Field values violating #maxlength are passed to validators

Created on 5 January 2015, over 10 years ago
Updated 20 October 2024, 6 months ago

This issue was reported in private to the security team, but it has been decided to handle this in public as security hardening.

Problem/Motivation

The form API checks the #maxlength property of elements, but it will always execute form validation handlers afterwards even if the maximum length of a field is exceeded. This can lead to DoS problems such as SA-CORE-2014-006 where very long password submissions cause the form validation handler to eat up a lot of resources.

Proposed resolution

Stop calling form validation callbacks when we have #maxlength and #required errors before that (and illegal choices for #options in select boxes). That should not cause many usability regressions since modern browsers check #maxlength and #options on the client side anyway before submitting.

Remaining tasks

Explore the feasibility of this with a patch and tests.

User interface changes

none.

API changes

none.
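The sequence described in the summary, as an added example that is not Drupal core's FormValidator and not code from this issue: a stripped-down, self-contained PHP model in which the cheap element-level checks (#required, #maxlength, #options) run first, followed by a form-level validation callback whose cost grows with the length of the submitted value, in the style of the iterated password hashing behind SA-CORE-2014-006. All class and function names (FormState, validateElements, passwordValidator, runValidation) are hypothetical, and the hostile submission is constructed for the demo. The `$skipOnElementErrors` switch contrasts the current behaviour (validator always runs, hashing a 1 MiB "password" a few hundred times) with the proposed behaviour (validator skipped once element errors exist).

```php
<?php
declare(strict_types=1);

// Added example, not Drupal core code: a simplified model of the Form API
// validation order discussed in this issue. All names here are hypothetical.

final class FormState
{
    /** @var array<string, string> */
    private array $errors = [];
    public int $validatorCalls = 0;
    public int $bytesHashed = 0;

    /** @param array<string, string> $values constructed submitted values */
    public function __construct(private array $values) {}

    public function getValue(string $key): string { return $this->values[$key] ?? ''; }
    public function setError(string $key, string $message): void { $this->errors[$key] = $message; }
    public function hasAnyErrors(): bool { return $this->errors !== []; }
    /** @return array<string, string> */
    public function getErrors(): array { return $this->errors; }
}

/** Cheap element-level checks: #required, #maxlength and #options. */
function validateElements(array $form, FormState $state): void
{
    foreach ($form as $name => $element) {
        $value = $state->getValue($name);
        if (!empty($element['#required']) && $value === '') {
            $state->setError($name, "$name field is required.");
        }
        if (isset($element['#maxlength']) && mb_strlen($value) > $element['#maxlength']) {
            $state->setError($name, "$name cannot be longer than {$element['#maxlength']} characters.");
        }
        if (isset($element['#options']) && $value !== '' && !array_key_exists($value, $element['#options'])) {
            $state->setError($name, "An illegal choice has been detected for $name.");
        }
    }
}

/**
 * Form-level validator whose cost scales with input length: every round
 * hashes the whole password again, as iterated password hashing does.
 */
function passwordValidator(FormState $state, int $rounds = 128): void
{
    $state->validatorCalls++;
    $password = $state->getValue('pass');
    $digest = hash('sha512', $password, true);
    for ($i = 0; $i < $rounds; $i++) {
        $digest = hash('sha512', $digest . $password, true);
        $state->bytesHashed += strlen($password) + 64;
    }
}

/**
 * $skipOnElementErrors = false: current behaviour, callbacks always run.
 * $skipOnElementErrors = true:  proposed behaviour, callbacks are skipped
 * once #maxlength/#required/#options errors have been recorded.
 */
function runValidation(array $form, FormState $state, callable $validator, bool $skipOnElementErrors): void
{
    validateElements($form, $state);
    if ($skipOnElementErrors && $state->hasAnyErrors()) {
        return;
    }
    $validator($state);
}

$form = [
    'name' => ['#required' => true, '#maxlength' => 60],
    'pass' => ['#required' => true, '#maxlength' => 128],
    'role' => ['#options' => ['editor' => 'Editor', 'viewer' => 'Viewer']],
];
// Constructed hostile submission: a 1 MiB "password" and a role not in #options.
$hostile = ['name' => 'attacker', 'pass' => str_repeat('A', 1 << 20), 'role' => 'admin'];

$current = new FormState($hostile);
runValidation($form, $current, 'passwordValidator', false);
printf("current:  validator ran %d time(s), hashed %d MiB despite %d element error(s)\n",
    $current->validatorCalls, intdiv($current->bytesHashed, 1 << 20), count($current->getErrors()));

$proposed = new FormState($hostile);
runValidation($form, $proposed, 'passwordValidator', true);
printf("proposed: validator ran %d time(s); errors: %s\n",
    $proposed->validatorCalls, implode(' | ', $proposed->getErrors()));
```

Two practitioner notes on this model. First, the server-side #maxlength check must stay regardless of what browsers enforce: the hostile submission above never goes through a browser, so the usability argument in the proposed resolution only covers ordinary users, not attackers. Second, until core changes its order, a validation callback that does expensive work can protect itself with the same early return the model uses (in Drupal 8+ the equivalent check is FormStateInterface::hasAnyErrors(), or a length check on the value before the expensive step), so contrib modules need not wait on this issue.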

🐛 Bug report
Status

Postponed: needs info

Version

11.0

Component

forms system

Created by

klausi (Vienna, Austria)

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • quietone (New Zealand)

    It has been quiet here for 8 years. Does this problem exist on a currently supported version of Drupal?

    Since we need more information to move forward with this issue, I am setting the status at Postponed (maintainer needs more info). If we don't receive additional information to help with the issue, it may be closed after three months.

    Thanks

  • Status changed to Closed: outdated about 1 month ago
  • acbramley (Australia)

    Closing as per #16

    Please feel free to reopen if this is still an issue.
