Description

This module provides integration between the Alfahosting.de SMS Gateway and the SMS framework project.

D7 branch has the same code as the D6 branch. Difference is only in the sms_alfahosting.info file.

Requirements

  • SMS Framework module
  • An Alfahosting customer center account

Sandbox project

http://drupal.org/sandbox/NBZ4live/1441380

Drupal core

6.x

Git access

git clone --branch 6.x-1.x http://git.drupal.org/sandbox/NBZ4live/1441380.git sms_alfahosting

PAReview.sh is clean

D6: http://ventral.org/pareview/httpgitdrupalorgsandboxnbz4live1441380git-6x-1x
D7: http://ventral.org/pareview/httpgitdrupalorgsandboxnbz4live1441380git-7x-1x

Reviews of other projects

http://drupal.org/node/1304910#comment-5619944
http://drupal.org/node/1431790#comment-5619980
http://drupal.org/node/1444652#comment-5620420

CommentFileSizeAuthor
#7 drupalcs-result.txt1017 bytesklausi

Comments

misc’s picture

misc commented
Status: Needs work » Needs review

Welcome with your application.

I think that you should choose which branch you would like to get reviewed, it is hard to do a application review of two branches. I have done a manual review of the D 7 branch.

I guess there are no similar modules?

You have some security issues (http://drupal.org/writing-secure-code), about your usage of t(), you should not use variables directly into t(), use variable substitution like this:
$text = t("Your @name", array('@name' => $name));

Also you have configuration that you do not filter:

$xml->addAttribute('user', $config['sms_alfahosting_user']);

I think you should use a function like check_plain() here

This:

$xml = sms_alfahosting_format_xml('+4934567890123', 'ConfigValidation', $config + array('fake' => TRUE));

Why is the number hardcoded in the module, is that a value that never changes, some formatting string or something?

misc’s picture

misc commented
Status: Needs review » Needs work
NBZ4live’s picture

NBZ4live commented

Hello,

thank you for reviewing.

About the branches: The code in both branches is the same, because I use only hooks provided by the SMS Framework and there is no difference between the Drupal major versions. The difference is only in the core parameter of the sms_alfahosting.info file.

About the t() usage:
I am using @varname in all messages used with t()
The only place that is looks strange at the first look is the line 80. t($response['message'], $response['variables'])
But this is because I am using there the return of a function that returns an array for the SMS Framework.
Here are example values of this variables from the line 154:

$response = array('status' => FALSE, 'message' => 'The Gateway respond with an error: @errno - @error', 'variables' => array('@errno' => intval($xml_object->error->code), '@error' => strval($xml_object->error->message)));

About the security issue
I pass the values of the admin form directly into the XML building function of the API request. In that line I pass them to make a fake request to validate all the parameters with an example/fake request to the API. The settings will be saved only if the API successfully validates these parameters and responds with a success message like this:

<?xml version="1.0"?>
<alfasms><success><message>SMS would have been sent; aborted due to fake mode.</message></success></alfasms>

I haven't use check_plain() because if there is something wrong with the values of the admin form fields, then the API fake call will fail and the admin form will display an error message and will not save the values to the variables.

For building the XML I am using SimpleXML, so the values of the admin form fields can not brake the XML itself, because they become automatically escaped by SimpleXML if they contain illegal signs.

About the hardcoded number
This is not a real number. It's a fake number used for the validation/fake request to the Gateway API. In this step I am validating the admin form values over an Gateway API fake call. The admin form values are "Username", "Key" and "Sender". The reciver don't need to be validated in this step so I hardcoded this fake number.

misc’s picture

misc commented
Status: Needs review » Needs work

I know that the branches is the same, because you wrote that in the first issue :-), but choose one for the review. There is no problem in having booth in the repo in the review process, but it will help you, and us, to just have one branch up for review.

I do not understand the explanation about why you do not filter the user input, and there are still questions raised that are not answered, so please keep the need work status.

NBZ4live’s picture

NBZ4live commented
Status: Needs review » Needs work

Ok. Let's say it is the 6.x-1.x branch (I used D6 and smsframework-6.x-1.0 for the development) ;)

About the user input

check_plain() should be used to filter user entered values, but: In this case the values of the form fields are not displayed in the HTML of Drupal pages (only s #default_value) and are not used in SQL queries.
In the form validation function I pass the values to the XML building function. The XML building function is using SimpleXML to get valid XML. So SimpleXML is escaping everything that needs to be escaped to get a valid XML. After that I send this XML to the Gateway API for validation.
So if there are some illegal characters transferred to the API, the validation will fail and they will not be saved.
To get the values to be saved to the variable the admin of the site need to enter a valid username, valid key (the key can contain many special characters like <>,'`´$%&) and a valid sender.

I analyzed many cases and didn't found a way to pass the validation with invalid data or manipulate the validation process.

NBZ4live’s picture

NBZ4live commented
Status: Needs work » Needs review
klausi’s picture

klausi
he/him||they/them
Primary language German
Location 🇦🇹 Vienna
commented
Status: Needs work » Reviewed & tested by the community
Issue tags: -PAreview: review bonus
StatusFileSize
new drupalcs-result.txt1017 bytes

Review of the 7.x-1.x branch:

This automated report was generated with PAReview.sh, your friendly project application review script. You can also use the online version to check your project. Get a review bonus and we will come back to your application sooner.

manual review:

  • '+4934567890123': please document in a comment why this hard coded number is there and that it is a fake.
  • sms_alfahosting_process_request(): why don't you do the translation of messages directly there? The problem with passing variables to t() is that translation extraction tools are not able to pick up the string literal then.

But that are just minor issues, otherwise this looks RTBC to me. Removing review bonus tag, if there are still changes required you can add it again if you have done another 3 reviews of other projects.

NBZ4live’s picture

NBZ4live commented

I pushed everything found by DrupalCS and added an inline comment to the validation.

About the t() usage
This module is a submodule for the SMS Framework module and the return value of the sms_alfahosting_process_request() function is used as the return value of the sms_alfahosting_send_sms() callback function. Regarding to the SMS Framework documentation (Create the custom send function) :

  • The callback should return an array indicating the result of the send.
  • status - Set to TRUE if the send was successful, FALSE if it was not.
  • message - If 'status' is FALSE, you may provide more details about the error.
    See t() for documentation on how 'message' and 'variables' interact. Keep 'message' translatable by not concatenating dynamic values into it!
  • variables - Array of variables to replace in the message or NULL if message is already translated or not possible to translate.

So I can't use t(), because the SMS Framework module will use it again.

tim.plunkett’s picture

tim.plunkett
he/him
Primary language English
Location Philadelphia
commented
Status: Reviewed & tested by the community » Fixed

Thanks for your contribution! Welcome to the community of project contributors on drupal.org.

I've granted you the git vetted user role which will let you promote this to a full project and also create new projects as either sandbox or "full" projects depending on which you feel is best.

Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.

As you continue to work on your module, keep in mind: Commit messages - providing history and credit and Release naming conventions.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous’s picture

(not verified) commented
Issue summary: View changes

Removed D7 version