re-crawl after seeding?

greggles - October 30, 2008 - 22:06
Project: Security scanner component for SimpleTest module
Version: 6.x-1.0-beta1
Component: Code
Category: feature request
Priority: normal
Assigned: Unassigned
Status: active
Description

The talk module SA - http://drupal.org/node/309758 - is a fairly simple one. Create a node with javascript in the title, visit the node/NID/talk page, and the javascript is executed.

I wanted to see if the tool could detect this weakness and it seems that it can't. I believe the problem is that for some reason the crawler doesn't find the Talk link.

mysql> select * from crawler_links where path like '%talk' limit 10;
+----+-------------------------------------+------------+--------+
| id | path                                | crawler_id | status |
+----+-------------------------------------+------------+--------+
| 71 | http://localhost/6d/admin/help/talk |          3 |      6 |
+----+-------------------------------------+------------+--------+
1 row in set (0.00 sec)

After running the Seed section, I visited admin/content/node and found several nodes which have the testing XSS in the title, and if I view the talk page on those nodes the JS is executed.

As a test, I ran the Crawl and Seed steps and then manually added a record:

insert into crawler_links (path, crawler_id, status) values ('http://localhost/6d/node/5/talk', 2, 4);

But that didn't seem to change the detection of the problem.

Am I using the software wrong?

#1

greggles - October 30, 2008 - 23:28

I take it back - inserting the item into the database did work.

The other explanation is that the node/NID/talk paths never make it into the database, even if they already exist. So, perhaps the parser isn't able to find links in the "tabs" on a node?

 
 
