Currently, if a form token fails to validate, the user is shown a warning message, but there is nothing in the watchdog to help a site admin track down the problem or even know it's occurring. The attached patches log a message to the with a link to the path causing the error.

CommentFileSizeAuthor
#28 interdiff.txt1.2 KBmohit_aghera
#28 740986-28-form_token_error_watchdog.patch2.08 KBmohit_aghera
#26 740986-26-form_token_error_watchdog.patch2.1 KBmohit_aghera
#20 740986.20-form_token_error_watchdog.patch3.7 KBdeviantintegral
#19 740986.19-form_token_error_watchdog.patch3.69 KBdeviantintegral
#17 form_token_error_watchdog-740986-17.patch892 bytesnoisetteprod
#13 form_token_error_watchdog-740986-13.patch868 bytesZenDoodles
#3 740986_form_token_error_watchdog_7.x_3.patch1.03 KBdeviantintegral
#1 form_token_error_watchdog_6.x.patch2.06 KBdeviantintegral
#1 form_token_error_watchdog_7.x.patch1.04 KBdeviantintegral

Comments

deviantintegral’s picture

deviantintegral commented
Status: Active » Needs review
StatusFileSize
new form_token_error_watchdog_7.x.patch1.04 KB
new form_token_error_watchdog_6.x.patch2.06 KB

My patches look to have vanished, lets try this again.

dries’s picture

dries commented

I don't think %user is necessary as the watchdog automatically captures the username. Just not in the description.

deviantintegral’s picture

deviantintegral commented
StatusFileSize
new 740986_form_token_error_watchdog_7.x_3.patch1.03 KB

Here's an update changing the text to just 'Form token %sent_token was sent, %expected_token was expected.'.

alexjarvis’s picture

alexjarvis commented
Status: Needs review » Reviewed & tested by the community

Looks good.

deviantintegral’s picture

deviantintegral commented
Issue tags: -Newbie

#3: 740986_form_token_error_watchdog_7.x_3.patch queued for re-testing.

marcingy’s picture

marcingy commented

#3: 740986_form_token_error_watchdog_7.x_3.patch queued for re-testing.

aspilicious’s picture

aspilicious commented
Issue tags: +Newbie

#3: 740986_form_token_error_watchdog_7.x_3.patch queued for re-testing.

dries’s picture

dries commented
Status: Reviewed & tested by the community » Needs work

I think the watchdog message should be clarified so that non-developers can make sense of it.

deviantintegral’s picture

deviantintegral commented

Anyone know of a handbook entry that has information about debugging token issues? I think if we want to make it clearer we don't want to have a several sentence error message.

deviantintegral’s picture

deviantintegral commented

How's this?

Form token validation failed during form submission. %sent_token was sent, %expected_token was expected. The form submission has been ignored. This could be caused by a malicious user or a misconfigured proxy. For information on debugging this issue, see the <a href="http://drupal.org/support">support page</a> on drupal.org.

deviantintegral’s picture

deviantintegral commented
Version: 7.x-dev » 8.x-dev

This needs to happen in 8.x first.

xjm’s picture

xjm
she/her
Primary language English
commented
Issue tags: -Newbie +Novice

zendoodles and I spoke about this on IRC. I think #10 is a bit too long for watchdog, and the link to the d.o support page probably isn't a good idea. However, the first part is much improved.

I would suggest only:

Form token validation failed during form submission. %sent_token was sent, but %expected_token was expected. The form submission has been ignored.

because malicious users and misconfigured proxies aren't the only reasons it might fail.

ZenDoodles’s picture

ZenDoodles commented
Assigned: Unassigned » ZenDoodles
Status: Needs work » Needs review
StatusFileSize
new form_token_error_watchdog-740986-13.patch868 bytes

Updated patch for Drupal 8 and used new text.

xjm’s picture

xjm
she/her
Primary language English
commented

This looks good to me. However, there's one thing I didn't notice before, that we should potentially change... should we use request_path() in place of $_GET['q']?

Also, note that the Drupal 8.x patch will need to be rerolled, because the core directory structure for Drupal 8 has now changed. (For more information, see #22336: Move all core Drupal files under a /core folder to improve usability and upgrades). When the patch has been rerolled, please set the issue back to "Needs Review."

If you need help rerolling this patch, you can come to core office hours or ask in #drupal-gitsupport on IRC.

xjm’s picture

xjm
she/her
Primary language English
commented
Status: Needs review » Needs work

Oops, forgot to set status again.

xjm’s picture

xjm
she/her
Primary language English
commented

Hi @ZenDoodles,

Thanks for taking this on. Are you still working on this issue? If not, we'll unassign it in a day or two so that someone else can give it a try. (Feel free to assign it back to yourself if you'd still like to work on it, as well.) Thanks!

noisetteprod’s picture

noisetteprod commented
Assigned: ZenDoodles » Unassigned
Status: Needs work » Needs review
StatusFileSize
new form_token_error_watchdog-740986-17.patch892 bytes

Updated path with the new core directory and switch $_GET['q'] with request_path()

xjm’s picture

xjm
she/her
Primary language English
commented
Issue tags: +Needs tests

Thanks @noisetteprod! The reroll looks great.

Should we add an automated test asserting that the message gets logged?

deviantintegral’s picture

deviantintegral commented
Issue tags: -Needs tests
StatusFileSize
new 740986.19-form_token_error_watchdog.patch3.69 KB

Here's an updated patch that tests for both the watchdog() call as well as the form error itself.

deviantintegral’s picture

deviantintegral commented
StatusFileSize
new 740986.20-form_token_error_watchdog.patch3.7 KB

Oops, missed updating the namespace when I copied from FormTest.

socketwench’s picture

socketwench commented
Issue summary: View changes
Issue tags: -Novice

Novice issue cleanup.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

jhedstrom’s picture

jhedstrom
Primary language English
Location Portland, OR
commented
Version: 8.1.x-dev » 8.2.x-dev
Status: Needs review » Needs work
Issue tags: +Needs reroll

Sadly this needs yet another reroll.

heykarthikwithu’s picture

heykarthikwithu
Primary language English
Location Bengaluru 🌍
commented
Assigned: Unassigned » heykarthikwithu
druprad’s picture

druprad
Primary language English
commented
Assigned: heykarthikwithu » Unassigned

unassigned due to no update since long time

mohit_aghera’s picture

mohit_aghera commented
Status: Needs work » Needs review
StatusFileSize
new 740986-26-form_token_error_watchdog.patch2.1 KB

Initial attempt to re-roll patch for 8.2.x branch.

jhedstrom’s picture

jhedstrom
Primary language English
Location Portland, OR
commented
Status: Needs review » Needs work
Issue tags: -Needs reroll 
  1. +++ b/core/modules/system/src/Form/FormTokenTest.php
@@ -0,0 +1,48 @@
+/**
+ * @file
+ * Definition of Drupal\system\Tests\Form\FormTokenTest.
+ */

    Coding standards have removed @file docblocks from class/interface/trait files. 

  2. +++ b/core/modules/system/src/Form/FormTokenTest.php
@@ -0,0 +1,48 @@
+  public static function getInfo() {
+    return array(
+    'name' => 'Form token validation',
+    'description' => 'Tests validation of Form API tokens.',
+    'group' => 'Form API',
+    );
+  }

    This information is now conveyed using @group in the class docblock, and the method is no longer called. 

  3. +++ b/core/modules/system/src/Form/FormTokenTest.php
@@ -0,0 +1,48 @@
+  function testInvalidFormToken() {

    It's odd that this test is passing since the patch contains none of the functional changes from the previous patch in #20.

mohit_aghera’s picture

mohit_aghera commented
StatusFileSize
new 740986-28-form_token_error_watchdog.patch2.08 KB
new interdiff.txt1.2 KB

@jhedstrom
updated doc block comments and few issues from other test cases related to form.

mohit_aghera’s picture

mohit_aghera commented
Status: Needs work » Needs review

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.0-beta1 was released on August 3, 2016, which means new developments and disruptive changes should now be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.0-alpha1 will be released the week of January 30, 2017, which means new developments and disruptive changes should now be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.0-alpha1 will be released the week of July 31, 2017, which means new developments and disruptive changes should now be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.0-alpha1 will be released the week of January 17, 2018, which means new developments and disruptive changes should now be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.7.x-dev

Drupal 8.6.0-alpha1 will be released the week of July 16, 2018, which means new developments and disruptive changes should now be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.7.x-dev » 8.8.x-dev

Drupal 8.7.0-alpha1 will be released the week of March 11, 2019, which means new developments and disruptive changes should now be targeted against the 8.8.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

smustgrave’s picture

smustgrave commented
Status: Needs review » Needs work
Issue tags: +Needs Review Queue Initiative, +Needs issue summary update

This issue is being reviewed by the kind folks in Slack, #need-reveiw-queue. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge require as a guide.

I feel this is probably still relevant in D10 (could be wrong).

Looking at the patches though and starting at #26 appears the fix is just including the test and not the fix (was the fix not needed anymore). And if the fix was not needed are the tests still needed?

Think with the confusion this could use an IS update.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.