Hello all, I have made this little patch to enable fixable dynamic calls for arg().

All you have to do is fill the input box with "arg(n)", mixed with any string and integer.

Please give me feedback.

Comment | File | Size | Author
--- | --- | --- | ---
#4 | arg-urls-0.2.diff | 1.13 KB | 3emad
 | arg-urls.diff | 1.6 KB | 3emad

Comments

pasqualle’s picture

The problem with this patch is that you are allowing almost any PHP code to be written into the Views argument field, which might be a security risk.

3emad’s picture

The arguments should be passed through the configuration for Quick Tabs.
The admin decides which variables are passed.
Let's say the admin puts "arg(0),awsome" and it is given the value.

We will have an array with two argument strings. If the "(" exists in any value of the array, it will be evaled as PHP code, which is nonetheless given by the Quick Tabs configuration.

BRIEFLY:
The arg() functions are secured, because I'm evaling the string passed from the configuration of arguments in Quick Tabs, so it's up to the super-admin himself to kill his own website :P

pasqualle’s picture

Maybe it is the super-admin on your site, but it can be a simple user with the 'administer blocks' permission on other sites,
who just writes a simple view argument like:

0;db_query('UPDATE users SET pass = MD5("x") WHERE uid = 1')

and you know what comes next..

It would be better without the eval(). Check how the %X arguments are replaced in the 6.x-2.x version..

3emad’s picture

Status | File | Size
--- | --- | ---
new | arg-urls-0.2.diff | 1.13 KB

You totally have a point there, Pasqualle, so I have done the following:

removed eval() and implemented a stricter way to call the numbered arguments, using a prefix of "%" along with the number.
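The safer "%N" placeholder scheme that this comment and comment #3 describe, as an added PHP example that is not the patch attached to this issue and not Quick Tabs code: the function names, the `$path_args` parameter (standing in for what Drupal's `arg()` returns) and the whitelist pattern are assumptions made for a self-contained demo. The point is that a placeholder is looked up in a fixed array, so nothing the block admin types is ever passed to `eval()`.

```php
<?php
// Added example, not the patch from this thread. Resolves Quick Tabs-style
// view arguments such as "%0,awesome" without eval(). $path_args is assumed
// to hold the request path components (what arg(0), arg(1), ... would return).

/**
 * Expand a comma-separated argument string against the current path.
 *
 * "%N" (percent sign followed by digits) is replaced by $path_args[N];
 * every other piece is passed through unchanged as a literal string.
 *
 * @param string $config     Argument list typed into the block configuration.
 * @param array  $path_args  Path components, indexed from 0.
 * @return array             Resolved arguments, always plain strings.
 */
function quicktabs_demo_resolve_args($config, array $path_args) {
  $resolved = array();
  foreach (explode(',', $config) as $piece) {
    $piece = trim($piece);
    if ($piece === '') {
      continue;
    }
    if (preg_match('/^%(\d+)$/', $piece, $m)) {
      // A placeholder is an array lookup, never code. Missing index -> ''.
      $index = (int) $m[1];
      $resolved[] = isset($path_args[$index]) ? (string) $path_args[$index] : '';
    }
    else {
      // Anything else is kept as literal text, exactly as typed.
      $resolved[] = $piece;
    }
  }
  return $resolved;
}

/**
 * Validation to run when the block configuration is saved (assumed hook point).
 * Accepts only "%N" placeholders and plain alphanumeric literals, so a string
 * that is only meaningful as PHP code is rejected before it is stored.
 */
function quicktabs_demo_config_is_clean($config) {
  foreach (explode(',', $config) as $piece) {
    if (!preg_match('/^\s*(%\d+|[A-Za-z0-9_.-]+)\s*$/', $piece)) {
      return FALSE;
    }
  }
  return TRUE;
}

// Constructed sample request path: node/42/edit, so %0 = 'node', %1 = '42'.
$sample_path = array('node', '42', 'edit');

var_dump(quicktabs_demo_config_is_clean('%0,awesome,%1'));         // bool(true)
var_dump(quicktabs_demo_resolve_args('%0,awesome,%1', $sample_path));
// array('node', 'awesome', '42')

// The argument from comment #3 is refused by the validator; even if it
// reached the resolver it would only ever be returned as a literal string.
$hostile = "0;db_query('UPDATE users SET pass = MD5(\"x\") WHERE uid = 1')";
var_dump(quicktabs_demo_config_is_clean($hostile));                // bool(false)
var_dump(quicktabs_demo_resolve_args($hostile, $sample_path));
// array("0;db_query('UPDATE users SET pass = MD5(\"x\") WHERE uid = 1')")
```

The two layers are deliberate: the resolver is safe on its own because placeholders are resolved by array index rather than by evaluating text, and the validator additionally keeps anything that is not a placeholder or a simple literal out of the saved configuration, which matters because, as comment #3 notes, the person editing the block is often not the site's super-admin.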

3emad’s picture

Status: Needs review » Reviewed & tested by the community

I guess we can call it a ported patch?

3emad’s picture

Category: support » task
Status: Reviewed & tested by the community » Patch (to be ported)
pasqualle’s picture

Status: Patch (to be ported) » Needs review

I need to review this, as this is not a direct backport from 6.x-2.x, and I remember there were some real problems with the implementation of argument handling..

pasqualle’s picture

Status: Needs review » Closed (fixed)

Drupal 5 version of the Quick Tabs module is no longer supported. Closing.
If you have this same problem with later versions, feel free to reopen this issue.

pasqualle’s picture

Status: Closed (fixed) » Closed (won't fix)