Some ISPs, like AOL, change a user's IP address from one page view to the next. This will cause a problem with the new forms API. Here's how:

1) When a form is first displayed, the IP address is used to create an MD5 token (TOKEN1) in the drupal_get_form() function.

2) When the form gets submitted, another MD5 token (TOKEN2) is created in the drupal_validate_form() function.

3) TOKEN2 is compared to TOKEN1. If the two don't match, an error occurs.

4) The problem is, of course, an AOL user could have an IP address of 12.12.12.12 when viewing the form but an IP address of 12.12.12.99 when submitting it. Now the form will not validate.

Someone has suggested using the Drupal session ID. But I'll let someone else figure out the details.

Comment  File         Size       Author
#3       token.patch  594 bytes  chx

Comments

kbahey:

Some entire countries are behind proxies and each page view will get a different IP address.

Here is a related issue in e-commerce

http://drupal.org/node/35344

dopry:

Version: x.y.z » 4.7.0-beta3

This still seems to apply; the form.inc token still seems to be checked against the IP...
Updating version to match.

chx:

Assigned: Unassigned » chx
Status: Active » Reviewed & tested by the community
File size: 594 bytes

Let's use the session_id then. (Note: this is not a form API bug.)

Dries:

Status: Reviewed & tested by the community » Fixed

Committed to HEAD. Thanks.

varunvnair:

Title: From validation won't work for user's on some ISP's » Form validation won't work for users on some ISPs

Errr... corrected minor typos in the title.

tomsys:

Hmm,

there is a small bug: in form.inc you should adjust the drupal_validate_form() function to something like this to make this patch work properly.

function drupal_validate_form($form_id, &$form, $callback = NULL) {
  global $form_values;

  // Only forms built with a #token carry a form token to check.
  if (isset($form['#token'])) {
    // Recompute the token from the session ID (not the client IP) and compare
    // it with the value submitted in the hidden form_token field.
    if ($form_values['form_token'] != md5(session_id() . $form['#token'] . variable_get('drupal_private_key', ''))) {
      // Setting this error will cause the form to fail validation.
      form_set_error('form_token', t('Validation error, please try again.  If this error persists, please contact the site administrator.'));
    }
  }

  _form_validate($form, $form_id);
}

Otherwise it will never validate the form; you have forgotten the previous IP address validation condition there ... $_SERVER['REMOTE_ADDR']

 if ($form_values['form_token'] != md5($_SERVER['REMOTE_ADDR'] . $form['#token'] . variable_get('drupal_private_key', ''))) {

... now should be session_id() as well.

Regards,
T.
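The failure mode described in the issue report and the session-bound check shown in the comment above, as an added stand-alone example (not code from Drupal or from any participant in this thread). It mirrors the md5(binding value . #token . private key) construction the thread discusses; the private key, the #token seed, the session ID and the two IP addresses are constructed values for illustration, and hash_equals() is used for the comparison in place of the loose != the thread's code uses.

```php
<?php
// Added example, not Drupal's own code. Simulates the form token check before
// and after the fix in this issue. All constants and request values below are
// assumptions for illustration only.

define('PRIVATE_KEY', 'example-private-key');  // stands in for variable_get('drupal_private_key', '')
define('FORM_TOKEN_SEED', 'comment_form');      // stands in for $form['#token']

// Pre-patch construction: the token is bound to the client IP address.
function token_from_ip(string $remote_addr, string $seed): string {
    return md5($remote_addr . $seed . PRIVATE_KEY);
}

// Patched construction: the token is bound to the session ID instead.
function token_from_session(string $session_id, string $seed): string {
    return md5($session_id . $seed . PRIVATE_KEY);
}

// TRUE when the token submitted in the hidden form_token field matches the
// token recomputed from the binding value seen on the submit request.
function form_token_valid(string $submitted, string $recomputed): bool {
    return hash_equals($recomputed, $submitted);
}

// Constructed scenario: one session, but the ISP rotates the address between
// the GET that rendered the form and the POST that submitted it.
function scenario(): array {
    $session = 'abc123sessionid';
    $ip_view = '12.12.12.12';   // address when drupal_get_form() rendered the form
    $ip_post = '12.12.12.99';   // address when drupal_validate_form() ran

    // Tokens embedded in the rendered form (TOKEN1 in the issue report).
    $old_rendered = token_from_ip($ip_view, FORM_TOKEN_SEED);
    $new_rendered = token_from_session($session, FORM_TOKEN_SEED);

    // Tokens recomputed at validation time (TOKEN2) and compared.
    $ip_bound_ok      = form_token_valid($old_rendered, token_from_ip($ip_post, FORM_TOKEN_SEED));
    $session_bound_ok = form_token_valid($new_rendered, token_from_session($session, FORM_TOKEN_SEED));

    // A token minted under a different session (a forged submission) must still
    // be rejected by the patched scheme, so the fix does not weaken the check.
    $forged_ok = form_token_valid(
        token_from_session('attacker-session', FORM_TOKEN_SEED),
        token_from_session($session, FORM_TOKEN_SEED)
    );

    return [
        'ip_bound'      => $ip_bound_ok,
        'session_bound' => $session_bound_ok,
        'forged'        => $forged_ok,
    ];
}

foreach (scenario() as $case => $ok) {
    printf("%-14s %s\n", $case, $ok ? 'validates' : 'rejected');
}
```

Run with `php` on the command line: the IP-bound case is rejected because the recomputed token no longer matches, the session-bound case validates despite the changed address, and the forged token is still rejected. Note that the check only holds if session_id() is the same on both requests, which is why the fix depends on the session cookie surviving the IP change.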

archetwist:

token.patch did the job. I've successfully posted a test comment using Tor to change my IP before clicking the Preview button.

Anonymous:

Status: Fixed » Closed (fixed)