
function paranoia_form_alter in Paranoia 7

Same name and namespace in other branches
  1. 8 paranoia.module \paranoia_form_alter()
  2. 5 paranoia.module \paranoia_form_alter()
  3. 6 paranoia.module \paranoia_form_alter()

Implements hook_form_alter().

Hides forms that accept PHP arrays for import, to avoid remote code execution (RCE).

See also

http://heine.familiedeelstra.com/security/unserialize

File

./paranoia.module, line 378
Paranoia module file. Provides various extra security features.

Code

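/**
 * Implements hook_form_alter().
 *
 * Hides forms that accept PHP arrays for import (a remote code execution
 * risk) and strips the "evaluate PHP" options from a handful of known
 * contrib forms.
 *
 * @param array $form
 *   The form structure, altered in place.
 * @param array $form_state
 *   The current form state; unused here but required by the hook signature.
 * @param string $form_id
 *   The form identifier that decides which alterations apply.
 *
 * @see http://heine.familiedeelstra.com/security/unserialize
 */
function paranoia_form_alter(&$form, &$form_state, $form_id) {
  // Form ids collected from every hook_paranoia_risky_forms() implementation.
  $forms_to_disable = module_invoke_all('paranoia_risky_forms');
  if (in_array($form_id, $forms_to_disable, TRUE)) {
    // Defense in depth: #access hides the form, and the always-failing
    // validate handler rejects any submission that still reaches it.
    $form['#access'] = FALSE;
    $form['#validate'][] = 'paranoia_form_validate_always_fail';
    $message = variable_get('paranoia_form_disabled_message', 'This form is disabled for security reasons. See <a href="https://www.drupal.org/node/2313945">details</a> on why this form is disabled.');
    drupal_set_message($message, 'error');
  }

  // Per-form removal of PHP evaluation features. Options are unset rather
  // than merely disabled where possible so the Form API rejects the value
  // outright ("illegal choice") instead of relying on the UI state.
  switch ($form_id) {
    case 'views_ui_config_item_form':
      // Block VBO's "Execute arbitrary PHP script" operation. #disabled makes
      // the Form API ignore submitted input and keep #default_value.
      $form['options']['vbo_operations']['action::views_bulk_operations_script_action']['selected']['#default_value'] = FALSE;
      $form['options']['vbo_operations']['action::views_bulk_operations_script_action']['selected']['#disabled'] = TRUE;

      // Block Draggable Views's "Prepare arguments with PHP code" option.
      unset($form['options']['draggableviews_setting_arguments']['#options']['php']);

      // Disable the ability to use PHP in Views Contextual Filters.
      // See https://www.drupal.org/docs/7/modules/views/views-howtos/php-contextual-filters for example use cases.
      unset($form['options']['default_argument_type']['#options']['php']);
      unset($form['options']['validate']['type']['#options']['php']);
      unset($form['options']['validate']['options']['php']);
      break;

    case 'node_type_form':
      // Disable Automatic Nodetitles's "Evaluate PHP in pattern" setting.
      $form['auto_nodetitle']['ant_php']['#default_value'] = FALSE;
      $form['auto_nodetitle']['ant_php']['#disabled'] = TRUE;
      break;

    case 'custom_breadcrumbs_form':
      // Disable Custom Breadcrumbs's ability to use PHP to determine
      // breadcrumb visibility.
      unset($form['visibility_php']);
      break;
  }
}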