diff options
author | Angie Byron <webchick@24967.no-reply.drupal.org> | 2009-11-01 23:02:13 +0000 |
---|---|---|
committer | Angie Byron <webchick@24967.no-reply.drupal.org> | 2009-11-01 23:02:13 +0000 |
commit | 14c1c505e0b5915ff85f0698afc209f530fd83fb (patch) | |
tree | fb56f39b8ccf4ea846977b50c07845b5b80cc911 /includes | |
parent | fedcd1acf0f1ee126febe211e8a1f47c27282956 (diff) | |
download | brdo-14c1c505e0b5915ff85f0698afc209f530fd83fb.tar.gz brdo-14c1c505e0b5915ff85f0698afc209f530fd83fb.tar.bz2 |
#607008 by dww, Gerhard Killesreiter, JacobSingh, and chx: Changed Fix bugs in https support and use https for authorize.php if available.
Diffstat (limited to 'includes')
-rw-r--r-- | includes/authorize.inc | 10 | ||||
-rw-r--r-- | includes/common.inc | 31 | ||||
-rw-r--r-- | includes/form.inc | 2 | ||||
-rw-r--r-- | includes/menu.inc | 12 |
4 files changed, 36 insertions, 19 deletions
diff --git a/includes/authorize.inc b/includes/authorize.inc index 9cd4dd32f..772481b2d 100644 --- a/includes/authorize.inc +++ b/includes/authorize.inc @@ -10,10 +10,12 @@ * Build the form for choosing a FileTransfer type and supplying credentials. */ function authorize_filetransfer_form($form_state) { - global $base_url; + global $base_url, $is_https; $form = array(); - $form['#action'] = $base_url . '/authorize.php'; + // If possible, we want to post this form securely via https. + $form['#https'] = TRUE; + // CSS we depend on lives in modules/system/maintenance.css, which is loaded // via the default maintenance theme. $form['#attached']['js'][] = $base_url . '/misc/authorize.js'; @@ -26,6 +28,10 @@ function authorize_filetransfer_form($form_state) { $available_backends = $_SESSION['authorize_filetransfer_backends']; uasort($available_backends, 'drupal_sort_weight'); + if (!$is_https) { + drupal_set_message(t('WARNING: You are not using an encrypted connection, so your password will be sent in plain text. <a href="@https-link">Learn more</a>.', array('@https-link' => 'http://drupal.org/https-information')), 'error'); + } + // Decide on a default backend. if (isset($form_state['values']['connection_settings']['authorize_filetransfer_default'])) { $authorize_filetransfer_default = $form_state['values']['connection_settings']['authorize_filetransfer_default']; diff --git a/includes/common.inc b/includes/common.inc index adacdee5e..ce76725cf 100644 --- a/includes/common.inc +++ b/includes/common.inc @@ -2375,10 +2375,10 @@ function format_username($account) { * - 'alias': Defaults to FALSE. Whether the given path is a URL alias * already. * - 'external': Whether the given path is an external URL. - * - 'language': An optional language object. Used to build the URL to link to - * and look up the proper alias for the link. + * - 'language': An optional language object. Used to build the URL to link + * to and look up the proper alias for the link. * - 'https': Whether this URL should point to a secure location. If not - * specified, the current scheme is used, so the user stays on http or https + * defined, the current scheme is used, so the user stays on http or https * respectively. TRUE enforces HTTPS and FALSE enforces HTTP, but HTTPS can * only be enforced when the variable 'https' is set to TRUE. * - 'base_url': Only used internally, to modify the base URL when a language @@ -2401,14 +2401,15 @@ function url($path = NULL, array $options = array()) { 'query' => array(), 'absolute' => FALSE, 'alias' => FALSE, - 'https' => FALSE, 'prefix' => '' ); if (!isset($options['external'])) { // Return an external link if $path contains an allowed absolute URL. - // Only call the slow filter_xss_bad_protocol if $path contains a ':' before - // any / ? or #. + // Only call the slow filter_xss_bad_protocol if $path contains a ':' + // before any / ? or #. + // Note: we could use url_is_external($path) here, but that would + // requre another function call, and performance inside url() is critical. $colonpos = strpos($path, ':'); $options['external'] = ($colonpos !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colonpos)) && filter_xss_bad_protocol($path, FALSE) == check_plain($path)); } @@ -2443,6 +2444,14 @@ function url($path = NULL, array $options = array()) { if ($options['query']) { $path .= (strpos($path, '?') !== FALSE ? '&' : '?') . drupal_http_build_query($options['query']); } + if (isset($options['https']) && variable_get('https', FALSE)) { + if ($options['https'] === TRUE) { + $path = str_replace('http://', 'https://', $path); + } + elseif ($options['https'] === FALSE) { + $path = str_replace('https://', 'http://', $path); + } + } // Reassemble. return $path . $options['fragment']; } @@ -2521,6 +2530,16 @@ function url($path = NULL, array $options = array()) { } /** + * Return TRUE if a path is external (e.g. http://example.com). + */ +function url_is_external($path) { + $colonpos = strpos($path, ':'); + // Only call the slow filter_xss_bad_protocol if $path contains a ':' + // before any / ? or #. + return $colonpos !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colonpos)) && filter_xss_bad_protocol($path, FALSE) == check_plain($path); +} + +/** * Format an attribute string to insert in a tag. * * Each array key and its value will be formatted into an HTML attribute string. diff --git a/includes/form.inc b/includes/form.inc index 0de410ea5..062fc089e 100644 --- a/includes/form.inc +++ b/includes/form.inc @@ -1017,7 +1017,7 @@ function form_builder($form_id, $element, &$form_state) { // Special handling if we're on the top level form element. if (isset($element['#type']) && $element['#type'] == 'form') { if (!empty($element['#https']) && variable_get('https', FALSE) && - !menu_path_is_external($element['#action'])) { + !url_is_external($element['#action'])) { global $base_root; // Not an external URL so ensure that it is secure. diff --git a/includes/menu.inc b/includes/menu.inc index 7a6787c5f..558209355 100644 --- a/includes/menu.inc +++ b/includes/menu.inc @@ -2517,7 +2517,7 @@ function menu_link_save(&$item) { // This is the easiest way to handle the unique internal path '<front>', // since a path marked as external does not need to match a router path. - $item['external'] = (menu_path_is_external($item['link_path']) || $item['link_path'] == '<front>') ? 1 : 0; + $item['external'] = (url_is_external($item['link_path']) || $item['link_path'] == '<front>') ? 1 : 0; // Load defaults. $item += array( 'menu_name' => 'navigation', @@ -3187,14 +3187,6 @@ function _menu_router_save($menu, $masks) { } /** - * Returns TRUE if a path is external (e.g. http://example.com). - */ -function menu_path_is_external($path) { - $colonpos = strpos($path, ':'); - return $colonpos !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colonpos)) && filter_xss_bad_protocol($path, FALSE) == check_plain($path); -} - -/** * Checks whether the site is in maintenance mode. * * This function will log the current user out and redirect to front page @@ -3254,7 +3246,7 @@ function menu_valid_path($form_item) { $path = $form_item['link_path']; // We indicate that a menu administrator is running the menu access check. $menu_admin = TRUE; - if ($path == '<front>' || menu_path_is_external($path)) { + if ($path == '<front>' || url_is_external($path)) { $item = array('access' => TRUE); } elseif (preg_match('/\/\%/', $path)) { |