Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
All forms under https page should be secured, but the flow code snippet on securepages.module line 111 will cause forms' action attribute on a mismatched secure page point to a unsecured location:
elseif ($page_match === 0 && $is_https && variable_get('securepages_switch', FALSE)) {
$url['https'] = FALSE;
$url['absolute'] = TRUE;
$form['#action'] = url($url['path'], $url);
}
// Check to see if this form needs to be secured.
$secure_form = securepages_match_form($form_id, $form_state['build_info']['args']);
if (!$is_https && $secure_form) {
$form['#https'] = TRUE;
}
The fix is simple, just change this snippet to the follow, which force all forms on a secure page to be secured:
elseif ($page_match === 0 && $is_https && variable_get('securepages_switch', FALSE)) {
$url['https'] = FALSE;
$url['absolute'] = TRUE;
$form['#action'] = url($url['path'], $url);
}
// Check to see if this form needs to be secured.
$secure_form = securepages_match_form($form_id, $form_state['build_info']['args']);
if ($secure_form) {
$form['#https'] = TRUE;
}
Patch attached.
Comment | File | Size | Author |
---|---|---|---|
0001-Fix-non-secure-form-on-a-secure-page.patch | 988 bytes | weynhamz |
Comments
Comment #1
minorOffense CreditAttribution: minorOffense at Coldfront Labs Inc. commentedI was having a similar issue. But do you have
set in your settings.php file?
Or you can try
variable_set('https', TRUE);
ordrush vset https 1
and try again?Drupal's form.inc will only flip the form action to but an absolute path (with https) if that variable is set as well has having the
$form['#https'] = TRUE;
See form.inc