Conjunto de cambios d7a822e en sipes para cord/includes/file.inc
- Fecha y hora:
- 23/05/2016 15:48:25 (hace 8 años)
- Branches:
- stable, version-3.0
- Children:
- 6f9ddf1
- Parents:
- b354002
- Fichero:
-
- 1 editado
cord/includes/file.inc
rb354002 rd7a822e 39 39 */ 40 40 function file_create_url($path) { 41 // Strip file_directory_path from $path. We only include relative paths in urls.41 // Strip file_directory_path from $path. We only include relative paths in URLs. 42 42 if (strpos($path, file_directory_path() .'/') === 0) { 43 43 $path = trim(substr($path, strlen(file_directory_path())), '\\/'); … … 135 135 } 136 136 137 if ((file_directory_path() == $directory || file_directory_temp() == $directory) && !is_file("$directory/.htaccess")) { 138 $htaccess_lines = "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nOptions None\nOptions +FollowSymLinks"; 137 if (file_directory_path() == $directory || file_directory_temp() == $directory) { 138 file_create_htaccess($directory, $form_item); 139 } 140 141 return TRUE; 142 } 143 144 /** 145 * Creates a .htaccess file in the given directory. 146 * 147 * @param $directory 148 * The directory. 149 * @param $form_item 150 * An optional string containing the name of a form item that any errors 151 * will be attached to. Useful when called from file_check_directory() to 152 * validate a directory path entered as a form value. An error will 153 * consequently prevent form submit handlers from running, and instead 154 * display the form along with the error messages. 155 * @param $force_overwrite 156 * Set to TRUE to attempt to overwrite the existing .htaccess file if one is 157 * already present. Defaults to FALSE. 158 */ 159 function file_create_htaccess($directory, $form_item = NULL, $force_overwrite = FALSE) { 160 if (!is_file("$directory/.htaccess") || $force_overwrite) { 161 $htaccess_lines = file_htaccess_lines(); 139 162 if (($fp = fopen("$directory/.htaccess", 'w')) && fputs($fp, $htaccess_lines)) { 140 163 fclose($fp); … … 143 166 else { 144 167 $variables = array('%directory' => $directory, '!htaccess' => '<br />'. nl2br(check_plain($htaccess_lines))); 145 form_set_error($form_item, t("Security warning: Couldn't write .htaccess file. 
Please create a .htaccess file in your %directory directory which contains the following lines: <code>!htaccess</code>", $variables)); 168 if ($form_item) { 169 form_set_error($form_item, t("Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your %directory directory which contains the following lines: <code>!htaccess</code>", $variables)); 170 } 146 171 watchdog('security', "Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your %directory directory which contains the following lines: <code>!htaccess</code>", $variables, WATCHDOG_ERROR); 147 172 } 148 173 } 149 150 return TRUE; 174 } 175 176 /** 177 * Returns the standard .htaccess lines that Drupal writes to file directories. 178 * 179 * @return 180 * A string representing the desired contents of the .htaccess file. 181 * 182 * @see file_create_htaccess() 183 */ 184 function file_htaccess_lines() { 185 $lines = <<<EOF 186 # Turn off all options we don't need. 187 Options None 188 Options +FollowSymLinks 189 190 # Set the catch-all handler to prevent scripts from being executed. 191 SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 192 <Files *> 193 # Override the handler again if we're run later in the evaluation list. 194 SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003 195 </Files> 196 197 # If we know how to do it safely, disable the PHP engine entirely. 198 <IfModule mod_php5.c> 199 php_flag engine off 200 </IfModule> 201 # PHP 4, Apache 1. 202 <IfModule mod_php4.c> 203 php_flag engine off 204 </IfModule> 205 # PHP 4, Apache 2. 206 <IfModule sapi_apache2.c> 207 php_flag engine off 208 </IfModule> 209 EOF; 210 211 return $lines; 151 212 } 152 213 … … 404 465 // Allow potentially insecure uploads for very savvy users and admin 405 466 if (!variable_get('allow_insecure_uploads', 0)) { 467 // Remove any null bytes. 
See http://php.net/manual/en/security.filesystem.nullbytes.php 468 $filename = str_replace(chr(0), '', $filename); 469 406 470 $whitelist = array_unique(explode(' ', trim($extensions))); 407 471 … … 460 524 else { 461 525 $name = $basename; 526 $ext = ''; 462 527 } 463 528 … … 683 748 // Bypass validation for uid = 1. 684 749 if ($user->uid != 1) { 685 $regex = '/\.('. ereg_replace(' +', '|', preg_quote($extensions)) .')$/i';750 $regex = '/\.('. @ereg_replace(' +', '|', preg_quote($extensions)) .')$/i'; 686 751 if (!preg_match($regex, $file->filename)) { 687 752 $errors[] = t('Only files with the following extensions are allowed: %files-allowed.', array('%files-allowed' => $extensions)); … … 831 896 * Set the status of a file. 832 897 * 833 * @param file A Drupal file object 834 * @param status A status value to set the file to. 898 * @param $file 899 * A Drupal file object. 900 * @param $status 901 * A status value to set the file to. One of: 902 * - FILE_STATUS_PERMANENT 903 * - FILE_STATUS_TEMPORARY 904 * 835 905 * @return FALSE on failure, TRUE on success and $file->status will contain the 836 906 * status. … … 857 927 858 928 // IE cannot download private files because it cannot store files downloaded 859 // over httpsin the browser cache. The problem can be solved by sending929 // over HTTPS in the browser cache. The problem can be solved by sending 860 930 // custom headers to IE. See http://support.microsoft.com/kb/323308/en-us 861 931 if (isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] == 'on')) { … … 919 989 /** 920 990 * Finds all files that match a given mask in a given directory. 991 * 921 992 * Directories and files beginning with a period are excluded; this 922 993 * prevents hidden files and directories (such as SVN working directories) … … 935 1006 * starting at the provided directory. 936 1007 * @param $key 937 * The key to be used for the returned a rray of files. 
Possible938 * values are "filename", for the path starting with $dir ,939 * "basename", for the basename of the file, and "name" for the name940 * of the file without anextension.1008 * The key to be used for the returned associative array of files. Possible 1009 * values are "filename", for the path starting with $dir; "basename", for 1010 * the basename of the file; and "name" for the name of the file without the 1011 * extension. 941 1012 * @param $min_depth 942 1013 * Minimum depth of directories to return files from. 943 1014 * @param $depth 944 * Current depth of recursion. This parameter is only used internally and should not be passed. 1015 * Current depth of recursion. This parameter is only used internally and 1016 * should not be passed in. 945 1017 * 946 1018 * @return 947 1019 * An associative array (keyed on the provided key) of objects with 948 * " path", "basename", and "name" members corresponding to the1020 * "filename", "basename", and "name" members corresponding to the 949 1021 * matching files. 950 1022 */ … … 960 1032 $files = array_merge(file_scan_directory("$dir/$file", $mask, $nomask, $callback, $recurse, $key, $min_depth, $depth + 1), $files); 961 1033 } 962 elseif ($depth >= $min_depth && ereg($mask, $file)) {1034 elseif ($depth >= $min_depth && @ereg($mask, $file)) { 963 1035 // Always use this match over anything already set in $files with the same $$key. 964 1036 $filename = "$dir/$file";
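Review bot: The null-byte strip added at new lines 467-468 (`$filename = str_replace(chr(0), '', $filename);`) sits inside the `if (!variable_get('allow_insecure_uploads', 0))` branch, so a filename containing NUL bytes passes through untouched whenever that variable is enabled; the strip has nothing to do with the extension whitelist and should be hoisted above the `if` so it runs unconditionally. The enclosing function starts and ends outside the hunk, so I cannot confirm from here whether a caller already removes them. Separately, at new lines 750 and 1034 the `@` prefixed to `@ereg_replace(...)` and `@ereg($mask, $file)` only hides the E_DEPRECATED notice and does not keep the code running where the ereg functions are unavailable, so a preg-based replacement such as `preg_replace('/ +/', '|', preg_quote($extensions, '/'))` would be the durable fix. Note also that `preg_quote($extensions)` on line 750 omits the `/` delimiter argument, so a `/` in the configured extension list would break the `/\.(...)$/i` pattern.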