Problem/Motivation
I was constructing some test cases for a custom form #process callback when I was shocked - shocked! - to discover two things:
- DrupalWebTestCase::drupalPost not allow me to submit purposefully invalid values for
<select> fields.
- There are no test cases for input forgery on
<select> fields!
Just to be clear, I'm not saying that isn't handled correctly. I've tested that it is, and if it weren't I'd be treating this as a security issue instead. However, <select> field validation could become broken in the future without tests in place. In fact, because I'm messing with the Form API in my own code (custom #process callback for the date element), I have no way to verify with automated tests that I'm not exposing date fields to uncaught validation errors.
Proposed resolution
The operative code is in modules/simpletest/drupal_web_test_case.php on line 2420:
case 'select':
$new_value = $edit[$name];
$options = $this->getAllOptions($element);
if (is_array($new_value)) {
// Multiple select box.
if (!empty($new_value)) {
$index = 0;
$key = preg_replace('/\[\]$/', '', $name);
foreach ($options as $option) {
$option_value = (string) $option['value'];
if (in_array($option_value, $new_value)) {
$post[$key . '[' . $index++ . ']'] = $option_value;
$done = TRUE;
unset($edit[$name]);
}
}
}
else {
// No options selected: do not include any POST data for the
// element.
$done = TRUE;
unset($edit[$name]);
}
}
else {
// Single select box.
foreach ($options as $option) {
if ($new_value == $option['value']) {
$post[$name] = $new_value;
unset($edit[$name]);
$done = TRUE;
break;
}
}
}
break;
This code refuses to include in the POST data any options for a <select> field which wouldn't be allowed in a browser. But that doesn't mean the server couldn't receive such data from a hacker. I believe most of he above code should be removed in favor of the following:
case 'select':
if (is_array($edit[$name])) {
// Include POST data for each option selected, but do not include
// any POST data if no options were selected.
$index = 0;
$key = preg_replace('/\[\]$/', '', $name);
foreach ($edit[$name] as $option_value) {
$post[$key . '[' . $index++ . ']'] = $option_value;
}
}
else {
$post[$name] = $edit[$name];
}
unset($edit[$name]);
$done = TRUE;
break;
This should not break any existing tests; the issue only concerns tests that would always fail already because DrupalWebTestCase::drupalPost will on line 2095 fail automatically if DrupalWebTestCase::handleForm wouldn't use the invalid values. Furthermore, if a test case uses purposefully invalid values like I'm trying to do, form validation should fail and print the "An illegal choice has been detected" message. If it doesn't, well, that would be a problem.
Remaining tasks
In addition to the above changes, some additional assertions should be added to simpletest/tests/form.test (possibly under FormsTestCase::testSelect or FormsTestCase::testInputForgery) to test input forgery for <select> fields.