Origin:
    https://github.com/drupal/drupal/commit/f0027e05b4787bc49f102295c4662db550e9b461
Forwarded: not-needed
From: samuel.mortenson, DorTumarkin, greggles, xjm, larowlan, webchick, pwolanin, dawehner, mcdruid, alexpott, dsnopek
Date: Thu Jun 18 12:54:50 CDT 2020
Subject: Fixes for SA-CORE-2020-004
 Backported the diff between 7.71 and 7.72, applying it to the
 version in the Old-stable Debian release (7.52)
 .
 SA-CORE-2020-004 addresses a CSRF vulnerability in the Form API: when a form's token failed validation, the submitted values — including file uploads — could still be processed. The fix discards the submitted input, $_POST and $_FILES as soon as the token check fails.
Index: drupal7/includes/form.inc
===================================================================
--- drupal7.orig/includes/form.inc
+++ drupal7/includes/form.inc
@@ -1133,12 +1133,8 @@ function drupal_prepare_form($form_id, &
  * Helper function to call form_set_error() if there is a token error.
  */
 function _drupal_invalid_token_set_form_error() {
-  $path = current_path();
-  $query = drupal_get_query_parameters();
-  $url = url($path, array('query' => $query));
-
   // Setting this error will cause the form to fail validation.
-  form_set_error('form_token', t('The form has become outdated. Copy any unsaved work in the form below and then <a href="@link">reload this page</a>.', array('@link' => $url)));
+  form_set_error('form_token', t('The form has become outdated. Press the back button, copy any unsaved work in the form, and then reload the page.'));
 }
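Review bot: The three-line reset that follows every call of this helper elsewhere in the patch (`$form_state['input'] = array(); $_POST = array(); $_FILES = array();`) is written out twice, once in drupal_validate_form and once in form_builder, so the next superglobal that needs discarding has to be added in two places and the two can drift. Moving the discard into `_drupal_invalid_token_set_form_error()` keeps "set the error" and "throw away the submission" together; the helper would take `$form_state` by reference as below and both call sites would shrink to the single call. It would also help to record in a comment that the "reload this page" link was dropped on purpose — presumably because it was built from the request's own path and query string — so that a later cleanup does not reintroduce it.
```php
function _drupal_invalid_token_set_form_error(&$form_state = NULL) {
  // Setting this error will cause the form to fail validation.
  form_set_error('form_token', t('The form has become outdated. Press the back button, copy any unsaved work in the form, and then reload the page.'));
  // Discard everything the request submitted so that nothing downstream can
  // act on it: the form input, the raw POST body and any uploaded files.
  if ($form_state !== NULL) {
    $form_state['input'] = array();
  }
  $_POST = array();
  $_FILES = array();
}
```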
 
 /**
@@ -1179,6 +1175,11 @@ function drupal_validate_form($form_id,
   if (isset($form['#token'])) {
     if (!drupal_valid_token($form_state['values']['form_token'], $form['#token']) || !empty($form_state['invalid_token'])) {
       _drupal_invalid_token_set_form_error();
+      // Ignore all submitted values.
+      $form_state['input'] = array();
+      $_POST = array();
+      // Make sure file uploads do not get processed.
+      $_FILES = array();
       // Stop here and don't run any further validation handlers, because they
       // could invoke non-safe operations which opens the door for CSRF
       // vulnerabilities.
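Review bot: `$_POST = array();` on the new line does not touch `$_REQUEST`, which PHP filled from the same data at request start, so any code that reads `$_REQUEST` after this point still sees the forged submission; add `$_REQUEST = array();` next to it (or rebuild it from `$_GET` and `$_COOKIE` if something downstream relies on those parts). Likewise `$form_state['values']` is already populated from the input by the time this runs — the `drupal_valid_token($form_state['values']['form_token'], ...)` read on the preceding line depends on that — yet it is left intact while `$form_state['input']` is emptied; if the intent is that nothing after the token failure sees submitted data, `$form_state['values'] = array();` belongs here as well, though the form rebuild after the error may depend on it, so confirm before adding. drupal_validate_form begins and continues outside this hunk.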
@@ -1844,6 +1845,9 @@ function form_builder($form_id, &$elemen
           _drupal_invalid_token_set_form_error();
           // This value is checked in _form_builder_handle_input_element().
           $form_state['invalid_token'] = TRUE;
+          // Ignore all submitted values.
+          $form_state['input'] = array();
+          $_POST = array();
           // Make sure file uploads do not get processed.
           $_FILES = array();
         }
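Review bot: The discard on the new lines is only effective because it runs before form_builder walks the child elements — the existing comment above names `_form_builder_handle_input_element()`, which as far as I can tell reads `$form_state['input']` and `$_FILES` during that walk — but nothing in the code says the ordering matters, so a refactor that moves this check below the walk would silently reopen the hole. I would replace the bare `// Ignore all submitted values.` with something like `// Discard the submission before any child element is built: value callbacks read $form_state['input'] and $_FILES during the walk below, so this must precede it.` form_builder starts and ends outside this hunk, so where exactly the element walk begins is not visible here.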
Index: drupal7/modules/file/tests/file.test
===================================================================
--- drupal7.orig/modules/file/tests/file.test
+++ drupal7/modules/file/tests/file.test
@@ -409,7 +409,7 @@ class FileManagedFileElementTestCase ext
           'form_token' => 'invalid token',
         );
         $this->drupalPost($path, $edit, t('Save'));
-        $this->assertText('The form has become outdated. Copy any unsaved work in the form below');
+        $this->assertText('The form has become outdated.');
         $last_fid = $this->getLastFileId();
         $this->assertEqual($last_fid_prior, $last_fid, 'File was not saved when uploaded with an invalid form token.');
 
Index: drupal7/modules/simpletest/tests/form.test
===================================================================
--- drupal7.orig/modules/simpletest/tests/form.test
+++ drupal7/modules/simpletest/tests/form.test
@@ -521,6 +521,9 @@ class FormsTestCase extends DrupalWebTes
     $form_state['values'] = array();
     drupal_prepare_form($form_id, $form, $form_state);
 
+    // Set the CSRF token in the user-provided input.
+    $form_state['input']['form_token'] = $form['form_token']['#default_value'];
+
     // This is the main function we want to test: it is responsible for
     // populating user supplied $form_state['input'] to sanitized
     // $form_state['values'].
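Review bot: The new assignment of `$form_state['input']['form_token']` is unexplained, so a reader may take it for part of the behaviour under test rather than setup that the form.inc change now requires. A comment such as `// form_builder() now empties $form_state['input'] when the token is missing or invalid, so supply a valid one or the values asserted below are never populated.` would tie it to the fix — assuming that is indeed the reason, which this hunk alone does not show.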
@@ -687,7 +690,7 @@ class FormValidationTestCase extends Dru
     $this->drupalPost(NULL, $edit, 'Save');
     $this->assertNoFieldByName('name', '#value changed by #validate', 'Form element #value was not altered.');
     $this->assertNoText('Name value: value changed by form_set_value() in #validate', 'Form element value in $form_state was not altered.');
-    $this->assertText('The form has become outdated. Copy any unsaved work in the form below');
+    $this->assertText('The form has become outdated.');
   }
 
   /**
