Commit 8ca7bee6 authored by drumm's avatar drumm

Drupal 5.10.

parent 4c6fd4ac
// $Id$
Drupal 5.10, xxxx-xx-xx
Drupal 5.10, 2008-08-13
-----------------------
- fixed a variety of small bugs.
- fixed security issues, (Cross site scripting, Arbitrary file uploads via
BlogAPI and Cross site request forgery), see SA-2008-047
Drupal 5.9, 2008-07-23
----------------------
......@@ -12,7 +14,8 @@ Drupal 5.9, 2008-07-23
Drupal 5.8, 2008-07-09
----------------------
- fixed a variety of small bugs.
- fixed security issues, (Cross site scripting, cross site request forgery, and session fixation), see SA-2008-044
- fixed security issues, (Cross site scripting, cross site request forgery, and
session fixation), see SA-2008-044
Drupal 5.7, 2008-01-28
----------------------
......
<?php
// $Id$
/**
* Implementation of hook_install().
*/
function blogapi_install() {
// Create table.
switch ($GLOBALS['db_type']) {
case 'mysql':
case 'mysqli':
db_query("CREATE TABLE {blogapi_files} (
fid int NOT NULL auto_increment,
uid int unsigned NOT NULL default 0,
filepath varchar(255) NOT NULL default '',
filesize int unsigned NOT NULL default 0,
PRIMARY KEY (fid),
KEY uid (uid)
) /*!40100 DEFAULT CHARACTER SET UTF8 */ ");
break;
case 'pgsql':
db_query("CREATE TABLE {blogapi_files} (
fid serial,
filename varchar(255) NOT NULL default '',
filepath varchar(255) NOT NULL default '',
filesize int_unsigned NOT NULL default 0,
PRIMARY KEY (fid)
)");
db_query("CREATE INDEX {blogapi_files}_uid_idx ON {blogapi_files} (uid)");
break;
}
}
/**
* Implementation of hook_uninstall().
*/
function blogapi_uninstall() {
// Remove table.
db_query("DROP TABLE {blogapi_files}");
}
/**
* @defgroup updates-5.x-extra Extra blogapi updates for 5.x
* @{
*/
/**
* Add blogapi_files table to enable size restriction for BlogAPI file uploads.
*
* Added in Drupal 5.10 (and 6.4).
*/
function blogapi_update_5000() {
$ret = array();
switch ($GLOBALS['db_type']) {
case 'mysql':
case 'mysqli':
$ret[] = update_sql("CREATE TABLE {blogapi_files} (
fid int NOT NULL auto_increment,
uid int unsigned NOT NULL default 0,
filepath varchar(255) NOT NULL default '',
filesize int unsigned NOT NULL default 0,
PRIMARY KEY (fid),
KEY uid (uid)
) /*!40100 DEFAULT CHARACTER SET UTF8 */ ");
break;
case 'pgsql':
$ret[] = update_sql("CREATE TABLE {blogapi_files} (
fid serial,
filename varchar(255) NOT NULL default '',
filepath varchar(255) NOT NULL default '',
filesize int_unsigned NOT NULL default 0,
PRIMARY KEY (fid)
)");
$ret[] = update_sql("CREATE INDEX {blogapi_files}_uid_idx ON {blogapi_files} (uid)");
break;
}
return $ret;
}
/**
* @} End of "defgroup updates-5.x-extra"
*/
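Review bot: The PostgreSQL branch of blogapi_install() (and the identical branch in blogapi_update_5000()) declares a `filename` column where the MySQL branch declares `uid`, yet the very next statement builds `{blogapi_files}_uid_idx` on `uid`, and the module's `INSERT INTO {blogapi_files} (uid, filepath, filesize)` and `SUM(filesize) ... WHERE f.uid = %d` queries also address `uid`. On PostgreSQL the CREATE INDEX and every later INSERT should fail for lack of that column, so the per-user quota this table exists to track would presumably never accumulate anything there — worth confirming on a pgsql install before release. Replace `filename varchar(255) NOT NULL default '',` with `uid int_unsigned NOT NULL default 0,` in both pgsql CREATE TABLE statements so the two database branches describe the same table.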
......@@ -362,20 +362,63 @@ function blogapi_metaweblog_new_media_object($blogid, $username, $password, $fil
return blogapi_error($user);
}
$usersize = 0;
$uploadsize = 0;
$roles = array_intersect(user_roles(0, 'administer content with blog api'), $user->roles);
foreach ($roles as $rid => $name) {
$extensions .= ' '. strtolower(variable_get("blogapi_extensions_$rid", variable_get('blogapi_extensions_default', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp')));
$usersize= max($usersize, variable_get("blogapi_usersize_$rid", variable_get('blogapi_usersize_default', 1)) * 1024 * 1024);
$uploadsize = max($uploadsize, variable_get("blogapi_uploadsize_$rid", variable_get('blogapi_uploadsize_default', 1)) * 1024 * 1024);
}
$filesize = strlen($file['bits']);
if ($filesize > $uploadsize) {
return blogapi_error(t('It is not possible to upload the file, because it exceeded the maximum filesize of @maxsize.', array('@maxsize' => format_size($uploadsize))));
}
if (_blogapi_space_used($user->uid) + $filesize > $usersize) {
return blogapi_error(t('The file can not be attached to this post, because the disk quota of @quota has been reached.', array('@quota' => format_size($usersize))));
}
// Only allow files with whitelisted extensions and convert remaining dots to
// underscores to prevent attacks via non-terminal executable extensions with
// files such as exploit.php.jpg.
$whitelist = array_unique(explode(' ', trim($extensions)));
$name = basename($file['name']);
if ($extension_position = strrpos($name, '.')) {
$filename = drupal_substr($name, 0, $extension_position);
$final_extension = drupal_substr($name, $extension_position + 1);
if (!in_array(strtolower($final_extension), $whitelist)) {
return blogapi_error(t('It is not possible to upload the file, because it is only possible to upload files with the following extensions: @extensions', array('@extensions' => implode(' ', $whitelist))));
}
$filename = str_replace('.', '_', $filename);
$filename .= '.'. $final_extension;
}
$data = $file['bits'];
if (!$data) {
return blogapi_error(t('No file sent.'));
}
if (!$file = file_save_data($data, $name)) {
if (!$file = file_save_data($data, $filename)) {
return blogapi_error(t('Error storing file.'));
}
db_query("INSERT INTO {blogapi_files} (uid, filepath, filesize) VALUES (%d, '%s', %d)", $user->uid, $file, $filesize);
// Return the successful result.
return array('url' => file_create_url($file), 'struct');
}
/**
* Blogging API callback. Returns a list of the taxonomy terms that can be
* associated with a blog node.
......@@ -555,6 +598,82 @@ function blogapi_admin_settings() {
'#description' => t('Select the content types for which you wish to enable posting via blogapi. Each type will appear as a different "blog" in the client application (if supported).')
);
$blogapi_extensions_default = variable_get('blogapi_extensions_default', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp');
$blogapi_uploadsize_default = variable_get('blogapi_uploadsize_default', 1);
$blogapi_usersize_default = variable_get('blogapi_usersize_default', 1);
$form['settings_general'] = array(
'#type' => 'fieldset',
'#title' => t('File settings'),
'#collapsible' => TRUE,
);
$form['settings_general']['blogapi_extensions_default'] = array(
'#type' => 'textfield',
'#title' => t('Default permitted file extensions'),
'#default_value' => $blogapi_extensions_default,
'#maxlength' => 255,
'#description' => t('Default extensions that users can upload. Separate extensions with a space and do not include the leading dot.'),
);
$form['settings_general']['blogapi_uploadsize_default'] = array(
'#type' => 'textfield',
'#title' => t('Default maximum file size per upload'),
'#default_value' => $blogapi_uploadsize_default,
'#size' => 5,
'#maxlength' => 5,
'#description' => t('The default maximum file size a user can upload.'),
'#field_suffix' => t('MB')
);
$form['settings_general']['blogapi_usersize_default'] = array(
'#type' => 'textfield',
'#title' => t('Default total file size per user'),
'#default_value' => $blogapi_usersize_default,
'#size' => 5,
'#maxlength' => 5,
'#description' => t('The default maximum size of all files a user can have on the site.'),
'#field_suffix' => t('MB')
);
$form['settings_general']['upload_max_size'] = array('#value' => '<p>'. t('Your PHP settings limit the maximum file size per upload to %size.', array('%size' => format_size(file_upload_max_size()))).'</p>');
$roles = user_roles(0, 'administer content with blog api');
$form['roles'] = array('#type' => 'value', '#value' => $roles);
foreach ($roles as $rid => $role) {
$form['settings_role_'. $rid] = array(
'#type' => 'fieldset',
'#title' => t('Settings for @role', array('@role' => $role)),
'#collapsible' => TRUE,
'#collapsed' => TRUE,
);
$form['settings_role_'. $rid]['blogapi_extensions_'. $rid] = array(
'#type' => 'textfield',
'#title' => t('Permitted file extensions'),
'#default_value' => variable_get('blogapi_extensions_'. $rid, $blogapi_extensions_default),
'#maxlength' => 255,
'#description' => t('Extensions that users in this role can upload. Separate extensions with a space and do not include the leading dot.'),
);
$form['settings_role_'. $rid]['blogapi_uploadsize_'. $rid] = array(
'#type' => 'textfield',
'#title' => t('Maximum file size per upload'),
'#default_value' => variable_get('blogapi_uploadsize_'. $rid, $blogapi_uploadsize_default),
'#size' => 5,
'#maxlength' => 5,
'#description' => t('The maximum size of a file a user can upload (in megabytes).'),
);
$form['settings_role_'. $rid]['blogapi_usersize_'. $rid] = array(
'#type' => 'textfield',
'#title' => t('Total file size per user'),
'#default_value' => variable_get('blogapi_usersize_'. $rid, $blogapi_usersize_default),
'#size' => 5,
'#maxlength' => 5,
'#description' => t('The maximum size of all files a user can have on the site (in megabytes).'),
);
}
return system_settings_form($form);
}
......@@ -720,3 +839,7 @@ function _blogapi_get_node_types() {
return $types;
}
function _blogapi_space_used($uid) {
return db_result(db_query('SELECT SUM(filesize) FROM {blogapi_files} f WHERE f.uid = %d', $uid));
}
\ No newline at end of file
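Review bot: In blogapi_metaweblog_new_media_object() the extension whitelist is applied only inside `if ($extension_position = strrpos($name, '.'))`, so a name with no dot, or whose only dot is at position 0 such as `.htaccess`, skips the check entirely and leaves `$filename` unset when `file_save_data($data, $filename)` is reached; what file_save_data() does with an empty destination is outside this hunk, but the whitelist should not depend on it. Compute `$extension_position = strrpos($name, '.');` first, reject with `if ($extension_position === FALSE || $extension_position === 0) { return blogapi_error(t('It is not possible to upload the file, because it has no file extension.')); }`, and then run the substr/whitelist/str_replace lines unconditionally. Separately, `$extensions` is appended to with `.=` in the role loop without ever being initialised; add `$extensions = '';` beside `$usersize = 0;`. The function begins above this hunk.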
......@@ -1295,7 +1295,7 @@ function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite',
(
<(?=[^a-zA-Z!/]) # a lone <
| # or
<[^>]*.(>|$) # a string that starts with a <, up until the > or the end of the string
<[^>]*(>|$) # a string that starts with a <, up until the > or the end of the string
| # or
> # just a >
)%x', '_filter_xss_split', $string);
......
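Review bot: The dropped `.` deserves a comment inside the pattern, because nothing in the regex says why `[^>]*` must be followed directly by `(>|$)` and the character is easy to reintroduce. `[^>]*` is greedy and only stops at a `>` or the end of the string, so a `.` placed after it is satisfied either by that `>` itself — letting the match swallow the tag's terminator and run on to the next `>` — or by backtracking one character, and the first case presumably hands `_filter_xss_split()` a string it was not written to handle. I would add above the new alternative `# no '.' between [^>]* and (>|$): it would eat the terminating > and run on to the next one (see SA-2008-047)`, keeping the advisory reference only if that is indeed the fix the changelog entry describes. filter_xss() itself starts and ends outside this hunk.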
......@@ -6,7 +6,7 @@
* Configuration system that lets administrators modify the workings of the site.
*/
define('VERSION', '5.10-dev');
define('VERSION', '5.10');
/**
* Implementation of hook_help().
......
......@@ -1658,21 +1658,10 @@ function user_admin_access_check_submit($form_id, $form_values) {
* Menu callback: add an access rule
*/
function user_admin_access_add($mask = NULL, $type = NULL) {
if ($edit = $_POST) {
if (!$edit['mask']) {
form_set_error('mask', t('You must enter a mask.'));
}
else {
$aid = db_next_id('{access}_aid');
db_query("INSERT INTO {access} (aid, mask, type, status) VALUES ('%s', '%s', '%s', %d)", $aid, $edit['mask'], $edit['type'], $edit['status']);
drupal_set_message(t('The access rule has been added.'));
drupal_goto('admin/user/rules');
}
}
else {
$edit['mask'] = $mask;
$edit['type'] = $type;
}
$edit = array();
$edit['aid'] = 0;
$edit['mask'] = $mask;
$edit['type'] = $type;
return drupal_get_form('user_admin_access_add_form', $edit, t('Add rule'));
}
......@@ -1704,23 +1693,16 @@ function user_admin_access_delete_confirm_submit($form_id, $form_values) {
* Menu callback: edit an access rule
*/
function user_admin_access_edit($aid = 0) {
if ($edit = $_POST) {
if (!$edit['mask']) {
form_set_error('mask', t('You must enter a mask.'));
}
else {
db_query("UPDATE {access} SET mask = '%s', type = '%s', status = '%s' WHERE aid = %d", $edit['mask'], $edit['type'], $edit['status'], $aid);
drupal_set_message(t('The access rule has been saved.'));
drupal_goto('admin/user/rules');
}
}
else {
$edit = db_fetch_array(db_query('SELECT aid, type, status, mask FROM {access} WHERE aid = %d', $aid));
}
$edit = db_fetch_array(db_query('SELECT aid, type, status, mask FROM {access} WHERE aid = %d', $aid));
return drupal_get_form('user_admin_access_edit_form', $edit, t('Save rule'));
}
function user_admin_access_form($edit, $submit) {
$form = array();
$form['aid'] = array(
'#type' => 'value',
'#value' => $edit['aid'],
);
$form['status'] = array(
'#type' => 'radios',
'#title' => t('Access type'),
......@@ -1744,10 +1726,26 @@ function user_admin_access_form($edit, $submit) {
'#required' => TRUE,
);
$form['submit'] = array('#type' => 'submit', '#value' => $submit);
$form['#base'] = 'user_admin_access_form';
return $form;
}
/**
* Submit callback for user_admin_access_form().
*/
function user_admin_access_form_submit($form_id, $form_values) {
if ($form_values['aid']) {
db_query("UPDATE {access} SET mask = '%s', type = '%s', status = '%s' WHERE aid = %d", $form_values['mask'], $form_values['type'], $form_values['status'], $form_values['aid']);
drupal_set_message(t('The access rule has been saved.'));
}
else {
db_query("INSERT INTO {access} (mask, type, status) VALUES ('%s', '%s', %d)", $form_values['mask'], $form_values['type'], $form_values['status']);
drupal_set_message(t('The access rule has been added.'));
}
return 'admin/user/rules';
}
/**
* Menu callback: list all access rules
*/
......
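Review bot: In user_admin_access_form_submit() the UPDATE branch writes `status = '%s'` while the INSERT branch two lines below writes `status` as `%d`, and the code this replaces also inserted it with `%d`; the UPDATE should match: `db_query("UPDATE {access} SET mask = '%s', type = '%s', status = %d WHERE aid = %d", $form_values['mask'], $form_values['type'], $form_values['status'], $form_values['aid']);`. The same `if ($form_values['aid'])` test also routes an edit of a non-existent rule into the INSERT branch, because user_admin_access_edit() passes whatever `db_fetch_array()` returned — FALSE for an unknown aid — straight into the form, so `aid` arrives empty and saving silently creates a new rule instead of failing; returning `drupal_not_found()` from user_admin_access_edit() when the fetch yields nothing would close that. Both callbacks and the form builder are shown in full here, but the form builder's middle is outside the visible hunks.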