The only requirement to reproduce this bug: have pictures for users activated.
Well, when a user edits their profile, it should call hook_user with 'validate' as the first parameter. But it does not. So take, for example, changing the name. When you register, it checks if the name is valid. But when you edit your name and save it with something invalid, like double spaces, it does not validate.
Note: I only used edit name as an example, I was working on a module when this happened.
So I searched through the code. It was this line in user.module:
$form['#validate'][] = 'user_validate_picture';
What happens is that it overwrites the default validate function, user_profile_form_validate. Without user_profile_form_validate being called, hook_user is never called with 'validate'.
For now I only added, in user.pages.inc:
$form['#validate'][] = 'user_profile_form_validate';
After:
$form['#attributes']['enctype'] = 'multipart/form-data';
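To make the failure mode concrete, here is a reduced model of the Form API handler resolution described in this issue (an added illustration, not Drupal's own code): the stand-in validators, the `prepare_form_validators()` model and the sample form arrays are constructed for this example, and only the handler names come from the issue.

```php
<?php
// Reduced model of Drupal 6 FAPI handler resolution (constructed for this
// example, not Drupal's code): why user_profile_form_validate() is skipped
// once user.module sets #validate, and how the one-line fix restores it.
$ran = array();  // handlers that actually executed

// Stand-in for the core profile validator: rejects consecutive spaces.
function user_profile_form_validate($form, &$form_state) {
  global $ran;
  $ran[] = __FUNCTION__;
  if (strpos($form_state['values']['name'], '  ') !== FALSE) {
    $form_state['errors'][] = 'Username contains consecutive spaces.';
  }
}

// Stand-in for the picture validator user.module appends to #validate.
function user_validate_picture($form, &$form_state) {
  global $ran;
  $ran[] = __FUNCTION__;
}

// Modelled drupal_prepare_form(): the default $form_id . '_validate'
// handler is added only when the form has no #validate entry yet.
function prepare_form_validators($form_id, array $form) {
  if (!isset($form['#validate']) && function_exists($form_id . '_validate')) {
    $form['#validate'] = array($form_id . '_validate');
  }
  return $form;
}

// Prepares the form, runs every validator, reports what ran and any errors.
function validate_profile(array $form, $name) {
  global $ran;
  $ran = array();
  $form = prepare_form_validators('user_profile_form', $form);
  $form_state = array('values' => array('name' => $name), 'errors' => array());
  foreach ($form['#validate'] as $handler) {
    $handler($form, $form_state);
  }
  return array('ran' => $ran, 'errors' => $form_state['errors']);
}

// Pictures enabled, unpatched: only user_validate_picture runs, so the
// double-space name passes without an error.
$broken = array('#validate' => array('user_validate_picture'));
print_r(validate_profile($broken, 'bad  name'));
// With the fix from the issue appended, the core validator runs and rejects it.
$fixed = $broken;
$fixed['#validate'][] = 'user_profile_form_validate';
print_r(validate_profile($fixed, 'bad  name'));
```

The first call reports only `user_validate_picture` and no errors; the second reports both handlers and the consecutive-spaces error, which is exactly the gap the one-line patch closes.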
Comment | File | Size | Author |
---|---|---|---|
#10 | user-validate.patch | 2.54 KB | mfb |
#3 | user_validate_4.patch | 807 bytes | pwolanin |
#1 | user_validate.patch | 807 bytes | v1nce |
Comments
Comment #1
v1nce commented: I ran into this issue while updating Imagecache Profiles to the 6.x branch. It seems the default validate hook is not getting called for the user_profile_form. The user module is adding in a custom validation callback when profile pictures are enabled:
$form['#validate'][] = 'user_validate_picture';
By default, d5 forms would call a function if defined like $form_id_validate(), but user_profile_form_validate() is not getting executed. The only #validate element defined in the $form when pictures are enabled is 'user_validate_picture'. This means the default fields are not being validated and any additional fields that use the validate $op of hook_user() are also not getting run.
Looking at how a form is prepared in drupal_prepare_form() we see:
So, since user.module is defining a #validate function to use in user_edit_form() when profile pictures are enabled, the default #validate function is not set. This is a critical security issue.
Comment #2
Dave Reid: This has been fixed in the latest release. See http://cvs.drupal.org/viewvc.py/drupal/drupal/modules/user/user.module?r...
Comment #3
pwolanin commented: This issue was fixed in the last core release and needs to be ported to HEAD. Hopefully the 6.x patch applies.
Also, we should discuss for HEAD (and 6.x) as a separate issue whether the FAPI behavior of omitting the default validation function is correct/desirable.
Comment #4
Dave Reid: We should probably just fix the FAPI behavior instead of a temporary fix.
Comment #5
pwolanin commented: Well, I'd agree, but others may not. In any case, the 1-line fix above will do no harm in either case.
Comment #6
Dave Reid: Fair enough. I've posted my fix in #361702: drupal_prepare_form() should always add default validate and submit handlers. Either way, the important thing is that this SA gets fixed. :)
Comment #8
pwolanin commented: tagging
Comment #9
mfb: Marked #549726: user_profile_form_validate() not called when submitting user_profile_form as duplicate
Comment #10
mfb: Updated above patch and added a test.
Comment #11
r.villetet commented: The last submitted patch works great!
Comment #12
Dries commented: Committed to CVS HEAD. Thanks!