
Initialize token var

JonGold requested to merge JonGold/formprotection:init-token into main

Some spam posters submit an empty ReCAPTCHA value. E.g. here's a POST request I received this morning (see the very end):

qfKey=CRMProfileFormEdit1y9ay1gf14g04owookw8k4k0w80k4o4ws0csk8cccoso880ccc_7161&entryURL=https%3A%2F%2Fmysite.org%2Fcivicrm%2Fprofile%2Fcreate%3Fgid%3D82%26amp%3Breset%3D1&gid=82&_qf_default=Edit%3Anext&first_name=KizGZ&last_name=KizGZ&current_employer=google&email-Primary=vypwxkrs%40yahoo.com&custom_5[Editorial submissions]=&custom_5[Internship opportunities]=&custom_5[Coalition membership]=&custom_5[Donations]=&email_home=vypwxkrs%40yahoo.com&custom_5[Sponsorship opportunities]=&custom_5[Schools]=&custom_5[Events]=&custom_5[Other]=&custom_6=Hi%2C+this+is+Jenny.+I+am+sending+you+my+intimate+photos+as+I+promised.+https%3A%2F%2Ftinyurl.com%2F2aw4dp6o&_qf_Edit_next=1&g-recaptcha-token=

On PHP 8, this results in a fatal error because Civi/Formprotection/Recaptcha::validate() expects the token to be a string, but the variable is still NULL.
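The failure mode described above and a fail-closed way to handle it, as an added PHP example that is not the extension's own code: `validateToken`, `handleBefore` and `handleAfter` are hypothetical names, and the request body is a constructed sample. It goes slightly beyond the empty-string case by also normalising a token submitted as an array.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a validator whose signature requires a string.
function validateToken(string $token): bool {
    // An empty token can never be valid: reject it before any remote check.
    if ($token === '') {
        return false;
    }
    // Placeholder: a real validator would verify the token with the CAPTCHA provider.
    return false;
}

// "Before": the token is only assigned when the field is non-empty, so an
// empty submission leaves it NULL and the typed call throws a TypeError.
function handleBefore(array $post): bool {
    $token = null;
    if (!empty($post['g-recaptcha-token'])) {
        $token = $post['g-recaptcha-token'];
    }
    return validateToken($token);
}

// "After": the token always starts as a string, so a missing, empty or
// non-string value becomes '' and validation fails closed without an error.
function handleAfter(array $post): bool {
    $raw = $post['g-recaptcha-token'] ?? '';
    $token = is_string($raw) ? trim($raw) : '';
    return validateToken($token);
}

// Constructed sample bodies: an empty token field, and a token sent as an array.
parse_str('first_name=KizGZ&g-recaptcha-token=', $emptyField);
parse_str('first_name=KizGZ&g-recaptcha-token[]=x', $arrayField);

try {
    handleBefore($emptyField);
} catch (TypeError $e) {
    echo 'before: ', get_class($e), ': ', $e->getMessage(), PHP_EOL;
}

echo 'after (empty field): ', var_export(handleAfter($emptyField), true), PHP_EOL;
echo 'after (array field): ', var_export(handleAfter($arrayField), true), PHP_EOL;
```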
