Skip to content

Commit

Permalink
Merge pull request #29 from silverstripe-security/patch/3.1/SS-2016-010
Browse files Browse the repository at this point in the history
[SS-2016-010] Prevent readonly fields loading submitted data
  • Loading branch information
dhensby committed Nov 15, 2016
2 parents c914dde + cc9d170 commit 8336cb9
Show file tree
Hide file tree
Showing 7 changed files with 149 additions and 77 deletions.
15 changes: 14 additions & 1 deletion forms/Form.php
Original file line number Diff line number Diff line change
Expand Up @@ -319,8 +319,21 @@ public function httpSubmission($request) {
$vars = $request->requestVars();
}

// construct an array of allowed fields that can be populated from request data.
// readonly or disabled fields should not be loading data from requests
$allowedFields = array();
$dataFields = $this->Fields()->dataFields();
if ($dataFields) {
/** @var FormField $field */
foreach ($this->Fields()->dataFields() as $name => $field) {
if (!$field->isReadonly() && !$field->isDisabled()) {
$allowedFields[] = $name;
}
}
}

// Populate the form
$this->loadDataFrom($vars, true);
$this->loadDataFrom($vars, true, $allowedFields);

// Protection against CSRF attacks
$token = $this->getSecurityToken();
Expand Down
8 changes: 8 additions & 0 deletions forms/FormField.php
Original file line number Diff line number Diff line change
Expand Up @@ -157,6 +157,14 @@ class FormField extends RequestHandler {
*/
protected $attributes = array();

/**
* @config
* @var array
*/
private static $casting = array(
'Value' => 'Text',
);

/**
* Takes a field name and converts camelcase to spaced words. Also resolves combined field
* names with dot syntax to spaced words.
Expand Down
8 changes: 8 additions & 0 deletions forms/HtmlEditorField.php
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,14 @@ class HtmlEditorField extends TextareaField {
*/
private static $sanitise_server_side = false;

/**
* @config
* @var array
*/
private static $casting = array(
'Value' => 'HTMLText',
);

protected $rows = 30;

/**
Expand Down
26 changes: 22 additions & 4 deletions forms/ReadonlyField.php
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
* Read-only field to display a non-editable value with a label.
* Consider using an {@link LabelField} if you just need a label-less
* value display.
*
*
* @package forms
* @subpackage fields-basic
*/
Expand All @@ -19,13 +19,13 @@ class ReadonlyField extends FormField {

/**
* If true, a hidden field will be included in the HTML for the readonly field.
*
*
* This can be useful if you need to pass the data through on the form submission, as
* long as it's okay than an attacker could change the data before it's submitted.
*
* This is disabled by default as it can introduce security holes if the data is not
* allowed to be modified by the user.
*
*
* @param boolean $includeHiddenField
*/
public function setIncludeHiddenField($includeHiddenField) {
Expand All @@ -49,10 +49,28 @@ public function Field($properties = array()) {
}

public function Value() {
if($this->value) return $this->dontEscape ? $this->value : Convert::raw2xml($this->value);
if($this->value) return $this->value;
else return '<i>(' . _t('FormField.NONE', 'none') . ')</i>';
}

/**
* This is a legacy fix to ensure that the `dontEscape` flag has an impact on readonly fields
* now that we've moved to casting template values more rigidly
*
* @param string $field
* @return string
*/
public function castingHelper($field) {
if (
(strcasecmp($field, 'Value') === 0)
&& ($this->dontEscape || empty($this->value))
) {
// Value is either empty, or unescaped
return 'HTMLText';
}
return parent::castingHelper($field);
}

public function getAttributes() {
return array_merge(
parent::getAttributes(),
Expand Down
5 changes: 5 additions & 0 deletions forms/TextareaField.php
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,11 @@
* @subpackage fields-basic
*/
class TextareaField extends FormField {

private static $casting = array(
'Value' => 'HTMLText',
);

/**
* Visible number of text lines.
*
Expand Down
Loading

0 comments on commit 8336cb9

Please sign in to comment.