Field values violating #maxlength are passed to validators

Created on 5 January 2015, almost 10 years ago
Updated 20 October 2024, about 1 month ago

This issue was reported in private to the security team, but it has been decided to handle this in public as security hardening.

Problem/Motivation

The Form API checks the #maxlength property of elements, but it always executes the form's validation handlers afterwards, even when a field exceeds its maximum length. This can lead to denial-of-service problems such as SA-CORE-2014-006, where very long password submissions caused the form validation handler to consume a lot of resources.

Proposed resolution

Stop calling form validation callbacks when #maxlength or #required errors (or illegal choices for #options in select boxes) have already been recorded for the submission. That should not cause many usability regressions, since modern browsers already enforce #maxlength and #options on the client side before submitting.
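The ordering proposed above, as an added illustration that is not Drupal core code: element arrays use the real Form API property names (#maxlength, #required, #options), but checkElement(), validateForm(), the sample form and the $skipCallbacksOnStructuralErrors switch are hypothetical. The expensive validator is replaced by a counter so the reader can see whether it was reached.

```php
<?php
// Added example (hypothetical helpers, not Drupal's FormValidator):
// run the cheap structural checks first and only reach #validate
// callbacks when none of them failed.
declare(strict_types=1);

/**
 * Cheap per-element checks; returns a list of error strings.
 */
function checkElement(string $name, array $element, $value): array {
  $errors = [];
  if (!empty($element['#required']) && ($value === NULL || $value === '')) {
    $errors[] = "$name is required.";
  }
  if (isset($element['#maxlength']) && is_string($value)
      && mb_strlen($value) > $element['#maxlength']) {
    $errors[] = "$name cannot be longer than {$element['#maxlength']} characters.";
  }
  if (isset($element['#options']) && $value !== NULL && $value !== ''
      && !array_key_exists($value, $element['#options'])) {
    $errors[] = "$name contains an illegal choice.";
  }
  return $errors;
}

/**
 * Validates $input against $form. With $skipCallbacksOnStructuralErrors
 * TRUE (the behaviour proposed in this issue) the #validate callbacks run
 * only if every element passed; with FALSE (the current behaviour the
 * issue describes) they always run.
 */
function validateForm(array $form, array $input, bool $skipCallbacksOnStructuralErrors): array {
  $errors = [];
  foreach ($form as $name => $element) {
    // Properties start with '#'; everything else is a child element.
    if (is_array($element) && strpos((string) $name, '#') !== 0) {
      $errors = array_merge($errors, checkElement((string) $name, $element, $input[$name] ?? NULL));
    }
  }
  if ($errors && $skipCallbacksOnStructuralErrors) {
    return $errors;
  }
  foreach ($form['#validate'] ?? [] as $callback) {
    $errors = array_merge($errors, $callback($input));
  }
  return $errors;
}

// Constructed sample form: a password limited to 128 characters, a select
// list, and a validator standing in for a costly check (e.g. hashing).
$callbackRuns = 0;
$form = [
  'pass' => ['#type' => 'password', '#maxlength' => 128, '#required' => TRUE],
  'role' => ['#type' => 'select', '#options' => ['editor' => 'Editor', 'viewer' => 'Viewer']],
  '#validate' => [
    function (array $input) use (&$callbackRuns): array {
      $callbackRuns++;
      return [];
    },
  ],
];

// Constructed oversized submission: 100,000 characters in the password field.
$oversized = ['pass' => str_repeat('a', 100000), 'role' => 'editor'];

validateForm($form, $oversized, FALSE);
echo "current order:  callback ran {$callbackRuns} time(s)\n";

$callbackRuns = 0;
$errors = validateForm($form, $oversized, TRUE);
echo "proposed order: callback ran {$callbackRuns} time(s); errors: " . implode(' ', $errors) . "\n";
```

Run with `php example.php`: under the current order the callback runs once despite the #maxlength violation, under the proposed order it runs zero times and only the #maxlength error is reported. Note that the short-circuit applies to callbacks only; the structural errors themselves are still collected and shown to the user, so the change does not hide a validation message.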

Remaining tasks

Explore the feasibility of this with a patch and tests.

User interface changes

none.

API changes

none.

Bug report
Status

Postponed: needs info

Version

11.0

Component

forms system

Created by

klausi (Vienna, Austria)

Tags

  • Security improvements


Comments & Activities


  • quietone (New Zealand)

    It has been quiet here for 8 years. Does this problem exist on a currently supported version of Drupal?

    Since we need more information to move forward with this issue, I am setting the status at Postponed (maintainer needs more info). If we don't receive additional information to help with the issue, it may be closed after three months.

    Thanks
