Index: .htaccess =================================================================== RCS file: /cvs/drupal/drupal/.htaccess,v retrieving revision 1.104 diff -u -9 -p -r1.104 .htaccess --- .htaccess 16 Aug 2009 12:10:36 -0000 1.104 +++ .htaccess 2 Dec 2009 22:30:50 -0000 @@ -82,17 +82,18 @@ DirectoryIndex index.php index.html inde # VirtualDocumentRoot and the rewrite rules are not working properly. # For example if your site is at http://example.com/drupal uncomment and # modify the following line: # RewriteBase /drupal # # If your site is running in a VirtualDocumentRoot at http://example.com/, # uncomment the following line: # RewriteBase / - # Rewrite URLs of the form 'x' to the form 'index.php?q=x'. + # Pass all requests not referring directly to files in the filesystem to + # index.php. Clean URLs are handled in drupal_environment_initialize(). RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_URI} !=/favicon.ico - RewriteRule ^(.*)$ index.php?q=$1 [L,QSA] + RewriteRule ^ index.php [L] # $Id: .htaccess,v 1.104 2009/08/16 12:10:36 dries Exp $ Index: includes/bootstrap.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/bootstrap.inc,v retrieving revision 1.331 diff -u -9 -p -r1.331 bootstrap.inc --- includes/bootstrap.inc 2 Dec 2009 19:26:21 -0000 1.331 +++ includes/bootstrap.inc 2 Dec 2009 22:30:51 -0000 
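Review bot: The rewritten rule `RewriteRule ^ index.php [L]` no longer carries `QSA`, and the new comment does not say what happens to the query string, which the `!isset($_GET['q'])` fallback in drupal_environment_initialize() depends on. Because the substitution contains no `?`, mod_rewrite passes the original query string through untouched, so I would state that explicitly above the rule: `# The query string is passed through unchanged (the substitution has no '?').` It is also worth a line warning that a site keeping a customized older .htaccess with `index.php?q=$1` will still serve pages but, since `$_GET['q']` is then pre-set from the mod_rewrite-unescaped path, appears to lose the encoded-character handling this change introduces.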
@@ -485,18 +485,30 @@ function drupal_environment_initialize() exit; } } else { // Some pre-HTTP/1.1 clients will not send a Host header. Ensure the key is // defined for E_ALL compliance. $_SERVER['HTTP_HOST'] = ''; } + // When clean URLs are enabled, emulate ?q=foo/bar using REQUEST_URI. It is + // not possible to append the query string using mod_rewrite without the B + // flag (this was added in Apache 2.2.8), because mod_rewrite unescapes the + // path before passing it on to PHP. This is a problem when the path contains + // e.g. "&" or "%" that have special meanings in URLs and must be encoded. + if (!isset($_GET['q']) && isset($_SERVER['REQUEST_URI'])) { + $request_path = strtok($_SERVER['REQUEST_URI'], '?'); + $base_path_len = strlen(rtrim(dirname($_SERVER['SCRIPT_NAME']), '\/')); + // Unescape and strip $base_path prefix, leaving q without a leading slash. + $_GET['q'] = substr(urldecode($request_path), $base_path_len + 1); + } + // Enforce E_ALL, but allow users to set levels not part of E_ALL. error_reporting(E_ALL | error_reporting()); // Override PHP settings required for Drupal to work properly. // sites/default/default.settings.php contains more runtime settings. // The .htaccess file contains settings that cannot be changed at runtime. // Prevent PHP from generating HTML error messages. ini_set('html_errors', 0); 
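Review bot: `urldecode()` is the wrong decoder for a URL path: it turns a literal `+` into a space, so a browser request for `/foo+bar` arrives as `$_GET['q'] = 'foo bar'`, whereas `+` has no special meaning outside form-encoded query strings; use `rawurldecode($request_path)` instead. Separately, on PHP 5.x `substr()` returns FALSE rather than `''` when nothing follows the base path (the front page, e.g. REQUEST_URI `/` with SCRIPT_NAME `/index.php`), so `$_GET['q']` becomes FALSE; `(string) substr(...)` keeps the type stable for callers that compare against `''`. The comment should also note that a client-supplied `?q=` still takes precedence over REQUEST_URI now that the rewrite rule no longer sets it. drupal_environment_initialize() continues outside the hunk.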
@@ -552,20 +564,20 @@ function drupal_settings_initialize() { else { // Create base URL $http_protocol = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 'https' : 'http'; $base_root = $http_protocol . '://' . $_SERVER['HTTP_HOST']; $base_url = $base_root; // $_SERVER['SCRIPT_NAME'] can, in contrast to $_SERVER['PHP_SELF'], not // be modified by a visitor. - if ($dir = trim(dirname($_SERVER['SCRIPT_NAME']), '\,/')) { - $base_path = "/$dir"; + if ($dir = rtrim(dirname($_SERVER['SCRIPT_NAME']), '\/')) { + $base_path = $dir; $base_url .= $base_path; $base_path .= '/'; } else { $base_path = '/'; } } $is_https = $http_protocol == 'https'; $base_secure_url = str_replace('http://', 'https://', $base_url); Index: includes/common.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/common.inc,v retrieving revision 1.1055 diff -u -9 -p -r1.1055 common.inc --- includes/common.inc 2 Dec 2009 15:09:16 -0000 1.1055 +++ includes/common.inc 2 Dec 2009 22:30:52 -0000 @@ -494,21 +494,19 @@ function drupal_http_build_query(array $ // Recurse into children. if (is_array($value)) { $params[] = drupal_http_build_query($value, $key); } // If a query parameter value is NULL, only append its key. elseif (!isset($value)) { $params[] = $key; } else { - // For better readability of paths in query strings, we decode slashes. - // @see drupal_encode_path() - $params[] = $key . '=' . str_replace('%2F', '/', rawurlencode($value)); + $params[] = $key . '=' . drupal_encode_path($value); } } return implode('&', $params); } /** * Prepare a 'destination' URL query parameter for use in combination with drupal_goto(). * 
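Review bot: The `rtrim(dirname($_SERVER['SCRIPT_NAME']), '\/')` expression introduced here is the same one drupal_environment_initialize() now uses to compute `$base_path_len`, and the two must stay byte-for-byte in agreement or REQUEST_URI is stripped by the wrong amount and every `q` is shifted. A comment should pin that coupling, e.g. `// Must match the base path computation in drupal_environment_initialize().`, or better, both sites should call one small helper so the prefix cannot drift. drupal_settings_initialize() continues outside the hunk.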
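Review bot: Using `drupal_encode_path()` on query-string values ties this function's output to a helper whose name and documentation describe the path component, so any later path-specific tweak to that helper (such as the Apache workarounds it carried until this commit) would silently change how query values are encoded. Either keep the readability tweak local, `$params[] = $key . '=' . str_replace('%2F', '/', rawurlencode($value));`, or add a comment above the call stating that query values deliberately share the path encoder and that it must remain a plain `rawurlencode()` wrapper. drupal_http_build_query() begins outside the hunk.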
@@ -617,50 +615,31 @@ function drupal_parse_url($url) { if (isset($options['query']['q'])) { $options['path'] = $options['query']['q']; unset($options['query']['q']); } return $options; } /** - * Encode a path for usage in a URL. + * Wrapper around rawurlencode(). * - * Wrapper around rawurlencode() which avoids Apache quirks. Should be used when - * placing arbitrary data into the path component of an URL. + * For aesthetic reasons slashes are not escaped. * - * Do not use this function to pass a path to url(). url() properly handles - * and encodes paths internally. - * This function should only be used on paths, not on query string arguments. - * Otherwise, unwanted double encoding will occur. - * - * Notes: - * - For esthetic reasons, we do not escape slashes. This also avoids a 'feature' - * in Apache where it 404s on any path containing '%2F'. - * - mod_rewrite unescapes %-encoded ampersands, hashes, and slashes when clean - * URLs are used, which are interpreted as delimiters by PHP. These - * characters are double escaped so PHP will still see the encoded version. - * - With clean URLs, Apache changes '//' to '/', so every second slash is - * double escaped. + * Should be used when placing arbitrary data in an URL. Note that Drupal paths + * are urlencoded() when passed through url() and do not require urlencoding() + * of individual components. * - * @param $path - * The URL path component to encode. + * @param $text + * String to encode */ -function drupal_encode_path($path) { - if (!empty($GLOBALS['conf']['clean_url'])) { - return str_replace(array('%2F', '%26', '%23', '//'), - array('/', '%2526', '%2523', '/%252F'), - rawurlencode($path) - ); - } - else { - return str_replace('%2F', '/', rawurlencode($path)); - } +function drupal_encode_path($text) { + return str_replace('%2F', '/', rawurlencode($text)); } /** * Send the user to a different Drupal page. * * This issues an on-site HTTP redirect. 
The function makes sure the redirected * URL is formatted correctly. * * Usually the redirected URL is constructed from this function's input Index: includes/file.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/file.inc,v retrieving revision 1.199 diff -u -9 -p -r1.199 file.inc --- includes/file.inc 5 Nov 2009 03:37:08 -0000 1.199 +++ includes/file.inc 2 Dec 2009 22:30:52 -0000 @@ -869,18 +869,21 @@ function file_unmunge_filename($filename * @param $basename * String filename * @param $directory * String containing the directory or parent URI. * @return * File path consisting of $directory and a unique filename based off * of $basename. */ function file_create_filename($basename, $directory) { + // Strip control characters. + $basename = preg_replace('/[\x00-\x1F]/u', '_', $basename); + // A URI or path may already have a trailing slash or look like "public://". if (substr($directory, -1) == '/') { $separator = ''; } else { $separator = '/'; } $destination = $directory . $separator . $basename; Index: includes/stream_wrappers.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/stream_wrappers.inc,v retrieving revision 1.6 diff -u -9 -p -r1.6 stream_wrappers.inc --- includes/stream_wrappers.inc 31 Aug 2009 05:47:33 -0000 1.6 +++ includes/stream_wrappers.inc 2 Dec 2009 22:30:52 -0000 
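Review bot: The new docblock for drupal_encode_path() has no `@return`, and the sentence `Drupal paths are urlencoded() when passed through url()` reads oddly since urlencoded() is not a function; I would add `@return` / `The percent-encoded string, with '/' left literal.` and rephrase to `Paths passed to url() are encoded there; do not pre-encode individual components or they will be double-encoded.` The docblock should also record the assumption the simplification rests on: `#`, `&` and `%` are now encoded once because the path is recovered from REQUEST_URI in drupal_environment_initialize(), so the function is only correct together with a .htaccess that no longer passes `?q=$1` through mod_rewrite.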
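Review bot: `preg_replace('/[\x00-\x1F]/u', '_', $basename)` returns NULL when `$basename` is not valid UTF-8, because the `u` modifier makes PCRE validate the subject; an upload with a Latin-1 filename would then turn the whole name into an empty string and the destination into `$directory . '/'`. The character class is pure ASCII and needs no `u`, and DEL should be covered too: `$basename = preg_replace('/[\x00-\x1F\x7F]/', '_', $basename);`. file_create_filename() continues outside the hunk.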
@@ -574,19 +574,19 @@ class DrupalPublicStreamWrapper extends } /** * Overrides getExternalUrl(). * * Return the HTML URI of a public file. */ function getExternalUrl() { $path = str_replace('\\', '/', file_uri_target($this->uri)); - return $GLOBALS['base_url'] . '/' . self::getDirectoryPath() . '/' . $path; + return $GLOBALS['base_url'] . '/' . self::getDirectoryPath() . '/' . drupal_encode_path($path); } } /** * Drupal private (private://) stream wrapper class. * * Provides support for storing privately accessible files with the Drupal file * interface. Index: misc/drupal.js =================================================================== RCS file: /cvs/drupal/drupal/misc/drupal.js,v retrieving revision 1.60 diff -u -9 -p -r1.60 drupal.js --- misc/drupal.js 3 Nov 2009 05:34:37 -0000 1.60 +++ misc/drupal.js 2 Dec 2009 22:30:52 -0000 
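Review bot: Only `$path` is passed through `drupal_encode_path()` in getExternalUrl(); `self::getDirectoryPath()` is concatenated raw, so a public files directory configured with a space or another reserved character still produces a malformed URL. Unless the directory path is validated elsewhere to be URL-safe (not visible here), encode it the same way, which is safe because the helper leaves `/` literal: `return $GLOBALS['base_url'] . '/' . drupal_encode_path(self::getDirectoryPath()) . '/' . drupal_encode_path($path);`.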
@@ -283,26 +283,25 @@ Drupal.freezeHeight = function () { /** * Unfreeze the body height. */ Drupal.unfreezeHeight = function () { $('#freeze-height').remove(); }; /** - * Wrapper around encodeURIComponent() which avoids Apache quirks (equivalent of - * drupal_encode_path() in PHP). This function should only be used on paths, not - * on query string arguments. + * Wrapper around encodeURIComponent(). + * + * For aesthetic reasons slashes are not escaped. */ Drupal.encodePath = function (item, uri) { uri = uri || location.href; - item = encodeURIComponent(item).replace(/%2F/g, '/'); - return (uri.indexOf('?q=') != -1) ? item : item.replace(/%26/g, '%2526').replace(/%23/g, '%2523').replace(/\/\//g, '/%252F'); + return encodeURIComponent(item).replace(/%2F/g, '/'); }; /** * Get the text selection in a textarea. */ Drupal.getSelection = function (element) { if (typeof element.selectionStart != 'number' && document.selection) { // The current selection. var range1 = document.selection.createRange(); Index: modules/path/path.test =================================================================== RCS file: /cvs/drupal/drupal/modules/path/path.test,v retrieving revision 1.27 diff -u -9 -p -r1.27 path.test --- modules/path/path.test 2 Dec 2009 19:26:22 -0000 1.27 +++ modules/path/path.test 2 Dec 2009 22:30:52 -0000 
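Review bot: `Drupal.encodePath` keeps the `uri` parameter in its signature but no longer reads it, so callers still passing `location.href` do dead work and readers will assume it matters. Either drop the parameter or, if it is kept for API compatibility, document that: `@param uri Unused; retained for backwards compatibility.` The doc comment should also state the contract, e.g. `Returns item percent-encoded with encodeURIComponent(), except that '/' is left literal.`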
@@ -59,23 +59,25 @@ class PathTestCase extends DrupalWebTest $edit = array(); $edit['source'] = 'node/' . $node1->nid; $edit['alias'] = $this->randomName(8); $this->drupalPost('admin/config/search/path/add', $edit, t('Create new alias')); // Confirm that the alias works. $this->drupalGet($edit['alias']); $this->assertText($node1->title[LANGUAGE_NONE][0]['value'], 'Alias works.'); - // Change alias. + // Change alias to one containing "exotic" characters. $pid = $this->getPID($edit['alias']); $previous = $edit['alias']; - $edit['alias'] = $this->randomName(8); + $edit['alias'] = "- ._~!$'\"()*@[]?&+%#,;=:" . // "Special" ASCII characters. + "%23%25%26%2B%2F%3F" . // Characters that look like a percent-escaped string. + "éøïвβ中國書۞"; // Characters from various non-ASCII alphabets. $this->drupalPost('admin/config/search/path/edit/' . $pid, $edit, t('Update alias')); // Confirm that the alias works. $this->drupalGet($edit['alias']); $this->assertText($node1->title[LANGUAGE_NONE][0]['value'], 'Changed alias works.'); drupal_static_reset('drupal_lookup_path'); // Confirm that previous alias no longer works. $this->drupalGet($previous); 
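Review bot: The new alias includes `+`, `%` and `#`, but `drupalGet()` presumably builds the request through url(), which percent-encodes them, so the characters are never sent raw the way a browser does when a user types `/foo+bar`; a literal `+` reaching REQUEST_URI is decoded to a space by the `urldecode()` added in drupal_environment_initialize(), which this test cannot detect. Add one request that sends the alias literally, for instance an absolute URL assembled from `$GLOBALS['base_url']` and the raw alias, so the REQUEST_URI path is exercised and not only the url()-generated form.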
@@ -111,21 +113,23 @@ class PathTestCase extends DrupalWebTest // Create alias. $edit = array(); $edit['path[alias]'] = $this->randomName(8); $this->drupalPost('node/' . $node1->nid . '/edit', $edit, t('Save')); // Confirm that the alias works. $this->drupalGet($edit['path[alias]']); $this->assertText($node1->title[LANGUAGE_NONE][0]['value'], 'Alias works.'); - // Change alias. + // Change alias to one containing "exotic" characters. $previous = $edit['path[alias]']; - $edit['path[alias]'] = $this->randomName(8); + $edit['path[alias]'] = "- ._~!$'\"()*@[]?&+%#,;=:" . // "Special" ASCII characters. + "%23%25%26%2B%2F%3F" . // Characters that look like a percent-escaped string. + "éøïвβ中國書۞"; // Characters from various non-ASCII alphabets. $this->drupalPost('node/' . $node1->nid . '/edit', $edit, t('Save')); // Confirm that the alias works. $this->drupalGet($edit['path[alias]']); $this->assertText($node1->title[LANGUAGE_NONE][0]['value'], 'Changed alias works.'); // Make sure that previous alias no longer works. $this->drupalGet($previous); $this->assertNoText($node1->title[LANGUAGE_NONE][0]['value'], 'Previous alias no longer works.'); Index: modules/simpletest/tests/file.test =================================================================== RCS file: /cvs/drupal/drupal/modules/simpletest/tests/file.test,v retrieving revision 1.46 diff -u -9 -p -r1.46 file.test --- modules/simpletest/tests/file.test 10 Nov 2009 17:27:53 -0000 1.46 +++ modules/simpletest/tests/file.test 2 Dec 2009 22:30:52 -0000 
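Review bot: The exotic alias is written as a double-quoted PHP string containing `$'` and `\"`, so its byte content depends on PHP not treating `$'` as interpolation and on the escaped quote; a single-quoted literal such as `'- ._~!$\'"()*@[]?&+%#,;=:'` makes the intended bytes obvious. The same three-part literal is repeated in the previous hunk and again in the file and menu tests, so a shared constant or a helper on the test base class would keep the copies in sync.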
@@ -1874,18 +1874,20 @@ class FileDownloadTest extends FileTestC return array( 'name' => 'File download', 'description' => 'Tests for file download/transfer functions.', 'group' => 'File API', ); } function setUp() { parent::setUp('file_test'); + // Clear out any hook calls. + file_test_reset(); } /** * Test the public file transfer system. */ function testPublicFileTransfer() { // Test generating an URL to a created file. $file = $this->createFile(); $url = file_create_url($file->uri); 
@@ -1923,18 +1925,81 @@ class FileDownloadTest extends FileTestC file_test_set_return('download', -1); $this->drupalHead($url); $this->assertResponse(403, t('Correctly denied access to a file when file_test sets the header to -1.')); // Try non-existent file. $url = file_create_url('private://' . $this->randomName()); $this->drupalHead($url); $this->assertResponse(404, t('Correctly returned 404 response for a non-existent file.')); } + + /** + * Test file_create_url(). + */ + function testFileCreateUrl() { + global $base_url; + + $basename = " -._~!$'\"()*@[]?&+%#,;=:\n\x00" . // "Special" ASCII characters. + "%23%25%26%2B%2F%3F" . // Characters that look like a percent-escaped string. + "éøïвβ中國書۞"; // Characters from various non-ASCII alphabets. + $basename_encoded = '%20-._%7E%21%24%27%22%28%29%2A%40%5B%5D%3F%26%2B%25%23%2C%3B%3D%3A__' . + '%2523%2525%2526%252B%252F%253F' . + '%C3%A9%C3%B8%C3%AF%D0%B2%CE%B2%E4%B8%AD%E5%9C%8B%E6%9B%B8%DB%9E'; + + $this->checkUrl('public', '', $basename, $base_url . '/' . file_directory_path() . '/' . $basename_encoded); + $this->checkUrl('private', '', $basename, $base_url . '/system/files/' . $basename_encoded); + $this->checkUrl('private', '', $basename, $base_url . '/?q=system/files/' . $basename_encoded, '0'); + } + + /** + * Download a file from the URL generated by file_create_url(). + * + * Create a file with the specified scheme, directory and filename; check that + * the URL generated by file_create_url() for the specified file equals the + * specified URL; fetch the URL and then compare the contents to the file. + * + * @param $scheme + * A scheme, e.g. 
"public" + * @param $directory + * A directory, possibly "" + * @param $filename + * A filename + * @param $expected_url + * The expected URL + * @param $clean_url + * The value of the clean_url setting + */ + private function checkUrl($scheme, $directory, $filename, $expected_url, $clean_url = '1') { + variable_set('clean_url', $clean_url); + + // Convert $path to a valid filename, i.e. strip characters not supported + // by the filesystem, and create the file. + $filepath = file_create_filename($filename, $directory); + $directory_uri = $scheme . '://' . dirname($filepath); + file_prepare_directory($directory_uri, FILE_CREATE_DIRECTORY); + $file = $this->createFile($filepath, NULL, $scheme); + + $url = file_create_url($file->uri); + $this->assertEqual($url, $expected_url, t('Generated URL matches expected URL.')); + + if ($scheme == 'private') { + // Tell the implementation of hook_file_download() in file_test.module + // that this file may be downloaded. + file_test_set_return('download', array('x-foo' => 'Bar')); + } + + $this->drupalGet($url); + if ($this->assertResponse(200) == 'pass') { + $this->assertRaw(file_get_contents($file->uri), t('Contents of the file are correct.')); + } + + file_delete($file); + } } /** * Tests for file URL rewriting. */ class FileURLRewritingTest extends FileTestCase { public static function getInfo() { return array( 'name' => 'File URL rewriting', Index: modules/simpletest/tests/menu.test =================================================================== RCS file: /cvs/drupal/drupal/modules/simpletest/tests/menu.test,v retrieving revision 1.24 diff -u -9 -p -r1.24 menu.test --- modules/simpletest/tests/menu.test 1 Dec 2009 15:57:40 -0000 1.24 +++ modules/simpletest/tests/menu.test 2 Dec 2009 22:30:52 -0000 
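Review bot: `if ($this->assertResponse(200) == 'pass')` compares the helper's result to the string `'pass'` with a loose `==`; if assertResponse() returns a boolean like the other assert helpers used in this file appear to, `TRUE == 'pass'` only holds by accident of PHP's comparison rules, so write `if ($this->assertResponse(200))`. checkUrl() also leaves `clean_url` set to whatever the last call passed (`'0'` for the final case), so any assertion added after the three checkUrl() calls in testFileCreateUrl() would silently run in non-clean mode; restore the previous value at the end of checkUrl() or document the side effect in its docblock.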
@@ -46,18 +46,29 @@ class MenuIncTestCase extends DrupalWebT * Test that the theme callback is properly inherited. */ function testThemeCallbackInheritance() { $this->drupalGet('menu-test/theme-callback/use-admin-theme/inheritance'); $this->assertText('Requested theme: seven. Actual theme: seven. Theme callback inheritance is being tested.', t('Theme callback inheritance correctly uses the administrative theme.')); $this->assertRaw('seven/style.css', t("The administrative theme's CSS appears on the page.")); } /** + * Test path containing "exotic" characters. + */ + function testExoticPath() { + $path = "menu-test/ -._~!$'\"()*@[]?&+%#,;=:" . // "Special" ASCII characters. + "%23%25%26%2B%2F%3F" . // Characters that look like a percent-escaped string. + "éøïвβ中國書۞"; // Characters from various non-ASCII alphabets. + $this->drupalGet($path); + $this->assertRaw('This is menu_test_callback().'); + } + + /** * Test the theme callback when the site is in maintenance mode. */ function testThemeCallbackMaintenanceMode() { variable_set('maintenance_mode', TRUE); // For a regular user, the fact that the site is in maintenance mode means // we expect the theme callback system to be bypassed entirely. $this->drupalGet('menu-test/theme-callback/use-admin-theme'); $this->assertRaw('garland/style.css', t("The maintenance theme's CSS appears on the page.")); Index: modules/simpletest/tests/menu_test.module =================================================================== RCS file: /cvs/drupal/drupal/modules/simpletest/tests/menu_test.module,v retrieving revision 1.9 diff -u -9 -p -r1.9 menu_test.module --- modules/simpletest/tests/menu_test.module 10 Nov 2009 17:27:54 -0000 1.9 +++ modules/simpletest/tests/menu_test.module 2 Dec 2009 22:30:52 -0000 
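Review bot: testExoticPath() duplicates the path literal defined in menu_test_menu() in menu_test.module; if either copy drifts, the request 404s and assertRaw() fails with a message that says nothing about why. Expose the path from the module (e.g. a `menu_test_exotic_path()` helper returning the string) and use it in both places, and add `$this->assertResponse(200);` before the assertRaw() so a routing failure is reported distinctly from a wrong callback body.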
@@ -52,29 +52,38 @@ function menu_test_menu() { 'theme callback' => 'menu_test_theme_callback', 'theme arguments' => array(2), ); $items['menu-test/theme-callback/%/inheritance'] = array( 'title' => 'Page that tests theme callback inheritance.', 'page callback' => 'menu_test_theme_page_callback', 'page arguments' => array(TRUE), 'access arguments' => array('access content'), ); + // Path containing "exotic" characters. + $path = "menu-test/ -._~!$'\"()*@[]?&+%#,;=:" . // "Special" ASCII characters. + "%23%25%26%2B%2F%3F" . // Characters that look like a percent-escaped string. + "éøïвβ中國書۞"; // Characters from various non-ASCII alphabets. + $items[$path] = array( + 'title' => '"Exotic" path', + 'page callback' => 'menu_test_callback', + 'access arguments' => array('access content'), + ); return $items; } /** * Dummy callback for hook_menu() to point to. * * @return * A random string. */ function menu_test_callback() { - return $this->randomName(); + return 'This is menu_test_callback().'; } /** * Page callback to use when testing the theme callback functionality. * * @param $inherited * An optional boolean to set to TRUE when the requested page is intended to * inherit the theme of its parent. * @return Index: modules/system/system.admin.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/system/system.admin.inc,v retrieving revision 1.232 diff -u -9 -p -r1.232 system.admin.inc --- modules/system/system.admin.inc 2 Dec 2009 14:56:32 -0000 1.232 +++ modules/system/system.admin.inc 2 Dec 2009 22:30:52 -0000 
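Review bot: The exotic `$items[$path]` key relies on the menu router not treating its last segment as a placeholder; the router appears to reserve segments beginning with `%` (see `menu-test/theme-callback/%/inheritance` just above), so the segment works only because it starts with a space and its `%` characters are mid-segment. A comment next to `$path` should say so: `// The segment must not begin with '%' or it would be parsed as a wildcard.` The replacement of `$this->randomName()` (a fatal in a procedural function) with a fixed string is a genuine fix, but the docblock above menu_test_callback() still reads `@return A random string.` and should become `A fixed marker string checked by MenuIncTestCase::testExoticPath().`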
@@ -1774,19 +1774,19 @@ function system_regional_settings() { '#type' => 'select', '#title' => t('Default time zone'), '#default_value' => variable_get('date_default_timezone', date_default_timezone_get()), '#options' => $zones, ); $configurable_timezones = variable_get('configurable_timezones', 1); $form['timezone']['configurable_timezones'] = array( '#type' => 'checkbox', - '#title' => t('Users may set their own time zone.'), + '#title' => t('Users may set their own time zone.'), '#default_value' => $configurable_timezones, ); $form['timezone']['configurable_timezones_wrapper'] = array( '#type' => 'container', '#states' => array( // Hide the user configured timezone settings when users are forced to use // the default setting. 'invisible' => array(