Problem/Motivation

The function jquery_update_library_alter() uses the POST variable $_POST['ajax_page_state']['jquery_version']. We should always treat POST variables with suspicion.

Proposed resolution

The core function ajax_base_page_theme() (in includes/ajax.inc) does this check:

    $token = $_POST['ajax_page_state']['theme_token'];
    if ($theme === variable_get('theme_default', 'bartik') || drupal_valid_token($token, $theme)) {
      return $theme;
    }

Let's do something similar here.

Remaining tasks

User interface changes

None

API changes

None

Data model changes

None

CommentFileSizeAuthor
#11 3317298-11.patch4.66 KBmcdruid
#8 jquery_update-3317298-8-test-only.patch2.57 KBbenjifisher
#6 jquery_update-3317298-6-test-only.patch4.78 KBbenjifisher

Issue fork jquery_update-3317298

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

benjifisher created an issue. See original summary.

benjifisher opened merge request !3

benjifisher’s picture

benjifisher
he/him or they/them
Primary language English
Location Boston area
commented
Assigned: benjifisher » Unassigned
Status: Active » Needs review

Even though the changes are pretty small (+10/-2) I think they are easier to understand as a series of small commits, so I opened a MR for this issue.

I confess that I have not tested this at all, except that I installed the module and did not get a WSOD. Testing is the reviewer's job, right? ;)

mcdruid’s picture

mcdruid commented

Thanks, I think this looks pretty good but in the absence of tests it's a bit hard to know for sure!

We have started adding tests recently but there's nothing that would cover this functionality yet.

    $token = $_POST['ajax_page_state']['jquery_version_token'];

I think we should probably check whether this element exists before using it to avoid PHP warnings etc.. (keeping in mind that we need to use e.g. the traditional long-winded ternary syntax etc.. if that's the approach we took).

benjifisher’s picture

benjifisher
he/him or they/them
Primary language English
Location Boston area
commented

Good points in #4.

I did the easy part, adding a check for !empty(...) before using the POST variable. If the check is to provide any protection, we have to ignore the jQuery version in the AJAX request unless it comes with a token.

This means we have to invalidate any cached pages that have set jquery_version but not jquery_version_token in Drupal.settings. Can we just advise site owners to clear caches when upgrading to the next release, or do we have to write an update function?

I may not have time today to add anything to the tests. I do not see any AJAX tests in the module, but maybe I can use ajax.test in the core simpletest module as a guide.

benjifisher’s picture

benjifisher
he/him or they/them
Primary language English
Location Boston area
commented
StatusFileSize
new jquery_update-3317298-6-test-only.patch4.78 KB

I struggled for a while, trying to come up with an integration test. If you really want, then I can keep trying.

What I have now is more like a unit test. It directly calls jquery_update_library_alter() three times: the second time, it sets jquery_version in a POST variable, and the third time it also sets a token in a POST variable.

    $libraries = drupal_get_library('system');
    // ... assertions ...
    jquery_update_library_alter($libraries, 'system');
    // ... assertions ...

That is not ideal. Since this is really a functional test, not a unit test, the alter function is already applied in the first line. So these assertions are redundant. I could leave out the second set of assertions, or I could replace the first line with an explicit array. The second option would make it more like a unit test.

Maybe, instead of altering the same $libraries variable three times (since it is passed by reference to the alter function) I should do something like

    $original_libraries = drupal_get_library('system');
    $libraries = $original_libraries;
    // ... assertions ...
    $libraries = $original_libraries;
    jquery_update_library_alter($libraries, 'system');
    // ... assertions ...

I am attaching the new commit as a test-only patch. I expect it to fail when applying the alter function with just jquery_version set in the POST variable (two assertions).

Status: Needs review » Needs work

The last submitted patch, 6: jquery_update-3317298-6-test-only.patch, failed testing. View results
- codesniffer_fixes.patch Interdiff of automated coding standards fixes only.

benjifisher’s picture

benjifisher
he/him or they/them
Primary language English
Location Boston area
commented
Status: Needs work » Needs review
StatusFileSize
new jquery_update-3317298-8-test-only.patch2.57 KB

I broke a long line in order to keep CodeSniffer happy.

Here is a version of the test-only patch that includes that fix and also removes some WIP changes that I accidentally included in #6.

The testbot will set this issue back to NW because of the test-only patch.

Status: Needs review » Needs work

The last submitted patch, 8: jquery_update-3317298-8-test-only.patch, failed testing. View results

benjifisher’s picture

benjifisher
he/him or they/them
Primary language English
Location Boston area
commented
Status: Needs work » Needs review
mcdruid’s picture

mcdruid commented
StatusFileSize
new 3317298-11.patch4.66 KB

Needed a reroll after #3317322: jQuery version for theme not loading as selected if custom path is set added to jquery_update.test.

I am happy with this patch if the testbot is.

  • mcdruid committed d4d43bb on 7.x-4.x 
    Issue #3317298 by benjifisher, mcdruid: Add a check before using...
mcdruid’s picture

mcdruid commented
Status: Needs review » Fixed

Thanks @benjifisher!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.