=== modified file 'includes/bootstrap.inc'
--- includes/bootstrap.inc	2009-01-31 16:50:56 +0000
+++ includes/bootstrap.inc	2009-02-01 21:56:37 +0000
@@ -1570,7 +1570,7 @@ function _registry_check_code($type, $na
   // first letter to keep the cache key unique.
   $cache_key = $type[0] . $name;
   if (isset($lookup_cache[$cache_key])) {
-    if ($lookup_cache[$cache_key]) {
+    if ($lookup_cache[$cache_key] && _drupal_valid_include($lookup_cache[$cache_key])) {
       require_once DRUPAL_ROOT . '/' . $lookup_cache[$cache_key];
     }
     return $lookup_cache[$cache_key];
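Review bot: When `_drupal_valid_include()` rejects the cached path, this branch skips the `require_once` but still returns `$lookup_cache[$cache_key]`, which is the truthy file path, so a caller sees success for a file that was never loaded, while the uncached branch in the next hunk falls through to its (presumably FALSE) return instead. Keeping both branches consistent is simplest at the store in the second hunk, `$lookup_cache[$cache_key] = ($file && _drupal_valid_include($file)) ? $file : FALSE;`, after which the original `if ($lookup_cache[$cache_key])` here can stay as it was; that also avoids re-running the regex on every cache hit. The body of `_registry_check_code()` starts before and ends after this hunk.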
@@ -1592,7 +1592,7 @@ function _registry_check_code($type, $na
   // $file is FALSE.
   $lookup_cache[$cache_key] = $file;
 
-  if ($file) {
+  if ($file && _drupal_valid_include($file)) {
     require_once DRUPAL_ROOT . '/' . $file;
     return TRUE;
   }
@@ -1601,6 +1601,15 @@ function _registry_check_code($type, $na
   }
 }
 
+function _drupal_valid_include($file) {
+  static $pattern;
+  if (!isset($pattern)) {
+    $directories = drupal_system_directories('modules');
+    $pattern = '#^(?:'. implode($directories, '|') . '|includes)(?:.(?!\.\.))+$#';
+  }
+  return preg_match($pattern, $file);
+}
+
 /**
  * Rescan all enabled modules and rebuild the registry.
  *
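Review bot: The directory names returned by `drupal_system_directories('modules')` are spliced into the regex on the `$pattern` line without `preg_quote()`; `conf_path()` contributes a site directory such as `sites/example.com`, where the dot matches any character, and any other PCRE metacharacter in a site directory name would widen or break the pattern. The prefix alternation is also not followed by a required `/`, so a sibling directory whose name merely starts with `modules` or `includes` passes, and `$` without the `D` modifier still matches before a trailing newline. Quoting each entry and requiring the separator tightens the allow-list without changing what legitimate registry paths match, assuming those are always `<directory>/<path>`; `implode()` is also called with the legacy (array, glue) argument order, and `preg_match()` returns an int rather than a bool. A docblock stating that `$file` is a registry path relative to DRUPAL_ROOT and that the function returns TRUE only for paths under the known module and include directories would also help.
```php
function _drupal_valid_include($file) {
  // … unchanged: static $pattern cache guard …
    $directories = drupal_system_directories('modules');
    $directories[] = 'includes';
    // Quote every entry: conf_path() can yield names such as sites/example.com.
    foreach ($directories as $key => $directory) {
      $directories[$key] = preg_quote($directory, '#');
    }
    $pattern = '#^(?:' . implode('|', $directories) . ')/(?:.(?!\.\.))+$#D';
  }
  return (bool) preg_match($pattern, $file);
}
```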
@@ -1615,3 +1624,33 @@ function registry_rebuild() {
 /**
  * @} End of "ingroup registry".
  */
+
+function drupal_system_directories($directory) {
+  global $profile;
+  $config = conf_path();
+
+  // When this function is called during Drupal's initial installation process,
+  // the name of the profile that's about to be installed is stored in the global
+  // $profile variable. At all other times, the standard Drupal systems variable
+  // table contains the name of the current profile, and we can call variable_get()
+  // to determine what one is active.
+  if (!isset($profile)) {
+    $profile = variable_get('install_profile', 'default');
+  }
+
+  // Always search sites/all/* as well as the global directories
+  $directories = array($directory, 'sites/all/' . $directory);
+
+  // The 'profiles' directory contains pristine collections of modules and
+  // themes as organized by a distribution. It is pristine in the same way
+  // that /modules is pristine for core; users should avoid changing anything
+  // there in favor of sites/all or sites/<domain> directories.
+  if (file_exists("profiles/$profile/$directory")) {
+    $directories[] = "profiles/$profile/$directory";
+  }
+
+  if (file_exists("$config/$directory")) {
+    $directories[] = "$config/$directory";
+  }
+  return $directories;
+}
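Review bot: `drupal_system_directories()` is new public API and has no docblock, unlike the surrounding functions; add one stating that `$directory` is the basename to look up (e.g. 'modules' or 'themes'), that the return value is a list of candidate paths relative to the Drupal root in search order (core, sites/all, the active profile, the site's conf_path()), and that the global `$profile` is filled in from `variable_get('install_profile', 'default')` when it is unset. Since the result now also feeds the include allow-list in `_drupal_valid_include()`, that docblock should mention that entries are used both for directory scanning and for validating registry paths, so a new entry widens what may be included. The `file_exists()` calls test paths relative to the current working directory while the include in `_registry_check_code()` is prefixed with DRUPAL_ROOT; presumably these coincide at runtime, but it is worth confirming, since a mismatch would silently drop the profile and site directories from both the listing and the allow-list.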

=== modified file 'includes/common.inc'
--- includes/common.inc	2009-01-31 19:07:45 +0000
+++ includes/common.inc	2009-02-01 20:40:20 +0000
@@ -3115,35 +3115,8 @@ function drupal_cron_cleanup() {
  *   An array of file objects of the specified type.
  */
 function drupal_system_listing($mask, $directory, $key = 'name', $min_depth = 1) {
-  global $profile;
-  $config = conf_path();
-
-  // When this function is called during Drupal's initial installation process,
-  // the name of the profile that's about to be installed is stored in the global
-  // $profile variable. At all other times, the standard Drupal systems variable
-  // table contains the name of the current profile, and we can call variable_get()
-  // to determine what one is active.
-  if (!isset($profile)) {
-    $profile = variable_get('install_profile', 'default');
-  }
-  $searchdir = array($directory);
+  $searchdir = drupal_system_directories($directory);
   $files = array();
-
-  // Always search sites/all/* as well as the global directories
-  $searchdir[] = 'sites/all/' . $directory;
-
-  // The 'profiles' directory contains pristine collections of modules and
-  // themes as organized by a distribution. It is pristine in the same way
-  // that /modules is pristine for core; users should avoid changing anything
-  // there in favor of sites/all or sites/<domain> directories.
-  if (file_exists("profiles/$profile/$directory")) {
-    $searchdir[] = "profiles/$profile/$directory";
-  }
-
-  if (file_exists("$config/$directory")) {
-    $searchdir[] = "$config/$directory";
-  }
-
   // Get current list of items
   foreach ($searchdir as $dir) {
     $files = array_merge($files, file_scan_directory($dir, $mask, '/(\.\.?|CVS)$/', 0, TRUE, $key, $min_depth));

