diff --git a/core/includes/common.inc b/core/includes/common.inc index bb14e95..0f52ef3 100644 --- a/core/includes/common.inc +++ b/core/includes/common.inc @@ -4731,7 +4731,15 @@ function drupal_get_private_key() { * 'drupal_private_key' configuration variable. */ function drupal_get_token($value = '') { - return drupal_hmac_base64($value, session_id() . drupal_get_private_key() . drupal_get_hash_salt()); + // For mixed HTTP(S) sessions, use a constant identifier so that tokens can be + // shared between protocols. + if (variable_get('https', FALSE) && $GLOBALS['is_https'] && isset($_COOKIE[substr(session_name(), 1)])) { + $session_id = $_COOKIE[substr(session_name(), 1)]; + } + else { + $session_id = session_id(); + } + return drupal_hmac_base64($value, $session_id . drupal_get_private_key() . drupal_get_hash_salt()); } /** diff --git a/core/includes/form.inc b/core/includes/form.inc index 2659d06..0a83d30 100644 --- a/core/includes/form.inc +++ b/core/includes/form.inc @@ -1150,6 +1150,11 @@ function drupal_validate_form($form_id, &$form, &$form_state) { } } + // Ensure the correct protocol when #https is set. + if (!empty($form['#https']) && variable_get('https', FALSE) && !$GLOBALS['is_https']) { + form_set_error('', t('This form must be submitted over a secure connection.')); + } + _form_validate($form, $form_state, $form_id); $validated_forms[$form_id] = TRUE; diff --git a/core/modules/simpletest/lib/Drupal/simpletest/WebTestBase.php b/core/modules/simpletest/lib/Drupal/simpletest/WebTestBase.php index 6e41540..a058b96 100644 --- a/core/modules/simpletest/lib/Drupal/simpletest/WebTestBase.php +++ b/core/modules/simpletest/lib/Drupal/simpletest/WebTestBase.php @@ -3099,4 +3099,32 @@ protected function verboseEmail($count = 1) { $this->verbose(t('Email:') . '
' . print_r($mail, TRUE) . '
'); } } + + /** + * Builds a URL for submitting a mock HTTPS request to HTTP test environments. + * + * @param $url + * A Drupal path such as 'user'. + * + * @return + * An absolute URL. + */ + protected function httpsUrl($url) { + global $base_url; + return $base_url . '/core/modules/system/tests/https.php/' . $url; + } + + /** + * Builds a URL for submitting a mock HTTP request to HTTPS test environments. + * + * @param $url + * A Drupal path such as 'user'. + * + * @return + * An absolute URL. + */ + protected function httpUrl($url) { + global $base_url; + return $base_url . '/core/modules/system/tests/http.php/' . $url; + } } diff --git a/core/modules/system/lib/Drupal/system/Tests/Form/FormHttpsOnlyTest.php b/core/modules/system/lib/Drupal/system/Tests/Form/FormHttpsOnlyTest.php new file mode 100644 index 0000000..019dcf2 --- /dev/null +++ b/core/modules/system/lib/Drupal/system/Tests/Form/FormHttpsOnlyTest.php @@ -0,0 +1,51 @@ + 'Form HTTPS only', + 'description' => 'Tests form API handling of #https.', + 'group' => 'Form API', + ); + } + + function testHttpsOnly() { + $path = 'form-test/https-only'; + $edit = array('textfield' => '123'); + $submit = 'Submit'; + + $this->drupalGet($path); + $this->assertText(t('FAPI test for mixed-mode sessions'), 'Correct form loaded.'); + $form = $this->xpath('//form[@id="form-test-https-only"]'); + $form[0]['action'] = $this->httpsUrl($path); + $this->drupalPost(NULL, $edit, $submit); + $this->assertText(t('The form has been successfully submitted.'), 'Form submission succeeded over HTTPS.'); + + $this->drupalGet($path); + $this->assertText(t('FAPI test for mixed-mode sessions'), 'Correct form loaded.'); + $form = $this->xpath('//form[@id="form-test-https-only"]'); + $form[0]['action'] = $this->httpUrl($path); + $this->drupalPost(NULL, $edit, $submit); + $this->assertText(t('This form must be submitted over a secure connection.'), 'Form submission failed over HTTP.'); + } +} diff --git a/core/modules/system/lib/Drupal/system/Tests/Session/SessionHttpsTest.php b/core/modules/system/lib/Drupal/system/Tests/Session/SessionHttpsTest.php index 0ab45a9..c37926b 100644 --- a/core/modules/system/lib/Drupal/system/Tests/Session/SessionHttpsTest.php +++ b/core/modules/system/lib/Drupal/system/Tests/Session/SessionHttpsTest.php @@ -223,32 +223,4 @@ protected function assertSessionIds($sid, $ssid, $assertion_text) { ); return $this->assertTrue(db_query('SELECT timestamp FROM {sessions} WHERE sid = :sid AND ssid = :ssid', $args)->fetchField(), $assertion_text); } - - /** - * Builds a URL for submitting a mock HTTPS request to HTTP test environments. - * - * @param $url - * A Drupal path such as 'user'. - * - * @return - * An absolute URL. - */ - protected function httpsUrl($url) { - global $base_url; - return $base_url . '/core/modules/system/tests/https.php/' . $url; - } - - /** - * Builds a URL for submitting a mock HTTP request to HTTPS test environments. - * - * @param $url - * A Drupal path such as 'user'. - * - * @return - * An absolute URL. - */ - protected function httpUrl($url) { - global $base_url; - return $base_url . '/core/modules/system/tests/http.php/' . $url; - } } diff --git a/core/modules/system/tests/modules/form_test/form_test.module b/core/modules/system/tests/modules/form_test/form_test.module index 1801809..e60e368 100644 --- a/core/modules/system/tests/modules/form_test/form_test.module +++ b/core/modules/system/tests/modules/form_test/form_test.module @@ -219,6 +219,14 @@ function form_test_menu() { 'type' => MENU_CALLBACK, ); + $items['form-test/https-only'] = array( + 'title' => 'FAPI test for mixed-mode sessions', + 'page callback' => 'drupal_get_form', + 'page arguments' => array('form_test_https_only'), + 'access callback' => TRUE, + 'type' => MENU_CALLBACK, + ); + $items['form-test/form-rebuild-preserve-values'] = array( 'title' => 'Form values preservation during rebuild test', 'page callback' => 'drupal_get_form', @@ -2318,6 +2326,32 @@ function form_test_html_id($form, &$form_state) { } /** + * Provides a page callback and form to test the form #https-attribute. + * + * @see \Drupal\system\Tests\Form\FormHttpsOnlyTest + */ +function form_test_https_only($form, &$form_state) { + $form['textfield'] = array( + '#type' => 'textfield', + '#title' => t('Textfield'), + ); + $form['submit'] = array( + '#type' => 'submit', + '#value' => t('Submit'), + ); + $form['#https'] = TRUE; + return $form; +} + +/** + * Submit handler for the #https-test form. + */ +function form_test_https_only_submit($form, &$form_state) { + drupal_set_message('The form has been successfully submitted.'); + $form_state['redirect'] = FALSE; +} + +/** * Builds a simple form to test form button classes. */ function form_test_button_class($form, &$form_state) {