コード例 #1
0
ファイル: database.py プロジェクト: vaibbhav/drupy
def _query_callback(match, init = False):
  """
   Helper function for db_query().
  """
  php.static(_query_callback, 'args')
  if (init):
    _query_callback.args = list(match);
    return;
  # We must use type casting to int to convert FALSE/NULL/(TRUE?)
  if match[1] == '%d': 
    # We don't need db_escape_string as numbers are db-safe
    return str(int(php.array_shift(_query_callback.args))); 
  elif match[1] == '%s':
    return db.escape_string(php.array_shift(_query_callback.args));
  elif match[1] == '%n':
    # Numeric values have arbitrary precision, so can't be treated as float.
    # is_numeric() allows hex values (0xFF), but they are not valid.
    value = php.trim(php.array_shift(args));
    return  (value if (php.is_numeric(value) and not \
      php.stripos(value, 'x')) else '0')
  elif match[1] == '%%':
    return '%';
  elif match[1] == '%f':
    return float(php.array_shift(_query_callback.args));
  elif match[1] == '%b': # binary data
    return db.encode_blob(php.array_shift(_query_callback.args));
コード例 #2
0
ファイル: file.py プロジェクト: brendoncrawford/drupy
def munge_filename(filename, extensions, alerts = True):
  """
   Munge the filename as needed for security purposes + For instance the file
   name "exploit.php.pps" would become "exploit.php_.pps".
  
   @param filename The name of a file to modify.
   @param extensions A space separated list of extensions that should not
     be altered.
   @param alerts Whether alerts (watchdog, drupal_set_message()) should be
     displayed.
   @return filename The potentially modified filename.
  """
  original = filename
  # Allow potentially insecure uploads for very savvy users and admin
  if (not variable_get('allow_insecure_uploads', 0)):
    whitelist = array_unique(php.explode(' ', php.trim(extensions)))
    # Split the filename up by periods + The first part becomes the basename
    # the last part the final extension.
    filename_parts = php.explode('.', filename)
    new_filename = php.array_shift(filename_parts); # Remove file basename.
    final_extension = php.array_pop(filename_parts); # Remove final extension.
    # Loop through the middle parts of the name and add an underscore to the
    # end of each section that could be a file extension but isn't in the list
    # of allowed extensions.
    for filename_part in filename_parts:
      new_filename += '.' + filename_part
      if (not php.in_array(filename_part, whitelist) and \
          php.preg_match("/^[a-zA-Z]{2,5}\d?$/", filename_part)):
        new_filename += '_'
    filename = new_filename + '.' + final_extension
    if (alerts and original != filename):
      drupal_set_message(t('For security reasons, your upload has ' + \
        'been renamed to %filename.', {'%filename' : filename}))
  return filename
コード例 #3
0
def query_temporary(query):
  """
   Runs a SELECT query and stores its results in a temporary table.
  
   Use this as a substitute for db_query() when the results need to stored
   in a temporary table. Temporary tables exist for the duration of the page
   request.
   User-supplied arguments to the query should be passed in as
   separate parameters
   so that they can be properly escaped to avoid SQL injection attacks.
  
   Note that if you need to know how many results were returned, you should do
   a SELECT COUNT(*) on the temporary table afterwards. db_affected_rows() does
   not give consistent result across different database types in this case.
  
   @param query
     A string containing a normal SELECT SQL query.
   @param ...
     A variable number of arguments which are substituted into the query
     using printf() syntax. The query arguments can be enclosed in one
     array instead.
     Valid %-modifiers are: %s, %d, %f, %b (binary data, do not enclose
     in '') and %%.
  
     NOTE: using this syntax will cast None and False values to decimal 0,
     and True values to decimal 1.
  
   @param table
     The name of the temporary table to select into. This name will not be
     prefixed as there is no risk of collision.
   @return
     A database query result resource, or False if the query was not executed
     correctly.
  """
  args = func_get_args()
  tablename = php.array_pop(args)
  php.array_shift(args)
  query = php.preg_replace('/^SELECT/i', 'CREATE TEMPORARY TABLE ' +  \
    tablename  + ' Engine=HEAP SELECT', db_prefix_tables(query))
  # 'All arguments in one array' syntax
  if (php.isset(args, 0) and php.is_array(args, 0)): 
    args = args[0]
  _db_query_callback(args, True)
  query = php.preg_replace_callback(DB_QUERY_REGEXP, \
    '_db_query_callback', query)
  return _db_query(query)
コード例 #4
0
ファイル: database_mysqli.py プロジェクト: vaibbhav/drupy
def query_temporary(query):
    """
   Runs a SELECT query and stores its results in a temporary table.
  
   Use this as a substitute for db_query() when the results need to stored
   in a temporary table. Temporary tables exist for the duration of the page
   request.
   User-supplied arguments to the query should be passed in as
   separate parameters
   so that they can be properly escaped to avoid SQL injection attacks.
  
   Note that if you need to know how many results were returned, you should do
   a SELECT COUNT(*) on the temporary table afterwards. db_affected_rows() does
   not give consistent result across different database types in this case.
  
   @param query
     A string containing a normal SELECT SQL query.
   @param ...
     A variable number of arguments which are substituted into the query
     using printf() syntax. The query arguments can be enclosed in one
     array instead.
     Valid %-modifiers are: %s, %d, %f, %b (binary data, do not enclose
     in '') and %%.
  
     NOTE: using this syntax will cast None and False values to decimal 0,
     and True values to decimal 1.
  
   @param table
     The name of the temporary table to select into. This name will not be
     prefixed as there is no risk of collision.
   @return
     A database query result resource, or False if the query was not executed
     correctly.
  """
    args = func_get_args()
    tablename = php.array_pop(args)
    php.array_shift(args)
    query = php.preg_replace('/^SELECT/i', 'CREATE TEMPORARY TABLE ' +  \
      tablename  + ' Engine=HEAP SELECT', db_prefix_tables(query))
    # 'All arguments in one array' syntax
    if (php.isset(args, 0) and php.is_array(args, 0)):
        args = args[0]
    _db_query_callback(args, True)
    query = php.preg_replace_callback(DB_QUERY_REGEXP, \
      '_db_query_callback', query)
    return _db_query(query)
コード例 #5
0
def query_range(query):
  """
   Runs a limited-range query in the active database.
  
   Use this as a substitute for db_query() when a subset of the query is to be
   returned. User-supplied arguments to the query should be passed in as
   separate parameters so that they can be properly escaped to avoid SQL
   injection attacks.
  
   @param query
     A string containing an SQL query.
   @param ...
     A variable number of arguments which are substituted into the query
     using printf() syntax. The query arguments can be enclosed in one
     array instead.
     Valid %-modifiers are: %s, %d, %f, %b (binary data, do not enclose
     in '') and %%.
     NOTE: using this syntax will cast None and False values to decimal 0,
     and True values to decimal 1.
   @param from
     The first result row to return.
   @param count
     The maximum number of result rows to return.
   @return
     A database query result resource, or False if the query was not executed
     correctly.
  """
  args = func_get_args()
  count = php.array_pop(args)
  from_ = php.array_pop(args)
  php.array_shift(args)
  query = db_prefix_tables(query)
  # 'All arguments in one array' syntax
  if (php.isset(args, 0) and php.is_array(args, 0)): 
    args = args[0]
  _db_query_callback(args, True)
  query = php.preg_replace_callback(DB_QUERY_REGEXP, \
    '_db_query_callback', query)
  query += ' LIMIT ' +  int(from_)  + ', ' . int(count)
  return _db_query(query)
コード例 #6
0
ファイル: database_mysqli.py プロジェクト: vaibbhav/drupy
def query_range(query):
    """
   Runs a limited-range query in the active database.
  
   Use this as a substitute for db_query() when a subset of the query is to be
   returned. User-supplied arguments to the query should be passed in as
   separate parameters so that they can be properly escaped to avoid SQL
   injection attacks.
  
   @param query
     A string containing an SQL query.
   @param ...
     A variable number of arguments which are substituted into the query
     using printf() syntax. The query arguments can be enclosed in one
     array instead.
     Valid %-modifiers are: %s, %d, %f, %b (binary data, do not enclose
     in '') and %%.
     NOTE: using this syntax will cast None and False values to decimal 0,
     and True values to decimal 1.
   @param from
     The first result row to return.
   @param count
     The maximum number of result rows to return.
   @return
     A database query result resource, or False if the query was not executed
     correctly.
  """
    args = func_get_args()
    count = php.array_pop(args)
    from_ = php.array_pop(args)
    php.array_shift(args)
    query = db_prefix_tables(query)
    # 'All arguments in one array' syntax
    if (php.isset(args, 0) and php.is_array(args, 0)):
        args = args[0]
    _db_query_callback(args, True)
    query = php.preg_replace_callback(DB_QUERY_REGEXP, \
      '_db_query_callback', query)
    query += ' LIMIT ' + int(from_) + ', '.int(count)
    return _db_query(query)
コード例 #7
0
ファイル: language.py プロジェクト: brendoncrawford/drupy
def initialize():
  """
    Choose a language for the page, based on language negotiation settings.
  """
  # Configured presentation language mode.
  mode = variable_get('language_negotiation', \
    lib_bootstrap.LANGUAGE_NEGOTIATION_NONE)
  # Get a list of enabled languages.
  languages = lib_bootstrap.language_list('enabled')
  languages = languages[1]
  if mode == lib_bootstrap.LANGUAGE_NEGOTIATION_NONE:
    return language_default()
  elif mode == lib_bootstrap.LANGUAGE_NEGOTIATION_DOMAIN:
    for language in languages:
      parts = php.parse_url(language.domain)
      if (not php.empty(parts['host']) and \
          (php.SERVER['php.SERVER_NAME'] == parts['host'])):
        return language
    return language_default()
  elif mode == lib_bootstrap.LANGUAGE_NEGOTIATION_PATH_DEFAULT or \
      mode == lib_bootstrap.LANGUAGE_NEGOTIATION_PATH:
    # _GET['q'] might not be available at this time, because
    # path initialization runs after the language bootstrap phase.
    args =  (php.explode('/', _GET['q']) if php.isset(_GET, 'q') else [])
    prefix = php.array_shift(args)
    # Search prefix within enabled languages.
    for language in languages:
      if (not php.empty(language.prefix) and language.prefix == prefix):
        # Rebuild php.GET['q'] with the language removed.
        php.GET['q'] = php.implode('/', args)
        return language
    if (mode == LANGUAGE_NEGOTIATION_PATH_DEFAULT):
      # If we did not found the language by prefix, choose the default.
      return language_default()
  # User language.
  if (lib_appglobals.user.uid and \
      php.isset(languages[lib_appglobals.user.language])):
    return languages[lib_appglobals.user.language]
  # Browser accept-language parsing.
  language = language_from_browser()
  if (language):
    return language
  # Fall back on the default if everything else fails.
  return language_default()
コード例 #8
0
ファイル: language.py プロジェクト: vaibbhav/drupy
def initialize():
    """
    Choose a language for the page, based on language negotiation settings.
  """
    # Configured presentation language mode.
    mode = variable_get('language_negotiation', \
      lib_bootstrap.LANGUAGE_NEGOTIATION_NONE)
    # Get a list of enabled languages.
    languages = lib_bootstrap.language_list('enabled')
    languages = languages[1]
    if mode == lib_bootstrap.LANGUAGE_NEGOTIATION_NONE:
        return language_default()
    elif mode == lib_bootstrap.LANGUAGE_NEGOTIATION_DOMAIN:
        for language in languages:
            parts = php.parse_url(language.domain)
            if (not php.empty(parts['host']) and \
                (php.SERVER['php.SERVER_NAME'] == parts['host'])):
                return language
        return language_default()
    elif mode == lib_bootstrap.LANGUAGE_NEGOTIATION_PATH_DEFAULT or \
        mode == lib_bootstrap.LANGUAGE_NEGOTIATION_PATH:
        # _GET['q'] might not be available at this time, because
        # path initialization runs after the language bootstrap phase.
        args = (php.explode('/', _GET['q']) if php.isset(_GET, 'q') else [])
        prefix = php.array_shift(args)
        # Search prefix within enabled languages.
        for language in languages:
            if (not php.empty(language.prefix) and language.prefix == prefix):
                # Rebuild php.GET['q'] with the language removed.
                php.GET['q'] = php.implode('/', args)
                return language
        if (mode == LANGUAGE_NEGOTIATION_PATH_DEFAULT):
            # If we did not found the language by prefix, choose the default.
            return language_default()
    # User language.
    if (lib_appglobals.user.uid and \
        php.isset(languages[lib_appglobals.user.language])):
        return languages[lib_appglobals.user.language]
    # Browser accept-language parsing.
    language = language_from_browser()
    if (language):
        return language
    # Fall back on the default if everything else fails.
    return language_default()
コード例 #9
0
ファイル: file.py プロジェクト: vaibbhav/drupy
def munge_filename(filename, extensions, alerts=True):
    """
   Munge the filename as needed for security purposes + For instance the file
   name "exploit.php.pps" would become "exploit.php_.pps".
  
   @param filename The name of a file to modify.
   @param extensions A space separated list of extensions that should not
     be altered.
   @param alerts Whether alerts (watchdog, drupal_set_message()) should be
     displayed.
   @return filename The potentially modified filename.
  """
    original = filename
    # Allow potentially insecure uploads for very savvy users and admin
    if (not variable_get('allow_insecure_uploads', 0)):
        whitelist = array_unique(php.explode(' ', php.trim(extensions)))
        # Split the filename up by periods + The first part becomes the basename
        # the last part the final extension.
        filename_parts = php.explode('.', filename)
        new_filename = php.array_shift(filename_parts)
        # Remove file basename.
        final_extension = php.array_pop(filename_parts)
        # Remove final extension.
        # Loop through the middle parts of the name and add an underscore to the
        # end of each section that could be a file extension but isn't in the list
        # of allowed extensions.
        for filename_part in filename_parts:
            new_filename += '.' + filename_part
            if (not php.in_array(filename_part, whitelist) and \
                php.preg_match("/^[a-zA-Z]{2,5}\d?$/", filename_part)):
                new_filename += '_'
        filename = new_filename + '.' + final_extension
        if (alerts and original != filename):
            drupal_set_message(t('For security reasons, your upload has ' + \
              'been renamed to %filename.', {'%filename' : filename}))
    return filename