Issue #576276 by tim.plunkett, larowlan: Abort validation when the token validation fails.

e4db5cd4 · catch · 4a689c59 · e4db5cd4 · e4db5cd4 · e4db5cd4
Commit e4db5cd4 authored 11 years ago by catch
--- a/core/lib/Drupal/Core/Form/FormBuilder.php
+++ b/core/lib/Drupal/Core/Form/FormBuilder.php
@@ -843,6 +843,12 @@ public function validateForm($form_id, &$form, &$form_state) {
        // Setting this error will cause the form to fail validation.
        $this->setErrorByName('form_token', $form_state, $this->t('The form has become outdated. Copy any unsaved work in the form below and then <a href="@link">reload this page</a>.', array('@link' => $url)));
+        // Stop here and don't run any further validation handlers, because they
+        // could invoke non-safe operations which opens the door for CSRF
+        // vulnerabilities.
+        $this->validatedForms[$form_id] = TRUE;
+        return;
      }
    }

--- a/core/modules/system/lib/Drupal/system/Tests/Form/ElementsTableSelectTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/Form/ElementsTableSelectTest.php
@@ -224,6 +224,10 @@ private function formSubmitHelper($form, $edit) {
    drupal_process_form($form_id, $form, $form_state);
+    // The form token CSRF protection should not interfere with this test, so we
+    // bypass it by marking this test form as programmed.
+    $form_state['programmed'] = TRUE;
    $errors = form_get_errors($form_state);
    // Clear errors and messages.

--- a/core/modules/system/lib/Drupal/system/Tests/Form/FormTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/Form/FormTest.php
@@ -110,6 +110,9 @@ function testRequiredFields() {
          $form_state['input'][$element] = $empty;
          $form_state['input']['form_id'] = $form_id;
          $form_state['method'] = 'post';
+          // The form token CSRF protection should not interfere with this test,
+          // so we bypass it by marking this test form as programmed.
+          $form_state['programmed'] = TRUE;
          drupal_prepare_form($form_id, $form, $form_state);
          drupal_process_form($form_id, $form, $form_state);
          $errors = form_get_errors($form_state);

--- a/core/modules/system/lib/Drupal/system/Tests/Form/ValidationTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/Form/ValidationTest.php
@@ -65,6 +65,18 @@ function testValidate() {
    $this->drupalPostForm(NULL, array(), 'Save');
    $this->assertNoFieldByName('name', 'Form element was hidden.');
    $this->assertText('Name value: element_validate_access', 'Value for inaccessible form element exists.');
+    // Verify that #validate handlers don't run if the CSRF token is invalid.
+    $this->drupalLogin($this->drupalCreateUser());
+    $this->drupalGet('form-test/validate');
+    $edit = array(
+      'name' => 'validate',
+      'form_token' => 'invalid token'
+    );
+    $this->drupalPostForm(NULL, $edit, 'Save');
+    $this->assertNoFieldByName('name', '#value changed by #validate', 'Form element #value was not altered.');
+    $this->assertNoText('Name value: value changed by form_set_value() in #validate', 'Form element value in $form_state was not altered.');
+    $this->assertText('The form has become outdated. Copy any unsaved work in the form below');
  }
  /**