[drupal-devel] Rewriting use of forms in Drupal
Steven Wittens
steven at acko.net
Fri Jun 3 12:04:51 UTC 2005
Gerhard Killesreiter wrote:
>Hi there!
>
>What follows is a proposal I sent to Dries before the security releases
>were made. Since it hinted at the possibility of flaws in our current
>way of handling forms I didn't want to make it available for public
>viewing at that time. There are probably still errors in some forms, but
>the most serious exploits should be fixed now. Although the proposal is
>geared towards node forms, it could be easily extended for other forms.
>
>Feedback would be appreciated.
>
>
Actually, I discovered a something related issue today... it is in fact
impossible to do this in Drupal:
$node = node_load(...);
node_validate($node);
node_save($node);
The problem is that in node_validate() we assume that we only get fields
which were output in forms. Some fields, like the teaser, are by default
not output (only if you have excerpt.module). node_validate() checks if
there is a teaser provided already (assuming any teaser comes from an
external module), and if so, doesn't generate a new one.
Similar problems can exist, for example when a contributed module does
not have a single body field. After submitting the node_form(), there
would be no $node->body, but this field is present after you do a
node_load().
In node_validate we would need to unset any field which is not part of
the standard form. Your technique seems to open the door for that.
Steven Wittens
More information about the drupal-devel
mailing list