SA-CORE-2022-003 by ciss, xjm, larowlan, benjy, mcdruid, jenlampton,...

SA-CORE-2022-003 by ciss, xjm, larowlan, benjy, mcdruid, jenlampton, quicksketch, Fabianx, effulgentsia

SA-CORE-2022-003 by ciss, xjm, larowlan, benjy, mcdruid, jenlampton,...
SA-CORE-2022-003 by ciss, xjm, larowlan, benjy, mcdruid, jenlampton, quicksketch, Fabianx, effulgentsia
7401e2ad · xjm · d42b0a45 · 7401e2ad
Commit 7401e2ad authored Feb 15, 2022 by xjm
--- a/core/lib/Drupal/Core/Form/FormBuilder.php
+++ b/core/lib/Drupal/Core/Form/FormBuilder.php
@@ -1218,7 +1218,7 @@ protected function handleInputElement($form_id, &$element, FormStateInterface &$
    // #access=FALSE on an element usually allow access for some users, so forms
    // submitted with self::submitForm() may bypass access restriction and be
    // treated as high-privilege users instead.
-    $process_input = empty($element['#disabled']) && (($form_state->isProgrammed() && $form_state->isBypassingProgrammedAccessChecks()) || ($form_state->isProcessingInput() && (!isset($element['#access']) || $element['#access'])));
+    $process_input = empty($element['#disabled']) && ($element['#type'] !== 'value') && (($form_state->isProgrammed() && $form_state->isBypassingProgrammedAccessChecks()) || ($form_state->isProcessingInput() && (!isset($element['#access']) || $element['#access'])));

    // Set the element's #value property.
    if (!isset($element['#value']) && !array_key_exists('#value', $element)) {