Closed (duplicate)
Project:
Drupal.org security advisory coverage applications
Component:
module
Priority:
Normal
Category:
Task
Assigned:
Unassigned
Issue tags:
Reporter:
Created:
3 Jan 2017 at 06:39 UTC
Updated:
5 Aug 2018 at 21:33 UTC
Jump to comment: Most recent, Most recent file
Comments
Comment #2
visabhishek commentedComment #3
visabhishek commented1: Found menu callback with 'access callback' => TRUE for all defined menu hooks. Give proper permission for menu callbacks in hook_menu()
2: XSS Issue : If I enter
<script>alert('XSS');</script>in comment and subject, its getting executed.You need to sanitize data before printing. For more information about sanitizing, please read https://www.drupal.org/node/28984.
3: Please remove used variable under hook_uninstall();
example :
variable_get('get_vocab', '');Comment #4
satyam upadhyay commentedHi visabhishek,
Thanks for your review on this issue, all the 3 points have been fixed
Comment #5
satyam upadhyay commentedComment #6
satyam upadhyay commentedComment #7
PA robot commentedWe are currently quite busy with all the project applications and we prefer projects with a review bonus. Please help reviewing and put yourself on the high priority list, then we will take a look at your project right away :-)
Also, you should get your friends, colleagues or other community members involved to review this application. Let them go through the review checklist and post a comment that sets this issue to "needs work" (they found some problems with the project) or "reviewed & tested by the community" (they found no major flaws).
I'm a robot and this is an automated message from Project Applications Scraper.
Comment #8
satyam upadhyay commentedComment #9
satyam upadhyay commentedComment #10
klausiRemoving one item from the issue summary which is not an actual review.
Comment #11
klausiThe Git commits are not connected to your user account. You need to specify an email address. See https://www.drupal.org/node/1022156 and https://www.drupal.org/node/1051722
manual review:
Removing review bonus tag, you can add it again if you have done another 3 reviews of other projects.
Comment #12
satyam upadhyay commentedHi klausi,
Thank you for your time on reviewing my module very carefully.
For this point Path /taxonomy_comment/%/delete only authenticated user can delete the comment but only their own comment not any other user comment you can see this http://www.screencast.com/t/07dVzp1Ri
Note: Still working to fix other points.
Regards
Satyam
Comment #13
satyam upadhyay commentedComment #14
satyam upadhyay commentedComment #15
satyam upadhyay commentedComment #16
satyam upadhyay commentedHi klausi,
Above Points have been fixed.
Regards
Satyam
Comment #17
satyam upadhyay commentedComment #18
satyam upadhyay commentedComment #19
satyam upadhyay commentedComment #20
satyam upadhyay commentedComment #21
satyam upadhyay commentedComment #22
satyam upadhyay commentedComment #23
satyam upadhyay commentedHi,
I have done another manual review on 5 more projects, so i am going to add the Issue tags: as
PAReview: review bonus and updated the priority as Major
Regards
Satyam
Comment #24
klausiplease don't remove the security tag, we keep that for statistics and to show examples of security problems.
Comment #25
satyam upadhyay commentedHi Klausi,
I am sorry for removing the security tag. I was not aware that this tag is for statistics and to show examples of security problems.
Thank you for adding this tag also to the Issue tags of this project.
Regards
Satyam
Comment #26
satyam upadhyay commentedComment #27
rajveergangwarBelow are my reviews :
[+] Dont use camel case variables.
[+] I am getting error attached the file https://www.drupal.org/files/issues/error_236.png
Comment #28
satyam upadhyay commentedHi rajveergang,
Thank you for review this project,
As per your suggestion all the variables has been converted to lower case and the error message that you found has been fixed now.
Regards
Satyam
Comment #29
klausiRemoved some automated reviews from the issue summary.
Comment #30
klausimanual review:
why is the menu tab on admin/structure/taxonomy called "taxonomy select"? Shouldn't it be "taxonomy comments" or similar?
The comment deletion security vulnerability still exists. Attack scenario:
1. grant the "Add/show comments" and "Delete Own comment" permission to the authenticated user role
2. Add a victim user account
3. Log in as victim user and create a comment on a taxonomy term. Copy the link the delete the comment (but do not delete the term).
4. Add an attacker user account.
5. Log in as attacker.
6. Paste the copied term deletion link into your browser URL bar. You are able to delete the comment of another user, which is an access bypass security vulnerability.
Comment #31
satyam upadhyay commentedHi klausi,
Thank You for reviewing this project again, as per your suggestion all the points have been fixed, kindly review them.
1. Now the menu tab for admin/structure/taxonomy has been updated to "Taxonomy Comments Vocabulary".
2. "Add/show comments" and "Delete Own comment" permission has been granted to authenticated role also.
3. As per your suggestion for points (2,3,4,5,6) The comment deletion security vulnerability has been fix.
Regards
Satyam
Comment #32
klausimanual review:
Comment #33
satyam upadhyay commented@klausi
Thank you again for giving your valuable time to this project , and i am sorry for my delayed update on this.
Above points have been fixed.
Regards
Satyam
Comment #34
ishwar commentedHi @Satyam Upadhyay
Below are my manual review:
1. Line no 209 and 214 its good practice to use l() function for create link.
2. Do not write query on tpl file use variable and pass in
theme()function (taxonomy-comments-tpl)3. In taxomony-comments-tpl file use
taxonomy_comment_userload()function you have already written in inc file instead ofuser_load()because you have to get only user name.4. Add
hook_help()in your module file.Comment #35
klausiThanks for the review @ishwar! Yep, template files must not contain database queries. Data that is required in templates should be prepared beforehand and passed down as variable in hook_theme() or it should be prepared in theme preprocess functions.
Comment #36
satyam upadhyay commentedHi,
@ishwar thanks for doing your manual review on this project and @klausi thank you for giving your valuable time to this project
database query and user_load function is now removed from template file and hook_help is added to the module file
Regards
Satyam
Comment #37
puspanjalim commentedHi @Satyam
Nice extension. Very well, i see your module's file and reviewed by installing on latest D7 version.
One issue I found
when I write comment in comment box and save it, some html tags generated automatically and are not converted properly.
Refer to the attached screenshot.
Comment #38
satyam upadhyay commentedHi puspanjalim,
Thanks for review this project, html tags issue has been fix now and you were forgotten to change the status when you were doing your comments for this project.
Comment #39
klausimanual review:
t('<h2>Select Vocabulary</h2>'): HTML tags should be outside of t() where possible.Comment #40
satyam upadhyay commented@klausi,
Thank You for your review on this project, above points are fix as follows:
1 and 2: hard code user role has been fixed.
3. access check and user roles load are now removed from tpl file but one check i have added that is, to check if user is logged in and (comment_id = $user->uid) then print edit or delete link to tpl file in respect of their comments.
4. fixed.
5. No access check is using while inserting comment's body data
6. fixed.
Regards
Satyam
Comment #41
klausimanual review:
"user_access('administrator')": it looks like you have not understood the Drupal permission system. You need to pass a permission name to user_access(), not a role name. Please read up on Drupal roles and permissions and test your code before you set this back to "needs review" next time.
Comment #42
deepanker_bhalla commentedHi Satyam Upadhyay,
Your module is working fine but I want to ask you as it looks like an error to me.
When I am commenting a taxonomy term, then under "admin/content/taxonomy-comment" the comment is showing more than 1500 times on that page.
Ex: i commented Test. => it is showing more than 1500 in the lists.
Kindly look into this.
Comment #43
satyam upadhyay commented@deepanker_bhalla
Can you show me the screenshot for this kind of error, i never faced this error
Regards
Satyam
Comment #44
deepanker_bhalla commentedHi Satyam Upadhyay,
I have uploaded the screenshot. Kindly refer to it.
This comment is coming from 1st page to 15th page(i.e. approx 739 posts)
Comment #45
jeetendrakumar commented@Satyam Upadhyay
This issue comes when we edit any term and try to add comment.
Suggestion:
1. Remove comment section from edit term page.
2. Add
dependencies[] = taxonomyin .info file.Comment #46
satyam upadhyay commented@klausi,
Thank you for your valuable time for this project, and as per your instruction user_access for permission name has been fixed, kindly have your review on this is project.
@deepanker_bhalla, thanks for your review, this issue has been fixed.
@jeetendrakumar, thanks for your suggestion and review on this project and i think there is no need to add dependency with taxonomy.
Regards
Satyam
Comment #47
khurrami commentedHi,
in your .module file please check your hook & non hook functions these exceed 80 character limit
https://www.drupal.org/docs/develop/standards/coding-standards#linelength
for example in
function taxonomy_comment_help($path, $arg) {}
$output = t('This module helps to create commenting on the taxonomy terms as per your selected vocabulary.');
thanks
Comment #48
deepanker_bhalla commentedHi,
Working fine for me now. Great work.
Comment #49
klausimanual review:
The t() usage and sanitizing on DB writing operations are blockers right now.
Comment #50
satyam upadhyay commented@klausi,
Thank you for your valuable time to this project, and as per your instructions above all the points have been fixed, kindly have your review on this is project.
Regards
Satyam
Comment #51
klausimanual review:
<script>alert('XSS');</script>as comment text this gets printed unsanitized here. You need to apply the proper text format here.When you submit this for review next time please make sure that all potential XSS vulnerabilities are covered.
Comment #52
satyam upadhyay commented@klausi,
Sorry for my delayed reply, actually i was on a long leave
Thank you for your valuable time to this project, and as per your instructions above all the points have been fixed, kindly have your review on this is project.
Regards
Satyam
Comment #53
satyam upadhyay commented@klausi,
Kindly Review this project.
Regards
Satyam
Comment #54
PA robot commentedGit clone failed for https://git.drupal.org/sandbox/SatyamUpadhyay/2839137.git while invoking http://pareview.sh/pareview/httpsgitdrupalorgsandboxSatyamUpadhyay283913...
I'm a robot and this is an automated message from Project Applications Scraper.
Comment #55
sharma.amitt16 commentedUnable to clone the code due to repository not found error.
Comment #56
ishwar commentedHi Satyam ,
Please mention project GIT URL instead of sandbox GIT url.
Because we unable to clone.
Thanks
Ishwar
Comment #57
satyam upadhyay commentedComment #58
satyam upadhyay commentedComment #59
satyam upadhyay commentedHi,
@ishwar i have mentioned my project's GIT url, now it's available to take clone.
Thanks
Satyam
Comment #60
satyam upadhyay commented@klausi,
Hope all the blockers are fixed for this project, kindly have your review on this and fix this.
Regards
Satyam
Comment #61
PA robot commentedProject 1: https://www.drupal.org/node/2884065
Project 2: https://www.drupal.org/node/2840555
As successful completion of the project application process results in the applicant being granted the 'Create Full Projects' permission, there is no need to take multiple applications through the process. Once the first application has been successfully approved, then the applicant can promote other projects without review. Because of this, posting multiple applications is not necessary, and results in additional workload for reviewers ... which in turn results in longer wait times for everyone in the queue. With this in mind, your secondary applications have been marked as 'closed(duplicate)', with only one application left open (chosen at random).
If you prefer that we proceed through this review process with a different application than the one which was left open, then feel free to close the 'open' application as a duplicate, and re-open one of the project applications which had been closed.
I'm a robot and this is an automated message from Project Applications Scraper.
Comment #62
avpaderno