Merge pull request from GHSA-m5vx-8chx-qvmm
BUGFIX: Don't skip validators for GET requests
bwaidelich committed Jun 21, 2021
2 parents dbbb58e + d731659 commit 69de421
Showing 2 changed files with 26 additions and 1 deletion.
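--- a/Classes/Core/Runtime/FormRuntime.php
+++ b/Classes/Core/Runtime/FormRuntime.php
@@ -167,7 +167,7 @@ public function initializeObject()
 $this->initializeFormStateFromRequest();
 $this->initializeCurrentPageFromRequest();
 
-if (!$this->isFirstRequest() && $this->getRequest()->getHttpRequest()->getMethod() === 'POST') {
+if (!$this->isFirstRequest()) {
 $this->processSubmittedFormValues();
 }
 }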
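Review bot: The simplified guard `if (!$this->isFirstRequest()) {` has no comment saying why the HTTP method must stay out of the condition, so a later cleanup could put the `'POST'` check back and reopen the validator bypass this commit closes. I would add above it `// Process and validate submitted values on every non-initial request, whatever the HTTP method: gating this on POST let a GET submission skip the validators (GHSA-m5vx-8chx-qvmm).` The body of initializeObject() starts outside the hunk and isFirstRequest() is not shown, so whether that check alone is a sufficient gate cannot be confirmed from here.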
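--- a/Tests/Functional/SimpleFormTest.php
+++ b/Tests/Functional/SimpleFormTest.php
@@ -80,6 +80,30 @@ public function goingForthAndBackStoresFormValuesOfSecondPageAndTriggersValidati
 $this->assertSame('', $form['--three-page-form-with-validation']['text3-1']->getValue());
 }
 
+/**
+* @test
+* Thanks to Anian Weber for reporting that issue!
+*/
+public function validationIsNotSkippedForGetRequests()
+{
+$this->browser->request('http://localhost/test/form/simpleform/ThreePageFormWithValidation');
+
+// Navigate to 2nd form page
+$this->gotoNextFormPage($this->browser->getForm());
+
+$form = $this->browser->getForm();
+// Change form method to "GET"
+ObjectAccess::setProperty($form, 'method', 'GET', true);
+
+// Set invalid value (field "text2-1" has an IntegerValidator assigned)
+$form['--three-page-form-with-validation']['text2-1']->setValue('My Text on the second page');
+
+// Submit form
+$this->gotoNextFormPage($form);
+
+// Expect validation errors
+$this->assertSame(' error', $this->browser->getCrawler()->filterXPath('//*[contains(@class,"error")]//input[@id="three-page-form-with-validation-text2-1"]')->attr('class'));
+}
 
 /**
 * This is an edge-case which occurs if somebody makes the formState persistent, which can happen when subclassing the FormRuntime.
@@ -93,6 +117,7 @@ public function goingForthAndBackStoresFormValuesOfSecondPageAndTriggersValidati
 */
 public function goingForthAndBackStoresFormValuesOfSecondPageEvenWhenSecondPageIsManuallyCalledAsGetRequest()
 {
+$this->markTestSkipped('This test is skipped because we no longer allow Form validators to be skipped, see https://github.com/neos/form/security/advisories/GHSA-m5vx-8chx-qvmm');
 // 1. TEST SETUP: FORM STATE PREPARATION
 // - go to the 2nd page of the form, and fill in text2-1.
 $this->browser->request('http://localhost/test/form/simpleform/ThreePageFormWithValidation');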
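Review bot: The unconditional `$this->markTestSkipped(...)` at the top of goingForthAndBackStoresFormValuesOfSecondPageEvenWhenSecondPageIsManuallyCalledAsGetRequest() makes the rest of that body unreachable, yet the body still encodes the GET behaviour that is no longer allowed, so anyone un-skipping it later would be testing for the bypass. I would delete the test or rewrite it to assert that the manually issued GET request now produces validation errors. Its body continues outside the hunk, so the rewrite cannot be spelled out from here. As a smaller style point, the final assertion in validationIsNotSkippedForGetRequests() pins the exact class string `' error'`, leading space included, which ties the regression test to markup details rather than to the presence of a validation error.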
