authorMiroslav2012-01-19 18:41:45 (GMT)
committer Miroslav2012-01-19 18:41:45 (GMT)
commit589e8f6a404ab0102f43217d966c858dddd174ca (patch)
tree4ec887c95bc56aabb57abb7664a7bea36f03648e
parentc19a0802c75716d0b1a9e974cbff92f3ef5c1a94 (diff)
Security Issue fix:7.x-2.17.x-2.x
- Major SQL injection security issue fixed Major Issues fix: - [#1313178] : settings were propagated to every form instead of only the child form. Minor Issues fix: - [#1316596] : minor Javascript issue, fixed for old IE compatibility New functionality: - [#192424] : add new placeholder for potential language-sensitive autocompletion.
-rw-r--r--README.txt2
-rw-r--r--js/jquery.autocomplete.js2
-rw-r--r--search_autocomplete.form.configure.inc10
-rw-r--r--search_autocomplete.info2
-rw-r--r--search_autocomplete.install41
-rw-r--r--search_autocomplete.module17
-rw-r--r--search_autocomplete.suggestion.configure.inc2
7 files changed, 50 insertions, 26 deletions
diff --git a/README.txt b/README.txt
index f451cad..61d5ce7 100644
--- a/README.txt
+++ b/README.txt
@@ -1,6 +1,6 @@
* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*
-* Welcome to Search Autocomplete v7.x-2.0 !
+* Welcome to Search Autocomplete v7.x-2.1 !
* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*
***
diff --git a/js/jquery.autocomplete.js b/js/jquery.autocomplete.js
index 4a3811d..5c34e25 100644
--- a/js/jquery.autocomplete.js
+++ b/js/jquery.autocomplete.js
@@ -22,7 +22,7 @@
matchContains: true,
minChars: eval(obj + '.minChars'),
selectFirst: false,
- max: eval(obj + '.max_sug'),
+ max: eval(obj + '.max_sug')
}).result(function () {
$(this).get(0).form.submit();
}).focus();
diff --git a/search_autocomplete.form.configure.inc b/search_autocomplete.form.configure.inc
index 3cc588e..5253fe1 100644
--- a/search_autocomplete.form.configure.inc
+++ b/search_autocomplete.form.configure.inc
@@ -185,7 +185,10 @@ function search_autocomplete_form_configure_submit($form, &$form_state) {
->execute();
// -> update each suggestions
foreach ($form_state['input']['search_autocomplete_what'] as $key => $item) {
- drupal_write_record('search_autocomplete_suggestions', $values['search_autocomplete_what'][$key], 'sid');
+ $values['search_autocomplete_what'][$key]['sug_fid'] = $values['fid'];
+ drupal_write_record('search_autocomplete_suggestions',
+ $values['search_autocomplete_what'][$key],
+ array('sid','sug_fid') );
}
// ###
// UPDATE CHILD LIST BUT NOT THE ADVANCED OPTIONS
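Review bot: The loop still takes its `$key`s from `$form_state['input']['search_autocomplete_what']`, the raw submitted values, while the new line writes into `$values['search_autocomplete_what'][$key]`; raw input has not been through form validation and its keys are not guaranteed to match those of the validated array, so a crafted or stale submission produces undefined-index notices and a record written from whichever entry happens to exist. If `$values` is the validated `$form_state['values']` (assigned outside the hunk), iterate that instead: `foreach ($values['search_autocomplete_what'] as $key => $item) {`. The same applies to the second hunk of this file, which additionally uses `$fid` where this one uses `$values['fid']` — presumably the parent/child distinction, but worth a one-line comment on each so the asymmetry reads as intended. The return value of `drupal_write_record()` is ignored in both hunks; it reports failure, so at least log or message when it is not `SAVED_UPDATED`. `search_autocomplete_form_configure_submit` begins before and continues after this hunk.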
@@ -202,7 +205,10 @@ function search_autocomplete_form_configure_submit($form, &$form_state) {
->execute();
// -> update each suggestions
foreach ($form_state['input']['search_autocomplete_what'] as $key => $item) {
- drupal_write_record('search_autocomplete_suggestions', $values['search_autocomplete_what'][$key], 'sid');
+ $values['search_autocomplete_what'][$key]['sug_fid'] = $fid;
+ drupal_write_record('search_autocomplete_suggestions',
+ $values['search_autocomplete_what'][$key],
+ array('sid','sug_fid') );
}
}
// ###
diff --git a/search_autocomplete.info b/search_autocomplete.info
index 683081e..284079b 100644
--- a/search_autocomplete.info
+++ b/search_autocomplete.info
@@ -2,6 +2,6 @@ name = Search Autocomplete
description = Provides aucompletion for Drupal search forms.
core = 7.x
package = Search
-version = 2.0
+version = 2.1
dependencies[] = search
configure = admin/config/search/search_autocomplete \ No newline at end of file
diff --git a/search_autocomplete.install b/search_autocomplete.install
index e1e69cb..9992d8e 100644
--- a/search_autocomplete.install
+++ b/search_autocomplete.install
@@ -209,7 +209,7 @@ function search_autocomplete_install() {
'sug_name' => "node_title",
'sug_dependencies' => "",
'sug_weight' => 1,
- 'sug_query' => "SELECT n.title FROM {node} n WHERE n.status = 1 AND LOWER(n.title) LIKE LOWER('%%%s%%')"
+ 'sug_query' => "SELECT n.title FROM {node} n WHERE n.status = 1 AND LOWER(n.title) LIKE LOWER(:like_word)"
));
// values for username default form
$insert->values(array(
@@ -221,7 +221,7 @@ function search_autocomplete_install() {
'sug_name' => "username",
'sug_dependencies' => "",
'sug_weight' => 2,
- 'sug_query' => "SELECT u.name FROM {users} u WHERE u.status = 1 AND LOWER(u.name) LIKE LOWER('%%%s%%')"
+ 'sug_query' => "SELECT u.name FROM {users} u WHERE u.status = 1 AND LOWER(u.name) LIKE LOWER(:like_word)"
));
// values for taxonomies default form
$insert->values(array(
@@ -233,7 +233,7 @@ function search_autocomplete_install() {
'sug_name' => "taxo_title",
'sug_dependencies' => "taxonomy",
'sug_weight' => 3,
- 'sug_query' => "SELECT t.name FROM {taxonomy_term_data} t WHERE LOWER(t.name) LIKE LOWER('%%%s%%')"
+ 'sug_query' => "SELECT t.name FROM {taxonomy_term_data} t WHERE LOWER(t.name) LIKE LOWER(:like_word)"
));
// values for comment title default form
$insert->values(array(
@@ -245,7 +245,7 @@ function search_autocomplete_install() {
'sug_name' => "comment_title",
'sug_dependencies' => "comment",
'sug_weight' => 4,
- 'sug_query' => "SELECT c.subject FROM {comment} c WHERE c.subject LIKE LOWER('%%%s%%')"
+ 'sug_query' => "SELECT c.subject FROM {comment} c WHERE c.subject LIKE LOWER(:like_word)"
));
// values for comment title default form
$insert->values(array(
@@ -257,7 +257,7 @@ function search_autocomplete_install() {
'sug_name' => "word_title",
'sug_dependencies' => "search",
'sug_weight' => 5,
- 'sug_query' => "SELECT DISTINCT s.word FROM {search_index} s, {node} n WHERE s.type = 'node' AND n.nid = s.sid AND n.status = 1 AND LOWER(s.word) LIKE LOWER('%%%s%%')"
+ 'sug_query' => "SELECT DISTINCT s.word FROM {search_index} s, {node} n WHERE s.type = 'node' AND n.nid = s.sid AND n.status = 1 AND LOWER(s.word) LIKE LOWER(:like_word)"
));
$insert->execute();
}
@@ -268,21 +268,19 @@ function search_autocomplete_install() {
// -----------------------------------------------------------------------------------------------
/**
- * Implementation of hook_update_N().
- * Get ready from version 1.x to 2.x
+ * Get ready for 2.x
*/
-function search_autocomplete_update_6200() {
+function search_autocomplete_update_7200() {
// if tables does'not already exists: run install
$ret = array();
$ok_result = TRUE; // so far so good
- $results = drupal_install_schema('search_autocomplete'); //Install the database specified in 'function search_autocomplete_schema'
- foreach ($results as $result) { // Check eventual errors that could have occured
- if (!$result->success)
- drupal_set_message(st('An error has occured during table creation, please retry. If the problem persist please post an issue and report the code: #err_code:400 @query', $result['query']), 'error');
- }
-
- if (db_table_exists('search_autocomplete_forms') && db_table_exists('search_autocomplete_suggestions')) {
+ if (!(db_table_exists('search_autocomplete_forms') && db_table_exists('search_autocomplete_suggestions'))) {
+ $results = drupal_install_schema('search_autocomplete'); //Install the database specified in 'function search_autocomplete_schema'
+ foreach ($results as $result) { // Check eventual errors that could have occured
+ if (!$result->success)
+ drupal_set_message(st('An error has occured during table creation, please retry. If the problem persist please post an issue and report the code: #err_code:400 @query', $result['query']), 'error');
+ }
search_autocomplete_install();
}
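Review bot: The moved error loop accesses the same element as an object (`$result->success`) and then as an array (`$result['query']`), so one of the two is wrong whatever `drupal_install_schema()` returns; in Drupal 7 that function, as far as I recall, returns nothing, in which case the `foreach` over `$results` only raises a warning and never reports anything. Since the surrounding code now guards on `db_table_exists()`, the simplest reliable check is to re-test the tables after the call and fail the update explicitly, e.g. `if (!db_table_exists('search_autocomplete_forms')) { throw new DrupalUpdateException('search_autocomplete tables could not be created.'); }`, dropping the loop and the unused `$ok_result`. Renaming `update_6200` to `update_7200` also means any site that ran the old function will run this one again, which the table-exists guard now handles — a comment saying so would help the next maintainer. `search_autocomplete_update_7200` continues past the end of this hunk.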
@@ -297,4 +295,17 @@ function search_autocomplete_update_6200() {
system_rebuild_theme_data();
return $ret;
+}
+
+/**
+ * Get ready for version 2.0 to 2.1
+ */
+function search_autocomplete_update_7201() {
+ $ret = array();
+ $results = db_query('SELECT sug_query FROM {search_autocomplete_suggestions}');
+ foreach ($results as $item) {
+ $new_query = str_replace("LIKE LOWER('%%%s%%')", "LIKE(:like_word)", $item->sug_query);
+ db_query('UPDATE {search_autocomplete_suggestions} SET sug_query = :sug_query WHERE sug_query = :new_query', array(':sug_query' => $new_query, ':new_query' => $item->sug_query));
+ }
+ return $ret;
} \ No newline at end of file
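Review bot: The replacement string in `str_replace()` is `"LIKE(:like_word)"`, which drops the `LOWER()` wrapper that the install defaults keep (`LIKE LOWER(:like_word)` in the hunks above), so migrated rows end up as `LOWER(n.title) LIKE(:like_word)` while fresh installs compare against a lower-cased term — upgraded sites may lose case-insensitive matching depending on collation. The `UPDATE` also matches rows by the full old query text rather than by the `sid` primary key the rest of the module uses, and it issues a write for every row even when nothing changed. The migration below fixes the replacement, selects `sid`, and updates only the rows whose query actually changed.
```php
function search_autocomplete_update_7201() {
  $ret = array();
  $results = db_query('SELECT sid, sug_query FROM {search_autocomplete_suggestions}');
  foreach ($results as $item) {
    // Keep LOWER() so upgraded queries match the install-time defaults.
    $new_query = str_replace("LIKE LOWER('%%%s%%')", "LIKE LOWER(:like_word)", $item->sug_query);
    if ($new_query !== $item->sug_query) {
      db_update('search_autocomplete_suggestions')
        ->fields(array('sug_query' => $new_query))
        ->condition('sid', $item->sid)
        ->execute();
    }
  }
  return $ret;
}
```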
diff --git a/search_autocomplete.module b/search_autocomplete.module
index 1ca5feb..0d876b0 100644
--- a/search_autocomplete.module
+++ b/search_autocomplete.module
@@ -21,6 +21,8 @@ include_once('search_autocomplete.admin.inc');
* @param string the characters entered in the search boxs
*/
function search_autocomplete_autocomplete($string = '') {
+ global $language;
+
$matches = array();
$word_items = array();
$node_items = array();
@@ -44,17 +46,22 @@ function search_autocomplete_autocomplete($string = '') {
// get every suggestion types associated with the form being autocompleted
$result = db_query('SELECT * FROM {search_autocomplete_suggestions} s WHERE s.sug_fid = :fid AND s.sug_enabled = :sug_enabled', array(':fid' => $fid, 'sug_enabled' => 1));
foreach ($result as $item) { // while there is suggestion types to analyse:
- //if ($query != NULL) {
- $prefix = $item->sug_prefix; // get the prefix for this suggestion type
- $query = sprintf($item->sug_query, $word); // get the SQL query for this suggestion type
- $result = db_query($query); // get all the suggestions of this suggestion type
+
+ $query = $item->sug_query;
+ $prefix = t($item->sug_prefix); // get the prefix for this suggestion type
+ $params = array(':like_word' => '%'.$word.'%');
+ if (strpos($query,':curr_lang')!== false) {
+ $params[':curr_lang'] = $language->language;
+ }
+
+ $result = db_query($query,$params);
+
foreach ($result as $obj) {
$sug_elem = array_shift(array_values(get_object_vars($obj)));
$sug = html_entity_decode(check_plain($sug_elem), ENT_QUOTES);
$sug_index = trim($prefix) . ' ' . $sug;
$matches[trim($sug_index)] = trim($sug); // add the suggestion to be returned
}
- //}
}
drupal_json_output($matches); // Return matches.
} // search_autocomplete_autocomplete()
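Review bot: The new `:like_word` binding wraps `$word` in `%` without escaping it, so `%` and `_` typed by the user act as LIKE wildcards inside the pattern; the parameter binding removes the SQL injection, but a bare `%` still turns the query into a full-table scan of every suggestion type. Bind `'%' . db_like($word) . '%'` instead (`$word` is derived from `$string` outside this hunk, so I assume it is still user-controlled). `t($item->sug_prefix)` passes a run-time string to `t()`, which is meant for literal source strings — the prefix will never appear in translation sets and `t()` does not escape it, so the old `$prefix = $item->sug_prefix;` was more honest. Since this block is being rewritten anyway, the inner `$result = db_query($query, $params);` shadows the `$result` the enclosing `foreach` is iterating; renaming it to `$rows` costs nothing and removes the trap.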
diff --git a/search_autocomplete.suggestion.configure.inc b/search_autocomplete.suggestion.configure.inc
index f02b037..321ccc8 100644
--- a/search_autocomplete.suggestion.configure.inc
+++ b/search_autocomplete.suggestion.configure.inc
@@ -88,7 +88,7 @@ function search_autocomplete_suggestion_configure($form, &$form_state, $sid = -1
'#maxlength' => 255,
'#required' => FALSE,
);
- $descr = t('The query to perform to retrieve suggestions. If you are not sure what to do, please look at examples in <a href="http://projects.axiomcafe.fr/search-autocomplete">the documentation</a> and/or ask for help');
+ $descr = t('The query to perform to retrieve suggestions.') . '<br />' . t('You can use the placeholders :like_word for the input sequence and :curr_lang for the current language.') . '<br />' .t('If you are not sure what to do, please look at examples in <a href="http://projects.axiomcafe.fr/search-autocomplete">the documentation</a> and/or ask for help');
$form['query'] = array(
'#title' => t('Query performed to get suggestion'),
'#description' => $descr,
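Review bot: The new help text calls `:like_word` "the input sequence", but the module binds it already wrapped in `%` wildcards (`'%' . $word . '%'`), so an administrator who writes `LIKE '%:like_word%'` or adds their own wildcards gets a literal-string comparison or a broken placeholder. Say so in the description, e.g. `t('You can use the placeholder :like_word for the typed text (it already includes the % wildcards, so write e.g. LIKE LOWER(:like_word)) and :curr_lang for the current language code.')`. It would also be worth stating that `:curr_lang` is only bound when the placeholder appears in the query, which is what the module's `strpos()` check implements. `search_autocomplete_suggestion_configure` begins before and continues after this hunk.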