From 81c436fb8ede77a655a79bca6d613e205b913e86 Mon Sep 17 00:00:00 2001
From: Dries Buytaert <dries@buytaert.net>
Date: Fri, 1 May 2009 14:51:41 +0000
Subject: - Patch #360128 by chx, quicksketch, Frando et al: security fix for
 simplified AHAH callbacks.

---
 includes/form.inc | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/includes/form.inc b/includes/form.inc
index f47981a8f..481cd6173 100644
--- a/includes/form.inc
+++ b/includes/form.inc
@@ -1821,6 +1821,14 @@ function form_ahah_callback() {
 
   // Get the form from the cache.
   $form = form_get_cache($form_build_id, $form_state);
+  if (!$form) {
+    // If $form cannot be loaded from the cache, the form_build_id in $_POST must
+    // be invalid, which means that someone performed a POST request onto
+    // system/ahah without actually viewing the concerned form in the browser.
+    // This is likely a hacking attempt as it never happens under normal
+    // circumstances, so we just do nothing.
+    exit;
+  }
 
   // We will run some of the submit handlers so we need to disable redirecting.
   $form['#redirect'] = FALSE;
@@ -1840,7 +1848,9 @@ function form_ahah_callback() {
 
   // Get the callback function from the clicked button.
   $callback = $form_state['clicked_button']['#ahah']['callback'];
-  $callback($form, $form_state);
+  if (drupal_function_exists($callback)) {
+    $callback($form, $form_state);
+  }
 }
 
 /**
-- 
cgit v1.2.3