From with 'research_' in machine name is not protected [#2912575]

Any forms with the machine names wrapping the 'system_', 'search_', 'views_exposed_form_' wording will not be protected because the code considers them as system forms. But if we have form machine names like 'subsystem_', 'research_', 'xxxviews_exposed_form_' which are not really system forms, the code will not alter them according to:

if (strpos($form_id, 'system_') === FALSE && strpos($form_id, 'search_') === FALSE && strpos($form_id, 'views_exposed_form_') === FALSE) {}

in line 81 honeypot.module. This is causing security issue for us as we have 'research_' in our form machine name unfortunately. We need to rule out this case.

Comment	File	Size	Author
#8	form_not_protected_if_machinename_wrapping_specific_word-2912575-8.patch	872 bytes	geerlingguy
#8	8.x-1.x: PHP 7 & MySQL 5.5, D8.7 22 pass
#3	form_not_protected_if_machinename_wrapping_specific_word-2912575-3.patch	886 bytes	rli
#3	7.x-1.x: PHP 5.6 & MySQL 5.5, D7 21 pass

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

29 September 2017 at 00:45

rli created an issue. See original summary.

Comment #2

rli

English

Canberra

CreditAttribution: rli commented 29 September 2017 at 00:47

Issue summary:

View changes

Comment #3

rli

English

Canberra

CreditAttribution: rli as a volunteer commented 29 September 2017 at 00:53

Status:

Active

» Needs review

File	Size
form_not_protected_if_machinename_wrapping_specific_word-2912575-3.patch	886 bytes
7.x-1.x: PHP 5.6 & MySQL 5.5, D7 21 pass

Changed strpos to preg_match to include [a-zA-Z]search_ for example.

Comment #4

tobybellwood CreditAttribution: tobybellwood at govCMS (Australian Government Department of Finance) for govCMS (Australian Government Department of Finance) commented 22 December 2017 at 23:57

Status:

Needs review

» Reviewed & tested by the community

We've reviewed, tested and deployed this at https://github.com/govCMS/govCMS/pull/581

Comment #5

geerlingguy CreditAttribution: geerlingguy at Midwestern Mac, LLC commented 9 August 2018 at 20:53

Priority:

Major

» Normal

This would also apply to forms with names like `solarsystem_` :D

Thanks for the patch, looks good! I'll also port it to 8.x.

Comment #6

9 August 2018 at 20:54

geerlingguy committed d38be2d on 7.x-1.x authored by rli

Issue #2912575 by rli: From with 'research_' in machine name is not...

Comment #7

geerlingguy CreditAttribution: geerlingguy at Midwestern Mac, LLC commented 9 August 2018 at 20:56

Version:	7.x-1.x-dev	» 8.x-1.x-dev
Status:	Reviewed & tested by the community	» Patch (to be ported)

Comment #8

geerlingguy CreditAttribution: geerlingguy at Midwestern Mac, LLC commented 9 August 2018 at 20:57

Status:

Patch (to be ported)

» Needs review

File	Size
form_not_protected_if_machinename_wrapping_specific_word-2912575-8.patch	872 bytes
8.x-1.x: PHP 7 & MySQL 5.5, D8.7 22 pass

Comment #9

9 August 2018 at 21:03

geerlingguy committed 336bafa on 8.x-1.x

Issue #2912575 by rli, geerlingguy: From with 'research_' in machine...

Comment #10

geerlingguy CreditAttribution: geerlingguy at Midwestern Mac, LLC commented 9 August 2018 at 21:04

Status:

Needs review

» Fixed

Comment #11

23 August 2018 at 21:09

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Comment #12

ciss CreditAttribution: ciss at yousign GmbH commented 2 October 2019 at 15:19

+++ b/honeypot.module
@@ -64,7 +64,7 @@ function honeypot_form_alter(&$form, FormStateInterface $form_state, $form_id) {
+    if (preg_match('/[^a-zA-Z]system_/', $form_id) === 0 && preg_match('/[^a-zA-Z]search_/', $form_id) === 0 && preg_match('/[^a-zA-Z]views_exposed_form_/', $form_id) === 0) {

Late to the party, but wouldn't it be more efficient to group the terms inside a single pattern:

if (preg_match('/[^a-zA-Z](?:system_|search_|views_exposed_form_)/', $form_id) === 0) {

Also, which cases are covered by "[^a-zA-Z]"? Shouldn't we explicitely match either the beginning of the string or an underscore?

Comment #13

geerlingguy CreditAttribution: geerlingguy at Midwestern Mac, LLC commented 2 October 2019 at 15:22

@ciss - Since this issue is closed, an optimization to the regex would be good to add to a follow-up feature request issue.

Comment #14

ciss CreditAttribution: ciss at yousign GmbH commented 2 October 2019 at 17:42

@geerlingguy I created the follow-up #3085291: Lock down $form_id matching. I'd be grateful if you could take a quick look and confirm the overall premise before I start working on a patch.