Change record status: 
Introduced in branch: 
Introduced in version: 

Drupal 7.36 introduces fixes to the form API to prevent malicious users from trying to inject unexpected arrays into form API callback functions via certain kinds of text fields that always expect a string to be received.

This is not a security fix on its own, but it fixes a vector by which attackers can attempt to exploit other security issues, and was a common avenue for exploiting SA-CORE-2014-005 (last year's critical SQL injection vulnerability in Drupal core) on sites that did not update following that security release.

Drupal 7.36 adds this fix to various common text-like form API elements provided by Drupal core (textfields, textareas, machine name fields, and password fields) by default. But it will not be added to other text-like form API elements provided by contributed modules, or to particular form elements which have been altered to add a custom #value_callback property.

To add this fix to your own form elements, form_type_textfield_value provides a good basis for code you might want to use in a custom #value_callback function to ensure that it always returns a string. In many cases, you can just reuse this #value_callback function by default when defining your own form element type. For example, Drupal core does this to add the relevant fix to the 'password' form API element:

 * Implements hook_element_info().
function system_element_info() {
  $types['password'] = array(
    '#input' => TRUE,
    '#size' => 60,
    '#maxlength' => 128,
    // Use the same value callback as for textfields; this ensures that we only
    // get string values.
    '#value_callback' => 'form_type_textfield_value',

  return $types;
Module developers
Updates Done (doc team, etc.)
Online documentation: 
Not done
Theming guide: 
Not done
Module developer documentation: 
Not done
Examples project: 
Not done
Coder Review: 
Not done
Coder Upgrade: 
Not done
Other updates done