authorDries Buytaert <dries@buytaert.net>2005-11-29 20:17:10 +0000
committerDries Buytaert <dries@buytaert.net>2005-11-29 20:17:10 +0000
commit2d0df351d704ba34d191831f7d4b8cb385555be2 (patch)
treeb18d02dfa6d075ff540eeffc4ab38393e53a3da0 /includes
parent236da7af059e6cf3aba6e8ec923e082b1f8fe143 (diff)
- Various fixes. Updated CHANGELOG.txt
Diffstat (limited to 'includes')
-rw-r--r--includes/bootstrap.inc6
-rw-r--r--includes/common.inc67
-rw-r--r--includes/database.mysql.inc2
-rw-r--r--includes/database.mysqli.inc2
-rw-r--r--includes/database.pgsql.inc2
-rw-r--r--includes/file.inc18
-rw-r--r--includes/unicode.inc4
7 files changed, 27 insertions, 74 deletions
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 6c87605ac..9d3e44cd0 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -708,14 +708,12 @@ function arg($index) {
}
/**
- * Prepare a URL for use in an HTML attribute.
+ * Prepare a URL for use in an HTML attribute. Strips harmful protocols.
*
- * We replace ( and ) with their url-encoded equivalents to prevent XSS attacks.
*/
function check_url($uri) {
$uri = htmlspecialchars($uri, ENT_QUOTES);
-
- $uri = strtr($uri, array('(' => '%28', ')' => '%29'));
+ $uri = filter_xss_bad_protocol($uri, FALSE);
return $uri;
}
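Review bot: The new `filter_xss_bad_protocol($uri, FALSE)` call runs on the already entity-encoded output of htmlspecialchars(), which only works if that helper decodes entities before looking for a scheme (so `javascript&#58;` is caught) and does not escape again on the way out; neither that contract nor the meaning of the FALSE argument is stated, and filter_xss_bad_protocol() itself is not in this diff, so I would comment the call: `// Already HTML-escaped above; FALSE tells filter_xss_bad_protocol() not to escape again, it must still match against the decoded value.` The removed comment says the `(`/`)` encoding was an XSS defence, presumably for output landing inside a CSS `url()`; if any caller still places check_url() output in a style attribute, parentheses now pass through unchanged, and the docblock should say the result is intended for href/src attributes only. The docblock should also state that the return value is already HTML-escaped, so callers must not escape it a second time.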
diff --git a/includes/common.inc b/includes/common.inc
index 84c955eed..08545ce0e 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -616,13 +616,6 @@ function t($string, $args = 0) {
}
/**
- * Encode special characters in a plain-text string for display as HTML.
- */
-function check_plain($text) {
- return htmlspecialchars($text, ENT_QUOTES);
-}
-
-/**
* @defgroup validation Input validation
* @{
* Functions to validate user input.
@@ -668,54 +661,6 @@ function valid_url($url, $absolute = FALSE) {
}
/**
- * Validate data input by a user.
- *
- * Ensures that user data cannot be used to perform attacks on the site.
- *
- * @param $data
- * The input to check.
- * @return
- * TRUE if the input data is acceptable.
- */
-function valid_input_data($data) {
- if (is_array($data) || is_object($data)) {
- // Form data can contain a number of nested arrays.
- foreach ($data as $key => $value) {
- if (!valid_input_data($key) || !valid_input_data($value)) {
- return FALSE;
- }
- }
- }
- else if (isset($data)) {
- // Detect dangerous input data.
-
- // Decode all normal character entities.
- $data = decode_entities($data, array('<', '&', '"'));
-
- // Check strings:
- $match = preg_match('/\Wjavascript\s*:/i', $data);
- $match += preg_match('/\Wexpression\s*\(/i', $data);
- $match += preg_match('/\Walert\s*\(/i', $data);
-
- // Check attributes:
- $match += preg_match("/\W(dynsrc|datasrc|data|lowsrc|on[a-z]+)\s*=[^>]+?>/i", $data);
-
- // Check tags:
- $match += preg_match("/<\s*(applet|script|object|style|embed|form|blink|meta|html|frame|iframe|layer|ilayer|head|frameset|xml)/i", $data);
-
- if ($match) {
- watchdog('security', t('Terminated request because of suspicious input data: %data.', array('%data' => theme('placeholder', $data))));
- return FALSE;
- }
- }
-
- return TRUE;
-}
-/**
- * @} End of "defgroup validation".
- */
-
-/**
* Register an event for the current visitor (hostname/IP) to the flood control mechanism.
*
* @param $name
@@ -1366,17 +1311,7 @@ function _drupal_bootstrap_full() {
}
// Initialize all enabled modules.
module_init();
- if (!user_access('bypass input data check')) {
- // We can't use $_REQUEST because it consists of the contents of $_POST,
- // $_GET and $_COOKIE: if any of the input arrays share a key, only one
- // value will be verified.
- if (!valid_input_data($_GET)
- || !valid_input_data($_POST)
- || !valid_input_data($_COOKIE)
- || !valid_input_data($_FILES)) {
- die('Terminated request because of suspicious input data.');
- }
- }
+ // Undo magic quotes
fix_gpc_magic();
// Initialize the localization system.
$locale = locale_initialize();
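Review bot: Dropping the request-wide blacklist is sensible (the removed patterns were trivially bypassable and rejected legitimate text), but this was also the only visible consumer of the 'bypass input data check' permission; if that permission is still declared in a hook_perm elsewhere (not in this diff) it becomes a dead entry administrators can still grant and should be removed with it. With the check gone, the only defence against what it used to reject is escaping at output, so every path that prints $_GET/$_POST/$_COOKIE data must now go through check_plain()/check_url()/filter_xss(); I would say so in the replacement comment: `// Undo magic quotes. Input is no longer screened here; all user data must be escaped at output (check_plain, check_url, filter_xss).` _drupal_bootstrap_full() begins and ends outside this hunk.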
diff --git a/includes/database.mysql.inc b/includes/database.mysql.inc
index ed02fa886..3fce79940 100644
--- a/includes/database.mysql.inc
+++ b/includes/database.mysql.inc
@@ -105,7 +105,7 @@ function _db_query($query, $debug = 0) {
return $result;
}
else {
- trigger_error(mysql_error() ."\nquery: ". htmlspecialchars($query), E_USER_ERROR);
+ trigger_error(check_plain(mysql_error() ."\nquery: ". $query), E_USER_ERROR);
return FALSE;
}
}
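Review bot: The failed statement is still handed to trigger_error() at E_USER_ERROR, and since _db_query() receives $query as a finished string with any values already interpolated, whatever error handler is installed (not visible here) will expose SQL structure and user-supplied data to the client whenever display_errors is on; wrapping in check_plain() fixes the injected-HTML problem but not the disclosure. I would keep the query text for the log only and raise a generic message, e.g. `error_log(mysql_error() ."\nquery: ". $query); trigger_error(check_plain(mysql_error()), E_USER_ERROR);`, or gate the query echo on a debug setting. Note also that this now depends on check_plain() while the same commit removes that function from common.inc, so it relies on a copy living in bootstrap.inc that this diff does not show.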
diff --git a/includes/database.mysqli.inc b/includes/database.mysqli.inc
index f2583b214..3eaea5854 100644
--- a/includes/database.mysqli.inc
+++ b/includes/database.mysqli.inc
@@ -113,7 +113,7 @@ function _db_query($query, $debug = 0) {
return $result;
}
else {
- trigger_error(mysqli_error($active_db) ."\nquery: ". htmlspecialchars($query), E_USER_ERROR);
+ trigger_error(check_plain(mysqli_error($active_db) ."\nquery: ". $query), E_USER_ERROR);
return FALSE;
}
}
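Review bot: Same concern as the mysql driver: the full query, with any interpolated values, goes to trigger_error() at E_USER_ERROR, so with display_errors on and a default handler the client sees SQL and data; check_plain() only neutralises markup. I would log the detail and surface a generic message: `error_log(mysqli_error($active_db) ."\nquery: ". $query); trigger_error(check_plain(mysqli_error($active_db)), E_USER_ERROR);`. The call also presumes check_plain() is defined before common.inc loads, since this commit deletes it from common.inc and the replacement definition is not in this diff.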
diff --git a/includes/database.pgsql.inc b/includes/database.pgsql.inc
index 415565a47..3c2f8f710 100644
--- a/includes/database.pgsql.inc
+++ b/includes/database.pgsql.inc
@@ -92,7 +92,7 @@ function _db_query($query, $debug = 0) {
return $last_result;
}
else {
- trigger_error(pg_last_error() ."\nquery: ". htmlspecialchars($query), E_USER_ERROR);
+ trigger_error(check_plain(pg_last_error() ."\nquery: ". $query), E_USER_ERROR);
return FALSE;
}
}
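Review bot: As in the mysql/mysqli hunks, the raw query text reaches trigger_error() at E_USER_ERROR and can be displayed to the client when display_errors is on; check_plain() removes the HTML-injection risk but not the information leak. Suggested: `error_log(pg_last_error() ."\nquery: ". $query); trigger_error(check_plain(pg_last_error()), E_USER_ERROR);`. pg_last_error() here is called without a connection argument, so on a multi-connection setup it reports the most recently opened connection rather than the one that failed; passing the active connection resource would make the logged error match the query.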
diff --git a/includes/file.inc b/includes/file.inc
index 41f9a78f1..55f7825d5 100644
--- a/includes/file.inc
+++ b/includes/file.inc
@@ -144,8 +144,24 @@ function file_check_upload($source) {
elseif ($_FILES["edit"]["name"][$source] && is_uploaded_file($_FILES["edit"]["tmp_name"][$source])) {
$file = new StdClass();
$file->filename = trim(basename($_FILES["edit"]["name"][$source]), '.');
- $file->filemime = $_FILES["edit"]["type"][$source];
$file->filepath = $_FILES["edit"]["tmp_name"][$source];
+
+ if (function_exists('mime_content_type')) {
+ $file->filemime = mime_content_type($file->filepath);
+ if ($file->filemime != $_FILES["edit"]["type"][$source]) {
+ watchdog('file', t('For %file the system thinks its MIME type is %detected while the user has given %given for MIME type', array('%file' => theme('placeholder', $file->filepath), '%detected' => theme('placeholder', $file>-filemime), '%given' => theme('placeholder', $_FILES['edit']['type'][$source]))));
+ }
+ }
+ else {
+ $file->filemime = $_FILES["edit"]["type"][$source];
+ }
+ if (((substr($file->filemime, 0, 5) == 'text/' || strpos($file->filemime, 'javascript')) && (substr($file->filepath, -4) != '.txt')) || preg_match('/\.(php|pl|py|cgi|asp)$/i', $file->filename)) {
+ $file->filemime = 'text/plain';
+ rename($file->filepath, $file->filepath .'.txt');
+ $file->filepath .= '.txt';
+ $file->filename .= '.txt';
+ }
+
$file->error = $_FILES["edit"]["error"][$source];
$file->filesize = $_FILES["edit"]["size"][$source];
$file->source = $source;
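Review bot: `theme('placeholder', $file>-filemime)` on the watchdog line is a typo for `$file->filemime`; as written it parses as `$file > -filemime` (a comparison with the bare constant `filemime`), so the log entry records a boolean instead of the detected MIME type and emits a notice. The `.txt` test in the rename condition inspects `$file->filepath`, which is PHP's temporary upload name and will never end in `.txt`, so every text/* upload is renamed (`notes.txt` becomes `notes.txt.txt`); the check belongs on `$file->filename`. The extension regex only matches the final extension and omits `.phtml`/`.php3`/`.php5`, yet Apache's mod_mime honours every extension in a name, so `shell.php.jpg` passes untouched and, for the same reason, appending `.txt` to `shell.php` does not reliably stop it executing (server-configuration dependent); neutering the extension (`shell.php_.txt`) is the safer transform. Also, once the temporary file is rename()d the new path no longer satisfies is_uploaded_file()/move_uploaded_file(), so whatever later moves it into place (outside this hunk; file_check_upload() continues past it) must not depend on those.
```php
    if (function_exists('mime_content_type')) {
      $file->filemime = mime_content_type($file->filepath);
      if ($file->filemime != $_FILES["edit"]["type"][$source]) {
        watchdog('file', t('For %file the system thinks its MIME type is %detected while the user has given %given for MIME type', array('%file' => theme('placeholder', $file->filepath), '%detected' => theme('placeholder', $file->filemime), '%given' => theme('placeholder', $_FILES['edit']['type'][$source]))));
      }
    }
    // … unchanged: fallback to the client-supplied MIME type …
    // Anything a server may execute or a browser may run as script is served as
    // plain text. Every extension in the name is checked, not just the last one,
    // because Apache's mod_mime honours all of them (shell.php.jpg).
    $is_script_mime = substr($file->filemime, 0, 5) == 'text/' || strpos($file->filemime, 'javascript') !== FALSE;
    $script_ext = '/\.(php[0-9]?|phtml|pl|py|cgi|asp)(?=\.|$)/i';
    if (($is_script_mime && substr($file->filename, -4) != '.txt') || preg_match($script_ext, $file->filename)) {
      $file->filemime = 'text/plain';
      // Neuter the dangerous extension rather than only appending .txt;
      // shell.php.txt may still be handed to the PHP handler by mod_mime.
      $file->filename = preg_replace($script_ext, '.$1_', $file->filename);
      rename($file->filepath, $file->filepath .'.txt');
      $file->filepath .= '.txt';
      $file->filename .= '.txt';
    }
```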
diff --git a/includes/unicode.inc b/includes/unicode.inc
index 3508aad64..0c562a8c1 100644
--- a/includes/unicode.inc
+++ b/includes/unicode.inc
@@ -303,6 +303,10 @@ function _decode_entities($prefix, $codepoint, $original, &$table, &$exclude) {
if ($prefix == '#x') {
$codepoint = base_convert($codepoint, 16, 10);
}
+ // Decimal numerical entity (strip leading zeros to avoid PHP octal notation)
+ else {
+ $codepoint = preg_replace('/^0+/', '', $codepoint);
+ }
// Encode codepoint as UTF-8 bytes
if ($codepoint < 0x80) {
$str = chr($codepoint);