See https://drupal.org/SA-CORE-2014-002 and https://drupal.org/node/2242663 for details.

This affects field collection widgets when they are displayed to anonymous users on cached pages (possibly only in the middle of a multi-step form, although not positive).

CommentFileSizeAuthor
#1 field-collection-drupal-7.27-2242751-1.patch1.12 KBDavid_Rothstein

Comments

David_Rothstein’s picture

David_Rothstein commented
Status: Active » Needs review
StatusFileSize
new field-collection-drupal-7.27-2242751-1.patch1.12 KB

Untested patch.

nhck’s picture

nhck commented
Status: Needs review » Reviewed & tested by the community
Related issues: +#2238691: Field Collection Leaks Server Side Data

This patch introduces the following:

The primary use case for this Ajax command is to serve a new build ID to a form served from the cache to an anonymous user, preventing one anonymous user from accessing the form state of another anonymous users on Ajax enabled forms.

It is possible in the current state to remove an element (2) and re-add another one (3). When you add 3 it could be pre-filled with values from a different anonymous user as described in #2238691: Field Collection Leaks Server Side Data

I've applied it and the patch seems to be okay as in: The module still works and it implements SA-CORE-2014-002. Also described in #2238691 this issue seems hard to test though; this means I have found no way to tell if it solves the actual problem.

  • jmuzz committed 9b507ac on 7.x-1.x authored by David_Rothstein 
    Issue #2242751 by David_Rothstein: Implemented #2242663 for SA-CORE-2014...
jmuzz’s picture

jmuzz commented
Status: Reviewed & tested by the community » Fixed

Thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.