Bug #103481
open
Honeypot / From EmptyValidator does not work at all ?!
0%
Description
I failed when I tried to test the "HoneyPot" function - as far as I can see it doesn't work.
The cause also seems pretty clear - but what surprises me is that this can never have worked before. The code, which was installed 11 years ago, somehow doesn't make sense - or i urgently need a vacation. To be honest, I can't imagine that this has never been noticed before.
As a test, I have also just sent 2 requests to https://typo3.org/contact and filled in the HoneyPot field. I would have expected the form not to be sent - but it was.
The cause is as follows:
The "EmptyValidator" has set $acceptsEmptyValues = true; - means it should be executed even if the value is empty, right?
This option is checked in
here is the error or not?
It says if ($this->acceptsEmptyValues === false || $this->isEmpty($value) === false) {. Shouldn't that be if ($this->acceptsEmptyValues === true || $this->isEmpty($value) === false) {, or am I stupid?
Because of the banality, I really can't imagine that this bug exists and hasn't been found yet. But there is also no UnitTest for it. I can gladly make a patch for it but I am still trying to believe that I am wrong.
Updated by
Updated by Benjamin Franzke about 1 month ago
Hi Sascha, we will move this ticket to the security tracker. We must not discuss possible security issues in public.
Updated by Benjamin Franzke about 1 month ago
- Project changed from TYPO3 Core to 1716
- Category deleted (
Form Framework) - Complexity deleted (
easy)
Updated by Helmut Hummel about 1 month ago
· Edited
I haven't looked into the honeypot code, but the abstract validator code is definitely correct!
This is for validators to be able to validate e.g. an email address, when a value is given, but email address field is optional.
The empty validator is definitely wrong though:
/**
* This validator always needs to be executed even if the given value is empty.
* See AbstractValidator::validate()
*
* @var bool
*/
protected $acceptsEmptyValues = true;
acceptsEmpty value means exactly the opposite! It means, that the validator is bypassed when the value is empty!
Uhm, but the validator itself returns true anyway if the value is empty, so this should not matter at all for the honeypot
Updated by Oliver Hader 17 days ago
- https://forge.typo3.org/issues/93435 - HoneyPot in public
- https://forge.typo3.org/issues/98336 - revert of previous preparation work for the HoneyPot functionality
→ From my POV this should be handled in public (due to the session issues). Besides that, it seems NotEmptyValidator should have been used...
Updated by Oliver Hader 4 days ago
- Related to Bug #93435: Honeypot validation fails if no session data exists added
Updated by Oliver Hader about 19 hours ago
- Project changed from 1716 to TYPO3 Core
→ Moving back to public issue tracker