Commit c8c15dd3 authored by Dries's avatar Dries

- Fixed problems with filter formats and problem with XML-RPC server.

parent 041563db
......@@ -61,12 +61,6 @@
$xmlrpcArray => 2,
$xmlrpcStruct => 3);
$xmlEntities=array( "amp" => "&",
"quot" => '"',
"lt" => "<",
"gt" => ">",
"apos" => "'");
$xmlrpcerr["unknown_method"]=1;
$xmlrpcstr["unknown_method"]="Unknown method";
$xmlrpcerr["invalid_return"]=2;
......@@ -92,9 +86,6 @@
// let XML parse errors start at 100
$xmlrpcerrxml=100;
// formulate backslashes for escaping regexp
$xmlrpc_backslash=chr(92).chr(92);
// used to store state during parsing
// quick explanation of components:
// st - used to build up a string for evaluation
......@@ -109,36 +100,6 @@
$_xh=array();
function xmlrpc_entity_decode($string) {
$top=split("&", $string);
$op="";
$i=0;
while($i<sizeof($top)) {
if (ereg("^([#a-zA-Z0-9]+);", $top[$i], $regs)) {
$op.=ereg_replace("^[#a-zA-Z0-9]+;",
xmlrpc_lookup_entity($regs[1]),
$top[$i]);
} else {
if ($i==0)
$op=$top[$i];
else
$op.="&" . $top[$i];
}
$i++;
}
return $op;
}
function xmlrpc_lookup_entity($ent) {
global $xmlEntities;
if (isset($xmlEntities[strtolower($ent)]))
return $xmlEntities[strtolower($ent)];
if (ereg("^#([0-9]+)$", $ent, $regs))
return chr($regs[1]);
return "?";
}
function xmlrpc_se($parser, $name, $attrs) {
global $_xh, $xmlrpcDateTime, $xmlrpcString;
......@@ -237,9 +198,9 @@ function xmlrpc_ee($parser, $name) {
case "BASE64":
if ($_xh[$parser]['qt']==1) {
// we use double quotes rather than single so backslashification works OK
$_xh[$parser]['st'].="\"". $_xh[$parser]['ac'] . "\"";
$_xh[$parser]['st'].="'". $_xh[$parser]['ac'] ."'";
} else if ($_xh[$parser]['qt']==2) {
$_xh[$parser]['st'].="base64_decode('". $_xh[$parser]['ac'] . "')";
$_xh[$parser]['st'].="base64_decode('". $_xh[$parser]['ac'] ."')";
} else if ($name=="BOOLEAN") {
$_xh[$parser]['st'].=$_xh[$parser]['ac'];
} else {
......@@ -262,12 +223,12 @@ function xmlrpc_ee($parser, $name) {
// deal with a string value
if (strlen($_xh[$parser]['ac'])>0 &&
$_xh[$parser]['vt']==$xmlrpcString) {
$_xh[$parser]['st'].="\"". $_xh[$parser]['ac'] . "\"";
$_xh[$parser]['st'].="'". $_xh[$parser]['ac'] . "'";
}
// This if() detects if no scalar was inside <VALUE></VALUE>
// and pads an empty "".
if($_xh[$parser]['st'][strlen($_xh[$parser]['st'])-1] == '(') {
$_xh[$parser]['st'].= '""';
$_xh[$parser]['st'].= "''";
}
$_xh[$parser]['st'].=", '" . $_xh[$parser]['vt'] . "')";
if ($_xh[$parser]['cm']) $_xh[$parser]['st'].=",";
......@@ -306,7 +267,7 @@ function xmlrpc_ee($parser, $name) {
function xmlrpc_cd($parser, $data)
{
global $_xh, $xmlrpc_backslash;
global $_xh;
//if (ereg("^[\n\r \t]+$", $data)) return;
// print "adding [${data}]\n";
......@@ -323,12 +284,23 @@ function xmlrpc_cd($parser, $data)
}
// replace characters that eval would
// do special things with
$_xh[$parser]['ac'].=str_replace('$', '\$',
str_replace('"', '\"', str_replace(chr(92),
$xmlrpc_backslash, $data)));
$_xh[$parser]['ac'].= xmlrpc_escape_php($data);
}
}
/**
* Escapes a piece of text so it can be placed literally between single quotes
* as a string inside PHP code.
*
* A single slash is converted to a double slash, a single quote converted to
* a slash followed by a quote.
*/
function xmlrpc_escape_php($data) {
return str_replace(array('\\', "'"),
array('\\\\', "\\'"),
$data);
}
function xmlrpc_dh($parser, $data)
{
global $_xh;
......@@ -337,9 +309,7 @@ function xmlrpc_dh($parser, $data)
$_xh[$parser]['qt']=1;
$_xh[$parser]['lv']=2;
}
$_xh[$parser]['ac'].=str_replace('$', '\$',
str_replace('"', '\"', str_replace(chr(92),
$xmlrpc_backslash, $data)));
$_xh[$parser]['ac'].= xmlrpc_escape_php($data);
}
}
......
......@@ -246,7 +246,7 @@ function parseRequest($data="") {
for($i=0; $i<sizeof($_xh[$parser]['params']); $i++) {
//print "<!-- " . $_xh[$parser]['params'][$i]. "-->\n";
$plist.="$i - " . $_xh[$parser]['params'][$i]. " \n";
eval('$m->addParam(' . $_xh[$parser]['params'][$i]. ");");
$m->addParam(eval('return '. $_xh[$parser]['params'][$i] .';'));
}
// uncomment this to really see what the server's getting!
// xmlrpc_debugmsg($plist);
......@@ -265,13 +265,12 @@ function parseRequest($data="") {
}
if ( (!isset($dmap[$methName]['signature']))
|| $sr[0]) {
$f = $dmap[$methName]['function'];
// if no signature or correct signature
if ($sysCall) {
eval('$r=' . $dmap[$methName]['function'] .
'($this, $m);');
$r = $f($this, $m);
} else {
eval('$r=' . $dmap[$methName]['function'] .
'($m);');
$r = $f($m);
}
} else {
$r=new xmlrpcresp(0,
......
......@@ -436,7 +436,8 @@ function comment_validate_form($edit) {
// 1) Filter it into HTML
// 2) Strip out all HTML tags
// 3) Convert entities back to plain-text.
$edit['subject'] = truncate_utf8(decode_entities(strip_tags(check_output($edit['comment'], $edit['format']))), 29, TRUE);
// Note: format is checked by check_output().
$edit['subject'] = truncate_utf8(decode_entities(strip_tags(check_output($edit['comment'], $edit['format'], TRUE))), 29, TRUE);
}
// Validate the comment's body.
......@@ -496,8 +497,11 @@ function comment_preview($edit) {
$comment->timestamp = time();
$comment->name = check_plain($user->name ? $user->name : $comment->name);
// Preview the comment.
$output .= theme('comment_preview', $comment, theme('links', module_invoke_all('link', 'comment', $comment, 1)));
// Preview the comment if there were no errors, including the 'The supplied input format is invalid.'
// error message, ie. this is a security check here.
if (!form_get_errors()) {
$output .= theme('comment_preview', $comment, theme('links', module_invoke_all('link', 'comment', $comment, 1)));
}
$output .= theme('comment_form', $edit, t('Reply'));
if ($edit['pid']) {
......@@ -658,7 +662,7 @@ function comment_post($edit) {
}
}
else {
print theme('page', comment_preview($edit));
return comment_preview($edit);
}
}
else {
......
......@@ -646,13 +646,35 @@ function filter_list_format($format) {
* @{
* Modules which need to have content filtered can use these functions to
* interact with the filter system.
*
* For more info, see the hook_filter() documentation.
*
* Note: because filters can inject JavaScript or execute PHP code, security is
* vital here. When a user supplies a $format, you should validate it with
* filter_access($format) before accepting/using it. This is normally done in
* the validation stage of the node system. You should for example never make a
* preview of content in a disallowed format.
*/
/**
* Run all the enabled filters on a piece of text.
*/
function check_output($text, $format = FILTER_FORMAT_DEFAULT) {
if (isset($text)) {
*
* You can do a filter_access() check on $format automatically by passing
* $check = TRUE. Note that this will check the permissions of the current user,
* so you should specify $check = FALSE when viewing other people's content.
*
* @param $text
* The text to be filtered.
* @param $format
* The format of the text to be filtered. Specify FILTER_FORMAT_DEFAULT for
* the default format.
* @param $check
* Whether to check the $format with filter_access() first. If set to false,
* make sure the check has performed at some point earlier.
*/
function check_output($text, $format = FILTER_FORMAT_DEFAULT, $check = FALSE) {
// When $check = true, do an access check on $format.
if (isset($text) && (!$check || filter_access($format))) {
if ($format == FILTER_FORMAT_DEFAULT) {
$format = variable_get('filter_default_format', 1);
}
......
......@@ -499,6 +499,13 @@ function node_view($node, $teaser = FALSE, $page = FALSE, $links = TRUE) {
if ($links) {
$node->links = module_invoke_all('link', 'node', $node, !$page);
}
// unset unused $node part so that a bad theme can not open a security hole
if ($teaser) {
unset($node->body);
}
else {
unset($node->teaser);
}
return theme('node', $node, $teaser, $page);
}
......@@ -1469,7 +1476,9 @@ function node_preview($node) {
// Display a preview of the node:
// Previewing alters $node so it needs to be cloned.
$output = theme('node_preview', clone($node));
if (!form_get_errors()) {
$output = theme('node_preview', clone($node));
}
$output .= node_form($node);
......
......@@ -135,7 +135,7 @@ function chameleon_node($node, $main = 0, $page = 0) {
$links = array_merge($links, $node->links);
}
if (count($links)) {
$output .= " <div class=\"links\">". theme('links', $links) ."</div>\n";
$output .= " <div class=\"links\">". theme('links', $links) ."</div>\n";
}
$output .= "</div>\n";
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment