See https://drupal.org/SA-CORE-2014-002 and https://drupal.org/node/2242663 for details.
This affects field collection widgets when they are displayed to anonymous users on cached pages (possibly only in the middle of a multi-step form, although not positive).
Comment | File | Size | Author |
---|---|---|---|
#1 | field-collection-drupal-7.27-2242751-1.patch | 1.12 KB | David_Rothstein |
Comments
Comment #1
David_Rothstein commented: Untested patch.
Comment #2
nhck commented: This patch introduces the following:
It is possible in the current state to remove an element (2) and re-add another one (3). When you add 3 it could be pre-filled with values from a different anonymous user as described in #2238691: Field Collection Leaks Server Side Data.
I've applied it and the patch seems to be okay as in: The module still works and it implements SA-CORE-2014-002. Also described in #2238691 this issue seems hard to test though; this means I have found no way to tell if it solves the actual problem.
Comment #4
jmuzz commented: Thanks!