Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
For now ctools_context_entity_convert() don't use sanitize option with token_generate().
token_generate() add the sanitize option to TRUE as default value.
Some modules (ex: panel_breadcrumb) use the token's values directly in the l() function where values are sanitized again.
So string like : L'Apostrophe
show as : L'Apostrophe
Comment | File | Size | Author |
---|---|---|---|
#16 | 1334020_ctools_sanitize_bugfix.patch | 2.92 KB | bennetteson |
#9 | 1334020_ctools_sanitize_bugfix.patch | 2.96 KB | bennetteson |
#4 | 1334020_ctools_sanitize_bugfix.patch | 3.25 KB | bennetteson |
ctools_sanitize_bugfix.patch | 3.42 KB | bennetteson |
Comments
Comment #1
Damien Tournoud CreditAttribution: Damien Tournoud commentedSo, the problem here is that it's very unclear what the result of ctools_context_keyword_substitute() is: an HTML string or plaintext?
In the current situation, ctools_context_entity_convert() calls token_generate() without 'sanitize' => FALSE, which means that the result is going to be returned as an HTML string, and then potentially double encoded when used in a title or in the breadcrumb links generated by panels_breadcrumb.
In the patch attached in the original post, @bennetteson suggests that
ctools_context_keyword_substitute()
should return a plain-text string by default, but supports an option that allow the caller to decide it wants to process the string as plaintext.Could we get a review on the principle of this patch?
Comment #2
merlinofchaos CreditAttribution: merlinofchaos commentedOk, the principle of the patch is okay.
We have to be very careful in checking all uses of this function to see if there is a potential security issue, which is going to be somewhat time consuming, but luckily I think it is not actually called in that many places so it hopefully will not be a big deal. And I believe most of the places we are seeing this we will see it already sanitized. The idea is that anything that can have a token in it is user input, and therefore MUST be sanitized after the token replacement. This is perfectly valid behavior and I think is the correct behavior.
In a minor nit, this patch unnecessarily removes whitespace that I prefer. I tend to add a lot of extra CRs between code blocks in order to facilitate readability.
Comment #3
merlinofchaos CreditAttribution: merlinofchaos commentedComment #4
bennetteson CreditAttribution: bennetteson commentedResend the patch without removing the whitespaces.
For the security issue I thinks you're write but this patch don't change the current behavior of the tokken engine. All input will be sanitized unless you give the option you're self to not do the sanitize at your own risk.
This is useful sometime to have the original string without sanitization and in fact I have to get this work like that.
Remember this patch dosen't had a security issue but give a way to add a security issue but the security issue will be in other module than your.
Comment #5
Damien Tournoud CreditAttribution: Damien Tournoud commentedActually, I now realize this is not the proper approach.
The token system in Drupal 7 does *not* support returning plaintext tokens. It only support two things:
'sanitize' = TRUE
)'sanitize' = FALSE
), which is *not* plaintext but rather "whatever form the source thing is stored in")Which means that if you want plaintext, you don't have any other solution then calling
token_replace()
with'sanitize' = TRUE
and you need to convert the resulting HTML to plaintext yourself (whether usingdrupal_html_to_text()
orstrip_tags(decode_entities($text))
).Comment #6
bennetteson CreditAttribution: bennetteson commentedYes and I don't want to get plain text bug only get a tokens replacement option to
array('sanitize' => FALSE)
to get the raw tokens.Comment #7
LCG CreditAttribution: LCG commentedHello,
using the "Menu Token" module, i have the same problem with my user menu.
This menu is something like : "Hello Bob El'roy".
Could this patch do something for me or must I look in another way?
Thanks.
Comment #8
bennetteson CreditAttribution: bennetteson commented@LCG Not directly. This patch only add a the ability to a module to add some options to ctools_context_entity_convert().
Comment #9
bennetteson CreditAttribution: bennetteson commentedOK, my bad...
Now I got it !
See the new patch.
Comment #10
bennetteson CreditAttribution: bennetteson commented@LCG With the good patch you still need to patch again, see my exemple with panel_breadcrumbs http://pastebin.com/4VypnP04
Comment #11
LCG CreditAttribution: LCG commentedI'm not sure to understand.
After aplying the patch in #9 to ctools, I still need to find a patch for Menu Token?
Comment #12
bennetteson CreditAttribution: bennetteson commented@LCG No you can't. "Menu Token" use
token_replace_multiple
noctools_context_keyword_substitute
.Comment #13
merlinofchaos CreditAttribution: merlinofchaos commentedI actually need this patch for other reasons, but Damien is right. Just using 'sanitize' => FALSE is not necessarily what you want. Interesting.
The $options addition is unnecessary there because token_generate already has that exact same line. So it is completely redundant in every case unless token_generate changes its default in the future, which it would never do because of the security implications.
Otherwise I think I am going to use this, as it is valuable.
Committed and pushed with the change I made above.
Comment #14
bennetteson CreditAttribution: bennetteson commented@merlinofchaos my last patch #9 as exactly the same code.
Now I use $options += array('sanitize' => TRUE); so by default this patch still use the legacy behavior. No more security risk added in this module.
Comment #15
merlinofchaos CreditAttribution: merlinofchaos commentedNo no. What I was saying was that the $options += array('sanitize' => TRUE) is unnecessary -- token_generate has that exact line of code. So omitting the line is the exact same result.
Comment #16
bennetteson CreditAttribution: bennetteson commentedOk you're right, I just see that.
So here the good patch.
Comment #17
merlinofchaos CreditAttribution: merlinofchaos commentedIs this what I committed?
http://drupalcode.org/project/ctools.git/commit/e33eb1da18f81ae275eeb6ce...
Comment #18
bennetteson CreditAttribution: bennetteson commentedlooks good for me
Comment #19
merlinofchaos CreditAttribution: merlinofchaos commentedComment #20.0
(not verified) CreditAttribution: commented' show as '