summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNeil Drumm2008-08-13 23:59:14 +0000
committerNeil Drumm2008-08-13 23:59:14 +0000
commit49f719f7c4f7c1b69dc35ff8fbdea123e7d88f92 (patch)
treee00700c5701f702c2ec55c6ac04c0e2628bd0104
parent23fb5835bcc2c6211280d4480b3d9a7e8b1767df (diff)
Drupal 6.4.6.4
-rw-r--r--CHANGELOG.txt47
-rw-r--r--includes/common.inc2
-rw-r--r--includes/file.inc374
-rw-r--r--includes/form.inc37
-rw-r--r--modules/blogapi/blogapi.install105
-rw-r--r--modules/blogapi/blogapi.module128
-rw-r--r--modules/book/book.pages.inc7
-rw-r--r--modules/filter/filter.module2
-rw-r--r--modules/poll/poll.module4
-rw-r--r--modules/system/system.module2
-rw-r--r--modules/upload/upload.module110
-rw-r--r--modules/user/user.admin.inc59
12 files changed, 749 insertions, 128 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index f796b7d..d647137 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,28 +1,35 @@
// $Id$
-Drupal 6.4-dev, xxxx-xx-xx (development version)
+Drupal 6.4, 2008-08-13
----------------------
-
+- Fixed a security issue (Cross site scripting, Arbitrary file uploads via
+ BlogAPI, Cross site request forgeries and Various Upload module
+ vulnerabilities), see SA-2008-047.
+- Improved error messages during installation.
+- Fixed a bug that prevented AHAH handlers to be attached to radios widgets.
+- Fixed a variety of small bugs.
Drupal 6.3, 2008-07-09
----------------------
-- fixed security issues, (Cross site scripting, cross site request forgery, session fixation and SQL injection), see SA-2008-044
-- slightly modified installation process to prevent file ownership issues on shared hosts
-- improved PostgreSQL compatibility (rewritten queries; custom blocks)
-- upgraded to jQuery 1.2.6
-- performance improvements to search, menu handling and form API caches
-- fixed Views compatibility issues (Views for Drupal 6 requires Drupal 6.3+)
-- fixed a variety of small bugs.
+- Fixed security issues, (Cross site scripting, cross site request forgery,
+ session fixation and SQL injection), see SA-2008-044.
+- Slightly modified installation process to prevent file ownership issues on
+ shared hosts.
+- Improved PostgreSQL compatibility (rewritten queries; custom blocks).
+- Upgraded to jQuery 1.2.6.
+- Performance improvements to search, menu handling and form API caches.
+- Fixed Views compatibility issues (Views for Drupal 6 requires Drupal 6.3+).
+- Fixed a variety of small bugs.
Drupal 6.2, 2008-04-09
----------------------
-- fixed a variety of small bugs
-- fixed a security issue (Access bypasses), see SA-2008-026
+- Fixed a variety of small bugs.
+- Fixed a security issue (Access bypasses), see SA-2008-026.
Drupal 6.1, 2008-02-27
----------------------
-- fixed a variety of small bugs.
-- fixed a security issue (Cross site scripting), see SA-2008-018
+- Fixed a variety of small bugs.
+- Fixed a security issue (Cross site scripting), see SA-2008-018.
Drupal 6.0, 2008-02-13
----------------------
@@ -124,10 +131,22 @@ Drupal 6.0, 2008-02-13
- Removed old system updates. Updates from Drupal versions prior to 5.x will
require upgrading to 5.x before upgrading to 6.x.
+Drupal 5.10, 2008-08-13
+-----------------------
+- fixed a variety of small bugs.
+- fixed security issues, (Cross site scripting, Arbitrary file uploads via
+ BlogAPI and Cross site request forgery), see SA-2008-047
+
+Drupal 5.9, 2008-07-23
+----------------------
+- fixed a variety of small bugs.
+- fixed security issues, (Session fixation), see SA-2008-046
+
Drupal 5.8, 2008-07-09
----------------------
- fixed a variety of small bugs.
-- fixed security issues, (Cross site scripting, cross site request forgery, and session fixation), see SA-2008-044
+- fixed security issues, (Cross site scripting, cross site request forgery, and
+ session fixation), see SA-2008-044
Drupal 5.7, 2008-01-28
----------------------
diff --git a/includes/common.inc b/includes/common.inc
index 0f5ed11..879b147 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -587,7 +587,7 @@ function drupal_error_handler($errno, $message, $filename, $line, $context) {
return;
}
- if ($errno & (E_ALL)) {
+ if ($errno & (E_ALL ^ E_NOTICE)) {
$types = array(1 => 'error', 2 => 'warning', 4 => 'parse error', 8 => 'notice', 16 => 'core error', 32 => 'core warning', 64 => 'compile error', 128 => 'compile warning', 256 => 'user error', 512 => 'user warning', 1024 => 'user notice', 2048 => 'strict warning', 4096 => 'recoverable fatal error');
// For database errors, we want the line number/file name of the place that
diff --git a/includes/file.inc b/includes/file.inc
index 8000333..20ba3fa 100644
--- a/includes/file.inc
+++ b/includes/file.inc
@@ -527,7 +527,7 @@ function file_save_upload($source, $validators = array(), $dest = FALSE, $replac
$file = new stdClass();
$file->filename = file_munge_filename(trim(basename($_FILES['files']['name'][$source]), '.'), $extensions);
$file->filepath = $_FILES['files']['tmp_name'][$source];
- $file->filemime = $_FILES['files']['type'][$source];
+ $file->filemime = file_get_mimetype($file->filename);
// Rename potentially executable files, to help prevent exploits.
if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
@@ -980,5 +980,377 @@ function file_upload_max_size() {
}
/**
+ * Determine an Internet Media Type, or MIME type from a filename.
+ *
+ * @param $filename
+ * Name of the file, including extension.
+ * @param $mapping
+ * An optional array of extension to media type mappings in the form
+ * 'extension1|extension2|...' => 'type'.
+ *
+ * @return
+ * The internet media type registered for the extension or application/octet-stream for unknown extensions.
+ */
+function file_get_mimetype($filename, $mapping = NULL) {
+ if (!is_array($mapping)) {
+ $mapping = variable_get('mime_extension_mapping', array(
+ 'ez' => 'application/andrew-inset',
+ 'atom' => 'application/atom',
+ 'atomcat' => 'application/atomcat+xml',
+ 'atomsrv' => 'application/atomserv+xml',
+ 'cap|pcap' => 'application/cap',
+ 'cu' => 'application/cu-seeme',
+ 'tsp' => 'application/dsptype',
+ 'spl' => 'application/x-futuresplash',
+ 'hta' => 'application/hta',
+ 'jar' => 'application/java-archive',
+ 'ser' => 'application/java-serialized-object',
+ 'class' => 'application/java-vm',
+ 'hqx' => 'application/mac-binhex40',
+ 'cpt' => 'image/x-corelphotopaint',
+ 'nb' => 'application/mathematica',
+ 'mdb' => 'application/msaccess',
+ 'doc|dot' => 'application/msword',
+ 'bin' => 'application/octet-stream',
+ 'oda' => 'application/oda',
+ 'ogg|ogx' => 'application/ogg',
+ 'pdf' => 'application/pdf',
+ 'key' => 'application/pgp-keys',
+ 'pgp' => 'application/pgp-signature',
+ 'prf' => 'application/pics-rules',
+ 'ps|ai|eps' => 'application/postscript',
+ 'rar' => 'application/rar',
+ 'rdf' => 'application/rdf+xml',
+ 'rss' => 'application/rss+xml',
+ 'rtf' => 'application/rtf',
+ 'smi|smil' => 'application/smil',
+ 'wpd' => 'application/wordperfect',
+ 'wp5' => 'application/wordperfect5.1',
+ 'xhtml|xht' => 'application/xhtml+xml',
+ 'xml|xsl' => 'application/xml',
+ 'zip' => 'application/zip',
+ 'cdy' => 'application/vnd.cinderella',
+ 'kml' => 'application/vnd.google-earth.kml+xml',
+ 'kmz' => 'application/vnd.google-earth.kmz',
+ 'xul' => 'application/vnd.mozilla.xul+xml',
+ 'xls|xlb|xlt' => 'application/vnd.ms-excel',
+ 'cat' => 'application/vnd.ms-pki.seccat',
+ 'stl' => 'application/vnd.ms-pki.stl',
+ 'ppt|pps' => 'application/vnd.ms-powerpoint',
+ 'odc' => 'application/vnd.oasis.opendocument.chart',
+ 'odb' => 'application/vnd.oasis.opendocument.database',
+ 'odf' => 'application/vnd.oasis.opendocument.formula',
+ 'odg' => 'application/vnd.oasis.opendocument.graphics',
+ 'otg' => 'application/vnd.oasis.opendocument.graphics-template',
+ 'odi' => 'application/vnd.oasis.opendocument.image',
+ 'odp' => 'application/vnd.oasis.opendocument.presentation',
+ 'otp' => 'application/vnd.oasis.opendocument.presentation-template',
+ 'ods' => 'application/vnd.oasis.opendocument.spreadsheet',
+ 'ots' => 'application/vnd.oasis.opendocument.spreadsheet-template',
+ 'odt' => 'application/vnd.oasis.opendocument.text',
+ 'odm' => 'application/vnd.oasis.opendocument.text-master',
+ 'ott' => 'application/vnd.oasis.opendocument.text-template',
+ 'oth' => 'application/vnd.oasis.opendocument.text-web',
+ 'docm' => 'application/vnd.ms-word.document.macroEnabled.12',
+ 'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+ 'dotm' => 'application/vnd.ms-word.template.macroEnabled.12',
+ 'dotx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.template',
+ 'potm' => 'application/vnd.ms-powerpoint.template.macroEnabled.12',
+ 'potx' => 'application/vnd.openxmlformats-officedocument.presentationml.template',
+ 'ppam' => 'application/vnd.ms-powerpoint.addin.macroEnabled.12',
+ 'ppsm' => 'application/vnd.ms-powerpoint.slideshow.macroEnabled.12',
+ 'ppsx' => 'application/vnd.openxmlformats-officedocument.presentationml.slideshow',
+ 'pptm' => 'application/vnd.ms-powerpoint.presentation.macroEnabled.12',
+ 'pptx' => 'application/vnd.openxmlformats-officedocument.presentationml.presentation',
+ 'xlam' => 'application/vnd.ms-excel.addin.macroEnabled.12',
+ 'xlsb' => 'application/vnd.ms-excel.sheet.binary.macroEnabled.12',
+ 'xlsm' => 'application/vnd.ms-excel.sheet.macroEnabled.12',
+ 'xlsx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+ 'xltm' => 'application/vnd.ms-excel.template.macroEnabled.12',
+ 'xltx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.template',
+ 'cod' => 'application/vnd.rim.cod',
+ 'mmf' => 'application/vnd.smaf',
+ 'sdc' => 'application/vnd.stardivision.calc',
+ 'sds' => 'application/vnd.stardivision.chart',
+ 'sda' => 'application/vnd.stardivision.draw',
+ 'sdd' => 'application/vnd.stardivision.impress',
+ 'sdf' => 'application/vnd.stardivision.math',
+ 'sdw' => 'application/vnd.stardivision.writer',
+ 'sgl' => 'application/vnd.stardivision.writer-global',
+ 'sxc' => 'application/vnd.sun.xml.calc',
+ 'stc' => 'application/vnd.sun.xml.calc.template',
+ 'sxd' => 'application/vnd.sun.xml.draw',
+ 'std' => 'application/vnd.sun.xml.draw.template',
+ 'sxi' => 'application/vnd.sun.xml.impress',
+ 'sti' => 'application/vnd.sun.xml.impress.template',
+ 'sxm' => 'application/vnd.sun.xml.math',
+ 'sxw' => 'application/vnd.sun.xml.writer',
+ 'sxg' => 'application/vnd.sun.xml.writer.global',
+ 'stw' => 'application/vnd.sun.xml.writer.template',
+ 'sis' => 'application/vnd.symbian.install',
+ 'vsd' => 'application/vnd.visio',
+ 'wbxml' => 'application/vnd.wap.wbxml',
+ 'wmlc' => 'application/vnd.wap.wmlc',
+ 'wmlsc' => 'application/vnd.wap.wmlscriptc',
+ 'wk' => 'application/x-123',
+ '7z' => 'application/x-7z-compressed',
+ 'abw' => 'application/x-abiword',
+ 'dmg' => 'application/x-apple-diskimage',
+ 'bcpio' => 'application/x-bcpio',
+ 'torrent' => 'application/x-bittorrent',
+ 'cab' => 'application/x-cab',
+ 'cbr' => 'application/x-cbr',
+ 'cbz' => 'application/x-cbz',
+ 'cdf' => 'application/x-cdf',
+ 'vcd' => 'application/x-cdlink',
+ 'pgn' => 'application/x-chess-pgn',
+ 'cpio' => 'application/x-cpio',
+ 'csh' => 'text/x-csh',
+ 'deb|udeb' => 'application/x-debian-package',
+ 'dcr|dir|dxr' => 'application/x-director',
+ 'dms' => 'application/x-dms',
+ 'wad' => 'application/x-doom',
+ 'dvi' => 'application/x-dvi',
+ 'rhtml' => 'application/x-httpd-eruby',
+ 'flac' => 'application/x-flac',
+ 'pfa|pfb|gsf|pcf|pcf.Z' => 'application/x-font',
+ 'mm' => 'application/x-freemind',
+ 'gnumeric' => 'application/x-gnumeric',
+ 'sgf' => 'application/x-go-sgf',
+ 'gcf' => 'application/x-graphing-calculator',
+ 'gtar|tgz|taz' => 'application/x-gtar',
+ 'hdf' => 'application/x-hdf',
+ 'phtml|pht|php' => 'application/x-httpd-php',
+ 'phps' => 'application/x-httpd-php-source',
+ 'php3' => 'application/x-httpd-php3',
+ 'php3p' => 'application/x-httpd-php3-preprocessed',
+ 'php4' => 'application/x-httpd-php4',
+ 'ica' => 'application/x-ica',
+ 'ins|isp' => 'application/x-internet-signup',
+ 'iii' => 'application/x-iphone',
+ 'iso' => 'application/x-iso9660-image',
+ 'jnlp' => 'application/x-java-jnlp-file',
+ 'js' => 'application/x-javascript',
+ 'jmz' => 'application/x-jmol',
+ 'chrt' => 'application/x-kchart',
+ 'kil' => 'application/x-killustrator',
+ 'skp|skd|skt|skm' => 'application/x-koan',
+ 'kpr|kpt' => 'application/x-kpresenter',
+ 'ksp' => 'application/x-kspread',
+ 'kwd|kwt' => 'application/x-kword',
+ 'latex' => 'application/x-latex',
+ 'lha' => 'application/x-lha',
+ 'lyx' => 'application/x-lyx',
+ 'lzh' => 'application/x-lzh',
+ 'lzx' => 'application/x-lzx',
+ 'frm|maker|frame|fm|fb|book|fbdoc' => 'application/x-maker',
+ 'mif' => 'application/x-mif',
+ 'wmd' => 'application/x-ms-wmd',
+ 'wmz' => 'application/x-ms-wmz',
+ 'com|exe|bat|dll' => 'application/x-msdos-program',
+ 'msi' => 'application/x-msi',
+ 'nc' => 'application/x-netcdf',
+ 'pac' => 'application/x-ns-proxy-autoconfig',
+ 'nwc' => 'application/x-nwc',
+ 'o' => 'application/x-object',
+ 'oza' => 'application/x-oz-application',
+ 'p7r' => 'application/x-pkcs7-certreqresp',
+ 'crl' => 'application/x-pkcs7-crl',
+ 'pyc|pyo' => 'application/x-python-code',
+ 'qtl' => 'application/x-quicktimeplayer',
+ 'rpm' => 'application/x-redhat-package-manager',
+ 'sh' => 'text/x-sh',
+ 'shar' => 'application/x-shar',
+ 'swf|swfl' => 'application/x-shockwave-flash',
+ 'sit|sitx' => 'application/x-stuffit',
+ 'sv4cpio' => 'application/x-sv4cpio',
+ 'sv4crc' => 'application/x-sv4crc',
+ 'tar' => 'application/x-tar',
+ 'tcl' => 'application/x-tcl',
+ 'gf' => 'application/x-tex-gf',
+ 'pk' => 'application/x-tex-pk',
+ 'texinfo|texi' => 'application/x-texinfo',
+ '~|%|bak|old|sik' => 'application/x-trash',
+ 't|tr|roff' => 'application/x-troff',
+ 'man' => 'application/x-troff-man',
+ 'me' => 'application/x-troff-me',
+ 'ms' => 'application/x-troff-ms',
+ 'ustar' => 'application/x-ustar',
+ 'src' => 'application/x-wais-source',
+ 'wz' => 'application/x-wingz',
+ 'crt' => 'application/x-x509-ca-cert',
+ 'xcf' => 'application/x-xcf',
+ 'fig' => 'application/x-xfig',
+ 'xpi' => 'application/x-xpinstall',
+ 'au|snd' => 'audio/basic',
+ 'mid|midi|kar' => 'audio/midi',
+ 'mpga|mpega|mp2|mp3|m4a' => 'audio/mpeg',
+ 'm3u' => 'audio/x-mpegurl',
+ 'oga|spx' => 'audio/ogg',
+ 'sid' => 'audio/prs.sid',
+ 'aif|aiff|aifc' => 'audio/x-aiff',
+ 'gsm' => 'audio/x-gsm',
+ 'wma' => 'audio/x-ms-wma',
+ 'wax' => 'audio/x-ms-wax',
+ 'ra|rm|ram' => 'audio/x-pn-realaudio',
+ 'ra' => 'audio/x-realaudio',
+ 'pls' => 'audio/x-scpls',
+ 'sd2' => 'audio/x-sd2',
+ 'wav' => 'audio/x-wav',
+ 'alc' => 'chemical/x-alchemy',
+ 'cac|cache' => 'chemical/x-cache',
+ 'csf' => 'chemical/x-cache-csf',
+ 'cbin|cascii|ctab' => 'chemical/x-cactvs-binary',
+ 'cdx' => 'chemical/x-cdx',
+ 'cer' => 'chemical/x-cerius',
+ 'c3d' => 'chemical/x-chem3d',
+ 'chm' => 'chemical/x-chemdraw',
+ 'cif' => 'chemical/x-cif',
+ 'cmdf' => 'chemical/x-cmdf',
+ 'cml' => 'chemical/x-cml',
+ 'cpa' => 'chemical/x-compass',
+ 'bsd' => 'chemical/x-crossfire',
+ 'csml|csm' => 'chemical/x-csml',
+ 'ctx' => 'chemical/x-ctx',
+ 'cxf|cef' => 'chemical/x-cxf',
+ 'emb|embl' => 'chemical/x-embl-dl-nucleotide',
+ 'spc' => 'chemical/x-galactic-spc',
+ 'inp|gam|gamin' => 'chemical/x-gamess-input',
+ 'fch|fchk' => 'chemical/x-gaussian-checkpoint',
+ 'cub' => 'chemical/x-gaussian-cube',
+ 'gau|gjc|gjf' => 'chemical/x-gaussian-input',
+ 'gal' => 'chemical/x-gaussian-log',
+ 'gcg' => 'chemical/x-gcg8-sequence',
+ 'gen' => 'chemical/x-genbank',
+ 'hin' => 'chemical/x-hin',
+ 'istr|ist' => 'chemical/x-isostar',
+ 'jdx|dx' => 'chemical/x-jcamp-dx',
+ 'kin' => 'chemical/x-kinemage',
+ 'mcm' => 'chemical/x-macmolecule',
+ 'mmd|mmod' => 'chemical/x-macromodel-input',
+ 'mol' => 'chemical/x-mdl-molfile',
+ 'rd' => 'chemical/x-mdl-rdfile',
+ 'rxn' => 'chemical/x-mdl-rxnfile',
+ 'sd|sdf' => 'chemical/x-mdl-sdfile',
+ 'tgf' => 'chemical/x-mdl-tgf',
+ 'mcif' => 'chemical/x-mmcif',
+ 'mol2' => 'chemical/x-mol2',
+ 'b' => 'chemical/x-molconn-Z',
+ 'gpt' => 'chemical/x-mopac-graph',
+ 'mop|mopcrt|mpc|dat|zmt' => 'chemical/x-mopac-input',
+ 'moo' => 'chemical/x-mopac-out',
+ 'mvb' => 'chemical/x-mopac-vib',
+ 'asn' => 'chemical/x-ncbi-asn1-spec',
+ 'prt|ent' => 'chemical/x-ncbi-asn1-ascii',
+ 'val|aso' => 'chemical/x-ncbi-asn1-binary',
+ 'pdb|ent' => 'chemical/x-pdb',
+ 'ros' => 'chemical/x-rosdal',
+ 'sw' => 'chemical/x-swissprot',
+ 'vms' => 'chemical/x-vamas-iso14976',
+ 'vmd' => 'chemical/x-vmd',
+ 'xtel' => 'chemical/x-xtel',
+ 'xyz' => 'chemical/x-xyz',
+ 'gif' => 'image/gif',
+ 'ief' => 'image/ief',
+ 'jpeg|jpg|jpe' => 'image/jpeg',
+ 'pcx' => 'image/pcx',
+ 'png' => 'image/png',
+ 'svg|svgz' => 'image/svg+xml',
+ 'tiff|tif' => 'image/tiff',
+ 'djvu|djv' => 'image/vnd.djvu',
+ 'wbmp' => 'image/vnd.wap.wbmp',
+ 'ras' => 'image/x-cmu-raster',
+ 'cdr' => 'image/x-coreldraw',
+ 'pat' => 'image/x-coreldrawpattern',
+ 'cdt' => 'image/x-coreldrawtemplate',
+ 'ico' => 'image/x-icon',
+ 'art' => 'image/x-jg',
+ 'jng' => 'image/x-jng',
+ 'bmp' => 'image/x-ms-bmp',
+ 'psd' => 'image/x-photoshop',
+ 'pnm' => 'image/x-portable-anymap',
+ 'pbm' => 'image/x-portable-bitmap',
+ 'pgm' => 'image/x-portable-graymap',
+ 'ppm' => 'image/x-portable-pixmap',
+ 'rgb' => 'image/x-rgb',
+ 'xbm' => 'image/x-xbitmap',
+ 'xpm' => 'image/x-xpixmap',
+ 'xwd' => 'image/x-xwindowdump',
+ 'eml' => 'message/rfc822',
+ 'igs|iges' => 'model/iges',
+ 'msh|mesh|silo' => 'model/mesh',
+ 'wrl|vrml' => 'model/vrml',
+ 'ics|icz' => 'text/calendar',
+ 'css' => 'text/css',
+ 'csv' => 'text/csv',
+ '323' => 'text/h323',
+ 'html|htm|shtml' => 'text/html',
+ 'uls' => 'text/iuls',
+ 'mml' => 'text/mathml',
+ 'asc|txt|text|pot' => 'text/plain',
+ 'rtx' => 'text/richtext',
+ 'sct|wsc' => 'text/scriptlet',
+ 'tm|ts' => 'text/texmacs',
+ 'tsv' => 'text/tab-separated-values',
+ 'jad' => 'text/vnd.sun.j2me.app-descriptor',
+ 'wml' => 'text/vnd.wap.wml',
+ 'wmls' => 'text/vnd.wap.wmlscript',
+ 'bib' => 'text/x-bibtex',
+ 'boo' => 'text/x-boo',
+ 'h++|hpp|hxx|hh' => 'text/x-c++hdr',
+ 'c++|cpp|cxx|cc' => 'text/x-c++src',
+ 'h' => 'text/x-chdr',
+ 'htc' => 'text/x-component',
+ 'c' => 'text/x-csrc',
+ 'd' => 'text/x-dsrc',
+ 'diff|patch' => 'text/x-diff',
+ 'hs' => 'text/x-haskell',
+ 'java' => 'text/x-java',
+ 'lhs' => 'text/x-literate-haskell',
+ 'moc' => 'text/x-moc',
+ 'p|pas' => 'text/x-pascal',
+ 'gcd' => 'text/x-pcs-gcd',
+ 'pl|pm' => 'text/x-perl',
+ 'py' => 'text/x-python',
+ 'etx' => 'text/x-setext',
+ 'tcl|tk' => 'text/x-tcl',
+ 'tex|ltx|sty|cls' => 'text/x-tex',
+ 'vcs' => 'text/x-vcalendar',
+ 'vcf' => 'text/x-vcard',
+ '3gp' => 'video/3gpp',
+ 'dl' => 'video/dl',
+ 'dif|dv' => 'video/dv',
+ 'fli' => 'video/fli',
+ 'gl' => 'video/gl',
+ 'mpeg|mpg|mpe' => 'video/mpeg',
+ 'mp4' => 'video/mp4',
+ 'ogv' => 'video/ogg',
+ 'qt|mov' => 'video/quicktime',
+ 'mxu' => 'video/vnd.mpegurl',
+ 'lsf|lsx' => 'video/x-la-asf',
+ 'mng' => 'video/x-mng',
+ 'asf|asx' => 'video/x-ms-asf',
+ 'wm' => 'video/x-ms-wm',
+ 'wmv' => 'video/x-ms-wmv',
+ 'wmx' => 'video/x-ms-wmx',
+ 'wvx' => 'video/x-ms-wvx',
+ 'avi' => 'video/x-msvideo',
+ 'movie' => 'video/x-sgi-movie',
+ 'ice' => 'x-conference/x-cooltalk',
+ 'sisx' => 'x-epoc/x-sisx-app',
+ 'vrm|vrml|wrl' => 'x-world/x-vrml',
+ 'xps' => 'application/vnd.ms-xpsdocument',
+ ));
+ }
+ foreach ($mapping as $ext_preg => $mime_match) {
+ if (preg_match('!\.('. $ext_preg .')$!i', $filename)) {
+ return $mime_match;
+ }
+ }
+
+ return 'application/octet-stream';
+}
+
+/**
* @} End of "defgroup file".
*/
diff --git a/includes/form.inc b/includes/form.inc
index 4f00618..fd316eb 100644
--- a/includes/form.inc
+++ b/includes/form.inc
@@ -100,7 +100,7 @@ function drupal_get_form($form_id) {
array_unshift($args_temp, $form_id);
$form = call_user_func_array('drupal_retrieve_form', $args_temp);
- $form_build_id = 'form-'. md5(mt_rand());
+ $form_build_id = 'form-'. md5(uniqid(mt_rand(), true));
$form['#build_id'] = $form_build_id;
drupal_prepare_form($form_id, $form, $form_state);
// Store a copy of the unprocessed form for caching and indicate that it
@@ -216,25 +216,16 @@ function drupal_rebuild_form($form_id, &$form_state, $args, $form_build_id = NUL
}
/**
- * Fetch a form from cache.
- */
-function form_get_cache($form_build_id, &$form_state) {
- if ($cached = cache_get('form_'. $form_build_id, 'cache_form')) {
- $form = $cached->data;
- if ($cached = cache_get('storage_'. $form_build_id, 'cache_form')) {
- $form_state['storage'] = $cached->data;
- }
- return $form;
- }
-}
-
-/**
- * Store a form in the cache
+ * Store a form in the cache.
*/
function form_set_cache($form_build_id, $form, $form_state) {
+ global $user;
// 6 hours cache life time for forms should be plenty.
$expire = 21600;
+ if ($user->uid) {
+ $form['#cache_token'] = drupal_get_token();
+ }
cache_set('form_'. $form_build_id, $form, 'cache_form', time() + $expire);
if (!empty($form_state['storage'])) {
cache_set('storage_'. $form_build_id, $form_state['storage'], 'cache_form', time() + $expire);
@@ -242,6 +233,22 @@ function form_set_cache($form_build_id, $form, $form_state) {
}
/**
+ * Fetch a form from cache.
+ */
+function form_get_cache($form_build_id, &$form_state) {
+ global $user;
+ if ($cached = cache_get('form_'. $form_build_id, 'cache_form')) {
+ $form = $cached->data;
+ if ((isset($form['#cache_token']) && drupal_valid_token($form['#cache_token'])) || (!isset($form['#cache_token']) && !$user->uid)) {
+ if ($cached = cache_get('storage_'. $form_build_id, 'cache_form')) {
+ $form_state['storage'] = $cached->data;
+ }
+ return $form;
+ }
+ }
+}
+
+/**
* Retrieves a form using a form_id, populates it with $form_state['values'],
* processes it, and returns any validation errors encountered. This
* function is the programmatic counterpart to drupal_get_form().
diff --git a/modules/blogapi/blogapi.install b/modules/blogapi/blogapi.install
index c7cc3e5..1c0aebf 100644
--- a/modules/blogapi/blogapi.install
+++ b/modules/blogapi/blogapi.install
@@ -2,6 +2,63 @@
// $Id$
/**
+ * Implementation of hook_install().
+ */
+function blogapi_install() {
+ // Create tables.
+ drupal_install_schema('blogapi');
+}
+
+/**
+ * Implementation of hook_uninstall().
+ */
+function blogapi_uninstall() {
+ // Remove tables.
+ drupal_uninstall_schema('blogapi');
+}
+
+
+/**
+ * Implementation of hook_schema().
+ */
+function blogapi_schema() {
+ //This table was introduced in Drupal 6.4
+ $schema['blogapi_files'] = array(
+ 'description' => t('Stores information for files uploaded via the blogapi.'),
+ 'fields' => array(
+ 'fid' => array(
+ 'description' => t('Primary Key: Unique file ID.'),
+ 'type' => 'serial',
+ ),
+ 'uid' => array(
+ 'description' => t('The {users}.uid of the user who is associated with the file.'),
+ 'type' => 'int',
+ 'unsigned' => TRUE,
+ 'not null' => TRUE,
+ 'default' => 0),
+ 'filepath' => array(
+ 'description' => t('Path of the file relative to Drupal root.'),
+ 'type' => 'varchar',
+ 'length' => 255,
+ 'not null' => TRUE,
+ 'default' => ''),
+ 'filesize' => array(
+ 'description' => t('The size of the file in bytes.'),
+ 'type' => 'int',
+ 'unsigned' => TRUE,
+ 'not null' => TRUE,
+ 'default' => 0),
+ ),
+ 'primary key' => array('fid'),
+ 'indexes' => array(
+ 'uid' => array('uid'),
+ ),
+ );
+
+ return $schema;
+}
+
+/**
* @defgroup updates-5.x-to-6.x Blog API updates from 5.x to 6.x
* @{
*/
@@ -14,7 +71,55 @@ function blogapi_update_6000() {
return array();
}
+
+/**
+ * Add blogapi_files table to enable size restriction for BlogAPI file uploads.
+ *
+ * This table was introduced in Drupal 6.4.
+ */
+function blogapi_update_6001() {
+ $schema['blogapi_files'] = array(
+ 'description' => t('Stores information for files uploaded via the blogapi.'),
+ 'fields' => array(
+ 'fid' => array(
+ 'description' => t('Primary Key: Unique file ID.'),
+ 'type' => 'serial',
+ ),
+ 'uid' => array(
+ 'description' => t('The {users}.uid of the user who is associated with the file.'),
+ 'type' => 'int',
+ 'unsigned' => TRUE,
+ 'not null' => TRUE,
+ 'default' => 0),
+ 'filepath' => array(
+ 'description' => t('Path of the file relative to Drupal root.'),
+ 'type' => 'varchar',
+ 'length' => 255,
+ 'not null' => TRUE,
+ 'default' => ''),
+ 'filesize' => array(
+ 'description' => t('The size of the file in bytes.'),
+ 'type' => 'int',
+ 'unsigned' => TRUE,
+ 'not null' => TRUE,
+ 'default' => 0),
+ ),
+ 'primary key' => array('fid'),
+ 'indexes' => array(
+ 'uid' => array('uid'),
+ ),
+ );
+
+ $ret = array();
+
+ if (!db_table_exists('blogapi_files')) {
+ db_create_table($ret, 'blogapi_files', $schema['blogapi_files']);
+ }
+ return $ret;
+}
+
/**
* @} End of "defgroup updates-5.x-to-6.x"
* The next series of updates should start at 7000.
*/
+
diff --git a/modules/blogapi/blogapi.module b/modules/blogapi/blogapi.module
index bce7100..7ba1ddb 100644
--- a/modules/blogapi/blogapi.module
+++ b/modules/blogapi/blogapi.module
@@ -371,17 +371,64 @@ function blogapi_metaweblog_new_media_object($blogid, $username, $password, $fil
return blogapi_error($user);
}
+ $usersize = 0;
+ $uploadsize = 0;
+
+ $roles = array_intersect(user_roles(FALSE, 'administer content with blog api'), $user->roles);
+
+ foreach ($roles as $rid => $name) {
+ $extensions .= ' '. strtolower(variable_get("blogapi_extensions_$rid", variable_get('blogapi_extensions_default', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp')));
+ $usersize= max($usersize, variable_get("blogapi_usersize_$rid", variable_get('blogapi_usersize_default', 1)) * 1024 * 1024);
+ $uploadsize = max($uploadsize, variable_get("blogapi_uploadsize_$rid", variable_get('blogapi_uploadsize_default', 1)) * 1024 * 1024);
+ }
+
+ $filesize = strlen($file['bits']);
+
+ if ($filesize > $uploadsize) {
+ return blogapi_error(t('It is not possible to upload the file, because it exceeded the maximum filesize of @maxsize.', array('@maxsize' => format_size($uploadsize))));
+ }
+
+ if (_blogapi_space_used($user->uid) + $filesize > $usersize) {
+ return blogapi_error(t('The file can not be attached to this post, because the disk quota of @quota has been reached.', array('@quota' => format_size($usersize))));
+ }
+
+ // Only allow files with whitelisted extensions and convert remaining dots to
+ // underscores to prevent attacks via non-terminal executable extensions with
+ // files such as exploit.php.jpg.
+
+ $whitelist = array_unique(explode(' ', trim($extensions)));
+
$name = basename($file['name']);
+
+ if ($extension_position = strrpos($name, '.')) {
+ $filename = drupal_substr($name, 0, $extension_position);
+ $final_extension = drupal_substr($name, $extension_position + 1);
+
+ if (!in_array(strtolower($final_extension), $whitelist)) {
+ return blogapi_error(t('It is not possible to upload the file, because it is only possible to upload files with the following extensions: @extensions', array('@extensions' => implode(' ', $whitelist))));
+ }
+
+ $filename = str_replace('.', '_', $filename);
+ $filename .= '.'. $final_extension;
+ }
+
$data = $file['bits'];
if (!$data) {
return blogapi_error(t('No file sent.'));
}
- if (!$file = file_save_data($data, $name)) {
+ if (!$file = file_save_data($data, $filename)) {
return blogapi_error(t('Error storing file.'));
}
+ $row = new stdClass();
+ $row->uid = $user->uid;
+ $row->filepath = $file;
+ $row->filesize = $filesize;
+
+ drupal_write_record('blogapi_files', $row);
+
// Return the successful result.
return array('url' => file_create_url($file), 'struct');
}
@@ -568,6 +615,81 @@ function blogapi_admin_settings() {
'#description' => t('Select the content types available to external blogging clients via Blog API. If supported, each enabled content type will be displayed as a separate "blog" by the external client.')
);
+ $blogapi_extensions_default = variable_get('blogapi_extensions_default', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp');
+ $blogapi_uploadsize_default = variable_get('blogapi_uploadsize_default', 1);
+ $blogapi_usersize_default = variable_get('blogapi_usersize_default', 1);
+
+ $form['settings_general'] = array(
+ '#type' => 'fieldset',
+ '#title' => t('File settings'),
+ '#collapsible' => TRUE,
+ );
+
+ $form['settings_general']['blogapi_extensions_default'] = array(
+ '#type' => 'textfield',
+ '#title' => t('Default permitted file extensions'),
+ '#default_value' => $blogapi_extensions_default,
+ '#maxlength' => 255,
+ '#description' => t('Default extensions that users can upload. Separate extensions with a space and do not include the leading dot.'),
+ );
+
+ $form['settings_general']['blogapi_uploadsize_default'] = array(
+ '#type' => 'textfield',
+ '#title' => t('Default maximum file size per upload'),
+ '#default_value' => $blogapi_uploadsize_default,
+ '#size' => 5,
+ '#maxlength' => 5,
+ '#description' => t('The default maximum file size a user can upload.'),
+ '#field_suffix' => t('MB')
+ );
+
+ $form['settings_general']['blogapi_usersize_default'] = array(
+ '#type' => 'textfield',
+ '#title' => t('Default total file size per user'),
+ '#default_value' => $blogapi_usersize_default,
+ '#size' => 5,
+ '#maxlength' => 5,
+ '#description' => t('The default maximum size of all files a user can have on the site.'),
+ '#field_suffix' => t('MB')
+ );
+
+ $form['settings_general']['upload_max_size'] = array('#value' => '<p>'. t('Your PHP settings limit the maximum file size per upload to %size.', array('%size' => format_size(file_upload_max_size()))).'</p>');
+
+ $roles = user_roles(0, 'administer content with blog api');
+ $form['roles'] = array('#type' => 'value', '#value' => $roles);
+
+ foreach ($roles as $rid => $role) {
+ $form['settings_role_'. $rid] = array(
+ '#type' => 'fieldset',
+ '#title' => t('Settings for @role', array('@role' => $role)),
+ '#collapsible' => TRUE,
+ '#collapsed' => TRUE,
+ );
+ $form['settings_role_'. $rid]['blogapi_extensions_'. $rid] = array(
+ '#type' => 'textfield',
+ '#title' => t('Permitted file extensions'),
+ '#default_value' => variable_get('blogapi_extensions_'. $rid, $blogapi_extensions_default),
+ '#maxlength' => 255,
+ '#description' => t('Extensions that users in this role can upload. Separate extensions with a space and do not include the leading dot.'),
+ );
+ $form['settings_role_'. $rid]['blogapi_uploadsize_'. $rid] = array(
+ '#type' => 'textfield',
+ '#title' => t('Maximum file size per upload'),
+ '#default_value' => variable_get('blogapi_uploadsize_'. $rid, $blogapi_uploadsize_default),
+ '#size' => 5,
+ '#maxlength' => 5,
+ '#description' => t('The maximum size of a file a user can upload (in megabytes).'),
+ );
+ $form['settings_role_'. $rid]['blogapi_usersize_'. $rid] = array(
+ '#type' => 'textfield',
+ '#title' => t('Total file size per user'),
+ '#default_value' => variable_get('blogapi_usersize_'. $rid, $blogapi_usersize_default),
+ '#size' => 5,
+ '#maxlength' => 5,
+ '#description' => t('The maximum size of all files a user can have on the site (in megabytes).'),
+ );
+ }
+
return system_settings_form($form);
}
@@ -726,3 +848,7 @@ function _blogapi_get_node_types() {
return $types;
}
+
+function _blogapi_space_used($uid) {
+ return db_result(db_query('SELECT SUM(filesize) FROM {blogapi_files} f WHERE f.uid = %d', $uid));
+}
diff --git a/modules/book/book.pages.inc b/modules/book/book.pages.inc
index a744e97..48b8deb 100644
--- a/modules/book/book.pages.inc
+++ b/modules/book/book.pages.inc
@@ -231,11 +231,8 @@ function book_remove_form_submit($form, &$form_state) {
* Prints the replacement HTML in JSON format.
*/
function book_form_update() {
- $cid = 'form_'. $_POST['form_build_id'];
$bid = $_POST['book']['bid'];
- $cache = cache_get($cid, 'cache_form');
- if ($cache) {
- $form = $cache->data;
+ if ($form = form_get_cache($_POST['form_build_id'], $form_state)) {
// Validate the bid.
if (isset($form['book']['bid']['#options'][$bid])) {
@@ -243,7 +240,7 @@ function book_form_update() {
$book_link['bid'] = $bid;
// Get the new options and update the cache.
$form['book']['plid'] = _book_parent_select($book_link);
- cache_set($cid, $form, 'cache_form', $cache->expire);
+ form_set_cache($_POST['form_build_id'], $form, $form_state);
// Build and render the new select element, then return it in JSON format.
$form_state = array();
diff --git a/modules/filter/filter.module b/modules/filter/filter.module
index 5d03a02..2d0743f 100644
--- a/modules/filter/filter.module
+++ b/modules/filter/filter.module
@@ -983,7 +983,7 @@ function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite',
(
<(?=[^a-zA-Z!/]) # a lone <
| # or
- <[^>]*.(>|$) # a string that starts with a <, up until the > or the end of the string
+ <[^>]*(>|$) # a string that starts with a <, up until the > or the end of the string
| # or
> # just a >
)%x', '_filter_xss_split', $string);
diff --git a/modules/poll/poll.module b/modules/poll/poll.module
index 588136d..9f92561 100644
--- a/modules/poll/poll.module
+++ b/modules/poll/poll.module
@@ -338,7 +338,9 @@ function poll_choice_js() {
// Add the new element to the stored form. Without adding the element to the
// form, Drupal is not aware of this new elements existence and will not
// process it. We retreive the cached form, add the element, and resave.
- $form = form_get_cache($form_build_id, $form_state);
+ if (!$form = form_get_cache($form_build_id, $form_state)) {
+ exit();
+ }
$form['choice_wrapper']['choice'][$delta] = $form_element;
form_set_cache($form_build_id, $form, $form_state);
$form += array(
diff --git a/modules/system/system.module b/modules/system/system.module
index db47daf..d5d43c0 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -9,7 +9,7 @@
/**
* The current system version.
*/
-define('VERSION', '6.4-dev');
+define('VERSION', '6.4');
/**
* Core API compatibility.
diff --git a/modules/upload/upload.module b/modules/upload/upload.module
index d291faa..cf04200 100644
--- a/modules/upload/upload.module
+++ b/modules/upload/upload.module
@@ -144,17 +144,19 @@ function _upload_file_limits($user) {
/**
* Implementation of hook_file_download().
*/
-function upload_file_download($file) {
- if (!user_access('view uploaded files')) {
- return -1;
- }
- $file = file_create_path($file);
- $result = db_query("SELECT f.* FROM {files} f INNER JOIN {upload} u ON f.fid = u.fid WHERE filepath = '%s'", $file);
+function upload_file_download($filepath) {
+ $filepath = file_create_path($filepath);
+ $result = db_query("SELECT f.*, u.nid FROM {files} f INNER JOIN {upload} u ON f.fid = u.fid WHERE filepath = '%s'", $filepath);
if ($file = db_fetch_object($result)) {
- return array(
- 'Content-Type: '. $file->filemime,
- 'Content-Length: '. $file->filesize,
- );
+ if (user_access('view uploaded files') && ($node = node_load($file->nid)) && node_access('view', $node)) {
+ return array(
+ 'Content-Type: ' . $file->filemime,
+ 'Content-Length: ' . $file->filesize,
+ );
+ }
+ else {
+ return -1;
+ }
}
}
@@ -165,7 +167,7 @@ function upload_file_download($file) {
* @param $node
* A node object to associate with uploaded files.
*/
-function upload_node_form_submit($form, &$form_state) {
+function upload_node_form_submit(&$form, &$form_state) {
global $user;
$limits = _upload_file_limits($user);
@@ -180,15 +182,14 @@ function upload_node_form_submit($form, &$form_state) {
$file->list = variable_get('upload_list_default', 1);
$file->description = $file->filename;
$file->weight = 0;
- $_SESSION['upload_files'][$file->fid] = $file;
+ $file->new = TRUE;
+ $form['#node']->files[$file->fid] = $file;
+ $form_state['values']['files'][$file->fid] = (array)$file;
}
- // Attach session files to node.
- if (!empty($_SESSION['upload_files'])) {
- foreach ($_SESSION['upload_files'] as $fid => $file) {
- if (!isset($form_state['values']['files'][$fid]['filepath'])) {
- $form_state['values']['files'][$fid] = (array)$file;
- }
+ if (isset($form_state['values']['files'])) {
+ foreach ($form_state['values']['files'] as $fid => $file) {
+ $form_state['values']['files'][$fid]['new'] = !empty($form['#node']->files[$fid]->new);
}
}
@@ -289,16 +290,6 @@ function upload_nodeapi(&$node, $op, $teaser) {
}
break;
- case 'prepare':
- // Initialize $_SESSION['upload_files'] if no post occurred.
- // This clears the variable from old forms and makes sure it
- // is an array to prevent notices and errors in other parts
- // of upload.module.
- if (!$_POST) {
- $_SESSION['upload_files'] = array();
- }
- break;
-
case 'insert':
case 'update':
if (user_access('upload files')) {
@@ -410,13 +401,13 @@ function upload_save(&$node) {
// Remove it from the session in the case of new uploads,
// that you want to disassociate before node submission.
- unset($_SESSION['upload_files'][$fid]);
+ unset($node->files[$fid]);
// Move on, so the removed file won't be added to new revisions.
continue;
}
// Create a new revision, or associate a new file needed.
- if (!empty($node->old_vid) || isset($_SESSION['upload_files'][$fid])) {
+ if (!empty($node->old_vid) || $file->new) {
db_query("INSERT INTO {upload} (fid, nid, vid, list, description, weight) VALUES (%d, %d, %d, %d, '%s', %d)", $file->fid, $node->nid, $node->vid, $file->list, $file->description, $file->weight);
file_set_status($file, FILE_STATUS_PERMANENT);
}
@@ -426,9 +417,6 @@ function upload_save(&$node) {
file_set_status($file, FILE_STATUS_PERMANENT);
}
}
- // Empty the session storage after save. We use this variable to track files
- // that haven't been related to the node yet.
- unset($_SESSION['upload_files']);
}
function upload_delete($node) {
@@ -491,6 +479,7 @@ function _upload_form($node) {
$form['files'][$key]['filemime'] = array('#type' => 'value', '#value' => $file->filemime);
$form['files'][$key]['filesize'] = array('#type' => 'value', '#value' => $file->filesize);
$form['files'][$key]['fid'] = array('#type' => 'value', '#value' => $file->fid);
+ $form['files'][$key]['new'] = array('#type' => 'value', '#value' => FALSE);
}
}
@@ -516,8 +505,6 @@ function _upload_form($node) {
);
}
- // This value is used in upload_js().
- $form['current']['vid'] = array('#type' => 'hidden', '#value' => isset($node->vid) ? $node->vid : 0);
return $form;
}
@@ -576,45 +563,52 @@ function upload_load($node) {
* Menu-callback for JavaScript-based uploads.
*/
function upload_js() {
+ $cached_form_state = array();
+ $files = array();
+
// Load the form from the Form API cache.
- $cache = cache_get('form_'. $_POST['form_build_id'], 'cache_form');
+ if (!($cached_form = form_get_cache($_POST['form_build_id'], $cached_form_state)) || !isset($cached_form['#node']) || !isset($cached_form['attachments'])) {
+ form_set_error('form_token', t('Validation error, please try again. If this error persists, please contact the site administrator.'));
+ $output = theme('status_messages');
+ print drupal_to_js(array('status' => TRUE, 'data' => $output));
+ exit();
+ }
- // We only do the upload.module part of the node validation process.
- $node = (object)$_POST;
- unset($node->files['upload']);
- $form = $cache->data;
$form_state = array('values' => $_POST);
// Handle new uploads, and merge tmp files into node-files.
- upload_node_form_submit($form, $form_state);
- $node_files = upload_load($node);
- if (!empty($form_state['values']['files'])) {
+ upload_node_form_submit($cached_form, $form_state);
+
+ if(!empty($form_state['values']['files'])) {
foreach ($form_state['values']['files'] as $fid => $file) {
- if (is_numeric($fid)) {
- $node->files[$fid] = $file;
- if (!isset($file['filepath'])) {
- $node->files[$fid] = $node_files[$fid];
- }
+ if (isset($cached_form['#node']->files[$fid])) {
+ $files[$fid] = $cached_form['#node']->files[$fid];
}
}
}
+
+ $node = $cached_form['#node'];
+
+ $node->files = $files;
+
$form = _upload_form($node);
- // Update the default values changed in the $_POST array.
- $files = isset($_POST['files']) ? $_POST['files'] : array();
+ unset($cached_form['attachments']['wrapper']['new']);
+ $cached_form['attachments']['wrapper'] = array_merge($cached_form['attachments']['wrapper'], $form);
+
+ $cached_form['attachments']['#collapsed'] = FALSE;
+
+ form_set_cache($_POST['form_build_id'], $cached_form, $cached_form_state);
+
foreach ($files as $fid => $file) {
if (is_numeric($fid)) {
- $form['files'][$fid]['description']['#default_value'] = $file['description'];
- $form['files'][$fid]['list']['#default_value'] = isset($file['list']) ? 1 : 0;
- $form['files'][$fid]['remove']['#default_value'] = isset($file['remove']) ? 1 : 0;
- $form['files'][$fid]['weight']['#default_value'] = $file['weight'];
+ $form['files'][$fid]['description']['#default_value'] = $form_state['values']['files'][$fid]['description'];
+ $form['files'][$fid]['list']['#default_value'] = !empty($form_state['values']['files'][$fid]['list']);
+ $form['files'][$fid]['remove']['#default_value'] = !empty($form_state['values']['files'][$fid]['remove']);
+ $form['files'][$fid]['weight']['#default_value'] = $form_state['values']['files'][$fid]['weight'];
}
}
- // Add the new element to the stored form state and resave.
- $cache->data['attachments']['wrapper'] = array_merge($cache->data['attachments']['wrapper'], $form);
- cache_set('form_'. $_POST['form_build_id'], $cache->data, 'cache_form', $cache->expire);
-
// Render the form for output.
$form += array(
'#post' => $_POST,
diff --git a/modules/user/user.admin.inc b/modules/user/user.admin.inc
index c639280..e8323b9 100644
--- a/modules/user/user.admin.inc
+++ b/modules/user/user.admin.inc
@@ -707,44 +707,21 @@ function user_admin_access_check() {
}
/**
- * Menu callback: add an access rule
+ * Menu callback: add an access rule.
*/
function user_admin_access_add($mask = NULL, $type = NULL) {
- if ($edit = $_POST) {
- if (!$edit['mask']) {
- form_set_error('mask', t('You must enter a mask.'));
- }
- else {
- db_query("INSERT INTO {access} (mask, type, status) VALUES ('%s', '%s', %d)", $edit['mask'], $edit['type'], $edit['status']);
- $aid = db_last_insert_id('access', 'aid');
- drupal_set_message(t('The access rule has been added.'));
- drupal_goto('admin/user/rules');
- }
- }
- else {
- $edit['mask'] = $mask;
- $edit['type'] = $type;
- }
+ $edit = array();
+ $edit['aid'] = 0;
+ $edit['mask'] = $mask;
+ $edit['type'] = $type;
return drupal_get_form('user_admin_access_add_form', $edit, t('Add rule'));
}
/**
- * Menu callback: edit an access rule
+ * Menu callback: edit an access rule.
*/
function user_admin_access_edit($aid = 0) {
- if ($edit = $_POST) {
- if (!$edit['mask']) {
- form_set_error('mask', t('You must enter a mask.'));
- }
- else {
- db_query("UPDATE {access} SET mask = '%s', type = '%s', status = '%s' WHERE aid = %d", $edit['mask'], $edit['type'], $edit['status'], $aid);
- drupal_set_message(t('The access rule has been saved.'));
- drupal_goto('admin/user/rules');
- }
- }
- else {
- $edit = db_fetch_array(db_query('SELECT aid, type, status, mask FROM {access} WHERE aid = %d', $aid));
- }
+ $edit = db_fetch_array(db_query('SELECT aid, type, status, mask FROM {access} WHERE aid = %d', $aid));
return drupal_get_form('user_admin_access_edit_form', $edit, t('Save rule'));
}
@@ -754,6 +731,11 @@ function user_admin_access_edit($aid = 0) {
* @ingroup forms
*/
function user_admin_access_form(&$form_state, $edit, $submit) {
+ $form = array();
+ $form['aid'] = array(
+ '#type' => 'value',
+ '#value' => $edit['aid'],
+ );
$form['status'] = array(
'#type' => 'radios',
'#title' => t('Access type'),
@@ -777,10 +759,27 @@ function user_admin_access_form(&$form_state, $edit, $submit) {
'#required' => TRUE,
);
$form['submit'] = array('#type' => 'submit', '#value' => $submit);
+ $form['#submit'] = array('user_admin_access_form_submit');
return $form;
}
+/**
+ * Submit callback for user_admin_access_form().
+ */
+function user_admin_access_form_submit($form, &$form_state) {
+ $edit = $form_state['values'];
+ if ($edit['aid']) {
+ db_query("UPDATE {access} SET mask = '%s', type = '%s', status = '%s' WHERE aid = %d", $edit['mask'], $edit['type'], $edit['status'], $edit['aid']);
+ drupal_set_message(t('The access rule has been saved.'));
+ }
+ else {
+ db_query("INSERT INTO {access} (mask, type, status) VALUES ('%s', '%s', %d)", $edit['mask'], $edit['type'], $edit['status']);
+ drupal_set_message(t('The access rule has been added.'));
+ }
+ $form_state['redirect'] = 'admin/user/rules';
+}
+
function user_admin_access_check_validate($form, &$form_state) {
if (empty($form_state['values']['test'])) {
form_set_error($form_state['values']['type'], t('No value entered. Please enter a test string and try again.'));