- Reworked the CXX checking; now, _any_ user input will be checked

and the request will be terminated when something suspicious is detected. This will be logged in the watchdog. With help from Marco. - Fixed translation issue in the archive module. Patch by Gerhard. - Removed dead parameter from variable_get(). Patch by Chris Johnson. Fixes bug #2111. - Improved input checking of taxonomy module. Patch by Gerhard. Fixes bug #2112.
2003-06-27 17:48:20 +00:00 · 2003-06-27 17:48:20 +00:00 · f4df719502
parent 2323e57233
commit f4df719502
12 changed files with 107 additions and 96 deletions
--- a/includes/common.inc
+++ b/includes/common.inc
@ -179,7 +179,7 @@ function variable_init($conf = array()) {
  return $conf;
 }
-function variable_get($name, $default, $object = 0) {
+function variable_get($name, $default) {
  global $conf;
  return isset($conf[$name]) ? $conf[$name] : $default;
@ -412,12 +412,6 @@ function search_type($type = 0, $action = 0, $keys = 0, $options = 0) {
 function drupal_goto($url) {
  /*
  ** Check the URL to prevent XSS attacks:
  */
  $url = check_url($url);
  /*
  ** Translate &amp; to simply &
  */
@ -475,12 +469,61 @@ function referer_load() {
  }
 }
-function check_url($uri) {
+function xss_check_input_data($data) {
  /*
  ** We pipe the request URI through htmlspecialchars() to prevent
  ** XSS attacks.
  */
  if (is_array($data)) {
    /*
    ** Form data can contain a number of nested arrays.
    */
    foreach ($data as $key => $value) {
      xss_check_input_data($value);
    }
  }
  else {
    /*
    ** Detect evil input data.
    */
    // check attributes:
    $match  = preg_match("/\Wstyle\s*=[^>]+?>/i", $data);
    $match += preg_match("/\Wdynsrc\s*=[^>]+?>/i", $data);
    $match += preg_match("/\Wdatasrc\s*=[^>]+?>/i", $data);
    $match += preg_match("/\Wdata\s*=[^>]+?>/i", $data);
    $match += preg_match("/\Wlowsrc\s*=[^>]+?>/i", $data);
    $match += preg_match("/\Wstyle\s*=[^>]+?>/i", $data);
    $match += preg_match("/\Won[a-z]+\s*=[^>]+?>/i", $data);
    $match += preg_match("/\Wsrc\s*=[\s'\"]*javascript[^>]+?>/i", $data);
    $match += preg_match("/\Whref\s*=[\s'\"]*javascript:[^>]+?>/i", $data);
    $match += preg_match("/\Whref\s*=[\s'\"]*javascript:[^>]+?>/i", $data);
    // check tags:
    $match += preg_match("/<\s*applet/i", $data);
    $match += preg_match("/<\s*script/i", $data);
    $match += preg_match("/<\s*object/i", $data);
    $match += preg_match("/<\s*style/i", $data);
    $match += preg_match("/<\s*embed/i", $data);
    $match += preg_match("/<\s*form/i", $data);
    $match += preg_match("/<\s*blink/i", $data);
    $match += preg_match("/<\s*meta/i", $data);
    $match += preg_match("/<\s*font/i", $data);
    $match += preg_match("/<\s*html/i", $data);
    $match += preg_match("/<\s*frame/i", $data);
    $match += preg_match("/<\s*iframe/i", $data);
    $match += preg_match("/<\s*layer/i", $data);
    $match += preg_match("/<\s*ilayer/i", $data);
    $match += preg_match("/<\s*head/i", $data);
    $match += preg_match("/<\s*frameset/i", $data);
    $match += preg_match("/<\s*xml/i", $data);
    if ($match) {
      watchdog("warning", "terminated request because of suspicious input data: ". drupal_specialchars($data));
      die("terminated request because of suspicious input data");
    }
  }
 }
 function check_url($uri) {
  $uri = htmlspecialchars($uri, ENT_QUOTES);
  /*
@ -979,6 +1022,7 @@ function timer_start() {
 }
 function drupal_page_header() {
  if (variable_get("dev_timer", 0)) {
    timer_start();
  }
@ -1036,6 +1080,9 @@ set_error_handler("error_handler");
 // spit out the correct charset http header
 header("Content-Type: text/html; charset=utf-8");
 // filter input data:
 xss_check_input_data($_REQUEST);
 // initialize installed modules:
 module_init();
@ -1045,4 +1092,5 @@ $locale = locale_init();
 // initialize theme:
 $theme = theme_init();
 ?>
--- a/modules/aggregator.module
+++ b/modules/aggregator.module
@ -305,6 +305,9 @@ function import_refresh($feed) {
    }
    fclose($fp);
    // filter the input data:
    xss_check_input_data($data);
    // parse the data:
    $xml_parser = xml_parser_create();
    xml_set_element_handler($xml_parser, "import_element_start", "import_element_end");
@ -320,14 +323,6 @@ function import_refresh($feed) {
    $tt = array_flip(get_html_translation_table(HTML_ENTITIES));
    $tt["&apos;"] = "'";
    /*
    ** Strip invalid tags and provide default values (if required):
    */
    foreach ($channel as $key => $value) {
      $channel[$key] = node_filter(strtr(trim($value), $tt));
    }
    db_query("UPDATE feed SET timestamp = %d, link = '%s', description = '%s' WHERE fid = %d", time(), $channel["LINK"], $channel["DESCRIPTION"], $feed["fid"]);
    /*
--- a/modules/aggregator/aggregator.module
+++ b/modules/aggregator/aggregator.module
@ -305,6 +305,9 @@ function import_refresh($feed) {
    }
    fclose($fp);
    // filter the input data:
    xss_check_input_data($data);
    // parse the data:
    $xml_parser = xml_parser_create();
    xml_set_element_handler($xml_parser, "import_element_start", "import_element_end");
@ -320,14 +323,6 @@ function import_refresh($feed) {
    $tt = array_flip(get_html_translation_table(HTML_ENTITIES));
    $tt["&apos;"] = "'";
    /*
    ** Strip invalid tags and provide default values (if required):
    */
    foreach ($channel as $key => $value) {
      $channel[$key] = node_filter(strtr(trim($value), $tt));
    }
    db_query("UPDATE feed SET timestamp = %d, link = '%s', description = '%s' WHERE fid = %d", time(), $channel["LINK"], $channel["DESCRIPTION"], $feed["fid"]);
    /*
--- a/modules/archive.module
+++ b/modules/archive.module
@ -87,7 +87,7 @@ function archive_calendar($original = 0) {
  $output .= " <tr class=\"header-week\">";
  for ($i = 0; $i < 7; $i++) {
-    $output .= "<td>". substr(ucfirst(t(date("l", $firstcolumn + $i * 86400))), 0, 1) ."</td>";
+    $output .= "<td>". t(substr(ucfirst(date("l", $firstcolumn + $i * 86400)), 0, 2)) ."</td>";
  }
  $output .= "</tr>\n";
--- a/modules/archive/archive.module
+++ b/modules/archive/archive.module
@ -87,7 +87,7 @@ function archive_calendar($original = 0) {
  $output .= " <tr class=\"header-week\">";
  for ($i = 0; $i < 7; $i++) {
-    $output .= "<td>". substr(ucfirst(t(date("l", $firstcolumn + $i * 86400))), 0, 1) ."</td>";
+    $output .= "<td>". t(substr(ucfirst(date("l", $firstcolumn + $i * 86400)), 0, 2)) ."</td>";
  }
  $output .= "</tr>\n";
--- a/modules/import.module
+++ b/modules/import.module
@ -305,6 +305,9 @@ function import_refresh($feed) {
    }
    fclose($fp);
    // filter the input data:
    xss_check_input_data($data);
    // parse the data:
    $xml_parser = xml_parser_create();
    xml_set_element_handler($xml_parser, "import_element_start", "import_element_end");
@ -320,14 +323,6 @@ function import_refresh($feed) {
    $tt = array_flip(get_html_translation_table(HTML_ENTITIES));
    $tt["&apos;"] = "'";
    /*
    ** Strip invalid tags and provide default values (if required):
    */
    foreach ($channel as $key => $value) {
      $channel[$key] = node_filter(strtr(trim($value), $tt));
    }
    db_query("UPDATE feed SET timestamp = %d, link = '%s', description = '%s' WHERE fid = %d", time(), $channel["LINK"], $channel["DESCRIPTION"], $feed["fid"]);
    /*
--- a/modules/node.module
+++ b/modules/node.module
@ -499,11 +499,6 @@ function node_comment_mode($nid) {
 }
 function node_filter($text) {
  $text = preg_replace("/\Wstyle\s*=[^>]+?>/i", ">", $text);
  $text = preg_replace("/\Won[a-z]+\s*=[^>]+?>/i", ">", $text);
  $text = preg_replace("/\Wsrc\s*=[\s'\"]*javascript[^>]+?>/i", ">", $text);
  $text = preg_replace("/\Whref\s*=[\s'\"]*javascript:[^>]+?>/i", ">", $text);
  if (variable_get("filter_html", 0)) {
    $text = node_filter_html($text);
  }
--- a/modules/node/node.module
+++ b/modules/node/node.module
@ -499,11 +499,6 @@ function node_comment_mode($nid) {
 }
 function node_filter($text) {
  $text = preg_replace("/\Wstyle\s*=[^>]+?>/i", ">", $text);
  $text = preg_replace("/\Won[a-z]+\s*=[^>]+?>/i", ">", $text);
  $text = preg_replace("/\Wsrc\s*=[\s'\"]*javascript[^>]+?>/i", ">", $text);
  $text = preg_replace("/\Whref\s*=[\s'\"]*javascript:[^>]+?>/i", ">", $text);
  if (variable_get("filter_html", 0)) {
    $text = node_filter_html($text);
  }
--- a/modules/search.module
+++ b/modules/search.module
@ -364,15 +364,7 @@ function search_view($keys) {
        theme("box", t("Search Results"), $output);
      }
      else {
-        // no results. try a substring search
+        theme("box", t("Search Results"), t("Your search yielded no results."));
        $output = search_data("*". $keys. "*");
        if ($output) {
          theme("box", t("Search Results"), $output);
        }
        else {
          theme("box", t("Search Results"), t("Your search yielded no results."));
        }
      }
    }
--- a/modules/search/search.module
+++ b/modules/search/search.module
@ -364,15 +364,7 @@ function search_view($keys) {
        theme("box", t("Search Results"), $output);
      }
      else {
-        // no results. try a substring search
+        theme("box", t("Search Results"), t("Your search yielded no results."));
        $output = search_data("*". $keys. "*");
        if ($output) {
          theme("box", t("Search Results"), $output);
        }
        else {
          theme("box", t("Search Results"), t("Your search yielded no results."));
        }
      }
    }
--- a/modules/taxonomy.module
+++ b/modules/taxonomy.module
@ -657,23 +657,25 @@ function _prepare_insert($data, $stage) {
 function taxonomy_select_nodes($taxonomy, $pager = 1) {
  global $user;
-  if ($taxonomy->operator == "or") {
+  if ($taxonomy->str_tids) {
-    $sql = "SELECT DISTINCT(n.nid), n.title, n.type, n.created, n.changed, n.uid, n.static, n.created, u.name FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' ORDER BY static DESC, created DESC";
+    if ($taxonomy->operator == "or") {
-    $sql_count = "SELECT COUNT(DISTINCT(n.nid)) FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1'";
+      $sql = "SELECT DISTINCT(n.nid), n.title, n.type, n.created, n.changed, n.uid, n.static, n.created, u.name FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' ORDER BY static DESC, created DESC";
-  }
+      $sql_count = "SELECT COUNT(DISTINCT(n.nid)) FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1'";
-  else {
+    }
-    $sql = "SELECT n.nid, n.title, n.type, n.created, n.changed, n.uid, u.name FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' GROUP BY n.nid, n.title, n.type, n.created, n.changed, n.uid, u.name HAVING COUNT(n.nid) = ".count($taxonomy->tids)." ORDER BY static DESC, created DESC";
+    else {
      $sql = "SELECT n.nid, n.title, n.type, n.created, n.changed, n.uid, u.name FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' GROUP BY n.nid, n.title, n.type, n.created, n.changed, n.uid, u.name HAVING COUNT(n.nid) = ".count($taxonomy->tids)." ORDER BY static DESC, created DESC";
-    // Special trick as we could not find anything better:
+      // Special trick as we could not find anything better:
-    $count = db_num_rows(db_query("SELECT n.nid FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' GROUP BY n.nid HAVING COUNT(n.nid) = ". count($taxonomy->tids)));
+      $count = db_num_rows(db_query("SELECT n.nid FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' GROUP BY n.nid HAVING COUNT(n.nid) = ". count($taxonomy->tids)));
-    $sql_count = "SELECT $count";
+      $sql_count = "SELECT $count";
-  }
+    }
-  if ($pager) {
+    if ($pager) {
-    $result = pager_query($sql, variable_get("default_nodes_main", 10) , 0, $sql_count);
+      $result = pager_query($sql, variable_get("default_nodes_main", 10) , 0, $sql_count);
-  }
+    }
-  else {
+    else {
-    $result = db_query_range($sql, 0, 15);
+      $result = db_query_range($sql, 0, 15);
    }
  }
  return $result;
--- a/modules/taxonomy/taxonomy.module
+++ b/modules/taxonomy/taxonomy.module
@ -657,23 +657,25 @@ function _prepare_insert($data, $stage) {
 function taxonomy_select_nodes($taxonomy, $pager = 1) {
  global $user;
-  if ($taxonomy->operator == "or") {
+  if ($taxonomy->str_tids) {
-    $sql = "SELECT DISTINCT(n.nid), n.title, n.type, n.created, n.changed, n.uid, n.static, n.created, u.name FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' ORDER BY static DESC, created DESC";
+    if ($taxonomy->operator == "or") {
-    $sql_count = "SELECT COUNT(DISTINCT(n.nid)) FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1'";
+      $sql = "SELECT DISTINCT(n.nid), n.title, n.type, n.created, n.changed, n.uid, n.static, n.created, u.name FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' ORDER BY static DESC, created DESC";
-  }
+      $sql_count = "SELECT COUNT(DISTINCT(n.nid)) FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1'";
-  else {
+    }
-    $sql = "SELECT n.nid, n.title, n.type, n.created, n.changed, n.uid, u.name FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' GROUP BY n.nid, n.title, n.type, n.created, n.changed, n.uid, u.name HAVING COUNT(n.nid) = ".count($taxonomy->tids)." ORDER BY static DESC, created DESC";
+    else {
      $sql = "SELECT n.nid, n.title, n.type, n.created, n.changed, n.uid, u.name FROM node n LEFT JOIN term_node r ON n.nid = r.nid LEFT JOIN users u ON n.uid = u.uid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' GROUP BY n.nid, n.title, n.type, n.created, n.changed, n.uid, u.name HAVING COUNT(n.nid) = ".count($taxonomy->tids)." ORDER BY static DESC, created DESC";
-    // Special trick as we could not find anything better:
+      // Special trick as we could not find anything better:
-    $count = db_num_rows(db_query("SELECT n.nid FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' GROUP BY n.nid HAVING COUNT(n.nid) = ". count($taxonomy->tids)));
+      $count = db_num_rows(db_query("SELECT n.nid FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE r.tid IN ($taxonomy->str_tids) AND n.status = '1' GROUP BY n.nid HAVING COUNT(n.nid) = ". count($taxonomy->tids)));
-    $sql_count = "SELECT $count";
+      $sql_count = "SELECT $count";
-  }
+    }
-  if ($pager) {
+    if ($pager) {
-    $result = pager_query($sql, variable_get("default_nodes_main", 10) , 0, $sql_count);
+      $result = pager_query($sql, variable_get("default_nodes_main", 10) , 0, $sql_count);
-  }
+    }
-  else {
+    else {
-    $result = db_query_range($sql, 0, 15);
+      $result = db_query_range($sql, 0, 15);
    }
  }
  return $result;