Commit de284eb8 authored by dsnopek's avatar dsnopek Committed by dsnopek

Issue #2881258 by dsnopek: [site_verify] Fix for SA-CONTRIB-2017-051

parent fd203a70
diff --git a/site_verify.admin.inc b/site_verify.admin.inc
index c5e68f2..3a558e2 100644
--- a/site_verify.admin.inc
+++ b/site_verify.admin.inc
@@ -100,32 +100,35 @@ function site_verify_edit_form(&$form_state, $record = array(), $engine = NULL)
'#default_value' => $record['meta'],
'#description' => t('This is the full meta tag provided for verification. Note that this meta tag will only be visible in the source code of your <a href="@frontpage">front page</a>.', array('@front-page' => url('<front>'))),
'#element_validate' => $record['engine']['meta_validate'],
- '#access' => $record['engine']['meta'],
+ '#access' => $record['engine']['meta'] && class_exists('DOMDocument'),
'#maxlength' => NULL,
);
- $form['file_upload'] = array(
- '#type' => 'file',
- '#title' => t('Upload an existing verification file'),
- '#description' => t('If you have been provided with an actual file, you can simply upload the file.'),
- '#access' => $record['engine']['file'],
- );
- $form['file'] = array(
- '#type' => 'textfield',
- '#title' => t('Verification file'),
- '#default_value' => $record['file'],
- '#description' => t('The name of the HTML verification file you were asked to upload.'),
- '#element_validate' => $record['engine']['file_validate'],
- '#access' => $record['engine']['file'],
- );
- $form['file_contents'] = array(
- '#type' => 'textarea',
- '#title' => t('Verification file contents'),
- '#default_value' => $record['file_contents'],
- '#element_validate' => $record['engine']['file_contents_validate'],
- '#wysiwyg' => FALSE,
- '#access' => $record['engine']['file_contents'],
- );
+ if (user_access('administer site verify uploads')) {
+ $form['file_upload'] = array(
+ '#type' => 'file',
+ '#title' => t('Upload an existing verification file'),
+ '#description' => t('If you have been provided with an actual file, you can simply upload the file.'),
+ '#access' => $record['engine']['file'],
+ );
+ $form['file'] = array(
+ '#type' => 'textfield',
+ '#title' => t('Verification file'),
+ '#default_value' => $record['file'],
+ '#description' => t('The name of the HTML verification file you were asked to upload.'),
+ '#element_validate' => $record['engine']['file_validate'],
+ '#access' => $record['engine']['file'],
+ );
+ $form['file_contents'] = array(
+ '#type' => 'textarea',
+ '#title' => t('Verification file contents'),
+ '#default_value' => $record['file_contents'],
+ '#element_validate' => $record['engine']['file_contents_validate'],
+ '#wysiwyg' => FALSE,
+ '#access' => $record['engine']['file_contents'],
+ );
+ }
+
if (!variable_get('clean_url', 0)) {
drupal_set_message(t('Using verification files will not work if <a href="@clean-urls">clean URLs</a> are disabled.', array('@clean-urls' => url('admin/settings/clean-url'))), 'error', FALSE);
$form['file']['#disabled'] = TRUE;
@@ -133,8 +136,8 @@ function site_verify_edit_form(&$form_state, $record = array(), $engine = NULL)
$form['file_upload']['#disabled'] = TRUE;
}
+ //@TODO: $record['engine']['file'] is always TRUE
if ($record['engine']['file']) {
- $form['#validate'][] = 'site_verify_validate_file';
$form['#attributes'] = array('enctype' => 'multipart/form-data');
}
@@ -155,29 +158,59 @@ function site_verify_edit_form(&$form_state, $record = array(), $engine = NULL)
}
/**
- * Validation callback; save the uploaded file and check file name uniqueness.
+ * Validation callback; sanitize metatag and save the uploaded file
*/
-function site_verify_validate_file(&$form, &$form_state) {
- $values = &$form_state['values'];
-
- // Import the uploaded verification file.
- if ($file = file_save_upload('file_upload', array(), FALSE, FILE_EXISTS_REPLACE)) {
- $contents = @file_get_contents($file->filepath);
- file_delete($file->filepath);
- if ($contents === FALSE) {
- drupal_set_message(t('The verification file import failed, because the file %filename could not be read.', array('%filename' => $file->filename)), 'error');
- }
- else {
- $values['file'] = $file->filename;
- $values['file_contents'] = $contents;
- //drupal_set_message(t('The verification file <a href="@filename">@filename</a> was successfully imported.', array('@filename' => $file->filename)));
+function site_verify_edit_form_validate($form, &$form_state) {
+ if ($form_state['storage']['step']) {
+ // validate metatag
+ if (isset($form_state['values']['meta']) && $form_state['values']['meta']) {
+ $valid_metatag_set = FALSE;
+
+ $html = $form_state['values']['meta'];
+ $dom = new DOMDocument;
+ $dom->loadHTML($html);
+ //@TODO: If we only care about the first metatag... why foreach? why not [0]?
+ foreach ($dom->getElementsByTagName('meta') as $tag) {
+ if ($tag->getAttribute('name') && $tag->getAttribute('content')) {
+ $form_state['values']['meta'] = '<meta name="' . $tag->getAttribute('name') . '" content="' . $tag->getAttribute('content') . '" />';
+ $valid_metatag_set = TRUE;
+ }
+ }
+
+ if (!$valid_metatag_set) {
+ form_set_error('meta', t('A valid metatag was not found'));
+ }
}
- }
- if ($values['file']) {
- $existing_file = db_result(db_query("SELECT svid FROM {site_verify} WHERE LOWER(file) = LOWER('%s') AND svid <> %d", $values['file'], $values['svid']));
- if ($existing_file) {
- form_set_error('file', t('The file %filename is already being used in another verification.', array('%filename' => $values['file'])));
+ //
+ if (isset($form_state['values']['file']) && $form_state['values']['file']) {
+ $values = &$form_state['values'];
+ // Import the uploaded verification file.
+ $validators = array('file_validate_extensions' => array());
+ if ($file = file_save_upload('file_upload', $validators, FALSE, FILE_EXISTS_REPLACE)) {
+ $contents = @file_get_contents($file->filepath);
+ file_delete($file->filepath);
+ if ($contents === FALSE) {
+ drupal_set_message(t('The verification file import failed, because the file %filename could not be read.', array('%filename' => $file->filename)), 'error');
+ }
+ else {
+ $values['file'] = $file->filename;
+ $values['file_contents'] = $contents;
+ //drupal_set_message(t('The verification file <a href="@filename">@filename</a> was successfully imported.', array('@filename' => $file->filename)));
+ }
+ }
+
+ // Confirm that the desired filename isn't already in use by another
+ // verification.
+ if ($values['file']) {
+ $existing_file = db_result(db_query("SELECT svid FROM {site_verify} WHERE LOWER(file) = LOWER('%s') AND svid <> %d", $values['file'], $values['svid']));
+ if ($existing_file) {
+ form_set_error('file', t('The file %filename is already being used in another verification.', array('%filename' => $values['file'])));
+ }
+ }
+ }
+ else {
+ $form_state['values']['file_contents'] = NULL;
}
}
}
diff --git a/site_verify.module b/site_verify.module
index 8836a20..aff2e20 100755
--- a/site_verify.module
+++ b/site_verify.module
@@ -62,6 +62,13 @@ function site_verify_menu() {
}
/**
+ * Implements hook_perm().
+ */
+function site_verify_perm() {
+ return array('administer site verify uploads');
+}
+
+/**
* Implements hook_init().
*/
function site_verify_init() {
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment