Any forms with machine names wrapping the 'system_', 'search_' or 'views_exposed_form_' wording will not be protected, because the code considers them system forms. But if we have form machine names like 'subsystem_', 'research_' or 'xxxviews_exposed_form_', which are not really system forms, the code will not alter them, according to:

```php
// Substring check from honeypot.module (line 81); any form ID containing one of
// these strings anywhere is treated as a system form and skipped.
if (strpos($form_id, 'system_') === FALSE && strpos($form_id, 'search_') === FALSE && strpos($form_id, 'views_exposed_form_') === FALSE) {
  // ... protection is added inside this block.
}
```

in line 81 of honeypot.module. This is causing a security issue for us, as we unfortunately have 'research_' in our form machine name. We need to rule out this case.
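As an added illustration (my own code, not the Honeypot module's and not the committed patch), here is the substring test quoted above beside an anchored `preg_match` that only treats the keyword as a system prefix when it starts the form ID or follows an underscore, run over the form IDs named in this issue plus two genuine core form IDs. The anchored pattern and the form ID list are assumptions for comparison only.

```php
<?php
// Added example: compare the substring check with an anchored pattern.
// The anchored pattern is an assumption, not the patch attached to this issue.

/** Original behaviour: plain substring match, so 'research_' contains 'search_'. */
function honeypot_is_system_form_substring(string $form_id): bool {
  return strpos($form_id, 'system_') !== FALSE
    || strpos($form_id, 'search_') !== FALSE
    || strpos($form_id, 'views_exposed_form_') !== FALSE;
}

/**
 * Assumed stricter check: the keyword must start the form ID or follow an
 * underscore, so 'research_' and 'subsystem_' no longer count as system forms.
 * A custom form such as 'my_search_form' would still be skipped; the trade-off
 * is which prefixes are anchored, not substring matching as such.
 */
function honeypot_is_system_form_anchored(string $form_id): bool {
  return (bool) preg_match('/(?:^|_)(?:system|search|views_exposed_form)_/', $form_id);
}

// Constructed form IDs: the reporter's examples plus two genuine core forms.
$form_ids = [
  'search_form',                      // core search form, should be skipped
  'system_site_information_settings', // core system form, should be skipped
  'research_contact_form',            // reporter's case, must be protected
  'subsystem_request_form',           // reporter's case, must be protected
  'xxxviews_exposed_form_custom',     // reporter's case, must be protected
  'solarsystem_signup_form',          // comment #5's case, must be protected
];

// Print which forms each check would silently leave without honeypot protection.
foreach ($form_ids as $form_id) {
  printf("%-36s substring: %-11s anchored: %s\n",
    $form_id,
    honeypot_is_system_form_substring($form_id) ? 'UNPROTECTED' : 'protected',
    honeypot_is_system_form_anchored($form_id) ? 'UNPROTECTED' : 'protected');
}
```

The substring check reports the last four IDs as UNPROTECTED while the anchored check protects them and still skips the two core forms.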
Comment | File | Size | Author
---|---|---|---
#8 | form_not_protected_if_machinename_wrapping_specific_word-2912575-8.patch | 872 bytes | geerlingguy
#3 | form_not_protected_if_machinename_wrapping_specific_word-2912575-3.patch | 886 bytes | rli
Comments
Comment #2
rli
Comment #3
rli commented
Changed `strpos` to `preg_match` to include `[a-zA-Z]search_`, for example.
Comment #4
tobybellwood CreditAttribution: tobybellwood at govCMS (Australian Government Department of Finance) for govCMS (Australian Government Department of Finance) commented
We've reviewed, tested and deployed this at https://github.com/govCMS/govCMS/pull/581
Comment #5
geerlingguy CreditAttribution: geerlingguy at Midwestern Mac, LLC commented
This would also apply to forms with names like `solarsystem_` :D
Thanks for the patch, looks good! I'll also port it to 8.x.
Comment #7
geerlingguy CreditAttribution: geerlingguy at Midwestern Mac, LLC commented
Comment #8
geerlingguy CreditAttribution: geerlingguy at Midwestern Mac, LLC commented
Comment #10
geerlingguy CreditAttribution: geerlingguy at Midwestern Mac, LLC commented
Comment #12
ciss CreditAttribution: ciss at yousign GmbH commented
Late to the party, but wouldn't it be more efficient to group the terms inside a single pattern:
Also, which cases are covered by `[^a-zA-Z]`? Shouldn't we explicitly match either the beginning of the string or an underscore?
Comment #13
geerlingguy CreditAttribution: geerlingguy at Midwestern Mac, LLC commented
@ciss - Since this issue is closed, an optimization to the regex would be good to add to a follow-up feature request issue.
Comment #14
ciss CreditAttribution: ciss at yousign GmbH commented
@geerlingguy I created the follow-up #3085291: Lock down $form_id matching. I'd be grateful if you could take a quick look and confirm the overall premise before I start working on a patch.