Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
the login link on the forum doesn't really do what it insinuates it does.
Comment | File | Size | Author |
---|---|---|---|
#23 | forum_url_1.patch | 605 bytes | chx |
#22 | forum_url_0.patch | 1.31 KB | chx |
#21 | forum_url.patch | 1.31 KB | chx |
#12 | forum_issue40751.patch | 2.05 KB | puregin |
#5 | loginlinkredirect_2.patch | 751 bytes | torgeirb |
Comments
Comment #1
Dries CreditAttribution: Dries commentedIncorrect use of url(). Does $tid need to be escaped?
Comment #2
Wesley Tanaka CreditAttribution: Wesley Tanaka commented$tid is not escaped elsewhere in the function either because it is expected to be an integer.
Comment #3
Wesley Tanaka CreditAttribution: Wesley Tanaka commentedComment #4
Wesley Tanaka CreditAttribution: Wesley Tanaka commentedpatch still applies against 4.7.0-test2
Comment #5
torgeirb CreditAttribution: torgeirb commentedIf user does not actually have access to post in the forum, they are treated to a big fat 'access denied'. I'd rather they be redirected to the page they came from.
Alternatively, the login prompt on the forum needs to be removed if authenticated users are not allowed to create new forum topics.
Comment #6
moshe weitzman CreditAttribution: moshe weitzman commentedthat $tid looks dangerous to me. url() does not sanitize input. has the tid been sanitized already? otherwise, the intent of the patch is nice.
Comment #7
Wesley Tanaka CreditAttribution: Wesley Tanaka commentedSee comment #2:
Comment #8
moshe weitzman CreditAttribution: moshe weitzman commentedthat comment says nothing. "it is expected" does not cut it. we have to be sure that this input has been sanitized. this patch won't be accepted without proving that.
Comment #9
Wesley Tanaka CreditAttribution: Wesley Tanaka commentedwell, then the patch would need to be expanded to include all other times in the function that $tid is printed.
Comment #10
Wesley Tanaka CreditAttribution: Wesley Tanaka commentedbecause the pre-existing code already assumes that $tid has been sanitized
Comment #11
puregin CreditAttribution: puregin commentedAdded code to ensure
$tid
is a numeric integer in this function; 'Login' link is generated according to torgeirb's patch.Comment #12
puregin CreditAttribution: puregin commentedOops, here's the patch
Comment #13
moshe weitzman CreditAttribution: moshe weitzman commentedi think a simple check_plain() solves the sanitizing need ... there is a line of debug code in there.
Comment #14
Wesley Tanaka CreditAttribution: Wesley Tanaka commentedalso the last change where you get rid of the check on $tid looks weird.
Comment #15
Wesley Tanaka CreditAttribution: Wesley Tanaka commentedsettype($tid, 'integer') would also work
Comment #16
puregin CreditAttribution: puregin commentedI find typecasting and settype() have behaviours which don't seem appropriate here.
It looks like there are other places in the code where ensuring a given parameter is an integer is important, e.g.
http://drupal.org/node/41369
Is it best to clean up the parameters, or ignore them and just check_plain() the generated links?
Comment #17
Wesley Tanaka CreditAttribution: Wesley Tanaka commentedsettype would actually do a reasonable thing -- if the user created a url with a $tid that was completely not integer, settype would cast it to 0 which would give you the forum listing.
anyway, like i said back in comment #2, the original non-checking patch doesn't do any worse than the current code.
i don't care how it's done, and if it gives a better feeling of consensus, do check_plain like suggested in comment #13
Comment #18
Zen CreditAttribution: Zen commentedDowngrading priority. Can someone provide a patch and get this rolling again?
Cheers
-K
Comment #19
Wesley Tanaka CreditAttribution: Wesley Tanaka commentedthere are several patches that haven't been reviewed yet.
Comment #20
Dries CreditAttribution: Dries commentedThere is debug information in the last patch.
How about using intval() instead?
Comment #21
chx CreditAttribution: chx commentedUsually this is what we do.
Comment #22
chx CreditAttribution: chx commentedhmmm, this time i did not want to double post.
Comment #23
chx CreditAttribution: chx commenteddefinitely not three times. what's going on here?? what gets uploaded is not what i see.
Comment #24
gopherspidey CreditAttribution: gopherspidey commentedBefore the Patch was applied the login link returned you to the begining of the site.
After the patch was applied it returned you to the same forum page so that I could post.
It applied cleanly to HEAD as of today
Comment #25
drummCommitted to HEAD.
Comment #26
(not verified) CreditAttribution: commented