Commit f4df7195 authored by Dries's avatar Dries

- Reworked the CXX checking; now, _any_ user input will be checked

and the request will be terminated when something suspicious is
detected.  This will be logged in the watchdog.  With help from Marco.

- Fixed translation issue in the archive module.  Patch by Gerhard.

- Removed dead parameter from variable_get().  Patch by Chris Johnson.
Fixes bug #2111.

- Improved input checking of taxonomy module.  Patch by Gerhard.
Fixes bug #2112.
parent 2323e572
......@@ -179,7 +179,7 @@ function variable_init($conf = array()) {
return $conf;
}
function variable_get($name, $default, $object = 0) {
function variable_get($name, $default) {
global $conf;
return isset($conf[$name]) ? $conf[$name] : $default;
......@@ -412,12 +412,6 @@ function search_type($type = 0, $action = 0, $keys = 0, $options = 0) {
function drupal_goto($url) {
/*
** Check the URL to prevent XSS attacks:
*/
$url = check_url($url);
/*
** Translate & to simply &
*/
......@@ -475,12 +469,61 @@ function referer_load() {
}
}
function check_url($uri) {
/*
** We pipe the request URI through htmlspecialchars() to prevent
** XSS attacks.
*/
function xss_check_input_data($data) {
if (is_array($data)) {
/*
** Form data can contain a number of nested arrays.
*/
foreach ($data as $key => $value) {
xss_check_input_data($value);
}
}
else {
/*
** Detect evil input data.
*/
// check attributes:
$match = preg_match("/\Wstyle\s*=[^>]+?>/i", $data);
$match += preg_match("/\Wdynsrc\s*=[^>]+?>/i", $data);
$match += preg_match("/\Wdatasrc\s*=[^>]+?>/i", $data);
$match += preg_match("/\Wdata\s*=[^>]+?>/i", $data);
$match += preg_match("/\Wlowsrc\s*=[^>]+?>/i", $data);
$match += preg_match("/\Wstyle\s*=[^>]+?>/i", $data);
$match += preg_match("/\Won[a-z]+\s*=[^>]+?>/i", $data);
$match += preg_match("/\Wsrc\s*=[\s'\"]*javascript[^>]+?>/i", $data);
$match += preg_match("/\Whref\s*=[\s'\"]*javascript:[^>]+?>/i", $data);
$match += preg_match("/\Whref\s*=[\s'\"]*javascript:[^>]+?>/i", $data);
// check tags:
$match += preg_match("/<\s*applet/i", $data);
$match += preg_match("/<\s*script/i", $data);
$match += preg_match("/<\s*object/i", $data);
$match += preg_match("/<\s*style/i", $data);
$match += preg_match("/<\s*embed/i", $data);
$match += preg_match("/<\s*form/i", $data);
$match += preg_match("/<\s*blink/i", $data);
$match += preg_match("/<\s*meta/i", $data);
$match += preg_match("/<\s*font/i", $data);
$match += preg_match("/<\s*html/i", $data);
$match += preg_match("/<\s*frame/i", $data);
$match += preg_match("/<\s*iframe/i", $data);
$match += preg_match("/<\s*layer/i", $data);
$match += preg_match("/<\s*ilayer/i", $data);
$match += preg_match("/<\s*head/i", $data);
$match += preg_match("/<\s*frameset/i", $data);
$match += preg_match("/<\s*xml/i", $data);
if ($match) {
watchdog("warning", "terminated request because of suspicious input data: ". drupal_specialchars($data));
die("terminated request because of suspicious input data");
}
}
}
function check_url($uri) {
$uri = htmlspecialchars($uri, ENT_QUOTES);
/*
......@@ -979,6 +1022,7 @@ function timer_start() {
}
function drupal_page_header() {
if (variable_get("dev_timer", 0)) {
timer_start();
}
......@@ -1036,6 +1080,9 @@ function drupal_page_footer() {
// spit out the correct charset http header
header("Content-Type: text/html; charset=utf-8");
// filter input data:
xss_check_input_data($_REQUEST);
// initialize installed modules:
module_init();
......@@ -1045,4 +1092,5 @@ function drupal_page_footer() {
// initialize theme:
$theme = theme_init();
?>
......@@ -305,6 +305,9 @@ function import_refresh($feed) {
}
fclose($fp);
// filter the input data:
xss_check_input_data($data);
// parse the data:
$xml_parser = xml_parser_create();
xml_set_element_handler($xml_parser, "import_element_start", "import_element_end");
......@@ -320,14 +323,6 @@ function import_refresh($feed) {
$tt = array_flip(get_html_translation_table(HTML_ENTITIES));
$tt["&apos;"] = "'";
/*
** Strip invalid tags and provide default values (if required):
*/
foreach ($channel as $key => $value) {
$channel[$key] = node_filter(strtr(trim($value), $tt));
}
db_query("UPDATE feed SET timestamp = %d, link = '%s', description = '%s' WHERE fid = %d", time(), $channel["LINK"], $channel["DESCRIPTION"], $feed["fid"]);
/*
......
......@@ -305,6 +305,9 @@ function import_refresh($feed) {
}
fclose($fp);
// filter the input data:
xss_check_input_data($data);
// parse the data:
$xml_parser = xml_parser_create();
xml_set_element_handler($xml_parser, "import_element_start", "import_element_end");
......@@ -320,14 +323,6 @@ function import_refresh($feed) {
$tt = array_flip(get_html_translation_table(HTML_ENTITIES));
$tt["&apos;"] = "'";
/*
** Strip invalid tags and provide default values (if required):
*/
foreach ($channel as $key => $value) {
$channel[$key] = node_filter(strtr(trim($value), $tt));
}
db_query("UPDATE feed SET timestamp = %d, link = '%s', description = '%s' WHERE fid = %d", time(), $channel["LINK"], $channel["DESCRIPTION"], $feed["fid"]);
/*
......
......@@ -87,7 +87,7 @@ function archive_calendar($original = 0) {
$output .= " <tr class=\"header-week\">";
for ($i = 0; $i < 7; $i++) {
$output .= "<td>". substr(ucfirst(t(date("l", $firstcolumn + $i * 86400))), 0, 1) ."</td>";
$output .= "<td>". t(substr(ucfirst(date("l", $firstcolumn + $i * 86400)), 0, 2)) ."</td>";
}
$output .= "</tr>\n";
......
......@@ -87,7 +87,7 @@ function archive_calendar($original = 0) {
$output .= " <tr class=\"header-week\">";
for ($i = 0; $i < 7; $i++) {
$output .= "<td>". substr(ucfirst(t(date("l", $firstcolumn + $i * 86400))), 0, 1) ."</td>";
$output .= "<td>". t(substr(ucfirst(date("l", $firstcolumn + $i * 86400)), 0, 2)) ."</td>";
}
$output .= "</tr>\n";
......
......@@ -305,6 +305,9 @@ function import_refresh($feed) {
}
fclose($fp);
// filter the input data:
xss_check_input_data($data);
// parse the data:
$xml_parser = xml_parser_create();
xml_set_element_handler($xml_parser, "import_element_start", "import_element_end");
......@@ -320,14 +323,6 @@ function import_refresh($feed) {
$tt = array_flip(get_html_translation_table(HTML_ENTITIES));
$tt["&apos;"] = "'";
/*
** Strip invalid tags and provide default values (if required):
*/
foreach ($channel as $key => $value) {
$channel[$key] = node_filter(strtr(trim($value), $tt));
}
db_query("UPDATE feed SET timestamp = %d, link = '%s', description = '%s' WHERE fid = %d", time(), $channel["LINK"], $channel["DESCRIPTION"], $feed["fid"]);
/*
......
......@@ -499,11 +499,6 @@ function node_comment_mode($nid) {
}
function node_filter($text) {
$text = preg_replace("/\Wstyle\s*=[^>]+?>/i", ">", $text);
$text = preg_replace("/\Won[a-z]+\s*=[^>]+?>/i", ">", $text);
$text = preg_replace("/\Wsrc\s*=[\s'\"]*javascript[^>]+?>/i", ">", $text);
$text = preg_replace("/\Whref\s*=[\s'\"]*javascript:[^>]+?>/i", ">", $text);
if (variable_get("filter_html", 0)) {
$text = node_filter_html($text);
}
......
......@@ -499,11 +499,6 @@ function node_comment_mode($nid) {
}
function node_filter($text) {
$text = preg_replace("/\Wstyle\s*=[^>]+?>/i", ">", $text);
$text = preg_replace("/\Won[a-z]+\s*=[^>]+?>/i", ">", $text);
$text = preg_replace("/\Wsrc\s*=[\s'\"]*javascript[^>]+?>/i", ">", $text);
$text = preg_replace("/\Whref\s*=[\s'\"]*javascript:[^>]+?>/i", ">", $text);
if (variable_get("filter_html", 0)) {
$text = node_filter_html($text);
}
......
......@@ -364,15 +364,7 @@ function search_view($keys) {
theme("box", t("Search Results"), $output);
}
else {
// no results. try a substring search
$output = search_data("*". $keys. "*");
if ($output) {
theme("box", t("Search Results"), $output);
}
else {
theme("box", t("Search Results"), t("Your search yielded no results."));
}
theme("box", t("Search Results"), t("Your search yielded no results."));
}
}
......
......@@ -364,15 +364,7 @@ function search_view($keys) {
theme("box", t("Search Results"), $output);
}
else {
// no results. try a substring search
$output = search_data("*". $keys. "*");
if ($output) {
theme("box", t("Search Results"), $output);
}
else {
theme("box", t("Search Results"), t("Your search yielded no results."));
}
theme("box", t("Search Results"), t("Your search yielded no results."));
}
}
......
......@@ -657,23 +657,25 @@ function _prepare_insert($data, $stage) {
function taxonomy_select_nodes($taxonomy, $pager = 1) {
global $user;
if ($taxonomy->operator == "or") {
$sql = "SELECT DISTINCT(n.nid), n.title, n.type, n.created, n.changed, n.uid, n.static, n.created, u.name FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' ORDER BY static DESC, created DESC";
$sql_count = "SELECT COUNT(DISTINCT(n.nid)) FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1'";
}
else {
$sql = "SELECT n.nid, n.title, n.type, n.created, n.changed, n.uid, u.name FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' GROUP BY n.nid, n.title, n.type, n.created, n.changed, n.uid, u.name HAVING COUNT(n.nid) = ".count($taxonomy->tids)." ORDER BY static DESC, created DESC";
if ($taxonomy->str_tids) {
if ($taxonomy->operator == "or") {
$sql = "SELECT DISTINCT(n.nid), n.title, n.type, n.created, n.changed, n.uid, n.static, n.created, u.name FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' ORDER BY static DESC, created DESC";
$sql_count = "SELECT COUNT(DISTINCT(n.nid)) FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1'";
}
else {
$sql = "SELECT n.nid, n.title, n.type, n.created, n.changed, n.uid, u.name FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' GROUP BY n.nid, n.title, n.type, n.created, n.changed, n.uid, u.name HAVING COUNT(n.nid) = ".count($taxonomy->tids)." ORDER BY static DESC, created DESC";
// Special trick as we could not find anything better:
$count = db_num_rows(db_query("SELECT n.nid FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' GROUP BY n.nid HAVING COUNT(n.nid) = ". count($taxonomy->tids)));
$sql_count = "SELECT $count";
}
// Special trick as we could not find anything better:
$count = db_num_rows(db_query("SELECT n.nid FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' GROUP BY n.nid HAVING COUNT(n.nid) = ". count($taxonomy->tids)));
$sql_count = "SELECT $count";
}
if ($pager) {
$result = pager_query($sql, variable_get("default_nodes_main", 10) , 0, $sql_count);
}
else {
$result = db_query_range($sql, 0, 15);
if ($pager) {
$result = pager_query($sql, variable_get("default_nodes_main", 10) , 0, $sql_count);
}
else {
$result = db_query_range($sql, 0, 15);
}
}
return $result;
......
......@@ -657,23 +657,25 @@ function _prepare_insert($data, $stage) {
function taxonomy_select_nodes($taxonomy, $pager = 1) {
global $user;
if ($taxonomy->operator == "or") {
$sql = "SELECT DISTINCT(n.nid), n.title, n.type, n.created, n.changed, n.uid, n.static, n.created, u.name FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' ORDER BY static DESC, created DESC";
$sql_count = "SELECT COUNT(DISTINCT(n.nid)) FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1'";
}
else {
$sql = "SELECT n.nid, n.title, n.type, n.created, n.changed, n.uid, u.name FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' GROUP BY n.nid, n.title, n.type, n.created, n.changed, n.uid, u.name HAVING COUNT(n.nid) = ".count($taxonomy->tids)." ORDER BY static DESC, created DESC";
if ($taxonomy->str_tids) {
if ($taxonomy->operator == "or") {
$sql = "SELECT DISTINCT(n.nid), n.title, n.type, n.created, n.changed, n.uid, n.static, n.created, u.name FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' ORDER BY static DESC, created DESC";
$sql_count = "SELECT COUNT(DISTINCT(n.nid)) FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1'";
}
else {
$sql = "SELECT n.nid, n.title, n.type, n.created, n.changed, n.uid, u.name FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' GROUP BY n.nid, n.title, n.type, n.created, n.changed, n.uid, u.name HAVING COUNT(n.nid) = ".count($taxonomy->tids)." ORDER BY static DESC, created DESC";
// Special trick as we could not find anything better:
$count = db_num_rows(db_query("SELECT n.nid FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' GROUP BY n.nid HAVING COUNT(n.nid) = ". count($taxonomy->tids)));
$sql_count = "SELECT $count";
}
// Special trick as we could not find anything better:
$count = db_num_rows(db_query("SELECT n.nid FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' GROUP BY n.nid HAVING COUNT(n.nid) = ". count($taxonomy->tids)));
$sql_count = "SELECT $count";
}
if ($pager) {
$result = pager_query($sql, variable_get("default_nodes_main", 10) , 0, $sql_count);
}
else {
$result = db_query_range($sql, 0, 15);
if ($pager) {
$result = pager_query($sql, variable_get("default_nodes_main", 10) , 0, $sql_count);
}
else {
$result = db_query_range($sql, 0, 15);
}
}
return $result;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment