fixing stuff

INSTALL.txt

@@ -68,8 +68,8 @@ INSTALLATION
 
    The default configuration can be found in the
    'sites/default/settings.php' file within your Drupal installation.
-   Before you can run Drupal, you must set the database URL. Open the
-   configuration file and edit the $db_url line to match the database
+   Before you can run Drupal, you must set the database URL. Open the 
+   configuration file and edit the $db_url line to match the database 
    defined in the previous step:
 
      $db_url = "mysql://username:password@localhost/databasename";
@@ -144,12 +144,17 @@ INSTALLATION
    by the Drupal server process. You can change the name of this
    subdirectory at "Administer > Settings > File system settings".
 
-   SECURITY NOTICE: Certain Apache configurations can be vulnerable
-   to a security exploit allowing arbitrary code execution. Drupal
-   will attempt to automatically create a .htaccess file in your
+   SECURITY NOTICE: Certain Apache configurations can be vulnerable 
+   to a security exploit allowing arbitrary code execution. Drupal 
+   will attempt to automatically create a .htaccess file in your 
    "files" directory to protect you. If you already have a .htaccess
-   file in that location, please add the following line:
-   SetHandler This_is_a_Drupal_security_line_do_not_remove
+   file in that location, please add the following lines:
+
+     SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
+     Options None
+     <IfModule mod_rewrite.c>
+       RewriteEngine off
+     </IfModule>
 
    You can now launch your browser and point it to your Drupal site.
 
@@ -186,7 +191,7 @@ example, set some general settings for your site with "Administer >
 Settings". Enable modules via "Administer > Modules". User permissions
 can be set with "Administer > Users > Configure > Permissions".
 
-For more information on configuration options, read the
+For more information on configuration options, read the 
 instructions which accompany the different configuration settings and
 consult the various help pages available in the administration panel.
 

includes/file.inc

@@ -113,17 +113,17 @@ function file_check_directory(&$directory, $mode = 0, $form_item = NULL) {
   }
 
   if ((file_directory_path() == $directory || file_directory_temp() == $directory) && !is_file("$directory/.htaccess")) {
-    if (($fp = fopen("$directory/.htaccess", 'w')) && fputs($fp, 'SetHandler This_is_a_Drupal_security_line_do_not_remove')) {
+    $htaccess_lines = "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nOptions None\n<IfModule mod_rewrite.c>\n  RewriteEngine off\n</IfModule>";
+    if (($fp = fopen("$directory/.htaccess", 'w')) && fputs($fp, $htaccess_lines)) {
       fclose($fp);
     }
     else {
-      $message = t("Security warning: Couldn't write .htaccess. Please create a .htaccess file in your %directory directory which contains the following line: <code>SetHandler This_is_a_Drupal_security_line_do_not_remove</code>", array('%directory' => $directory));
+      $message = t("Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your %directory directory which contains the following lines: <code>%htaccess</code>", array('%directory' => theme('placeholder', $directory), '%htaccess' => '<br />'. str_replace("\n", '<br />', check_plain($htaccess_lines))));
       form_set_error($form_item, $message);
-      watchdog('file system', $message, WATCHDOG_ERROR);
+      watchdog('security', $message, WATCHDOG_ERROR);
     }
   }
 
-
   return true;
 }
 

modules/upload.module

@@ -253,9 +253,10 @@ function _upload_prepare(&$node) {
 
   unset($_SESSION['file_current_upload']);
 
+  global $user;
+
   // Save new file uploads to tmp dir.
   if (($file = file_check_upload()) && user_access('upload files')) {
-    global $user;
 
     // Scale image uploads.
     $file = _upload_image($file);
@@ -274,6 +275,11 @@ function _upload_prepare(&$node) {
   // Attach file previews to node object.
   if (is_array($_SESSION['file_previews']) && count($_SESSION['file_previews'])) {
     foreach($_SESSION['file_previews'] as $fid => $file) {
+      if ($user->uid != 1) {
+        // Here something.php.pps becomes something.php_.pps
+        $file->filename = upload_munge_filename($file->filename, NULL, 0);
+        $file->description = $file->filename;
+      }
       $node->files[$fid] = $file;
     }
   }
@@ -375,6 +381,11 @@ function _upload_validate(&$node) {
             form_set_error('upload', t('The selected file %name can not be attached to this post, because the disk quota of %quota has been reached.', array('%name' => theme('placeholder', $file->filename), '%quota' => theme('placeholder', format_size($usersize)))));
             $valid = FALSE;
           }
+          elseif (strlen($node->files[$fid]->filename) > 255) {
+            form_set_error('upload', t('The selected file %name can not be attached to this post, because the filename is too long.', array('%name' => theme('placeholder', $munged_filename))));
+            $valid = FALSE;
+          }
+
           if (!$valid) {
             unset($node->files[$fid], $_SESSION['file_previews'][$fid]);
             file_delete($file->filepath);
@@ -522,6 +533,66 @@ function upload_total_space_used() {
   return db_result(db_query('SELECT SUM(filesize) FROM {files}'));
 }
 
+/**
+ * Munge the filename as needed for security purposes.
+ *
+ * @param $filename
+ *   The name of a file to modify.
+ * @param $extensions
+ *   A space separated list of valid extensions. If this is blank, we'll use
+ *   the admin-defined defaults for the user role from upload_extensions_$rid.
+ * @param $alerts
+ *   Whether alerts (watchdog, drupal_set_message()) should be displayed.
+ * @return $filename
+ *   The potentially modified $filename.
+ */
+function upload_munge_filename($filename, $extensions = NULL, $alerts = 1) {
+  global $user;
+
+  $original = $filename;
+
+  // Allow potentially insecure uploads for very savvy users and admin
+  if (!variable_get('allow_insecure_uploads', 0)) {
+
+    if (!isset($extensions)) {
+      $extensions = '';
+      foreach ($user->roles as $rid => $name) {
+        $extensions .= ' '. variable_get("upload_extensions_$rid", variable_get('upload_extensions_default', 'jpg jpeg gif png txt html doc xls pdf ppt pps'));
+      }
+
+    }
+
+    $whitelist = array_unique(explode(' ', trim($extensions)));
+
+    $filename_parts = explode('.', $filename);
+
+    $new_filename = array_shift($filename_parts); // Remove file basename.
+    $final_extension = array_pop($filename_parts); // Remove final extension.
+
+    foreach($filename_parts as $filename_part) {
+      $new_filename .= ".$filename_part";
+      if (!in_array($filename_part, $whitelist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
+        $new_filename .= '_';
+      }
+    }
+    $filename = "$new_filename.$final_extension";
+  }
+
+  if ($alerts && $original != $filename) {
+    $message = t('Your filename has been renamed to conform to site policy.');
+    drupal_set_message($message);
+  }
+
+  return $filename;
+}
+
+/**
+ * Undo the effect of upload_munge_filename().
+ */
+function upload_unmunge_filename($filename) {
+  return str_replace('_.', '.', $filename);
+}
+
 function upload_save($node) {
   if (!is_array($node->files)) {
     return;
@@ -609,14 +680,17 @@ function upload_delete_revision($node) {
 }
 
 function _upload_form($node) {
+
   $form['#theme'] = 'upload_form_new';
 
   if (is_array($node->files) && count($node->files)) {
     $form['files']['#theme'] = 'upload_form_current';
     $form['files']['#tree'] = TRUE;
     foreach ($node->files as $key => $file) {
-      $description = "<small>". file_create_url((strpos($file->fid,'upload') === false ? $file->filepath : file_create_filename($file->filename, file_create_path()))) ."</small>";
+      $description = file_create_url((strpos($file->fid, 'upload') === false ? $file->filepath : file_create_filename($file->filename, file_create_path())));
+      $description = "<small>". check_plain($description) ."</small>";
       $form['files'][$key]['description'] = array('#type' => 'textfield', '#default_value' => (strlen($file->description)) ? $file->description : $file->filename, '#maxlength' => 256, '#description' => $description );
+
       $form['files'][$key]['size'] = array('#type' => 'markup', '#value' => format_size($file->filesize));
       $form['files'][$key]['remove'] = array('#type' => 'checkbox', '#default_value' => $file->remove);
       $form['files'][$key]['list'] = array('#type' => 'checkbox',  '#default_value' => $file->list);

modules/upload/upload.module

@@ -253,9 +253,10 @@ function _upload_prepare(&$node) {
 
   unset($_SESSION['file_current_upload']);
 
+  global $user;
+
   // Save new file uploads to tmp dir.
   if (($file = file_check_upload()) && user_access('upload files')) {
-    global $user;
 
     // Scale image uploads.
     $file = _upload_image($file);
@@ -274,6 +275,11 @@ function _upload_prepare(&$node) {
   // Attach file previews to node object.
   if (is_array($_SESSION['file_previews']) && count($_SESSION['file_previews'])) {
     foreach($_SESSION['file_previews'] as $fid => $file) {
+      if ($user->uid != 1) {
+        // Here something.php.pps becomes something.php_.pps
+        $file->filename = upload_munge_filename($file->filename, NULL, 0);
+        $file->description = $file->filename;
+      }
       $node->files[$fid] = $file;
     }
   }
@@ -375,6 +381,11 @@ function _upload_validate(&$node) {
             form_set_error('upload', t('The selected file %name can not be attached to this post, because the disk quota of %quota has been reached.', array('%name' => theme('placeholder', $file->filename), '%quota' => theme('placeholder', format_size($usersize)))));
             $valid = FALSE;
           }
+          elseif (strlen($node->files[$fid]->filename) > 255) {
+            form_set_error('upload', t('The selected file %name can not be attached to this post, because the filename is too long.', array('%name' => theme('placeholder', $munged_filename))));
+            $valid = FALSE;
+          }
+
           if (!$valid) {
             unset($node->files[$fid], $_SESSION['file_previews'][$fid]);
             file_delete($file->filepath);
@@ -522,6 +533,66 @@ function upload_total_space_used() {
   return db_result(db_query('SELECT SUM(filesize) FROM {files}'));
 }
 
+/**
+ * Munge the filename as needed for security purposes.
+ *
+ * @param $filename
+ *   The name of a file to modify.
+ * @param $extensions
+ *   A space separated list of valid extensions. If this is blank, we'll use
+ *   the admin-defined defaults for the user role from upload_extensions_$rid.
+ * @param $alerts
+ *   Whether alerts (watchdog, drupal_set_message()) should be displayed.
+ * @return $filename
+ *   The potentially modified $filename.
+ */
+function upload_munge_filename($filename, $extensions = NULL, $alerts = 1) {
+  global $user;
+
+  $original = $filename;
+
+  // Allow potentially insecure uploads for very savvy users and admin
+  if (!variable_get('allow_insecure_uploads', 0)) {
+
+    if (!isset($extensions)) {
+      $extensions = '';
+      foreach ($user->roles as $rid => $name) {
+        $extensions .= ' '. variable_get("upload_extensions_$rid", variable_get('upload_extensions_default', 'jpg jpeg gif png txt html doc xls pdf ppt pps'));
+      }
+
+    }
+
+    $whitelist = array_unique(explode(' ', trim($extensions)));
+
+    $filename_parts = explode('.', $filename);
+
+    $new_filename = array_shift($filename_parts); // Remove file basename.
+    $final_extension = array_pop($filename_parts); // Remove final extension.
+
+    foreach($filename_parts as $filename_part) {
+      $new_filename .= ".$filename_part";
+      if (!in_array($filename_part, $whitelist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
+        $new_filename .= '_';
+      }
+    }
+    $filename = "$new_filename.$final_extension";
+  }
+
+  if ($alerts && $original != $filename) {
+    $message = t('Your filename has been renamed to conform to site policy.');
+    drupal_set_message($message);
+  }
+
+  return $filename;
+}
+
+/**
+ * Undo the effect of upload_munge_filename().
+ */
+function upload_unmunge_filename($filename) {
+  return str_replace('_.', '.', $filename);
+}
+
 function upload_save($node) {
   if (!is_array($node->files)) {
     return;
@@ -609,14 +680,17 @@ function upload_delete_revision($node) {
 }
 
 function _upload_form($node) {
+
   $form['#theme'] = 'upload_form_new';
 
   if (is_array($node->files) && count($node->files)) {
     $form['files']['#theme'] = 'upload_form_current';
     $form['files']['#tree'] = TRUE;
     foreach ($node->files as $key => $file) {
-      $description = "<small>". file_create_url((strpos($file->fid,'upload') === false ? $file->filepath : file_create_filename($file->filename, file_create_path()))) ."</small>";
+      $description = file_create_url((strpos($file->fid, 'upload') === false ? $file->filepath : file_create_filename($file->filename, file_create_path())));
+      $description = "<small>". check_plain($description) ."</small>";
       $form['files'][$key]['description'] = array('#type' => 'textfield', '#default_value' => (strlen($file->description)) ? $file->description : $file->filename, '#maxlength' => 256, '#description' => $description );
+
       $form['files'][$key]['size'] = array('#type' => 'markup', '#value' => format_size($file->filesize));
       $form['files'][$key]['remove'] = array('#type' => 'checkbox', '#default_value' => $file->remove);
       $form['files'][$key]['list'] = array('#type' => 'checkbox',  '#default_value' => $file->list);