Commit 81c436fb authored by Dries's avatar Dries

- Patch #360128 by chx, quicksketch, Frando et al: security fix for simplified AHAH callbacks.

parent c1e05db9
......@@ -1821,6 +1821,14 @@ function form_ahah_callback() {
// Get the form from the cache.
$form = form_get_cache($form_build_id, $form_state);
if (!$form) {
// If $form cannot be loaded from the cache, the form_build_id in $_POST must
// be invalid, which means that someone performed a POST request onto
// system/ahah without actually viewing the concerned form in the browser.
// This is likely a hacking attempt as it never happens under normal
// circumstances, so we just do nothing.
// We will run some of the submit handlers so we need to disable redirecting.
$form['#redirect'] = FALSE;
......@@ -1840,7 +1848,9 @@ function form_ahah_callback() {
// Get the callback function from the clicked button.
$callback = $form_state['clicked_button']['#ahah']['callback'];
$callback($form, $form_state);
if (drupal_function_exists($callback)) {
$callback($form, $form_state);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment