#607008 by dww, Gerhard Killesreiter, JacobSingh, and chx: Changed Fix bugs in https support and use https for authorize.php if available.

4 files changed, 36 insertions, 19 deletions

diff --git a/includes/authorize.inc b/includes/authorize.inc
index 9cd4dd32f..772481b2d 100644
--- a/includes/authorize.inc
+++ b/includes/authorize.inc
@@ -10,10 +10,12 @@
  * Build the form for choosing a FileTransfer type and supplying credentials.
  */
 function authorize_filetransfer_form($form_state) {
-  global $base_url;
+  global $base_url, $is_https;
   $form = array();
 
-  $form['#action'] = $base_url . '/authorize.php';
+  // If possible, we want to post this form securely via https.
+  $form['#https'] = TRUE;
+
   // CSS we depend on lives in modules/system/maintenance.css, which is loaded
   // via the default maintenance theme.
   $form['#attached']['js'][] = $base_url . '/misc/authorize.js';
@@ -26,6 +28,10 @@ function authorize_filetransfer_form($form_state) {
   $available_backends = $_SESSION['authorize_filetransfer_backends'];
   uasort($available_backends, 'drupal_sort_weight');
 
+  if (!$is_https) {
+    drupal_set_message(t('WARNING: You are not using an encrypted connection, so your password will be sent in plain text. <a href="@https-link">Learn more</a>.', array('@https-link' => 'http://drupal.org/https-information')), 'error');
+  }
+
   // Decide on a default backend.
   if (isset($form_state['values']['connection_settings']['authorize_filetransfer_default'])) {
     $authorize_filetransfer_default = $form_state['values']['connection_settings']['authorize_filetransfer_default'];
diff --git a/includes/common.inc b/includes/common.inc
index adacdee5e..ce76725cf 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -2375,10 +2375,10 @@ function format_username($account) {
  *   - 'alias': Defaults to FALSE. Whether the given path is a URL alias
  *     already.
  *   - 'external': Whether the given path is an external URL.
- *   - 'language': An optional language object. Used to build the URL to link to
- *     and look up the proper alias for the link.
+ *   - 'language': An optional language object. Used to build the URL to link
+ *     to and look up the proper alias for the link.
  *   - 'https': Whether this URL should point to a secure location. If not
- *     specified, the current scheme is used, so the user stays on http or https
+ *     defined, the current scheme is used, so the user stays on http or https
  *     respectively. TRUE enforces HTTPS and FALSE enforces HTTP, but HTTPS can
  *     only be enforced when the variable 'https' is set to TRUE.
  *   - 'base_url': Only used internally, to modify the base URL when a language
@@ -2401,14 +2401,15 @@ function url($path = NULL, array $options = array()) {
     'query' => array(),
     'absolute' => FALSE,
     'alias' => FALSE,
-    'https' => FALSE,
     'prefix' => ''
   );
 
   if (!isset($options['external'])) {
     // Return an external link if $path contains an allowed absolute URL.
-    // Only call the slow filter_xss_bad_protocol if $path contains a ':' before
-    // any / ? or #.
+    // Only call the slow filter_xss_bad_protocol if $path contains a ':'
+    // before any / ? or #.
+    // Note: we could use url_is_external($path) here, but that would
+    // requre another function call, and performance inside url() is critical.
     $colonpos = strpos($path, ':');
     $options['external'] = ($colonpos !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colonpos)) && filter_xss_bad_protocol($path, FALSE) == check_plain($path));
   }
@@ -2443,6 +2444,14 @@ function url($path = NULL, array $options = array()) {
     if ($options['query']) {
       $path .= (strpos($path, '?') !== FALSE ? '&' : '?') . drupal_http_build_query($options['query']);
     }
+    if (isset($options['https']) && variable_get('https', FALSE)) {
+      if ($options['https'] === TRUE) {
+        $path = str_replace('http://', 'https://', $path);
+      }
+      elseif ($options['https'] === FALSE) {
+        $path = str_replace('https://', 'http://', $path);
+      }
+    }
     // Reassemble.
     return $path . $options['fragment'];
   }
@@ -2521,6 +2530,16 @@ function url($path = NULL, array $options = array()) {
 }
 
 /**
+ * Return TRUE if a path is external (e.g. http://example.com).
+ */
+function url_is_external($path) {
+  $colonpos = strpos($path, ':');
+  // Only call the slow filter_xss_bad_protocol if $path contains a ':'
+  // before any / ? or #.
+  return $colonpos !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colonpos)) && filter_xss_bad_protocol($path, FALSE) == check_plain($path);
+}
+
+/**
  * Format an attribute string to insert in a tag.
  *
  * Each array key and its value will be formatted into an HTML attribute string.
diff --git a/includes/form.inc b/includes/form.inc
index 0de410ea5..062fc089e 100644
--- a/includes/form.inc
+++ b/includes/form.inc
@@ -1017,7 +1017,7 @@ function form_builder($form_id, $element, &$form_state) {
   // Special handling if we're on the top level form element.
   if (isset($element['#type']) && $element['#type'] == 'form') {
     if (!empty($element['#https']) && variable_get('https', FALSE) &&
-        !menu_path_is_external($element['#action'])) {
+        !url_is_external($element['#action'])) {
       global $base_root;
 
       // Not an external URL so ensure that it is secure.
diff --git a/includes/menu.inc b/includes/menu.inc
index 7a6787c5f..558209355 100644
--- a/includes/menu.inc
+++ b/includes/menu.inc
@@ -2517,7 +2517,7 @@ function menu_link_save(&$item) {
 
   // This is the easiest way to handle the unique internal path '<front>',
   // since a path marked as external does not need to match a router path.
-  $item['external'] = (menu_path_is_external($item['link_path'])  || $item['link_path'] == '<front>') ? 1 : 0;
+  $item['external'] = (url_is_external($item['link_path'])  || $item['link_path'] == '<front>') ? 1 : 0;
   // Load defaults.
   $item += array(
     'menu_name' => 'navigation',
@@ -3187,14 +3187,6 @@ function _menu_router_save($menu, $masks) {
 }
 
 /**
- * Returns TRUE if a path is external (e.g. http://example.com).
- */
-function menu_path_is_external($path) {
-  $colonpos = strpos($path, ':');
-  return $colonpos !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colonpos)) && filter_xss_bad_protocol($path, FALSE) == check_plain($path);
-}
-
-/**
  * Checks whether the site is in maintenance mode.
  *
  * This function will log the current user out and redirect to front page
@@ -3254,7 +3246,7 @@ function menu_valid_path($form_item) {
   $path = $form_item['link_path'];
   // We indicate that a menu administrator is running the menu access check.
   $menu_admin = TRUE;
-  if ($path == '<front>' || menu_path_is_external($path)) {
+  if ($path == '<front>' || url_is_external($path)) {
     $item = array('access' => TRUE);
   }
   elseif (preg_match('/\/\%/', $path)) {