Project

General

Profile

Actions

Bug #103481

open

Honeypot / From EmptyValidator does not work at all ?!

Added by Sascha Egerer 3 months ago. Updated about 1 month ago.

Status:
New
Priority:
Must have
Assignee:
-
Category:
Form Framework
Target version:
-
Start date:
2024-03-25
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
11
PHP Version:
8.1
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

I failed when I tried to test the "HoneyPot" function - as far as I can see it doesn't work.

The cause also seems pretty clear - but what surprises me is that this can never have worked before. The code, which was installed 11 years ago, somehow doesn't make sense - or i urgently need a vacation. To be honest, I can't imagine that this has never been noticed before.

As a test, I have also just sent 2 requests to https://typo3.org/contact and filled in the HoneyPot field. I would have expected the form not to be sent - but it was.

The cause is as follows:
The "EmptyValidator" has set $acceptsEmptyValues = true; - means it should be executed even if the value is empty, right?

This option is checked in

https://github.com/TYPO3/typo3/blob/e444d4492ec188d1ef996ae413a296e34850c4ec/typo3/sysext/extbase/Classes/Validation/Validator/AbstractValidator.php#L98. And

here is the error or not?

It says if ($this->acceptsEmptyValues === false || $this->isEmpty($value) === false) {. Shouldn't that be if ($this->acceptsEmptyValues === true || $this->isEmpty($value) === false) {, or am I stupid?

Because of the banality, I really can't imagine that this bug exists and hasn't been found yet. But there is also no UnitTest for it. I can gladly make a patch for it but I am still trying to believe that I am wrong.


Related issues 1 (1 open0 closed)

Related to TYPO3 Core - Bug #93435: Honeypot validation fails if no session data existsUnder Review2021-02-04

Actions
Actions #1

Updated by Sascha Egerer 3 months ago

  • Description updated (diff)
Actions #2

Updated by Benjamin Franzke 3 months ago

Hi Sascha, we will move this ticket to the security tracker. We must not discuss possible security issues in public.

Actions #3

Updated by Benjamin Franzke 3 months ago

  • Project changed from TYPO3 Core to 1716
  • Category deleted (Form Framework)
  • Complexity deleted (easy)
Actions #4

Updated by Helmut Hummel 3 months ago · Edited

I haven't looked into the honeypot code, but the abstract validator code is definitely correct!

This is for validators to be able to validate e.g. an email address, when a value is given, but email address field is optional.

The empty validator is definitely wrong though:


   /**
     * This validator always needs to be executed even if the given value is empty.
     * See AbstractValidator::validate()
     *
     * @var bool
     */
    protected $acceptsEmptyValues = true;

acceptsEmpty value means exactly the opposite! It means, that the validator is bypassed when the value is empty!

Uhm, but the validator itself returns true anyway if the value is empty, so this should not matter at all for the honeypot

Actions #5

Updated by Oliver Hader 2 months ago

→ From my POV this should be handled in public (due to the session issues). Besides that, it seems NotEmptyValidator should have been used...

Actions #6

Updated by Oliver Hader about 2 months ago

  • Related to Bug #93435: Honeypot validation fails if no session data exists added
Actions #7

Updated by Oliver Hader about 1 month ago

  • Project changed from 1716 to TYPO3 Core

→ Moving back to public issue tracker

Actions #8

Updated by Oliver Hader about 1 month ago

  • Category set to Form Framework
Actions

Also available in: Atom PDF