[dev] horde_form patch

Chuck Hagenbuch chuck at horde.org
Fri Jan 17 00:09:52 PST 2003


Quoting Marko <marko at oblo.com>:

> the idea is to fix the lack of cgi sending of the checkbox fields by
> checking against what the form class should have set (to avoid having a 
> large number of hidden fields, potential security risk?)

There is no potential security risk. Please, please, please try and think
through these things before crying wolf.

Someone trying to mess with form data this way has 2 options:

1. Claim that a variable should have been set that isn't (of course, they
could also just add this variable). Result: the variable (if it is ever
tested for - unlikely, if it wasn't supposed to be there) gets a null value.

 a. null values are acceptable for that variable - well, then it's accepted 
    as a null value, but the user could have entered that anyway.
 b. null values are not acceptable - form is marked as invalid.

2. Remove a hidden variable so that a form variable does not show up in
_setvars, and effectively disappears. Of course, they could remove form
values if they're messing with the form this way anyway.

 a. The variable is not a checkbox or select multiple, and so it shows up in 
    the $_GET or $_POST data anyways. Result - the variable is validated 
    like any input.
 b. The script thinks the variable wasn't in the form. It gets a null value, 
    or possibly the default value for the form. Result - null value is 
    either accepted or form is invalid, depending on validation; or, default
    value is used (form being valid unless other vars are wrong) and the 
    attacker has managed to create perfectly valid (though perhaps
    nonsensical or "wrong") data.

Basically - since all validation is server-side, the best you can do is what
you can do through the form itself anyways.

-chuck

--
Charles Hagenbuch, <chuck at horde.org>
must ... find ... acorns ... *thud*
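
The cases enumerated in the message above, worked through as an added example; this is not code from the original post or from Horde. The `FIELDS` table, `resolve_form()` and the field names are hypothetical; only the idea of a client-supplied `_setvars` list comes from the thread.

```php
<?php
// Hypothetical form definition: name => [type, required, default].
const FIELDS = [
    'subject'   => ['text',     true,  null],
    'subscribe' => ['checkbox', false, '0'],
];

// $post stands in for $_POST. '_setvars' is a client-supplied comma list of
// the fields the form rendered. Returns [values, errors].
function resolve_form(array $post): array
{
    $raw = isset($post['_setvars']) && is_string($post['_setvars']) ? $post['_setvars'] : '';
    // Only names the server itself defines are honoured (case 1).
    $claimed = array_intersect(explode(',', $raw), array_keys(FIELDS));
    $values = [];
    $errors = [];
    foreach (FIELDS as $name => [$type, $required, $default]) {
        if (isset($post[$name]) && is_string($post[$name])) {
            $value = $post[$name];   // sent: validated like any input (2a)
        } elseif (in_array($name, $claimed, true)) {
            $value = null;           // claimed but not sent: unchecked box or null
        } else {
            $value = $default;       // not claimed: default or null (2b)
        }
        if ($type === 'checkbox' && $value !== null && !in_array($value, ['0', '1'], true)) {
            $errors[$name] = 'invalid value';
        }
        if ($required && ($value === null || $value === '')) {
            $errors[$name] = 'required';
        }
        $values[$name] = $value;
    }
    return [$values, $errors];
}

// Constructed submissions, one per tampering case.
$cases = [
    'honest, box unchecked'  => ['_setvars' => 'subject,subscribe', 'subject' => 'hi'],
    'claims unknown field'   => ['_setvars' => 'subject,subscribe,is_admin', 'subject' => 'hi'],
    'claims missing subject' => ['_setvars' => 'subject,subscribe'],
    'strips _setvars'        => ['subject' => 'hi'],
];
foreach ($cases as $label => $post) {
    [$values, $errors] = resolve_form($post);
    echo $label, ': ', json_encode($values), ' errors=', json_encode($errors), "\n";
}
```

Every outcome is one an ordinary user could also reach through the form: a null that validation accepts or rejects, or the server's own default.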

