- Reworked the XSS checking; now, _any_ user input will be checked and the request will be terminated when something suspicious is detected. This will be logged in the watchdog. With help from Marco.
- Fixed translation issue in the archive module. Patch by Gerhard.
- Removed dead parameter from variable_get(). Patch by Chris Johnson. Fixes bug #2111.
- Improved input checking of taxonomy module. Patch by Gerhard. Fixes bug #2112.
4.2.x
							parent
							
								
									2323e57233
								
							
						
					
					
						commit
						f4df719502
					
				| 
						 | 
				
			
			@ -179,7 +179,7 @@ function variable_init($conf = array()) {
 | 
			
		|||
  return $conf;
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
function variable_get($name, $default, $object = 0) {
 | 
			
		||||
function variable_get($name, $default) {
 | 
			
		||||
  global $conf;
 | 
			
		||||
 | 
			
		||||
  return isset($conf[$name]) ? $conf[$name] : $default;
 | 
			
		||||
| 
						 | 
				
			
			@ -412,12 +412,6 @@ function search_type($type = 0, $action = 0, $keys = 0, $options = 0) {
 | 
			
		|||
 | 
			
		||||
function drupal_goto($url) {
 | 
			
		||||
 | 
			
		||||
  /*
 | 
			
		||||
  ** Check the URL to prevent XSS attacks:
 | 
			
		||||
  */
 | 
			
		||||
 | 
			
		||||
  $url = check_url($url);
 | 
			
		||||
 | 
			
		||||
  /*
 | 
			
		||||
  ** Translate & to simply &
 | 
			
		||||
  */
 | 
			
		||||
| 
						 | 
				
			
			@ -475,12 +469,61 @@ function referer_load() {
 | 
			
		|||
  }
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
function check_url($uri) {
 | 
			
		||||
  /*
 | 
			
		||||
  ** We pipe the request URI through htmlspecialchars() to prevent
 | 
			
		||||
  ** XSS attacks.
 | 
			
		||||
  */
 | 
			
		||||
function xss_check_input_data($data) {
 | 
			
		||||
 | 
			
		||||
  if (is_array($data)) {
 | 
			
		||||
    /*
 | 
			
		||||
    ** Form data can contain a number of nested arrays.
 | 
			
		||||
    */
 | 
			
		||||
 | 
			
		||||
    foreach ($data as $key => $value) {
 | 
			
		||||
      xss_check_input_data($value);
 | 
			
		||||
    }
 | 
			
		||||
  }
 | 
			
		||||
  else {
 | 
			
		||||
    /*
 | 
			
		||||
    ** Detect evil input data.
 | 
			
		||||
    */
 | 
			
		||||
 | 
			
		||||
    // check attributes:
 | 
			
		||||
    $match  = preg_match("/\Wstyle\s*=[^>]+?>/i", $data);
 | 
			
		||||
    $match += preg_match("/\Wdynsrc\s*=[^>]+?>/i", $data);
 | 
			
		||||
    $match += preg_match("/\Wdatasrc\s*=[^>]+?>/i", $data);
 | 
			
		||||
    $match += preg_match("/\Wdata\s*=[^>]+?>/i", $data);
 | 
			
		||||
    $match += preg_match("/\Wlowsrc\s*=[^>]+?>/i", $data);
 | 
			
		||||
    $match += preg_match("/\Wstyle\s*=[^>]+?>/i", $data);
 | 
			
		||||
    $match += preg_match("/\Won[a-z]+\s*=[^>]+?>/i", $data);
 | 
			
		||||
    $match += preg_match("/\Wsrc\s*=[\s'\"]*javascript[^>]+?>/i", $data);
 | 
			
		||||
    $match += preg_match("/\Whref\s*=[\s'\"]*javascript:[^>]+?>/i", $data);
 | 
			
		||||
    $match += preg_match("/\Whref\s*=[\s'\"]*javascript:[^>]+?>/i", $data);
 | 
			
		||||
 | 
			
		||||
    // check tags:
 | 
			
		||||
    $match += preg_match("/<\s*applet/i", $data);
 | 
			
		||||
    $match += preg_match("/<\s*script/i", $data);
 | 
			
		||||
    $match += preg_match("/<\s*object/i", $data);
 | 
			
		||||
    $match += preg_match("/<\s*style/i", $data);
 | 
			
		||||
    $match += preg_match("/<\s*embed/i", $data);
 | 
			
		||||
    $match += preg_match("/<\s*form/i", $data);
 | 
			
		||||
    $match += preg_match("/<\s*blink/i", $data);
 | 
			
		||||
    $match += preg_match("/<\s*meta/i", $data);
 | 
			
		||||
    $match += preg_match("/<\s*font/i", $data);
 | 
			
		||||
    $match += preg_match("/<\s*html/i", $data);
 | 
			
		||||
    $match += preg_match("/<\s*frame/i", $data);
 | 
			
		||||
    $match += preg_match("/<\s*iframe/i", $data);
 | 
			
		||||
    $match += preg_match("/<\s*layer/i", $data);
 | 
			
		||||
    $match += preg_match("/<\s*ilayer/i", $data);
 | 
			
		||||
    $match += preg_match("/<\s*head/i", $data);
 | 
			
		||||
    $match += preg_match("/<\s*frameset/i", $data);
 | 
			
		||||
    $match += preg_match("/<\s*xml/i", $data);
 | 
			
		||||
 | 
			
		||||
    if ($match) {
 | 
			
		||||
      watchdog("warning", "terminated request because of suspicious input data: ". drupal_specialchars($data));
 | 
			
		||||
      die("terminated request because of suspicious input data");
 | 
			
		||||
    }
 | 
			
		||||
  }
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
function check_url($uri) {
 | 
			
		||||
  $uri = htmlspecialchars($uri, ENT_QUOTES);
 | 
			
		||||
 | 
			
		||||
  /*
 | 
			
		||||
| 
						 | 
				
			
			@ -979,6 +1022,7 @@ function timer_start() {
 | 
			
		|||
}
 | 
			
		||||
 | 
			
		||||
function drupal_page_header() {
 | 
			
		||||
 | 
			
		||||
  if (variable_get("dev_timer", 0)) {
 | 
			
		||||
    timer_start();
 | 
			
		||||
  }
 | 
			
		||||
| 
						 | 
				
			
			@ -1036,6 +1080,9 @@ set_error_handler("error_handler");
 | 
			
		|||
// spit out the correct charset http header
 | 
			
		||||
header("Content-Type: text/html; charset=utf-8");
 | 
			
		||||
 | 
			
		||||
// filter input data:
 | 
			
		||||
xss_check_input_data($_REQUEST);
 | 
			
		||||
 | 
			
		||||
// initialize installed modules:
 | 
			
		||||
module_init();
 | 
			
		||||
 | 
			
		||||
| 
						 | 
				
			
			@ -1045,4 +1092,5 @@ $locale = locale_init();
 | 
			
		|||
// initialize theme:
 | 
			
		||||
$theme = theme_init();
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
?>
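Review bot: In xss_check_input_data() the recursion `foreach ($data as $key => $value)` passes only `$value` on, so array keys in `$_REQUEST` are never inspected; adding `xss_check_input_data($key);` inside the loop would cover them. The `style` attribute pattern and the `href ... javascript:` pattern each appear twice in the list, which adds nothing to `$match`, so the duplicates can be dropped. Because this is a deny-list that ends the request with die(), it will also reject legitimate submissions that merely contain text such as `<font` or `<form`, and it cannot be assumed complete, so escaping at output (as check_url() still does with `htmlspecialchars($uri, ENT_QUOTES)`) should stay the primary control and the function deserves a docblock saying so. The drupal_goto() hunk appears to drop its `$url = check_url($url);` call, which would leave redirect targets that do not come from `$_REQUEST` unchecked; that function's body continues outside the hunk, so confirm against the full file.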
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -305,6 +305,9 @@ function import_refresh($feed) {
 | 
			
		|||
    }
 | 
			
		||||
    fclose($fp);
 | 
			
		||||
 | 
			
		||||
    // filter the input data:
 | 
			
		||||
    xss_check_input_data($data);
 | 
			
		||||
 | 
			
		||||
    // parse the data:
 | 
			
		||||
    $xml_parser = xml_parser_create();
 | 
			
		||||
    xml_set_element_handler($xml_parser, "import_element_start", "import_element_end");
 | 
			
		||||
| 
						 | 
				
			
			@ -320,14 +323,6 @@ function import_refresh($feed) {
 | 
			
		|||
    $tt = array_flip(get_html_translation_table(HTML_ENTITIES));
 | 
			
		||||
    $tt["'"] = "'";
 | 
			
		||||
 | 
			
		||||
    /*
 | 
			
		||||
    ** Strip invalid tags and provide default values (if required):
 | 
			
		||||
    */
 | 
			
		||||
 | 
			
		||||
    foreach ($channel as $key => $value) {
 | 
			
		||||
      $channel[$key] = node_filter(strtr(trim($value), $tt));
 | 
			
		||||
    }
 | 
			
		||||
 | 
			
		||||
    db_query("UPDATE feed SET timestamp = %d, link = '%s', description = '%s' WHERE fid = %d", time(), $channel["LINK"], $channel["DESCRIPTION"], $feed["fid"]);
 | 
			
		||||
 | 
			
		||||
    /*
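Review bot: Calling `xss_check_input_data($data)` on the downloaded feed in import_refresh() means that one remote feed containing any listed tag ends the whole request through die(), so feeds that would have been refreshed later in the same run are skipped; for remote data a log-and-skip path (a `watchdog(...)` call followed by `return;`) is safer than terminating. The check also runs on the raw document, while `$tt` is still built for entity decoding afterwards (its remaining uses are outside the hunk), and the second hunk appears to remove the `node_filter(strtr(trim($value), $tt))` pass over `$channel`, so the string that is checked and the string that is later stored in `feed` and displayed may differ. Filtering after decoding, or escaping `$channel["LINK"]` and `$channel["DESCRIPTION"]` at output, would close that gap. import_refresh() starts and ends outside both hunks, and this same section is repeated further down the page.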
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -305,6 +305,9 @@ function import_refresh($feed) {
 | 
			
		|||
    }
 | 
			
		||||
    fclose($fp);
 | 
			
		||||
 | 
			
		||||
    // filter the input data:
 | 
			
		||||
    xss_check_input_data($data);
 | 
			
		||||
 | 
			
		||||
    // parse the data:
 | 
			
		||||
    $xml_parser = xml_parser_create();
 | 
			
		||||
    xml_set_element_handler($xml_parser, "import_element_start", "import_element_end");
 | 
			
		||||
| 
						 | 
				
			
			@ -320,14 +323,6 @@ function import_refresh($feed) {
 | 
			
		|||
    $tt = array_flip(get_html_translation_table(HTML_ENTITIES));
 | 
			
		||||
    $tt["'"] = "'";
 | 
			
		||||
 | 
			
		||||
    /*
 | 
			
		||||
    ** Strip invalid tags and provide default values (if required):
 | 
			
		||||
    */
 | 
			
		||||
 | 
			
		||||
    foreach ($channel as $key => $value) {
 | 
			
		||||
      $channel[$key] = node_filter(strtr(trim($value), $tt));
 | 
			
		||||
    }
 | 
			
		||||
 | 
			
		||||
    db_query("UPDATE feed SET timestamp = %d, link = '%s', description = '%s' WHERE fid = %d", time(), $channel["LINK"], $channel["DESCRIPTION"], $feed["fid"]);
 | 
			
		||||
 | 
			
		||||
    /*
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -87,7 +87,7 @@ function archive_calendar($original = 0) {
 | 
			
		|||
 | 
			
		||||
  $output .= " <tr class=\"header-week\">";
 | 
			
		||||
  for ($i = 0; $i < 7; $i++) {
 | 
			
		||||
    $output .= "<td>". substr(ucfirst(t(date("l", $firstcolumn + $i * 86400))), 0, 1) ."</td>";
 | 
			
		||||
    $output .= "<td>". t(substr(ucfirst(date("l", $firstcolumn + $i * 86400)), 0, 2)) ."</td>";
 | 
			
		||||
  }
 | 
			
		||||
  $output .= "</tr>\n";
 | 
			
		||||
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -87,7 +87,7 @@ function archive_calendar($original = 0) {
 | 
			
		|||
 | 
			
		||||
  $output .= " <tr class=\"header-week\">";
 | 
			
		||||
  for ($i = 0; $i < 7; $i++) {
 | 
			
		||||
    $output .= "<td>". substr(ucfirst(t(date("l", $firstcolumn + $i * 86400))), 0, 1) ."</td>";
 | 
			
		||||
    $output .= "<td>". t(substr(ucfirst(date("l", $firstcolumn + $i * 86400)), 0, 2)) ."</td>";
 | 
			
		||||
  }
 | 
			
		||||
  $output .= "</tr>\n";
 | 
			
		||||
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -305,6 +305,9 @@ function import_refresh($feed) {
 | 
			
		|||
    }
 | 
			
		||||
    fclose($fp);
 | 
			
		||||
 | 
			
		||||
    // filter the input data:
 | 
			
		||||
    xss_check_input_data($data);
 | 
			
		||||
 | 
			
		||||
    // parse the data:
 | 
			
		||||
    $xml_parser = xml_parser_create();
 | 
			
		||||
    xml_set_element_handler($xml_parser, "import_element_start", "import_element_end");
 | 
			
		||||
| 
						 | 
				
			
			@ -320,14 +323,6 @@ function import_refresh($feed) {
 | 
			
		|||
    $tt = array_flip(get_html_translation_table(HTML_ENTITIES));
 | 
			
		||||
    $tt["'"] = "'";
 | 
			
		||||
 | 
			
		||||
    /*
 | 
			
		||||
    ** Strip invalid tags and provide default values (if required):
 | 
			
		||||
    */
 | 
			
		||||
 | 
			
		||||
    foreach ($channel as $key => $value) {
 | 
			
		||||
      $channel[$key] = node_filter(strtr(trim($value), $tt));
 | 
			
		||||
    }
 | 
			
		||||
 | 
			
		||||
    db_query("UPDATE feed SET timestamp = %d, link = '%s', description = '%s' WHERE fid = %d", time(), $channel["LINK"], $channel["DESCRIPTION"], $feed["fid"]);
 | 
			
		||||
 | 
			
		||||
    /*
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -499,11 +499,6 @@ function node_comment_mode($nid) {
 | 
			
		|||
}
 | 
			
		||||
 | 
			
		||||
function node_filter($text) {
 | 
			
		||||
  $text = preg_replace("/\Wstyle\s*=[^>]+?>/i", ">", $text);
 | 
			
		||||
  $text = preg_replace("/\Won[a-z]+\s*=[^>]+?>/i", ">", $text);
 | 
			
		||||
  $text = preg_replace("/\Wsrc\s*=[\s'\"]*javascript[^>]+?>/i", ">", $text);
 | 
			
		||||
  $text = preg_replace("/\Whref\s*=[\s'\"]*javascript:[^>]+?>/i", ">", $text);
 | 
			
		||||
 | 
			
		||||
  if (variable_get("filter_html", 0)) {
 | 
			
		||||
    $text = node_filter_html($text);
 | 
			
		||||
  }
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -499,11 +499,6 @@ function node_comment_mode($nid) {
 | 
			
		|||
}
 | 
			
		||||
 | 
			
		||||
function node_filter($text) {
 | 
			
		||||
  $text = preg_replace("/\Wstyle\s*=[^>]+?>/i", ">", $text);
 | 
			
		||||
  $text = preg_replace("/\Won[a-z]+\s*=[^>]+?>/i", ">", $text);
 | 
			
		||||
  $text = preg_replace("/\Wsrc\s*=[\s'\"]*javascript[^>]+?>/i", ">", $text);
 | 
			
		||||
  $text = preg_replace("/\Whref\s*=[\s'\"]*javascript:[^>]+?>/i", ">", $text);
 | 
			
		||||
 | 
			
		||||
  if (variable_get("filter_html", 0)) {
 | 
			
		||||
    $text = node_filter_html($text);
 | 
			
		||||
  }
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -364,15 +364,7 @@ function search_view($keys) {
 | 
			
		|||
        theme("box", t("Search Results"), $output);
 | 
			
		||||
      }
 | 
			
		||||
      else {
 | 
			
		||||
        // no results. try a substring search
 | 
			
		||||
        $output = search_data("*". $keys. "*");
 | 
			
		||||
 | 
			
		||||
        if ($output) {
 | 
			
		||||
          theme("box", t("Search Results"), $output);
 | 
			
		||||
        }
 | 
			
		||||
        else {
 | 
			
		||||
          theme("box", t("Search Results"), t("Your search yielded no results."));
 | 
			
		||||
        }
 | 
			
		||||
        theme("box", t("Search Results"), t("Your search yielded no results."));
 | 
			
		||||
      }
 | 
			
		||||
    }
 | 
			
		||||
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -364,15 +364,7 @@ function search_view($keys) {
 | 
			
		|||
        theme("box", t("Search Results"), $output);
 | 
			
		||||
      }
 | 
			
		||||
      else {
 | 
			
		||||
        // no results. try a substring search
 | 
			
		||||
        $output = search_data("*". $keys. "*");
 | 
			
		||||
 | 
			
		||||
        if ($output) {
 | 
			
		||||
          theme("box", t("Search Results"), $output);
 | 
			
		||||
        }
 | 
			
		||||
        else {
 | 
			
		||||
          theme("box", t("Search Results"), t("Your search yielded no results."));
 | 
			
		||||
        }
 | 
			
		||||
        theme("box", t("Search Results"), t("Your search yielded no results."));
 | 
			
		||||
      }
 | 
			
		||||
    }
 | 
			
		||||
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -657,23 +657,25 @@ function _prepare_insert($data, $stage) {
 | 
			
		|||
function taxonomy_select_nodes($taxonomy, $pager = 1) {
 | 
			
		||||
  global $user;
 | 
			
		||||
 | 
			
		||||
  if ($taxonomy->operator == "or") {
 | 
			
		||||
    $sql = "SELECT DISTINCT(n.nid), n.title, n.type, n.created, n.changed, n.uid, n.static, n.created, u.name FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' ORDER BY static DESC, created DESC";
 | 
			
		||||
    $sql_count = "SELECT COUNT(DISTINCT(n.nid)) FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1'";
 | 
			
		||||
  }
 | 
			
		||||
  else {
 | 
			
		||||
    $sql = "SELECT n.nid, n.title, n.type, n.created, n.changed, n.uid, u.name FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' GROUP BY n.nid, n.title, n.type, n.created, n.changed, n.uid, u.name HAVING COUNT(n.nid) = ".count($taxonomy->tids)." ORDER BY static DESC, created DESC";
 | 
			
		||||
  if ($taxonomy->str_tids) {
 | 
			
		||||
    if ($taxonomy->operator == "or") {
 | 
			
		||||
      $sql = "SELECT DISTINCT(n.nid), n.title, n.type, n.created, n.changed, n.uid, n.static, n.created, u.name FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' ORDER BY static DESC, created DESC";
 | 
			
		||||
      $sql_count = "SELECT COUNT(DISTINCT(n.nid)) FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1'";
 | 
			
		||||
    }
 | 
			
		||||
    else {
 | 
			
		||||
      $sql = "SELECT n.nid, n.title, n.type, n.created, n.changed, n.uid, u.name FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' GROUP BY n.nid, n.title, n.type, n.created, n.changed, n.uid, u.name HAVING COUNT(n.nid) = ".count($taxonomy->tids)." ORDER BY static DESC, created DESC";
 | 
			
		||||
 | 
			
		||||
    // Special trick as we could not find anything better:
 | 
			
		||||
    $count = db_num_rows(db_query("SELECT n.nid FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' GROUP BY n.nid HAVING COUNT(n.nid) = ". count($taxonomy->tids)));
 | 
			
		||||
    $sql_count = "SELECT $count";
 | 
			
		||||
  }
 | 
			
		||||
      // Special trick as we could not find anything better:
 | 
			
		||||
      $count = db_num_rows(db_query("SELECT n.nid FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' GROUP BY n.nid HAVING COUNT(n.nid) = ". count($taxonomy->tids)));
 | 
			
		||||
      $sql_count = "SELECT $count";
 | 
			
		||||
    }
 | 
			
		||||
 | 
			
		||||
  if ($pager) {
 | 
			
		||||
    $result = pager_query($sql, variable_get("default_nodes_main", 10) , 0, $sql_count);
 | 
			
		||||
  }
 | 
			
		||||
  else {
 | 
			
		||||
    $result = db_query_range($sql, 0, 15);
 | 
			
		||||
    if ($pager) {
 | 
			
		||||
      $result = pager_query($sql, variable_get("default_nodes_main", 10) , 0, $sql_count);
 | 
			
		||||
    }
 | 
			
		||||
    else {
 | 
			
		||||
      $result = db_query_range($sql, 0, 15);
 | 
			
		||||
    }
 | 
			
		||||
  }
 | 
			
		||||
 | 
			
		||||
  return $result;
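Review bot: In taxonomy_select_nodes() the new `if ($taxonomy->str_tids)` guard only tests that the string is non-empty; `$taxonomy->str_tids` is still interpolated unquoted into `r.tid IN ($taxonomy->str_tids)` in every query, including the direct db_query() that computes `$count`. If that string can be derived from request input (its construction is not visible here), build it from integers instead, for example `$tids = implode(",", array_map("intval", $taxonomy->tids));` assuming `$taxonomy->tids` is the array that count() is applied to, and use `$tids` in the IN clauses. When the guard is false `$result` is never assigned, so `return $result;` returns an undefined variable; initialise it before the guard or return an explicit empty value, and document that case for callers. The closing brace of the function is outside the hunk, and this same section is repeated further down the page.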
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -657,23 +657,25 @@ function _prepare_insert($data, $stage) {
 | 
			
		|||
function taxonomy_select_nodes($taxonomy, $pager = 1) {
 | 
			
		||||
  global $user;
 | 
			
		||||
 | 
			
		||||
  if ($taxonomy->operator == "or") {
 | 
			
		||||
    $sql = "SELECT DISTINCT(n.nid), n.title, n.type, n.created, n.changed, n.uid, n.static, n.created, u.name FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' ORDER BY static DESC, created DESC";
 | 
			
		||||
    $sql_count = "SELECT COUNT(DISTINCT(n.nid)) FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1'";
 | 
			
		||||
  }
 | 
			
		||||
  else {
 | 
			
		||||
    $sql = "SELECT n.nid, n.title, n.type, n.created, n.changed, n.uid, u.name FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' GROUP BY n.nid, n.title, n.type, n.created, n.changed, n.uid, u.name HAVING COUNT(n.nid) = ".count($taxonomy->tids)." ORDER BY static DESC, created DESC";
 | 
			
		||||
  if ($taxonomy->str_tids) {
 | 
			
		||||
    if ($taxonomy->operator == "or") {
 | 
			
		||||
      $sql = "SELECT DISTINCT(n.nid), n.title, n.type, n.created, n.changed, n.uid, n.static, n.created, u.name FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' ORDER BY static DESC, created DESC";
 | 
			
		||||
      $sql_count = "SELECT COUNT(DISTINCT(n.nid)) FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1'";
 | 
			
		||||
    }
 | 
			
		||||
    else {
 | 
			
		||||
      $sql = "SELECT n.nid, n.title, n.type, n.created, n.changed, n.uid, u.name FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' GROUP BY n.nid, n.title, n.type, n.created, n.changed, n.uid, u.name HAVING COUNT(n.nid) = ".count($taxonomy->tids)." ORDER BY static DESC, created DESC";
 | 
			
		||||
 | 
			
		||||
    // Special trick as we could not find anything better:
 | 
			
		||||
    $count = db_num_rows(db_query("SELECT n.nid FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' GROUP BY n.nid HAVING COUNT(n.nid) = ". count($taxonomy->tids)));
 | 
			
		||||
    $sql_count = "SELECT $count";
 | 
			
		||||
  }
 | 
			
		||||
      // Special trick as we could not find anything better:
 | 
			
		||||
      $count = db_num_rows(db_query("SELECT n.nid FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' GROUP BY n.nid HAVING COUNT(n.nid) = ". count($taxonomy->tids)));
 | 
			
		||||
      $sql_count = "SELECT $count";
 | 
			
		||||
    }
 | 
			
		||||
 | 
			
		||||
  if ($pager) {
 | 
			
		||||
    $result = pager_query($sql, variable_get("default_nodes_main", 10) , 0, $sql_count);
 | 
			
		||||
  }
 | 
			
		||||
  else {
 | 
			
		||||
    $result = db_query_range($sql, 0, 15);
 | 
			
		||||
    if ($pager) {
 | 
			
		||||
      $result = pager_query($sql, variable_get("default_nodes_main", 10) , 0, $sql_count);
 | 
			
		||||
    }
 | 
			
		||||
    else {
 | 
			
		||||
      $result = db_query_range($sql, 0, 15);
 | 
			
		||||
    }
 | 
			
		||||
  }
 | 
			
		||||
 | 
			
		||||
  return $result;
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||