Details
Description
AbstractTextComponent overrides isInputNullable to return false, instead of the default true, defined in FormComponent. FormComponent#checkRequired uses isInputNullable to check if an input was disabled. That makes it possible to submit a form with a required field without that field, completely skipping the validation (forms onSubmit is called). We consider this a wide open security hole, as basically any form with a required text field, relying on the required-validation, is affected.
The hole can easily be exploited by not removing certain fields from a form submit, eg. by removing them from the DOM via Firebug (then doing a regular submit), or forging the complete request with an appropriate tool.
From what is commented on isInputNullable, it seems like the check should actually be replaced with an actual check of enabled/disabled methods/properties. A required input is only optional, when it is actually not enabled (on the serverside), not just because its key/value pair is missing in the request.
I''ll attach a test application.