SA-CORE-2009-001: Missing validation for hook_user [#239676]

Only requirement to do this bug: have pictures for users activated.

Well when a user edits their profile, it should call hook_user where the first parameter is 'validate'. But it does not. So take like changing the name. When you register it checks if the name is valid. But when you edit your name and save with something invalid like double spaces, it does not validate.
Note: I only used edit name as an example, I was working on a module when this happened.

So I search through the code. It was this line in user.module:

    $form['#validate'][] = 'user_validate_picture';

What happens is that it overwrites the default validate function, user_profile_form_validate. Without calling user_profile_form_validate, then the hook_user would be called with 'validate'

Right now I only added in user.pages.inc:

  $form['#validate'][] = 'user_profile_form_validate';

After:

  $form['#attributes']['enctype'] = 'multipart/form-data';

Comment	File	Size	Author
#10	user-validate.patch	2.54 KB	mfb
#10
#3	user_validate_4.patch	807 bytes	pwolanin
#3
#1	user_validate.patch	807 bytes	v1nce
#1

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

v1nce CreditAttribution: v1nce commented 19 December 2008 at 17:24

Version:	6.1	» 6.8
Priority:	Normal	» Critical

File	Size
user_validate.patch	807 bytes

I ran into this issue while updating Imagecache Profiles to the 6.x branch. It seems the default validate hook is not getting called for the user_profile_form. The user module is adding in a custom validation callback when profile pictures are enabled:

$form['#validate'][] = 'user_validate_picture';

By default, d5 forms would call a function if defined like $form_id_validate(), but user_profile_form_validate() is not getting executed. The only #validate element defined in the $form when pictures are enabled is 'user_validate_picture'. This means the default fields are not being validated and any additional fields that use the validate $op of hook_user() are also not getting run.

Looking at how a form is prepared in drupal_prepare_form() we see:

  if (!isset($form['#validate'])) {
    if (function_exists($form_id .'_validate')) {
      $form['#validate'] = array($form_id .'_validate');
    }
  }

So, since user.module is defining a #validate function to use in user_edit_form() when profile pictures are enabled, the default #validate function is not set. This is a critical security issue.

Comment #2

Dave Reid

he/him

English

Nebraska USA

CreditAttribution: Dave Reid commented 20 January 2009 at 19:57

Version:	6.8	» 6.9
Status:	Active	» Fixed

This has been fixed in the latest release. See http://cvs.drupal.org/viewvc.py/drupal/drupal/modules/user/user.module?r...

Comment #3

pwolanin CreditAttribution: pwolanin commented 20 January 2009 at 20:46

Title:	Missing validation for hook_user	» SA-CORE-2009-001: Missing validation for hook_user
Version:	6.9	» 7.x-dev
Status:	Fixed	» Needs review

File	Size
user_validate_4.patch	807 bytes

This issue was fixed in the last core release and needs to be ported to HEAD. Hopefully the 6x patch applies.

Also, we should discuss for HEAD (and 6.x) as a separate issue whether the FAPI behavior of omitting the default validation function is correct/desirable.