[b354002] | 1 | <?php |
---|
| 2 | |
---|
| 3 | /** |
---|
| 4 | * @file |
---|
| 5 | * Functions that need to be loaded on every Drupal request. |
---|
| 6 | */ |
---|
| 7 | |
---|
| 8 | /** |
---|
| 9 | * Indicates that the item should never be removed unless explicitly told to |
---|
| 10 | * using cache_clear_all() with a cache ID. |
---|
| 11 | */ |
---|
| 12 | define('CACHE_PERMANENT', 0); |
---|
| 13 | |
---|
| 14 | /** |
---|
| 15 | * Indicates that the item should be removed at the next general cache wipe. |
---|
| 16 | */ |
---|
| 17 | define('CACHE_TEMPORARY', -1); |
---|
| 18 | |
---|
| 19 | /** |
---|
| 20 | * Indicates that page caching is disabled. |
---|
| 21 | */ |
---|
| 22 | define('CACHE_DISABLED', 0); |
---|
| 23 | |
---|
| 24 | /** |
---|
| 25 | * Indicates that page caching is enabled, using "normal" mode. |
---|
| 26 | */ |
---|
| 27 | define('CACHE_NORMAL', 1); |
---|
| 28 | |
---|
| 29 | /** |
---|
| 30 | * Indicates that page caching is using "aggressive" mode. This bypasses |
---|
| 31 | * loading any modules for additional speed, which may break functionality in |
---|
| 32 | * modules that expect to be run on each page load. |
---|
| 33 | */ |
---|
| 34 | define('CACHE_AGGRESSIVE', 2); |
---|
| 35 | |
---|
| 36 | /** |
---|
| 37 | * Log message severity -- Emergency: system is unusable. |
---|
| 38 | * |
---|
| 39 | * The WATCHDOG_* constant definitions correspond to the logging severity levels |
---|
| 40 | * defined in RFC 3164, section 4.1.1: http://www.faqs.org/rfcs/rfc3164.html |
---|
| 41 | * |
---|
| 42 | * @see watchdog() |
---|
| 43 | * @see watchdog_severity_levels() |
---|
| 44 | */ |
---|
| 45 | define('WATCHDOG_EMERG', 0); |
---|
| 46 | |
---|
| 47 | /** |
---|
| 48 | * Log message severity -- Alert: action must be taken immediately. |
---|
| 49 | * |
---|
| 50 | * The WATCHDOG_* constant definitions correspond to the logging severity levels |
---|
| 51 | * defined in RFC 3164, section 4.1.1: http://www.faqs.org/rfcs/rfc3164.html |
---|
| 52 | * |
---|
| 53 | * @see watchdog() |
---|
| 54 | * @see watchdog_severity_levels() |
---|
| 55 | */ |
---|
| 56 | define('WATCHDOG_ALERT', 1); |
---|
| 57 | |
---|
| 58 | /** |
---|
| 59 | * Log message severity -- Critical: critical conditions. |
---|
| 60 | * |
---|
| 61 | * The WATCHDOG_* constant definitions correspond to the logging severity levels |
---|
| 62 | * defined in RFC 3164, section 4.1.1: http://www.faqs.org/rfcs/rfc3164.html |
---|
| 63 | * |
---|
| 64 | * @see watchdog() |
---|
| 65 | * @see watchdog_severity_levels() |
---|
| 66 | */ |
---|
| 67 | define('WATCHDOG_CRITICAL', 2); |
---|
| 68 | |
---|
| 69 | /** |
---|
| 70 | * Log message severity -- Error: error conditions. |
---|
| 71 | * |
---|
| 72 | * The WATCHDOG_* constant definitions correspond to the logging severity levels |
---|
| 73 | * defined in RFC 3164, section 4.1.1: http://www.faqs.org/rfcs/rfc3164.html |
---|
| 74 | * |
---|
| 75 | * @see watchdog() |
---|
| 76 | * @see watchdog_severity_levels() |
---|
| 77 | */ |
---|
| 78 | define('WATCHDOG_ERROR', 3); |
---|
| 79 | |
---|
| 80 | /** |
---|
| 81 | * Log message severity -- Warning: warning conditions. |
---|
| 82 | * |
---|
| 83 | * The WATCHDOG_* constant definitions correspond to the logging severity levels |
---|
| 84 | * defined in RFC 3164, section 4.1.1: http://www.faqs.org/rfcs/rfc3164.html |
---|
| 85 | * |
---|
| 86 | * @see watchdog() |
---|
| 87 | * @see watchdog_severity_levels() |
---|
| 88 | */ |
---|
| 89 | define('WATCHDOG_WARNING', 4); |
---|
| 90 | |
---|
| 91 | /** |
---|
| 92 | * Log message severity -- Notice: normal but significant condition. |
---|
| 93 | * |
---|
| 94 | * The WATCHDOG_* constant definitions correspond to the logging severity levels |
---|
| 95 | * defined in RFC 3164, section 4.1.1: http://www.faqs.org/rfcs/rfc3164.html |
---|
| 96 | * |
---|
| 97 | * @see watchdog() |
---|
| 98 | * @see watchdog_severity_levels() |
---|
| 99 | */ |
---|
| 100 | define('WATCHDOG_NOTICE', 5); |
---|
| 101 | |
---|
| 102 | /** |
---|
| 103 | * Log message severity -- Informational: informational messages. |
---|
| 104 | * |
---|
| 105 | * The WATCHDOG_* constant definitions correspond to the logging severity levels |
---|
| 106 | * defined in RFC 3164, section 4.1.1: http://www.faqs.org/rfcs/rfc3164.html |
---|
| 107 | * |
---|
| 108 | * @see watchdog() |
---|
| 109 | * @see watchdog_severity_levels() |
---|
| 110 | */ |
---|
| 111 | define('WATCHDOG_INFO', 6); |
---|
| 112 | |
---|
| 113 | /** |
---|
| 114 | * Log message severity -- Debug: debug-level messages. |
---|
| 115 | * |
---|
| 116 | * The WATCHDOG_* constant definitions correspond to the logging severity levels |
---|
| 117 | * defined in RFC 3164, section 4.1.1: http://www.faqs.org/rfcs/rfc3164.html |
---|
| 118 | * |
---|
| 119 | * @see watchdog() |
---|
| 120 | * @see watchdog_severity_levels() |
---|
| 121 | */ |
---|
| 122 | define('WATCHDOG_DEBUG', 7); |
---|
| 123 | |
---|
| 124 | /** |
---|
| 125 | * First bootstrap phase: initialize configuration. |
---|
| 126 | */ |
---|
| 127 | define('DRUPAL_BOOTSTRAP_CONFIGURATION', 0); |
---|
| 128 | |
---|
| 129 | /** |
---|
| 130 | * Second bootstrap phase: try to call a non-database cache |
---|
| 131 | * fetch routine. |
---|
| 132 | */ |
---|
| 133 | define('DRUPAL_BOOTSTRAP_EARLY_PAGE_CACHE', 1); |
---|
| 134 | |
---|
| 135 | /** |
---|
| 136 | * Third bootstrap phase: initialize database layer. |
---|
| 137 | */ |
---|
| 138 | define('DRUPAL_BOOTSTRAP_DATABASE', 2); |
---|
| 139 | |
---|
| 140 | /** |
---|
| 141 | * Fourth bootstrap phase: identify and reject banned hosts. |
---|
| 142 | */ |
---|
| 143 | define('DRUPAL_BOOTSTRAP_ACCESS', 3); |
---|
| 144 | |
---|
| 145 | /** |
---|
| 146 | * Fifth bootstrap phase: initialize session handling. |
---|
| 147 | */ |
---|
| 148 | define('DRUPAL_BOOTSTRAP_SESSION', 4); |
---|
| 149 | |
---|
| 150 | /** |
---|
| 151 | * Sixth bootstrap phase: load bootstrap.inc and module.inc, start |
---|
| 152 | * the variable system and try to serve a page from the cache. |
---|
| 153 | */ |
---|
| 154 | define('DRUPAL_BOOTSTRAP_LATE_PAGE_CACHE', 5); |
---|
| 155 | |
---|
| 156 | /** |
---|
| 157 | * Seventh bootstrap phase: find out language of the page. |
---|
| 158 | */ |
---|
| 159 | define('DRUPAL_BOOTSTRAP_LANGUAGE', 6); |
---|
| 160 | |
---|
| 161 | /** |
---|
| 162 | * Eighth bootstrap phase: set $_GET['q'] to Drupal path of request. |
---|
| 163 | */ |
---|
| 164 | define('DRUPAL_BOOTSTRAP_PATH', 7); |
---|
| 165 | |
---|
| 166 | /** |
---|
| 167 | * Final bootstrap phase: Drupal is fully loaded; validate and fix |
---|
| 168 | * input data. |
---|
| 169 | */ |
---|
| 170 | define('DRUPAL_BOOTSTRAP_FULL', 8); |
---|
| 171 | |
---|
| 172 | /** |
---|
| 173 | * Role ID for anonymous users; should match what's in the "role" table. |
---|
| 174 | */ |
---|
| 175 | define('DRUPAL_ANONYMOUS_RID', 1); |
---|
| 176 | |
---|
| 177 | /** |
---|
| 178 | * Role ID for authenticated users; should match what's in the "role" table. |
---|
| 179 | */ |
---|
| 180 | define('DRUPAL_AUTHENTICATED_RID', 2); |
---|
| 181 | |
---|
| 182 | /** |
---|
| 183 | * No language negotiation. The default language is used. |
---|
| 184 | */ |
---|
| 185 | define('LANGUAGE_NEGOTIATION_NONE', 0); |
---|
| 186 | |
---|
| 187 | /** |
---|
| 188 | * Path based negotiation with fallback to default language |
---|
| 189 | * if no defined path prefix identified. |
---|
| 190 | */ |
---|
| 191 | define('LANGUAGE_NEGOTIATION_PATH_DEFAULT', 1); |
---|
| 192 | |
---|
| 193 | /** |
---|
| 194 | * Path based negotiation with fallback to user preferences |
---|
| 195 | * and browser language detection if no defined path prefix |
---|
| 196 | * identified. |
---|
| 197 | */ |
---|
| 198 | define('LANGUAGE_NEGOTIATION_PATH', 2); |
---|
| 199 | |
---|
| 200 | /** |
---|
| 201 | * Domain based negotiation with fallback to default language |
---|
| 202 | * if no language identified by domain. |
---|
| 203 | */ |
---|
| 204 | define('LANGUAGE_NEGOTIATION_DOMAIN', 3); |
---|
| 205 | |
---|
| 206 | /** |
---|
| 207 | * Language written left to right. Possible value of $language->direction. |
---|
| 208 | */ |
---|
| 209 | define('LANGUAGE_LTR', 0); |
---|
| 210 | |
---|
| 211 | /** |
---|
| 212 | * Language written right to left. Possible value of $language->direction. |
---|
| 213 | */ |
---|
| 214 | define('LANGUAGE_RTL', 1); |
---|
| 215 | |
---|
| 216 | // Hide E_DEPRECATED messages. |
---|
| 217 | if (defined('E_DEPRECATED')) { |
---|
| 218 | error_reporting(error_reporting() & ~E_DEPRECATED); |
---|
| 219 | } |
---|
| 220 | |
---|
| 221 | /** |
---|
| 222 | * Start the timer with the specified name. If you start and stop |
---|
| 223 | * the same timer multiple times, the measured intervals will be |
---|
| 224 | * accumulated. |
---|
| 225 | * |
---|
| 226 | * @param name |
---|
| 227 | * The name of the timer. |
---|
| 228 | */ |
---|
| 229 | function timer_start($name) { |
---|
| 230 | global $timers; |
---|
| 231 | |
---|
| 232 | list($usec, $sec) = explode(' ', microtime()); |
---|
| 233 | $timers[$name]['start'] = (float)$usec + (float)$sec; |
---|
| 234 | $timers[$name]['count'] = isset($timers[$name]['count']) ? ++$timers[$name]['count'] : 1; |
---|
| 235 | } |
---|
| 236 | |
---|
| 237 | /** |
---|
| 238 | * Read the current timer value without stopping the timer. |
---|
| 239 | * |
---|
| 240 | * @param name |
---|
| 241 | * The name of the timer. |
---|
| 242 | * @return |
---|
| 243 | * The current timer value in ms. |
---|
| 244 | */ |
---|
| 245 | function timer_read($name) { |
---|
| 246 | global $timers; |
---|
| 247 | |
---|
| 248 | if (isset($timers[$name]['start'])) { |
---|
| 249 | list($usec, $sec) = explode(' ', microtime()); |
---|
| 250 | $stop = (float)$usec + (float)$sec; |
---|
| 251 | $diff = round(($stop - $timers[$name]['start']) * 1000, 2); |
---|
| 252 | |
---|
| 253 | if (isset($timers[$name]['time'])) { |
---|
| 254 | $diff += $timers[$name]['time']; |
---|
| 255 | } |
---|
| 256 | return $diff; |
---|
| 257 | } |
---|
| 258 | } |
---|
| 259 | |
---|
| 260 | /** |
---|
| 261 | * Stop the timer with the specified name. |
---|
| 262 | * |
---|
| 263 | * @param name |
---|
| 264 | * The name of the timer. |
---|
| 265 | * @return |
---|
| 266 | * A timer array. The array contains the number of times the |
---|
| 267 | * timer has been started and stopped (count) and the accumulated |
---|
| 268 | * timer value in ms (time). |
---|
| 269 | */ |
---|
| 270 | function timer_stop($name) { |
---|
| 271 | global $timers; |
---|
| 272 | |
---|
| 273 | $timers[$name]['time'] = timer_read($name); |
---|
| 274 | unset($timers[$name]['start']); |
---|
| 275 | |
---|
| 276 | return $timers[$name]; |
---|
| 277 | } |
---|
| 278 | |
---|
| 279 | /** |
---|
| 280 | * Find the appropriate configuration directory. |
---|
| 281 | * |
---|
| 282 | * Try finding a matching configuration directory by stripping the website's |
---|
| 283 | * hostname from left to right and pathname from right to left. The first |
---|
| 284 | * configuration file found will be used; the remaining will ignored. If no |
---|
| 285 | * configuration file is found, return a default value '$confdir/default'. |
---|
| 286 | * |
---|
| 287 | * Example for a fictitious site installed at |
---|
| 288 | * http://www.drupal.org:8080/mysite/test/ the 'settings.php' is searched in |
---|
| 289 | * the following directories: |
---|
| 290 | * |
---|
| 291 | * 1. $confdir/8080.www.drupal.org.mysite.test |
---|
| 292 | * 2. $confdir/www.drupal.org.mysite.test |
---|
| 293 | * 3. $confdir/drupal.org.mysite.test |
---|
| 294 | * 4. $confdir/org.mysite.test |
---|
| 295 | * |
---|
| 296 | * 5. $confdir/8080.www.drupal.org.mysite |
---|
| 297 | * 6. $confdir/www.drupal.org.mysite |
---|
| 298 | * 7. $confdir/drupal.org.mysite |
---|
| 299 | * 8. $confdir/org.mysite |
---|
| 300 | * |
---|
| 301 | * 9. $confdir/8080.www.drupal.org |
---|
| 302 | * 10. $confdir/www.drupal.org |
---|
| 303 | * 11. $confdir/drupal.org |
---|
| 304 | * 12. $confdir/org |
---|
| 305 | * |
---|
| 306 | * 13. $confdir/default |
---|
| 307 | * |
---|
| 308 | * @param $require_settings |
---|
| 309 | * Only configuration directories with an existing settings.php file |
---|
| 310 | * will be recognized. Defaults to TRUE. During initial installation, |
---|
| 311 | * this is set to FALSE so that Drupal can detect a matching directory, |
---|
| 312 | * then create a new settings.php file in it. |
---|
| 313 | * @param reset |
---|
| 314 | * Force a full search for matching directories even if one had been |
---|
| 315 | * found previously. |
---|
| 316 | * @return |
---|
| 317 | * The path of the matching directory. |
---|
| 318 | */ |
---|
| 319 | function conf_path($require_settings = TRUE, $reset = FALSE) { |
---|
| 320 | static $conf = ''; |
---|
| 321 | |
---|
| 322 | if ($conf && !$reset) { |
---|
| 323 | return $conf; |
---|
| 324 | } |
---|
| 325 | |
---|
| 326 | $confdir = 'sites'; |
---|
| 327 | $uri = explode('/', $_SERVER['SCRIPT_NAME'] ? $_SERVER['SCRIPT_NAME'] : $_SERVER['SCRIPT_FILENAME']); |
---|
| 328 | $server = explode('.', implode('.', array_reverse(explode(':', rtrim($_SERVER['HTTP_HOST'], '.'))))); |
---|
| 329 | for ($i = count($uri) - 1; $i > 0; $i--) { |
---|
| 330 | for ($j = count($server); $j > 0; $j--) { |
---|
| 331 | $dir = implode('.', array_slice($server, -$j)) . implode('.', array_slice($uri, 0, $i)); |
---|
| 332 | if (file_exists("$confdir/$dir/settings.php") || (!$require_settings && file_exists("$confdir/$dir"))) { |
---|
| 333 | $conf = "$confdir/$dir"; |
---|
| 334 | return $conf; |
---|
| 335 | } |
---|
| 336 | } |
---|
| 337 | } |
---|
| 338 | $conf = "$confdir/default"; |
---|
| 339 | return $conf; |
---|
| 340 | } |
---|
| 341 | |
---|
| 342 | /** |
---|
| 343 | * Unsets all disallowed global variables. See $allowed for what's allowed. |
---|
| 344 | */ |
---|
| 345 | function drupal_unset_globals() { |
---|
| 346 | if (ini_get('register_globals')) { |
---|
| 347 | $allowed = array('_ENV' => 1, '_GET' => 1, '_POST' => 1, '_COOKIE' => 1, '_FILES' => 1, '_SERVER' => 1, '_REQUEST' => 1, 'GLOBALS' => 1); |
---|
| 348 | foreach ($GLOBALS as $key => $value) { |
---|
| 349 | if (!isset($allowed[$key])) { |
---|
| 350 | unset($GLOBALS[$key]); |
---|
| 351 | } |
---|
| 352 | } |
---|
| 353 | } |
---|
| 354 | } |
---|
| 355 | |
---|
| 356 | /** |
---|
| 357 | * Validate that a hostname (for example $_SERVER['HTTP_HOST']) is safe. |
---|
| 358 | * |
---|
| 359 | * As $_SERVER['HTTP_HOST'] is user input, ensure it only contains characters |
---|
| 360 | * allowed in hostnames. See RFC 952 (and RFC 2181). $_SERVER['HTTP_HOST'] is |
---|
| 361 | * lowercased. |
---|
| 362 | * |
---|
| 363 | * @return |
---|
| 364 | * TRUE if only containing valid characters, or FALSE otherwise. |
---|
| 365 | */ |
---|
| 366 | function drupal_valid_http_host($host) { |
---|
[6627152] | 367 | // Limit the length of the host name to 1000 bytes to prevent DoS attacks with |
---|
| 368 | // long host names. |
---|
| 369 | return strlen($host) <= 1000 |
---|
| 370 | // Limit the number of subdomains and port separators to prevent DoS attacks |
---|
| 371 | // in conf_path(). |
---|
| 372 | && substr_count($host, '.') <= 100 |
---|
| 373 | && substr_count($host, ':') <= 100 |
---|
| 374 | && preg_match('/^\[?(?:[a-zA-Z0-9-:\]_]+\.?)+$/', $host); |
---|
[b354002] | 375 | } |
---|
| 376 | |
---|
| 377 | /** |
---|
| 378 | * Loads the configuration and sets the base URL, cookie domain, and |
---|
| 379 | * session name correctly. |
---|
| 380 | */ |
---|
| 381 | function conf_init() { |
---|
| 382 | global $base_url, $base_path, $base_root; |
---|
| 383 | |
---|
| 384 | // Export the following settings.php variables to the global namespace |
---|
| 385 | global $db_url, $db_prefix, $db_collation, $cookie_domain, $conf, $installed_profile, $update_free_access; |
---|
| 386 | $conf = array(); |
---|
| 387 | |
---|
[d7a822e] | 388 | if (!isset($_SERVER['SERVER_PROTOCOL']) || ($_SERVER['SERVER_PROTOCOL'] != 'HTTP/1.0' && $_SERVER['SERVER_PROTOCOL'] != 'HTTP/1.1')) { |
---|
| 389 | $_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.0'; |
---|
| 390 | } |
---|
| 391 | |
---|
[b354002] | 392 | if (isset($_SERVER['HTTP_HOST'])) { |
---|
| 393 | // As HTTP_HOST is user input, ensure it only contains characters allowed |
---|
| 394 | // in hostnames. See RFC 952 (and RFC 2181). |
---|
| 395 | // $_SERVER['HTTP_HOST'] is lowercased here per specifications. |
---|
| 396 | $_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']); |
---|
| 397 | if (!drupal_valid_http_host($_SERVER['HTTP_HOST'])) { |
---|
| 398 | // HTTP_HOST is invalid, e.g. if containing slashes it may be an attack. |
---|
[d7a822e] | 399 | header($_SERVER['SERVER_PROTOCOL'] .' 400 Bad Request'); |
---|
[b354002] | 400 | exit; |
---|
| 401 | } |
---|
| 402 | } |
---|
| 403 | else { |
---|
| 404 | // Some pre-HTTP/1.1 clients will not send a Host header. Ensure the key is |
---|
| 405 | // defined for E_ALL compliance. |
---|
| 406 | $_SERVER['HTTP_HOST'] = ''; |
---|
| 407 | } |
---|
| 408 | |
---|
| 409 | if (file_exists('./'. conf_path() .'/settings.php')) { |
---|
| 410 | include_once './'. conf_path() .'/settings.php'; |
---|
| 411 | } |
---|
| 412 | |
---|
[d7a822e] | 413 | // Ignore the placeholder URL from default.settings.php. |
---|
[b354002] | 414 | if (isset($db_url) && $db_url == 'mysql://username:password@localhost/databasename') { |
---|
| 415 | $db_url = ''; |
---|
| 416 | } |
---|
| 417 | |
---|
| 418 | if (isset($base_url)) { |
---|
| 419 | // Parse fixed base URL from settings.php. |
---|
| 420 | $parts = parse_url($base_url); |
---|
| 421 | if (!isset($parts['path'])) { |
---|
| 422 | $parts['path'] = ''; |
---|
| 423 | } |
---|
| 424 | $base_path = $parts['path'] .'/'; |
---|
| 425 | // Build $base_root (everything until first slash after "scheme://"). |
---|
| 426 | $base_root = substr($base_url, 0, strlen($base_url) - strlen($parts['path'])); |
---|
| 427 | } |
---|
| 428 | else { |
---|
| 429 | // Create base URL |
---|
| 430 | $base_root = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 'https' : 'http'; |
---|
| 431 | |
---|
| 432 | $base_url = $base_root .= '://'. $_SERVER['HTTP_HOST']; |
---|
| 433 | |
---|
| 434 | // $_SERVER['SCRIPT_NAME'] can, in contrast to $_SERVER['PHP_SELF'], not |
---|
| 435 | // be modified by a visitor. |
---|
| 436 | if ($dir = trim(dirname($_SERVER['SCRIPT_NAME']), '\,/')) { |
---|
| 437 | $base_path = "/$dir"; |
---|
| 438 | $base_url .= $base_path; |
---|
| 439 | $base_path .= '/'; |
---|
| 440 | } |
---|
| 441 | else { |
---|
| 442 | $base_path = '/'; |
---|
| 443 | } |
---|
| 444 | } |
---|
| 445 | |
---|
| 446 | if ($cookie_domain) { |
---|
| 447 | // If the user specifies the cookie domain, also use it for session name. |
---|
| 448 | $session_name = $cookie_domain; |
---|
| 449 | } |
---|
| 450 | else { |
---|
| 451 | // Otherwise use $base_url as session name, without the protocol |
---|
[d7a822e] | 452 | // to use the same session identifiers across HTTP and HTTPS. |
---|
[b354002] | 453 | list( , $session_name) = explode('://', $base_url, 2); |
---|
| 454 | // We escape the hostname because it can be modified by a visitor. |
---|
| 455 | if (!empty($_SERVER['HTTP_HOST'])) { |
---|
| 456 | $cookie_domain = check_plain($_SERVER['HTTP_HOST']); |
---|
| 457 | // Strip leading periods, www., and port numbers from cookie domain. |
---|
| 458 | $cookie_domain = ltrim($cookie_domain, '.'); |
---|
| 459 | if (strpos($cookie_domain, 'www.') === 0) { |
---|
| 460 | $cookie_domain = substr($cookie_domain, 4); |
---|
| 461 | } |
---|
| 462 | $cookie_domain = explode(':', $cookie_domain); |
---|
| 463 | $cookie_domain = '.'. $cookie_domain[0]; |
---|
| 464 | } |
---|
| 465 | } |
---|
| 466 | // To prevent session cookies from being hijacked, a user can configure the |
---|
| 467 | // SSL version of their website to only transfer session cookies via SSL by |
---|
| 468 | // using PHP's session.cookie_secure setting. The browser will then use two |
---|
| 469 | // separate session cookies for the HTTPS and HTTP versions of the site. So we |
---|
| 470 | // must use different session identifiers for HTTPS and HTTP to prevent a |
---|
| 471 | // cookie collision. |
---|
| 472 | if (ini_get('session.cookie_secure')) { |
---|
| 473 | $session_name .= 'SSL'; |
---|
| 474 | } |
---|
| 475 | // Per RFC 2109, cookie domains must contain at least one dot other than the |
---|
| 476 | // first. For hosts such as 'localhost' or IP Addresses we don't set a cookie domain. |
---|
| 477 | if (count(explode('.', $cookie_domain)) > 2 && !is_numeric(str_replace('.', '', $cookie_domain))) { |
---|
| 478 | ini_set('session.cookie_domain', $cookie_domain); |
---|
| 479 | } |
---|
| 480 | session_name('SESS'. md5($session_name)); |
---|
| 481 | } |
---|
| 482 | |
---|
| 483 | /** |
---|
| 484 | * Returns and optionally sets the filename for a system item (module, |
---|
| 485 | * theme, etc.). The filename, whether provided, cached, or retrieved |
---|
| 486 | * from the database, is only returned if the file exists. |
---|
| 487 | * |
---|
| 488 | * This function plays a key role in allowing Drupal's resources (modules |
---|
| 489 | * and themes) to be located in different places depending on a site's |
---|
| 490 | * configuration. For example, a module 'foo' may legally be be located |
---|
| 491 | * in any of these three places: |
---|
| 492 | * |
---|
| 493 | * modules/foo/foo.module |
---|
| 494 | * sites/all/modules/foo/foo.module |
---|
| 495 | * sites/example.com/modules/foo/foo.module |
---|
| 496 | * |
---|
| 497 | * Calling drupal_get_filename('module', 'foo') will give you one of |
---|
| 498 | * the above, depending on where the module is located. |
---|
| 499 | * |
---|
| 500 | * @param $type |
---|
| 501 | * The type of the item (i.e. theme, theme_engine, module, profile). |
---|
| 502 | * @param $name |
---|
| 503 | * The name of the item for which the filename is requested. |
---|
| 504 | * @param $filename |
---|
| 505 | * The filename of the item if it is to be set explicitly rather |
---|
| 506 | * than by consulting the database. |
---|
| 507 | * |
---|
| 508 | * @return |
---|
| 509 | * The filename of the requested item. |
---|
| 510 | */ |
---|
| 511 | function drupal_get_filename($type, $name, $filename = NULL) { |
---|
| 512 | static $files = array(); |
---|
| 513 | |
---|
| 514 | if (!isset($files[$type])) { |
---|
| 515 | $files[$type] = array(); |
---|
| 516 | } |
---|
| 517 | |
---|
| 518 | if (!empty($filename) && file_exists($filename)) { |
---|
| 519 | $files[$type][$name] = $filename; |
---|
| 520 | } |
---|
| 521 | elseif (isset($files[$type][$name])) { |
---|
| 522 | // nothing |
---|
| 523 | } |
---|
| 524 | // Verify that we have an active database connection, before querying |
---|
| 525 | // the database. This is required because this function is called both |
---|
| 526 | // before we have a database connection (i.e. during installation) and |
---|
| 527 | // when a database connection fails. |
---|
| 528 | elseif (db_is_active() && (($file = db_result(db_query("SELECT filename FROM {system} WHERE name = '%s' AND type = '%s'", $name, $type))) && file_exists($file))) { |
---|
| 529 | $files[$type][$name] = $file; |
---|
| 530 | } |
---|
| 531 | else { |
---|
| 532 | // Fallback to searching the filesystem if the database connection is |
---|
| 533 | // not established or the requested file is not found. |
---|
| 534 | $config = conf_path(); |
---|
| 535 | $dir = (($type == 'theme_engine') ? 'themes/engines' : "${type}s"); |
---|
| 536 | $file = (($type == 'theme_engine') ? "$name.engine" : "$name.$type"); |
---|
| 537 | |
---|
| 538 | foreach (array("$config/$dir/$file", "$config/$dir/$name/$file", "$dir/$file", "$dir/$name/$file") as $file) { |
---|
| 539 | if (file_exists($file)) { |
---|
| 540 | $files[$type][$name] = $file; |
---|
| 541 | break; |
---|
| 542 | } |
---|
| 543 | } |
---|
| 544 | } |
---|
| 545 | |
---|
| 546 | if (isset($files[$type][$name])) { |
---|
| 547 | return $files[$type][$name]; |
---|
| 548 | } |
---|
| 549 | } |
---|
| 550 | |
---|
| 551 | /** |
---|
| 552 | * Load the persistent variable table. |
---|
| 553 | * |
---|
| 554 | * The variable table is composed of values that have been saved in the table |
---|
| 555 | * with variable_set() as well as those explicitly specified in the configuration |
---|
| 556 | * file. |
---|
| 557 | */ |
---|
| 558 | function variable_init($conf = array()) { |
---|
| 559 | // NOTE: caching the variables improves performance by 20% when serving cached pages. |
---|
| 560 | if ($cached = cache_get('variables', 'cache')) { |
---|
| 561 | $variables = $cached->data; |
---|
| 562 | } |
---|
| 563 | else { |
---|
| 564 | $result = db_query('SELECT * FROM {variable}'); |
---|
| 565 | while ($variable = db_fetch_object($result)) { |
---|
| 566 | $variables[$variable->name] = unserialize($variable->value); |
---|
| 567 | } |
---|
| 568 | cache_set('variables', $variables); |
---|
| 569 | } |
---|
| 570 | |
---|
| 571 | foreach ($conf as $name => $value) { |
---|
| 572 | $variables[$name] = $value; |
---|
| 573 | } |
---|
| 574 | |
---|
| 575 | return $variables; |
---|
| 576 | } |
---|
| 577 | |
---|
| 578 | /** |
---|
| 579 | * Returns a persistent variable. |
---|
| 580 | * |
---|
| 581 | * Case-sensitivity of the variable_* functions depends on the database |
---|
| 582 | * collation used. To avoid problems, always use lower case for persistent |
---|
| 583 | * variable names. |
---|
| 584 | * |
---|
| 585 | * @param $name |
---|
| 586 | * The name of the variable to return. |
---|
| 587 | * @param $default |
---|
| 588 | * The default value to use if this variable has never been set. |
---|
| 589 | * @return |
---|
| 590 | * The value of the variable. |
---|
| 591 | * |
---|
| 592 | * @see variable_del(), variable_set() |
---|
| 593 | */ |
---|
| 594 | function variable_get($name, $default) { |
---|
| 595 | global $conf; |
---|
| 596 | |
---|
| 597 | return isset($conf[$name]) ? $conf[$name] : $default; |
---|
| 598 | } |
---|
| 599 | |
---|
| 600 | /** |
---|
| 601 | * Sets a persistent variable. |
---|
| 602 | * |
---|
| 603 | * Case-sensitivity of the variable_* functions depends on the database |
---|
| 604 | * collation used. To avoid problems, always use lower case for persistent |
---|
| 605 | * variable names. |
---|
| 606 | * |
---|
| 607 | * @param $name |
---|
| 608 | * The name of the variable to set. |
---|
| 609 | * @param $value |
---|
| 610 | * The value to set. This can be any PHP data type; these functions take care |
---|
| 611 | * of serialization as necessary. |
---|
| 612 | * |
---|
| 613 | * @see variable_del(), variable_get() |
---|
| 614 | */ |
---|
| 615 | function variable_set($name, $value) { |
---|
| 616 | global $conf; |
---|
| 617 | |
---|
| 618 | $serialized_value = serialize($value); |
---|
| 619 | db_query("UPDATE {variable} SET value = '%s' WHERE name = '%s'", $serialized_value, $name); |
---|
| 620 | if (!db_affected_rows()) { |
---|
| 621 | @db_query("INSERT INTO {variable} (name, value) VALUES ('%s', '%s')", $name, $serialized_value); |
---|
| 622 | } |
---|
| 623 | |
---|
| 624 | cache_clear_all('variables', 'cache'); |
---|
| 625 | |
---|
| 626 | $conf[$name] = $value; |
---|
| 627 | } |
---|
| 628 | |
---|
| 629 | /** |
---|
| 630 | * Unsets a persistent variable. |
---|
| 631 | * |
---|
| 632 | * Case-sensitivity of the variable_* functions depends on the database |
---|
| 633 | * collation used. To avoid problems, always use lower case for persistent |
---|
| 634 | * variable names. |
---|
| 635 | * |
---|
| 636 | * @param $name |
---|
| 637 | * The name of the variable to undefine. |
---|
| 638 | * |
---|
| 639 | * @see variable_get(), variable_set() |
---|
| 640 | */ |
---|
| 641 | function variable_del($name) { |
---|
| 642 | global $conf; |
---|
| 643 | |
---|
| 644 | db_query("DELETE FROM {variable} WHERE name = '%s'", $name); |
---|
| 645 | cache_clear_all('variables', 'cache'); |
---|
| 646 | |
---|
| 647 | unset($conf[$name]); |
---|
| 648 | } |
---|
| 649 | |
---|
| 650 | |
---|
| 651 | /** |
---|
| 652 | * Retrieve the current page from the cache. |
---|
| 653 | * |
---|
| 654 | * Note: we do not serve cached pages when status messages are waiting (from |
---|
| 655 | * a redirected form submission which was completed). |
---|
| 656 | * |
---|
| 657 | * @param $status_only |
---|
| 658 | * When set to TRUE, retrieve the status of the page cache only |
---|
| 659 | * (whether it was started in this request or not). |
---|
| 660 | */ |
---|
| 661 | function page_get_cache($status_only = FALSE) { |
---|
| 662 | static $status = FALSE; |
---|
| 663 | global $user, $base_root; |
---|
| 664 | |
---|
| 665 | if ($status_only) { |
---|
| 666 | return $status; |
---|
| 667 | } |
---|
| 668 | $cache = NULL; |
---|
| 669 | |
---|
| 670 | if (!$user->uid && $_SERVER['REQUEST_METHOD'] == 'GET' && count(drupal_set_message()) == 0 && $_SERVER['SERVER_SOFTWARE'] !== 'PHP CLI') { |
---|
| 671 | $cache = cache_get($base_root . request_uri(), 'cache_page'); |
---|
| 672 | |
---|
| 673 | if (empty($cache)) { |
---|
| 674 | ob_start(); |
---|
| 675 | $status = TRUE; |
---|
| 676 | } |
---|
| 677 | } |
---|
| 678 | |
---|
| 679 | return $cache; |
---|
| 680 | } |
---|
| 681 | |
---|
| 682 | /** |
---|
| 683 | * Call all init or exit hooks without including all modules. |
---|
| 684 | * |
---|
| 685 | * @param $hook |
---|
| 686 | * The name of the bootstrap hook we wish to invoke. |
---|
| 687 | */ |
---|
| 688 | function bootstrap_invoke_all($hook) { |
---|
| 689 | foreach (module_list(TRUE, TRUE) as $module) { |
---|
| 690 | drupal_load('module', $module); |
---|
| 691 | module_invoke($module, $hook); |
---|
| 692 | } |
---|
| 693 | } |
---|
| 694 | |
---|
| 695 | /** |
---|
| 696 | * Includes a file with the provided type and name. This prevents |
---|
| 697 | * including a theme, engine, module, etc., more than once. |
---|
| 698 | * |
---|
| 699 | * @param $type |
---|
| 700 | * The type of item to load (i.e. theme, theme_engine, module, profile). |
---|
| 701 | * @param $name |
---|
| 702 | * The name of the item to load. |
---|
| 703 | * |
---|
| 704 | * @return |
---|
| 705 | * TRUE if the item is loaded or has already been loaded. |
---|
| 706 | */ |
---|
| 707 | function drupal_load($type, $name) { |
---|
| 708 | static $files = array(); |
---|
| 709 | |
---|
| 710 | if (isset($files[$type][$name])) { |
---|
| 711 | return TRUE; |
---|
| 712 | } |
---|
| 713 | |
---|
| 714 | $filename = drupal_get_filename($type, $name); |
---|
| 715 | |
---|
| 716 | if ($filename) { |
---|
| 717 | include_once "./$filename"; |
---|
| 718 | $files[$type][$name] = TRUE; |
---|
| 719 | |
---|
| 720 | return TRUE; |
---|
| 721 | } |
---|
| 722 | |
---|
| 723 | return FALSE; |
---|
| 724 | } |
---|
| 725 | |
---|
| 726 | /** |
---|
| 727 | * Set HTTP headers in preparation for a page response. |
---|
| 728 | * |
---|
| 729 | * Authenticated users are always given a 'no-cache' header, and will |
---|
| 730 | * fetch a fresh page on every request. This prevents authenticated |
---|
| 731 | * users seeing locally cached pages that show them as logged out. |
---|
| 732 | * |
---|
| 733 | * @see page_set_cache() |
---|
| 734 | */ |
---|
| 735 | function drupal_page_header() { |
---|
| 736 | header("Expires: Sun, 19 Nov 1978 05:00:00 GMT"); |
---|
| 737 | header("Last-Modified: ". gmdate("D, d M Y H:i:s") ." GMT"); |
---|
| 738 | header("Cache-Control: store, no-cache, must-revalidate"); |
---|
| 739 | header("Cache-Control: post-check=0, pre-check=0", FALSE); |
---|
| 740 | } |
---|
| 741 | |
---|
| 742 | /** |
---|
| 743 | * Set HTTP headers in preparation for a cached page response. |
---|
| 744 | * |
---|
| 745 | * The general approach here is that anonymous users can keep a local |
---|
| 746 | * cache of the page, but must revalidate it on every request. Then, |
---|
| 747 | * they are given a '304 Not Modified' response as long as they stay |
---|
| 748 | * logged out and the page has not been modified. |
---|
| 749 | * |
---|
| 750 | */ |
---|
| 751 | function drupal_page_cache_header($cache) { |
---|
| 752 | // Set default values: |
---|
| 753 | $last_modified = gmdate('D, d M Y H:i:s', $cache->created) .' GMT'; |
---|
| 754 | $etag = '"'. md5($last_modified) .'"'; |
---|
| 755 | |
---|
| 756 | // See if the client has provided the required HTTP headers: |
---|
| 757 | $if_modified_since = isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) ? stripslashes($_SERVER['HTTP_IF_MODIFIED_SINCE']) : FALSE; |
---|
| 758 | $if_none_match = isset($_SERVER['HTTP_IF_NONE_MATCH']) ? stripslashes($_SERVER['HTTP_IF_NONE_MATCH']) : FALSE; |
---|
| 759 | |
---|
| 760 | if ($if_modified_since && $if_none_match |
---|
| 761 | && $if_none_match == $etag // etag must match |
---|
| 762 | && $if_modified_since == $last_modified) { // if-modified-since must match |
---|
[d7a822e] | 763 | header($_SERVER['SERVER_PROTOCOL'] .' 304 Not Modified'); |
---|
[b354002] | 764 | // All 304 responses must send an etag if the 200 response for the same object contained an etag |
---|
| 765 | header("Etag: $etag"); |
---|
| 766 | return; |
---|
| 767 | } |
---|
| 768 | |
---|
| 769 | // Send appropriate response: |
---|
| 770 | header("Last-Modified: $last_modified"); |
---|
| 771 | header("ETag: $etag"); |
---|
| 772 | |
---|
| 773 | // The following headers force validation of cache: |
---|
| 774 | header("Expires: Sun, 19 Nov 1978 05:00:00 GMT"); |
---|
| 775 | header("Cache-Control: must-revalidate"); |
---|
| 776 | |
---|
| 777 | if (variable_get('page_compression', TRUE) && extension_loaded('zlib')) { |
---|
| 778 | // Determine if the browser accepts gzipped data. |
---|
| 779 | if (isset($_SERVER['HTTP_ACCEPT_ENCODING']) && strpos($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip') !== FALSE) { |
---|
| 780 | // $cache->data is already gzip'ed, so make sure zlib.output_compression |
---|
| 781 | // does not compress it once more. |
---|
| 782 | ini_set('zlib.output_compression', '0'); |
---|
| 783 | header('Content-Encoding: gzip'); |
---|
| 784 | } |
---|
| 785 | else { |
---|
| 786 | // The client does not support compression, so unzip the data in the |
---|
| 787 | // cache. Strip the gzip header and run uncompress. |
---|
| 788 | $cache->data = gzinflate(substr(substr($cache->data, 10), 0, -8)); |
---|
| 789 | } |
---|
| 790 | } |
---|
| 791 | |
---|
| 792 | // Send the original request's headers. We send them one after |
---|
| 793 | // another so PHP's header() function can deal with duplicate |
---|
| 794 | // headers. |
---|
| 795 | $headers = explode("\n", $cache->headers); |
---|
| 796 | foreach ($headers as $header) { |
---|
| 797 | header($header); |
---|
| 798 | } |
---|
| 799 | |
---|
| 800 | print $cache->data; |
---|
| 801 | } |
---|
| 802 | |
---|
| 803 | /** |
---|
| 804 | * Define the critical hooks that force modules to always be loaded. |
---|
| 805 | */ |
---|
| 806 | function bootstrap_hooks() { |
---|
| 807 | return array('boot', 'exit'); |
---|
| 808 | } |
---|
| 809 | |
---|
| 810 | /** |
---|
| 811 | * Unserializes and appends elements from a serialized string. |
---|
| 812 | * |
---|
| 813 | * @param $obj |
---|
| 814 | * The object to which the elements are appended. |
---|
| 815 | * @param $field |
---|
| 816 | * The attribute of $obj whose value should be unserialized. |
---|
| 817 | */ |
---|
| 818 | function drupal_unpack($obj, $field = 'data') { |
---|
| 819 | if ($obj->$field && $data = unserialize($obj->$field)) { |
---|
| 820 | foreach ($data as $key => $value) { |
---|
| 821 | if (!empty($key) && !isset($obj->$key)) { |
---|
| 822 | $obj->$key = $value; |
---|
| 823 | } |
---|
| 824 | } |
---|
| 825 | } |
---|
| 826 | return $obj; |
---|
| 827 | } |
---|
| 828 | |
---|
| 829 | /** |
---|
| 830 | * Return the URI of the referring page. |
---|
| 831 | */ |
---|
| 832 | function referer_uri() { |
---|
| 833 | if (isset($_SERVER['HTTP_REFERER'])) { |
---|
| 834 | return $_SERVER['HTTP_REFERER']; |
---|
| 835 | } |
---|
| 836 | } |
---|
| 837 | |
---|
| 838 | /** |
---|
| 839 | * Encode special characters in a plain-text string for display as HTML. |
---|
| 840 | * |
---|
| 841 | * Also validates strings as UTF-8 to prevent cross site scripting attacks on |
---|
| 842 | * Internet Explorer 6. |
---|
| 843 | * |
---|
| 844 | * @param $text |
---|
| 845 | * The text to be checked or processed. |
---|
| 846 | * @return |
---|
| 847 | * An HTML safe version of $text, or an empty string if $text is not |
---|
| 848 | * valid UTF-8. |
---|
| 849 | * |
---|
| 850 | * @see drupal_validate_utf8(). |
---|
| 851 | */ |
---|
| 852 | function check_plain($text) { |
---|
| 853 | static $php525; |
---|
| 854 | |
---|
| 855 | if (!isset($php525)) { |
---|
| 856 | $php525 = version_compare(PHP_VERSION, '5.2.5', '>='); |
---|
| 857 | } |
---|
| 858 | // We duplicate the preg_match() to validate strings as UTF-8 from |
---|
| 859 | // drupal_validate_utf8() here. This avoids the overhead of an additional |
---|
| 860 | // function call, since check_plain() may be called hundreds of times during |
---|
| 861 | // a request. For PHP 5.2.5+, this check for valid UTF-8 should be handled |
---|
| 862 | // internally by PHP in htmlspecialchars(). |
---|
| 863 | // @see http://www.php.net/releases/5_2_5.php |
---|
| 864 | // @todo remove this when support for either IE6 or PHP < 5.2.5 is dropped. |
---|
| 865 | |
---|
| 866 | if ($php525) { |
---|
| 867 | return htmlspecialchars($text, ENT_QUOTES, 'UTF-8'); |
---|
| 868 | } |
---|
| 869 | return (preg_match('/^./us', $text) == 1) ? htmlspecialchars($text, ENT_QUOTES, 'UTF-8') : ''; |
---|
| 870 | } |
---|
| 871 | |
---|
| 872 | /** |
---|
| 873 | * Checks whether a string is valid UTF-8. |
---|
| 874 | * |
---|
| 875 | * All functions designed to filter input should use drupal_validate_utf8 |
---|
| 876 | * to ensure they operate on valid UTF-8 strings to prevent bypass of the |
---|
| 877 | * filter. |
---|
| 878 | * |
---|
| 879 | * When text containing an invalid UTF-8 lead byte (0xC0 - 0xFF) is presented |
---|
| 880 | * as UTF-8 to Internet Explorer 6, the program may misinterpret subsequent |
---|
| 881 | * bytes. When these subsequent bytes are HTML control characters such as |
---|
| 882 | * quotes or angle brackets, parts of the text that were deemed safe by filters |
---|
| 883 | * end up in locations that are potentially unsafe; An onerror attribute that |
---|
| 884 | * is outside of a tag, and thus deemed safe by a filter, can be interpreted |
---|
| 885 | * by the browser as if it were inside the tag. |
---|
| 886 | * |
---|
| 887 | * This function exploits preg_match behaviour (since PHP 4.3.5) when used |
---|
| 888 | * with the u modifier, as a fast way to find invalid UTF-8. When the matched |
---|
| 889 | * string contains an invalid byte sequence, it will fail silently. |
---|
| 890 | * |
---|
| 891 | * preg_match may not fail on 4 and 5 octet sequences, even though they |
---|
| 892 | * are not supported by the specification. |
---|
| 893 | * |
---|
| 894 | * The specific preg_match behaviour is present since PHP 4.3.5. |
---|
| 895 | * |
---|
| 896 | * @param $text |
---|
| 897 | * The text to check. |
---|
| 898 | * @return |
---|
| 899 | * TRUE if the text is valid UTF-8, FALSE if not. |
---|
| 900 | */ |
---|
| 901 | function drupal_validate_utf8($text) { |
---|
| 902 | if (strlen($text) == 0) { |
---|
| 903 | return TRUE; |
---|
| 904 | } |
---|
| 905 | // For performance reasons this logic is duplicated in check_plain(). |
---|
| 906 | return (preg_match('/^./us', $text) == 1); |
---|
| 907 | } |
---|
| 908 | |
---|
| 909 | /** |
---|
| 910 | * Since $_SERVER['REQUEST_URI'] is only available on Apache, we |
---|
| 911 | * generate an equivalent using other environment variables. |
---|
| 912 | */ |
---|
| 913 | function request_uri() { |
---|
| 914 | |
---|
| 915 | if (isset($_SERVER['REQUEST_URI'])) { |
---|
| 916 | $uri = $_SERVER['REQUEST_URI']; |
---|
| 917 | } |
---|
| 918 | else { |
---|
| 919 | if (isset($_SERVER['argv'])) { |
---|
| 920 | $uri = $_SERVER['SCRIPT_NAME'] .'?'. $_SERVER['argv'][0]; |
---|
| 921 | } |
---|
| 922 | elseif (isset($_SERVER['QUERY_STRING'])) { |
---|
| 923 | $uri = $_SERVER['SCRIPT_NAME'] .'?'. $_SERVER['QUERY_STRING']; |
---|
| 924 | } |
---|
| 925 | else { |
---|
| 926 | $uri = $_SERVER['SCRIPT_NAME']; |
---|
| 927 | } |
---|
| 928 | } |
---|
| 929 | // Prevent multiple slashes to avoid cross site requests via the FAPI. |
---|
| 930 | $uri = '/'. ltrim($uri, '/'); |
---|
| 931 | |
---|
| 932 | return $uri; |
---|
| 933 | } |
---|
| 934 | |
---|
| 935 | /** |
---|
| 936 | * Log a system message. |
---|
| 937 | * |
---|
| 938 | * @param $type |
---|
| 939 | * The category to which this message belongs. Can be any string, but the |
---|
| 940 | * general practice is to use the name of the module calling watchdog(). |
---|
[6627152] | 941 | * The $type parameter is limited to 16 characters; anything longer is |
---|
| 942 | * truncated. |
---|
[b354002] | 943 | * @param $message |
---|
| 944 | * The message to store in the log. See t() for documentation |
---|
| 945 | * on how $message and $variables interact. Keep $message |
---|
| 946 | * translatable by not concatenating dynamic values into it! |
---|
| 947 | * @param $variables |
---|
| 948 | * Array of variables to replace in the message on display or |
---|
| 949 | * NULL if message is already translated or not possible to |
---|
| 950 | * translate. |
---|
| 951 | * @param $severity |
---|
[6627152] | 952 | * The severity of the message; one of the following values as defined in |
---|
| 953 | * @link http://www.faqs.org/rfcs/rfc3164.html RFC 3164: @endlink |
---|
| 954 | * - WATCHDOG_EMERGENCY: Emergency, system is unusable. |
---|
| 955 | * - WATCHDOG_ALERT: Alert, action must be taken immediately. |
---|
| 956 | * - WATCHDOG_CRITICAL: Critical conditions. |
---|
| 957 | * - WATCHDOG_ERROR: Error conditions. |
---|
| 958 | * - WATCHDOG_WARNING: Warning conditions. |
---|
| 959 | * - WATCHDOG_NOTICE: (default) Normal but significant conditions. |
---|
| 960 | * - WATCHDOG_INFO: Informational messages. |
---|
| 961 | * - WATCHDOG_DEBUG: Debug-level messages. |
---|
[b354002] | 962 | * @param $link |
---|
| 963 | * A link to associate with the message. |
---|
| 964 | * |
---|
| 965 | * @see watchdog_severity_levels() |
---|
| 966 | */ |
---|
| 967 | function watchdog($type, $message, $variables = array(), $severity = WATCHDOG_NOTICE, $link = NULL) { |
---|
| 968 | global $user, $base_root; |
---|
| 969 | |
---|
| 970 | // Prepare the fields to be logged |
---|
| 971 | $log_message = array( |
---|
| 972 | 'type' => $type, |
---|
| 973 | 'message' => $message, |
---|
| 974 | 'variables' => $variables, |
---|
| 975 | 'severity' => $severity, |
---|
| 976 | 'link' => $link, |
---|
| 977 | 'user' => $user, |
---|
| 978 | 'request_uri' => $base_root . request_uri(), |
---|
| 979 | 'referer' => referer_uri(), |
---|
| 980 | 'ip' => ip_address(), |
---|
| 981 | 'timestamp' => time(), |
---|
| 982 | ); |
---|
| 983 | |
---|
| 984 | // Call the logging hooks to log/process the message |
---|
| 985 | foreach (module_implements('watchdog') as $module) { |
---|
| 986 | module_invoke($module, 'watchdog', $log_message); |
---|
| 987 | } |
---|
| 988 | } |
---|
| 989 | |
---|
| 990 | /** |
---|
| 991 | * Set a message which reflects the status of the performed operation. |
---|
| 992 | * |
---|
| 993 | * If the function is called with no arguments, this function returns all set |
---|
| 994 | * messages without clearing them. |
---|
| 995 | * |
---|
| 996 | * @param $message |
---|
| 997 | * The message should begin with a capital letter and always ends with a |
---|
| 998 | * period '.'. |
---|
| 999 | * @param $type |
---|
| 1000 | * The type of the message. One of the following values are possible: |
---|
| 1001 | * - 'status' |
---|
| 1002 | * - 'warning' |
---|
| 1003 | * - 'error' |
---|
| 1004 | * @param $repeat |
---|
| 1005 | * If this is FALSE and the message is already set, then the message won't |
---|
| 1006 | * be repeated. |
---|
| 1007 | */ |
---|
| 1008 | function drupal_set_message($message = NULL, $type = 'status', $repeat = TRUE) { |
---|
| 1009 | if ($message) { |
---|
| 1010 | if (!isset($_SESSION['messages'])) { |
---|
| 1011 | $_SESSION['messages'] = array(); |
---|
| 1012 | } |
---|
| 1013 | |
---|
| 1014 | if (!isset($_SESSION['messages'][$type])) { |
---|
| 1015 | $_SESSION['messages'][$type] = array(); |
---|
| 1016 | } |
---|
| 1017 | |
---|
| 1018 | if ($repeat || !in_array($message, $_SESSION['messages'][$type])) { |
---|
| 1019 | $_SESSION['messages'][$type][] = $message; |
---|
| 1020 | } |
---|
| 1021 | } |
---|
| 1022 | |
---|
| 1023 | // messages not set when DB connection fails |
---|
| 1024 | return isset($_SESSION['messages']) ? $_SESSION['messages'] : NULL; |
---|
| 1025 | } |
---|
| 1026 | |
---|
| 1027 | /** |
---|
| 1028 | * Return all messages that have been set. |
---|
| 1029 | * |
---|
| 1030 | * @param $type |
---|
| 1031 | * (optional) Only return messages of this type. |
---|
| 1032 | * @param $clear_queue |
---|
| 1033 | * (optional) Set to FALSE if you do not want to clear the messages queue |
---|
| 1034 | * @return |
---|
| 1035 | * An associative array, the key is the message type, the value an array |
---|
| 1036 | * of messages. If the $type parameter is passed, you get only that type, |
---|
| 1037 | * or an empty array if there are no such messages. If $type is not passed, |
---|
| 1038 | * all message types are returned, or an empty array if none exist. |
---|
| 1039 | */ |
---|
| 1040 | function drupal_get_messages($type = NULL, $clear_queue = TRUE) { |
---|
| 1041 | if ($messages = drupal_set_message()) { |
---|
| 1042 | if ($type) { |
---|
| 1043 | if ($clear_queue) { |
---|
| 1044 | unset($_SESSION['messages'][$type]); |
---|
| 1045 | } |
---|
| 1046 | if (isset($messages[$type])) { |
---|
| 1047 | return array($type => $messages[$type]); |
---|
| 1048 | } |
---|
| 1049 | } |
---|
| 1050 | else { |
---|
| 1051 | if ($clear_queue) { |
---|
| 1052 | unset($_SESSION['messages']); |
---|
| 1053 | } |
---|
| 1054 | return $messages; |
---|
| 1055 | } |
---|
| 1056 | } |
---|
| 1057 | return array(); |
---|
| 1058 | } |
---|
| 1059 | |
---|
| 1060 | /** |
---|
| 1061 | * Perform an access check for a given mask and rule type. Rules are usually |
---|
| 1062 | * created via admin/user/rules page. |
---|
| 1063 | * |
---|
| 1064 | * If any allow rule matches, access is allowed. Otherwise, if any deny rule |
---|
| 1065 | * matches, access is denied. If no rule matches, access is allowed. |
---|
| 1066 | * |
---|
| 1067 | * @param $type string |
---|
| 1068 | * Type of access to check: Allowed values are: |
---|
| 1069 | * - 'host': host name or IP address |
---|
| 1070 | * - 'mail': e-mail address |
---|
| 1071 | * - 'user': username |
---|
| 1072 | * @param $mask string |
---|
| 1073 | * String or mask to test: '_' matches any character, '%' matches any |
---|
| 1074 | * number of characters. |
---|
| 1075 | * @return bool |
---|
| 1076 | * TRUE if access is denied, FALSE if access is allowed. |
---|
| 1077 | */ |
---|
| 1078 | function drupal_is_denied($type, $mask) { |
---|
| 1079 | // Because this function is called for every page request, both cached |
---|
| 1080 | // and non-cached pages, we tried to optimize it as much as possible. |
---|
| 1081 | // We deny access if the only matching records in the {access} table have |
---|
| 1082 | // status 0 (deny). If any have status 1 (allow), or if there are no |
---|
| 1083 | // matching records, we allow access. |
---|
| 1084 | $sql = "SELECT 1 FROM {access} WHERE type = '%s' AND LOWER('%s') LIKE LOWER(mask) AND status = %d"; |
---|
| 1085 | return db_result(db_query_range($sql, $type, $mask, 0, 0, 1)) && !db_result(db_query_range($sql, $type, $mask, 1, 0, 1)); |
---|
| 1086 | } |
---|
| 1087 | |
---|
| 1088 | /** |
---|
| 1089 | * Generates a default anonymous $user object. |
---|
| 1090 | * |
---|
| 1091 | * @return Object - the user object. |
---|
| 1092 | */ |
---|
| 1093 | function drupal_anonymous_user($session = '') { |
---|
| 1094 | $user = new stdClass(); |
---|
| 1095 | $user->uid = 0; |
---|
| 1096 | $user->hostname = ip_address(); |
---|
| 1097 | $user->roles = array(); |
---|
| 1098 | $user->roles[DRUPAL_ANONYMOUS_RID] = 'anonymous user'; |
---|
| 1099 | $user->session = $session; |
---|
| 1100 | $user->cache = 0; |
---|
| 1101 | return $user; |
---|
| 1102 | } |
---|
| 1103 | |
---|
| 1104 | /** |
---|
| 1105 | * A string describing a phase of Drupal to load. Each phase adds to the |
---|
| 1106 | * previous one, so invoking a later phase automatically runs the earlier |
---|
| 1107 | * phases too. The most important usage is that if you want to access the |
---|
| 1108 | * Drupal database from a script without loading anything else, you can |
---|
| 1109 | * include bootstrap.inc, and call drupal_bootstrap(DRUPAL_BOOTSTRAP_DATABASE). |
---|
| 1110 | * |
---|
| 1111 | * @param $phase |
---|
| 1112 | * A constant. Allowed values are: |
---|
| 1113 | * DRUPAL_BOOTSTRAP_CONFIGURATION: initialize configuration. |
---|
| 1114 | * DRUPAL_BOOTSTRAP_EARLY_PAGE_CACHE: try to call a non-database cache fetch routine. |
---|
| 1115 | * DRUPAL_BOOTSTRAP_DATABASE: initialize database layer. |
---|
| 1116 | * DRUPAL_BOOTSTRAP_ACCESS: identify and reject banned hosts. |
---|
| 1117 | * DRUPAL_BOOTSTRAP_SESSION: initialize session handling. |
---|
| 1118 | * DRUPAL_BOOTSTRAP_LATE_PAGE_CACHE: load bootstrap.inc and module.inc, start |
---|
| 1119 | * the variable system and try to serve a page from the cache. |
---|
| 1120 | * DRUPAL_BOOTSTRAP_LANGUAGE: identify the language used on the page. |
---|
| 1121 | * DRUPAL_BOOTSTRAP_PATH: set $_GET['q'] to Drupal path of request. |
---|
| 1122 | * DRUPAL_BOOTSTRAP_FULL: Drupal is fully loaded, validate and fix input data. |
---|
| 1123 | */ |
---|
| 1124 | function drupal_bootstrap($phase) { |
---|
| 1125 | static $phases = array(DRUPAL_BOOTSTRAP_CONFIGURATION, DRUPAL_BOOTSTRAP_EARLY_PAGE_CACHE, DRUPAL_BOOTSTRAP_DATABASE, DRUPAL_BOOTSTRAP_ACCESS, DRUPAL_BOOTSTRAP_SESSION, DRUPAL_BOOTSTRAP_LATE_PAGE_CACHE, DRUPAL_BOOTSTRAP_LANGUAGE, DRUPAL_BOOTSTRAP_PATH, DRUPAL_BOOTSTRAP_FULL), $phase_index = 0; |
---|
| 1126 | |
---|
| 1127 | while ($phase >= $phase_index && isset($phases[$phase_index])) { |
---|
| 1128 | $current_phase = $phases[$phase_index]; |
---|
| 1129 | unset($phases[$phase_index++]); |
---|
| 1130 | _drupal_bootstrap($current_phase); |
---|
| 1131 | } |
---|
| 1132 | } |
---|
| 1133 | |
---|
| 1134 | function _drupal_bootstrap($phase) { |
---|
| 1135 | global $conf; |
---|
| 1136 | |
---|
| 1137 | switch ($phase) { |
---|
| 1138 | |
---|
| 1139 | case DRUPAL_BOOTSTRAP_CONFIGURATION: |
---|
| 1140 | drupal_unset_globals(); |
---|
| 1141 | // Start a page timer: |
---|
| 1142 | timer_start('page'); |
---|
| 1143 | // Initialize the configuration |
---|
| 1144 | conf_init(); |
---|
| 1145 | break; |
---|
| 1146 | |
---|
| 1147 | case DRUPAL_BOOTSTRAP_EARLY_PAGE_CACHE: |
---|
| 1148 | // Allow specifying special cache handlers in settings.php, like |
---|
| 1149 | // using memcached or files for storing cache information. |
---|
| 1150 | require_once variable_get('cache_inc', './includes/cache.inc'); |
---|
| 1151 | // If the page_cache_fastpath is set to TRUE in settings.php and |
---|
| 1152 | // page_cache_fastpath (implemented in the special implementation of |
---|
| 1153 | // cache.inc) printed the page and indicated this with a returned TRUE |
---|
| 1154 | // then we are done. |
---|
| 1155 | if (variable_get('page_cache_fastpath', FALSE) && page_cache_fastpath()) { |
---|
| 1156 | exit; |
---|
| 1157 | } |
---|
| 1158 | break; |
---|
| 1159 | |
---|
| 1160 | case DRUPAL_BOOTSTRAP_DATABASE: |
---|
| 1161 | // Initialize the default database. |
---|
| 1162 | require_once './includes/database.inc'; |
---|
| 1163 | db_set_active(); |
---|
| 1164 | // Allow specifying alternate lock implementations in settings.php, like |
---|
| 1165 | // those using APC or memcached. |
---|
| 1166 | require_once variable_get('lock_inc', './includes/lock.inc'); |
---|
| 1167 | lock_init(); |
---|
| 1168 | break; |
---|
| 1169 | |
---|
| 1170 | case DRUPAL_BOOTSTRAP_ACCESS: |
---|
| 1171 | // Deny access to hosts which were banned - t() is not yet available. |
---|
| 1172 | if (drupal_is_denied('host', ip_address())) { |
---|
[d7a822e] | 1173 | header($_SERVER['SERVER_PROTOCOL'] .' 403 Forbidden'); |
---|
[b354002] | 1174 | print 'Sorry, '. check_plain(ip_address()) .' has been banned.'; |
---|
| 1175 | exit(); |
---|
| 1176 | } |
---|
| 1177 | break; |
---|
| 1178 | |
---|
| 1179 | case DRUPAL_BOOTSTRAP_SESSION: |
---|
| 1180 | require_once variable_get('session_inc', './includes/session.inc'); |
---|
| 1181 | session_set_save_handler('sess_open', 'sess_close', 'sess_read', 'sess_write', 'sess_destroy_sid', 'sess_gc'); |
---|
| 1182 | session_start(); |
---|
| 1183 | break; |
---|
| 1184 | |
---|
| 1185 | case DRUPAL_BOOTSTRAP_LATE_PAGE_CACHE: |
---|
| 1186 | // Initialize configuration variables, using values from settings.php if available. |
---|
| 1187 | $conf = variable_init(isset($conf) ? $conf : array()); |
---|
[6627152] | 1188 | |
---|
| 1189 | // Sanitize the destination parameter (which is often used for redirects) |
---|
| 1190 | // to prevent open redirect attacks leading to other domains. Sanitize |
---|
| 1191 | // both $_GET['destination'] and $_REQUEST['destination'] to protect code |
---|
| 1192 | // that relies on either, but do not sanitize $_POST to avoid interfering |
---|
| 1193 | // with unrelated form submissions. $_REQUEST['edit']['destination'] is |
---|
| 1194 | // also sanitized since drupal_goto() will sometimes rely on it, and |
---|
| 1195 | // other code might therefore use it too. The sanitization happens here |
---|
| 1196 | // because menu_path_is_external() requires the variable system to be |
---|
| 1197 | // available. |
---|
| 1198 | if (isset($_GET['destination']) || isset($_REQUEST['destination']) || isset($_REQUEST['edit']['destination'])) { |
---|
| 1199 | // If the destination is an external URL, remove it. |
---|
| 1200 | if (isset($_GET['destination']) && menu_path_is_external($_GET['destination'])) { |
---|
| 1201 | unset($_GET['destination']); |
---|
| 1202 | unset($_REQUEST['destination']); |
---|
| 1203 | } |
---|
| 1204 | // If there's still something in $_REQUEST['destination'] that didn't |
---|
| 1205 | // come from $_GET, check it too. |
---|
| 1206 | if (isset($_REQUEST['destination']) && (!isset($_GET['destination']) || $_REQUEST['destination'] != $_GET['destination']) && menu_path_is_external($_REQUEST['destination'])) { |
---|
| 1207 | unset($_REQUEST['destination']); |
---|
| 1208 | } |
---|
| 1209 | // Check $_REQUEST['edit']['destination'] separately. |
---|
| 1210 | if (isset($_REQUEST['edit']['destination']) && menu_path_is_external($_REQUEST['edit']['destination'])) { |
---|
| 1211 | unset($_REQUEST['edit']['destination']); |
---|
| 1212 | } |
---|
| 1213 | } |
---|
| 1214 | |
---|
[b354002] | 1215 | $cache_mode = variable_get('cache', CACHE_DISABLED); |
---|
| 1216 | // Get the page from the cache. |
---|
| 1217 | $cache = $cache_mode == CACHE_DISABLED ? '' : page_get_cache(); |
---|
| 1218 | // If the skipping of the bootstrap hooks is not enforced, call hook_boot. |
---|
| 1219 | if (!$cache || $cache_mode != CACHE_AGGRESSIVE) { |
---|
| 1220 | // Load module handling. |
---|
| 1221 | require_once './includes/module.inc'; |
---|
| 1222 | bootstrap_invoke_all('boot'); |
---|
| 1223 | } |
---|
| 1224 | // If there is a cached page, display it. |
---|
| 1225 | if ($cache) { |
---|
| 1226 | drupal_page_cache_header($cache); |
---|
| 1227 | // If the skipping of the bootstrap hooks is not enforced, call hook_exit. |
---|
| 1228 | if ($cache_mode != CACHE_AGGRESSIVE) { |
---|
| 1229 | bootstrap_invoke_all('exit'); |
---|
| 1230 | } |
---|
| 1231 | // We are done. |
---|
| 1232 | exit; |
---|
| 1233 | } |
---|
| 1234 | // Prepare for non-cached page workflow. |
---|
| 1235 | drupal_page_header(); |
---|
| 1236 | break; |
---|
| 1237 | |
---|
| 1238 | case DRUPAL_BOOTSTRAP_LANGUAGE: |
---|
| 1239 | drupal_init_language(); |
---|
| 1240 | break; |
---|
| 1241 | |
---|
| 1242 | case DRUPAL_BOOTSTRAP_PATH: |
---|
| 1243 | require_once './includes/path.inc'; |
---|
| 1244 | // Initialize $_GET['q'] prior to loading modules and invoking hook_init(). |
---|
| 1245 | drupal_init_path(); |
---|
| 1246 | break; |
---|
| 1247 | |
---|
| 1248 | case DRUPAL_BOOTSTRAP_FULL: |
---|
| 1249 | require_once './includes/common.inc'; |
---|
| 1250 | _drupal_bootstrap_full(); |
---|
| 1251 | break; |
---|
| 1252 | } |
---|
| 1253 | } |
---|
| 1254 | |
---|
| 1255 | /** |
---|
| 1256 | * Enables use of the theme system without requiring database access. |
---|
| 1257 | * |
---|
| 1258 | * Loads and initializes the theme system for site installs, updates and when |
---|
| 1259 | * the site is in off-line mode. This also applies when the database fails. |
---|
| 1260 | * |
---|
| 1261 | * @see _drupal_maintenance_theme() |
---|
| 1262 | */ |
---|
| 1263 | function drupal_maintenance_theme() { |
---|
| 1264 | require_once './includes/theme.maintenance.inc'; |
---|
| 1265 | _drupal_maintenance_theme(); |
---|
| 1266 | } |
---|
| 1267 | |
---|
| 1268 | /** |
---|
| 1269 | * Return the name of the localisation function. Use in code that needs to |
---|
| 1270 | * run both during installation and normal operation. |
---|
| 1271 | */ |
---|
| 1272 | function get_t() { |
---|
| 1273 | static $t; |
---|
| 1274 | if (is_null($t)) { |
---|
| 1275 | $t = function_exists('install_main') ? 'st' : 't'; |
---|
| 1276 | } |
---|
| 1277 | return $t; |
---|
| 1278 | } |
---|
| 1279 | |
---|
| 1280 | /** |
---|
| 1281 | * Choose a language for the current page, based on site and user preferences. |
---|
| 1282 | */ |
---|
| 1283 | function drupal_init_language() { |
---|
| 1284 | global $language, $user; |
---|
| 1285 | |
---|
| 1286 | // Ensure the language is correctly returned, even without multilanguage support. |
---|
| 1287 | // Useful for eg. XML/HTML 'lang' attributes. |
---|
| 1288 | if (variable_get('language_count', 1) == 1) { |
---|
| 1289 | $language = language_default(); |
---|
| 1290 | } |
---|
| 1291 | else { |
---|
| 1292 | include_once './includes/language.inc'; |
---|
| 1293 | $language = language_initialize(); |
---|
| 1294 | } |
---|
| 1295 | } |
---|
| 1296 | |
---|
| 1297 | /** |
---|
| 1298 | * Get a list of languages set up indexed by the specified key |
---|
| 1299 | * |
---|
| 1300 | * @param $field The field to index the list with. |
---|
| 1301 | * @param $reset Boolean to request a reset of the list. |
---|
| 1302 | */ |
---|
| 1303 | function language_list($field = 'language', $reset = FALSE) { |
---|
| 1304 | static $languages = NULL; |
---|
| 1305 | |
---|
| 1306 | // Reset language list |
---|
| 1307 | if ($reset) { |
---|
| 1308 | $languages = NULL; |
---|
| 1309 | } |
---|
| 1310 | |
---|
| 1311 | // Init language list |
---|
| 1312 | if (!isset($languages)) { |
---|
| 1313 | if (variable_get('language_count', 1) > 1 || module_exists('locale')) { |
---|
| 1314 | $result = db_query('SELECT * FROM {languages} ORDER BY weight ASC, name ASC'); |
---|
| 1315 | while ($row = db_fetch_object($result)) { |
---|
| 1316 | $languages['language'][$row->language] = $row; |
---|
| 1317 | } |
---|
| 1318 | } |
---|
| 1319 | else { |
---|
| 1320 | // No locale module, so use the default language only. |
---|
| 1321 | $default = language_default(); |
---|
| 1322 | $languages['language'][$default->language] = $default; |
---|
| 1323 | } |
---|
| 1324 | } |
---|
| 1325 | |
---|
| 1326 | // Return the array indexed by the right field |
---|
| 1327 | if (!isset($languages[$field])) { |
---|
| 1328 | $languages[$field] = array(); |
---|
| 1329 | foreach ($languages['language'] as $lang) { |
---|
| 1330 | // Some values should be collected into an array |
---|
| 1331 | if (in_array($field, array('enabled', 'weight'))) { |
---|
| 1332 | $languages[$field][$lang->$field][$lang->language] = $lang; |
---|
| 1333 | } |
---|
| 1334 | else { |
---|
| 1335 | $languages[$field][$lang->$field] = $lang; |
---|
| 1336 | } |
---|
| 1337 | } |
---|
| 1338 | } |
---|
| 1339 | return $languages[$field]; |
---|
| 1340 | } |
---|
| 1341 | |
---|
| 1342 | /** |
---|
| 1343 | * Default language used on the site |
---|
| 1344 | * |
---|
| 1345 | * @param $property |
---|
| 1346 | * Optional property of the language object to return |
---|
| 1347 | */ |
---|
| 1348 | function language_default($property = NULL) { |
---|
| 1349 | $language = variable_get('language_default', (object) array('language' => 'en', 'name' => 'English', 'native' => 'English', 'direction' => 0, 'enabled' => 1, 'plurals' => 0, 'formula' => '', 'domain' => '', 'prefix' => '', 'weight' => 0, 'javascript' => '')); |
---|
| 1350 | return $property ? $language->$property : $language; |
---|
| 1351 | } |
---|
| 1352 | |
---|
| 1353 | /** |
---|
| 1354 | * If Drupal is behind a reverse proxy, we use the X-Forwarded-For header |
---|
| 1355 | * instead of $_SERVER['REMOTE_ADDR'], which would be the IP address |
---|
| 1356 | * of the proxy server, and not the client's. |
---|
| 1357 | * |
---|
| 1358 | * @return |
---|
| 1359 | * IP address of client machine, adjusted for reverse proxy. |
---|
| 1360 | */ |
---|
| 1361 | function ip_address() { |
---|
| 1362 | static $ip_address = NULL; |
---|
| 1363 | |
---|
| 1364 | if (!isset($ip_address)) { |
---|
| 1365 | $ip_address = $_SERVER['REMOTE_ADDR']; |
---|
| 1366 | if (variable_get('reverse_proxy', 0) && array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) { |
---|
| 1367 | // If an array of known reverse proxy IPs is provided, then trust |
---|
| 1368 | // the XFF header if request really comes from one of them. |
---|
| 1369 | $reverse_proxy_addresses = variable_get('reverse_proxy_addresses', array()); |
---|
| 1370 | if (!empty($reverse_proxy_addresses) && in_array($ip_address, $reverse_proxy_addresses, TRUE)) { |
---|
| 1371 | // If there are several arguments, we need to check the most |
---|
| 1372 | // recently added one, i.e. the last one. |
---|
| 1373 | $ip_address_parts = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']); |
---|
| 1374 | $ip_address = array_pop($ip_address_parts); |
---|
| 1375 | } |
---|
| 1376 | } |
---|
| 1377 | } |
---|
| 1378 | |
---|
| 1379 | return $ip_address; |
---|
| 1380 | } |
---|
[d7a822e] | 1381 | |
---|
| 1382 | /** |
---|
| 1383 | * Returns a URL-safe, base64 encoded string of highly randomized bytes (over the full 8-bit range). |
---|
| 1384 | * |
---|
| 1385 | * @param $byte_count |
---|
| 1386 | * The number of random bytes to fetch and base64 encode. |
---|
| 1387 | * |
---|
| 1388 | * @return string |
---|
| 1389 | * The base64 encoded result will have a length of up to 4 * $byte_count. |
---|
| 1390 | */ |
---|
| 1391 | function drupal_random_key($byte_count = 32) { |
---|
| 1392 | return drupal_base64_encode(drupal_random_bytes($byte_count)); |
---|
| 1393 | } |
---|
| 1394 | |
---|
| 1395 | /** |
---|
| 1396 | * Returns a URL-safe, base64 encoded version of the supplied string. |
---|
| 1397 | * |
---|
| 1398 | * @param $string |
---|
| 1399 | * The string to convert to base64. |
---|
| 1400 | * |
---|
| 1401 | * @return string |
---|
| 1402 | */ |
---|
| 1403 | function drupal_base64_encode($string) { |
---|
| 1404 | $data = base64_encode($string); |
---|
| 1405 | // Modify the output so it's safe to use in URLs. |
---|
| 1406 | return strtr($data, array('+' => '-', '/' => '_', '=' => '')); |
---|
| 1407 | } |
---|
| 1408 | |
---|
| 1409 | /** |
---|
| 1410 | * Returns a string of highly randomized bytes (over the full 8-bit range). |
---|
| 1411 | * |
---|
| 1412 | * This function is better than simply calling mt_rand() or any other built-in |
---|
| 1413 | * PHP function because it can return a long string of bytes (compared to < 4 |
---|
| 1414 | * bytes normally from mt_rand()) and uses the best available pseudo-random |
---|
| 1415 | * source. |
---|
| 1416 | * |
---|
| 1417 | * @param $count |
---|
| 1418 | * The number of characters (bytes) to return in the string. |
---|
| 1419 | */ |
---|
| 1420 | function drupal_random_bytes($count) { |
---|
| 1421 | // $random_state does not use drupal_static as it stores random bytes. |
---|
| 1422 | static $random_state, $bytes, $has_openssl, $has_hash; |
---|
| 1423 | |
---|
| 1424 | $missing_bytes = $count - strlen($bytes); |
---|
| 1425 | |
---|
| 1426 | if ($missing_bytes > 0) { |
---|
| 1427 | // PHP versions prior 5.3.4 experienced openssl_random_pseudo_bytes() |
---|
| 1428 | // locking on Windows and rendered it unusable. |
---|
| 1429 | if (!isset($has_openssl)) { |
---|
| 1430 | $has_openssl = version_compare(PHP_VERSION, '5.3.4', '>=') && function_exists('openssl_random_pseudo_bytes'); |
---|
| 1431 | } |
---|
| 1432 | |
---|
| 1433 | // openssl_random_pseudo_bytes() will find entropy in a system-dependent |
---|
| 1434 | // way. |
---|
| 1435 | if ($has_openssl) { |
---|
| 1436 | $bytes .= openssl_random_pseudo_bytes($missing_bytes); |
---|
| 1437 | } |
---|
| 1438 | |
---|
| 1439 | // Else, read directly from /dev/urandom, which is available on many *nix |
---|
| 1440 | // systems and is considered cryptographically secure. |
---|
| 1441 | elseif ($fh = @fopen('/dev/urandom', 'rb')) { |
---|
| 1442 | // PHP only performs buffered reads, so in reality it will always read |
---|
| 1443 | // at least 4096 bytes. Thus, it costs nothing extra to read and store |
---|
| 1444 | // that much so as to speed any additional invocations. |
---|
| 1445 | $bytes .= fread($fh, max(4096, $missing_bytes)); |
---|
| 1446 | fclose($fh); |
---|
| 1447 | } |
---|
| 1448 | |
---|
| 1449 | // If we couldn't get enough entropy, this simple hash-based PRNG will |
---|
| 1450 | // generate a good set of pseudo-random bytes on any system. |
---|
| 1451 | // Note that it may be important that our $random_state is passed |
---|
| 1452 | // through hash() prior to being rolled into $output, that the two hash() |
---|
| 1453 | // invocations are different, and that the extra input into the first one - |
---|
| 1454 | // the microtime() - is prepended rather than appended. This is to avoid |
---|
| 1455 | // directly leaking $random_state via the $output stream, which could |
---|
| 1456 | // allow for trivial prediction of further "random" numbers. |
---|
| 1457 | if (strlen($bytes) < $count) { |
---|
| 1458 | // Initialize on the first call. The contents of $_SERVER includes a mix of |
---|
| 1459 | // user-specific and system information that varies a little with each page. |
---|
| 1460 | if (!isset($random_state)) { |
---|
| 1461 | $random_state = print_r($_SERVER, TRUE); |
---|
| 1462 | if (function_exists('getmypid')) { |
---|
| 1463 | // Further initialize with the somewhat random PHP process ID. |
---|
| 1464 | $random_state .= getmypid(); |
---|
| 1465 | } |
---|
| 1466 | // hash() is only available in PHP 5.1.2+ or via PECL. |
---|
| 1467 | $has_hash = function_exists('hash') && in_array('sha256', hash_algos()); |
---|
| 1468 | $bytes = ''; |
---|
| 1469 | } |
---|
| 1470 | |
---|
| 1471 | if ($has_hash) { |
---|
| 1472 | do { |
---|
| 1473 | $random_state = hash('sha256', microtime() . mt_rand() . $random_state); |
---|
| 1474 | $bytes .= hash('sha256', mt_rand() . $random_state, TRUE); |
---|
| 1475 | } while (strlen($bytes) < $count); |
---|
| 1476 | } |
---|
| 1477 | else { |
---|
| 1478 | do { |
---|
| 1479 | $random_state = md5(microtime() . mt_rand() . $random_state); |
---|
| 1480 | $bytes .= pack("H*", md5(mt_rand() . $random_state)); |
---|
| 1481 | } while (strlen($bytes) < $count); |
---|
| 1482 | } |
---|
| 1483 | } |
---|
| 1484 | } |
---|
| 1485 | $output = substr($bytes, 0, $count); |
---|
| 1486 | $bytes = substr($bytes, $count); |
---|
| 1487 | return $output; |
---|
| 1488 | } |
---|
[6627152] | 1489 | |
---|
| 1490 | /** |
---|
| 1491 | * Calculates a hexadecimal encoded sha-1 hmac. |
---|
| 1492 | * |
---|
| 1493 | * @param string $data |
---|
| 1494 | * String to be validated with the hmac. |
---|
| 1495 | * @param string $key |
---|
| 1496 | * A secret string key. |
---|
| 1497 | * |
---|
| 1498 | * See RFC2104 (http://www.ietf.org/rfc/rfc2104.txt). Note, the result of this |
---|
| 1499 | * must be identical to using hash_hmac('sha1', $data, $key); We don't use |
---|
| 1500 | * that function since PHP can be missing it if it was compiled with the |
---|
| 1501 | * --disable-hash switch. |
---|
| 1502 | * |
---|
| 1503 | * @return string |
---|
| 1504 | * A hexadecimal encoded sha-1 hmac. |
---|
| 1505 | */ |
---|
| 1506 | function drupal_hash_hmac_sha1($data, $key) { |
---|
| 1507 | // Keys longer than the 64 byte block size must be hashed first. |
---|
| 1508 | if (strlen($key) > 64) { |
---|
| 1509 | $key = pack("H*", sha1($key)); |
---|
| 1510 | } |
---|
| 1511 | return sha1((str_pad($key, 64, chr(0x00)) ^ (str_repeat(chr(0x5c), 64))) . pack("H*", sha1((str_pad($key, 64, chr(0x00)) ^ (str_repeat(chr(0x36), 64))) . $data))); |
---|
| 1512 | } |
---|
| 1513 | |
---|
| 1514 | /** |
---|
| 1515 | * Calculates a base-64 encoded, URL-safe sha-1 hmac. |
---|
| 1516 | * |
---|
| 1517 | * @param string $data |
---|
| 1518 | * String to be validated with the hmac. |
---|
| 1519 | * @param string $key |
---|
| 1520 | * A secret string key. |
---|
| 1521 | * |
---|
| 1522 | * @return string |
---|
| 1523 | * A base-64 encoded sha-1 hmac, with + replaced with -, / with _ and |
---|
| 1524 | * any = padding characters removed. |
---|
| 1525 | */ |
---|
| 1526 | function drupal_hmac_base64($data, $key) { |
---|
| 1527 | // Casting $data and $key to strings here is necessary to avoid empty string |
---|
| 1528 | // results of the hash function if they are not scalar values. As this |
---|
| 1529 | // function is used in security-critical contexts like token validation it is |
---|
| 1530 | // important that it never returns an empty string. |
---|
| 1531 | $hmac = base64_encode(pack("H*", drupal_hash_hmac_sha1((string) $data, (string) $key))); |
---|
| 1532 | // Modify the hmac so it's safe to use in URLs. |
---|
| 1533 | return strtr($hmac, array('+' => '-', '/' => '_', '=' => '')); |
---|
| 1534 | } |
---|
| 1535 | |
---|
| 1536 | /** |
---|
| 1537 | * Returns TRUE if a path is external (e.g. http://example.com). |
---|
| 1538 | * |
---|
| 1539 | * May be used early in bootstrap. |
---|
| 1540 | */ |
---|
| 1541 | function menu_path_is_external($path) { |
---|
| 1542 | // Avoid calling filter_xss_bad_protocol() if there is any slash (/), |
---|
| 1543 | // hash (#) or question_mark (?) before the colon (:) occurrence - if any - as |
---|
| 1544 | // this would clearly mean it is not a URL. If the path starts with 2 slashes |
---|
| 1545 | // then it is always considered an external URL without an explicit protocol |
---|
| 1546 | // part. Leading control characters may be ignored or mishandled by browsers, |
---|
| 1547 | // so assume such a path may lead to an external location. The range matches |
---|
| 1548 | // all UTF-8 control characters, class Cc. |
---|
| 1549 | $colonpos = strpos($path, ':'); |
---|
| 1550 | // Some browsers treat \ as / so normalize to forward slashes. |
---|
| 1551 | $path = str_replace('\\', '/', $path); |
---|
| 1552 | return (strpos($path, '//') === 0) || (preg_match('/^[\x00-\x1F\x7F-\x9F]/u', $path) !== 0) |
---|
| 1553 | || ($colonpos !== FALSE |
---|
| 1554 | && !preg_match('![/?#]!', substr($path, 0, $colonpos)) |
---|
| 1555 | && filter_xss_bad_protocol($path, FALSE) == check_plain($path)); |
---|
| 1556 | } |
---|
| 1557 | |
---|
| 1558 | /** |
---|
| 1559 | * Processes an HTML attribute value and ensures it does not contain an URL |
---|
| 1560 | * with a disallowed protocol (e.g. javascript:) |
---|
| 1561 | * |
---|
| 1562 | * May be used early in bootstrap. |
---|
| 1563 | * |
---|
| 1564 | * @param $string |
---|
| 1565 | * The string with the attribute value. |
---|
| 1566 | * @param $decode |
---|
| 1567 | * Whether to decode entities in the $string. Set to FALSE if the $string |
---|
| 1568 | * is in plain text, TRUE otherwise. Defaults to TRUE. |
---|
| 1569 | * @return |
---|
| 1570 | * Cleaned up and HTML-escaped version of $string. |
---|
| 1571 | */ |
---|
| 1572 | function filter_xss_bad_protocol($string, $decode = TRUE) { |
---|
| 1573 | static $allowed_protocols; |
---|
| 1574 | if (!isset($allowed_protocols)) { |
---|
| 1575 | $allowed_protocols = array_flip(variable_get('filter_allowed_protocols', array('http', 'https', 'ftp', 'news', 'nntp', 'tel', 'telnet', 'mailto', 'irc', 'ssh', 'sftp', 'webcal', 'rtsp'))); |
---|
| 1576 | } |
---|
| 1577 | |
---|
| 1578 | // Get the plain text representation of the attribute value (i.e. its meaning). |
---|
| 1579 | if ($decode) { |
---|
| 1580 | $string = decode_entities($string); |
---|
| 1581 | } |
---|
| 1582 | |
---|
| 1583 | // Iteratively remove any invalid protocol found. |
---|
| 1584 | |
---|
| 1585 | do { |
---|
| 1586 | $before = $string; |
---|
| 1587 | $colonpos = strpos($string, ':'); |
---|
| 1588 | if ($colonpos > 0) { |
---|
| 1589 | // We found a colon, possibly a protocol. Verify. |
---|
| 1590 | $protocol = substr($string, 0, $colonpos); |
---|
| 1591 | // If a colon is preceded by a slash, question mark or hash, it cannot |
---|
| 1592 | // possibly be part of the URL scheme. This must be a relative URL, |
---|
| 1593 | // which inherits the (safe) protocol of the base document. |
---|
| 1594 | if (preg_match('![/?#]!', $protocol)) { |
---|
| 1595 | break; |
---|
| 1596 | } |
---|
| 1597 | // Per RFC2616, section 3.2.3 (URI Comparison) scheme comparison must be case-insensitive |
---|
| 1598 | // Check if this is a disallowed protocol. |
---|
| 1599 | if (!isset($allowed_protocols[strtolower($protocol)])) { |
---|
| 1600 | $string = substr($string, $colonpos + 1); |
---|
| 1601 | } |
---|
| 1602 | } |
---|
| 1603 | } while ($before != $string); |
---|
| 1604 | return check_plain($string); |
---|
| 1605 | } |
---|