Commit 2a0e3264 authored Oct 21, 2010 by Dries Buytaert
- Patch #942690 by effulgentsia: security harden stream wrappers by defaulting them as remote.
parent c7e9857d
Changes
4
includes/file.inc
...
...
@@ -90,12 +90,37 @@
*
* A stream is referenced as "scheme://target".
*
* The optional $filter parameter can be used to retrieve only the stream
* wrappers that are appropriate for particular usage. For example, this returns
* only stream wrappers that use local file storage:
* @code
* $local_stream_wrappers = file_get_stream_wrappers(STEAM_WRAPPERS_LOCAL);
* @endcode
*
* The $filter parameter can only filter to types containing a particular flag.
* In some cases, you may want to filter to types that do not contain a
* particular flag. For example, you may want to retrieve all stream wrappers
* that are not writable, or all stream wrappers that are not local. PHP's
* array_diff_key() function can be used to help with this. For example, this
* returns only stream wrappers that do not use local file storage:
* @code
* $remote_stream_wrappers = array_diff_key(file_get_stream_wrappers(STREAM_WRAPPERS_ALL), file_get_stream_wrappers(STEAM_WRAPPERS_LOCAL));
* @endcode
*
* @param $filter
* Optionally filter out all types except these. Defaults to
* STREAM_WRAPPERS_ALL, which returns all registered stream wrappers.
* (Optional) Filters out all types except those with an on bit for each on
* bit in $filter. For example, if $filter is STREAM_WRAPPERS_WRITE_VISIBLE,
* which is equal to (STREAM_WRAPPERS_READ | STREAM_WRAPPERS_WRITE |
* STREAM_WRAPPERS_VISIBLE), then only stream wrappers with all three of these
* bits set are returned. Defaults to STREAM_WRAPPERS_ALL, which returns all
* registered stream wrappers.
*
* @return
* Returns the entire Drupal stream wrapper registry.
* An array keyed by scheme, with values containing an array of information
* about the stream wrapper, as returned by hook_stream_wrappers(). If $filter
* is omitted or set to STREAM_WRAPPERS_ALL, the entire Drupal stream wrapper
* registry is returned. Otherwise only the stream wrappers whose 'type'
* bitmask has an on bit for each bit specified in $filter are returned.
*
* @see hook_stream_wrappers()
* @see hook_stream_wrappers_alter()
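Review bot: Both @code examples in this docblock spell the constant STEAM_WRAPPERS_LOCAL (missing the R); the constant defined in includes/stream_wrappers.inc is STREAM_WRAPPERS_LOCAL, so anyone copying either example passes an undefined name instead of the local flag. Correct both occurrences. The @param text could also state that a flag cannot be negated through $filter and point to the array_diff_key() example, since that is now the only way to select non-local wrappers.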
...
...
@@ -122,11 +147,11 @@ function file_get_stream_wrappers($filter = STREAM_WRAPPERS_ALL) {
else
{
$wrappers
[
$scheme
][
'override'
]
=
FALSE
;
}
if
((
$info
[
'type'
]
&
STREAM_WRAPPERS_
REMOTE
)
==
STREAM_WRAPPERS_
REMOTE
)
{
stream_wrapper_register
(
$scheme
,
$info
[
'class'
]
,
STREAM_IS_URL
);
if
((
$info
[
'type'
]
&
STREAM_WRAPPERS_
LOCAL
)
==
STREAM_WRAPPERS_
LOCAL
)
{
stream_wrapper_register
(
$scheme
,
$info
[
'class'
]);
}
else
{
stream_wrapper_register
(
$scheme
,
$info
[
'class'
]);
stream_wrapper_register
(
$scheme
,
$info
[
'class'
]
,
STREAM_IS_URL
);
}
}
// Pre-populate the static cache with the filters most typically used.
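Review bot: The branch on ($info['type'] & STREAM_WRAPPERS_LOCAL) carries no comment saying why every wrapper without the LOCAL bit is now registered with STREAM_IS_URL, and this is the line where the hardening actually takes effect. The rationale exists only in the STREAM_WRAPPERS_NORMAL docblock in includes/stream_wrappers.inc; a one-line comment here referring to PHP's allow_url_include handling would keep a later refactor from reverting it. A wrapper that set neither LOCAL nor REMOTE used to fall into the plain stream_wrapper_register() branch and now gets STREAM_IS_URL, which is a behaviour change for existing modules and belongs in the upgrade notes.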
...
...
@@ -141,7 +166,7 @@ function file_get_stream_wrappers($filter = STREAM_WRAPPERS_ALL) {
$wrappers_storage
[
$filter
]
=
array
();
foreach
(
$wrappers_storage
[
STREAM_WRAPPERS_ALL
]
as
$scheme
=>
$info
)
{
// Bit-wise filter.
if
(
$info
[
'type'
]
&
$filter
==
$filter
)
{
if
(
(
$info
[
'type'
]
&
$filter
)
==
$filter
)
{
$wrappers_storage
[
$filter
][
$scheme
]
=
$info
;
}
}
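Review bot: The parenthesised condition ($info['type'] & $filter) == $filter changes what every filtered call returns, and none of the four files in this commit tests it. In PHP == binds tighter than &, so the old expression evaluated $filter == $filter first and then tested $info['type'] against TRUE, which matches only the low bit, the value of STREAM_WRAPPERS_LOCAL (0x0001). Add a test that registers wrappers with and without the LOCAL bit and asserts the result of a composite filter such as STREAM_WRAPPERS_WRITE_VISIBLE, so that callers which depended on the old results are caught.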
...
...
includes/stream_wrappers.inc
...
...
@@ -22,6 +22,9 @@
/**
* Stream wrapper bit flags that are the basis for composite types.
*
* Note that 0x0002 is skipped, because it was the value of a constant that has
* since been removed.
*/
/**
...
...
@@ -34,11 +37,6 @@
*/
define
(
'STREAM_WRAPPERS_LOCAL'
,
0x0001
);
/**
* Stream wrapper bit flag -- refers to a remote filesystem location.
*/
define
(
'STREAM_WRAPPERS_REMOTE'
,
0x0002
);
/**
* Stream wrapper bit flag -- wrapper is readable (almost always true).
*/
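Review bot: Removing the STREAM_WRAPPERS_REMOTE define leaves any module that still names the constant in its hook_stream_wrappers() 'type' referring to an undefined constant, and nothing here tells its author what to use instead. State the replacement in the documentation (omit STREAM_WRAPPERS_LOCAL to declare a remote wrapper), and name STREAM_WRAPPERS_REMOTE in the "Note that 0x0002 is skipped" comment added at the top of the flag list, so that a search for the old name lands on the explanation.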
...
...
@@ -64,6 +62,11 @@
*/
define
(
'STREAM_WRAPPERS_HIDDEN'
,
STREAM_WRAPPERS_READ
|
STREAM_WRAPPERS_WRITE
);
/**
* Stream wrapper type flag -- hidden, readable and writeable using local files.
*/
define
(
'STREAM_WRAPPERS_LOCAL_HIDDEN'
,
STREAM_WRAPPERS_LOCAL
|
STREAM_WRAPPERS_HIDDEN
);
/**
* Stream wrapper type flag -- visible, readable and writeable.
*/
...
...
@@ -74,10 +77,19 @@
*/
define
(
'STREAM_WRAPPERS_READ_VISIBLE'
,
STREAM_WRAPPERS_READ
|
STREAM_WRAPPERS_VISIBLE
);
/**
* Stream wrapper type flag -- the default when 'type' is omitted from
* hook_stream_wrappers(). This does not include STREAM_WRAPPERS_LOCAL,
* because PHP grants a greater trust level to local files (for example, they
* can be used in an "include" statement, regardless of the "allow_url_include"
* setting), so stream wrappers need to explicitly opt-in to this.
*/
define
(
'STREAM_WRAPPERS_NORMAL'
,
STREAM_WRAPPERS_WRITE_VISIBLE
);
/**
* Stream wrapper type flag -- visible, readable and writeable using local files.
*/
define
(
'STREAM_WRAPPERS_NORMAL'
,
STREAM_WRAPPERS_LOCAL
|
STREAM_WRAPPERS_
WRITE_VISIBLE
);
define
(
'STREAM_WRAPPERS_
LOCAL_
NORMAL'
,
STREAM_WRAPPERS_LOCAL
|
STREAM_WRAPPERS_
NORMAL
);
/**
* Generic PHP stream wrapper interface.
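Review bot: STREAM_WRAPPERS_NORMAL keeps its name but loses STREAM_WRAPPERS_LOCAL, so a module that already passes STREAM_WRAPPERS_NORMAL explicitly for a local-file wrapper is silently switched to a URL wrapper by the registration code in includes/file.inc. The new docblock explains the reasoning well; add one sentence telling such modules to move to STREAM_WRAPPERS_LOCAL_NORMAL, since the constant name alone gives no hint that its value changed.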
...
...
modules/system/system.api.php
...
...
@@ -2297,9 +2297,13 @@ function hook_modules_uninstalled($modules) {
* - 'class' A string specifying the PHP class that implements the
* DrupalStreamWrapperInterface interface.
* - 'description' A string with a short description of what the wrapper does.
* - 'type' A bitmask of flags indicating what type of streams this wrapper
* will access - local or remote, readable and/or writeable, etc. Many
* shortcut constants are defined in stream_wrappers.inc.
* - 'type' (Optional) A bitmask of flags indicating what type of streams this
* wrapper will access - local or remote, readable and/or writeable, etc.
* Many shortcut constants are defined in stream_wrappers.inc. Defaults to
* STREAM_WRAPPERS_NORMAL which includes all of these bit flags:
* - STREAM_WRAPPERS_READ
* - STREAM_WRAPPERS_WRITE
* - STREAM_WRAPPERS_VISIBLE
*
* @see file_get_stream_wrappers()
* @see hook_stream_wrappers_alter()
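Review bot: The 'type' description still reads "local or remote" and lists only the three flags STREAM_WRAPPERS_NORMAL includes, without saying that STREAM_WRAPPERS_LOCAL is deliberately left out of the default. This is the text hook implementers read, so say explicitly that a wrapper is treated as remote unless its type contains STREAM_WRAPPERS_LOCAL, and that local-file wrappers should use STREAM_WRAPPERS_LOCAL_NORMAL or STREAM_WRAPPERS_LOCAL_HIDDEN.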
...
...
@@ -2311,18 +2315,35 @@ function hook_stream_wrappers() {
'name'
=>
t
(
'Public files'
),
'class'
=>
'DrupalPublicStreamWrapper'
,
'description'
=>
t
(
'Public local files served by the webserver.'
),
'type'
=>
STREAM_WRAPPERS_LOCAL_NORMAL
,
),
'private'
=>
array
(
'name'
=>
t
(
'Private files'
),
'class'
=>
'DrupalPrivateStreamWrapper'
,
'description'
=>
t
(
'Private local files served by Drupal.'
),
'type'
=>
STREAM_WRAPPERS_LOCAL_NORMAL
,
),
'temp'
=>
array
(
'name'
=>
t
(
'Temporary files'
),
'class'
=>
'DrupalTempStreamWrapper'
,
'description'
=>
t
(
'Temporary local files for upload and previews.'
),
'type'
=>
STREAM_WRAPPERS_HIDDEN
,
)
'type'
=>
STREAM_WRAPPERS_LOCAL_HIDDEN
,
),
'cdn'
=>
array
(
'name'
=>
t
(
'Content delivery network files'
),
'class'
=>
'MyModuleCDNStreamWrapper'
,
'description'
=>
t
(
'Files served by a content delivery network.'
),
// 'type' can be omitted to use the default of STREAM_WRAPPERS_NORMAL
),
'youtube'
=>
array
(
'name'
=>
t
(
'YouTube video'
),
'class'
=>
'MyModuleYouTubeStreamWrapper'
,
'description'
=>
t
(
'Video streamed from YouTube.'
),
// A module implementing YouTube integration may decide to support using
// the YouTube API for uploading video, but here, we assume that this
// particular module only supports playing YouTube video.
'type'
=>
STREAM_WRAPPERS_READ_VISIBLE
,
),
);
}
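Review bot: The 'temp' entry in this example (class DrupalTempStreamWrapper) does not match what system_stream_wrappers() in modules/system/system.module registers, which is the scheme 'temporary' with class DrupalTemporaryStreamWrapper. Since the entry is being edited anyway, align the scheme and class name with core. The 'cdn' entry shows the remote default well; a matching short comment on the 'public' entry saying why it needs STREAM_WRAPPERS_LOCAL_NORMAL would make the opt-in just as visible.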
...
...
modules/system/system.module
...
...
@@ -1545,12 +1545,13 @@ function system_stream_wrappers() {
'name'
=>
t
(
'Public files'
),
'class'
=>
'DrupalPublicStreamWrapper'
,
'description'
=>
t
(
'Public local files served by the webserver.'
),
'type'
=>
STREAM_WRAPPERS_LOCAL_NORMAL
,
),
'temporary'
=>
array
(
'name'
=>
t
(
'Temporary files'
),
'class'
=>
'DrupalTemporaryStreamWrapper'
,
'description'
=>
t
(
'Temporary local files for upload and previews.'
),
'type'
=>
STREAM_WRAPPERS_HIDDEN
,
'type'
=>
STREAM_WRAPPERS_
LOCAL_
HIDDEN
,
),
);
...
...
@@ -1560,6 +1561,7 @@ function system_stream_wrappers() {
'name'
=>
t
(
'Private files'
),
'class'
=>
'DrupalPrivateStreamWrapper'
,
'description'
=>
t
(
'Private local files served by Drupal.'
),
'type'
=>
STREAM_WRAPPERS_LOCAL_NORMAL
,
);
}
...
...