[drupal-devel] [bug] too much information stored during a profile edit

fago drupal-devel at drupal.org
Sat May 7 00:08:22 UTC 2005


Issue status update for http://drupal.org/node/21515

 Project:      Drupal
 Version:      4.6.0
 Component:    user.module
 Category:     bug reports
 Priority:     minor
 Assigned to:  Anonymous
 Reported by:  fago
 Updated by:   fago
 Status:       patch
 Attachment:   http://drupal.org/files/issues/saveform_0.patch (4.52 KB)

Unfortunately I noticed some mistakes in the previous patch.
(module_invoke doesn't reference $edit, but then I patched
profile.module to use the saveform hook for saving.)


I've attached a new patch.




fago



Previous comments:
------------------------------------------------------------------------

April 28, 2005 - 17:07 : fago

As I already mentioned in this post [1] some time ago,
arbitrary data can be stored in the serialized data field of the user
table.


Example:
go to my account, save the page locally, edit it to send the "post" data
to the website and edit a form name to edit[somethingnew] and press
save
-> $somethingnew will be saved serialized in the data field


I think the fault is in user_edit (on line 1145) where user_save() is
called without checking $edit completely.


However, I've felt like that's known and tolerated, so I did the (a
little bit misunderstood) post above first.
But I think it's not acceptable to save just everything that is
coming in with the form data... what if a bad guy saves 1GB of
nonsense in my database? Furthermore it will be loaded into memory
every time user_save is called - seems to me to be a nice possibility for
a DOS.
[1] http://drupal.org/node/17744




------------------------------------------------------------------------

April 28, 2005 - 19:13 : moshe weitzman

I think Apache/PHP have limits on how much can be posted. If you are
worried, perhaps use those settings.




------------------------------------------------------------------------

April 28, 2005 - 20:53 : fago

Yes, but then it's still possible to inject data in little pieces by
using a new name every time.
Further, you can't limit the size too much, because file uploading
should also work.




------------------------------------------------------------------------

May 1, 2005 - 21:30 : fago

Attachment: http://drupal.org/files/issues/saveform.patch (4.38 KB)

I've written a patch so that $edit is checked before.


Unfortunately I couldn't see a better method than introducing a new
hook type for hook_user, 'saveform', for which each module has to return
an array of values which it wants to be saved. As an effect, some
modules have to be changed to work correctly after applying this patch
:(


My patch (for the 4.6 branch) includes the changes for profile.module
and contact.module and for the user.module of course.
What do you think about this?


I think something like this is necessary.
Consider a module which introduces profile fields which can only be
edited by administrative users.
And yes, of course, I don't like it if users are able to fill up their
user object with additional variables ;)
