My specific problem surfaces when a user is logging into my Drupal website with a long-ish URL. Specifically, the URL is 92 characters long. After entering login information, a watchdog message is sent stating that my legacy password was edited. Watchdog then creates the location and referrer data to insert into the database. These fields are 128 characters each, causing the location field to overflow and put up warnings coming from the database module.

Normally I would just expand the field in the database or update the code to have a maximum length, but these both fall under the Drupal Core. It would be great to see one of these two options be put into Drupal Core.

Thanks!

Comments

maastrix’s picture

Yeah, the urls should have some kind of wordwrap so it can be managed how long they are allowed to be. Some designs require smaller widths than others so this should be a setting or so. It can't be changed by css because only IE provides a word-wrap or word-break option.

magico’s picture

Version: 4.7.2 » x.y.z

Checked.

bdragon’s picture

Version: x.y.z » 6.x-dev
Status: Active » Postponed (maintainer needs more info)

In HEAD, location is now a 'text' field in the db, so length should no longer be a problem.

Referrer is still 128 long though...

Is this sufficient?

fractile81’s picture

Interesting solution. A couple of points:

  • Extra-long Location and Referrer fields are probably the exception rather than the rule. Is using a TEXT type in the database going to work alright like that?
  • The Referrer field can be just as long as the Location field in my experience. Since I posted this bug, I changed my copy of the Watchdog module to cap the length of both fields before inserting into the database. In my opinion, the Referrer field should have the same fix applied to it as the Location field, whatever that fix is.

The biggest offenders on my site now are search result pages. The amount of GET data that an advanced search can put out tends to make my search-related URLs rather long. Start clicking through pages, and you can see why I had problems with the referrer as well.

After looking around, TEXT probably is the right type for the fields. I only hesitate because I'm uncertain as to the performance impact that type might have on such a heavily utilized table.

damiancugley’s picture

This is also an issue

(1) when logging in with OpenID, since OpenID involves very long URLs,

(2) when a security tester attempts a cross-site scripting attack.

One of the side effects of the error message being issued is that the name of one of the tables in the database is revealed; while this is not exactly secret (Drupal being free software), our customer feels it is a security concern.

URLs in general are officially allowed to be of arbitrary length; Internet Explorer imposes a limit of 2083 characters. So 128 characters is a fairly low limit. Either the watchdog module should clip values (if the assumption is that long URLs are not worth recording) or the database limits need changing.

bdragon’s picture

Status: Postponed (maintainer needs more info) » Closed (duplicate)
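
The clipping option raised in the comments above, as an added example that is not part of the thread or of Drupal core: both client-controlled values are cut to the 128-character column width before the insert, so the database never raises the warning that exposes the table name. The function name `clip_log_field` and the sample URLs are hypothetical; the code assumes PHP 7.2 or later with the mbstring extension.

```php
<?php
// Added example, not Drupal core code. The 128-character width comes from
// the thread; the function name and sample values are hypothetical.

/**
 * Clip a URL-like value so it fits a VARCHAR column of $maxChars characters.
 */
function clip_log_field(string $value, int $maxChars = 128): string
{
    // Referrer and request URI are client-controlled: replace invalid UTF-8
    // first so the character count below matches what the database will see.
    $value = mb_scrub($value, 'UTF-8');

    if (mb_strlen($value, 'UTF-8') <= $maxChars) {
        return $value;
    }
    $clipped = mb_substr($value, 0, $maxChars, 'UTF-8');

    // Do not leave half of a percent-encoded triplet ("%" or "%2") at the end.
    return preg_replace('/%[0-9A-Fa-f]?\z/', '', $clipped);
}

// Constructed sample inputs: a long search URL and the page that linked to it.
$location = 'http://example.com/search/node/' . str_repeat('term%20', 30) . '?page=3';
$referer  = 'http://example.com/search/node/' . str_repeat('term%20', 30) . '?page=2';

foreach (['location' => $location, 'referer' => $referer] as $name => $raw) {
    $stored = clip_log_field($raw);
    printf(
        "%-8s %3d -> %3d chars, ends with: %s\n",
        $name,
        mb_strlen($raw, 'UTF-8'),
        mb_strlen($stored, 'UTF-8'),
        substr($stored, -12)
    );
}
```

The same function is applied to both fields, matching the point made in the thread that the referrer can be just as long as the location.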