The original issue is still stuck on 6.x, so splitting off the 8.x issue here #2380053: [core] Posting an array as value of a form element is allowed even when a string is expected (and bypasses #maxlength constraints) - first step: text fields

Transferring this issue from security.drupal.org

The Security Team considered including this in SA-2014-06, but after debate about unexpected side effects decide to have it as a public issue and commit the prepared patch soon after the SA.

catch agreed that this could be committed to 7.x and 6.x in advance of an 8.x patch, as if it had been part of the SA. That hasn't happened yet for 6.x, so this patch is to forward port the 7.x fix to 8.x


Commit credit: klausi, pwolanin, tsphethean, sun

Problem/Motivation

posting an array as value of a required and maxlength limited textfield will cause the field to pass both the #required => TRUE and #maxlength validation.

Proposed resolution

Enforce the expected data type in the Form API

Remaining tasks

Forward port 7.x fix to 8

User interface changes

n/a

API changes

FAPI change to enforce correct data type of certain fields

CommentFileSizeAuthor
#4 interdiff.txt8.27 KBdawehner
#4 2560137-4.patch13.45 KBdawehner
#2 2560137-2.patch5.17 KBpwolanin

Comments

pwolanin created an issue. See original summary.

pwolanin’s picture

pwolanin commented
Status: Active » Needs review
StatusFileSize
new 2560137-2.patch5.17 KB

First pass at forward port. Needs the tests ported also.

NR just for the bot.

tim.plunkett’s picture

tim.plunkett
he/him
Primary language English
Location Philadelphia
commented
Issue tags: +Needs tests

All of this could be unit tested.
Is this really a release blocker?

dawehner’s picture

dawehner
Primary language German
commented
Issue tags: +Security improvements
StatusFileSize
new 2560137-4.patch13.45 KB
new interdiff.txt8.27 KB

Its just fun to write them.

Given that the d6 and d7 issue has been critical I think this is also critical. This is also a security improvement ...

catch’s picture

catch
he/him
Primary language English
commented

So this is the first time we've skimped on the backport policy during nearly the entire 8.x cycle and it very nearly went horribly wrong. Just posting this as a marker for the next time that discussion comes up.

@pwolanin thanks for digging this one out!

catch’s picture

catch
he/him
Primary language English
commented
Status: Needs review » Reviewed & tested by the community

Also tests here look great, the password confirm code we could probably PHP 5.4-ify but I think we should get the straight forward-port in as is.

Generally security hardening is major, but had we fixed this before SA-CORE-2014-005 was discovered it would have severely mitigated the attack vectors for that and potentially lengthened the couple of hours window before sites got hacked in the wild. The only reason this wasn't included in that release was to avoid holding up the SQL injection fix going out asap.

RTBC for me.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented
Status: Reviewed & tested by the community » Fixed

This is really nice security hardening. Hopefully in d9 we'll get to a place where FAPI ensures the type matches what you would expect but this is a great start and not disruptive at all.

Committed e513467 and pushed to 8.0.x. Thanks!

  • alexpott committed e513467 on 8.0.x 
    Issue #2560137 by dawehner, pwolanin, klausi, tsphethean, sun: Posting...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.