Commit 2d0df351 authored by Dries's avatar Dries

- Various fixes. Updated CHANGELOG.txt

parent 236da7af
......@@ -52,6 +52,10 @@ Drupal x.x.x, xxxx-xx-xx (development version)
- PostgreSQL support:
* removed dependency on PL/pgSQL procedural language
Drupal 4.6.4, 2005-11-29
------------------------
- fixed bugs, including 3 security vulnerabilities.
Drupal 4.6.3, 2005-08-15
------------------------
- fixed bugs, including a critical "arbitrary PHP code execution" bug.
......@@ -108,6 +112,10 @@ Drupal 4.6.0, 2005-04-15
- documentation:
* improved and extended PHPDoc/Doxygen comments.
Drupal 4.5.6, 2005-11-29
------------------------
- fixed bugs, including 3 security vulnerabilities.
Drupal 4.5.5, 2005-08-15
------------------------
- fixed bugs, including a critical "arbitrary PHP code execution" bug.
......
......@@ -708,14 +708,12 @@ function arg($index) {
}
/**
* Prepare a URL for use in an HTML attribute.
* Prepare a URL for use in an HTML attribute. Strips harmful protocols.
*
* We replace ( and ) with their url-encoded equivalents to prevent XSS attacks.
*/
function check_url($uri) {
$uri = htmlspecialchars($uri, ENT_QUOTES);
$uri = strtr($uri, array('(' => '%28', ')' => '%29'));
$uri = filter_xss_bad_protocol($uri, FALSE);
return $uri;
}
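Review bot: The updated docblock says harmful protocols are stripped, but not that the returned string is already HTML-escaped, which is what the bare `FALSE` argument on the `filter_xss_bad_protocol` line appears to control; a caller that escapes the result again will double-encode it. A short comment on that line would make the contract explicit, e.g. `// Already escaped above; FALSE tells filter_xss_bad_protocol not to encode again.` — adjust the wording if that parameter means something else, since the callee's definition is not in this hunk. The removed sentence about `(`/`)` encoding should be replaced by one line saying where the equivalent protection now lives, so the next reader does not assume it was dropped.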
......
......@@ -615,13 +615,6 @@ function t($string, $args = 0) {
}
}
/**
* Encode special characters in a plain-text string for display as HTML.
*/
function check_plain($text) {
return htmlspecialchars($text, ENT_QUOTES);
}
/**
* @defgroup validation Input validation
* @{
......@@ -667,54 +660,6 @@ function valid_url($url, $absolute = FALSE) {
}
}
/**
* Validate data input by a user.
*
* Ensures that user data cannot be used to perform attacks on the site.
*
* @param $data
* The input to check.
* @return
* TRUE if the input data is acceptable.
*/
function valid_input_data($data) {
if (is_array($data) || is_object($data)) {
// Form data can contain a number of nested arrays.
foreach ($data as $key => $value) {
if (!valid_input_data($key) || !valid_input_data($value)) {
return FALSE;
}
}
}
else if (isset($data)) {
// Detect dangerous input data.
// Decode all normal character entities.
$data = decode_entities($data, array('<', '&', '"'));
// Check strings:
$match = preg_match('/\Wjavascript\s*:/i', $data);
$match += preg_match('/\Wexpression\s*\(/i', $data);
$match += preg_match('/\Walert\s*\(/i', $data);
// Check attributes:
$match += preg_match("/\W(dynsrc|datasrc|data|lowsrc|on[a-z]+)\s*=[^>]+?>/i", $data);
// Check tags:
$match += preg_match("/<\s*(applet|script|object|style|embed|form|blink|meta|html|frame|iframe|layer|ilayer|head|frameset|xml)/i", $data);
if ($match) {
watchdog('security', t('Terminated request because of suspicious input data: %data.', array('%data' => theme('placeholder', $data))));
return FALSE;
}
}
return TRUE;
}
/**
* @} End of "defgroup validation".
*/
/**
* Register an event for the current visitor (hostname/IP) to the flood control mechanism.
*
......@@ -1366,17 +1311,7 @@ function _drupal_bootstrap_full() {
}
// Initialize all enabled modules.
module_init();
if (!user_access('bypass input data check')) {
// We can't use $_REQUEST because it consists of the contents of $_POST,
// $_GET and $_COOKIE: if any of the input arrays share a key, only one
// value will be verified.
if (!valid_input_data($_GET)
|| !valid_input_data($_POST)
|| !valid_input_data($_COOKIE)
|| !valid_input_data($_FILES)) {
die('Terminated request because of suspicious input data.');
}
}
// Undo magic quotes
fix_gpc_magic();
// Initialize the localization system.
$locale = locale_initialize();
......
......@@ -105,7 +105,7 @@ function _db_query($query, $debug = 0) {
return $result;
}
else {
trigger_error(mysql_error() ."\nquery: ". htmlspecialchars($query), E_USER_ERROR);
trigger_error(check_plain(mysql_error() ."\nquery: ". $query), E_USER_ERROR);
return FALSE;
}
}
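Review bot: `check_plain()` is now called from `_db_query`, yet this commit removes the `check_plain` definition in the hunk with the `function t()` context, and `_db_query` runs during bootstrap before the later includes are loaded; unless the function has been re-added to a file that is included ahead of the database layer (one of the collapsed diffs may do that), a failed query early in bootstrap would become an undefined-function fatal instead of the intended message. The same change appears in the mysqli and pgsql `_db_query` hunks below, so the check applies there too. Wrapping the whole message is an improvement over the old line, which escaped only the query and passed the driver error text through raw; the message still embeds the full query text, including any substituted values, so the error-display path should be one that is not shown to anonymous visitors. `_db_query`'s body begins outside the hunk.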
......
......@@ -113,7 +113,7 @@ function _db_query($query, $debug = 0) {
return $result;
}
else {
trigger_error(mysqli_error($active_db) ."\nquery: ". htmlspecialchars($query), E_USER_ERROR);
trigger_error(check_plain(mysqli_error($active_db) ."\nquery: ". $query), E_USER_ERROR);
return FALSE;
}
}
......
......@@ -92,7 +92,7 @@ function _db_query($query, $debug = 0) {
return $last_result;
}
else {
trigger_error(pg_last_error() ."\nquery: ". htmlspecialchars($query), E_USER_ERROR);
trigger_error(check_plain(pg_last_error() ."\nquery: ". $query), E_USER_ERROR);
return FALSE;
}
}
......
......@@ -144,8 +144,24 @@ function file_check_upload($source) {
elseif ($_FILES["edit"]["name"][$source] && is_uploaded_file($_FILES["edit"]["tmp_name"][$source])) {
$file = new StdClass();
$file->filename = trim(basename($_FILES["edit"]["name"][$source]), '.');
$file->filemime = $_FILES["edit"]["type"][$source];
$file->filepath = $_FILES["edit"]["tmp_name"][$source];
if (function_exists('mime_content_type')) {
$file->filemime = mime_content_type($file->filepath);
if ($file->filemime != $_FILES["edit"]["type"][$source]) {
watchdog('file', t('For %file the system thinks its MIME type is %detected while the user has given %given for MIME type', array('%file' => theme('placeholder', $file->filepath), '%detected' => theme('placeholder', $file>-filemime), '%given' => theme('placeholder', $_FILES['edit']['type'][$source]))));
}
}
else {
$file->filemime = $_FILES["edit"]["type"][$source];
}
if (((substr($file->filemime, 0, 5) == 'text/' || strpos($file->filemime, 'javascript')) && (substr($file->filepath, -4) != '.txt')) || preg_match('/\.(php|pl|py|cgi|asp)$/i', $file->filename)) {
$file->filemime = 'text/plain';
rename($file->filepath, $file->filepath .'.txt');
$file->filepath .= '.txt';
$file->filename .= '.txt';
}
$file->error = $_FILES["edit"]["error"][$source];
$file->filesize = $_FILES["edit"]["size"][$source];
$file->source = $source;
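Review bot: The watchdog call in the MIME-mismatch branch reads `$file>-filemime`, which PHP parses as a comparison against an undefined constant rather than a property access, so the log entry would carry a boolean (plus a notice) instead of the detected type; it should be `'%detected' => theme('placeholder', $file->filemime)`. In the rename condition the `.txt` suffix test is applied to `$file->filepath`, the temporary upload path, which will not normally end in `.txt`; `$file->filename` looks like the intended subject, and the `strpos(..., 'javascript')` test should compare with `!== false` rather than rely on truthiness. The `rename()` return value is not checked, so on failure `filepath` and `filename` are updated to point at a file that does not exist, and a renamed temporary file may no longer satisfy `is_uploaded_file()`/`move_uploaded_file()` later in the pipeline — worth verifying against the caller. `file_check_upload`'s body begins and ends outside the hunk.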
......
......@@ -303,6 +303,10 @@ function _decode_entities($prefix, $codepoint, $original, &$table, &$exclude) {
if ($prefix == '#x') {
$codepoint = base_convert($codepoint, 16, 10);
}
// Decimal numerical entity (strip leading zeros to avoid PHP octal notation)
else {
$codepoint = preg_replace('/^0+/', '', $codepoint);
}
// Encode codepoint as UTF-8 bytes
if ($codepoint < 0x80) {
$str = chr($codepoint);
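Review bot: The new else branch strips leading zeros with `preg_replace('/^0+/', '', $codepoint)`, which turns an all-zero reference such as `&#0;` or `&#00;` into an empty string; the following `$codepoint < 0x80` test accepts that and `chr()` then receives an empty string (coerced to 0), the same NUL byte the old code produced for `&#0;`, so behaviour is unchanged but deserves a one-line comment. `ltrim($codepoint, '0')` does the same stripping without a regex call per entity. Placing the explanatory comment between the closing brace of the `if` and the `else` is legal but easy to misread; moving it inside the else block keeps the two branches aligned. The function continues outside the hunk.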
......
......@@ -332,7 +332,7 @@ function search_simplify($text) {
// Simple CJK handling
if (variable_get('overlap_cjk', true)) {
$text = preg_replace_callback('/['. PREG_CLASS_CJK .']+/u', 'search_expand_cjk', $text);
$text = preg_replace_callback('/['. PREG_CLASS_CJK .']+/u', 'search_expand_cjk', $text);
}
// To improve searching for numerical data such as dates, IP addresses
......
......@@ -332,7 +332,7 @@ function search_simplify($text) {
// Simple CJK handling
if (variable_get('overlap_cjk', true)) {
$text = preg_replace_callback('/['. PREG_CLASS_CJK .']+/u', 'search_expand_cjk', $text);
$text = preg_replace_callback('/['. PREG_CLASS_CJK .']+/u', 'search_expand_cjk', $text);
}
// To improve searching for numerical data such as dates, IP addresses
......
......@@ -47,7 +47,7 @@ function system_help($section) {
* Implementation of hook_perm().
*/
function system_perm() {
return array('administer site configuration', 'access administration pages', 'bypass input data check');
return array('administer site configuration', 'access administration pages');
}
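Review bot: Dropping `'bypass input data check'` from the returned array stops the permission being offered in the UI, but any role that was already granted it presumably still has the string stored alongside its other permissions; if that is the case, an update step that removes the stale entry would keep stored permission lists consistent with what `hook_perm` declares. The same change appears in the second `system_perm` hunk below this one.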
/**
......
......@@ -47,7 +47,7 @@ function system_help($section) {
* Implementation of hook_perm().
*/
function system_perm() {
return array('administer site configuration', 'access administration pages', 'bypass input data check');
return array('administer site configuration', 'access administration pages');
}
/**
......
......@@ -208,14 +208,6 @@ function upload_nodeapi(&$node, $op, $arg) {
}
}
// Rename possibly executable scripts to prevent accidental execution.
// Uploaded files are attachments and should be shown in their original
// form, rather than run.
if (preg_match('/\.(php|pl|py|cgi|asp)$/i', $file->filename)) {
$file->filename .= '.txt';
$file->filemime = 'text/plain';
}
if ($error['extension'] == count($user->roles) && $user->uid != 1) {
form_set_error('upload', t('The selected file %name can not be attached to this post, because it is only possible to attach files with the following extensions: %files-allowed.', array('%name' => theme('placeholder', $file->filename), '%files-allowed' => theme('placeholder', $extensions))));
}
......
......@@ -208,14 +208,6 @@ function upload_nodeapi(&$node, $op, $arg) {
}
}
// Rename possibly executable scripts to prevent accidental execution.
// Uploaded files are attachments and should be shown in their original
// form, rather than run.
if (preg_match('/\.(php|pl|py|cgi|asp)$/i', $file->filename)) {
$file->filename .= '.txt';
$file->filemime = 'text/plain';
}
if ($error['extension'] == count($user->roles) && $user->uid != 1) {
form_set_error('upload', t('The selected file %name can not be attached to this post, because it is only possible to attach files with the following extensions: %files-allowed.', array('%name' => theme('placeholder', $file->filename), '%files-allowed' => theme('placeholder', $extensions))));
}
......