Origin: https://git.drupalcode.org/project/drupal/-/commit/43c757167380643b5f73287a63a8739731a5b712
Forwarded: not-needed
From: ciss, xjm, larowlan, benjy, mcdruid, jenlampton, quicksketch, Fabianx, effulgentsia
Date: Wed Feb 16 12:43:40 PM CST
Subject: Fixes for SA-CORE-2022-003
 Fix improper input validation in Drupal's form API
Index: drupal7/includes/form.inc
===================================================================
--- drupal7.orig/includes/form.inc
+++ drupal7/includes/form.inc
@@ -2077,7 +2077,7 @@ function _form_builder_handle_input_elem
   // #access=FALSE on an element usually allow access for some users, so forms
   // submitted with drupal_form_submit() may bypass access restriction and be
   // treated as high-privilege users instead.
-  $process_input = empty($element['#disabled']) && (($form_state['programmed'] && $form_state['programmed_bypass_access_check']) || ($form_state['process_input'] && (!isset($element['#access']) || $element['#access'])));
+  $process_input = empty($element['#disabled']) && ($element['#type'] !== 'value') && (($form_state['programmed'] && $form_state['programmed_bypass_access_check']) || ($form_state['process_input'] && (!isset($element['#access']) || $element['#access'])));
 
   // Set the element's #value property.
   if (!isset($element['#value']) && !array_key_exists('#value', $element)) {
