('access toolbar') && hash_equals($expected_hash, $hash))->cachePerPermissions();
+    return AccessResult::allowedIf($this->currentUser()->hasPermission('access toolbar'))->cachePerPermissions();
   }
 
   /**

core/modules/toolbar/toolbar.module

@@ -293,6 +293,6 @@ function toolbar_get_rendered_subtrees() {
  */
 function _toolbar_get_subtrees_hash() {
   [$subtrees, $cacheability] = toolbar_get_rendered_subtrees();
-  $hash = Crypt::hashBase64(serialize($subtrees));
+  $hash = Crypt::hashBase64(serialize(array_keys($subtrees)));
   return [$hash, $cacheability];
 }