Diffstat (limited to 'includes/bootstrap.inc')
-rw-r--r-- | includes/bootstrap.inc | 62 |
1 files changed, 45 insertions, 17 deletions
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index f1faa9a42..622914d65 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -560,7 +560,7 @@ function drupal_settings_initialize() {
 global $base_url, $base_path, $base_root;
 // Export the following settings.php variables to the global namespace
- global $databases, $db_prefix, $cookie_domain, $conf, $installed_profile, $update_free_access, $db_url, $drupal_hash_salt, $is_https, $base_secure_url, $base_insecure_url;
+ global $databases, $cookie_domain, $conf, $installed_profile, $update_free_access, $db_url, $drupal_hash_salt, $is_https, $base_secure_url, $base_insecure_url;
 $conf = array();
 if (file_exists(DRUPAL_ROOT . '/' . conf_path() . '/settings.php')) {
@@ -2149,14 +2149,6 @@ function _drupal_bootstrap_page_cache() {
 * Bootstrap database: Initialize database system and register autoload functions.
 */
 function _drupal_bootstrap_database() {
- // The user agent header is used to pass a database prefix in the request when
- // running tests. However, for security reasons, it is imperative that we
- // validate we ourselves made the request.
- if (isset($_SERVER['HTTP_USER_AGENT']) && (strpos($_SERVER['HTTP_USER_AGENT'], "simpletest") !== FALSE) && !drupal_valid_test_ua($_SERVER['HTTP_USER_AGENT'])) {
- header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
- exit;
- }
-
 // Redirect the user to the installation script if Drupal has not been
 // installed yet (i.e., if no $databases array has been defined in the
 // settings.php file) and we are not already installing.
@@ -2165,6 +2157,42 @@ function _drupal_bootstrap_database() {
 install_goto('install.php');
 }
+ // The user agent header is used to pass a database prefix in the request when
+ // running tests. However, for security reasons, it is imperative that we
+ // validate we ourselves made the request.
+ if (isset($_SERVER['HTTP_USER_AGENT']) && preg_match("/^(simpletest\d+);/", $_SERVER['HTTP_USER_AGENT'], $matches)) {
+ if (!drupal_valid_test_ua($_SERVER['HTTP_USER_AGENT'])) {
+ header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
+ exit;
+ }
+
+ // The first part of the user agent is the prefix itself.
+ $test_prefix = $matches[1];
+
+ // Set the test run id for use in other parts of Drupal.
+ $test_info = &$GLOBALS['drupal_test_info'];
+ $test_info['test_run_id'] = $test_prefix;
+ $test_info['in_child_site'] = TRUE;
+
+ foreach ($GLOBALS['databases']['default'] as &$value) {
+ // Extract the current default database prefix.
+ if (!isset($value['prefix'])) {
+ $current_prefix = '';
+ }
+ else if (is_array($value['prefix'])) {
+ $current_prefix = $value['prefix']['default'];
+ }
+ else {
+ $current_prefix = $value['prefix'];
+ }
+
+ // Remove the current database prefix and replace it by our own.
+ $value['prefix'] = array(
+ 'default' => $current_prefix . $test_prefix,
+ );
+ }
+ }
+
 // Initialize the database system. Note that the connection
 // won't be initialized until it is actually requested.
 require_once DRUPAL_ROOT . '/includes/database/database.inc';
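Review bot: The `foreach ($GLOBALS['databases']['default'] as &$value)` loop leaves `$value` bound by reference to the last connection entry once the loop ends, so any later assignment to a variable named `$value` in _drupal_bootstrap_database() would silently overwrite that entry's freshly set prefix; add `unset($value);` right after the foreach's closing brace. The rest of _drupal_bootstrap_database() runs past this hunk, so I cannot confirm from here whether `$value` is reused further down. Two smaller points on the same block: Drupal's coding standard spells the branch `elseif`, and the pattern would be more robust in single quotes, `preg_match('/^(simpletest\d+);/', $_SERVER['HTTP_USER_AGENT'], $matches)`, since in a double-quoted string `\d` only survives because PHP passes unknown escapes through unchanged.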
@@ -2222,15 +2250,15 @@ function drupal_get_bootstrap_phase() {
 * Validate the HMAC and timestamp of a user agent header from simpletest.
 */
 function drupal_valid_test_ua($user_agent) {
- global $databases;
+ global $drupal_hash_salt;
 list($prefix, $time, $salt, $hmac) = explode(';', $user_agent);
 $check_string = $prefix . ';' . $time . ';' . $salt;
- // We use the database credentials from settings.php to make the HMAC key, since
+ // We use the salt from settings.php to make the HMAC key, since
 // the database is not yet initialized and we can't access any Drupal variables.
 // The file properties add more entropy not easily accessible to others.
 $filepath = DRUPAL_ROOT . '/includes/bootstrap.inc';
- $key = serialize($databases) . filectime($filepath) . fileinode($filepath);
+ $key = $drupal_hash_salt . filectime($filepath) . fileinode($filepath);
 // The HMAC must match.
 return $hmac == drupal_hmac_base64($check_string, $key);
 }
@@ -2239,15 +2267,15 @@ function drupal_valid_test_ua($user_agent) {
 * Generate a user agent string with a HMAC and timestamp for simpletest.
 */
 function drupal_generate_test_ua($prefix) {
- global $databases;
+ global $drupal_hash_salt;
 static $key;
 if (!isset($key)) {
- // We use the database credentials to make the HMAC key, since we
- // check the HMAC before the database is initialized. filectime()
- // and fileinode() are not easily determined from remote.
+ // We use the salt from settings.php to make the HMAC key, since
+ // the database is not yet initialized and we can't access any Drupal variables.
+ // The file properties add more entropy not easily accessible to others.
 $filepath = DRUPAL_ROOT . '/includes/bootstrap.inc';
- $key = serialize($databases) . filectime($filepath) . fileinode($filepath);
+ $key = $drupal_hash_salt . filectime($filepath) . fileinode($filepath);
 }
 // Generate a moderately secure HMAC based on the database credentials.
 $salt = uniqid('', TRUE);
|
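Review bot: The new `$key = $drupal_hash_salt . filectime($filepath) . fileinode($filepath);` line degrades silently when `$drupal_hash_salt` is empty or unset in settings.php, leaving only the file ctime and inode as secret material while drupal_valid_test_ua() still accepts a matching HMAC; guard it with `if (empty($drupal_hash_salt)) { return FALSE; }` before the key is built. The same derivation is repeated in drupal_generate_test_ua() in the next hunk, which should likewise refuse to emit a header when the salt is empty rather than produce a weakly keyed one. While this line is being touched, the context line `return $hmac == drupal_hmac_base64($check_string, $key);` would be safer as `===` (or a constant-time comparison where the PHP version provides one), since `$hmac` comes straight from the request header. The docblock promises timestamp validation, but in the visible body `$time` is only folded into `$check_string` and never compared against the current time.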