"Heine Deelstra" wrote:
2. 4.7 modules and themes that rely on a defined set of form fields to be present
Certain modules and themes output only specific form fields. As they do not output the form_token, the form will always fail validation for authenticated users.
In addition, certain modules unset a few form fields, then save the remainder of the form. These modules need to account for the new field.
Is there some method for knowing _which_ modules will be affected? Is there some specific API/function/code which these affected modules use (and which can be searched/determined in the module files)?

A security fix which breaks existing installations is rather, um, difficult to embrace. (Especially given that the security alerts are so vague that it's very hard to know if any given site is vulnerable. Security alerts with statements like "a site with a specially crafted URL" are too vague to assess the potential impact...what kind of "specially crafted site" or "specially crafted RSS feed" or "specially crafted URL"?)

I'd be happy to apply the 4.7.4 update, but not before I know which modules (of the dozens we use) will be lost to this "fix". Any methods suggested for determining which modules will break are appreciated.

-- inkfree
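An added example, not part of the original post or of Drupal itself: a heuristic scan for the two patterns the quoted announcement describes (forms that output only selected fields, and code that unsets a few fields before saving the rest). It assumes `form_render()` is the 4.7 rendering call and that submit handlers name their values `$form_values` or `$edit`; the sample PHP is constructed, and a hit means "review by hand", not "broken".

```python
import re

# Constructed sample of Drupal 4.7-style module code (not from any real module).
SAMPLE = r"""
<?php
function theme_example_form($form) {
  $output  = form_render($form['title']);
  $output .= form_render($form['submit']);
  return $output;
}
function theme_example_ok_form($form) {
  $output  = form_render($form['title']);
  $output .= form_render($form);
  return $output;
}
function example_settings_submit($form_id, $form_values) {
  unset($form_values['submit'], $form_values['form_id']);
  foreach ($form_values as $key => $value) {
    variable_set($key, $value);
  }
}
"""

FUNC = re.compile(r"function\s+(\w+)\s*\(")
PARTIAL = re.compile(r"form_render\(\s*\$form\[")      # renders one sub-element
WHOLE = re.compile(r"form_render\(\s*\$form\s*\)")     # renders whatever is left
UNSET = re.compile(r"unset\(\s*\$(?:form_values|edit)\[")  # assumed variable names

def audit_source(php):
    """Return (function, reason) pairs worth a manual look."""
    findings = []
    starts = list(FUNC.finditer(php))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(php)
        body = php[m.end():end]
        if "form_token" in body:
            continue  # function already accounts for the new field
        if PARTIAL.search(body) and not WHOLE.search(body):
            findings.append((m.group(1), "renders selected fields only"))
        if UNSET.search(body):
            findings.append((m.group(1), "unsets fields, may save the rest"))
    return findings

if __name__ == "__main__":
    for name, reason in audit_source(SAMPLE):
        print(f"{name}: {reason}")
```

To use it on a real site, call `audit_source()` on the contents of each `.module` and theme file in turn.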