Change record status:
Project:
Introduced in branch: 7.x
Introduced in version: 7.36
Description:

Drupal 7.36 introduces fixes to the form API to prevent malicious users from injecting unexpected arrays into form API callback functions via certain kinds of text fields that always expect to receive a string.

This is not a security fix on its own, but it fixes a vector by which attackers can attempt to exploit other security issues, and was a common avenue for exploiting SA-CORE-2014-005 (last year's critical SQL injection vulnerability in Drupal core) on sites that did not update following that security release.

Drupal 7.36 adds this fix to various common text-like form API elements provided by Drupal core (textfields, textareas, machine name fields, and password fields) by default. But it will not be added to other text-like form API elements provided by contributed modules, or to particular form elements which have been altered to add a custom #value_callback property.

To add this fix to your own form elements, form_type_textfield_value provides a good basis for code you might want to use in a custom #value_callback function to ensure that it always returns a string. In many cases, you can just reuse this #value_callback function by default when defining your own form element type. For example, Drupal core does this to add the relevant fix to the 'password' form API element:

/**
 * Implements hook_element_info().
 */
function system_element_info() {
  // ... (other element definitions omitted)
  $types['password'] = array(
    '#input' => TRUE,
    '#size' => 60,
    '#maxlength' => 128,
    // ... (theme and process properties omitted)
    // Use the same value callback as for textfields; this ensures that we only
    // get string values.
    '#value_callback' => 'form_type_textfield_value',
  );

  return $types;
}
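The following is an added example for a contributed module, not code from Drupal core or from this change record. It shows the two situations described above: an element that can simply reuse form_type_textfield_value, and an element that needs its own #value_callback because core's textfield callback strips newlines. The module name mymodule, the element types mymodule_slug and mymodule_notes, and the callback mymodule_notes_value are hypothetical names chosen for the example.

```php
<?php
/**
 * @file
 * Added example (not Drupal core code): applying the Drupal 7.36 string-only
 * value handling to a contributed module's own text-like form elements.
 * "mymodule", "mymodule_slug", "mymodule_notes" and "mymodule_notes_value"
 * are hypothetical names.
 */

/**
 * Implements hook_element_info().
 */
function mymodule_element_info() {
  $types = array();

  // A single-line element: reuse core's form_type_textfield_value() so the
  // element value is always a string, exactly as core does for 'password'.
  $types['mymodule_slug'] = array(
    '#input' => TRUE,
    '#size' => 40,
    '#maxlength' => 64,
    '#theme' => 'textfield',
    '#theme_wrappers' => array('form_element'),
    '#value_callback' => 'form_type_textfield_value',
  );

  // A multi-line element that must keep line breaks. form_type_textfield_value()
  // removes "\r" and "\n", so this element needs its own callback that still
  // enforces the string-only contract.
  $types['mymodule_notes'] = array(
    '#input' => TRUE,
    '#cols' => 60,
    '#rows' => 5,
    '#theme' => 'textarea',
    '#theme_wrappers' => array('form_element'),
    '#value_callback' => 'mymodule_notes_value',
  );

  return $types;
}

/**
 * Value callback for the hypothetical 'mymodule_notes' element.
 *
 * Mirrors the contract of form_type_textfield_value(): submitted input that is
 * not a scalar (for example a field posted as an array instead of a string,
 * the vector this change record closes) is discarded and an empty string is
 * returned, so #element_validate, validation and submit handlers can rely on
 * receiving a string. Returning NULL when there is no input lets the form API
 * fall back to #default_value as usual.
 */
function mymodule_notes_value($element, $input = FALSE, $form_state = array()) {
  if ($input !== FALSE && $input !== NULL) {
    // Refuse arrays and objects outright rather than passing them on to
    // callbacks that expect a string.
    if (!is_scalar($input)) {
      return '';
    }
    // Normalise Windows line endings but otherwise keep the text intact.
    return str_replace("\r\n", "\n", (string) $input);
  }
}
```

When auditing a module after this release, the elements to check are those whose hook_element_info() definition declares '#input' => TRUE with a custom #value_callback, and any form alter that overrides #value_callback on a core text element; in both cases the callback should return a string (or NULL for "no input") and never hand an array through.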
Impacts: Module developers
Updates Done (doc team, etc.)
Online documentation: Not done
Theming guide: Not done
Module developer documentation: Not done
Examples project: Not done
Coder Review: Not done
Coder Upgrade: Not done
Other:
Other updates done