Commit e4db5cd4 authored by catch's avatar catch

Issue #576276 by tim.plunkett, larowlan: Abort validation when the token validation fails.

parent 4a689c59
......@@ -843,6 +843,12 @@ public function validateForm($form_id, &$form, &$form_state) {
// Setting this error will cause the form to fail validation.
$this->setErrorByName('form_token', $form_state, $this->t('The form has become outdated. Copy any unsaved work in the form below and then <a href="@link">reload this page</a>.', array('@link' => $url)));
// Stop here and don't run any further validation handlers, because they
// could invoke non-safe operations which opens the door for CSRF
// vulnerabilities.
$this->validatedForms[$form_id] = TRUE;
return;
}
}
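Review bot: The early `return;` added after `$this->validatedForms[$form_id] = TRUE;` skips whatever validateForm does after this hunk, so any bookkeeping in the method's tail (validateForm starts and ends outside the hunk) no longer runs for a stale-token form; worth confirming that the caller stops submission on the form error alone and not on state set later in the method. Marking the form as validated before returning looks deliberate, presumably so a second validateForm call on the same form id does not reach the validation handlers either. A short comment would make that intent explicit, e.g. `// Record the form as validated so a repeat call cannot reach the validation handlers.`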
......@@ -224,6 +224,10 @@ private function formSubmitHelper($form, $edit) {
drupal_process_form($form_id, $form, $form_state);
// The form token CSRF protection should not interfere with this test, so we
// bypass it by marking this test form as programmed.
$form_state['programmed'] = TRUE;
$errors = form_get_errors($form_state);
// Clear errors and messages.
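Review bot: As rendered, `$form_state['programmed'] = TRUE;` appears after the `drupal_process_form()` call, where it is set too late to bypass the token check during processing; the testRequiredFields hunk sets the flag before `drupal_prepare_form()`, which is the order that works. If the page rendering has merely reordered lines and the assignment really precedes the process call, nothing needs changing; otherwise move the comment and the assignment above `drupal_process_form($form_id, $form, $form_state);`. formSubmitHelper starts and ends outside the hunk.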
......@@ -110,6 +110,9 @@ function testRequiredFields() {
$form_state['input'][$element] = $empty;
$form_state['input']['form_id'] = $form_id;
$form_state['method'] = 'post';
// The form token CSRF protection should not interfere with this test,
// so we bypass it by marking this test form as programmed.
$form_state['programmed'] = TRUE;
drupal_prepare_form($form_id, $form, $form_state);
drupal_process_form($form_id, $form, $form_state);
$errors = form_get_errors($form_state);
......@@ -65,6 +65,18 @@ function testValidate() {
$this->drupalPostForm(NULL, array(), 'Save');
$this->assertNoFieldByName('name', 'Form element was hidden.');
$this->assertText('Name value: element_validate_access', 'Value for inaccessible form element exists.');
// Verify that #validate handlers don't run if the CSRF token is invalid.
$this->drupalLogin($this->drupalCreateUser());
$this->drupalGet('form-test/validate');
$edit = array(
'name' => 'validate',
'form_token' => 'invalid token'
);
$this->drupalPostForm(NULL, $edit, 'Save');
$this->assertNoFieldByName('name', '#value changed by #validate', 'Form element #value was not altered.');
$this->assertNoText('Name value: value changed by form_set_value() in #validate', 'Form element value in $form_state was not altered.');
$this->assertText('The form has become outdated. Copy any unsaved work in the form below');
}
/**
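Review bot: The `$this->drupalLogin($this->drupalCreateUser());` line carries no explanation of why this part of the test must run as an authenticated user; presumably the form token is only issued and checked for logged-in users, so without the login the invalid token would never be validated at all. A comment such as `// Form tokens are only validated for authenticated users, so log in first.` would stop the next maintainer from dropping the login as noise. The final `assertText` also omits the assertion message the neighbouring assertions carry; `$this->assertText('The form has become outdated. Copy any unsaved work in the form below', 'Form token error was shown.');` keeps the style consistent. testValidate starts outside the hunk.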