Index: includes/filetransfer/filetransfer.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/filetransfer/filetransfer.inc,v retrieving revision 1.1 diff -u -p -r1.1 filetransfer.inc --- includes/filetransfer/filetransfer.inc 23 Jun 2009 12:11:19 -0000 1.1 +++ includes/filetransfer/filetransfer.inc 26 Jun 2009 03:44:18 -0000 @@ -2,28 +2,34 @@ // $Id: filetransfer.inc,v 1.1 2009/06/23 12:11:19 dries Exp $ /* - * Connection class. + * Base FileTransfer class. * - * This class does file operations on directories not writeable by the - * webserver. It connects back to the server using some backend (for example - * FTP or SSH). To keep security the password should always be asked from the - * user and never stored. + * Classes extending this class perform file operations on directories not + * writeable by the webserver. To achieve this, the class should connect back + * to the server using some backend (for example FTP or SSH). To keep security, + * the password should always be asked from the user and never stored. For + * safety, all methods operate only inside a "jail", by default the Drupal root. */ abstract class FileTransfer { + protected $username; + protected $password; + protected $hostname = 'localhost'; + protected $port; /** * The constructer for the UpdateConnection class. This method is also called * from the classes that extend this class and override this method. */ - function __construct($settings) { - $this->username = $settings['username']; - $this->password = $settings['password']; - $this->hostname = isset($settings['hostname']) ? $settings['hostname'] : 'localhost'; - if (isset($settings['port'])) { - $this->port = $settings['port']; - } + function __construct($jail, $username, $password, $hostname, $port) { + $this->username = $username; + $this->password = $password; + $this->hostname = $hostname; + $this->port = $port; + $this->jail = $jail; } + abstract static function factory($jail, $settings); + /** * Implementation of the magic __get() method. If the connection isn't set to * anything, this will call the connect() method and set it to and return the @@ -31,14 +37,18 @@ abstract class FileTransfer { * this method. */ function __get($name) { - static $connection; if ($name == 'connection') { - $this->connection = $this->connect(); + $this->connect(); return $this->connection; } } /** + * Connect to the server. + */ + abstract protected function connect(); + + /** * Copies a directory. * * @param $source @@ -46,15 +56,88 @@ abstract class FileTransfer { * @param $destination * The destination path. */ - protected function copyDirectory($source, $destination) { - $this->createDirectory($destination . basename($source)); + public final function copyDirectory($source, $destination) { + $this->checkPath($destination); + $this->copyDirectoryJailed($source, $destination); + } + + /** + * Creates a directory. + * + * @param $directory + * The directory to be created. + */ + public final function createDirectory($directory) { + $this->checkPath($directory); + $this->createDirectoryJailed($directory); + } + + /** + * Removes a directory. + * + * @param $directory + * The directory to be removed. + */ + public final function removeDirectory($directory) { + $this->checkPath($directory); + $this->removeDirectoryJailed($directory); + } + + /** + * Copies a file. + * + * @param $source + * The source file. + * @param $destination + * The destination file. + */ + public final function copyFile($source, $destination) { + $this->checkPath($destination); + $this->copyFileJailed($source, $destination); + } + + /** + * Removes a file. + * + * @param $destination + * The destination file to be removed. + */ + public final function removeFile($destination) { + $this->checkPath($destination); + $this->removeFileJailed($destination); + } + + /** + * Checks that the path is inside the jail and throws an exception if not. + * + * @param $path + * A path to check against the jail. + */ + protected final function checkPath($path) { + if (realpath(substr($path, 0, strlen($this->jail))) !== $this->jail) { + throw new FileTransferException('@directory is outside of the @jail', NULL, array('@directory' => $path, '@jail' => $this->jail)); + } + } + + /** + * Copies a directory. + * + * We need a separate method to make the $destination is in the jail. + * + * @param $source + * The source path. + * @param $destination + * The destination path. + */ + protected function copyDirectoryJailed($source, $destination) { + $this->createDirectory($destination . '/' . basename($source)); foreach (new RecursiveIteratorIterator(new RecursiveDirectoryIterator($source), RecursiveIteratorIterator::SELF_FIRST) as $filename => $file) { $relative_path = basename($source) . substr($filename, strlen($source)); if ($file->isDir()) { - $this->createDirectory($destination . $relative_path); + $this->createDirectory($destination . '/' . $relative_path); } else { - $this->copyFile($file->getPathName(), $destination . $relative_path); + $this->copyFile($file->getPathName(), $destination . '/' . $relative_path); } } } @@ -65,7 +148,7 @@ abstract class FileTransfer { * @param $directory * The directory to be created. */ - abstract function createDirectory($directory); + abstract protected function createDirectoryJailed($directory); /** * Removes a directory. @@ -73,7 +156,7 @@ abstract class FileTransfer { * @param $directory * The directory to be removed. */ - abstract function removeDirectory($directory); + abstract protected function removeDirectoryJailed($directory); /** * Copies a file. @@ -83,8 +166,7 @@ abstract class FileTransfer { * @param $destination * The destination file. */ - abstract function copyFile($source, $destination); - + abstract protected function copyFileJailed($source, $destination); /** * Removes a file. @@ -92,11 +174,17 @@ abstract class FileTransfer { * @param $destination * The destination file to be removed. */ - abstract function removeFile($destination); + abstract protected function removeFileJailed($destination); } /** * FileTransferException class. */ class FileTransferException extends Exception { + public $arguments; + + function __construct($message, $code = 0, $arguments = array()) { + parent::__construct($message, $code); + $this->arguments = $arguments; + } } Index: includes/filetransfer/ftp.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/filetransfer/ftp.inc,v retrieving revision 1.3 diff -u -p -r1.3 ftp.inc --- includes/filetransfer/ftp.inc 24 Jun 2009 01:45:09 -0000 1.3 +++ includes/filetransfer/ftp.inc 26 Jun 2009 04:50:00 -0000 @@ -5,17 +5,27 @@ * Common code for the FTP connections. */ abstract class FileTransferFTP extends FileTransfer { - function __construct($settings) { - // This is the default, if $settings contains a port, this will be overridden. - $this->port = 21; - parent::__construct($settings); + function __construct($jail, $username, $password, $hostname = 'localhost', $port = 21) { + parent::__construct($jail, $username, $password, $hostname, $port); + } + + static function factory($jail, $settings) { + $settings['hostname'] = empty($settings['hostname']) ? 'localhost' : $settings['hostname']; + $settings['port'] = empty($settings['port']) ? 21 : $settings['port']; + // If we can use the extension, use it. + if (function_exists('ftp_connect')) { + return new FileTransferFTPExtension($jail, $settings['username'], $settings['password'], $settings['hostname'], $settings['port']); + } + elseif (ini_get('allow_url_fopen') == TRUE) { + return new FileTransferFTPWrapper($jail, $settings['username'], $settings['password'], $settings['hostname'], $settings['port']); + } } } /** * Connection class using the FTP URL wrapper. */ -class FileTransferFTPWrapper extends FileTransfer { +class FileTransferFTPWrapper extends FileTransferFTP { function connect() { $this->connection = 'ftp://' . urlencode($this->username) . ':' . urlencode($this->password) . '@' . $this->hostname . ':' . $this->port . '/'; if (!is_dir($this->connection)) { @@ -23,14 +33,15 @@ class FileTransferFTPWrapper extends Fil } } - function createDirectory($directory) { - if (!@createDirectory($directory)) { + function createDirectoryJailed($directory) { + if (!@mkdir($directory)) { $exception = new FileTransferException('Cannot create directory @directory.', NULL, array('@directory' => $directory)); throw $exception; } + throw new FileTransferException('FAILED'); } - function removeDirectory($directory) { + function removeDirectoryJailed($directory) { if (realpath(substr($directory, 0, strlen(DRUPAL_ROOT))) !== DRUPAL_ROOT) { throw new FileTransferException('@directory is outside of the Drupal root.', NULL, array('@directory' => $directory)); } @@ -49,51 +60,52 @@ class FileTransferFTPWrapper extends Fil } } closedir($dh); - if (!removeDirectory($directory)) { + if (!rmdir($directory)) { $exception = new FileTransferException('Cannot remove @directory.', NULL, array('@directory' => $directory)); throw $exception; } } } - function copyFile($source, $destination) { + function copyFileJailed($source, $destination) { if (!@copy($this->connection . '/' . $source, $this->connection . '/' . $destination)) { throw new FileTransferException('Cannot copy @source_file to @destination_file.', NULL, array('@source' => $source, '@destination' => $destination)); } } - function removeFile($destination) { + function removeFileJailed($destination) { if (!@unlink($destination)) { throw new FileTransferException('Cannot remove @destination', NULL, array('@destination' => $destination)); } } } -class FileTransferFTPExtension extends FileTransfer { - function connect() { - $this->connection = ftp_connect($this->hostname, $this->port); +class FileTransferFTPExtension extends FileTransferFTP { + protected function connect() { + $connection = ftp_connect($this->hostname, $this->port); - if (!$this->connection) { + if (!$connection) { throw new FileTransferException("Cannot connect to FTP Server, please check settings"); } - if (!ftp_login($this->connection, $this->username, $this->password)) { + if (!ftp_login($connection, $this->username, $this->password)) { throw new FileTransferException("Cannot login to FTP server, please check username and password"); } + return $connection; } - function copyFile($source, $destination) { + protected function copyFileJailed($source, $destination) { if (!@ftp_put($this->connection, $destination, $source, FTP_BINARY)) { throw new FileTransferException("Cannot move @source to @destination", NULL, array("@source" => $source, "@destination" => $destination)); } } - function createDirectory($directory) { - if (!@ftp_createDirectory($this->connection, $directory)) { + protected function createDirectoryJailed($directory) { + if (!@ftp_mkdir($this->connection, $directory)) { throw new FileTransferException("Cannot create directory @directory", NULL, array("@directory" => $directory)); } } - function removeDirectory($directory) { + protected function removeDirectoryJailed($directory) { if (realpath(substr($directory, 0, strlen(DRUPAL_ROOT))) !== DRUPAL_ROOT) { throw new FileTransferException('@directory is outside of the Drupal root.', NULL, array('@directory' => $directory)); } @@ -115,12 +127,12 @@ class FileTransferFTPExtension extends F } } ftp_chdir($this->connection, $pwd); - if (!ftp_removeDirectory($this->connection, $directory)) { + if (!ftp_rmdir($this->connection, $directory)) { throw new FileTransferException("Unable to remove to directory @directory", NULL, array('@directory' => $directory)); } } - function removeFile($destination) { + protected function removeFileJailed($destination) { if (!ftp_delete($this->connection, $item)) { throw new FileTransferException("Unable to remove to file @file", NULL, array('@file' => $item)); } Index: includes/filetransfer/ssh.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/filetransfer/ssh.inc,v retrieving revision 1.1 diff -u -p -r1.1 ssh.inc --- includes/filetransfer/ssh.inc 23 Jun 2009 12:11:19 -0000 1.1 +++ includes/filetransfer/ssh.inc 26 Jun 2009 03:30:17 -0000 @@ -6,50 +6,51 @@ */ class FileTransferSSH extends FileTransfer { - function __construct($settings) { - // This is the default, if $settings contains a port, this will be overridden. - $this->port = 22; - parent::__construct($settings); + function __construct($jail, $username, $password, $hostname = "localhost", $port = 22) { + parent::__construct($jail, $username, $password, $hostname, $port); } function connect() { - $this->connection = @ssh2_connect($setings['hostname'], $this->port); + $this->connection = @ssh2_connect($this->hostname, $this->port); if (!$this->connection) { - throw new FileTransferException('SSH Connection failed.'); + throw new FileTransferException('SSH Connection failed to @host:@port', NULL, array('@host' => $this->hostname, '@port' => 21)); } if (!@ssh2_auth_password($this->connection, $this->username, $this->password)) { throw new FileTransferException('The supplied username/password combination was not accepted.'); } } - function copyFile($source, $destination) { + static function factory($jail, $settings) { + $settings['hostname'] = empty($settings['hostname']) ? 'localhost' : $settings['hostname']; + $settings['port'] = empty($settings['port']) ? 22 : $settings['port']; + return new FileTransferSSH($jail, $settings['username'], $settings['password'], $settings['hostname'], $settings['port']); + } + + protected function copyFileJailed($source, $destination) { if (!@ssh2_scp_send($this->connection, $source, $destination)) { throw new FileTransferException('Cannot copy @source_file to @destination_file.', NULL, array('@source' => $source, '@destination' => $destination)); } } - function copyDirectory($source, $destination) { + protected function copyDirectoryJailed($source, $destination) { if (!@ssh2_exec($this->connection, 'cp -Rp ' . escapeshellarg($source) . ' ' . escapeshellarg($destination))) { throw new FileTransferException('Cannot copy directory @directory.', NULL, array('@directory' => $source)); } } - function createDirectory($directory) { + protected function createDirectoryJailed($directory) { if (!@ssh2_exec($this->connection, 'mkdir ' . escapeshellarg($directory))) { throw new FileTransferException('Cannot create directory @directory.', NULL, array('@directory' => $directory)); } } - function removeDirectory($directory) { - if (realpath(substr($directory, 0, strlen(DRUPAL_ROOT))) !== DRUPAL_ROOT) { - throw new FileTransferException('@directory is outside of the Drupal root.', NULL, array('@directory' => $directory)); - } - if (!@ssh2_exec($this->connection, 'rm -Rf ' . escapeshellarg($directory))) { + protected function removeDirectoryJailed($directory) { + if (!@ssh2_exec($this->connection, $directory)) { throw new FileTransferException('Cannot remove @directory.', NULL, array('@directory' => $directory)); } } - - function removeFile($destination) { + + protected function removeFileJailed($destination) { if (!@ssh2_exec($this->connection, 'rm ' . escapeshellarg($destination))) { throw new FileTransferException('Cannot remove @directory.', NULL, array('@directory' => $destination)); } Index: modules/simpletest/simpletest.info =================================================================== RCS file: /cvs/drupal/drupal/modules/simpletest/simpletest.info,v retrieving revision 1.6 diff -u -p -r1.6 simpletest.info --- modules/simpletest/simpletest.info 8 Jun 2009 09:23:53 -0000 1.6 +++ modules/simpletest/simpletest.info 26 Jun 2009 03:35:24 -0000 @@ -19,6 +19,7 @@ files[] = tests/common.test files[] = tests/database_test.test files[] = tests/error.test files[] = tests/file.test +files[] = tests/filetransfer.test files[] = tests/form.test files[] = tests/graph.test files[] = tests/image.test Index: modules/simpletest/tests/filetransfer.test =================================================================== RCS file: modules/simpletest/tests/filetransfer.test diff -N modules/simpletest/tests/filetransfer.test --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ modules/simpletest/tests/filetransfer.test 26 Jun 2009 03:43:58 -0000 @@ -0,0 +1,172 @@ + t('FileTransfer unit tests'), + 'description' => t('Test that the jail is respected and that protocols using recursive file move operations work.'), + 'group' => t('System') + ); + } + + function setUp() { + $this->testConnection = TestFileTransfer::factory(DRUPAL_ROOT, array('hostname' => $this->hostname, 'username' => $this->username, 'password' => $this->password, 'port' => $this->port)); + } + + function _getFakeModuleFiles() { + $files = array( + 'fake.module', + 'fake.info', + 'theme' => array( + 'fake.tpl.php' + ), + 'inc' => array( + 'fake.inc' + ) + ); + return $files; + } + + function _buildFakeModule() { + $location = file_directory_temp() . '/fake'; + if (is_dir($location)) { + $ret = 0; + $output = array(); + exec('rm -Rf ' . escapeshellarg($location), $output, $ret); + if ($ret != 0) { + throw new Exception('Error removing fake module directory.'); + } + } + + $files = $this->_getFakeModuleFiles(); + $this->_writeDirectory($location, $files); + return $location; + } + + function _writeDirectory($base, $files = array()) { + mkdir($base); + foreach ($files as $key => $file) { + if (is_array($file)) { + $this->_writeDirectory($base . DIRECTORY_SEPARATOR . $key, $file); + } + else { + //just write the filename into the file + file_put_contents($base . DIRECTORY_SEPARATOR . $file, $file); + } + } + } + + function testJail() { + $source = $this->_buildFakeModule(); + + // This convoluted piece of code is here because our testing framework does + // not support expecting exceptions. + $gotit = FALSE; + try { + $this->testConnection->copyDirectory($source, '/tmp'); + } + catch (FileTransferException $e) { + $gotit = TRUE; + } + $this->assertTrue($gotit, 'Was not able to copy a directory outside of the jailed area.'); + + $gotit = TRUE; + try { + $this->testConnection->copyDirectory($source, DRUPAL_ROOT . '/'. file_directory_path()); + } + catch (FileTransferException $e) { + $gotit = FALSE; + } + $this->assertTrue($gotit, 'Was able to copy a directory inside of the jailed area'); + } + + function testCopyDirectory() { + $directory = $this->_buildFakeModule(); + $drupal_root = DRUPAL_ROOT; + + $this->testConnection->copyDirectory($directory, "{$drupal_root}/sites/all/modules"); + $expected_commands = array( + "mkdir {$drupal_root}/sites/all/modules/fake", + "copyFile {$directory}/fake.info {$drupal_root}/sites/all/modules/fake/fake.info", + "copyFile {$directory}/fake.module {$drupal_root}/sites/all/modules/fake/fake.module", + "mkdir {$drupal_root}/sites/all/modules/fake/inc", + "copyFile {$directory}/inc/fake.inc {$drupal_root}/sites/all/modules/fake/inc/fake.inc", + "mkdir {$drupal_root}/sites/all/modules/fake/theme", + "copyFile {$directory}/theme/fake.tpl.php {$drupal_root}/sites/all/modules/fake/theme/fake.tpl.php", + ); + + $received_commands = $this->testConnection->connection->flushCommands(); + dd($expected_commands); + dd($received_commands); + $this->assertEqual($received_commands, $expected_commands, 'Expected copy files operations made.'); + } +} + +/** + * Mock FileTransfer object for test case. + */ +class TestFileTransfer extends FileTransfer { + protected $host = NULL; + protected $username = NULL; + protected $password = NULL; + protected $port = NULL; + + function __construct($jail, $username, $password, $hostname = 'localhost', $port = 9999) { + parent::__construct($jail, $username, $password, $hostname, $port); + } + + static function factory($jail, $settings) { + return new TestFileTransfer($jail, $settings['username'], $settings['password'], $settings['hostname'], $settings['port']); + } + + function connect() { + $parts = explode(':', $this->hostname); + $port = (count($parts) == 2) ? $parts[1] : $this->port; + $this->connection = new MockTestConnection(); + $this->connection->connectionString = 'test://' . urlencode($this->username) . ':' . urlencode($this->password) . "@$this->host:$this->port/"; + } + + function copyFileJailed($source, $destination) { + $this->connection->run("copyFile $source $destination"); + } + + protected function removeDirectoryJailed($directory) { + $this->connection->run("rmdir $directory"); + } + + function createDirectoryJailed($directory) { + $this->connection->run("mkdir $directory"); + } + + function removeFileJailed($destination) { + if (!ftp_delete($this->connection, $item)) { + throw new FileTransferException('Unable to remove to file @file.', NULL, array('@file' => $item)); + } + } +} + +/** + * Mock connection object for test case. + */ +class MockTestConnection { + + var $commandsRun = array(); + var $connectionString; + + function run($cmd) { + $this->commandsRun[] = $cmd; + } + + function flushCommands() { + $out = $this->commandsRun; + $this->commandsRun = array(); + return $out; + } +} Index: modules/system/system.module =================================================================== RCS file: /cvs/drupal/drupal/modules/system/system.module,v retrieving revision 1.715 diff -u -p -r1.715 system.module --- modules/system/system.module 23 Jun 2009 12:11:19 -0000 1.715 +++ modules/system/system.module 26 Jun 2009 03:15:09 -0000 @@ -828,7 +828,7 @@ function system_admin_menu_block_access( } /** - * Implementation of hook_filetransfer_backends(). + * Implement hook_filetransfer_backends(). */ function system_filetransfer_backends() { $backends = array(); @@ -839,24 +839,60 @@ function system_filetransfer_backends() $backends['ssh'] = array( 'title' => t('SSH'), 'class' => 'FileTransferSSH', + 'settings_form' => 'system_filetransfer_backend_form_ssh' ); } - if (function_exists('ftp_connect')) { - $backends['ftp_extension'] = array( - 'title' => t('FTP Extension'), - 'class' => 'FileTransferFTPExtension', - ); - } - - if (ini_get('allow_url_fopen')) { - $backends['ftp_wrapper'] = array( - 'title' => t('FTP Wrapper'), - 'class' => 'FileTransferFTPWrapper', + if (function_exists('ftp_connect') || ini_get('allow_url_fopen')) { + $backends['FTP'] = array( + 'title' => t('FTP'), + 'class' => 'FileTransferFTP', + 'settings_form' => 'system_filetransfer_backend_form_ftp' ); } return $backends; } +function system_filetransfer_backend_form_ftp() { + $form = _system_filetransfer_backend_form_common(); + $form['port']['#default_value'] = 21; + return $form; +} + +function system_filetransfer_backend_form_ssh() { + $form = _system_filetransfer_backend_form_common(); + $form['port']['#default_value'] = 22; + return $form; +} + +function _system_filetransfer_backend_form_common() { + $form = array(); + + $form['hostname'] = array ( + '#type' => 'textfield', + '#title' => t('Host'), + '#default_value' => 'localhost', + ); + + $form['port'] = array ( + '#type' => 'textfield', + '#title' => t('Port'), + '#default_value' => NULL, + ); + + $form['username'] = array ( + '#type' => 'textfield', + '#title' => t('Username'), + ); + + $form['password'] = array ( + '#type' => 'password', + '#title' => t('Password'), + '#description' => t('This is not saved in the database and is only used to test the connection'), + ); + + return $form; +} + /** * Implement hook_init(). */ @@ -2543,29 +2579,37 @@ function system_image_toolkits() { /** * Attempts to get a file using drupal_http_request and to store it locally. * - * @param $path + * @param $url * The URL of the file to grab. + * + * @param $destination + * Where the file should be saved, if a directory is provided, file is saved + * in that directory with its original name. If a filename is provided, + * remote fileis stored to that location. NOTE: Relative to drupal "files" directory" + * + * @param $overwrite boolean + * Defaults to TRUE, will overwrite existing files of the same name. + * * @return * On success the address the files was saved to, FALSE on failure. */ -function system_retrieve_file($path) { - // Get each of the specified files. - $parsed_url = parse_url($path); - $local = file_directory_temp() . '/update-cache/' . basename($parsed_url['path']); - if (!file_exists(file_directory_temp() . '/update-cache/')) { - mkdir(file_directory_temp() . '/update-cache/'); - } - - // Check the cache and download the file if needed. - if (!file_exists($local)) { - // $result->data is the actual contents of the downloaded file. This saves - // it into a local file, whose path is stored in $local. $local is stored - // relative to the Drupal installation. - $result = drupal_http_request($path); - if ($result->code != 200 || !file_save_data($result->data, $local)) { - drupal_set_message(t('@remote could not be saved.', array('@remote' => $path)), 'error'); - return FALSE; - } +function system_retrieve_file($url, $destination = NULL, $overwrite = TRUE) { + if (!$destination) { + $destination = file_directory_temp(); + } + $parsed_url = parse_url($url); + $local = is_dir(file_directory_path() . '/' . $destination) ? $destination . '/' . basename($parsed_url['path']) : $destination; + + if (!$overwrite && file_exists($local)) { + drupal_set_message(t('@remote could not be saved. @local already exists', array('@remote' => $url, '@local' => $local)), 'error'); + return FALSE; + } + + $result = drupal_http_request($url); + if ($result->code != 200 || !file_save_data($result->data, $local)) { + drupal_set_message(t('@remote could not be saved.', array('@remote' => $url)), 'error'); + return FALSE; } + return $local; }