The module is 100% complete and functional. I have run it through Coder to ensure Drupal coding standards compliance and all reported issues have been fixed. I would like to contribute this module back to the community. I have a D6 version right now and will start work on updating and testing on D7 soon.
I had considered whether this functionality should be provided as a patch to Token Filter considering the small size of that module and the dependency on that module. However, I think it should probably remain discrete functionality, since there may be other use cases requiring these tokens outside of the concerns of Token Filter. I believe there is a valid separation of concerns. As far as I know there is no similar project available. If there is, I am more than willing to submit a patch. I asked around on #drupal-support IRC if anyone knew of a similar project.
Thanks!
| Comment | File | Size | Author |
|---|---|---|---|
| #14 | token_request_params.6.x.0.1.2beta.zip | 5.06 KB | atheneus |
| #9 | token_request_params.6.x-0_1_1_beta.zip | 3.98 KB | atheneus |
| #2 | token_request_params.zip | 2.51 KB | atheneus |
Comments
Comment #1
sunThis sounds scary from a security point of view, but I'll wait for the archive.
Comment #2
atheneus commentedComment #3
atheneus commentedYes - any feedback on security issues are certainly welcome. I am providing raw as well as cleaned (check_plain()) variables. I think there may be a need to restrict the size and number of parameters that can be tokenized. Ultimately, this is addressing a security concern of using $_GET in PHP filtered blocks.
My main security concern is with introducing a vector for a DoS attack, particularly with POST parameters.
Comment #4
atheneus commentedFYI: I am currently working on this module to add the ability for site owners to restrict what parameters will be available for tokenizing. They will be able to specify the full match of the parameter name or use a wildcard - so they would be able to tokenize only parameters with a particular prefix or suffix. For example: 'myparams_*' will tokenize only those parameters that begin with 'myparams_'.
I am also adding a limit on the number of parameters that can be tokenized, with the limit configurable by the site owner. For example the default might be the first 10 parameters, but the site owner would be able to raise or lower this limit.
Comment #5
sun$key needs to be check_plain()'ed in any case here.
I'm very nervous about the -raw tokens. It's not like other tokens couldn't contain totally unsafe values too, but these tokens here make a couple of attacks very very easy. Too easy, IMHO.
Comment #6
atheneus commentedThanks for the review and feedback sun. I caught the omission of the check on the key a couple of days ago, while working on adding the extra settings for restricting what parameters will be tokenized.
I share the concern about the -raw. As I continue to think about it, I can't see any legitimate use cases that would require access to the unfiltered values.
I will fix and reupload the latest version: unless, you think the whole concept completely stinks. I'm fine with that. Though, suggestions as to an alternative approach to satisfy the same use case would be highly valued.
Thanks.
Comment #9
atheneus commentedAttached is an updated version of this module. I removes the '-raw' tokens, adds a check_plain() to the parameter key and also forces users to specify the parameters that will be tokenized in site configuration as well as limiting the availability of parameter tokens to specific user-defined pages.
I have also made the help page text more comprehensive and useful.
Comment #10
sunThis needs an additional security review from someone else than me.
@atheneus: Sorry - if this code wouldn't have potential impacts on site security, then this application process wouldn't take so long.
Comment #11
atheneus commented@sun: no worries. It's always better to err on the side of caution. Is there any way to refer this issue to the security team to get a security review?
Comment #12
atheneus commentedComment #13
avpadernoI am adding the review tags.
Comment #14
atheneus commentedUploading the latest version:
Fixed bug in POST / GET settings.
Added configuration option to restrict the size of values that can be tokenized.
Comment #15
atheneus commentedSince there's little interest in this module, I'm going to go ahead and close this, to reduce the noise.
Comment #16
avpaderno@atheneus: It's not true there is little interest in this module; as reported from sun, it needs a more detailed review from somebody who can make a security review of the code.
Comment #17
avpadernoWhy is the module requiring also token_filter.module?
Comment #18
atheneus commentedOh ok - wasn't getting upset or anything. I just didn't want to be cluttering up the queue.
As for the token_filter dependency, that is an artifact of the original deployment to the specific use-case where this was derived. Since the client was going to install & configure, I wanted to make sure they had everything installed that needed to be installed for all the components to work. It was in there as a hint more than anything.
This module actually has no direct dependency on token_filter, only on Token. It could easily be used by any other module that uses tokens.
I'll remove it from the .info file.
Comment #19
gregglesI'm not sure why the key needs to be check_plained. They key is referenced, but never inserted. The only place that keys are listed is in hook_token_list which this module doesn't provide (and if it did, the values would come from the token_request_params_filter variable which of course should be filtered in that case). It doesn't hurt to check_plain those values, though.
There is some existing work in #550164: Query string tokens but I think this is fine as a separate project because the need for it is so specialized.
three nitpicks:
// END foreachIMO, the design of the module where admins have to set which tokens are allowed and the proper use of check_plain make this a reasonable module. Another security point would be to add to the README.txt for the module that admins should put the token filter BEFORE the HTML filter.
Comment #20
gregglesAnd to be clear: the nitpicks should not hold back approval of the module.
I also suggest to @athenus that you leave this module in a dev state for a while (like a few months) before releasing a 1.0 version.
Comment #21
avpadernoAs far as I can see, I don't see any security problems with the module, and I think it can be useful.
Comment #23
avpadernoBasing on what reported from greggles, and what I have seen in the code, I am marking this report as fixed.
Comment #24
greggles*fixed* ;)
Comment #25
atheneus commentedThat's great! I appreciate you guys taking the time to provide a review and great feedback. All the points mentioned are well taken and will be included before the first release.
Again I really appreciate your efforts!
Comment #28
avpaderno