authorAngie Byron <webchick@24967.no-reply.drupal.org>2008-10-11 04:06:29 +0000
committerAngie Byron <webchick@24967.no-reply.drupal.org>2008-10-11 04:06:29 +0000
commit4f17920c7578fa30ee489914ea83f5b6586b82ef (patch)
tree25014b3ca7ca4b0c78343ab9c0b6ee58879bda0e /modules
parent819b0e95a9f36fbbc51268e82c5df87b2eb5fb67 (diff)
#319466: SA-2008-47 (#295053): CSRF in cached forms.
Diffstat (limited to 'modules')
-rw-r--r--modules/book/book.pages.inc9
-rw-r--r--modules/poll/poll.module4
2 files changed, 6 insertions, 7 deletions
diff --git a/modules/book/book.pages.inc b/modules/book/book.pages.inc
index c8bf5ecf8..6ec9ce00c 100644
--- a/modules/book/book.pages.inc
+++ b/modules/book/book.pages.inc
@@ -232,19 +232,16 @@ function book_remove_form_submit($form, &$form_state) {
* Prints the replacement HTML in JSON format.
*/
function book_form_update() {
- $cid = 'form_' . $_POST['form_build_id'];
+ $cached_form_state = array();
$bid = $_POST['book']['bid'];
- $cache = cache_get($cid, 'cache_form');
- if ($cache) {
- $form = $cache->data;
-
+ if ($form = form_get_cache($_POST['form_build_id'], $cached_form_state)) {
// Validate the bid.
if (isset($form['book']['bid']['#options'][$bid])) {
$book_link = $form['#node']->book;
$book_link['bid'] = $bid;
// Get the new options and update the cache.
$form['book']['plid'] = _book_parent_select($book_link);
- cache_set($cid, $form, 'cache_form', $cache->expire);
+ form_set_cache($_POST['form_build_id'], $form, $cached_form_state);
// Build and render the new select element, then return it in JSON format.
$form_state = array();
$form['#post'] = array();
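Review bot: Nothing in book_form_update() records why the cached form is now loaded through `form_get_cache()` rather than `cache_get()`, so a later cleanup could restore the direct cache read that the commit title (SA-2008-47, CSRF in cached forms) is about. A comment above the `if` would pin this down, for example `// Always load via form_get_cache(); a raw cache_get() skips the checks it applies to cached forms.`; form_get_cache() is not visible here, so confirm the wording against it. The rejected case is also silent in both hunks: here the `if` is simply skipped, and in poll_choice_js() in modules/poll/poll.module the new branch is a bare `exit();`, so a forged or expired request leaves no log entry and the client gets no explicit status. A `watchdog()` warning and an explicit error response on that path would make such requests visible to whoever monitors the site. `$_POST['form_build_id']` and `$_POST['book']['bid']` are also read without an `isset()` guard, and the function body continues past the end of this hunk.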
diff --git a/modules/poll/poll.module b/modules/poll/poll.module
index 5dd356f1b..21d48cba2 100644
--- a/modules/poll/poll.module
+++ b/modules/poll/poll.module
@@ -366,7 +366,9 @@ function poll_choice_js() {
// not process it. We retreive the cached form, add the element, and resave.
$form_build_id = $_POST['form_build_id'];
$form_state = array('submitted' => FALSE);
- $form = form_get_cache($form_build_id, $form_state);
+ if (!$form = form_get_cache($form_build_id, $form_state)) {
+ exit();
+ }
$delta = count($_POST['choice']);
$key = isset($form['#node']->choice) ? 'new:'. ($delta - count($form['#node']->choice)) : 'new:'. $delta;