Problem/Motivation

Claro's claro_preprocess_form_element__password() uses in_array() in non strict mode. If the array parents have a 0 in it that means *any* string value will return TRUE.
This leads to incorrectly adding a class meant only for the confirm field to the primary field and totally breaks the element.

Steps to reproduce

Add a password_confirm form element to a render array rendered under Claro with an element in #array_parents having a value of TRUE.

Proposed resolution

Use strict mode.

Remaining tasks

Does this need a test?

User interface changes

None

API changes

None

Data model changes

None

Issue fork drupal-3247994

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

NickDickinsonWilde created an issue. See original summary.

NickDickinsonWilde opened merge request !1391

nickdickinsonwilde’s picture

nickdickinsonwilde
He/Him/His
Primary language English
Location Victoria, BC (T'So-uke lands)
commented
Assigned: nickdickinsonwilde » Unassigned
Status: Active » Needs review

If it doesn't need a test (I think this doesn't) then ready for review.

dqd’s picture

dqd
Location London | N.Y.C | Paris | Hamburg | Berlin
commented

I don't know why we do not use strict comparison for in_array checks using claro_preprocess_form_element__password() (anyone?), but after reviewing these 2 small code additions (2x , TRUE added), no code removals, and after testing local on latest 9.3.x dev Drupal core and on Tugboat with Claro set as default theme and using the project code of the project the OT worked on while detecting this behaviour, I can confirm that the patch provides the intended strict comparsion without breaking anything and the Drupal installation operates as expected without any flaws.

One last question, is the previous implementation the default, or does "Seven" admin theme behave different here? RTBC from me. But I would tend to say it needs one more review.

nickdickinsonwilde’s picture

nickdickinsonwilde
He/Him/His
Primary language English
Location Victoria, BC (T'So-uke lands)
commented

Thanks diqidoq
Re that last question: That is the only implementation of that preprocess hook (in core).

dqd’s picture

dqd
Location London | N.Y.C | Paris | Hamburg | Berlin
commented
Status: Needs review » Reviewed & tested by the community

Ok. So there is no "similar" issue possible in Seven etc. GTK...

To quote https://www.php.net/manual/de/function.in-array.php#106319:

Loose checking returns some crazy, counter-intuitive results when used with certain arrays. It is completely correct behaviour, due to PHP's leniency on variable types, but in "real-life" is almost useless. The solution is to use the strict checking option.

So - I would like to RTBC to speed things up, but I'll ping a maintainer to make sure it gets another eye on it.

  • bnjmnm committed 4cbbdb2 on 9.4.x 
    Issue #3247994 by NickDickinsonWilde, diqidoq: Claro's password element...
bnjmnm’s picture

bnjmnm
he/him
Primary language English
Location Ann Arbor, MI
commented
Issue summary: View changes

Committed 4cbbdb2 and pushed to 9.4.x. Thanks!

This doesn't need test coverage as doing so would effectively be testing PHP.
Running this PHP snippet demonstrates how in_array() can lead to unexpected positives when strict checking isn't enabled.

$variables = [];
$variables['element']['#array_parents'] = [
  'whatever' => true,
];

if(in_array('pass1', $variables['element']['#array_parents'], TRUE)) {
    echo 'strict true';
} else {
    echo 'strict false';
}
echo "\n";
if(in_array('pass1', $variables['element']['#array_parents'])) {
    echo 'relaxed true';
} else {
    echo 'relaxed false';
}

Leaving at RTBC and switching version to 9.3.x for potential backport after the code freeze.

lauriii’s picture

lauriii
he/him
Primary language Finnish
Location Finland
commented

I think this issue is good for backport because it seems low risk.

catch’s picture

catch
he/him
Primary language English
commented

+1 backporting this.

dqd’s picture

dqd
Location London | N.Y.C | Paris | Hamburg | Berlin
commented

+1 backporting this.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

  • lauriii committed c38760e on 9.3.x authored by bnjmnm 
    Issue #3247994 by NickDickinsonWilde, diqidoq: Claro's password element...
lauriii’s picture

lauriii
he/him
Primary language Finnish
Location Finland
commented
Version: 9.4.x-dev » 9.3.x-dev
Status: Reviewed & tested by the community » Fixed

Went ahead with the backport since this seems like a low-risk change and Claro is experimental.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.