Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
If we add an extra arg to rss.xml - e.g. ?q=rss.xml/a, we get big flaming errors:
# Warning: array_flip(): The argument should be an array in DrupalDefaultEntityController->load() (line 109 of /drupal-7/includes/entity.inc).
# Warning: Invalid argument supplied for foreach() in DatabaseCondition->compile() (line 1271 of /drupal-7/includes/database/query.inc).
PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '))' at line 2: SELECT revision.timestamp AS revision_timestamp, revision.uid AS revision_uid, revision.vid AS vid, revision.title AS title, revision.log AS log, revision.status AS status, revision.comment AS comment, revision.promote AS promote, revision.sticky AS sticky, base.nid AS nid, base.type AS type, base.language AS language, base.uid AS uid, base.created AS created, base.changed AS changed, base.tnid AS tnid, base.translate AS translate FROM {node} base INNER JOIN {node_revision} revision ON revision.vid = base.vid WHERE (base.nid IN ()) ; Array ( ) in DrupalDefaultEntityController->load() (line 127 of /drupal-7/includes/entity.inc).
and no output.
Comment | File | Size | Author |
---|---|---|---|
#13 | 622426-optionA.patch | 1.58 KB | mr.baileys |
#13 | 622426-optionB.patch | 1.96 KB | mr.baileys |
#5 | 622426-node-rss-errors-5t.patch | 1.55 KB | pwolanin |
#4 | 622426-drupal-node-feed-argument-validation.patch | 477 bytes | voxpelli |
#3 | 622426-node-rss-errors-D7.patch | 2.42 KB | Dave Reid |
Comments
Comment #1
chx CreditAttribution: chx commentedgarbage in, garbage out. That's just good.
Comment #2
pwolanin CreditAttribution: pwolanin commentedI disagree - user input triggering a SQL error is a form of SQL injection
Comment #3
Dave ReidComment #4
voxpelli CreditAttribution: voxpelli commentedAn alternate patch to Dave Reids - should we really return anything but a 404 for a subpath to rss.xml?
Also - can't see why this is a critical issue - no SQL injection possible.
Comment #5
pwolanin CreditAttribution: pwolanin commentedMany places in Drupal extra path parts are just ignored - I'd expect that instead of a 404.
Here's the no-WS change version of Dave's patch plus regression tests.
Comment #6
webchickCan someone explain why we need to fix this this way when we don't have to add those weird page arguments to any other menu callback? Should we not address this in node_feed()?
Comment #7
pwolanin CreditAttribution: pwolanin commented@webchick - the issue is that we are using an API function directly as the page callback without wrapping it - so we are essentially just provding correct/safe arguments rather than allowing the menu system to pass in arbitrary arguments. The alternative is to do more parameter checking in node_feed, but this seems simpler.
A couple other existing examples from core:
Comment #8
webchickHm. I think my preference would actually be for a "buffer" function between the two (node_feed_page?). That array(FALSE, array()) thing seems pretty weird.
Comment #9
pwolanin CreditAttribution: pwolanin commented@webchick - well, that
array(FALSE, array())
is just doing exactly what the wrapper function would do....Comment #10
ksenzeeIf we add a wrapper function, we can at least document the
array(FALSE, array())
thing.Comment #11
MichaelCole CreditAttribution: MichaelCole commented#5: 622426-node-rss-errors-5t.patch queued for re-testing.
Comment #13
mr.baileysRe-rolled against HEAD. I think adding a wrapper function for this is overkill.
Well, we might just as well document the
array(FALSE, array())
innode_menu
, we don't need to add a function just for documentation purposes.2 patches attached:
Comment #14
drbeaker CreditAttribution: drbeaker commentedI've tried both of these patches and still get the issue. Any ideas?
Comment #15
mr.baileys@drbeaker: did you rebuild the menu after applying the patches? (Administer > Configuration > Performance > Clear All Caches should do the trick).
Comment #16
gregglesI don't know it's a form of "sql injection" but it is often flagged as such by automated scanners.
It's just an error, imo, and certainly one worth fixing.
Comment #17
Dave ReidReviewing the option A patch as that's the one I prefer. People should always be in the habit of providing default parameters in their menu callbacks.
I don't see why we are redeclaring $rss_only_content twice again when it is already defined earlier in the test and doesn't need to be changed.
We could probably simplify this by just doing $this->drupalGet('rss.xml/a/b'). Doing so tests $this->drupalGet('rss.xml/a') as well.
"Check that content added in 'rss' build mode
appearappears in RSS feed."Comment #18
xjmClosing as duplicate of #1410260: rss.xml/whatever triggers PHP error.