[development] Geo-IP Modifications to 'watchdog' and 'statistics' modules

Gary (Lists) listout at accidentaltechie.org
Tue Apr 18 17:47:20 UTC 2006


"Dries Buytaert" wrote:

> 
>>> The screenshots look nice but the code looks a little dangerous as
>>> you're not
>>> validating the input.  Hackers can inject XSS attacks.
>> 
>> I'm not sure who the hackers would be, since this is on the admin
>> side of
>> things, and my script only operates on the hostname that is already
>> in the
>> SQL db.
> 
> If the server you 'curl' sends back malicious Javascript, they could hijack
> your session and take over your website.

Okay, this I get.  The returned result point, that is.  (Perhaps if
'hostip.info' wants my web site, they can have it. ;)

Where should I look for a similar "wiper" for the return?


>> Yeah. This script, in the admin pages, only acts on whatever data
>> is in the
>> watchdog 'hostname' field, which is an IP address placed there by
>> other
>> parts of Drupal (as you know. ;)
> 
> MySQL tables in Drupal contain insecure data, including the watchdog and
> statistics tables.  Drupal cleans up the data "on output" (just before sending
> the data to the client).  Your code does not clean up the data, whereas the
> original code did.

Perhaps I'm not following you (and I'd like to), so this is not
argumentative, rather it is educational.

I just reviewed 'watchdog' again, and I don't see any clean-up.

The original watchdog code says:

#
$output .= ' <tr><th>'. t('Hostname') ."</th><td>$watchdog->hostname</td></tr>";
#


I use the same value, in a different place.  This _is_ the "on output"
value, so whatever Drupal gives me (in /admin/) already, that's exactly what
I re-display.

Now, I do notice that 'watchdog' and 'statistics' do redundant work, but
whereas the 'watchdog' module just outputs

    $watchdog->hostname

the 'statistics' module outputs

    check_plain($access->hostname)


(Which is the same value, different variable names.)

This is true for the repeated identical table in both modules...statistics
module wraps the output in another function, watchdog does not.


Any tips on the 'curl' cleaning, I can use.

Otherwise, with the display of the IP address stored by Drupal, I just
repeat whatever 'watchdog' already uses, and that meets my needs.

--
Gary

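Added example (not part of the thread, and not Drupal's own module code): a stand-alone PHP script that renders the watchdog hostname row the two ways the message contrasts (raw, and wrapped in check_plain), checks that the stored value really is an IP address, and shows one way to clean a country string fetched from an external geo-IP service before displaying it. The helpers render_hostname_raw, render_hostname_safe, valid_ip and clean_geoip_response are hypothetical names chosen here; the check_plain stub only stands in for Drupal's function so the script runs outside Drupal (it escapes HTML special characters, which is what check_plain does), and all sample rows and responses are constructed, with no network call made. It assumes PHP 5.2 or later for filter_var.

```php
<?php
// Added example, not code from the mailing-list thread or from Drupal.

// Stand-in for Drupal's check_plain(): escape HTML special characters so a
// stored value is shown as text rather than interpreted as markup. Inside
// Drupal the real function is defined and this stub is skipped.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Row rendered the way the quoted watchdog line does: value inserted as-is.
function render_hostname_raw($hostname) {
  return '<tr><th>Hostname</th><td>' . $hostname . '</td></tr>';
}

// Same row rendered the way the statistics module does: escaped on output.
function render_hostname_safe($hostname) {
  return '<tr><th>Hostname</th><td>' . check_plain($hostname) . '</td></tr>';
}

// The hostname field is expected to hold an IP address; reject anything else
// before it is used for a lookup or displayed (hypothetical helper).
function valid_ip($hostname) {
  return filter_var($hostname, FILTER_VALIDATE_IP) !== FALSE;
}

// Clean a country name returned by an external lookup (hypothetical helper):
// the response is untrusted input, so it is length-limited, restricted to a
// small set of expected characters, and escaped before it reaches the page.
function clean_geoip_response($body) {
  $body = trim($body);
  if (strlen($body) > 64 || !preg_match('/^[A-Za-z .\'\-()]+$/', $body)) {
    return 'unknown';
  }
  return check_plain($body);
}

// Constructed sample data: one legitimate row and one row whose "hostname"
// contains markup, plus a constructed external response of each kind.
$rows = array('203.0.113.9', '<i>not an address</i>');
$responses = array('United States', '<b>not a country</b>');

foreach ($rows as $hostname) {
  echo 'raw:  ' . render_hostname_raw($hostname) . "\n";
  echo 'safe: ' . render_hostname_safe($hostname) . "\n";
  echo 'ip?:  ' . (valid_ip($hostname) ? 'yes' : 'no') . "\n";
}
foreach ($responses as $body) {
  echo 'geo:  ' . clean_geoip_response($body) . "\n";
}
```

Run with `php example.php`: the raw row echoes the markup back into the page, the safe row shows it as literal text, the second "hostname" fails the IP check, and the second response is replaced by 'unknown' rather than rendered. The same pattern (validate the IP before the lookup, treat the service's reply as untrusted, escape on output) covers both places where the thread worried about injected content.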

