Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
We have just realized that Drupal has big bug in comment module. When several users can moderate comments and one user delete one comment and second user is also on the menu for comment moderating but still sees that comment that has been deleted by the other user and he also check that comment for deletion, ALL COMMENTS in Drupal will be deleted!
Are you aware of this bug and is there some patch for that?
Comment | File | Size | Author |
---|---|---|---|
#9 | comment.module_1.459_patch04 | 3.42 KB | AjK |
#8 | comment.module_1.459_patch03 | 3.47 KB | AjK |
#7 | comment.module_1.459_patch02 | 2.64 KB | AjK |
#3 | comment.module_1.459_patch01 | 1.23 KB | AjK |
Comments
Comment #1
Cainan CreditAttribution: Cainan commentedmoved to drupal project, as this is a core issue, not my poor lil module.
Comment #2
beginner CreditAttribution: beginner commentedthe bug should be fixed in cvs first and backported soon after.
Comment #3
AjK CreditAttribution: AjK commentedThe actual reason all comments are deleted is that a empty value gets passed to _comment_delete_thread() for the ->cid value. The API states that "NOTE: using this syntax will cast NULL and FALSE values to decimal 0, and TRUE values to decimal 1."
So, the WHERE clause gets translated to "WHERE pid = 0" and this, recursively, ends up wiping all the comments.
The attached patch stops this happening in _comment_delete_thread() so will at least protect your site against this type of "race condition".
However, the UI should detect it eariler in the process before calling _comment_delete_thread()
I haven't looked at doing that just yet. I thought I would get this minor patch out for those that "want it now" to at least provide protection.
regards
--AjK
Comment #4
beginner CreditAttribution: beginner commentedComment #5
drummI'd rather see a fix in the calling code
There should probably be something right next to where $comment is set, since it may be NULL and is used as an object on the next line (we should never use undefined variables as objects).
The watchdog message needs some help as well. People are going to be reading it, not programmers.
Comment #6
AjK CreditAttribution: AjK commented>> "code needs work" for sure. I didn't intend that patch for core but was meant for worried admins who wanted to effect at least protection from what is effectively "delete from comments;" when a null value is passed. Sorry I didn't set the status of the issue correctly.
I have actually started looking at the fix in the calling section so that it shouldn't even occur however, because db_query() casts a NULL or FALSE to 0 for %d type, I belive checking the value before calling db_query() is important. I actually thought there was a bug in db_query() until I re-read the API doc where it's plain to see it's a feature.
On a side note, I have seen a few issues regarding the loss of the UID = 0 account (anon). This as actually happened to me once and I put it down to "finger problems" in our London office. However, now understanding db_query()'s cast to zero feature, I'm not so sure. So I may go looking for "unprotected" sql where a zero might not have been expected and db_query()'s subsequent effects not noticed.
I must say, although db_query()'s effetcs are documented in the API, I can't help thinking that this often goes unnoticed. It may be that for %d type vars passed, db_query() should do is_int($...) || ctype_digit($...) and enforce a number for %d (ie change the feature from "casting to zero" to "error"). But that may cause more problems that it solves. Depends on how the many people have been using db_query() and if people have actually relied on this feature (it would break their code to change it). But I'd be surprised to learn that people have actually "relied" on this for operational code.
best regards
--AjK
Comment #7
AjK CreditAttribution: AjK commentedOK, here's my patch that catches comments that have been deleted during this "race condition" bewteen two or more administrators that are deleting comments.
I've tested it under a number of conditions and it appears to do what's required. Over for review.
best regards
--AjK
Comment #8
AjK CreditAttribution: AjK commentedI should have taken drumm's advice a bit more. Here's a patch as above, however, as drumm suggests, this checks the $comment for object type and cid validity.
best regards
--AjK
Comment #9
AjK CreditAttribution: AjK commentedhaving chatted by drumm on IRC he made some recommendations. I have applied these and retested and it all appears ok to me now (and hopefully to drimm ;)
Patch attached.
best regards
--AjK
Comment #10
Dries CreditAttribution: Dries commentedIs it me or does this patch more than what is strictly necessary. Please provide a minimal patch that we can backport to DRUPAL-4-7.
Aren't many of these ctype_digit($comment->cid) checks redundant/excessive? It's not something we do in other modules?
Also, why do we use ctype_digit()? Can't we use is_numeric() like we use elsewhere?
Comment #11
AjK CreditAttribution: AjK commentedThe patch does two things.
So, the patch is, imho, doing realistically the minimal amount to fix the problem.
As for your other comments, I have sent an email to yourself, "killes" and "heine" as it's all sometwhat long winded explanation. However, if there exists "a way thing are to be done" I'm happy to do things "that way".
I will look at DRUPAL-4-7 shortly. Sorry, being new to core patching, I forgot that a bug fix needs backporting.
best regards,
--AjK
Comment #12
Dries CreditAttribution: Dries commentedAjK: I'm currently traveling and somewhat behind e-mail.
Comment #13
AjK CreditAttribution: AjK commentedDries, yes, saw your blog so appreciate the delay.
Have a good trip (and sorry for the off topic issue post)
best regards
--AjK
Comment #14
chx CreditAttribution: chx commentedDries, actually we should use ctype_digit everywhere because it is faster than is_numeric
Comment #15
AjK CreditAttribution: AjK commentedchx,
thanks for the follow up. I sent Dries an rather long winded email regarding ctype_digit() amoungst other things. It's true the ctype_digit() is faster than is_numeric() but this is only true if the var being passed is a string representation of a decimal digit. If the var being passed is a true int (zval->type == IS_LONG) then is_numeric() turns out to be faster than ctype_digit().
It's all about knowing what type of $var you are working with.
I used ctype_digit() as I know it was a string representation being tested and not a true int.
best regards
--AjK
Comment #16
drummI'm recompiling my PHP (on Gentoo) to support ctype_*().
Maybe in the future we will need a ctype gap-filler if it isn't installed, like MediaWiki apparently has and like we have done for unicode support.
Comment #17
drummCommitted to HEAD.
Comment #18
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedCtype functions are available on drupal.org. According to php.net they are enabled by default from 4.2.0 on.
backported to 4.7.
Comment #19
(not verified) CreditAttribution: commented