This is my first issue report, so please bear with me if I'm not following proper procedures.
I didn't read the fine print and notice that capital letters were not acceptable in the "Date Field Name" field and called my field "Event". Which worked fine for a while until I decided to edit my "Event" content type, which *did* check if I had capital letters, and forced me to change it to small letters. So now the calendar created by the Date Tools wizard doesn't allow me to add (I'm sure this is a simple fix, I just haven't dug into it yet).
So it says under the field:
Machine-readable name. Allowed values: (a-z, 0-9, _) Must not be an existing field name.
And I see here in /date_tools/date_tools.module where it checks to see if the field exists but not if the field contains the allowed values.
Line 300:
```php
function date_tools_wizard_form_validate(&$form, &$form_state) {
  $type_name = $form_state['values']['type_name'];
  $field_name = 'field_'. $form_state['values']['field_name'];
  if (db_result(db_query("SELECT type FROM {node_type} WHERE type='%s'", $type_name))) {
    drupal_set_message(t('This content type name already exists, adding new field to existing content type.'));
  }
  // Only an existence check: nothing here verifies the characters in $field_name.
  if (db_result(db_query("SELECT field_name FROM {content_node_field_instance} WHERE field_name='%s' AND type_name='%s'", $field_name, $type_name))) {
    form_set_error('field_name', t('This field name already exists.'));
  }
  if (!date_has_time($form_state['values']['granularity']) && $form_state['values']['tz_handling'] != 'none') {
    form_set_error('tz_handling', t('Timezone handling must be none for granularity without time.'));
  }
}
```
I dug around in the cck module and found this function in cck/includes/content.admin.inc that should probably handle validation of this field:
line 358:
```php
/**
 * Helper function for content_field_overview_form_validate.
 *
 * Validate the 'add new field' row.
 */
function _content_field_overview_form_validate_add_new($form, &$form_state) {
  $field = $form_state['values']['_add_new_field'];
  // Validate if any information was provided in the 'add new field' row.
  if (array_filter(array($field['label'], $field['field_name'], $field['type'], $field['widget_type']))) {
    // No label.
    if (!$field['label']) {
      form_set_error('_add_new_field][label', t('Add new field: you need to provide a label.'));
    }
    // No field name.
    if (!$field['field_name']) {
      form_set_error('_add_new_field][field_name', t('Add new field: you need to provide a field name.'));
    }
    // Field name validation.
    else {
      $field_name = $field['field_name'];
      // Add the 'field_' prefix.
      if (substr($field_name, 0, 6) != 'field_') {
        $field_name = 'field_'. $field_name;
        form_set_value($form['_add_new_field']['field_name'], $field_name, $form_state);
      }
      // Invalid field name.
      if (!preg_match('!^field_[a-z0-9_]+$!', $field_name)) {
        form_set_error('_add_new_field][field_name', t('Add new field: the field name %field_name is invalid. The name must include only lowercase unaccentuated letters, numbers, and underscores.', array('%field_name' => $field_name)));
      }
      if (strlen($field_name) > 32) {
        form_set_error('_add_new_field][field_name', t('Add new field: the field name %field_name is too long. The name is limited to 32 characters, including the \'field_\' prefix.', array('%field_name' => $field_name)));
      }
      // A field named 'field_instance' would cause a tablename clash with {content_field_instance}
      if ($field_name == 'field_instance') {
        form_set_error('_add_new_field][field_name', t("Add new field: the name 'field_instance' is a reserved name."));
      }
      // Field name already exists.
      // We need to check inactive fields as well, so we can't use content_fields().
      module_load_include('inc', 'content', 'includes/content.crud');
      $fields = content_field_instance_read(array(), TRUE);
      $used = FALSE;
      foreach ($fields as $existing_field) {
        $used |= ($existing_field['field_name'] == $field_name);
      }
      if ($used) {
        form_set_error('_add_new_field][field_name', t('Add new field: the field name %field_name already exists.', array('%field_name' => $field_name)));
      }
    }
    // No field type.
    if (!$field['type']) {
      form_set_error('_add_new_field][type', t('Add new field: you need to select a field type.'));
    }
    // No widget type.
    if (!$field['widget_type']) {
      form_set_error('_add_new_field][widget_type', t('Add new field: you need to select a widget.'));
    }
    // Wrong widget type.
    elseif ($field['type']) {
      $widget_types = content_widget_type_options($field['type']);
      if (!isset($widget_types[$field['widget_type']])) {
        form_set_error('_add_new_field][widget_type', t('Add new field: invalid widget.'));
      }
    }
  }
}
```
I tried entering some oddball values like "This is a Test" and got some sql errors like this:
* user warning: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'is a Test ( `vid` INT unsigned NOT NULL DEFAULT 0, `nid` INT unsigned NOT NULL ' at line 1 query: CREATE TABLE content_type_This is a Test ( `vid` INT unsigned NOT NULL DEFAULT 0, `nid` INT unsigned NOT NULL DEFAULT 0, PRIMARY KEY (vid), INDEX nid (nid) ) /*!40100 DEFAULT CHARACTER SET UTF8 */ in /home/eatpdx/public_html/includes/database.inc on line 515.
* Change the calendar as needed and save the view.
Which I suppose allows for a SQL injection attack, though it's probably unlikely that that interface would be publicly exposed.
I'm using PHP 5.2, btw.
Thanks!
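One way the wizard's validate handler could apply the same machine-name rules CCK uses, shown here as an added example rather than the Date Tools module's own patch. It assumes the Drupal 6 form keys from the snippet above ('type_name', 'field_name', 'granularity', 'tz_handling') and validates the content type name as well as the field name, since the error output above shows `content_type_<type>` being built from the type name.

```php
<?php
/**
 * Returns an error string for an invalid machine name, or FALSE if it is valid.
 * Same allow-list as CCK: lowercase letters, digits and underscores, with a
 * length cap (both {node_type}.type and CCK field names are limited to 32).
 */
function _date_tools_machine_name_error($name, $max_length) {
  if (!preg_match('!^[a-z0-9_]+$!', $name)) {
    return t('%name must contain only lowercase letters, numbers, and underscores.', array('%name' => $name));
  }
  if (strlen($name) > $max_length) {
    return t('%name is longer than @max characters.', array('%name' => $name, '@max' => $max_length));
  }
  return FALSE;
}

/**
 * Hardened validate handler (hypothetical replacement for the original).
 */
function date_tools_wizard_form_validate(&$form, &$form_state) {
  $type_name  = $form_state['values']['type_name'];
  $field_name = 'field_' . $form_state['values']['field_name'];

  // The '%s' placeholders in the SELECTs below are fine, but the names are
  // later spliced into CREATE TABLE content_type_<type> / content_field_<name>
  // as identifiers, which placeholders cannot quote. Reject anything outside
  // the allow-list before any of that runs.
  if ($error = _date_tools_machine_name_error($type_name, 32)) {
    form_set_error('type_name', t('Content type name: !error', array('!error' => $error)));
  }
  if ($error = _date_tools_machine_name_error($field_name, 32)) {
    form_set_error('field_name', t('Field name: !error', array('!error' => $error)));
  }
  // CCK reserves this name because it would clash with {content_field_instance}.
  if ($field_name == 'field_instance') {
    form_set_error('field_name', t("The name 'field_instance' is reserved."));
  }
  if (form_get_errors()) {
    // Do not query the database with names that failed validation.
    return;
  }

  if (db_result(db_query("SELECT type FROM {node_type} WHERE type='%s'", $type_name))) {
    drupal_set_message(t('This content type name already exists, adding new field to existing content type.'));
  }
  if (db_result(db_query("SELECT field_name FROM {content_node_field_instance} WHERE field_name='%s' AND type_name='%s'", $field_name, $type_name))) {
    form_set_error('field_name', t('This field name already exists.'));
  }
  if (!date_has_time($form_state['values']['granularity']) && $form_state['values']['tz_handling'] != 'none') {
    form_set_error('tz_handling', t('Timezone handling must be none for granularity without time.'));
  }
}
```

With this in place, a value like "This is a Test" is rejected at the form stage, so the wizard never reaches the CREATE TABLE statement that produced the SQL error above.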
Comments
Comment #1
arlinsandbulte commented: This may have been fixed with the latest security release:
http://drupal.org/node/1401434
Please, re-confirm this issue.
Thanks.
Comment #2
arlinsandbulte commented: No followup after a few months of sitting at "postponed (maintainer needs more info)".