Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.#1 - formsapi does not check to match form_id value between $_POST['edit'] and the form_id of the form being built. This can cause values from the posted form to populate an unrelated form's fields if the names are the same. This also causes the form_id of a posted form to replace the form_id of any form on the destination page. This is bad. This patch adds $form_id to the parameters for _form_builder, so we check to make sure that $_POST['edit']['form_id'] matches with it before populating from $_POST['edit'].
#2 - formsapi validation happens based on a comparison of $form_fields['form_id'] with $callback and $form_id to determine if it should validate. However, $form_fields['form_id'] changes with every _form_builder call to the current form, so this always validates as TRUE, causing every form being rendered to validate against the $_POST['edit'] data. This patch changes it to compare against $_POST['edit']['form_id'] instead of $form_fields['form_id'] so only the posted form is validated against $_POST['edit'].
| Comment | File | Size | Author |
|---|---|---|---|
| form.inc_1.patch | 1.9 KB | crunchywelch | |
Comments
Comment #1
adrian CreditAttribution: adrian commented+1 it's definitely critical and required.
Comment #2
Steven CreditAttribution: Steven commentedCommitted to HEAD.
Comment #3
(not verified) CreditAttribution: commented