Skip to content

Commit

Permalink
Update to Drupal 7.72. For more information, see https://www.drupal.o…
Browse files Browse the repository at this point in the history
  • Loading branch information
Pantheon Automation authored and greg-1-anderson committed Jun 17, 2020
1 parent 5efd37e commit 853d658
Show file tree
Hide file tree
Showing 5 changed files with 20 additions and 8 deletions.
5 changes: 5 additions & 0 deletions CHANGELOG.txt
Original file line number Diff line number Diff line change
@@ -1,3 +1,8 @@
Drupal 7.72, 2020-06-17
-----------------------
- Fixed security issues:
- SA-CORE-2020-004

Drupal 7.71, 2020-06-03
-----------------------
- Fix for jQuery Form bug in Chromium-based browsers
Expand Down
2 changes: 1 addition & 1 deletion includes/bootstrap.inc
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
/**
* The current system version.
*/
define('VERSION', '7.71');
define('VERSION', '7.72');

/**
* Core API compatibility.
Expand Down
14 changes: 9 additions & 5 deletions includes/form.inc
Original file line number Diff line number Diff line change
Expand Up @@ -1135,12 +1135,8 @@ function drupal_prepare_form($form_id, &$form, &$form_state) {
* Helper function to call form_set_error() if there is a token error.
*/
function _drupal_invalid_token_set_form_error() {
$path = current_path();
$query = drupal_get_query_parameters();
$url = url($path, array('query' => $query));

// Setting this error will cause the form to fail validation.
form_set_error('form_token', t('The form has become outdated. Copy any unsaved work in the form below and then <a href="@link">reload this page</a>.', array('@link' => $url)));
form_set_error('form_token', t('The form has become outdated. Press the back button, copy any unsaved work in the form, and then reload the page.'));
}

/**
Expand Down Expand Up @@ -1181,6 +1177,11 @@ function drupal_validate_form($form_id, &$form, &$form_state) {
if (!empty($form['#token'])) {
if (!drupal_valid_token($form_state['values']['form_token'], $form['#token']) || !empty($form_state['invalid_token'])) {
_drupal_invalid_token_set_form_error();
// Ignore all submitted values.
$form_state['input'] = array();
$_POST = array();
// Make sure file uploads do not get processed.
$_FILES = array();
// Stop here and don't run any further validation handlers, because they
// could invoke non-safe operations which opens the door for CSRF
// vulnerabilities.
Expand Down Expand Up @@ -1848,6 +1849,9 @@ function form_builder($form_id, &$element, &$form_state) {
_drupal_invalid_token_set_form_error();
// This value is checked in _form_builder_handle_input_element().
$form_state['invalid_token'] = TRUE;
// Ignore all submitted values.
$form_state['input'] = array();
$_POST = array();
// Make sure file uploads do not get processed.
$_FILES = array();
}
Expand Down
2 changes: 1 addition & 1 deletion modules/file/tests/file.test
Original file line number Diff line number Diff line change
Expand Up @@ -409,7 +409,7 @@ class FileManagedFileElementTestCase extends FileFieldTestCase {
'form_token' => 'invalid token',
);
$this->drupalPost($path, $edit, t('Save'));
$this->assertText('The form has become outdated. Copy any unsaved work in the form below');
$this->assertText('The form has become outdated.');
$last_fid = $this->getLastFileId();
$this->assertEqual($last_fid_prior, $last_fid, 'File was not saved when uploaded with an invalid form token.');

Expand Down
5 changes: 4 additions & 1 deletion modules/simpletest/tests/form.test
Original file line number Diff line number Diff line change
Expand Up @@ -521,6 +521,9 @@ class FormsTestCase extends DrupalWebTestCase {
$form_state['values'] = array();
drupal_prepare_form($form_id, $form, $form_state);

// Set the CSRF token in the user-provided input.
$form_state['input']['form_token'] = $form['form_token']['#default_value'];

// This is the main function we want to test: it is responsible for
// populating user supplied $form_state['input'] to sanitized
// $form_state['values'].
Expand Down Expand Up @@ -687,7 +690,7 @@ class FormValidationTestCase extends DrupalWebTestCase {
$this->drupalPost(NULL, $edit, 'Save');
$this->assertNoFieldByName('name', '#value changed by #validate', 'Form element #value was not altered.');
$this->assertNoText('Name value: value changed by form_set_value() in #validate', 'Form element value in $form_state was not altered.');
$this->assertText('The form has become outdated. Copy any unsaved work in the form below');
$this->assertText('The form has become outdated.');
}

/**
Expand Down

0 comments on commit 853d658

Please sign in to comment.