summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNeil Drumm2008-08-13 23:59:09 +0000
committerNeil Drumm2008-08-13 23:59:09 +0000
commit8ca7bee6b416d5aaebe010d3cb714eae8713f785 (patch)
treee5eca8526a52b9d8b91baab814b88ef14f432c14
parent4c6fd4ac8a95662a120840f5e27d78e59aa8df34 (diff)
Drupal 5.10.5.10
-rw-r--r--CHANGELOG.txt9
-rw-r--r--includes/file.inc374
-rw-r--r--modules/blogapi/blogapi.install90
-rw-r--r--modules/blogapi/blogapi.module125
-rw-r--r--modules/filter/filter.module2
-rw-r--r--modules/system/system.module2
-rw-r--r--modules/user/user.module54
7 files changed, 621 insertions, 35 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 479b204..94c0017 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,8 +1,10 @@
// $Id$
-Drupal 5.10, xxxx-xx-xx
+Drupal 5.10, 2008-08-13
-----------------------
-
+- fixed a variety of small bugs.
+- fixed security issues, (Cross site scripting, Arbitrary file uploads via
+ BlogAPI and Cross site request forgery), see SA-2008-047
Drupal 5.9, 2008-07-23
----------------------
@@ -12,7 +14,8 @@ Drupal 5.9, 2008-07-23
Drupal 5.8, 2008-07-09
----------------------
- fixed a variety of small bugs.
-- fixed security issues, (Cross site scripting, cross site request forgery, and session fixation), see SA-2008-044
+- fixed security issues, (Cross site scripting, cross site request forgery, and
+ session fixation), see SA-2008-044
Drupal 5.7, 2008-01-28
----------------------
diff --git a/includes/file.inc b/includes/file.inc
index 12bf337..d18b9e6 100644
--- a/includes/file.inc
+++ b/includes/file.inc
@@ -227,7 +227,7 @@ function file_check_upload($source = 'upload') {
// requires an absolute path, so we use realpath().
$file->filepath = tempnam(realpath(file_directory_temp()), 'tmp_');
- $file->filemime = $_FILES["files"]["type"][$source];
+ $file->filemime = file_get_mimetype($file->filename);
// Rename potentially executable files, to help prevent exploits.
if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
@@ -733,3 +733,375 @@ function file_upload_max_size() {
}
return $max_size;
}
+
+/**
+ * Determine an Internet Media Type, or MIME type from a filename.
+ *
+ * @param $filename
+ * Name of the file, including extension.
+ * @param $mapping
+ * An optional array of extension to media type mappings in the form
+ * 'extension1|extension2|...' => 'type'.
+ *
+ * @return
+ * The internet media type registered for the extension or application/octet-stream for unknown extensions.
+ */
+function file_get_mimetype($filename, $mapping = NULL) {
+ if (!is_array($mapping)) {
+ $mapping = variable_get('mime_extension_mapping', array(
+ 'ez' => 'application/andrew-inset',
+ 'atom' => 'application/atom',
+ 'atomcat' => 'application/atomcat+xml',
+ 'atomsrv' => 'application/atomserv+xml',
+ 'cap|pcap' => 'application/cap',
+ 'cu' => 'application/cu-seeme',
+ 'tsp' => 'application/dsptype',
+ 'spl' => 'application/x-futuresplash',
+ 'hta' => 'application/hta',
+ 'jar' => 'application/java-archive',
+ 'ser' => 'application/java-serialized-object',
+ 'class' => 'application/java-vm',
+ 'hqx' => 'application/mac-binhex40',
+ 'cpt' => 'image/x-corelphotopaint',
+ 'nb' => 'application/mathematica',
+ 'mdb' => 'application/msaccess',
+ 'doc|dot' => 'application/msword',
+ 'bin' => 'application/octet-stream',
+ 'oda' => 'application/oda',
+ 'ogg|ogx' => 'application/ogg',
+ 'pdf' => 'application/pdf',
+ 'key' => 'application/pgp-keys',
+ 'pgp' => 'application/pgp-signature',
+ 'prf' => 'application/pics-rules',
+ 'ps|ai|eps' => 'application/postscript',
+ 'rar' => 'application/rar',
+ 'rdf' => 'application/rdf+xml',
+ 'rss' => 'application/rss+xml',
+ 'rtf' => 'application/rtf',
+ 'smi|smil' => 'application/smil',
+ 'wpd' => 'application/wordperfect',
+ 'wp5' => 'application/wordperfect5.1',
+ 'xhtml|xht' => 'application/xhtml+xml',
+ 'xml|xsl' => 'application/xml',
+ 'zip' => 'application/zip',
+ 'cdy' => 'application/vnd.cinderella',
+ 'kml' => 'application/vnd.google-earth.kml+xml',
+ 'kmz' => 'application/vnd.google-earth.kmz',
+ 'xul' => 'application/vnd.mozilla.xul+xml',
+ 'xls|xlb|xlt' => 'application/vnd.ms-excel',
+ 'cat' => 'application/vnd.ms-pki.seccat',
+ 'stl' => 'application/vnd.ms-pki.stl',
+ 'ppt|pps' => 'application/vnd.ms-powerpoint',
+ 'odc' => 'application/vnd.oasis.opendocument.chart',
+ 'odb' => 'application/vnd.oasis.opendocument.database',
+ 'odf' => 'application/vnd.oasis.opendocument.formula',
+ 'odg' => 'application/vnd.oasis.opendocument.graphics',
+ 'otg' => 'application/vnd.oasis.opendocument.graphics-template',
+ 'odi' => 'application/vnd.oasis.opendocument.image',
+ 'odp' => 'application/vnd.oasis.opendocument.presentation',
+ 'otp' => 'application/vnd.oasis.opendocument.presentation-template',
+ 'ods' => 'application/vnd.oasis.opendocument.spreadsheet',
+ 'ots' => 'application/vnd.oasis.opendocument.spreadsheet-template',
+ 'odt' => 'application/vnd.oasis.opendocument.text',
+ 'odm' => 'application/vnd.oasis.opendocument.text-master',
+ 'ott' => 'application/vnd.oasis.opendocument.text-template',
+ 'oth' => 'application/vnd.oasis.opendocument.text-web',
+ 'docm' => 'application/vnd.ms-word.document.macroEnabled.12',
+ 'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+ 'dotm' => 'application/vnd.ms-word.template.macroEnabled.12',
+ 'dotx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.template',
+ 'potm' => 'application/vnd.ms-powerpoint.template.macroEnabled.12',
+ 'potx' => 'application/vnd.openxmlformats-officedocument.presentationml.template',
+ 'ppam' => 'application/vnd.ms-powerpoint.addin.macroEnabled.12',
+ 'ppsm' => 'application/vnd.ms-powerpoint.slideshow.macroEnabled.12',
+ 'ppsx' => 'application/vnd.openxmlformats-officedocument.presentationml.slideshow',
+ 'pptm' => 'application/vnd.ms-powerpoint.presentation.macroEnabled.12',
+ 'pptx' => 'application/vnd.openxmlformats-officedocument.presentationml.presentation',
+ 'xlam' => 'application/vnd.ms-excel.addin.macroEnabled.12',
+ 'xlsb' => 'application/vnd.ms-excel.sheet.binary.macroEnabled.12',
+ 'xlsm' => 'application/vnd.ms-excel.sheet.macroEnabled.12',
+ 'xlsx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+ 'xltm' => 'application/vnd.ms-excel.template.macroEnabled.12',
+ 'xltx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.template',
+ 'cod' => 'application/vnd.rim.cod',
+ 'mmf' => 'application/vnd.smaf',
+ 'sdc' => 'application/vnd.stardivision.calc',
+ 'sds' => 'application/vnd.stardivision.chart',
+ 'sda' => 'application/vnd.stardivision.draw',
+ 'sdd' => 'application/vnd.stardivision.impress',
+ 'sdf' => 'application/vnd.stardivision.math',
+ 'sdw' => 'application/vnd.stardivision.writer',
+ 'sgl' => 'application/vnd.stardivision.writer-global',
+ 'sxc' => 'application/vnd.sun.xml.calc',
+ 'stc' => 'application/vnd.sun.xml.calc.template',
+ 'sxd' => 'application/vnd.sun.xml.draw',
+ 'std' => 'application/vnd.sun.xml.draw.template',
+ 'sxi' => 'application/vnd.sun.xml.impress',
+ 'sti' => 'application/vnd.sun.xml.impress.template',
+ 'sxm' => 'application/vnd.sun.xml.math',
+ 'sxw' => 'application/vnd.sun.xml.writer',
+ 'sxg' => 'application/vnd.sun.xml.writer.global',
+ 'stw' => 'application/vnd.sun.xml.writer.template',
+ 'sis' => 'application/vnd.symbian.install',
+ 'vsd' => 'application/vnd.visio',
+ 'wbxml' => 'application/vnd.wap.wbxml',
+ 'wmlc' => 'application/vnd.wap.wmlc',
+ 'wmlsc' => 'application/vnd.wap.wmlscriptc',
+ 'wk' => 'application/x-123',
+ '7z' => 'application/x-7z-compressed',
+ 'abw' => 'application/x-abiword',
+ 'dmg' => 'application/x-apple-diskimage',
+ 'bcpio' => 'application/x-bcpio',
+ 'torrent' => 'application/x-bittorrent',
+ 'cab' => 'application/x-cab',
+ 'cbr' => 'application/x-cbr',
+ 'cbz' => 'application/x-cbz',
+ 'cdf' => 'application/x-cdf',
+ 'vcd' => 'application/x-cdlink',
+ 'pgn' => 'application/x-chess-pgn',
+ 'cpio' => 'application/x-cpio',
+ 'csh' => 'text/x-csh',
+ 'deb|udeb' => 'application/x-debian-package',
+ 'dcr|dir|dxr' => 'application/x-director',
+ 'dms' => 'application/x-dms',
+ 'wad' => 'application/x-doom',
+ 'dvi' => 'application/x-dvi',
+ 'rhtml' => 'application/x-httpd-eruby',
+ 'flac' => 'application/x-flac',
+ 'pfa|pfb|gsf|pcf|pcf.Z' => 'application/x-font',
+ 'mm' => 'application/x-freemind',
+ 'gnumeric' => 'application/x-gnumeric',
+ 'sgf' => 'application/x-go-sgf',
+ 'gcf' => 'application/x-graphing-calculator',
+ 'gtar|tgz|taz' => 'application/x-gtar',
+ 'hdf' => 'application/x-hdf',
+ 'phtml|pht|php' => 'application/x-httpd-php',
+ 'phps' => 'application/x-httpd-php-source',
+ 'php3' => 'application/x-httpd-php3',
+ 'php3p' => 'application/x-httpd-php3-preprocessed',
+ 'php4' => 'application/x-httpd-php4',
+ 'ica' => 'application/x-ica',
+ 'ins|isp' => 'application/x-internet-signup',
+ 'iii' => 'application/x-iphone',
+ 'iso' => 'application/x-iso9660-image',
+ 'jnlp' => 'application/x-java-jnlp-file',
+ 'js' => 'application/x-javascript',
+ 'jmz' => 'application/x-jmol',
+ 'chrt' => 'application/x-kchart',
+ 'kil' => 'application/x-killustrator',
+ 'skp|skd|skt|skm' => 'application/x-koan',
+ 'kpr|kpt' => 'application/x-kpresenter',
+ 'ksp' => 'application/x-kspread',
+ 'kwd|kwt' => 'application/x-kword',
+ 'latex' => 'application/x-latex',
+ 'lha' => 'application/x-lha',
+ 'lyx' => 'application/x-lyx',
+ 'lzh' => 'application/x-lzh',
+ 'lzx' => 'application/x-lzx',
+ 'frm|maker|frame|fm|fb|book|fbdoc' => 'application/x-maker',
+ 'mif' => 'application/x-mif',
+ 'wmd' => 'application/x-ms-wmd',
+ 'wmz' => 'application/x-ms-wmz',
+ 'com|exe|bat|dll' => 'application/x-msdos-program',
+ 'msi' => 'application/x-msi',
+ 'nc' => 'application/x-netcdf',
+ 'pac' => 'application/x-ns-proxy-autoconfig',
+ 'nwc' => 'application/x-nwc',
+ 'o' => 'application/x-object',
+ 'oza' => 'application/x-oz-application',
+ 'p7r' => 'application/x-pkcs7-certreqresp',
+ 'crl' => 'application/x-pkcs7-crl',
+ 'pyc|pyo' => 'application/x-python-code',
+ 'qtl' => 'application/x-quicktimeplayer',
+ 'rpm' => 'application/x-redhat-package-manager',
+ 'sh' => 'text/x-sh',
+ 'shar' => 'application/x-shar',
+ 'swf|swfl' => 'application/x-shockwave-flash',
+ 'sit|sitx' => 'application/x-stuffit',
+ 'sv4cpio' => 'application/x-sv4cpio',
+ 'sv4crc' => 'application/x-sv4crc',
+ 'tar' => 'application/x-tar',
+ 'tcl' => 'application/x-tcl',
+ 'gf' => 'application/x-tex-gf',
+ 'pk' => 'application/x-tex-pk',
+ 'texinfo|texi' => 'application/x-texinfo',
+ '~|%|bak|old|sik' => 'application/x-trash',
+ 't|tr|roff' => 'application/x-troff',
+ 'man' => 'application/x-troff-man',
+ 'me' => 'application/x-troff-me',
+ 'ms' => 'application/x-troff-ms',
+ 'ustar' => 'application/x-ustar',
+ 'src' => 'application/x-wais-source',
+ 'wz' => 'application/x-wingz',
+ 'crt' => 'application/x-x509-ca-cert',
+ 'xcf' => 'application/x-xcf',
+ 'fig' => 'application/x-xfig',
+ 'xpi' => 'application/x-xpinstall',
+ 'au|snd' => 'audio/basic',
+ 'mid|midi|kar' => 'audio/midi',
+ 'mpga|mpega|mp2|mp3|m4a' => 'audio/mpeg',
+ 'm3u' => 'audio/x-mpegurl',
+ 'oga|spx' => 'audio/ogg',
+ 'sid' => 'audio/prs.sid',
+ 'aif|aiff|aifc' => 'audio/x-aiff',
+ 'gsm' => 'audio/x-gsm',
+ 'wma' => 'audio/x-ms-wma',
+ 'wax' => 'audio/x-ms-wax',
+ 'ra|rm|ram' => 'audio/x-pn-realaudio',
+ 'ra' => 'audio/x-realaudio',
+ 'pls' => 'audio/x-scpls',
+ 'sd2' => 'audio/x-sd2',
+ 'wav' => 'audio/x-wav',
+ 'alc' => 'chemical/x-alchemy',
+ 'cac|cache' => 'chemical/x-cache',
+ 'csf' => 'chemical/x-cache-csf',
+ 'cbin|cascii|ctab' => 'chemical/x-cactvs-binary',
+ 'cdx' => 'chemical/x-cdx',
+ 'cer' => 'chemical/x-cerius',
+ 'c3d' => 'chemical/x-chem3d',
+ 'chm' => 'chemical/x-chemdraw',
+ 'cif' => 'chemical/x-cif',
+ 'cmdf' => 'chemical/x-cmdf',
+ 'cml' => 'chemical/x-cml',
+ 'cpa' => 'chemical/x-compass',
+ 'bsd' => 'chemical/x-crossfire',
+ 'csml|csm' => 'chemical/x-csml',
+ 'ctx' => 'chemical/x-ctx',
+ 'cxf|cef' => 'chemical/x-cxf',
+ 'emb|embl' => 'chemical/x-embl-dl-nucleotide',
+ 'spc' => 'chemical/x-galactic-spc',
+ 'inp|gam|gamin' => 'chemical/x-gamess-input',
+ 'fch|fchk' => 'chemical/x-gaussian-checkpoint',
+ 'cub' => 'chemical/x-gaussian-cube',
+ 'gau|gjc|gjf' => 'chemical/x-gaussian-input',
+ 'gal' => 'chemical/x-gaussian-log',
+ 'gcg' => 'chemical/x-gcg8-sequence',
+ 'gen' => 'chemical/x-genbank',
+ 'hin' => 'chemical/x-hin',
+ 'istr|ist' => 'chemical/x-isostar',
+ 'jdx|dx' => 'chemical/x-jcamp-dx',
+ 'kin' => 'chemical/x-kinemage',
+ 'mcm' => 'chemical/x-macmolecule',
+ 'mmd|mmod' => 'chemical/x-macromodel-input',
+ 'mol' => 'chemical/x-mdl-molfile',
+ 'rd' => 'chemical/x-mdl-rdfile',
+ 'rxn' => 'chemical/x-mdl-rxnfile',
+ 'sd|sdf' => 'chemical/x-mdl-sdfile',
+ 'tgf' => 'chemical/x-mdl-tgf',
+ 'mcif' => 'chemical/x-mmcif',
+ 'mol2' => 'chemical/x-mol2',
+ 'b' => 'chemical/x-molconn-Z',
+ 'gpt' => 'chemical/x-mopac-graph',
+ 'mop|mopcrt|mpc|dat|zmt' => 'chemical/x-mopac-input',
+ 'moo' => 'chemical/x-mopac-out',
+ 'mvb' => 'chemical/x-mopac-vib',
+ 'asn' => 'chemical/x-ncbi-asn1-spec',
+ 'prt|ent' => 'chemical/x-ncbi-asn1-ascii',
+ 'val|aso' => 'chemical/x-ncbi-asn1-binary',
+ 'pdb|ent' => 'chemical/x-pdb',
+ 'ros' => 'chemical/x-rosdal',
+ 'sw' => 'chemical/x-swissprot',
+ 'vms' => 'chemical/x-vamas-iso14976',
+ 'vmd' => 'chemical/x-vmd',
+ 'xtel' => 'chemical/x-xtel',
+ 'xyz' => 'chemical/x-xyz',
+ 'gif' => 'image/gif',
+ 'ief' => 'image/ief',
+ 'jpeg|jpg|jpe' => 'image/jpeg',
+ 'pcx' => 'image/pcx',
+ 'png' => 'image/png',
+ 'svg|svgz' => 'image/svg+xml',
+ 'tiff|tif' => 'image/tiff',
+ 'djvu|djv' => 'image/vnd.djvu',
+ 'wbmp' => 'image/vnd.wap.wbmp',
+ 'ras' => 'image/x-cmu-raster',
+ 'cdr' => 'image/x-coreldraw',
+ 'pat' => 'image/x-coreldrawpattern',
+ 'cdt' => 'image/x-coreldrawtemplate',
+ 'ico' => 'image/x-icon',
+ 'art' => 'image/x-jg',
+ 'jng' => 'image/x-jng',
+ 'bmp' => 'image/x-ms-bmp',
+ 'psd' => 'image/x-photoshop',
+ 'pnm' => 'image/x-portable-anymap',
+ 'pbm' => 'image/x-portable-bitmap',
+ 'pgm' => 'image/x-portable-graymap',
+ 'ppm' => 'image/x-portable-pixmap',
+ 'rgb' => 'image/x-rgb',
+ 'xbm' => 'image/x-xbitmap',
+ 'xpm' => 'image/x-xpixmap',
+ 'xwd' => 'image/x-xwindowdump',
+ 'eml' => 'message/rfc822',
+ 'igs|iges' => 'model/iges',
+ 'msh|mesh|silo' => 'model/mesh',
+ 'wrl|vrml' => 'model/vrml',
+ 'ics|icz' => 'text/calendar',
+ 'css' => 'text/css',
+ 'csv' => 'text/csv',
+ '323' => 'text/h323',
+ 'html|htm|shtml' => 'text/html',
+ 'uls' => 'text/iuls',
+ 'mml' => 'text/mathml',
+ 'asc|txt|text|pot' => 'text/plain',
+ 'rtx' => 'text/richtext',
+ 'sct|wsc' => 'text/scriptlet',
+ 'tm|ts' => 'text/texmacs',
+ 'tsv' => 'text/tab-separated-values',
+ 'jad' => 'text/vnd.sun.j2me.app-descriptor',
+ 'wml' => 'text/vnd.wap.wml',
+ 'wmls' => 'text/vnd.wap.wmlscript',
+ 'bib' => 'text/x-bibtex',
+ 'boo' => 'text/x-boo',
+ 'h++|hpp|hxx|hh' => 'text/x-c++hdr',
+ 'c++|cpp|cxx|cc' => 'text/x-c++src',
+ 'h' => 'text/x-chdr',
+ 'htc' => 'text/x-component',
+ 'c' => 'text/x-csrc',
+ 'd' => 'text/x-dsrc',
+ 'diff|patch' => 'text/x-diff',
+ 'hs' => 'text/x-haskell',
+ 'java' => 'text/x-java',
+ 'lhs' => 'text/x-literate-haskell',
+ 'moc' => 'text/x-moc',
+ 'p|pas' => 'text/x-pascal',
+ 'gcd' => 'text/x-pcs-gcd',
+ 'pl|pm' => 'text/x-perl',
+ 'py' => 'text/x-python',
+ 'etx' => 'text/x-setext',
+ 'tcl|tk' => 'text/x-tcl',
+ 'tex|ltx|sty|cls' => 'text/x-tex',
+ 'vcs' => 'text/x-vcalendar',
+ 'vcf' => 'text/x-vcard',
+ '3gp' => 'video/3gpp',
+ 'dl' => 'video/dl',
+ 'dif|dv' => 'video/dv',
+ 'fli' => 'video/fli',
+ 'gl' => 'video/gl',
+ 'mpeg|mpg|mpe' => 'video/mpeg',
+ 'mp4' => 'video/mp4',
+ 'ogv' => 'video/ogg',
+ 'qt|mov' => 'video/quicktime',
+ 'mxu' => 'video/vnd.mpegurl',
+ 'lsf|lsx' => 'video/x-la-asf',
+ 'mng' => 'video/x-mng',
+ 'asf|asx' => 'video/x-ms-asf',
+ 'wm' => 'video/x-ms-wm',
+ 'wmv' => 'video/x-ms-wmv',
+ 'wmx' => 'video/x-ms-wmx',
+ 'wvx' => 'video/x-ms-wvx',
+ 'avi' => 'video/x-msvideo',
+ 'movie' => 'video/x-sgi-movie',
+ 'ice' => 'x-conference/x-cooltalk',
+ 'sisx' => 'x-epoc/x-sisx-app',
+ 'vrm|vrml|wrl' => 'x-world/x-vrml',
+ 'xps' => 'application/vnd.ms-xpsdocument',
+ ));
+ }
+ foreach ($mapping as $ext_preg => $mime_match) {
+ if (preg_match('!\.('. $ext_preg .')$!i', $filename)) {
+ return $mime_match;
+ }
+ }
+
+ return 'application/octet-stream';
+}
diff --git a/modules/blogapi/blogapi.install b/modules/blogapi/blogapi.install
new file mode 100644
index 0000000..d6d01f5
--- /dev/null
+++ b/modules/blogapi/blogapi.install
@@ -0,0 +1,90 @@
+<?php
+// $Id$
+
+/**
+ * Implementation of hook_install().
+ */
+function blogapi_install() {
+ // Create table.
+ switch ($GLOBALS['db_type']) {
+ case 'mysql':
+ case 'mysqli':
+ db_query("CREATE TABLE {blogapi_files} (
+ fid int NOT NULL auto_increment,
+ uid int unsigned NOT NULL default 0,
+ filepath varchar(255) NOT NULL default '',
+ filesize int unsigned NOT NULL default 0,
+ PRIMARY KEY (fid),
+ KEY uid (uid)
+ ) /*!40100 DEFAULT CHARACTER SET UTF8 */ ");
+ break;
+
+ case 'pgsql':
+ db_query("CREATE TABLE {blogapi_files} (
+ fid serial,
+ filename varchar(255) NOT NULL default '',
+ filepath varchar(255) NOT NULL default '',
+ filesize int_unsigned NOT NULL default 0,
+ PRIMARY KEY (fid)
+ )");
+
+ db_query("CREATE INDEX {blogapi_files}_uid_idx ON {blogapi_files} (uid)");
+ break;
+ }
+
+}
+
+/**
+ * Implementation of hook_uninstall().
+ */
+function blogapi_uninstall() {
+ // Remove table.
+ db_query("DROP TABLE {blogapi_files}");
+}
+
+/**
+ * @defgroup updates-5.x-extra Extra blogapi updates for 5.x
+ * @{
+ */
+
+/**
+ * Add blogapi_files table to enable size restriction for BlogAPI file uploads.
+ *
+ * Added in Drupal 5.10 (and 6.4).
+ */
+function blogapi_update_5000() {
+ $ret = array();
+ switch ($GLOBALS['db_type']) {
+ case 'mysql':
+ case 'mysqli':
+ $ret[] = update_sql("CREATE TABLE {blogapi_files} (
+ fid int NOT NULL auto_increment,
+ uid int unsigned NOT NULL default 0,
+ filepath varchar(255) NOT NULL default '',
+ filesize int unsigned NOT NULL default 0,
+ PRIMARY KEY (fid),
+ KEY uid (uid)
+ ) /*!40100 DEFAULT CHARACTER SET UTF8 */ ");
+ break;
+
+ case 'pgsql':
+ $ret[] = update_sql("CREATE TABLE {blogapi_files} (
+ fid serial,
+ filename varchar(255) NOT NULL default '',
+ filepath varchar(255) NOT NULL default '',
+ filesize int_unsigned NOT NULL default 0,
+ PRIMARY KEY (fid)
+ )");
+
+ $ret[] = update_sql("CREATE INDEX {blogapi_files}_uid_idx ON {blogapi_files} (uid)");
+ break;
+ }
+
+ return $ret;
+}
+
+
+/**
+ * @} End of "defgroup updates-5.x-extra"
+ */
+
diff --git a/modules/blogapi/blogapi.module b/modules/blogapi/blogapi.module
index 3ef8cc3..f127187 100644
--- a/modules/blogapi/blogapi.module
+++ b/modules/blogapi/blogapi.module
@@ -362,20 +362,63 @@ function blogapi_metaweblog_new_media_object($blogid, $username, $password, $fil
return blogapi_error($user);
}
+ $usersize = 0;
+ $uploadsize = 0;
+
+ $roles = array_intersect(user_roles(0, 'administer content with blog api'), $user->roles);
+
+ foreach ($roles as $rid => $name) {
+ $extensions .= ' '. strtolower(variable_get("blogapi_extensions_$rid", variable_get('blogapi_extensions_default', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp')));
+ $usersize= max($usersize, variable_get("blogapi_usersize_$rid", variable_get('blogapi_usersize_default', 1)) * 1024 * 1024);
+ $uploadsize = max($uploadsize, variable_get("blogapi_uploadsize_$rid", variable_get('blogapi_uploadsize_default', 1)) * 1024 * 1024);
+ }
+
+ $filesize = strlen($file['bits']);
+
+ if ($filesize > $uploadsize) {
+ return blogapi_error(t('It is not possible to upload the file, because it exceeded the maximum filesize of @maxsize.', array('@maxsize' => format_size($uploadsize))));
+ }
+
+ if (_blogapi_space_used($user->uid) + $filesize > $usersize) {
+ return blogapi_error(t('The file can not be attached to this post, because the disk quota of @quota has been reached.', array('@quota' => format_size($usersize))));
+ }
+
+ // Only allow files with whitelisted extensions and convert remaining dots to
+ // underscores to prevent attacks via non-terminal executable extensions with
+ // files such as exploit.php.jpg.
+
+ $whitelist = array_unique(explode(' ', trim($extensions)));
+
$name = basename($file['name']);
+
+ if ($extension_position = strrpos($name, '.')) {
+ $filename = drupal_substr($name, 0, $extension_position);
+ $final_extension = drupal_substr($name, $extension_position + 1);
+
+ if (!in_array(strtolower($final_extension), $whitelist)) {
+ return blogapi_error(t('It is not possible to upload the file, because it is only possible to upload files with the following extensions: @extensions', array('@extensions' => implode(' ', $whitelist))));
+ }
+
+ $filename = str_replace('.', '_', $filename);
+ $filename .= '.'. $final_extension;
+ }
+
$data = $file['bits'];
if (!$data) {
return blogapi_error(t('No file sent.'));
}
- if (!$file = file_save_data($data, $name)) {
+ if (!$file = file_save_data($data, $filename)) {
return blogapi_error(t('Error storing file.'));
}
+ db_query("INSERT INTO {blogapi_files} (uid, filepath, filesize) VALUES (%d, '%s', %d)", $user->uid, $file, $filesize);
+
// Return the successful result.
return array('url' => file_create_url($file), 'struct');
}
+
/**
* Blogging API callback. Returns a list of the taxonomy terms that can be
* associated with a blog node.
@@ -555,6 +598,82 @@ function blogapi_admin_settings() {
'#description' => t('Select the content types for which you wish to enable posting via blogapi. Each type will appear as a different "blog" in the client application (if supported).')
);
+
+ $blogapi_extensions_default = variable_get('blogapi_extensions_default', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp');
+ $blogapi_uploadsize_default = variable_get('blogapi_uploadsize_default', 1);
+ $blogapi_usersize_default = variable_get('blogapi_usersize_default', 1);
+
+ $form['settings_general'] = array(
+ '#type' => 'fieldset',
+ '#title' => t('File settings'),
+ '#collapsible' => TRUE,
+ );
+
+ $form['settings_general']['blogapi_extensions_default'] = array(
+ '#type' => 'textfield',
+ '#title' => t('Default permitted file extensions'),
+ '#default_value' => $blogapi_extensions_default,
+ '#maxlength' => 255,
+ '#description' => t('Default extensions that users can upload. Separate extensions with a space and do not include the leading dot.'),
+ );
+
+ $form['settings_general']['blogapi_uploadsize_default'] = array(
+ '#type' => 'textfield',
+ '#title' => t('Default maximum file size per upload'),
+ '#default_value' => $blogapi_uploadsize_default,
+ '#size' => 5,
+ '#maxlength' => 5,
+ '#description' => t('The default maximum file size a user can upload.'),
+ '#field_suffix' => t('MB')
+ );
+
+ $form['settings_general']['blogapi_usersize_default'] = array(
+ '#type' => 'textfield',
+ '#title' => t('Default total file size per user'),
+ '#default_value' => $blogapi_usersize_default,
+ '#size' => 5,
+ '#maxlength' => 5,
+ '#description' => t('The default maximum size of all files a user can have on the site.'),
+ '#field_suffix' => t('MB')
+ );
+
+ $form['settings_general']['upload_max_size'] = array('#value' => '<p>'. t('Your PHP settings limit the maximum file size per upload to %size.', array('%size' => format_size(file_upload_max_size()))).'</p>');
+
+ $roles = user_roles(0, 'administer content with blog api');
+ $form['roles'] = array('#type' => 'value', '#value' => $roles);
+
+ foreach ($roles as $rid => $role) {
+ $form['settings_role_'. $rid] = array(
+ '#type' => 'fieldset',
+ '#title' => t('Settings for @role', array('@role' => $role)),
+ '#collapsible' => TRUE,
+ '#collapsed' => TRUE,
+ );
+ $form['settings_role_'. $rid]['blogapi_extensions_'. $rid] = array(
+ '#type' => 'textfield',
+ '#title' => t('Permitted file extensions'),
+ '#default_value' => variable_get('blogapi_extensions_'. $rid, $blogapi_extensions_default),
+ '#maxlength' => 255,
+ '#description' => t('Extensions that users in this role can upload. Separate extensions with a space and do not include the leading dot.'),
+ );
+ $form['settings_role_'. $rid]['blogapi_uploadsize_'. $rid] = array(
+ '#type' => 'textfield',
+ '#title' => t('Maximum file size per upload'),
+ '#default_value' => variable_get('blogapi_uploadsize_'. $rid, $blogapi_uploadsize_default),
+ '#size' => 5,
+ '#maxlength' => 5,
+ '#description' => t('The maximum size of a file a user can upload (in megabytes).'),
+ );
+ $form['settings_role_'. $rid]['blogapi_usersize_'. $rid] = array(
+ '#type' => 'textfield',
+ '#title' => t('Total file size per user'),
+ '#default_value' => variable_get('blogapi_usersize_'. $rid, $blogapi_usersize_default),
+ '#size' => 5,
+ '#maxlength' => 5,
+ '#description' => t('The maximum size of all files a user can have on the site (in megabytes).'),
+ );
+ }
+
return system_settings_form($form);
}
@@ -720,3 +839,7 @@ function _blogapi_get_node_types() {
return $types;
}
+
+function _blogapi_space_used($uid) {
+ return db_result(db_query('SELECT SUM(filesize) FROM {blogapi_files} f WHERE f.uid = %d', $uid));
+} \ No newline at end of file
diff --git a/modules/filter/filter.module b/modules/filter/filter.module
index 8ed3778..031069b 100644
--- a/modules/filter/filter.module
+++ b/modules/filter/filter.module
@@ -1295,7 +1295,7 @@ function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite',
(
<(?=[^a-zA-Z!/]) # a lone <
| # or
- <[^>]*.(>|$) # a string that starts with a <, up until the > or the end of the string
+ <[^>]*(>|$) # a string that starts with a <, up until the > or the end of the string
| # or
> # just a >
)%x', '_filter_xss_split', $string);
diff --git a/modules/system/system.module b/modules/system/system.module
index 5c31580..1a15f4e 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -6,7 +6,7 @@
* Configuration system that lets administrators modify the workings of the site.
*/
-define('VERSION', '5.10-dev');
+define('VERSION', '5.10');
/**
* Implementation of hook_help().
diff --git a/modules/user/user.module b/modules/user/user.module
index 6fefcbd..8405546 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -1658,21 +1658,10 @@ function user_admin_access_check_submit($form_id, $form_values) {
* Menu callback: add an access rule
*/
function user_admin_access_add($mask = NULL, $type = NULL) {
- if ($edit = $_POST) {
- if (!$edit['mask']) {
- form_set_error('mask', t('You must enter a mask.'));
- }
- else {
- $aid = db_next_id('{access}_aid');
- db_query("INSERT INTO {access} (aid, mask, type, status) VALUES ('%s', '%s', '%s', %d)", $aid, $edit['mask'], $edit['type'], $edit['status']);
- drupal_set_message(t('The access rule has been added.'));
- drupal_goto('admin/user/rules');
- }
- }
- else {
- $edit['mask'] = $mask;
- $edit['type'] = $type;
- }
+ $edit = array();
+ $edit['aid'] = 0;
+ $edit['mask'] = $mask;
+ $edit['type'] = $type;
return drupal_get_form('user_admin_access_add_form', $edit, t('Add rule'));
}
@@ -1704,23 +1693,16 @@ function user_admin_access_delete_confirm_submit($form_id, $form_values) {
* Menu callback: edit an access rule
*/
function user_admin_access_edit($aid = 0) {
- if ($edit = $_POST) {
- if (!$edit['mask']) {
- form_set_error('mask', t('You must enter a mask.'));
- }
- else {
- db_query("UPDATE {access} SET mask = '%s', type = '%s', status = '%s' WHERE aid = %d", $edit['mask'], $edit['type'], $edit['status'], $aid);
- drupal_set_message(t('The access rule has been saved.'));
- drupal_goto('admin/user/rules');
- }
- }
- else {
- $edit = db_fetch_array(db_query('SELECT aid, type, status, mask FROM {access} WHERE aid = %d', $aid));
- }
+ $edit = db_fetch_array(db_query('SELECT aid, type, status, mask FROM {access} WHERE aid = %d', $aid));
return drupal_get_form('user_admin_access_edit_form', $edit, t('Save rule'));
}
function user_admin_access_form($edit, $submit) {
+ $form = array();
+ $form['aid'] = array(
+ '#type' => 'value',
+ '#value' => $edit['aid'],
+ );
$form['status'] = array(
'#type' => 'radios',
'#title' => t('Access type'),
@@ -1744,11 +1726,27 @@ function user_admin_access_form($edit, $submit) {
'#required' => TRUE,
);
$form['submit'] = array('#type' => 'submit', '#value' => $submit);
+ $form['#base'] = 'user_admin_access_form';
return $form;
}
/**
+ * Submit callback for user_admin_access_form().
+ */
+function user_admin_access_form_submit($form_id, $form_values) {
+ if ($form_values['aid']) {
+ db_query("UPDATE {access} SET mask = '%s', type = '%s', status = '%s' WHERE aid = %d", $form_values['mask'], $form_values['type'], $form_values['status'], $form_values['aid']);
+ drupal_set_message(t('The access rule has been saved.'));
+ }
+ else {
+ db_query("INSERT INTO {access} (mask, type, status) VALUES ('%s', '%s', %d)", $form_values['mask'], $form_values['type'], $form_values['status']);
+ drupal_set_message(t('The access rule has been added.'));
+ }
+ return 'admin/user/rules';
+}
+
+/**
* Menu callback: list all access rules
*/
function user_admin_access() {