Protection against forgery of input selection value doesn't work with checkboxes [#803212]

Select box and radio button selection have protection against forgery of value of input selection. However for checkboxes, the form still submits the fake value of checkbox selection, which expected to be failed in validation and should return a message:
"An illegal choice has been detected. Please contact the site administrator."

Same with disabled input elements, making the "#disabled" property of any element to TRUE should prohibit the user from submitting the form but by editing the HTML code to remove the disabled="disabled" property of any input element and submit this form, Drupal does not validate this kind of forgery and still accept the submitted disabled input form.

I'm using D7 CVS updated.

Comment	File	Size	Author
#20	checkboxes_forgery_fix-803212-21.patch	4.14 KB	Heine
#20
#12	issue.zip	835 bytes	arpeggio
#9	checkboxes_forgery_fix-803212-9.patch	4.18 KB	effulgentsia
#9
#8	checkboxes_forgery_fix-803212-8.patch	3.45 KB	effulgentsia
#8

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

arpeggio CreditAttribution: arpeggio commented 21 May 2010 at 03:47

Priority:

Normal

» Critical

This is a security issue, I think this is critical.

Comment #2

Heine CreditAttribution: Heine commented 21 May 2010 at 05:33

To reproduce:

function scratch_form(&$form_state) {
	$form = array();

	$options = array(
		'one' => 'One',
		'two' => 'Two',
	);

	$form['secissue'] = array(
		'#type' => 'checkboxes',
		'#options' => $options,
	);

	$form['submit'] = array(
		'#type' => 'submit',
		'#value' => t('Submit'),
	);
	return $form;
}

function scratch_form_submit($form, &$form_state) {
	drupal_set_message('<pre>'. check_plain(print_r($form_state['values'], TRUE)) .'</pre>');
}

When checking the checkboxes, results in (only relevant key given):

[secissue] => Array
        (
            [one] => one
            [two] => two
        )

Whe modifying the value of $_POSTed secissue[two] to FOO:

[secissue] => Array
        (
            [one] => one
            [two] => FOO
        )

Only the value is affected; when you try to add another key, the "Illegal option" error message is given. This is not an issue on Drupal 6.

Comment #3

Heine CreditAttribution: Heine commented 21 May 2010 at 05:39

See #426056: Server-side enforcement of #disabled is inconsistent for more info about #disabled.

Comment #4

arpeggio CreditAttribution: arpeggio commented 21 May 2010 at 22:27

Thank you for providing how to reproduce the issue. BTW, yesterday I've already sent the full details to security@drupal.org about this issue because Nathaniel suggested me that'll help you to track this. Thanks.

Comment #5

arpeggio CreditAttribution: arpeggio commented 23 May 2010 at 14:06

I would like to suggest the following patch (for includes/form.inc) to solve the checkboxes input selection value forgery issue:

--- form.inc   19 May 2010 19:22:24 -0000   1.464
+++ form.inc   23 May 2010 12:51:48 -0000
@@ -941,7 +941,7 @@
           $options = $elements['#options'];
         }
         if (is_array($elements['#value'])) {
-          $value = $elements['#type'] == 'checkboxes' ? array_keys(array_filter($elements['#value'])) : $elements['#value'];
+          $value = $elements['#type'] == 'checkboxes' ? array_filter($elements['#value']) : $elements['#value'];               
           foreach ($value as $v) {
             if (!isset($options[$v])) {
               form_error($elements, $t('An illegal choice has been detected. Please contact the site administrator.'));

I removed the array_keys() because the suspected fake value/s is/are not in the array key/s but in the array value/s. Thanks.

Comment #6

Heine CreditAttribution: Heine commented 23 May 2010 at 14:47

I've traced this back to #414424: Introduce Form API #type 'text_format'.

In Drupal 6, checkboxes behaviour results in:

array(
  'key' => 'key', // For checked boxes
  'key' => 0,     // For unchecked boxes
);

regardless of the 'value' posted for the element.

What happens in D6 is that the "input" from the checkboxes element is added to form_state, and later overwritten by the child checkboxes; they always return the correct return_value. The following check that was added by the referenced issue prevents this overwriting by the child elements:

3f587416 (webchick 2010-03-07 23:14:20 +0000 1561)   // Set the element's value in $form_state['values'], but only, if its key
3f587416 (webchick 2010-03-07 23:14:20 +0000 1562)   // does not exist yet (a #value_callback may have already populated it).
3f587416 (webchick 2010-03-07 23:14:20 +0000 1563)   $values = $form_state['values'];
3f587416 (webchick 2010-03-07 23:14:20 +0000 1564)   foreach ($element['#parents'] as $key) {
3f587416 (webchick 2010-03-07 23:14:20 +0000 1565)     $values = (isset($values[$key]) ? $values[$key] : NULL);
3f587416 (webchick 2010-03-07 23:14:20 +0000 1566)   }
3f587416 (webchick 2010-03-07 23:14:20 +0000 1567)   if (!isset($values)) {
3f587416 (webchick 2010-03-07 23:14:20 +0000 1568)     form_set_value($element, $element['#value'], $form_state);
3f587416 (webchick 2010-03-07 23:14:20 +0000 1569)   }

This _could_ be handled by the checkboxes value callback, or process handler, but I doubt that it is the correct approach; the behaviour of the processed element should depend on the children, and should not be coded entirely in the parent process / value callbacks.

Comment #7

Heine CreditAttribution: Heine commented 23 May 2010 at 14:49

Comment #8

effulgentsia CreditAttribution: effulgentsia commented 25 May 2010 at 00:11

Status:

Active

» Needs review

File	Size
checkboxes_forgery_fix-803212-8.patch	3.45 KB

Thanks. This fixes form_type_checkboxes_value() to be consistent with form_type_select_value().

Comment #9

effulgentsia CreditAttribution: effulgentsia commented 25 May 2010 at 00:18

File	Size
checkboxes_forgery_fix-803212-9.patch	4.18 KB

This also fixes drupal_map_assoc() to handle empty arrays.

Comment #10

rfay

English

Palisade, CO, USA

CreditAttribution: rfay commented 25 May 2010 at 00:26

Comment #11

effulgentsia CreditAttribution: effulgentsia commented 25 May 2010 at 00:26

@arpeggio: In the original issue description, you write:

Same with disabled input elements, making the "#disabled" property of any element to TRUE should prohibit the user from submitting the form but by editing the HTML code to remove the disabled="disabled" property of any input element and submit this form, Drupal does not validate this kind of forgery and still accept the submitted disabled input form.

This is true for D6, but was fixed for D7: #426056: Server-side enforcement of #disabled is inconsistent. If you can find a use-case where that bug remains, please post the steps to reproduce it. Thanks. Note, for D6, since #disabled isn't enforced server-side, if your module needs such enforcement, you need to set #value. See the linked issue.

Comment #12

arpeggio CreditAttribution: arpeggio commented 25 May 2010 at 14:36

File	Size
issue.zip	835 bytes

Actually I have sent the detailed steps to security@drupal.org. Anyway here are the steps I sent and the attachment is the module I created:

I have created a simple module that can aid the security team to simulate the issue. Here are the steps:
1. Enable the devel and issue modules.
2. Go to http://localhost/admin/config/development/issue
3. The submit button is disabled and it means the user is prohibited to submit this form. We will try to hack the form so we can submit this disabled form. Edit the HTML code (its easier if using Chrome browser, just right click the element and select "Inspect element" from the pop-up menu and editing the DOM is a breeze) to remove the disabled="disabled" property of submit button.
4. Then we will try to hack one of the value of checkboxes, again by editing the HTML code and change the value of "anonymous user" which is value="1" to value="hacked".
5. Click the "Apply" button.
We can see that we have successfully submitted this disabled form without error and in the devel debug message box we clearly see that the value of "anonymous user" ($form_state['values]['access_roles_checkbox'][1]) changed to "hacked".

Comment #13

Heine CreditAttribution: Heine commented 25 May 2010 at 14:40

Can we please discuss the disabled issue elsewhere? edit; Maybe reopen #426056: Server-side enforcement of #disabled is inconsistent ?

Comment #14

Heine CreditAttribution: Heine commented 25 May 2010 at 14:46

As of #9; I find it odd that an element type processed into simpler types has no access to values of that type, but has to reimplement such functionality on raw $_POST data.

I would expect the following flow of information:

- type checkboxes -> processed into multiple checkbox elements
- value of all checkbox elements is set _individually_ in form_type_checkbox_value
- form_type_checkboxes_value runs later & receives these values, then returns the appropriate value for the checkboxes element.
- this value lands in form_state['values']

Unfortunately, it seems to late to do this in D7.

Comment #15

arpeggio CreditAttribution: arpeggio commented 25 May 2010 at 15:15

@Heine: I reopened your suggested thread about disabled issue.

Comment #16

effulgentsia CreditAttribution: effulgentsia commented 25 May 2010 at 15:19

Thanks for #12. #736298: Refactor file.module to use proper button click detection, enabling FAPI to improve button click detection security fixes that problem (see comment #46 on that issue): I'll try to roll in a test into that issue's patch with your use-case. So as per #13, this issue is now strictly about checkbox value forgery.

Re #14:

Unfortunately, it seems too late to do this in D7.

I agree that it is too late for that for D7. _form_builder_handle_input_element() runs in pre-order traversal (i.e., form_builder() calls it before recursing). This has been the case since FAPI was first introduced, and changing it to post-order traversal will have many side effects that are way out of scope for D7.

Comment #17

moshe weitzman CreditAttribution: moshe weitzman commented 4 June 2010 at 04:35

anyone available to slay this critical?

Comment #18

effulgentsia CreditAttribution: effulgentsia commented 4 June 2010 at 05:24

#9 slays this as far as I'm concerned. Comments after it have been answered or relegated to other issues. Anyone available to RTBC this issue?

Comment #19

catch

he/him

English

CreditAttribution: catch commented 4 June 2010 at 05:33

Status:

Needs review

» Reviewed & tested by the community

Patch is only a couple of lines and the test looks good, it would be nice to see another FAPI maintainer or Heine take a look at this before commit, maybe marking RTBC will encourage that second look.

Comment #20

Heine CreditAttribution: Heine commented 4 June 2010 at 07:42

Status:

Reviewed & tested by the community

» Needs review

File	Size
checkboxes_forgery_fix-803212-21.patch	4.14 KB

Patch itself is RTBC would it not for the options checker allowing the insertion of 0 keys:

$value = $elements['#type'] == 'checkboxes' ? array_keys($elements['#value']) : $elements['#value'];

Comment #21

effulgentsia CreditAttribution: effulgentsia commented 4 June 2010 at 15:13

I think I agree with the change in #20, but I'm not sure it belongs in this issue. #654796: Identify fix bugs with checkbox element is still a critical issue for D7, and if the line in #20 has unwanted side-effects, that would be the issue to catch it. @Heine: what's your thinking for including it here?

Comment #22

Dries CreditAttribution: Dries commented 5 June 2010 at 13:18

Status:

Needs review

» Fixed

I reviewed this patch -- it fixes the problem. Committed to CVS HEAD. Thanks Heine and effulgentsia -- great job.

Comment #23

David_Rothstein CreditAttribution: David_Rothstein commented 14 June 2010 at 22:41

The change introduced in #20 did indeed have an unwanted side effect: It prevents drupal_form_submit() from programmatically turning off a checkbox by submitting a NULL value for it.

I posted a patch which fixes it here (not a simple rollback, since for everything but checkboxes I think #20 is probably correct):

#827430: drupal_form_submit() no longer works with checkboxes

It could be pulled into #654796: Identify fix bugs with checkbox element instead, but I think probably not, since this really is just about NULL values rather than other things which also evaluate to empty.