- Patch #942690 by effulgentsia: security harden stream wrappers by defaulting them as remote.

2 files changed, 50 insertions, 13 deletions

diff --git a/includes/file.inc b/includes/file.inc
index 588bea086..0eb97281f 100644
--- a/includes/file.inc
+++ b/includes/file.inc
@@ -90,12 +90,37 @@ define('FILE_STATUS_PERMANENT', 1);
  *
  * A stream is referenced as "scheme://target".
  *
+ * The optional $filter parameter can be used to retrieve only the stream
+ * wrappers that are appropriate for particular usage. For example, this returns
+ * only stream wrappers that use local file storage:
+ * @code
+ *   $local_stream_wrappers = file_get_stream_wrappers(STEAM_WRAPPERS_LOCAL);
+ * @endcode
+ *
+ * The $filter parameter can only filter to types containing a particular flag.
+ * In some cases, you may want to filter to types that do not contain a
+ * particular flag. For example, you may want to retrieve all stream wrappers
+ * that are not writable, or all stream wrappers that are not local. PHP's
+ * array_diff_key() function can be used to help with this. For example, this
+ * returns only stream wrappers that do not use local file storage:
+ * @code
+ *   $remote_stream_wrappers = array_diff_key(file_get_stream_wrappers(STREAM_WRAPPERS_ALL), file_get_stream_wrappers(STEAM_WRAPPERS_LOCAL));
+ * @endcode
+ *
  * @param $filter
- *  Optionally filter out all types except these.  Defaults to
- *  STREAM_WRAPPERS_ALL, which returns all registered stream wrappers.
+ *   (Optional) Filters out all types except those with an on bit for each on
+ *   bit in $filter. For example, if $filter is STREAM_WRAPPERS_WRITE_VISIBLE,
+ *   which is equal to (STREAM_WRAPPERS_READ | STREAM_WRAPPERS_WRITE |
+ *   STREAM_WRAPPERS_VISIBLE), then only stream wrappers with all three of these
+ *   bits set are returned. Defaults to STREAM_WRAPPERS_ALL, which returns all
+ *   registered stream wrappers.
  *
  * @return
- *   Returns the entire Drupal stream wrapper registry.
+ *   An array keyed by scheme, with values containing an array of information
+ *   about the stream wrapper, as returned by hook_stream_wrappers(). If $filter
+ *   is omitted or set to STREAM_WRAPPERS_ALL, the entire Drupal stream wrapper
+ *   registry is returned. Otherwise only the stream wrappers whose 'type'
+ *   bitmask has an on bit for each bit specified in $filter are returned.
  *
  * @see hook_stream_wrappers()
  * @see hook_stream_wrappers_alter()
@@ -122,11 +147,11 @@ function file_get_stream_wrappers($filter = STREAM_WRAPPERS_ALL) {
         else {
           $wrappers[$scheme]['override'] = FALSE;
         }
-        if (($info['type'] & STREAM_WRAPPERS_REMOTE) == STREAM_WRAPPERS_REMOTE) {
-          stream_wrapper_register($scheme, $info['class'], STREAM_IS_URL);
+        if (($info['type'] & STREAM_WRAPPERS_LOCAL) == STREAM_WRAPPERS_LOCAL) {
+          stream_wrapper_register($scheme, $info['class']);
         }
         else {
-          stream_wrapper_register($scheme, $info['class']);
+          stream_wrapper_register($scheme, $info['class'], STREAM_IS_URL);
         }
       }
       // Pre-populate the static cache with the filters most typically used.
@@ -141,7 +166,7 @@ function file_get_stream_wrappers($filter = STREAM_WRAPPERS_ALL) {
     $wrappers_storage[$filter] = array();
     foreach ($wrappers_storage[STREAM_WRAPPERS_ALL] as $scheme => $info) {
       // Bit-wise filter.
-      if ($info['type'] & $filter == $filter) {
+      if (($info['type'] & $filter) == $filter) {
         $wrappers_storage[$filter][$scheme] = $info;
       }
     }
diff --git a/includes/stream_wrappers.inc b/includes/stream_wrappers.inc
index f49d3bc29..23faf4fc9 100644
--- a/includes/stream_wrappers.inc
+++ b/includes/stream_wrappers.inc
@@ -22,6 +22,9 @@
 
 /**
  * Stream wrapper bit flags that are the basis for composite types.
+ *
+ * Note that 0x0002 is skipped, because it was the value of a constant that has
+ * since been removed.
  */
 
 /**
@@ -35,11 +38,6 @@ define('STREAM_WRAPPERS_ALL', 0x0000);
 define('STREAM_WRAPPERS_LOCAL', 0x0001);
 
 /**
- * Stream wrapper bit flag -- refers to a remote filesystem location.
- */
-define('STREAM_WRAPPERS_REMOTE', 0x0002);
-
-/**
  * Stream wrapper bit flag -- wrapper is readable (almost always true).
  */
 define('STREAM_WRAPPERS_READ', 0x0004);
@@ -65,6 +63,11 @@ define('STREAM_WRAPPERS_VISIBLE', 0x0010);
 define('STREAM_WRAPPERS_HIDDEN', STREAM_WRAPPERS_READ | STREAM_WRAPPERS_WRITE);
 
 /**
+ * Stream wrapper type flag -- hidden, readable and writeable using local files.
+ */
+define('STREAM_WRAPPERS_LOCAL_HIDDEN', STREAM_WRAPPERS_LOCAL | STREAM_WRAPPERS_HIDDEN);
+
+/**
  * Stream wrapper type flag -- visible, readable and writeable.
  */
 define('STREAM_WRAPPERS_WRITE_VISIBLE', STREAM_WRAPPERS_READ | STREAM_WRAPPERS_WRITE | STREAM_WRAPPERS_VISIBLE);
@@ -75,9 +78,18 @@ define('STREAM_WRAPPERS_WRITE_VISIBLE', STREAM_WRAPPERS_READ | STREAM_WRAPPERS_W
 define('STREAM_WRAPPERS_READ_VISIBLE', STREAM_WRAPPERS_READ | STREAM_WRAPPERS_VISIBLE);
 
 /**
+ * Stream wrapper type flag -- the default when 'type' is omitted from
+ * hook_stream_wrappers(). This does not include STREAM_WRAPPERS_LOCAL,
+ * because PHP grants a greater trust level to local files (for example, they
+ * can be used in an "include" statement, regardless of the "allow_url_include"
+ * setting), so stream wrappers need to explicitly opt-in to this.
+ */
+define('STREAM_WRAPPERS_NORMAL', STREAM_WRAPPERS_WRITE_VISIBLE);
+
+/**
  * Stream wrapper type flag -- visible, readable and writeable using local files.
  */
-define('STREAM_WRAPPERS_NORMAL', STREAM_WRAPPERS_LOCAL | STREAM_WRAPPERS_WRITE_VISIBLE);
+define('STREAM_WRAPPERS_LOCAL_NORMAL', STREAM_WRAPPERS_LOCAL | STREAM_WRAPPERS_NORMAL);
 
 /**
  * Generic PHP stream wrapper interface.