This issue was reported in private to the security team, but it has been decided to handle this in public as security hardening.
The form API checks the #maxlength property of elements, but it will always execute form validation handlers afterwards even if the maximum length of a field is exceeded. This can lead to DoS problems such as SA-CORE-2014-006 → where very long password submissions cause the form validation handler to eat up a lot of resources.
Stop calling form validation callbacks when we have #maxlength and #required errors before that (and illegal choices for #options in select boxes). That should not cause many usability regressions since modern browsers check #maxlength and #options on the client side anyway before submitting.
Explore the feasibility of this with a a patch and tests.
none.
none.
Postponed: needs info
11.0 🔥
forms system
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
It has been quite here for 8 years. Does this problem exist on a currently supported version of Drupal?
Since we need more information to move forward with this issue, I am setting the status at Postponed (maintainer needs more info). If we don't receive additional information to help with the issue, it may be closed after three months.
Thanks
