def munge_filename(filename, extensions, alerts = True):
"""
Munge the filename as needed for security purposes + For instance the file
name "exploit.php.pps" would become "exploit.php_.pps".
@param filename The name of a file to modify.
@param extensions A space separated list of extensions that should not
be altered.
@param alerts Whether alerts (watchdog, drupal_set_message()) should be
displayed.
@return filename The potentially modified filename.
"""
original = filename
# Allow potentially insecure uploads for very savvy users and admin
if (not variable_get('allow_insecure_uploads', 0)):
whitelist = array_unique(php.explode(' ', php.trim(extensions)))
# Split the filename up by periods + The first part becomes the basename
# the last part the final extension.
filename_parts = php.explode('.', filename)
new_filename = php.array_shift(filename_parts); # Remove file basename.
final_extension = php.array_pop(filename_parts); # Remove final extension.
# Loop through the middle parts of the name and add an underscore to the
# end of each section that could be a file extension but isn't in the list
# of allowed extensions.
for filename_part in filename_parts:
new_filename += '.' + filename_part
if (not php.in_array(filename_part, whitelist) and \
php.preg_match("/^[a-zA-Z]{2,5}\d?$/", filename_part)):
new_filename += '_'
filename = new_filename + '.' + final_extension
if (alerts and original != filename):
drupal_set_message(t('For security reasons, your upload has ' + \
'been renamed to %filename.', {'%filename' : filename}))
return filename
def validate_image_resolution(file, maximum_dimensions = 0, \
minimum_dimensions = 0):
"""
If the file is an image verify that its dimensions are within the specified
maximum and minimum dimensions + Non-image files will be ignored.
@param file
A Drupal file object + This function may resize the file
affecting its size.
@param maximum_dimensions
An optional string in the form WIDTHxHEIGHT e.g + '640x480' or '85x85'. If
an image toolkit is installed the image will be resized down to these
dimensions + A value of 0 indicates no restriction on size, so resizing
will be attempted.
@param minimum_dimensions
An optional string in the form WIDTHxHEIGHT.
This will check that the image
meets a minimum size + A value of 0 indicates no restriction.
@return
An array + If the file is an image and did not meet the requirements, it
will contain an error message.
"""
php.Reference.check(file)
errors = []
# Check first that the file is an image.
info = image_get_info(file.filepath)
if (info):
if (maximum_dimensions):
# Check that it is smaller than the given dimensions.
width, height = php.explode('x', maximum_dimensions)
if (info['width'] > width or info['height'] > height):
# Try to resize the image to fit the dimensions.
if (image_get_toolkit() and image_scale(file.filepath, \
file.filepath, width, height)):
drupal_set_message(t('The image was resized to fit within ' + \
'the maximum allowed dimensions of %dimensions pixels.', \
{'%dimensions' : maximum_dimensions}))
# Clear the cached filesize and refresh the image information.
clearstatcache()
info = image_get_info(file.filepath)
file.filesize = info['file_size']
else:
errors.append( t('The image is too large; the maximum ' + \
'dimensions are %dimensions pixels.', \
{'%dimensions' : maximum_dimensions}) )
if (minimum_dimensions):
# Check that it is larger than the given dimensions.
width, height = php.explode('x', minimum_dimensions)
if (info['width'] < width or info['height'] < height):
errors.append( t('The image is too small; the ' + \
'minimum dimensions are %dimensions pixels.', \
{'%dimensions' : minimum_dimensions}) )
return errors
def validate_image_resolution(file, maximum_dimensions = 0, \
minimum_dimensions = 0):
"""
If the file is an image verify that its dimensions are within the specified
maximum and minimum dimensions + Non-image files will be ignored.
@param file
A Drupal file object + This function may resize the file
affecting its size.
@param maximum_dimensions
An optional string in the form WIDTHxHEIGHT e.g + '640x480' or '85x85'. If
an image toolkit is installed the image will be resized down to these
dimensions + A value of 0 indicates no restriction on size, so resizing
will be attempted.
@param minimum_dimensions
An optional string in the form WIDTHxHEIGHT.
This will check that the image
meets a minimum size + A value of 0 indicates no restriction.
@return
An array + If the file is an image and did not meet the requirements, it
will contain an error message.
"""
php.Reference.check(file)
errors = []
# Check first that the file is an image.
info = image_get_info(file.filepath)
if (info):
if (maximum_dimensions):
# Check that it is smaller than the given dimensions.
width, height = php.explode('x', maximum_dimensions)
if (info['width'] > width or info['height'] > height):
# Try to resize the image to fit the dimensions.
if (image_get_toolkit() and image_scale(file.filepath, \
file.filepath, width, height)):
drupal_set_message(t('The image was resized to fit within ' + \
'the maximum allowed dimensions of %dimensions pixels.', \
{'%dimensions' : maximum_dimensions}))
# Clear the cached filesize and refresh the image information.
clearstatcache()
info = image_get_info(file.filepath)
file.filesize = info['file_size']
else:
errors.append( t('The image is too large; the maximum ' + \
'dimensions are %dimensions pixels.', \
{'%dimensions' : maximum_dimensions}) )
if (minimum_dimensions):
# Check that it is larger than the given dimensions.
width, height = php.explode('x', minimum_dimensions)
if (info['width'] < width or info['height'] < height):
errors.append( t('The image is too small; the ' + \
'minimum dimensions are %dimensions pixels.', \
{'%dimensions' : minimum_dimensions}) )
return errors
def arg(index=None, path=None):
"""
Return a component of the current Drupal path.
When viewing a page at the path "admin/build/types", for example, arg(0)
would return "admin", arg(1) would return "content", and arg(2) would return
"types".
Avoid use of this function where possible, as resulting code is hard to read.
Instead, attempt to use named arguments in menu callback functions. See the
explanation in menu.inc for how to construct callbacks that take arguments.
@param index
The index of the component, where each component is separated by a '/'
(forward-slash), and where the first component has an index of 0 (zero).
@return
The component specified by index, or NULL if the specified component was
not found.
"""
php.static(arg, 'arguments', {})
if (path is None):
path = php.GET['q']
if (not php.isset(arg.arguments, path)):
arg.arguments[path] = php.explode('/', path)
if (index is None):
return arg.arguments[path]
if (php.isset(arg.arguments[path], index)):
return arg.arguments[path][index]
def ip_address(reset=False):
"""
If Drupal is behind a reverse proxy, we use the X-Forwarded-For header
instead of $_SERVER['REMOTE_ADDR'], which would be the IP address of
the proxy server, and not the client's. If Drupal is run in a cluster
we use the X-Cluster-Client-Ip header instead.
@param $reset
Reset the current IP address saved in static.
@return
IP address of client machine, adjusted for reverse proxy and/or cluster
environments.
"""
php.static(ip_address, "ip_address")
if ip_address.ip_address is None or reset:
ip_address.ip_address = php.SERVER["REMOTE_ADDR"]
if variable_get("reverse_proxy", 0):
if php.array_key_exists("HTTP_X_FORWARDED_FOR", php.SERVER):
# If an array of known reverse proxy IPs is provided, then trust
# the XFF header if request really comes from one of them.
reverse_proxy_addresses = variable_get("reverse_proxy_addresses", tuple())
if not php.empty(reverse_proxy_addresses) and php.in_array(
ip_address.ip_address, reverse_proxy_addresses, True
):
# If there are several arguments, we need to check the most
# recently added one, i.e. the last one.
ip_address.ip_address = php.array_pop(php.explode(",", php.SERVER["HTTP_X_FORWARDED_FOR"]))
# When Drupal is run in a cluster environment,
# REMOTE_ADDR contains the IP
# address of a server in the cluster, while the IP address
# of the client is
# stored in HTTP_X_CLUSTER_CLIENT_IP.
if php.array_key_exists("HTTP_X_CLUSTER_CLIENT_IP", php.SERVER):
ip_address.ip_address = php.SERVER["HTTP_X_CLUSTER_CLIENT_IP"]
return ip_address.ip_address
def arg(index = None, path = None):
"""
Return a component of the current Drupal path.
When viewing a page at the path "admin/build/types", for example, arg(0)
would return "admin", arg(1) would return "content", and arg(2) would return
"types".
Avoid use of this function where possible, as resulting code is hard to read.
Instead, attempt to use named arguments in menu callback functions. See the
explanation in menu.inc for how to construct callbacks that take arguments.
@param index
The index of the component, where each component is separated by a '/'
(forward-slash), and where the first component has an index of 0 (zero).
@return
The component specified by index, or NULL if the specified component was
not found.
"""
php.static(arg, 'arguments', {})
if (path is None):
path = php.GET['q'];
if (not php.isset(arg.arguments, path)):
arg.arguments[path] = php.explode('/', path);
if (index is None):
return arg.arguments[path];
if (php.isset(arg.arguments[path], index)):
return arg.arguments[path][index];
def version():
"""
Returns the version of the database server currently in use.
@return Database server version
"""
version = php.explode('-', \
DrupyMySQL.mysqli_get_server_info(lib_appglobals.active_db))
return version
def version():
"""
Returns the version of the database server currently in use.
@return Database server version
"""
version = php.explode('-', \
DrupyMySQL.mysqli_get_server_info(lib_appglobals.active_db))
return version
def drupal_page_cache_header(cache):
"""
Set HTTP headers in preparation for a cached page response.
The general approach here is that anonymous users can keep a local
cache of the page, but must revalidate it on every request. Then,
they are given a '304 Not Modified' response as long as they stay
logged out and the page has not been modified.
"""
# Set default values:
last_modified = php.gmdate("D, d M Y H:i:s", cache.created) + " GMT"
etag = '"' + drupy_md5(last_modified) + '"'
# See if the client has provided the required HTTP headers:
if_modified_since = (
php.stripslashes(php.SERVER["HTTP_IF_MODIFIED_SINCE"])
if php.isset(php.SERVER, "HTTP_IF_MODIFIED_SINCE")
else False
)
if_none_match = (
php.stripslashes(php.SERVER["HTTP_IF_NONE_MATCH"]) if php.isset(php.SERVER, "HTTP_IF_NONE_MATCH") else False
)
if (
if_modified_since
and if_none_match
and if_none_match == etag # etag must match
and if_modified_since == last_modified
): # if-modified-since must match
php.header(php.SERVER["SERVER_PROTOCOL"] + " 304 Not Modified")
# All 304 responses must send an etag if the 200 response for the same
# object contained an etag
php.header("Etag: %(etag)s" % {"etag": etag})
exit()
# Send appropriate response:
php.header("Last-Modified: %(last_modified)s" % {"last_modified": last_modified})
php.header("Etag: %(etag)s" % {"etag": etag})
# The following headers force validation of cache:
php.header("Expires: Sun, 19 Nov 1978 05:00:00 GMT")
php.header("Cache-Control: must-revalidate")
if variable_get("page_compression", True):
# Determine if the browser accepts gzipped data.
if php.strpos(php.SERVER["HTTP_ACCEPT_ENCODING"], "gzip") == False and php.function_exists("gzencode"):
# Strip the gzip php.header and run uncompress.
cache.data = php.gzinflate(php.substr(php.substr(cache.data, 10), 0, -8))
elif php.function_exists("gzencode"):
php.header("Content-Encoding: gzip")
# Send the original request's headers. We send them one after
# another so PHP's php.header() def can deal with duplicate
# headers.
headers = php.explode("\n", cache.headers)
for php.header_ in headers:
php.header(php.header_)
print cache.data
def _query(query_, debug = 0):
"""
Helper function for db_query().
"""
if (lib_bootstrap.variable_get('dev_query', 0)):
usec,sec = php.explode(' ', php.microtime())
timer = float(usec) + float(sec)
# If devel.plugin query logging is enabled, prepend a comment
# with the username and calling function
# to the SQL string. This is useful when running mysql's
# SHOW PROCESSLIST to learn what exact
# code is issueing the slow query.
bt = debug_backtrace()
# t() may not be available yet so we don't wrap 'Anonymous'
name = (lib_appglobals.user.name if (lib_appglobals.user.uid > 0) else \
variable_get('anonymous', 'Anonymous'))
# php.str_replace() to prevent SQL injection via username
# or anonymous name.
name = php.str_replace(['*', '/'], '', name)
query_ = '/* ' + name + ' : ' . bt[2]['function'] + ' */ ' + query_
result = DrupyMySQL.mysqli_query(lib_appglobals.active_db, query_)
if (lib_bootstrap.variable_get('dev_query', 0)):
query_ = bt[2]['function'] + "\n" + query_
usec,sec = php.explode(' ', php.microtime())
stop = float(usec) + float(sec)
diff = stop - timer
lib_appglobals.queries.append( [query_, diff] )
if (debug):
print '<p>query: ' + query_ + '<br />error:' + \
DrupyMySQL.mysqli_error(lib_appglobals.active_db) + '</p>'
if (not DrupyMySQL.mysqli_errno(lib_appglobals.active_db)):
return result
else:
# Indicate to drupal_error_handler that this is a database error.
DB_ERROR = True
php.trigger_error(lib_bootstrap.check_plain(\
DrupyMySQL.mysqli_error(lib_appglobals.active_db) + \
"\nquery: " + query_), php.E_USER_WARNING)
return False
def _query(query_, debug=0):
"""
Helper function for db_query().
"""
if (lib_bootstrap.variable_get('dev_query', 0)):
usec, sec = php.explode(' ', php.microtime())
timer = float(usec) + float(sec)
# If devel.plugin query logging is enabled, prepend a comment
# with the username and calling function
# to the SQL string. This is useful when running mysql's
# SHOW PROCESSLIST to learn what exact
# code is issueing the slow query.
bt = debug_backtrace()
# t() may not be available yet so we don't wrap 'Anonymous'
name = (lib_appglobals.user.name if (lib_appglobals.user.uid > 0) else \
variable_get('anonymous', 'Anonymous'))
# php.str_replace() to prevent SQL injection via username
# or anonymous name.
name = php.str_replace(['*', '/'], '', name)
query_ = '/* ' + name + ' : '.bt[2]['function'] + ' */ ' + query_
result = DrupyMySQL.mysqli_query(lib_appglobals.active_db, query_)
if (lib_bootstrap.variable_get('dev_query', 0)):
query_ = bt[2]['function'] + "\n" + query_
usec, sec = php.explode(' ', php.microtime())
stop = float(usec) + float(sec)
diff = stop - timer
lib_appglobals.queries.append([query_, diff])
if (debug):
print '<p>query: ' + query_ + '<br />error:' + \
DrupyMySQL.mysqli_error(lib_appglobals.active_db) + '</p>'
if (not DrupyMySQL.mysqli_errno(lib_appglobals.active_db)):
return result
else:
# Indicate to drupal_error_handler that this is a database error.
DB_ERROR = True
php.trigger_error(lib_bootstrap.check_plain(\
DrupyMySQL.mysqli_error(lib_appglobals.active_db) + \
"\nquery: " + query_), php.E_USER_WARNING)
return False
def registry_load_path_files(return_=False):
"""
registry_load_path_files
"""
php.static(registry_load_path_files, 'file_cache_data', [])
if (return_):
sort(registry_load_path_files.file_cache_data)
return registry_load_path_files.file_cache_data
menu = menu_get_item()
cache = cache_get('registry:' + menu['path'], 'cache_registry')
if (not php.empty(cache.data)):
for file in php.explode(';', cache.data):
php.require_once(file)
registry_load_path_files.file_cache_data.append(file)
def registry_load_path_files(return_=False):
"""
registry_load_path_files
"""
php.static(registry_load_path_files, "file_cache_data", [])
if return_:
sort(registry_load_path_files.file_cache_data)
return registry_load_path_files.file_cache_data
menu = menu_get_item()
cache = cache_get("registry:" + menu["path"], "cache_registry")
if not php.empty(cache.data):
for file in php.explode(";", cache.data):
php.require_once(file)
registry_load_path_files.file_cache_data.append(file)
def drupal_page_cache_header(cache):
"""
Set HTTP headers in preparation for a cached page response.
The general approach here is that anonymous users can keep a local
cache of the page, but must revalidate it on every request. Then,
they are given a '304 Not Modified' response as long as they stay
logged out and the page has not been modified.
"""
# Set default values:
last_modified = php.gmdate('D, d M Y H:i:s', cache.created) + ' GMT'
etag = '"' + drupy_md5(last_modified) + '"'
# See if the client has provided the required HTTP headers:
if_modified_since = (php.stripslashes(php.SERVER['HTTP_IF_MODIFIED_SINCE']) \
if php.isset(php.SERVER, 'HTTP_IF_MODIFIED_SINCE') else False)
if_none_match = (php.stripslashes(php.SERVER['HTTP_IF_NONE_MATCH']) \
if php.isset(php.SERVER, 'HTTP_IF_NONE_MATCH') else False)
if (if_modified_since and if_none_match
and if_none_match == etag # etag must match
and if_modified_since
== last_modified): # if-modified-since must match
php.header(php.SERVER['SERVER_PROTOCOL'] + ' 304 Not Modified')
# All 304 responses must send an etag if the 200 response for the same
# object contained an etag
php.header("Etag: %(etag)s" % {'etag': etag})
exit()
# Send appropriate response:
php.header("Last-Modified: %(last_modified)s" % \
{'last_modified':last_modified})
php.header("Etag: %(etag)s" % {'etag': etag})
# The following headers force validation of cache:
php.header("Expires: Sun, 19 Nov 1978 05:00:00 GMT")
php.header("Cache-Control: must-revalidate")
if (variable_get('page_compression', True)):
# Determine if the browser accepts gzipped data.
if (php.strpos(php.SERVER['HTTP_ACCEPT_ENCODING'], 'gzip') == False and \
php.function_exists('gzencode')):
# Strip the gzip php.header and run uncompress.
cache.data = php.gzinflate(
php.substr(php.substr(cache.data, 10), 0, -8))
elif (php.function_exists('gzencode')):
php.header('Content-Encoding: gzip')
# Send the original request's headers. We send them one after
# another so PHP's php.header() def can deal with duplicate
# headers.
headers = php.explode("\n", cache.headers)
for php.header_ in headers:
php.header(php.header_)
print cache.data
def munge_filename(filename, extensions, alerts=True):
"""
Munge the filename as needed for security purposes + For instance the file
name "exploit.php.pps" would become "exploit.php_.pps".
@param filename The name of a file to modify.
@param extensions A space separated list of extensions that should not
be altered.
@param alerts Whether alerts (watchdog, drupal_set_message()) should be
displayed.
@return filename The potentially modified filename.
"""
original = filename
# Allow potentially insecure uploads for very savvy users and admin
if (not variable_get('allow_insecure_uploads', 0)):
whitelist = array_unique(php.explode(' ', php.trim(extensions)))
# Split the filename up by periods + The first part becomes the basename
# the last part the final extension.
filename_parts = php.explode('.', filename)
new_filename = php.array_shift(filename_parts)
# Remove file basename.
final_extension = php.array_pop(filename_parts)
# Remove final extension.
# Loop through the middle parts of the name and add an underscore to the
# end of each section that could be a file extension but isn't in the list
# of allowed extensions.
for filename_part in filename_parts:
new_filename += '.' + filename_part
if (not php.in_array(filename_part, whitelist) and \
php.preg_match("/^[a-zA-Z]{2,5}\d?$/", filename_part)):
new_filename += '_'
filename = new_filename + '.' + final_extension
if (alerts and original != filename):
drupal_set_message(t('For security reasons, your upload has ' + \
'been renamed to %filename.', {'%filename' : filename}))
return filename
def timer_read(name):
"""
Read the current timer value without stopping the timer.
@param name
The name of the timer.
@return
The current timer value in ms.
"""
if (php.isset(lib_appglobals.timers[name], 'start')):
(usec, sec) = php.explode(' ', php.microtime())
stop = float(usec) + float(sec)
diff = round((stop - lib_appglobals.timers[name]['start']) * 1000, 2)
if (php.isset(lib_appglobals.timers[name], 'time')):
diff += lib_appglobals.timers[name]['time']
return diff
def timer_read(name):
"""
Read the current timer value without stopping the timer.
@param name
The name of the timer.
@return
The current timer value in ms.
"""
if php.isset(lib_appglobals.timers[name], "start"):
(usec, sec) = php.explode(" ", php.microtime())
stop = float(usec) + float(sec)
diff = round((stop - lib_appglobals.timers[name]["start"]) * 1000, 2)
if php.isset(lib_appglobals.timers[name], "time"):
diff += lib_appglobals.timers[name]["time"]
return diff
def timer_start(name):
"""
Start the timer with the specified name. If you start and stop
the same timer multiple times, the measured intervals will be
accumulated.
@param name
The name of the timer.
"""
if lib_appglobals.timers == None:
lib_appglobals.timers = {}
if not php.isset(lib_appglobals.timers, name):
lib_appglobals.timers[name] = {}
(usec, sec) = php.explode(" ", php.microtime())
lib_appglobals.timers[name]["start"] = float(usec) + float(sec)
lib_appglobals.timers[name]["count"] = (
(lib_appglobals.timers[name]["count"] + 1) if php.isset(lib_appglobals.timers[name], "count") else 1
)
def timer_start(name):
"""
Start the timer with the specified name. If you start and stop
the same timer multiple times, the measured intervals will be
accumulated.
@param name
The name of the timer.
"""
if lib_appglobals.timers == None:
lib_appglobals.timers = {}
if not php.isset(lib_appglobals.timers, name):
lib_appglobals.timers[name] = {}
(usec, sec) = php.explode(' ', php.microtime())
lib_appglobals.timers[name]['start'] = float(usec) + float(sec)
lib_appglobals.timers[name]['count'] = \
((lib_appglobals.timers[name]['count'] + 1) if \
php.isset(lib_appglobals.timers[name],'count') else 1)
def initialize():
"""
Choose a language for the page, based on language negotiation settings.
"""
# Configured presentation language mode.
mode = variable_get('language_negotiation', \
lib_bootstrap.LANGUAGE_NEGOTIATION_NONE)
# Get a list of enabled languages.
languages = lib_bootstrap.language_list('enabled')
languages = languages[1]
if mode == lib_bootstrap.LANGUAGE_NEGOTIATION_NONE:
return language_default()
elif mode == lib_bootstrap.LANGUAGE_NEGOTIATION_DOMAIN:
for language in languages:
parts = php.parse_url(language.domain)
if (not php.empty(parts['host']) and \
(php.SERVER['php.SERVER_NAME'] == parts['host'])):
return language
return language_default()
elif mode == lib_bootstrap.LANGUAGE_NEGOTIATION_PATH_DEFAULT or \
mode == lib_bootstrap.LANGUAGE_NEGOTIATION_PATH:
# _GET['q'] might not be available at this time, because
# path initialization runs after the language bootstrap phase.
args = (php.explode('/', _GET['q']) if php.isset(_GET, 'q') else [])
prefix = php.array_shift(args)
# Search prefix within enabled languages.
for language in languages:
if (not php.empty(language.prefix) and language.prefix == prefix):
# Rebuild php.GET['q'] with the language removed.
php.GET['q'] = php.implode('/', args)
return language
if (mode == LANGUAGE_NEGOTIATION_PATH_DEFAULT):
# If we did not found the language by prefix, choose the default.
return language_default()
# User language.
if (lib_appglobals.user.uid and \
php.isset(languages[lib_appglobals.user.language])):
return languages[lib_appglobals.user.language]
# Browser accept-language parsing.
language = language_from_browser()
if (language):
return language
# Fall back on the default if everything else fails.
return language_default()
def initialize():
"""
Choose a language for the page, based on language negotiation settings.
"""
# Configured presentation language mode.
mode = variable_get('language_negotiation', \
lib_bootstrap.LANGUAGE_NEGOTIATION_NONE)
# Get a list of enabled languages.
languages = lib_bootstrap.language_list('enabled')
languages = languages[1]
if mode == lib_bootstrap.LANGUAGE_NEGOTIATION_NONE:
return language_default()
elif mode == lib_bootstrap.LANGUAGE_NEGOTIATION_DOMAIN:
for language in languages:
parts = php.parse_url(language.domain)
if (not php.empty(parts['host']) and \
(php.SERVER['php.SERVER_NAME'] == parts['host'])):
return language
return language_default()
elif mode == lib_bootstrap.LANGUAGE_NEGOTIATION_PATH_DEFAULT or \
mode == lib_bootstrap.LANGUAGE_NEGOTIATION_PATH:
# _GET['q'] might not be available at this time, because
# path initialization runs after the language bootstrap phase.
args = (php.explode('/', _GET['q']) if php.isset(_GET, 'q') else [])
prefix = php.array_shift(args)
# Search prefix within enabled languages.
for language in languages:
if (not php.empty(language.prefix) and language.prefix == prefix):
# Rebuild php.GET['q'] with the language removed.
php.GET['q'] = php.implode('/', args)
return language
if (mode == LANGUAGE_NEGOTIATION_PATH_DEFAULT):
# If we did not found the language by prefix, choose the default.
return language_default()
# User language.
if (lib_appglobals.user.uid and \
php.isset(languages[lib_appglobals.user.language])):
return languages[lib_appglobals.user.language]
# Browser accept-language parsing.
language = language_from_browser()
if (language):
return language
# Fall back on the default if everything else fails.
return language_default()
def ip_address(reset=False):
"""
If Drupal is behind a reverse proxy, we use the X-Forwarded-For header
instead of $_SERVER['REMOTE_ADDR'], which would be the IP address of
the proxy server, and not the client's. If Drupal is run in a cluster
we use the X-Cluster-Client-Ip header instead.
@param $reset
Reset the current IP address saved in static.
@return
IP address of client machine, adjusted for reverse proxy and/or cluster
environments.
"""
php.static(ip_address, 'ip_address')
if (ip_address.ip_address is None or reset):
ip_address.ip_address = php.SERVER['REMOTE_ADDR']
if (variable_get('reverse_proxy', 0)):
if (php.array_key_exists('HTTP_X_FORWARDED_FOR', php.SERVER)):
# If an array of known reverse proxy IPs is provided, then trust
# the XFF header if request really comes from one of them.
reverse_proxy_addresses = variable_get('reverse_proxy_addresses', \
tuple())
if (not php.empty(reverse_proxy_addresses) and \
php.in_array(ip_address.ip_address, reverse_proxy_addresses, \
True)):
# If there are several arguments, we need to check the most
# recently added one, i.e. the last one.
ip_address.ip_address = php.array_pop(\
php.explode(',', php.SERVER['HTTP_X_FORWARDED_FOR']))
# When Drupal is run in a cluster environment,
# REMOTE_ADDR contains the IP
# address of a server in the cluster, while the IP address
# of the client is
# stored in HTTP_X_CLUSTER_CLIENT_IP.
if (php.array_key_exists('HTTP_X_CLUSTER_CLIENT_IP', php.SERVER)):
ip_address.ip_address = php.SERVER['HTTP_X_CLUSTER_CLIENT_IP']
return ip_address.ip_address
def from_browser():
"""
Identify language from the Accept-language HTTP php.header we got.
"""
# Specified by the user via the browser's Accept Language setting
# Samples: "hu, en-us;q=0.66, en;q=0.33", "hu,en-us;q=0.5"
browser_langs = []
if (php.isset(php.SERVER, 'HTTP_ACCEPT_LANGUAGE')):
browser_accept = php.explode(",", php.SERVER['HTTP_ACCEPT_LANGUAGE'])
for i in range(php.count(browser_accept)):
# The language part is either a code or a code with a quality.
# We cannot do anything with a * code, so it is skipped.
# If the quality is missing, it is assumed to be 1 according to the RFC.
if (php.preg_match("not ([a-z-]+)(;q=([0-9\\.]+))?not ", \
php.trim(browser_accept[i]), found)):
browser_langs[found[1]] = (float(found[3]) if \
php.isset(found, 3) else 1.0)
# Order the codes by quality
arsort(browser_langs)
# Try to find the first preferred language we have
languages = language_list('enabled')
for langcode, q in browser_langs.items():
if (php.isset(languages['1'], langcode)):
return languages['1'][langcode]
def from_browser():
"""
Identify language from the Accept-language HTTP php.header we got.
"""
# Specified by the user via the browser's Accept Language setting
# Samples: "hu, en-us;q=0.66, en;q=0.33", "hu,en-us;q=0.5"
browser_langs = []
if (php.isset(php.SERVER, 'HTTP_ACCEPT_LANGUAGE')):
browser_accept = php.explode(",", php.SERVER['HTTP_ACCEPT_LANGUAGE'])
for i in range(php.count(browser_accept)):
# The language part is either a code or a code with a quality.
# We cannot do anything with a * code, so it is skipped.
# If the quality is missing, it is assumed to be 1 according to the RFC.
if (php.preg_match("not ([a-z-]+)(;q=([0-9\\.]+))?not ", \
php.trim(browser_accept[i]), found)):
browser_langs[found[1]] = (float(found[3]) if \
php.isset(found, 3) else 1.0)
# Order the codes by quality
arsort(browser_langs)
# Try to find the first preferred language we have
languages = language_list('enabled')
for langcode,q in browser_langs.items():
if (php.isset(languages['1'], langcode)):
return languages['1'][langcode]
def conf_init():
"""
Loads the configuration and sets the base URL, cookie domain, and
session name correctly.
"""
# These will come from settings
# db_url, db_prefix, cookie_domain, conf, installed_profile, update_free_access
if lib_appglobals.base_url != None:
# Parse fixed base URL from settings.php.
parts = php.parse_url(lib_appglobals.base_url)
if not php.isset(parts, "path"):
parts["path"] = ""
lib_appglobals.base_path = parts["path"] + "/"
# Build base_root (everything until first slash after "scheme://").
lib_appglobals.base_root = php.substr(
lib_appglobals.base_url, 0, php.strlen(lib_appglobals.base_url) - php.strlen(parts["path"])
)
else:
# Create base URL
lib_appglobals.base_root = (
"https" if (php.isset(php.SERVER, "HTTPS") and php.SERVER["HTTPS"] == "on") else "http"
)
# As php.SERVER['HTTP_HOST'] is user input, ensure it only contains
# characters allowed in hostnames.
lib_appglobals.base_root += "://" + php.preg_replace("/[^a-z0-9-:._]/i", "", php.SERVER["HTTP_HOST"])
lib_appglobals.base_url = lib_appglobals.base_root
# php.SERVER['SCRIPT_NAME'] can, in contrast to php.SERVER['PHP_SELF'], not
# be modified by a visitor.
dir = php.trim(php.dirname(php.SERVER["SCRIPT_NAME"]), "\,/")
if len(dir) > 0:
lib_appglobals.base_path = "/dir"
lib_appglobals.base_url += lib_appglobals.base_path
lib_appglobals.base_path += "/"
else:
lib_appglobals.base_path = "/"
if settings.cookie_domain != None:
# If the user specifies the cookie domain, also use it for session name.
session_name_ = settings.cookie_domain
else:
# Otherwise use base_url as session name, without the protocol
# to use the same session identifiers across http and https.
session_name_ = php.explode("://", lib_appglobals.base_url, 2)[1]
# We escape the hostname because it can be modified by a visitor.
if not php.empty(php.SERVER["HTTP_HOST"]):
settings.cookie_domain = check_plain(php.SERVER["HTTP_HOST"])
# To prevent session cookies from being hijacked, a user can configure the
# SSL version of their website to only transfer session cookies via SSL by
# using PHP's session.cookie_secure setting. The browser will then use two
# separate session cookies for the HTTPS and HTTP versions of the site. So we
# must use different session identifiers for HTTPS and HTTP to prevent a
# cookie collision.
if php.ini_get("session.cookie_secure"):
session_name_ += "SSL"
# Strip leading periods, www., and port numbers from cookie domain.
settings.cookie_domain = php.ltrim(settings.cookie_domain, ".")
if php.strpos(settings.cookie_domain, "www.") == 0:
settings.cookie_domain = php.substr(settings.cookie_domain, 4)
settings.cookie_domain = php.explode(":", settings.cookie_domain)
settings.cookie_domain = "." + settings.cookie_domain[0]
# Per RFC 2109, cookie domains must contain at least one dot other than the
# first. For hosts such as 'localhost' or IP Addresses we don't set a
# cookie domain.
if php.count(php.explode(".", settings.cookie_domain)) > 2 and not php.is_numeric(
php.str_replace(".", "", settings.cookie_domain)
):
php.ini_set("session.cookie_domain", settings.cookie_domain)
# print session_name;
lib_session.name("SESS" + php.md5(session_name_))
def conf_init():
"""
Loads the configuration and sets the base URL, cookie domain, and
session name correctly.
"""
# These will come from settings
# db_url, db_prefix, cookie_domain, conf, installed_profile, update_free_access
if (lib_appglobals.base_url != None):
# Parse fixed base URL from settings.php.
parts = php.parse_url(lib_appglobals.base_url)
if (not php.isset(parts, 'path')):
parts['path'] = ''
lib_appglobals.base_path = parts['path'] + '/'
# Build base_root (everything until first slash after "scheme://").
lib_appglobals.base_root = \
php.substr(lib_appglobals.base_url, 0, \
php.strlen(lib_appglobals.base_url) - \
php.strlen(parts['path']))
else:
# Create base URL
lib_appglobals.base_root = \
('https' if (php.isset(php.SERVER, 'HTTPS') and \
php.SERVER['HTTPS'] == 'on') else 'http')
# As php.SERVER['HTTP_HOST'] is user input, ensure it only contains
# characters allowed in hostnames.
lib_appglobals.base_root += '://' + \
php.preg_replace('/[^a-z0-9-:._]/i', '', \
php.SERVER['HTTP_HOST'])
lib_appglobals.base_url = lib_appglobals.base_root
# php.SERVER['SCRIPT_NAME'] can, in contrast to php.SERVER['PHP_SELF'], not
# be modified by a visitor.
dir = php.trim(php.dirname(php.SERVER['SCRIPT_NAME']), '\,/')
if (len(dir) > 0):
lib_appglobals.base_path = "/dir"
lib_appglobals.base_url += lib_appglobals.base_path
lib_appglobals.base_path += '/'
else:
lib_appglobals.base_path = '/'
if (settings.cookie_domain != None):
# If the user specifies the cookie domain, also use it for session name.
session_name_ = settings.cookie_domain
else:
# Otherwise use base_url as session name, without the protocol
# to use the same session identifiers across http and https.
session_name_ = php.explode('://', lib_appglobals.base_url, 2)[1]
# We escape the hostname because it can be modified by a visitor.
if (not php.empty(php.SERVER['HTTP_HOST'])):
settings.cookie_domain = check_plain(php.SERVER['HTTP_HOST'])
# To prevent session cookies from being hijacked, a user can configure the
# SSL version of their website to only transfer session cookies via SSL by
# using PHP's session.cookie_secure setting. The browser will then use two
# separate session cookies for the HTTPS and HTTP versions of the site. So we
# must use different session identifiers for HTTPS and HTTP to prevent a
# cookie collision.
if (php.ini_get('session.cookie_secure')):
session_name_ += 'SSL'
# Strip leading periods, www., and port numbers from cookie domain.
settings.cookie_domain = php.ltrim(settings.cookie_domain, '.')
if (php.strpos(settings.cookie_domain, 'www.') == 0):
settings.cookie_domain = php.substr(settings.cookie_domain, 4)
settings.cookie_domain = php.explode(':', settings.cookie_domain)
settings.cookie_domain = '.' + settings.cookie_domain[0]
# Per RFC 2109, cookie domains must contain at least one dot other than the
# first. For hosts such as 'localhost' or IP Addresses we don't set a
# cookie domain.
if (php.count(php.explode('.', settings.cookie_domain)) > 2 and not \
php.is_numeric(php.str_replace('.', '', settings.cookie_domain))):
php.ini_set('session.cookie_domain', settings.cookie_domain)
#print session_name;
lib_session.name('SESS' + php.md5(session_name_))
