From 4440b887304fe80ca77366800457cbc2ac705654 Mon Sep 17 00:00:00 2001
From: Daniel Hensby
Date: Fri, 11 Nov 2016 15:36:56 +0000
Subject: [PATCH] [SS-2016-010] FIX Form@httpSubmission will no longer load submitted data to disabled or readonly fields

---
 forms/Form.php | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/forms/Form.php b/forms/Form.php
index 769e6ece6..e21d9a6a0 100644
--- a/forms/Form.php
+++ b/forms/Form.php
@@ -319,8 +319,21 @@ class Form extends RequestHandler {
 			$vars = $request->requestVars();
 		}
 
+		// construct an array of allowed fields that can be populated from request data.
+		// readonly or disabled fields should not be loading data from requests
+		$allowedFields = array();
+		$dataFields = $this->Fields()->dataFields();
+		if ($dataFields) {
+			/** @var FormField $field */
+			foreach ($this->Fields()->dataFields() as $name => $field) {
+				if (!$field->isReadonly() && !$field->isDisabled()) {
+					$allowedFields[] = $name;
+				}
+			}
+		}
+
 		// Populate the form
-		$this->loadDataFrom($vars, true);
+		$this->loadDataFrom($vars, true, $allowedFields);
 
 		// Protection against CSRF attacks
 		$token = $this->getSecurityToken();
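Review bot: The allowlist handed to the new `$this->loadDataFrom($vars, true, $allowedFields);` line can legitimately be an empty array — a form whose data fields are all readonly or disabled, or one where `dataFields()` returns nothing — and `loadDataFrom` is not shown here; if it treats a falsy `$fieldList` the same as its default of "no restriction", an all-readonly form would still have every field populated from the request, which is exactly the case this patch is meant to close. Guarding the call, `if ($allowedFields) { $this->loadDataFrom($vars, true, $allowedFields); }`, makes an empty allowlist mean "load nothing" regardless of how `loadDataFrom` interprets it, and there is nothing to populate in that case anyway. Separately, `$dataFields` is computed and tested but the foreach calls `$this->Fields()->dataFields()` a second time; iterating `$dataFields` instead avoids rebuilding the field list and keeps the guard and the loop looking at the same collection. httpSubmission begins before this hunk and continues after it.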