Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
It seems that AHAH callbacks such as function upload_js() do not do any error checking - a user visiting the corresponding path will see lots of ugly errors
Comment | File | Size | Author |
---|---|---|---|
#16 | check-POST-222588-7x-16.patch | 11.67 KB | Jaza |
#15 | check-POST-222588-7x-15.patch | 11.42 KB | pwolanin |
#8 | check-POST-222588-8.patch | 11.07 KB | pwolanin |
#3 | check-POST-222588-3.patch | 7.06 KB | pwolanin |
#1 | check-POST-222588-1.patch | 967 bytes | pwolanin |
Comments
Comment #1
pwolanin CreditAttribution: pwolanin commentedstarter patch for upload.module
Comment #2
keith.smith CreditAttribution: keith.smith commentedComment #3
pwolanin CreditAttribution: pwolanin commentedfunction book_form_update() looks ok, reworking upload and poll to generally match it's logic (i.e. everything in an if block)
Comment #4
cwgordon7 CreditAttribution: cwgordon7 commentedTested, seems to work fine, I got stuff printed to the screen before but nothing that bad now.
Comment #5
pwolanin CreditAttribution: pwolanin commentedone thing I'm noticing now in trying to improve the patch, we return an array in these functions like
drupal_json(array('status' => TRUE, 'data' => $output));
but if status is set to FALSE, ahah.js happily still processes this response and replaces part of the form.
Comment #6
pwolanin CreditAttribution: pwolanin commentedalso, upload.module has a code comment that drupal_json() should not be used with ahah.js, but both book and poll use drupal_json() - so either the code comment in upload is wrong, or the code in book and poll is wrong.
Comment #7
pwolanin CreditAttribution: pwolanin commentedUpload and Poll modules are including status messages in the returned markup. How does that work?
Comment #8
pwolanin CreditAttribution: pwolanin commentedok, a step towards more complete error checking and consistency, at least in the PHP part
Comment #9
yched CreditAttribution: yched commentedsubscribe
Comment #10
bdragon CreditAttribution: bdragon commentedsubscribing
Comment #11
moshe weitzman CreditAttribution: moshe weitzman commentedIs there some way we cold report back the exact error?
Comment #12
pwolanin CreditAttribution: pwolanin commented@moshe - it seem like now a couple of these would end up stuffing the raw error messages back into the form. That might be ok for deggging, but doesn't seem like the best approach for end users? Hence my intent to catch the errors before this point.
Comment #13
pwolanin CreditAttribution: pwolanin commentedpatch in #8 no longer applies to 7.x, but does apply to 6.x
Comment #14
trevorwh CreditAttribution: trevorwh commentedAlright folks...I needed to do something so that I could display drupal messages through the AHAH api.
I've created a demo..take a look and see what you think. It uses existing drupal_set_message() calls, and adds a "messages" portion to the array. If success returns false, the form remains the same.
To test, attempt to enter an affiliate code and see what happens.
https://converge.epsilonlimited.com/cart/view
Let me know your thoughts. This is for a custom module, but can be extended however people would like. I'm happy to release the code.
-Trevor White
Comment #15
pwolanin CreditAttribution: pwolanin commentedhere's a re-roll for 7.x - did basic testing of all 3 forms. I think the patch above mostly didn't apply due to changes in the use of the concat operator.
Comment #16
Jaza CreditAttribution: Jaza commented@pwolanin: at the very start of this issue, you say that the main bug you're trying to eliminate with this patch is:
The current patch does not solve this. When you type in the AHAH callback and access it directly in a browser, you still get encoded JSON output. If the page is accessed directly rather than through AHAH, it should return something other than an ugly chunk of JSON. I think the most appropriate thing to do is to print 'page not found', since conceptually the page "doesn't exist" if accessed directly.
Attached is an update of the previous patch, with the following code added at the start of the AHAH callbacks for book / poll / upload:
If the callback is reached through an asynchronous request, then $_POST will always have something. But if it's reached by the user typing in the URL directly, then $_POST is completely empty. So this seems like a reasonable check to me. $_POST should only be empty for a human visitor - for an AHAH visitor that has supplied invalid data, the JSON
'status' => FALSE
should still be outputted.Comment #17
pwolanin CreditAttribution: pwolanin commentedHmm, I'd almost rather just have an empty page. And the path exists, so I don't think we want to return a 404 - could that confuse browsers that subsequently want to use the callback?
Actually, looking at this issue more, it's not so much the ugliness of the output that I'm concerned about as potentially invalid data getting added to the cache. My feeling is that a human visitor should not see anything disclosed, but the empty JSON data is pretty innocuous.
In fact, you see something similar if you visit some of the non-AHAH callbacks like drupal.org/user/autocomplete/jaza
Comment #18
dmitrig01 CreditAttribution: dmitrig01 commentedWhat about making a custom access callback, drupal_json_access, that looks like this:
Comment #19
pwolanin CreditAttribution: pwolanin commentedI'd like to get some basic version of this in D6 - for that we should be making a minimal change to the current behavior. So, to achieve the D6 bugfix, does the current version look ok? Once that's in we can consider features for D7.
Comment #20
paul.lovvik CreditAttribution: paul.lovvik commentedI reviewed the patch under comment #15 on Drupal 7, and didn't see any problems with it. With the patch the message that results from entering a url like http://localhost/drupal/poll/js is a user friendly message rather than json. Not sure how critical this is, but the user experience is clearly much better with the patch.
I ran all of the tests for Drupal 7, and this patch is not causing test failures.
Comment #21
paul.lovvik CreditAttribution: paul.lovvik commentedComment #22
catchStill applies, no tests harmed.
Comment #23
Heine CreditAttribution: Heine commentedThe changes to D6 need to get in.
Comment #24
Freso CreditAttribution: Freso commentedHow do changes to D6 affect a patch for D7's status?
That being said, the patch from #16 doesn't seem to apply.
Comment #25
Freso CreditAttribution: Freso commentedAlso, we'll want a test to make sure raw JSON isn't re-introduced on the callback pages.