Closed (fixed)
Project:
Coder
Version:
6.x-1.x-dev
Component:
Code
Priority:
Critical
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
8 Jan 2008 at 23:34 UTC
Updated:
28 Jan 2008 at 12:22 UTC
Getting form values directly from $_POST bypasses the FAPI security checks entirely, and so is a security problem (in theory, at least - obviously not a critical thing for a dev module like this).
Drupal 5 and 6 both have their own (different, of course!) FAPI-ish ways of doing this, using the multistep forms toolkit. Not the most intuative thing, but if you think of it right all this form is is a multistep form that doesn't care about what 'step' it is on - just a continuous submission process.
Anyway, here are 2 patches for both the Drupal 5 2.x branch and the Drupal 6 branch.
| Comment | File | Size | Author |
|---|---|---|---|
| coder_security_6.patch | 2.25 KB | owen barton | |
| coder_security_5.patch | 1.26 KB | owen barton |
Comments
Comment #1
douggreen commentedThe 5.x version works just fine. I had to make one fix to the 6.x version (so that it worked on admin/settings/coder), and I also had to reroll it because of a recent documentation commit. Thanks for the help!
Comment #2
Anonymous (not verified) commentedAutomatically closed -- issue fixed for two weeks with no activity.