Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
I only checked a single function and found 2 security issues. I haven't check the rest of the code, there is probably more like this.
* IMPORTANT *
When creating a SQL query, URL query, outputting a URL parameter in the page, etc., the variables MUST BE sanitized! Drupal offer many function to do this. Use them to avoid serious security issues.
https://api.drupal.org/api/drupal/includes!common.inc/group/sanitization/7
File: biblio.crossref.client.php
Function: fetch()
URL INJECTION!!!
Line: 56
CHANGE THIS:
$this->query = $this->url . '?pid=' . $this->pid . '&noredirect=true&format=unixref&id=doi%3A' . $this->doi;
TO THIS:
$this->query = url($this->url, array('query' => array(
'pid' => $this->pid,
'noredirect' => 'true',
'format' => 'unixref',
'id' => 'doi:' . $this->doi
)));
--------------------
HTML INJECTION!!!
Line: 71
CHANGE THIS:
drupal_set_message(t('Failed to retrieve data for doi ') . $this->doi, 'error');
TO THIS:
drupal_set_message(t('Failed to retrieve data for doi !doi', array('!doi' => check_plain($this->doi))), 'error');
Comments
Comment #1
gaellafond CreditAttribution: gaellafond commentedI also found several cases of SQL injection in the install file. Those can't easily be exploited, but there is no excuses for a SQL injection!!!
Example:
Comment #2
rjerome CreditAttribution: rjerome commentedThank you for you comments @gaellafond, it's always good to have some extra eyes reviewing the code.
If you would like to submit some patches to fix the issues you mentioned, I would be happy to commit them and attribute the work to you. I couldn't help but notice that after more than 5 years in the Drupal community, you don't have any commits to your credit, so this might be an excellent opportunity...
Comment #3
karenann CreditAttribution: karenann as a volunteer commentedI've converted this to a patch and am queueing for test and further review. I only did the 2 fixes mentioned in the original post, to the
modules/crossref/biblio.crossref.client.php
file. I did not review any of the other code.Comment #4
discipolo CreditAttribution: discipolo commentedjust a quick note that automatic review also finds a lot of problems:
http://pareview.sh/pareview/httpsgitdrupalorgprojectbibliogit-7x-1x
Comment #5
discipolo CreditAttribution: discipolo commentedas far as drupalSecure standards go here is what phpcs says
Name
biblio_handler_argument_many_to_one.inc
Location
file [biblio] - .../views/biblio_handler_argument_many_to_one.inc
Problem synopsis
phpcs: Possible SQL injection in db_query() via variable $this (at line 19)
Name
biblio.install
Location
file [biblio] - .../biblio.install
Problem synopsis
phpcs: Possible SQL injection in db_query() via variable implode (at line 1513)
phpcs: Possible SQL injection in db_query() via variable implode (at line 1517)
phpcs: Possible SQL injection in db_query() via variable implode (at line 1521)
phpcs: Possible SQL injection in db_query() via variable implode (at line 1524)
phpcs: Possible SQL injection in db_query() via variable implode (at line 1540)
phpcs: Possible SQL injection in db_query() via variable $build (at line 1786)
phpcs: Possible SQL injection in db_query() via variable implode (at line 1961)
Comment #6
Alan D. CreditAttribution: Alan D. commented!doi = check_plain() was a bit redundant, re-rolled.
@ and % both use check_plain(), % also wraps it in EM tags
Also missed that the CrossRef error text was not sanitized.
Personally, use % @ for all message variables, even if they are trust worthy, it is simpler to check / test for these issues.
Safe data in these two too, but I would also do:
Note that these are not overly critical (excluding discipolo's ones) unless crossRef itself get's hacked. i think we need a critical security meta issue for this module while it is in RC....
Comment #7
Alan D. CreditAttribution: Alan D. commentedI think this is ok, no followup issue created (feel free to is some one does consider this a risk)
False hits...
Think this is a false hit too, _id_by_name() appears to use internal data only.
Actual security issue if an untrusted user was allowed to set the block title...
I created this patch. #2856487: Drupal 7 biblio_update_6026() is broken, but non-critical as the DB table blocks doesn't exist and can never be reached from a D7 site!
Another false hit, self defined data again in biblio_update_6031().
Comment #8
Alan D. CreditAttribution: Alan D. commentedThis one adds the error message, closing off #1556516: HTTP error: 500 when trying to contact crossref.org for XML input by providing as much info as possible about a failed request. :)
Comment #9
Liam MorlandComment #11
Liam MorlandThanks!
Comment #12
Liam Morland