1 | <?php |
---|
2 | |
---|
3 | /** |
---|
4 | * @file |
---|
5 | * Functions that need to be loaded on every Drupal request. |
---|
6 | */ |
---|
7 | |
---|
8 | /** |
---|
9 | * Indicates that the item should never be removed unless explicitly told to |
---|
10 | * using cache_clear_all() with a cache ID. |
---|
11 | */ |
---|
12 | define('CACHE_PERMANENT', 0); |
---|
13 | |
---|
14 | /** |
---|
15 | * Indicates that the item should be removed at the next general cache wipe. |
---|
16 | */ |
---|
17 | define('CACHE_TEMPORARY', -1); |
---|
18 | |
---|
19 | /** |
---|
20 | * Indicates that page caching is disabled. |
---|
21 | */ |
---|
22 | define('CACHE_DISABLED', 0); |
---|
23 | |
---|
24 | /** |
---|
25 | * Indicates that page caching is enabled, using "normal" mode. |
---|
26 | */ |
---|
27 | define('CACHE_NORMAL', 1); |
---|
28 | |
---|
29 | /** |
---|
30 | * Indicates that page caching is using "aggressive" mode. This bypasses |
---|
31 | * loading any modules for additional speed, which may break functionality in |
---|
32 | * modules that expect to be run on each page load. |
---|
33 | */ |
---|
34 | define('CACHE_AGGRESSIVE', 2); |
---|
35 | |
---|
36 | /** |
---|
37 | * Log message severity -- Emergency: system is unusable. |
---|
38 | * |
---|
39 | * The WATCHDOG_* constant definitions correspond to the logging severity levels |
---|
40 | * defined in RFC 3164, section 4.1.1: http://www.faqs.org/rfcs/rfc3164.html |
---|
41 | * |
---|
42 | * @see watchdog() |
---|
43 | * @see watchdog_severity_levels() |
---|
44 | */ |
---|
45 | define('WATCHDOG_EMERG', 0); |
---|
46 | |
---|
47 | /** |
---|
48 | * Log message severity -- Alert: action must be taken immediately. |
---|
49 | * |
---|
50 | * The WATCHDOG_* constant definitions correspond to the logging severity levels |
---|
51 | * defined in RFC 3164, section 4.1.1: http://www.faqs.org/rfcs/rfc3164.html |
---|
52 | * |
---|
53 | * @see watchdog() |
---|
54 | * @see watchdog_severity_levels() |
---|
55 | */ |
---|
56 | define('WATCHDOG_ALERT', 1); |
---|
57 | |
---|
58 | /** |
---|
59 | * Log message severity -- Critical: critical conditions. |
---|
60 | * |
---|
61 | * The WATCHDOG_* constant definitions correspond to the logging severity levels |
---|
62 | * defined in RFC 3164, section 4.1.1: http://www.faqs.org/rfcs/rfc3164.html |
---|
63 | * |
---|
64 | * @see watchdog() |
---|
65 | * @see watchdog_severity_levels() |
---|
66 | */ |
---|
67 | define('WATCHDOG_CRITICAL', 2); |
---|
68 | |
---|
69 | /** |
---|
70 | * Log message severity -- Error: error conditions. |
---|
71 | * |
---|
72 | * The WATCHDOG_* constant definitions correspond to the logging severity levels |
---|
73 | * defined in RFC 3164, section 4.1.1: http://www.faqs.org/rfcs/rfc3164.html |
---|
74 | * |
---|
75 | * @see watchdog() |
---|
76 | * @see watchdog_severity_levels() |
---|
77 | */ |
---|
78 | define('WATCHDOG_ERROR', 3); |
---|
79 | |
---|
80 | /** |
---|
81 | * Log message severity -- Warning: warning conditions. |
---|
82 | * |
---|
83 | * The WATCHDOG_* constant definitions correspond to the logging severity levels |
---|
84 | * defined in RFC 3164, section 4.1.1: http://www.faqs.org/rfcs/rfc3164.html |
---|
85 | * |
---|
86 | * @see watchdog() |
---|
87 | * @see watchdog_severity_levels() |
---|
88 | */ |
---|
89 | define('WATCHDOG_WARNING', 4); |
---|
90 | |
---|
91 | /** |
---|
92 | * Log message severity -- Notice: normal but significant condition. |
---|
93 | * |
---|
94 | * The WATCHDOG_* constant definitions correspond to the logging severity levels |
---|
95 | * defined in RFC 3164, section 4.1.1: http://www.faqs.org/rfcs/rfc3164.html |
---|
96 | * |
---|
97 | * @see watchdog() |
---|
98 | * @see watchdog_severity_levels() |
---|
99 | */ |
---|
100 | define('WATCHDOG_NOTICE', 5); |
---|
101 | |
---|
102 | /** |
---|
103 | * Log message severity -- Informational: informational messages. |
---|
104 | * |
---|
105 | * The WATCHDOG_* constant definitions correspond to the logging severity levels |
---|
106 | * defined in RFC 3164, section 4.1.1: http://www.faqs.org/rfcs/rfc3164.html |
---|
107 | * |
---|
108 | * @see watchdog() |
---|
109 | * @see watchdog_severity_levels() |
---|
110 | */ |
---|
111 | define('WATCHDOG_INFO', 6); |
---|
112 | |
---|
113 | /** |
---|
114 | * Log message severity -- Debug: debug-level messages. |
---|
115 | * |
---|
116 | * The WATCHDOG_* constant definitions correspond to the logging severity levels |
---|
117 | * defined in RFC 3164, section 4.1.1: http://www.faqs.org/rfcs/rfc3164.html |
---|
118 | * |
---|
119 | * @see watchdog() |
---|
120 | * @see watchdog_severity_levels() |
---|
121 | */ |
---|
122 | define('WATCHDOG_DEBUG', 7); |
---|
123 | |
---|
124 | /** |
---|
125 | * First bootstrap phase: initialize configuration. |
---|
126 | */ |
---|
127 | define('DRUPAL_BOOTSTRAP_CONFIGURATION', 0); |
---|
128 | |
---|
129 | /** |
---|
130 | * Second bootstrap phase: try to call a non-database cache |
---|
131 | * fetch routine. |
---|
132 | */ |
---|
133 | define('DRUPAL_BOOTSTRAP_EARLY_PAGE_CACHE', 1); |
---|
134 | |
---|
135 | /** |
---|
136 | * Third bootstrap phase: initialize database layer. |
---|
137 | */ |
---|
138 | define('DRUPAL_BOOTSTRAP_DATABASE', 2); |
---|
139 | |
---|
140 | /** |
---|
141 | * Fourth bootstrap phase: identify and reject banned hosts. |
---|
142 | */ |
---|
143 | define('DRUPAL_BOOTSTRAP_ACCESS', 3); |
---|
144 | |
---|
145 | /** |
---|
146 | * Fifth bootstrap phase: initialize session handling. |
---|
147 | */ |
---|
148 | define('DRUPAL_BOOTSTRAP_SESSION', 4); |
---|
149 | |
---|
150 | /** |
---|
151 | * Sixth bootstrap phase: load bootstrap.inc and module.inc, start |
---|
152 | * the variable system and try to serve a page from the cache. |
---|
153 | */ |
---|
154 | define('DRUPAL_BOOTSTRAP_LATE_PAGE_CACHE', 5); |
---|
155 | |
---|
156 | /** |
---|
157 | * Seventh bootstrap phase: find out language of the page. |
---|
158 | */ |
---|
159 | define('DRUPAL_BOOTSTRAP_LANGUAGE', 6); |
---|
160 | |
---|
161 | /** |
---|
162 | * Eighth bootstrap phase: set $_GET['q'] to Drupal path of request. |
---|
163 | */ |
---|
164 | define('DRUPAL_BOOTSTRAP_PATH', 7); |
---|
165 | |
---|
166 | /** |
---|
167 | * Final bootstrap phase: Drupal is fully loaded; validate and fix |
---|
168 | * input data. |
---|
169 | */ |
---|
170 | define('DRUPAL_BOOTSTRAP_FULL', 8); |
---|
171 | |
---|
172 | /** |
---|
173 | * Role ID for anonymous users; should match what's in the "role" table. |
---|
174 | */ |
---|
175 | define('DRUPAL_ANONYMOUS_RID', 1); |
---|
176 | |
---|
177 | /** |
---|
178 | * Role ID for authenticated users; should match what's in the "role" table. |
---|
179 | */ |
---|
180 | define('DRUPAL_AUTHENTICATED_RID', 2); |
---|
181 | |
---|
182 | /** |
---|
183 | * No language negotiation. The default language is used. |
---|
184 | */ |
---|
185 | define('LANGUAGE_NEGOTIATION_NONE', 0); |
---|
186 | |
---|
187 | /** |
---|
188 | * Path based negotiation with fallback to default language |
---|
189 | * if no defined path prefix identified. |
---|
190 | */ |
---|
191 | define('LANGUAGE_NEGOTIATION_PATH_DEFAULT', 1); |
---|
192 | |
---|
193 | /** |
---|
194 | * Path based negotiation with fallback to user preferences |
---|
195 | * and browser language detection if no defined path prefix |
---|
196 | * identified. |
---|
197 | */ |
---|
198 | define('LANGUAGE_NEGOTIATION_PATH', 2); |
---|
199 | |
---|
200 | /** |
---|
201 | * Domain based negotiation with fallback to default language |
---|
202 | * if no language identified by domain. |
---|
203 | */ |
---|
204 | define('LANGUAGE_NEGOTIATION_DOMAIN', 3); |
---|
205 | |
---|
206 | /** |
---|
207 | * Language written left to right. Possible value of $language->direction. |
---|
208 | */ |
---|
209 | define('LANGUAGE_LTR', 0); |
---|
210 | |
---|
211 | /** |
---|
212 | * Language written right to left. Possible value of $language->direction. |
---|
213 | */ |
---|
214 | define('LANGUAGE_RTL', 1); |
---|
215 | |
---|
216 | // Hide E_DEPRECATED messages. |
---|
217 | if (defined('E_DEPRECATED')) { |
---|
218 | error_reporting(error_reporting() & ~E_DEPRECATED); |
---|
219 | } |
---|
220 | |
---|
221 | /** |
---|
222 | * Start the timer with the specified name. If you start and stop |
---|
223 | * the same timer multiple times, the measured intervals will be |
---|
224 | * accumulated. |
---|
225 | * |
---|
226 | * @param name |
---|
227 | * The name of the timer. |
---|
228 | */ |
---|
229 | function timer_start($name) { |
---|
230 | global $timers; |
---|
231 | |
---|
232 | list($usec, $sec) = explode(' ', microtime()); |
---|
233 | $timers[$name]['start'] = (float)$usec + (float)$sec; |
---|
234 | $timers[$name]['count'] = isset($timers[$name]['count']) ? ++$timers[$name]['count'] : 1; |
---|
235 | } |
---|
236 | |
---|
237 | /** |
---|
238 | * Read the current timer value without stopping the timer. |
---|
239 | * |
---|
240 | * @param name |
---|
241 | * The name of the timer. |
---|
242 | * @return |
---|
243 | * The current timer value in ms. |
---|
244 | */ |
---|
245 | function timer_read($name) { |
---|
246 | global $timers; |
---|
247 | |
---|
248 | if (isset($timers[$name]['start'])) { |
---|
249 | list($usec, $sec) = explode(' ', microtime()); |
---|
250 | $stop = (float)$usec + (float)$sec; |
---|
251 | $diff = round(($stop - $timers[$name]['start']) * 1000, 2); |
---|
252 | |
---|
253 | if (isset($timers[$name]['time'])) { |
---|
254 | $diff += $timers[$name]['time']; |
---|
255 | } |
---|
256 | return $diff; |
---|
257 | } |
---|
258 | } |
---|
259 | |
---|
260 | /** |
---|
261 | * Stop the timer with the specified name. |
---|
262 | * |
---|
263 | * @param name |
---|
264 | * The name of the timer. |
---|
265 | * @return |
---|
266 | * A timer array. The array contains the number of times the |
---|
267 | * timer has been started and stopped (count) and the accumulated |
---|
268 | * timer value in ms (time). |
---|
269 | */ |
---|
270 | function timer_stop($name) { |
---|
271 | global $timers; |
---|
272 | |
---|
273 | $timers[$name]['time'] = timer_read($name); |
---|
274 | unset($timers[$name]['start']); |
---|
275 | |
---|
276 | return $timers[$name]; |
---|
277 | } |
---|
278 | |
---|
279 | /** |
---|
280 | * Find the appropriate configuration directory. |
---|
281 | * |
---|
282 | * Try finding a matching configuration directory by stripping the website's |
---|
283 | * hostname from left to right and pathname from right to left. The first |
---|
284 | * configuration file found will be used; the remaining will ignored. If no |
---|
285 | * configuration file is found, return a default value '$confdir/default'. |
---|
286 | * |
---|
287 | * Example for a fictitious site installed at |
---|
288 | * http://www.drupal.org:8080/mysite/test/ the 'settings.php' is searched in |
---|
289 | * the following directories: |
---|
290 | * |
---|
291 | * 1. $confdir/8080.www.drupal.org.mysite.test |
---|
292 | * 2. $confdir/www.drupal.org.mysite.test |
---|
293 | * 3. $confdir/drupal.org.mysite.test |
---|
294 | * 4. $confdir/org.mysite.test |
---|
295 | * |
---|
296 | * 5. $confdir/8080.www.drupal.org.mysite |
---|
297 | * 6. $confdir/www.drupal.org.mysite |
---|
298 | * 7. $confdir/drupal.org.mysite |
---|
299 | * 8. $confdir/org.mysite |
---|
300 | * |
---|
301 | * 9. $confdir/8080.www.drupal.org |
---|
302 | * 10. $confdir/www.drupal.org |
---|
303 | * 11. $confdir/drupal.org |
---|
304 | * 12. $confdir/org |
---|
305 | * |
---|
306 | * 13. $confdir/default |
---|
307 | * |
---|
308 | * @param $require_settings |
---|
309 | * Only configuration directories with an existing settings.php file |
---|
310 | * will be recognized. Defaults to TRUE. During initial installation, |
---|
311 | * this is set to FALSE so that Drupal can detect a matching directory, |
---|
312 | * then create a new settings.php file in it. |
---|
313 | * @param reset |
---|
314 | * Force a full search for matching directories even if one had been |
---|
315 | * found previously. |
---|
316 | * @return |
---|
317 | * The path of the matching directory. |
---|
318 | */ |
---|
319 | function conf_path($require_settings = TRUE, $reset = FALSE) { |
---|
320 | static $conf = ''; |
---|
321 | |
---|
322 | if ($conf && !$reset) { |
---|
323 | return $conf; |
---|
324 | } |
---|
325 | |
---|
326 | $confdir = 'sites'; |
---|
327 | $uri = explode('/', $_SERVER['SCRIPT_NAME'] ? $_SERVER['SCRIPT_NAME'] : $_SERVER['SCRIPT_FILENAME']); |
---|
328 | $server = explode('.', implode('.', array_reverse(explode(':', rtrim($_SERVER['HTTP_HOST'], '.'))))); |
---|
329 | for ($i = count($uri) - 1; $i > 0; $i--) { |
---|
330 | for ($j = count($server); $j > 0; $j--) { |
---|
331 | $dir = implode('.', array_slice($server, -$j)) . implode('.', array_slice($uri, 0, $i)); |
---|
332 | if (file_exists("$confdir/$dir/settings.php") || (!$require_settings && file_exists("$confdir/$dir"))) { |
---|
333 | $conf = "$confdir/$dir"; |
---|
334 | return $conf; |
---|
335 | } |
---|
336 | } |
---|
337 | } |
---|
338 | $conf = "$confdir/default"; |
---|
339 | return $conf; |
---|
340 | } |
---|
341 | |
---|
342 | /** |
---|
343 | * Unsets all disallowed global variables. See $allowed for what's allowed. |
---|
344 | */ |
---|
345 | function drupal_unset_globals() { |
---|
346 | if (ini_get('register_globals')) { |
---|
347 | $allowed = array('_ENV' => 1, '_GET' => 1, '_POST' => 1, '_COOKIE' => 1, '_FILES' => 1, '_SERVER' => 1, '_REQUEST' => 1, 'GLOBALS' => 1); |
---|
348 | foreach ($GLOBALS as $key => $value) { |
---|
349 | if (!isset($allowed[$key])) { |
---|
350 | unset($GLOBALS[$key]); |
---|
351 | } |
---|
352 | } |
---|
353 | } |
---|
354 | } |
---|
355 | |
---|
356 | /** |
---|
357 | * Validate that a hostname (for example $_SERVER['HTTP_HOST']) is safe. |
---|
358 | * |
---|
359 | * As $_SERVER['HTTP_HOST'] is user input, ensure it only contains characters |
---|
360 | * allowed in hostnames. See RFC 952 (and RFC 2181). $_SERVER['HTTP_HOST'] is |
---|
361 | * lowercased. |
---|
362 | * |
---|
363 | * @return |
---|
364 | * TRUE if only containing valid characters, or FALSE otherwise. |
---|
365 | */ |
---|
366 | function drupal_valid_http_host($host) { |
---|
367 | // Limit the length of the host name to 1000 bytes to prevent DoS attacks with |
---|
368 | // long host names. |
---|
369 | return strlen($host) <= 1000 |
---|
370 | // Limit the number of subdomains and port separators to prevent DoS attacks |
---|
371 | // in conf_path(). |
---|
372 | && substr_count($host, '.') <= 100 |
---|
373 | && substr_count($host, ':') <= 100 |
---|
374 | && preg_match('/^\[?(?:[a-zA-Z0-9-:\]_]+\.?)+$/', $host); |
---|
375 | } |
---|
376 | |
---|
377 | /** |
---|
378 | * Loads the configuration and sets the base URL, cookie domain, and |
---|
379 | * session name correctly. |
---|
380 | */ |
---|
381 | function conf_init() { |
---|
382 | global $base_url, $base_path, $base_root; |
---|
383 | |
---|
384 | // Export the following settings.php variables to the global namespace |
---|
385 | global $db_url, $db_prefix, $db_collation, $cookie_domain, $conf, $installed_profile, $update_free_access; |
---|
386 | $conf = array(); |
---|
387 | |
---|
388 | if (!isset($_SERVER['SERVER_PROTOCOL']) || ($_SERVER['SERVER_PROTOCOL'] != 'HTTP/1.0' && $_SERVER['SERVER_PROTOCOL'] != 'HTTP/1.1')) { |
---|
389 | $_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.0'; |
---|
390 | } |
---|
391 | |
---|
392 | if (isset($_SERVER['HTTP_HOST'])) { |
---|
393 | // As HTTP_HOST is user input, ensure it only contains characters allowed |
---|
394 | // in hostnames. See RFC 952 (and RFC 2181). |
---|
395 | // $_SERVER['HTTP_HOST'] is lowercased here per specifications. |
---|
396 | $_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']); |
---|
397 | if (!drupal_valid_http_host($_SERVER['HTTP_HOST'])) { |
---|
398 | // HTTP_HOST is invalid, e.g. if containing slashes it may be an attack. |
---|
399 | header($_SERVER['SERVER_PROTOCOL'] .' 400 Bad Request'); |
---|
400 | exit; |
---|
401 | } |
---|
402 | } |
---|
403 | else { |
---|
404 | // Some pre-HTTP/1.1 clients will not send a Host header. Ensure the key is |
---|
405 | // defined for E_ALL compliance. |
---|
406 | $_SERVER['HTTP_HOST'] = ''; |
---|
407 | } |
---|
408 | |
---|
409 | if (file_exists('./'. conf_path() .'/settings.php')) { |
---|
410 | include_once './'. conf_path() .'/settings.php'; |
---|
411 | } |
---|
412 | |
---|
413 | // Ignore the placeholder URL from default.settings.php. |
---|
414 | if (isset($db_url) && $db_url == 'mysql://username:password@localhost/databasename') { |
---|
415 | $db_url = ''; |
---|
416 | } |
---|
417 | |
---|
418 | if (isset($base_url)) { |
---|
419 | // Parse fixed base URL from settings.php. |
---|
420 | $parts = parse_url($base_url); |
---|
421 | if (!isset($parts['path'])) { |
---|
422 | $parts['path'] = ''; |
---|
423 | } |
---|
424 | $base_path = $parts['path'] .'/'; |
---|
425 | // Build $base_root (everything until first slash after "scheme://"). |
---|
426 | $base_root = substr($base_url, 0, strlen($base_url) - strlen($parts['path'])); |
---|
427 | } |
---|
428 | else { |
---|
429 | // Create base URL |
---|
430 | $base_root = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 'https' : 'http'; |
---|
431 | |
---|
432 | $base_url = $base_root .= '://'. $_SERVER['HTTP_HOST']; |
---|
433 | |
---|
434 | // $_SERVER['SCRIPT_NAME'] can, in contrast to $_SERVER['PHP_SELF'], not |
---|
435 | // be modified by a visitor. |
---|
436 | if ($dir = trim(dirname($_SERVER['SCRIPT_NAME']), '\,/')) { |
---|
437 | $base_path = "/$dir"; |
---|
438 | $base_url .= $base_path; |
---|
439 | $base_path .= '/'; |
---|
440 | } |
---|
441 | else { |
---|
442 | $base_path = '/'; |
---|
443 | } |
---|
444 | } |
---|
445 | |
---|
446 | if ($cookie_domain) { |
---|
447 | // If the user specifies the cookie domain, also use it for session name. |
---|
448 | $session_name = $cookie_domain; |
---|
449 | } |
---|
450 | else { |
---|
451 | // Otherwise use $base_url as session name, without the protocol |
---|
452 | // to use the same session identifiers across HTTP and HTTPS. |
---|
453 | list( , $session_name) = explode('://', $base_url, 2); |
---|
454 | // We escape the hostname because it can be modified by a visitor. |
---|
455 | if (!empty($_SERVER['HTTP_HOST'])) { |
---|
456 | $cookie_domain = check_plain($_SERVER['HTTP_HOST']); |
---|
457 | // Strip leading periods, www., and port numbers from cookie domain. |
---|
458 | $cookie_domain = ltrim($cookie_domain, '.'); |
---|
459 | if (strpos($cookie_domain, 'www.') === 0) { |
---|
460 | $cookie_domain = substr($cookie_domain, 4); |
---|
461 | } |
---|
462 | $cookie_domain = explode(':', $cookie_domain); |
---|
463 | $cookie_domain = '.'. $cookie_domain[0]; |
---|
464 | } |
---|
465 | } |
---|
466 | // To prevent session cookies from being hijacked, a user can configure the |
---|
467 | // SSL version of their website to only transfer session cookies via SSL by |
---|
468 | // using PHP's session.cookie_secure setting. The browser will then use two |
---|
469 | // separate session cookies for the HTTPS and HTTP versions of the site. So we |
---|
470 | // must use different session identifiers for HTTPS and HTTP to prevent a |
---|
471 | // cookie collision. |
---|
472 | if (ini_get('session.cookie_secure')) { |
---|
473 | $session_name .= 'SSL'; |
---|
474 | } |
---|
475 | // Per RFC 2109, cookie domains must contain at least one dot other than the |
---|
476 | // first. For hosts such as 'localhost' or IP Addresses we don't set a cookie domain. |
---|
477 | if (count(explode('.', $cookie_domain)) > 2 && !is_numeric(str_replace('.', '', $cookie_domain))) { |
---|
478 | ini_set('session.cookie_domain', $cookie_domain); |
---|
479 | } |
---|
480 | session_name('SESS'. md5($session_name)); |
---|
481 | } |
---|
482 | |
---|
483 | /** |
---|
484 | * Returns and optionally sets the filename for a system item (module, |
---|
485 | * theme, etc.). The filename, whether provided, cached, or retrieved |
---|
486 | * from the database, is only returned if the file exists. |
---|
487 | * |
---|
488 | * This function plays a key role in allowing Drupal's resources (modules |
---|
489 | * and themes) to be located in different places depending on a site's |
---|
490 | * configuration. For example, a module 'foo' may legally be be located |
---|
491 | * in any of these three places: |
---|
492 | * |
---|
493 | * modules/foo/foo.module |
---|
494 | * sites/all/modules/foo/foo.module |
---|
495 | * sites/example.com/modules/foo/foo.module |
---|
496 | * |
---|
497 | * Calling drupal_get_filename('module', 'foo') will give you one of |
---|
498 | * the above, depending on where the module is located. |
---|
499 | * |
---|
500 | * @param $type |
---|
501 | * The type of the item (i.e. theme, theme_engine, module, profile). |
---|
502 | * @param $name |
---|
503 | * The name of the item for which the filename is requested. |
---|
504 | * @param $filename |
---|
505 | * The filename of the item if it is to be set explicitly rather |
---|
506 | * than by consulting the database. |
---|
507 | * |
---|
508 | * @return |
---|
509 | * The filename of the requested item. |
---|
510 | */ |
---|
511 | function drupal_get_filename($type, $name, $filename = NULL) { |
---|
512 | static $files = array(); |
---|
513 | |
---|
514 | if (!isset($files[$type])) { |
---|
515 | $files[$type] = array(); |
---|
516 | } |
---|
517 | |
---|
518 | if (!empty($filename) && file_exists($filename)) { |
---|
519 | $files[$type][$name] = $filename; |
---|
520 | } |
---|
521 | elseif (isset($files[$type][$name])) { |
---|
522 | // nothing |
---|
523 | } |
---|
524 | // Verify that we have an active database connection, before querying |
---|
525 | // the database. This is required because this function is called both |
---|
526 | // before we have a database connection (i.e. during installation) and |
---|
527 | // when a database connection fails. |
---|
528 | elseif (db_is_active() && (($file = db_result(db_query("SELECT filename FROM {system} WHERE name = '%s' AND type = '%s'", $name, $type))) && file_exists($file))) { |
---|
529 | $files[$type][$name] = $file; |
---|
530 | } |
---|
531 | else { |
---|
532 | // Fallback to searching the filesystem if the database connection is |
---|
533 | // not established or the requested file is not found. |
---|
534 | $config = conf_path(); |
---|
535 | $dir = (($type == 'theme_engine') ? 'themes/engines' : "${type}s"); |
---|
536 | $file = (($type == 'theme_engine') ? "$name.engine" : "$name.$type"); |
---|
537 | |
---|
538 | foreach (array("$config/$dir/$file", "$config/$dir/$name/$file", "$dir/$file", "$dir/$name/$file") as $file) { |
---|
539 | if (file_exists($file)) { |
---|
540 | $files[$type][$name] = $file; |
---|
541 | break; |
---|
542 | } |
---|
543 | } |
---|
544 | } |
---|
545 | |
---|
546 | if (isset($files[$type][$name])) { |
---|
547 | return $files[$type][$name]; |
---|
548 | } |
---|
549 | } |
---|
550 | |
---|
551 | /** |
---|
552 | * Load the persistent variable table. |
---|
553 | * |
---|
554 | * The variable table is composed of values that have been saved in the table |
---|
555 | * with variable_set() as well as those explicitly specified in the configuration |
---|
556 | * file. |
---|
557 | */ |
---|
558 | function variable_init($conf = array()) { |
---|
559 | // NOTE: caching the variables improves performance by 20% when serving cached pages. |
---|
560 | if ($cached = cache_get('variables', 'cache')) { |
---|
561 | $variables = $cached->data; |
---|
562 | } |
---|
563 | else { |
---|
564 | $result = db_query('SELECT * FROM {variable}'); |
---|
565 | while ($variable = db_fetch_object($result)) { |
---|
566 | $variables[$variable->name] = unserialize($variable->value); |
---|
567 | } |
---|
568 | cache_set('variables', $variables); |
---|
569 | } |
---|
570 | |
---|
571 | foreach ($conf as $name => $value) { |
---|
572 | $variables[$name] = $value; |
---|
573 | } |
---|
574 | |
---|
575 | return $variables; |
---|
576 | } |
---|
577 | |
---|
578 | /** |
---|
579 | * Returns a persistent variable. |
---|
580 | * |
---|
581 | * Case-sensitivity of the variable_* functions depends on the database |
---|
582 | * collation used. To avoid problems, always use lower case for persistent |
---|
583 | * variable names. |
---|
584 | * |
---|
585 | * @param $name |
---|
586 | * The name of the variable to return. |
---|
587 | * @param $default |
---|
588 | * The default value to use if this variable has never been set. |
---|
589 | * @return |
---|
590 | * The value of the variable. |
---|
591 | * |
---|
592 | * @see variable_del(), variable_set() |
---|
593 | */ |
---|
594 | function variable_get($name, $default) { |
---|
595 | global $conf; |
---|
596 | |
---|
597 | return isset($conf[$name]) ? $conf[$name] : $default; |
---|
598 | } |
---|
599 | |
---|
600 | /** |
---|
601 | * Sets a persistent variable. |
---|
602 | * |
---|
603 | * Case-sensitivity of the variable_* functions depends on the database |
---|
604 | * collation used. To avoid problems, always use lower case for persistent |
---|
605 | * variable names. |
---|
606 | * |
---|
607 | * @param $name |
---|
608 | * The name of the variable to set. |
---|
609 | * @param $value |
---|
610 | * The value to set. This can be any PHP data type; these functions take care |
---|
611 | * of serialization as necessary. |
---|
612 | * |
---|
613 | * @see variable_del(), variable_get() |
---|
614 | */ |
---|
615 | function variable_set($name, $value) { |
---|
616 | global $conf; |
---|
617 | |
---|
618 | $serialized_value = serialize($value); |
---|
619 | db_query("UPDATE {variable} SET value = '%s' WHERE name = '%s'", $serialized_value, $name); |
---|
620 | if (!db_affected_rows()) { |
---|
621 | @db_query("INSERT INTO {variable} (name, value) VALUES ('%s', '%s')", $name, $serialized_value); |
---|
622 | } |
---|
623 | |
---|
624 | cache_clear_all('variables', 'cache'); |
---|
625 | |
---|
626 | $conf[$name] = $value; |
---|
627 | } |
---|
628 | |
---|
629 | /** |
---|
630 | * Unsets a persistent variable. |
---|
631 | * |
---|
632 | * Case-sensitivity of the variable_* functions depends on the database |
---|
633 | * collation used. To avoid problems, always use lower case for persistent |
---|
634 | * variable names. |
---|
635 | * |
---|
636 | * @param $name |
---|
637 | * The name of the variable to undefine. |
---|
638 | * |
---|
639 | * @see variable_get(), variable_set() |
---|
640 | */ |
---|
641 | function variable_del($name) { |
---|
642 | global $conf; |
---|
643 | |
---|
644 | db_query("DELETE FROM {variable} WHERE name = '%s'", $name); |
---|
645 | cache_clear_all('variables', 'cache'); |
---|
646 | |
---|
647 | unset($conf[$name]); |
---|
648 | } |
---|
649 | |
---|
650 | |
---|
651 | /** |
---|
652 | * Retrieve the current page from the cache. |
---|
653 | * |
---|
654 | * Note: we do not serve cached pages when status messages are waiting (from |
---|
655 | * a redirected form submission which was completed). |
---|
656 | * |
---|
657 | * @param $status_only |
---|
658 | * When set to TRUE, retrieve the status of the page cache only |
---|
659 | * (whether it was started in this request or not). |
---|
660 | */ |
---|
661 | function page_get_cache($status_only = FALSE) { |
---|
662 | static $status = FALSE; |
---|
663 | global $user, $base_root; |
---|
664 | |
---|
665 | if ($status_only) { |
---|
666 | return $status; |
---|
667 | } |
---|
668 | $cache = NULL; |
---|
669 | |
---|
670 | if (!$user->uid && $_SERVER['REQUEST_METHOD'] == 'GET' && count(drupal_set_message()) == 0 && $_SERVER['SERVER_SOFTWARE'] !== 'PHP CLI') { |
---|
671 | $cache = cache_get($base_root . request_uri(), 'cache_page'); |
---|
672 | |
---|
673 | if (empty($cache)) { |
---|
674 | ob_start(); |
---|
675 | $status = TRUE; |
---|
676 | } |
---|
677 | } |
---|
678 | |
---|
679 | return $cache; |
---|
680 | } |
---|
681 | |
---|
682 | /** |
---|
683 | * Call all init or exit hooks without including all modules. |
---|
684 | * |
---|
685 | * @param $hook |
---|
686 | * The name of the bootstrap hook we wish to invoke. |
---|
687 | */ |
---|
688 | function bootstrap_invoke_all($hook) { |
---|
689 | foreach (module_list(TRUE, TRUE) as $module) { |
---|
690 | drupal_load('module', $module); |
---|
691 | module_invoke($module, $hook); |
---|
692 | } |
---|
693 | } |
---|
694 | |
---|
695 | /** |
---|
696 | * Includes a file with the provided type and name. This prevents |
---|
697 | * including a theme, engine, module, etc., more than once. |
---|
698 | * |
---|
699 | * @param $type |
---|
700 | * The type of item to load (i.e. theme, theme_engine, module, profile). |
---|
701 | * @param $name |
---|
702 | * The name of the item to load. |
---|
703 | * |
---|
704 | * @return |
---|
705 | * TRUE if the item is loaded or has already been loaded. |
---|
706 | */ |
---|
707 | function drupal_load($type, $name) { |
---|
708 | static $files = array(); |
---|
709 | |
---|
710 | if (isset($files[$type][$name])) { |
---|
711 | return TRUE; |
---|
712 | } |
---|
713 | |
---|
714 | $filename = drupal_get_filename($type, $name); |
---|
715 | |
---|
716 | if ($filename) { |
---|
717 | include_once "./$filename"; |
---|
718 | $files[$type][$name] = TRUE; |
---|
719 | |
---|
720 | return TRUE; |
---|
721 | } |
---|
722 | |
---|
723 | return FALSE; |
---|
724 | } |
---|
725 | |
---|
726 | /** |
---|
727 | * Set HTTP headers in preparation for a page response. |
---|
728 | * |
---|
729 | * Authenticated users are always given a 'no-cache' header, and will |
---|
730 | * fetch a fresh page on every request. This prevents authenticated |
---|
731 | * users seeing locally cached pages that show them as logged out. |
---|
732 | * |
---|
733 | * @see page_set_cache() |
---|
734 | */ |
---|
735 | function drupal_page_header() { |
---|
736 | header("Expires: Sun, 19 Nov 1978 05:00:00 GMT"); |
---|
737 | header("Last-Modified: ". gmdate("D, d M Y H:i:s") ." GMT"); |
---|
738 | header("Cache-Control: store, no-cache, must-revalidate"); |
---|
739 | header("Cache-Control: post-check=0, pre-check=0", FALSE); |
---|
740 | } |
---|
741 | |
---|
742 | /** |
---|
743 | * Set HTTP headers in preparation for a cached page response. |
---|
744 | * |
---|
745 | * The general approach here is that anonymous users can keep a local |
---|
746 | * cache of the page, but must revalidate it on every request. Then, |
---|
747 | * they are given a '304 Not Modified' response as long as they stay |
---|
748 | * logged out and the page has not been modified. |
---|
749 | * |
---|
750 | */ |
---|
751 | function drupal_page_cache_header($cache) { |
---|
752 | // Set default values: |
---|
753 | $last_modified = gmdate('D, d M Y H:i:s', $cache->created) .' GMT'; |
---|
754 | $etag = '"'. md5($last_modified) .'"'; |
---|
755 | |
---|
756 | // See if the client has provided the required HTTP headers: |
---|
757 | $if_modified_since = isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) ? stripslashes($_SERVER['HTTP_IF_MODIFIED_SINCE']) : FALSE; |
---|
758 | $if_none_match = isset($_SERVER['HTTP_IF_NONE_MATCH']) ? stripslashes($_SERVER['HTTP_IF_NONE_MATCH']) : FALSE; |
---|
759 | |
---|
760 | if ($if_modified_since && $if_none_match |
---|
761 | && $if_none_match == $etag // etag must match |
---|
762 | && $if_modified_since == $last_modified) { // if-modified-since must match |
---|
763 | header($_SERVER['SERVER_PROTOCOL'] .' 304 Not Modified'); |
---|
764 | // All 304 responses must send an etag if the 200 response for the same object contained an etag |
---|
765 | header("Etag: $etag"); |
---|
766 | return; |
---|
767 | } |
---|
768 | |
---|
769 | // Send appropriate response: |
---|
770 | header("Last-Modified: $last_modified"); |
---|
771 | header("ETag: $etag"); |
---|
772 | |
---|
773 | // The following headers force validation of cache: |
---|
774 | header("Expires: Sun, 19 Nov 1978 05:00:00 GMT"); |
---|
775 | header("Cache-Control: must-revalidate"); |
---|
776 | |
---|
777 | if (variable_get('page_compression', TRUE) && extension_loaded('zlib')) { |
---|
778 | // Determine if the browser accepts gzipped data. |
---|
779 | if (isset($_SERVER['HTTP_ACCEPT_ENCODING']) && strpos($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip') !== FALSE) { |
---|
780 | // $cache->data is already gzip'ed, so make sure zlib.output_compression |
---|
781 | // does not compress it once more. |
---|
782 | ini_set('zlib.output_compression', '0'); |
---|
783 | header('Content-Encoding: gzip'); |
---|
784 | } |
---|
785 | else { |
---|
786 | // The client does not support compression, so unzip the data in the |
---|
787 | // cache. Strip the gzip header and run uncompress. |
---|
788 | $cache->data = gzinflate(substr(substr($cache->data, 10), 0, -8)); |
---|
789 | } |
---|
790 | } |
---|
791 | |
---|
792 | // Send the original request's headers. We send them one after |
---|
793 | // another so PHP's header() function can deal with duplicate |
---|
794 | // headers. |
---|
795 | $headers = explode("\n", $cache->headers); |
---|
796 | foreach ($headers as $header) { |
---|
797 | header($header); |
---|
798 | } |
---|
799 | |
---|
800 | print $cache->data; |
---|
801 | } |
---|
802 | |
---|
803 | /** |
---|
804 | * Define the critical hooks that force modules to always be loaded. |
---|
805 | */ |
---|
806 | function bootstrap_hooks() { |
---|
807 | return array('boot', 'exit'); |
---|
808 | } |
---|
809 | |
---|
810 | /** |
---|
811 | * Unserializes and appends elements from a serialized string. |
---|
812 | * |
---|
813 | * @param $obj |
---|
814 | * The object to which the elements are appended. |
---|
815 | * @param $field |
---|
816 | * The attribute of $obj whose value should be unserialized. |
---|
817 | */ |
---|
818 | function drupal_unpack($obj, $field = 'data') { |
---|
819 | if ($obj->$field && $data = unserialize($obj->$field)) { |
---|
820 | foreach ($data as $key => $value) { |
---|
821 | if (!empty($key) && !isset($obj->$key)) { |
---|
822 | $obj->$key = $value; |
---|
823 | } |
---|
824 | } |
---|
825 | } |
---|
826 | return $obj; |
---|
827 | } |
---|
828 | |
---|
829 | /** |
---|
830 | * Return the URI of the referring page. |
---|
831 | */ |
---|
832 | function referer_uri() { |
---|
833 | if (isset($_SERVER['HTTP_REFERER'])) { |
---|
834 | return $_SERVER['HTTP_REFERER']; |
---|
835 | } |
---|
836 | } |
---|
837 | |
---|
838 | /** |
---|
839 | * Encode special characters in a plain-text string for display as HTML. |
---|
840 | * |
---|
841 | * Also validates strings as UTF-8 to prevent cross site scripting attacks on |
---|
842 | * Internet Explorer 6. |
---|
843 | * |
---|
844 | * @param $text |
---|
845 | * The text to be checked or processed. |
---|
846 | * @return |
---|
847 | * An HTML safe version of $text, or an empty string if $text is not |
---|
848 | * valid UTF-8. |
---|
849 | * |
---|
850 | * @see drupal_validate_utf8(). |
---|
851 | */ |
---|
852 | function check_plain($text) { |
---|
853 | static $php525; |
---|
854 | |
---|
855 | if (!isset($php525)) { |
---|
856 | $php525 = version_compare(PHP_VERSION, '5.2.5', '>='); |
---|
857 | } |
---|
858 | // We duplicate the preg_match() to validate strings as UTF-8 from |
---|
859 | // drupal_validate_utf8() here. This avoids the overhead of an additional |
---|
860 | // function call, since check_plain() may be called hundreds of times during |
---|
861 | // a request. For PHP 5.2.5+, this check for valid UTF-8 should be handled |
---|
862 | // internally by PHP in htmlspecialchars(). |
---|
863 | // @see http://www.php.net/releases/5_2_5.php |
---|
864 | // @todo remove this when support for either IE6 or PHP < 5.2.5 is dropped. |
---|
865 | |
---|
866 | if ($php525) { |
---|
867 | return htmlspecialchars($text, ENT_QUOTES, 'UTF-8'); |
---|
868 | } |
---|
869 | return (preg_match('/^./us', $text) == 1) ? htmlspecialchars($text, ENT_QUOTES, 'UTF-8') : ''; |
---|
870 | } |
---|
871 | |
---|
872 | /** |
---|
873 | * Checks whether a string is valid UTF-8. |
---|
874 | * |
---|
875 | * All functions designed to filter input should use drupal_validate_utf8 |
---|
876 | * to ensure they operate on valid UTF-8 strings to prevent bypass of the |
---|
877 | * filter. |
---|
878 | * |
---|
879 | * When text containing an invalid UTF-8 lead byte (0xC0 - 0xFF) is presented |
---|
880 | * as UTF-8 to Internet Explorer 6, the program may misinterpret subsequent |
---|
881 | * bytes. When these subsequent bytes are HTML control characters such as |
---|
882 | * quotes or angle brackets, parts of the text that were deemed safe by filters |
---|
883 | * end up in locations that are potentially unsafe; An onerror attribute that |
---|
884 | * is outside of a tag, and thus deemed safe by a filter, can be interpreted |
---|
885 | * by the browser as if it were inside the tag. |
---|
886 | * |
---|
887 | * This function exploits preg_match behaviour (since PHP 4.3.5) when used |
---|
888 | * with the u modifier, as a fast way to find invalid UTF-8. When the matched |
---|
889 | * string contains an invalid byte sequence, it will fail silently. |
---|
890 | * |
---|
891 | * preg_match may not fail on 4 and 5 octet sequences, even though they |
---|
892 | * are not supported by the specification. |
---|
893 | * |
---|
894 | * The specific preg_match behaviour is present since PHP 4.3.5. |
---|
895 | * |
---|
896 | * @param $text |
---|
897 | * The text to check. |
---|
898 | * @return |
---|
899 | * TRUE if the text is valid UTF-8, FALSE if not. |
---|
900 | */ |
---|
901 | function drupal_validate_utf8($text) { |
---|
902 | if (strlen($text) == 0) { |
---|
903 | return TRUE; |
---|
904 | } |
---|
905 | // For performance reasons this logic is duplicated in check_plain(). |
---|
906 | return (preg_match('/^./us', $text) == 1); |
---|
907 | } |
---|
908 | |
---|
909 | /** |
---|
910 | * Since $_SERVER['REQUEST_URI'] is only available on Apache, we |
---|
911 | * generate an equivalent using other environment variables. |
---|
912 | */ |
---|
913 | function request_uri() { |
---|
914 | |
---|
915 | if (isset($_SERVER['REQUEST_URI'])) { |
---|
916 | $uri = $_SERVER['REQUEST_URI']; |
---|
917 | } |
---|
918 | else { |
---|
919 | if (isset($_SERVER['argv'])) { |
---|
920 | $uri = $_SERVER['SCRIPT_NAME'] .'?'. $_SERVER['argv'][0]; |
---|
921 | } |
---|
922 | elseif (isset($_SERVER['QUERY_STRING'])) { |
---|
923 | $uri = $_SERVER['SCRIPT_NAME'] .'?'. $_SERVER['QUERY_STRING']; |
---|
924 | } |
---|
925 | else { |
---|
926 | $uri = $_SERVER['SCRIPT_NAME']; |
---|
927 | } |
---|
928 | } |
---|
929 | // Prevent multiple slashes to avoid cross site requests via the FAPI. |
---|
930 | $uri = '/'. ltrim($uri, '/'); |
---|
931 | |
---|
932 | return $uri; |
---|
933 | } |
---|
934 | |
---|
935 | /** |
---|
936 | * Log a system message. |
---|
937 | * |
---|
938 | * @param $type |
---|
939 | * The category to which this message belongs. Can be any string, but the |
---|
940 | * general practice is to use the name of the module calling watchdog(). |
---|
941 | * The $type parameter is limited to 16 characters; anything longer is |
---|
942 | * truncated. |
---|
943 | * @param $message |
---|
944 | * The message to store in the log. See t() for documentation |
---|
945 | * on how $message and $variables interact. Keep $message |
---|
946 | * translatable by not concatenating dynamic values into it! |
---|
947 | * @param $variables |
---|
948 | * Array of variables to replace in the message on display or |
---|
949 | * NULL if message is already translated or not possible to |
---|
950 | * translate. |
---|
951 | * @param $severity |
---|
952 | * The severity of the message; one of the following values as defined in |
---|
953 | * @link http://www.faqs.org/rfcs/rfc3164.html RFC 3164: @endlink |
---|
954 | * - WATCHDOG_EMERGENCY: Emergency, system is unusable. |
---|
955 | * - WATCHDOG_ALERT: Alert, action must be taken immediately. |
---|
956 | * - WATCHDOG_CRITICAL: Critical conditions. |
---|
957 | * - WATCHDOG_ERROR: Error conditions. |
---|
958 | * - WATCHDOG_WARNING: Warning conditions. |
---|
959 | * - WATCHDOG_NOTICE: (default) Normal but significant conditions. |
---|
960 | * - WATCHDOG_INFO: Informational messages. |
---|
961 | * - WATCHDOG_DEBUG: Debug-level messages. |
---|
962 | * @param $link |
---|
963 | * A link to associate with the message. |
---|
964 | * |
---|
965 | * @see watchdog_severity_levels() |
---|
966 | */ |
---|
967 | function watchdog($type, $message, $variables = array(), $severity = WATCHDOG_NOTICE, $link = NULL) { |
---|
968 | global $user, $base_root; |
---|
969 | |
---|
970 | // Prepare the fields to be logged |
---|
971 | $log_message = array( |
---|
972 | 'type' => $type, |
---|
973 | 'message' => $message, |
---|
974 | 'variables' => $variables, |
---|
975 | 'severity' => $severity, |
---|
976 | 'link' => $link, |
---|
977 | 'user' => $user, |
---|
978 | 'request_uri' => $base_root . request_uri(), |
---|
979 | 'referer' => referer_uri(), |
---|
980 | 'ip' => ip_address(), |
---|
981 | 'timestamp' => time(), |
---|
982 | ); |
---|
983 | |
---|
984 | // Call the logging hooks to log/process the message |
---|
985 | foreach (module_implements('watchdog') as $module) { |
---|
986 | module_invoke($module, 'watchdog', $log_message); |
---|
987 | } |
---|
988 | } |
---|
989 | |
---|
990 | /** |
---|
991 | * Set a message which reflects the status of the performed operation. |
---|
992 | * |
---|
993 | * If the function is called with no arguments, this function returns all set |
---|
994 | * messages without clearing them. |
---|
995 | * |
---|
996 | * @param $message |
---|
997 | * The message should begin with a capital letter and always ends with a |
---|
998 | * period '.'. |
---|
999 | * @param $type |
---|
1000 | * The type of the message. One of the following values are possible: |
---|
1001 | * - 'status' |
---|
1002 | * - 'warning' |
---|
1003 | * - 'error' |
---|
1004 | * @param $repeat |
---|
1005 | * If this is FALSE and the message is already set, then the message won't |
---|
1006 | * be repeated. |
---|
1007 | */ |
---|
1008 | function drupal_set_message($message = NULL, $type = 'status', $repeat = TRUE) { |
---|
1009 | if ($message) { |
---|
1010 | if (!isset($_SESSION['messages'])) { |
---|
1011 | $_SESSION['messages'] = array(); |
---|
1012 | } |
---|
1013 | |
---|
1014 | if (!isset($_SESSION['messages'][$type])) { |
---|
1015 | $_SESSION['messages'][$type] = array(); |
---|
1016 | } |
---|
1017 | |
---|
1018 | if ($repeat || !in_array($message, $_SESSION['messages'][$type])) { |
---|
1019 | $_SESSION['messages'][$type][] = $message; |
---|
1020 | } |
---|
1021 | } |
---|
1022 | |
---|
1023 | // messages not set when DB connection fails |
---|
1024 | return isset($_SESSION['messages']) ? $_SESSION['messages'] : NULL; |
---|
1025 | } |
---|
1026 | |
---|
1027 | /** |
---|
1028 | * Return all messages that have been set. |
---|
1029 | * |
---|
1030 | * @param $type |
---|
1031 | * (optional) Only return messages of this type. |
---|
1032 | * @param $clear_queue |
---|
1033 | * (optional) Set to FALSE if you do not want to clear the messages queue |
---|
1034 | * @return |
---|
1035 | * An associative array, the key is the message type, the value an array |
---|
1036 | * of messages. If the $type parameter is passed, you get only that type, |
---|
1037 | * or an empty array if there are no such messages. If $type is not passed, |
---|
1038 | * all message types are returned, or an empty array if none exist. |
---|
1039 | */ |
---|
1040 | function drupal_get_messages($type = NULL, $clear_queue = TRUE) { |
---|
1041 | if ($messages = drupal_set_message()) { |
---|
1042 | if ($type) { |
---|
1043 | if ($clear_queue) { |
---|
1044 | unset($_SESSION['messages'][$type]); |
---|
1045 | } |
---|
1046 | if (isset($messages[$type])) { |
---|
1047 | return array($type => $messages[$type]); |
---|
1048 | } |
---|
1049 | } |
---|
1050 | else { |
---|
1051 | if ($clear_queue) { |
---|
1052 | unset($_SESSION['messages']); |
---|
1053 | } |
---|
1054 | return $messages; |
---|
1055 | } |
---|
1056 | } |
---|
1057 | return array(); |
---|
1058 | } |
---|
1059 | |
---|
1060 | /** |
---|
1061 | * Perform an access check for a given mask and rule type. Rules are usually |
---|
1062 | * created via admin/user/rules page. |
---|
1063 | * |
---|
1064 | * If any allow rule matches, access is allowed. Otherwise, if any deny rule |
---|
1065 | * matches, access is denied. If no rule matches, access is allowed. |
---|
1066 | * |
---|
1067 | * @param $type string |
---|
1068 | * Type of access to check: Allowed values are: |
---|
1069 | * - 'host': host name or IP address |
---|
1070 | * - 'mail': e-mail address |
---|
1071 | * - 'user': username |
---|
1072 | * @param $mask string |
---|
1073 | * String or mask to test: '_' matches any character, '%' matches any |
---|
1074 | * number of characters. |
---|
1075 | * @return bool |
---|
1076 | * TRUE if access is denied, FALSE if access is allowed. |
---|
1077 | */ |
---|
1078 | function drupal_is_denied($type, $mask) { |
---|
1079 | // Because this function is called for every page request, both cached |
---|
1080 | // and non-cached pages, we tried to optimize it as much as possible. |
---|
1081 | // We deny access if the only matching records in the {access} table have |
---|
1082 | // status 0 (deny). If any have status 1 (allow), or if there are no |
---|
1083 | // matching records, we allow access. |
---|
1084 | $sql = "SELECT 1 FROM {access} WHERE type = '%s' AND LOWER('%s') LIKE LOWER(mask) AND status = %d"; |
---|
1085 | return db_result(db_query_range($sql, $type, $mask, 0, 0, 1)) && !db_result(db_query_range($sql, $type, $mask, 1, 0, 1)); |
---|
1086 | } |
---|
1087 | |
---|
1088 | /** |
---|
1089 | * Generates a default anonymous $user object. |
---|
1090 | * |
---|
1091 | * @return Object - the user object. |
---|
1092 | */ |
---|
1093 | function drupal_anonymous_user($session = '') { |
---|
1094 | $user = new stdClass(); |
---|
1095 | $user->uid = 0; |
---|
1096 | $user->hostname = ip_address(); |
---|
1097 | $user->roles = array(); |
---|
1098 | $user->roles[DRUPAL_ANONYMOUS_RID] = 'anonymous user'; |
---|
1099 | $user->session = $session; |
---|
1100 | $user->cache = 0; |
---|
1101 | return $user; |
---|
1102 | } |
---|
1103 | |
---|
1104 | /** |
---|
1105 | * A string describing a phase of Drupal to load. Each phase adds to the |
---|
1106 | * previous one, so invoking a later phase automatically runs the earlier |
---|
1107 | * phases too. The most important usage is that if you want to access the |
---|
1108 | * Drupal database from a script without loading anything else, you can |
---|
1109 | * include bootstrap.inc, and call drupal_bootstrap(DRUPAL_BOOTSTRAP_DATABASE). |
---|
1110 | * |
---|
1111 | * @param $phase |
---|
1112 | * A constant. Allowed values are: |
---|
1113 | * DRUPAL_BOOTSTRAP_CONFIGURATION: initialize configuration. |
---|
1114 | * DRUPAL_BOOTSTRAP_EARLY_PAGE_CACHE: try to call a non-database cache fetch routine. |
---|
1115 | * DRUPAL_BOOTSTRAP_DATABASE: initialize database layer. |
---|
1116 | * DRUPAL_BOOTSTRAP_ACCESS: identify and reject banned hosts. |
---|
1117 | * DRUPAL_BOOTSTRAP_SESSION: initialize session handling. |
---|
1118 | * DRUPAL_BOOTSTRAP_LATE_PAGE_CACHE: load bootstrap.inc and module.inc, start |
---|
1119 | * the variable system and try to serve a page from the cache. |
---|
1120 | * DRUPAL_BOOTSTRAP_LANGUAGE: identify the language used on the page. |
---|
1121 | * DRUPAL_BOOTSTRAP_PATH: set $_GET['q'] to Drupal path of request. |
---|
1122 | * DRUPAL_BOOTSTRAP_FULL: Drupal is fully loaded, validate and fix input data. |
---|
1123 | */ |
---|
1124 | function drupal_bootstrap($phase) { |
---|
1125 | static $phases = array(DRUPAL_BOOTSTRAP_CONFIGURATION, DRUPAL_BOOTSTRAP_EARLY_PAGE_CACHE, DRUPAL_BOOTSTRAP_DATABASE, DRUPAL_BOOTSTRAP_ACCESS, DRUPAL_BOOTSTRAP_SESSION, DRUPAL_BOOTSTRAP_LATE_PAGE_CACHE, DRUPAL_BOOTSTRAP_LANGUAGE, DRUPAL_BOOTSTRAP_PATH, DRUPAL_BOOTSTRAP_FULL), $phase_index = 0; |
---|
1126 | |
---|
1127 | while ($phase >= $phase_index && isset($phases[$phase_index])) { |
---|
1128 | $current_phase = $phases[$phase_index]; |
---|
1129 | unset($phases[$phase_index++]); |
---|
1130 | _drupal_bootstrap($current_phase); |
---|
1131 | } |
---|
1132 | } |
---|
1133 | |
---|
1134 | function _drupal_bootstrap($phase) { |
---|
1135 | global $conf; |
---|
1136 | |
---|
1137 | switch ($phase) { |
---|
1138 | |
---|
1139 | case DRUPAL_BOOTSTRAP_CONFIGURATION: |
---|
1140 | drupal_unset_globals(); |
---|
1141 | // Start a page timer: |
---|
1142 | timer_start('page'); |
---|
1143 | // Initialize the configuration |
---|
1144 | conf_init(); |
---|
1145 | break; |
---|
1146 | |
---|
1147 | case DRUPAL_BOOTSTRAP_EARLY_PAGE_CACHE: |
---|
1148 | // Allow specifying special cache handlers in settings.php, like |
---|
1149 | // using memcached or files for storing cache information. |
---|
1150 | require_once variable_get('cache_inc', './includes/cache.inc'); |
---|
1151 | // If the page_cache_fastpath is set to TRUE in settings.php and |
---|
1152 | // page_cache_fastpath (implemented in the special implementation of |
---|
1153 | // cache.inc) printed the page and indicated this with a returned TRUE |
---|
1154 | // then we are done. |
---|
1155 | if (variable_get('page_cache_fastpath', FALSE) && page_cache_fastpath()) { |
---|
1156 | exit; |
---|
1157 | } |
---|
1158 | break; |
---|
1159 | |
---|
1160 | case DRUPAL_BOOTSTRAP_DATABASE: |
---|
1161 | // Initialize the default database. |
---|
1162 | require_once './includes/database.inc'; |
---|
1163 | db_set_active(); |
---|
1164 | // Allow specifying alternate lock implementations in settings.php, like |
---|
1165 | // those using APC or memcached. |
---|
1166 | require_once variable_get('lock_inc', './includes/lock.inc'); |
---|
1167 | lock_init(); |
---|
1168 | break; |
---|
1169 | |
---|
1170 | case DRUPAL_BOOTSTRAP_ACCESS: |
---|
1171 | // Deny access to hosts which were banned - t() is not yet available. |
---|
1172 | if (drupal_is_denied('host', ip_address())) { |
---|
1173 | header($_SERVER['SERVER_PROTOCOL'] .' 403 Forbidden'); |
---|
1174 | print 'Sorry, '. check_plain(ip_address()) .' has been banned.'; |
---|
1175 | exit(); |
---|
1176 | } |
---|
1177 | break; |
---|
1178 | |
---|
1179 | case DRUPAL_BOOTSTRAP_SESSION: |
---|
1180 | require_once variable_get('session_inc', './includes/session.inc'); |
---|
1181 | session_set_save_handler('sess_open', 'sess_close', 'sess_read', 'sess_write', 'sess_destroy_sid', 'sess_gc'); |
---|
1182 | session_start(); |
---|
1183 | break; |
---|
1184 | |
---|
1185 | case DRUPAL_BOOTSTRAP_LATE_PAGE_CACHE: |
---|
1186 | // Initialize configuration variables, using values from settings.php if available. |
---|
1187 | $conf = variable_init(isset($conf) ? $conf : array()); |
---|
1188 | |
---|
1189 | // Sanitize the destination parameter (which is often used for redirects) |
---|
1190 | // to prevent open redirect attacks leading to other domains. Sanitize |
---|
1191 | // both $_GET['destination'] and $_REQUEST['destination'] to protect code |
---|
1192 | // that relies on either, but do not sanitize $_POST to avoid interfering |
---|
1193 | // with unrelated form submissions. $_REQUEST['edit']['destination'] is |
---|
1194 | // also sanitized since drupal_goto() will sometimes rely on it, and |
---|
1195 | // other code might therefore use it too. The sanitization happens here |
---|
1196 | // because menu_path_is_external() requires the variable system to be |
---|
1197 | // available. |
---|
1198 | if (isset($_GET['destination']) || isset($_REQUEST['destination']) || isset($_REQUEST['edit']['destination'])) { |
---|
1199 | // If the destination is an external URL, remove it. |
---|
1200 | if (isset($_GET['destination']) && menu_path_is_external($_GET['destination'])) { |
---|
1201 | unset($_GET['destination']); |
---|
1202 | unset($_REQUEST['destination']); |
---|
1203 | } |
---|
1204 | // If there's still something in $_REQUEST['destination'] that didn't |
---|
1205 | // come from $_GET, check it too. |
---|
1206 | if (isset($_REQUEST['destination']) && (!isset($_GET['destination']) || $_REQUEST['destination'] != $_GET['destination']) && menu_path_is_external($_REQUEST['destination'])) { |
---|
1207 | unset($_REQUEST['destination']); |
---|
1208 | } |
---|
1209 | // Check $_REQUEST['edit']['destination'] separately. |
---|
1210 | if (isset($_REQUEST['edit']['destination']) && menu_path_is_external($_REQUEST['edit']['destination'])) { |
---|
1211 | unset($_REQUEST['edit']['destination']); |
---|
1212 | } |
---|
1213 | } |
---|
1214 | |
---|
1215 | $cache_mode = variable_get('cache', CACHE_DISABLED); |
---|
1216 | // Get the page from the cache. |
---|
1217 | $cache = $cache_mode == CACHE_DISABLED ? '' : page_get_cache(); |
---|
1218 | // If the skipping of the bootstrap hooks is not enforced, call hook_boot. |
---|
1219 | if (!$cache || $cache_mode != CACHE_AGGRESSIVE) { |
---|
1220 | // Load module handling. |
---|
1221 | require_once './includes/module.inc'; |
---|
1222 | bootstrap_invoke_all('boot'); |
---|
1223 | } |
---|
1224 | // If there is a cached page, display it. |
---|
1225 | if ($cache) { |
---|
1226 | drupal_page_cache_header($cache); |
---|
1227 | // If the skipping of the bootstrap hooks is not enforced, call hook_exit. |
---|
1228 | if ($cache_mode != CACHE_AGGRESSIVE) { |
---|
1229 | bootstrap_invoke_all('exit'); |
---|
1230 | } |
---|
1231 | // We are done. |
---|
1232 | exit; |
---|
1233 | } |
---|
1234 | // Prepare for non-cached page workflow. |
---|
1235 | drupal_page_header(); |
---|
1236 | break; |
---|
1237 | |
---|
1238 | case DRUPAL_BOOTSTRAP_LANGUAGE: |
---|
1239 | drupal_init_language(); |
---|
1240 | break; |
---|
1241 | |
---|
1242 | case DRUPAL_BOOTSTRAP_PATH: |
---|
1243 | require_once './includes/path.inc'; |
---|
1244 | // Initialize $_GET['q'] prior to loading modules and invoking hook_init(). |
---|
1245 | drupal_init_path(); |
---|
1246 | break; |
---|
1247 | |
---|
1248 | case DRUPAL_BOOTSTRAP_FULL: |
---|
1249 | require_once './includes/common.inc'; |
---|
1250 | _drupal_bootstrap_full(); |
---|
1251 | break; |
---|
1252 | } |
---|
1253 | } |
---|
1254 | |
---|
1255 | /** |
---|
1256 | * Enables use of the theme system without requiring database access. |
---|
1257 | * |
---|
1258 | * Loads and initializes the theme system for site installs, updates and when |
---|
1259 | * the site is in off-line mode. This also applies when the database fails. |
---|
1260 | * |
---|
1261 | * @see _drupal_maintenance_theme() |
---|
1262 | */ |
---|
1263 | function drupal_maintenance_theme() { |
---|
1264 | require_once './includes/theme.maintenance.inc'; |
---|
1265 | _drupal_maintenance_theme(); |
---|
1266 | } |
---|
1267 | |
---|
1268 | /** |
---|
1269 | * Return the name of the localisation function. Use in code that needs to |
---|
1270 | * run both during installation and normal operation. |
---|
1271 | */ |
---|
1272 | function get_t() { |
---|
1273 | static $t; |
---|
1274 | if (is_null($t)) { |
---|
1275 | $t = function_exists('install_main') ? 'st' : 't'; |
---|
1276 | } |
---|
1277 | return $t; |
---|
1278 | } |
---|
1279 | |
---|
1280 | /** |
---|
1281 | * Choose a language for the current page, based on site and user preferences. |
---|
1282 | */ |
---|
1283 | function drupal_init_language() { |
---|
1284 | global $language, $user; |
---|
1285 | |
---|
1286 | // Ensure the language is correctly returned, even without multilanguage support. |
---|
1287 | // Useful for eg. XML/HTML 'lang' attributes. |
---|
1288 | if (variable_get('language_count', 1) == 1) { |
---|
1289 | $language = language_default(); |
---|
1290 | } |
---|
1291 | else { |
---|
1292 | include_once './includes/language.inc'; |
---|
1293 | $language = language_initialize(); |
---|
1294 | } |
---|
1295 | } |
---|
1296 | |
---|
1297 | /** |
---|
1298 | * Get a list of languages set up indexed by the specified key |
---|
1299 | * |
---|
1300 | * @param $field The field to index the list with. |
---|
1301 | * @param $reset Boolean to request a reset of the list. |
---|
1302 | */ |
---|
1303 | function language_list($field = 'language', $reset = FALSE) { |
---|
1304 | static $languages = NULL; |
---|
1305 | |
---|
1306 | // Reset language list |
---|
1307 | if ($reset) { |
---|
1308 | $languages = NULL; |
---|
1309 | } |
---|
1310 | |
---|
1311 | // Init language list |
---|
1312 | if (!isset($languages)) { |
---|
1313 | if (variable_get('language_count', 1) > 1 || module_exists('locale')) { |
---|
1314 | $result = db_query('SELECT * FROM {languages} ORDER BY weight ASC, name ASC'); |
---|
1315 | while ($row = db_fetch_object($result)) { |
---|
1316 | $languages['language'][$row->language] = $row; |
---|
1317 | } |
---|
1318 | } |
---|
1319 | else { |
---|
1320 | // No locale module, so use the default language only. |
---|
1321 | $default = language_default(); |
---|
1322 | $languages['language'][$default->language] = $default; |
---|
1323 | } |
---|
1324 | } |
---|
1325 | |
---|
1326 | // Return the array indexed by the right field |
---|
1327 | if (!isset($languages[$field])) { |
---|
1328 | $languages[$field] = array(); |
---|
1329 | foreach ($languages['language'] as $lang) { |
---|
1330 | // Some values should be collected into an array |
---|
1331 | if (in_array($field, array('enabled', 'weight'))) { |
---|
1332 | $languages[$field][$lang->$field][$lang->language] = $lang; |
---|
1333 | } |
---|
1334 | else { |
---|
1335 | $languages[$field][$lang->$field] = $lang; |
---|
1336 | } |
---|
1337 | } |
---|
1338 | } |
---|
1339 | return $languages[$field]; |
---|
1340 | } |
---|
1341 | |
---|
1342 | /** |
---|
1343 | * Default language used on the site |
---|
1344 | * |
---|
1345 | * @param $property |
---|
1346 | * Optional property of the language object to return |
---|
1347 | */ |
---|
1348 | function language_default($property = NULL) { |
---|
1349 | $language = variable_get('language_default', (object) array('language' => 'en', 'name' => 'English', 'native' => 'English', 'direction' => 0, 'enabled' => 1, 'plurals' => 0, 'formula' => '', 'domain' => '', 'prefix' => '', 'weight' => 0, 'javascript' => '')); |
---|
1350 | return $property ? $language->$property : $language; |
---|
1351 | } |
---|
1352 | |
---|
1353 | /** |
---|
1354 | * If Drupal is behind a reverse proxy, we use the X-Forwarded-For header |
---|
1355 | * instead of $_SERVER['REMOTE_ADDR'], which would be the IP address |
---|
1356 | * of the proxy server, and not the client's. |
---|
1357 | * |
---|
1358 | * @return |
---|
1359 | * IP address of client machine, adjusted for reverse proxy. |
---|
1360 | */ |
---|
1361 | function ip_address() { |
---|
1362 | static $ip_address = NULL; |
---|
1363 | |
---|
1364 | if (!isset($ip_address)) { |
---|
1365 | $ip_address = $_SERVER['REMOTE_ADDR']; |
---|
1366 | if (variable_get('reverse_proxy', 0) && array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) { |
---|
1367 | // If an array of known reverse proxy IPs is provided, then trust |
---|
1368 | // the XFF header if request really comes from one of them. |
---|
1369 | $reverse_proxy_addresses = variable_get('reverse_proxy_addresses', array()); |
---|
1370 | if (!empty($reverse_proxy_addresses) && in_array($ip_address, $reverse_proxy_addresses, TRUE)) { |
---|
1371 | // If there are several arguments, we need to check the most |
---|
1372 | // recently added one, i.e. the last one. |
---|
1373 | $ip_address_parts = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']); |
---|
1374 | $ip_address = array_pop($ip_address_parts); |
---|
1375 | } |
---|
1376 | } |
---|
1377 | } |
---|
1378 | |
---|
1379 | return $ip_address; |
---|
1380 | } |
---|
1381 | |
---|
1382 | /** |
---|
1383 | * Returns a URL-safe, base64 encoded string of highly randomized bytes (over the full 8-bit range). |
---|
1384 | * |
---|
1385 | * @param $byte_count |
---|
1386 | * The number of random bytes to fetch and base64 encode. |
---|
1387 | * |
---|
1388 | * @return string |
---|
1389 | * The base64 encoded result will have a length of up to 4 * $byte_count. |
---|
1390 | */ |
---|
1391 | function drupal_random_key($byte_count = 32) { |
---|
1392 | return drupal_base64_encode(drupal_random_bytes($byte_count)); |
---|
1393 | } |
---|
1394 | |
---|
1395 | /** |
---|
1396 | * Returns a URL-safe, base64 encoded version of the supplied string. |
---|
1397 | * |
---|
1398 | * @param $string |
---|
1399 | * The string to convert to base64. |
---|
1400 | * |
---|
1401 | * @return string |
---|
1402 | */ |
---|
1403 | function drupal_base64_encode($string) { |
---|
1404 | $data = base64_encode($string); |
---|
1405 | // Modify the output so it's safe to use in URLs. |
---|
1406 | return strtr($data, array('+' => '-', '/' => '_', '=' => '')); |
---|
1407 | } |
---|
1408 | |
---|
1409 | /** |
---|
1410 | * Returns a string of highly randomized bytes (over the full 8-bit range). |
---|
1411 | * |
---|
1412 | * This function is better than simply calling mt_rand() or any other built-in |
---|
1413 | * PHP function because it can return a long string of bytes (compared to < 4 |
---|
1414 | * bytes normally from mt_rand()) and uses the best available pseudo-random |
---|
1415 | * source. |
---|
1416 | * |
---|
1417 | * @param $count |
---|
1418 | * The number of characters (bytes) to return in the string. |
---|
1419 | */ |
---|
1420 | function drupal_random_bytes($count) { |
---|
1421 | // $random_state does not use drupal_static as it stores random bytes. |
---|
1422 | static $random_state, $bytes, $has_openssl, $has_hash; |
---|
1423 | |
---|
1424 | $missing_bytes = $count - strlen($bytes); |
---|
1425 | |
---|
1426 | if ($missing_bytes > 0) { |
---|
1427 | // PHP versions prior 5.3.4 experienced openssl_random_pseudo_bytes() |
---|
1428 | // locking on Windows and rendered it unusable. |
---|
1429 | if (!isset($has_openssl)) { |
---|
1430 | $has_openssl = version_compare(PHP_VERSION, '5.3.4', '>=') && function_exists('openssl_random_pseudo_bytes'); |
---|
1431 | } |
---|
1432 | |
---|
1433 | // openssl_random_pseudo_bytes() will find entropy in a system-dependent |
---|
1434 | // way. |
---|
1435 | if ($has_openssl) { |
---|
1436 | $bytes .= openssl_random_pseudo_bytes($missing_bytes); |
---|
1437 | } |
---|
1438 | |
---|
1439 | // Else, read directly from /dev/urandom, which is available on many *nix |
---|
1440 | // systems and is considered cryptographically secure. |
---|
1441 | elseif ($fh = @fopen('/dev/urandom', 'rb')) { |
---|
1442 | // PHP only performs buffered reads, so in reality it will always read |
---|
1443 | // at least 4096 bytes. Thus, it costs nothing extra to read and store |
---|
1444 | // that much so as to speed any additional invocations. |
---|
1445 | $bytes .= fread($fh, max(4096, $missing_bytes)); |
---|
1446 | fclose($fh); |
---|
1447 | } |
---|
1448 | |
---|
1449 | // If we couldn't get enough entropy, this simple hash-based PRNG will |
---|
1450 | // generate a good set of pseudo-random bytes on any system. |
---|
1451 | // Note that it may be important that our $random_state is passed |
---|
1452 | // through hash() prior to being rolled into $output, that the two hash() |
---|
1453 | // invocations are different, and that the extra input into the first one - |
---|
1454 | // the microtime() - is prepended rather than appended. This is to avoid |
---|
1455 | // directly leaking $random_state via the $output stream, which could |
---|
1456 | // allow for trivial prediction of further "random" numbers. |
---|
1457 | if (strlen($bytes) < $count) { |
---|
1458 | // Initialize on the first call. The contents of $_SERVER includes a mix of |
---|
1459 | // user-specific and system information that varies a little with each page. |
---|
1460 | if (!isset($random_state)) { |
---|
1461 | $random_state = print_r($_SERVER, TRUE); |
---|
1462 | if (function_exists('getmypid')) { |
---|
1463 | // Further initialize with the somewhat random PHP process ID. |
---|
1464 | $random_state .= getmypid(); |
---|
1465 | } |
---|
1466 | // hash() is only available in PHP 5.1.2+ or via PECL. |
---|
1467 | $has_hash = function_exists('hash') && in_array('sha256', hash_algos()); |
---|
1468 | $bytes = ''; |
---|
1469 | } |
---|
1470 | |
---|
1471 | if ($has_hash) { |
---|
1472 | do { |
---|
1473 | $random_state = hash('sha256', microtime() . mt_rand() . $random_state); |
---|
1474 | $bytes .= hash('sha256', mt_rand() . $random_state, TRUE); |
---|
1475 | } while (strlen($bytes) < $count); |
---|
1476 | } |
---|
1477 | else { |
---|
1478 | do { |
---|
1479 | $random_state = md5(microtime() . mt_rand() . $random_state); |
---|
1480 | $bytes .= pack("H*", md5(mt_rand() . $random_state)); |
---|
1481 | } while (strlen($bytes) < $count); |
---|
1482 | } |
---|
1483 | } |
---|
1484 | } |
---|
1485 | $output = substr($bytes, 0, $count); |
---|
1486 | $bytes = substr($bytes, $count); |
---|
1487 | return $output; |
---|
1488 | } |
---|
1489 | |
---|
1490 | /** |
---|
1491 | * Calculates a hexadecimal encoded sha-1 hmac. |
---|
1492 | * |
---|
1493 | * @param string $data |
---|
1494 | * String to be validated with the hmac. |
---|
1495 | * @param string $key |
---|
1496 | * A secret string key. |
---|
1497 | * |
---|
1498 | * See RFC2104 (http://www.ietf.org/rfc/rfc2104.txt). Note, the result of this |
---|
1499 | * must be identical to using hash_hmac('sha1', $data, $key); We don't use |
---|
1500 | * that function since PHP can be missing it if it was compiled with the |
---|
1501 | * --disable-hash switch. |
---|
1502 | * |
---|
1503 | * @return string |
---|
1504 | * A hexadecimal encoded sha-1 hmac. |
---|
1505 | */ |
---|
1506 | function drupal_hash_hmac_sha1($data, $key) { |
---|
1507 | // Keys longer than the 64 byte block size must be hashed first. |
---|
1508 | if (strlen($key) > 64) { |
---|
1509 | $key = pack("H*", sha1($key)); |
---|
1510 | } |
---|
1511 | return sha1((str_pad($key, 64, chr(0x00)) ^ (str_repeat(chr(0x5c), 64))) . pack("H*", sha1((str_pad($key, 64, chr(0x00)) ^ (str_repeat(chr(0x36), 64))) . $data))); |
---|
1512 | } |
---|
1513 | |
---|
1514 | /** |
---|
1515 | * Calculates a base-64 encoded, URL-safe sha-1 hmac. |
---|
1516 | * |
---|
1517 | * @param string $data |
---|
1518 | * String to be validated with the hmac. |
---|
1519 | * @param string $key |
---|
1520 | * A secret string key. |
---|
1521 | * |
---|
1522 | * @return string |
---|
1523 | * A base-64 encoded sha-1 hmac, with + replaced with -, / with _ and |
---|
1524 | * any = padding characters removed. |
---|
1525 | */ |
---|
1526 | function drupal_hmac_base64($data, $key) { |
---|
1527 | // Casting $data and $key to strings here is necessary to avoid empty string |
---|
1528 | // results of the hash function if they are not scalar values. As this |
---|
1529 | // function is used in security-critical contexts like token validation it is |
---|
1530 | // important that it never returns an empty string. |
---|
1531 | $hmac = base64_encode(pack("H*", drupal_hash_hmac_sha1((string) $data, (string) $key))); |
---|
1532 | // Modify the hmac so it's safe to use in URLs. |
---|
1533 | return strtr($hmac, array('+' => '-', '/' => '_', '=' => '')); |
---|
1534 | } |
---|
1535 | |
---|
1536 | /** |
---|
1537 | * Returns TRUE if a path is external (e.g. http://example.com). |
---|
1538 | * |
---|
1539 | * May be used early in bootstrap. |
---|
1540 | */ |
---|
1541 | function menu_path_is_external($path) { |
---|
1542 | // Avoid calling filter_xss_bad_protocol() if there is any slash (/), |
---|
1543 | // hash (#) or question_mark (?) before the colon (:) occurrence - if any - as |
---|
1544 | // this would clearly mean it is not a URL. If the path starts with 2 slashes |
---|
1545 | // then it is always considered an external URL without an explicit protocol |
---|
1546 | // part. Leading control characters may be ignored or mishandled by browsers, |
---|
1547 | // so assume such a path may lead to an external location. The range matches |
---|
1548 | // all UTF-8 control characters, class Cc. |
---|
1549 | $colonpos = strpos($path, ':'); |
---|
1550 | // Some browsers treat \ as / so normalize to forward slashes. |
---|
1551 | $path = str_replace('\\', '/', $path); |
---|
1552 | return (strpos($path, '//') === 0) || (preg_match('/^[\x00-\x1F\x7F-\x9F]/u', $path) !== 0) |
---|
1553 | || ($colonpos !== FALSE |
---|
1554 | && !preg_match('![/?#]!', substr($path, 0, $colonpos)) |
---|
1555 | && filter_xss_bad_protocol($path, FALSE) == check_plain($path)); |
---|
1556 | } |
---|
1557 | |
---|
1558 | /** |
---|
1559 | * Processes an HTML attribute value and ensures it does not contain an URL |
---|
1560 | * with a disallowed protocol (e.g. javascript:) |
---|
1561 | * |
---|
1562 | * May be used early in bootstrap. |
---|
1563 | * |
---|
1564 | * @param $string |
---|
1565 | * The string with the attribute value. |
---|
1566 | * @param $decode |
---|
1567 | * Whether to decode entities in the $string. Set to FALSE if the $string |
---|
1568 | * is in plain text, TRUE otherwise. Defaults to TRUE. |
---|
1569 | * @return |
---|
1570 | * Cleaned up and HTML-escaped version of $string. |
---|
1571 | */ |
---|
1572 | function filter_xss_bad_protocol($string, $decode = TRUE) { |
---|
1573 | static $allowed_protocols; |
---|
1574 | if (!isset($allowed_protocols)) { |
---|
1575 | $allowed_protocols = array_flip(variable_get('filter_allowed_protocols', array('http', 'https', 'ftp', 'news', 'nntp', 'tel', 'telnet', 'mailto', 'irc', 'ssh', 'sftp', 'webcal', 'rtsp'))); |
---|
1576 | } |
---|
1577 | |
---|
1578 | // Get the plain text representation of the attribute value (i.e. its meaning). |
---|
1579 | if ($decode) { |
---|
1580 | $string = decode_entities($string); |
---|
1581 | } |
---|
1582 | |
---|
1583 | // Iteratively remove any invalid protocol found. |
---|
1584 | |
---|
1585 | do { |
---|
1586 | $before = $string; |
---|
1587 | $colonpos = strpos($string, ':'); |
---|
1588 | if ($colonpos > 0) { |
---|
1589 | // We found a colon, possibly a protocol. Verify. |
---|
1590 | $protocol = substr($string, 0, $colonpos); |
---|
1591 | // If a colon is preceded by a slash, question mark or hash, it cannot |
---|
1592 | // possibly be part of the URL scheme. This must be a relative URL, |
---|
1593 | // which inherits the (safe) protocol of the base document. |
---|
1594 | if (preg_match('![/?#]!', $protocol)) { |
---|
1595 | break; |
---|
1596 | } |
---|
1597 | // Per RFC2616, section 3.2.3 (URI Comparison) scheme comparison must be case-insensitive |
---|
1598 | // Check if this is a disallowed protocol. |
---|
1599 | if (!isset($allowed_protocols[strtolower($protocol)])) { |
---|
1600 | $string = substr($string, $colonpos + 1); |
---|
1601 | } |
---|
1602 | } |
---|
1603 | } while ($before != $string); |
---|
1604 | return check_plain($string); |
---|
1605 | } |
---|