def _query_callback(match, init = False): """ Helper function for db_query(). """ php.static(_query_callback, 'args') if (init): _query_callback.args = list(match); return; # We must use type casting to int to convert FALSE/NULL/(TRUE?) if match[1] == '%d': # We don't need db_escape_string as numbers are db-safe return str(int(php.array_shift(_query_callback.args))); elif match[1] == '%s': return db.escape_string(php.array_shift(_query_callback.args)); elif match[1] == '%n': # Numeric values have arbitrary precision, so can't be treated as float. # is_numeric() allows hex values (0xFF), but they are not valid. value = php.trim(php.array_shift(args)); return (value if (php.is_numeric(value) and not \ php.stripos(value, 'x')) else '0') elif match[1] == '%%': return '%'; elif match[1] == '%f': return float(php.array_shift(_query_callback.args)); elif match[1] == '%b': # binary data return db.encode_blob(php.array_shift(_query_callback.args));
def munge_filename(filename, extensions, alerts = True): """ Munge the filename as needed for security purposes + For instance the file name "exploit.php.pps" would become "exploit.php_.pps". @param filename The name of a file to modify. @param extensions A space separated list of extensions that should not be altered. @param alerts Whether alerts (watchdog, drupal_set_message()) should be displayed. @return filename The potentially modified filename. """ original = filename # Allow potentially insecure uploads for very savvy users and admin if (not variable_get('allow_insecure_uploads', 0)): whitelist = array_unique(php.explode(' ', php.trim(extensions))) # Split the filename up by periods + The first part becomes the basename # the last part the final extension. filename_parts = php.explode('.', filename) new_filename = php.array_shift(filename_parts); # Remove file basename. final_extension = php.array_pop(filename_parts); # Remove final extension. # Loop through the middle parts of the name and add an underscore to the # end of each section that could be a file extension but isn't in the list # of allowed extensions. for filename_part in filename_parts: new_filename += '.' + filename_part if (not php.in_array(filename_part, whitelist) and \ php.preg_match("/^[a-zA-Z]{2,5}\d?$/", filename_part)): new_filename += '_' filename = new_filename + '.' + final_extension if (alerts and original != filename): drupal_set_message(t('For security reasons, your upload has ' + \ 'been renamed to %filename.', {'%filename' : filename})) return filename
def query_temporary(query): """ Runs a SELECT query and stores its results in a temporary table. Use this as a substitute for db_query() when the results need to stored in a temporary table. Temporary tables exist for the duration of the page request. User-supplied arguments to the query should be passed in as separate parameters so that they can be properly escaped to avoid SQL injection attacks. Note that if you need to know how many results were returned, you should do a SELECT COUNT(*) on the temporary table afterwards. db_affected_rows() does not give consistent result across different database types in this case. @param query A string containing a normal SELECT SQL query. @param ... A variable number of arguments which are substituted into the query using printf() syntax. The query arguments can be enclosed in one array instead. Valid %-modifiers are: %s, %d, %f, %b (binary data, do not enclose in '') and %%. NOTE: using this syntax will cast None and False values to decimal 0, and True values to decimal 1. @param table The name of the temporary table to select into. This name will not be prefixed as there is no risk of collision. @return A database query result resource, or False if the query was not executed correctly. """ args = func_get_args() tablename = php.array_pop(args) php.array_shift(args) query = php.preg_replace('/^SELECT/i', 'CREATE TEMPORARY TABLE ' + \ tablename + ' Engine=HEAP SELECT', db_prefix_tables(query)) # 'All arguments in one array' syntax if (php.isset(args, 0) and php.is_array(args, 0)): args = args[0] _db_query_callback(args, True) query = php.preg_replace_callback(DB_QUERY_REGEXP, \ '_db_query_callback', query) return _db_query(query)
def query_range(query): """ Runs a limited-range query in the active database. Use this as a substitute for db_query() when a subset of the query is to be returned. User-supplied arguments to the query should be passed in as separate parameters so that they can be properly escaped to avoid SQL injection attacks. @param query A string containing an SQL query. @param ... A variable number of arguments which are substituted into the query using printf() syntax. The query arguments can be enclosed in one array instead. Valid %-modifiers are: %s, %d, %f, %b (binary data, do not enclose in '') and %%. NOTE: using this syntax will cast None and False values to decimal 0, and True values to decimal 1. @param from The first result row to return. @param count The maximum number of result rows to return. @return A database query result resource, or False if the query was not executed correctly. """ args = func_get_args() count = php.array_pop(args) from_ = php.array_pop(args) php.array_shift(args) query = db_prefix_tables(query) # 'All arguments in one array' syntax if (php.isset(args, 0) and php.is_array(args, 0)): args = args[0] _db_query_callback(args, True) query = php.preg_replace_callback(DB_QUERY_REGEXP, \ '_db_query_callback', query) query += ' LIMIT ' + int(from_) + ', ' . int(count) return _db_query(query)
def query_range(query): """ Runs a limited-range query in the active database. Use this as a substitute for db_query() when a subset of the query is to be returned. User-supplied arguments to the query should be passed in as separate parameters so that they can be properly escaped to avoid SQL injection attacks. @param query A string containing an SQL query. @param ... A variable number of arguments which are substituted into the query using printf() syntax. The query arguments can be enclosed in one array instead. Valid %-modifiers are: %s, %d, %f, %b (binary data, do not enclose in '') and %%. NOTE: using this syntax will cast None and False values to decimal 0, and True values to decimal 1. @param from The first result row to return. @param count The maximum number of result rows to return. @return A database query result resource, or False if the query was not executed correctly. """ args = func_get_args() count = php.array_pop(args) from_ = php.array_pop(args) php.array_shift(args) query = db_prefix_tables(query) # 'All arguments in one array' syntax if (php.isset(args, 0) and php.is_array(args, 0)): args = args[0] _db_query_callback(args, True) query = php.preg_replace_callback(DB_QUERY_REGEXP, \ '_db_query_callback', query) query += ' LIMIT ' + int(from_) + ', '.int(count) return _db_query(query)
def initialize(): """ Choose a language for the page, based on language negotiation settings. """ # Configured presentation language mode. mode = variable_get('language_negotiation', \ lib_bootstrap.LANGUAGE_NEGOTIATION_NONE) # Get a list of enabled languages. languages = lib_bootstrap.language_list('enabled') languages = languages[1] if mode == lib_bootstrap.LANGUAGE_NEGOTIATION_NONE: return language_default() elif mode == lib_bootstrap.LANGUAGE_NEGOTIATION_DOMAIN: for language in languages: parts = php.parse_url(language.domain) if (not php.empty(parts['host']) and \ (php.SERVER['php.SERVER_NAME'] == parts['host'])): return language return language_default() elif mode == lib_bootstrap.LANGUAGE_NEGOTIATION_PATH_DEFAULT or \ mode == lib_bootstrap.LANGUAGE_NEGOTIATION_PATH: # _GET['q'] might not be available at this time, because # path initialization runs after the language bootstrap phase. args = (php.explode('/', _GET['q']) if php.isset(_GET, 'q') else []) prefix = php.array_shift(args) # Search prefix within enabled languages. for language in languages: if (not php.empty(language.prefix) and language.prefix == prefix): # Rebuild php.GET['q'] with the language removed. php.GET['q'] = php.implode('/', args) return language if (mode == LANGUAGE_NEGOTIATION_PATH_DEFAULT): # If we did not found the language by prefix, choose the default. return language_default() # User language. if (lib_appglobals.user.uid and \ php.isset(languages[lib_appglobals.user.language])): return languages[lib_appglobals.user.language] # Browser accept-language parsing. language = language_from_browser() if (language): return language # Fall back on the default if everything else fails. return language_default()
def munge_filename(filename, extensions, alerts=True): """ Munge the filename as needed for security purposes + For instance the file name "exploit.php.pps" would become "exploit.php_.pps". @param filename The name of a file to modify. @param extensions A space separated list of extensions that should not be altered. @param alerts Whether alerts (watchdog, drupal_set_message()) should be displayed. @return filename The potentially modified filename. """ original = filename # Allow potentially insecure uploads for very savvy users and admin if (not variable_get('allow_insecure_uploads', 0)): whitelist = array_unique(php.explode(' ', php.trim(extensions))) # Split the filename up by periods + The first part becomes the basename # the last part the final extension. filename_parts = php.explode('.', filename) new_filename = php.array_shift(filename_parts) # Remove file basename. final_extension = php.array_pop(filename_parts) # Remove final extension. # Loop through the middle parts of the name and add an underscore to the # end of each section that could be a file extension but isn't in the list # of allowed extensions. for filename_part in filename_parts: new_filename += '.' + filename_part if (not php.in_array(filename_part, whitelist) and \ php.preg_match("/^[a-zA-Z]{2,5}\d?$/", filename_part)): new_filename += '_' filename = new_filename + '.' + final_extension if (alerts and original != filename): drupal_set_message(t('For security reasons, your upload has ' + \ 'been renamed to %filename.', {'%filename' : filename})) return filename