Remove the ability of registered users to change the sender name or email address in contact forms.

Created on 11 October 2009, about 15 years ago
Updated 1 October 2024, 28 days ago

Problem/Motivation

The contact form allows users to change the name and mail fields. This can be considered a security issue in that recipients of the message may be tricked into communicating with an impostor.

Proposed resolution

Remove the ability for logged-in users to change the name and email address on the contact form.

Remaining tasks

  • Minor cleanups.
  • Manually test the email sent for both the sitewide and personal contact forms for both anonymous and authenticated users.

User interface changes

Only anonymous users will be allowed to enter a name and email address on the contact form. Users with an account will be forced to use the settings from their user data. Text will alert recipients of the sent emails that the anonymous users are not verified.

Before patch

After patch

String addition

The string t('Unverified') is added to contact form emails sent by anonymous users.

API changes

The structures of contact_site_form() and contact_personal_form() change for authenticated users (replacing text fields with read-only values).
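The following is an added illustration of the proposed behaviour as a Drupal 7 hook_form_alter() and hook_mail_alter() in a hypothetical contact_lock module; it is not the patch attached to this issue. It assumes the Drupal 7 contact module, whose submit handlers read $form_state['values']['name'] and ['mail'] and pass the sender object to drupal_mail() under the 'contact' module key.

```php
<?php
/**
 * Hypothetical contact_lock.module for Drupal 7 (example only, not this issue's patch).
 *
 * Implements hook_form_alter().
 */
function contact_lock_form_alter(&$form, &$form_state, $form_id) {
  global $user;
  if (!in_array($form_id, array('contact_site_form', 'contact_personal_form'))) {
    return;
  }
  // Anonymous visitors keep the free-text fields; their identity is unverified.
  if (!$user->uid) {
    return;
  }
  // Authenticated sender: the account's own name and address are used and any
  // submitted values are ignored. A '#type' => 'value' element is never rendered,
  // so it cannot be overridden by editing the request.
  $form['name'] = array(
    '#type' => 'value',
    '#value' => format_username($user),
  );
  $form['mail'] = array(
    '#type' => 'value',
    '#value' => $user->mail,
  );
  // Show the sender whom the message will appear to come from.
  $form['sender_display'] = array(
    '#type' => 'item',
    '#title' => t('From'),
    '#markup' => theme('username', array('account' => $user)) . ' (' . check_plain($user->mail) . ')',
    '#weight' => -10,
  );
}

/**
 * Implements hook_mail_alter().
 *
 * Marks messages from anonymous senders so recipients know the sender's name
 * and address were typed in and not checked against an account.
 */
function contact_lock_mail_alter(&$message) {
  if ($message['module'] != 'contact' || empty($message['params']['sender'])) {
    return;
  }
  if (empty($message['params']['sender']->uid)) {
    $message['subject'] = '[' . t('Unverified') . '] ' . $message['subject'];
  }
}
```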

Original report by Dave Reid

Currently, both the site-wide and personal contact forms allow registered users to change the values of the 'name' and 'mail' fields. So I could submit a user's personal contact form with the name 'Dries' and 'dries-not-valid-mail@drupal.org' and it would look to the user like this e-mail actually came from Dries, which is a bad thing.

These forms should both remove the fields when a non-anonymous user is using them, and instead use theme_username() to display that the e-mail will be 'sent' from the current user.

📌 Task
Status

Needs work

Version

7.0 ⚰️

Component

contact.module

Created by

🇺🇸 United States dave reid Nebraska USA

  • Needs backport to D6

    After being applied to the 7.x branch, it should be considered for backport to the 6.x branch. Note: This tag should generally remain even after the backport has been written, approved, and committed.

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

  • Needs backport to D7

    After being applied to the 8.x branch, it should be considered for backport to the 7.x branch. Note: This tag should generally remain even after the backport has been written, approved, and committed.
