Index: D6-core-simpletest.patch
===================================================================
RCS file: /cvs/drupal-contrib/contributions/modules/simpletest/Attic/D6-core-simpletest.patch,v
retrieving revision 1.1.2.5
diff -u -p -r1.1.2.5 D6-core-simpletest.patch
--- D6-core-simpletest.patch 14 Sep 2009 23:16:07 -0000 1.1.2.5
+++ D6-core-simpletest.patch 25 Sep 2009 16:18:20 -0000
@@ -1,11 +1,33 @@
+Index: install.php
+===================================================================
+RCS file: /cvs/drupal/drupal/install.php,v
+retrieving revision 1.113.2.9
+diff -u -p -r1.113.2.9 install.php
+--- install.php 27 Apr 2009 10:50:35 -0000 1.113.2.9
++++ install.php 25 Sep 2009 16:17:02 -0000
+@@ -20,6 +20,14 @@ function install_main() {
+ require_once './includes/bootstrap.inc';
+ drupal_bootstrap(DRUPAL_BOOTSTRAP_CONFIGURATION);
+
++ // The user agent header is used to pass a database prefix in the request when
++ // running tests. However, for security reasons, it is imperative that no
++ // installation be permitted using such a prefix.
++ if (isset($_SERVER['HTTP_USER_AGENT']) && strpos($_SERVER['HTTP_USER_AGENT'], "simpletest") !== FALSE) {
++ header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
++ exit;
++ }
++
+ // This must go after drupal_bootstrap(), which unsets globals!
+ global $profile, $install_locale, $conf;
+
 Index: includes/bootstrap.inc
 ===================================================================
 RCS file: /cvs/drupal/drupal/includes/bootstrap.inc,v
 retrieving revision 1.206.2.13
-diff -u -r1.206.2.13 bootstrap.inc
---- includes/bootstrap.inc 14 Sep 2009 13:33:39 -0000 1.206.2.13
-+++ includes/bootstrap.inc 14 Sep 2009 23:15:19 -0000
-@@ -991,7 +991,7 @@
+diff -u -p -r1.206.2.13 bootstrap.inc
+--- includes/bootstrap.inc 14 Sep 2009 13:33:39 -0000 1.206.2.13
++++ includes/bootstrap.inc 25 Sep 2009 16:17:02 -0000
+@@ -991,7 +991,7 @@ function drupal_bootstrap($phase) {
 }
 function _drupal_bootstrap($phase) {
@@ -14,7 +36,7 @@ diff -u -r1.206.2.13 bootstrap.inc
 switch ($phase) {
-@@ -1017,6 +1017,18 @@
+@@ -1017,6 +1017,18 @@ function _drupal_bootstrap($phase) {
 break;
 case DRUPAL_BOOTSTRAP_DATABASE:
@@ -22,18 +44,18 @@ diff -u -r1.206.2.13 bootstrap.inc
 + // running tests. However, for security reasons, it is imperative that we
 + // validate we ourselves made the request.
 + $GLOBALS['simpletest_installed'] = TRUE;
-+ if (isset($_SERVER['HTTP_USER_AGENT']) && (strpos($_SERVER['HTTP_USER_AGENT'], "simpletest") !== FALSE) && !drupal_valid_test_ua($_SERVER['HTTP_USER_AGENT'])) {
-+ header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
-+ exit;
-+ }
 + if (isset($_SERVER['HTTP_USER_AGENT']) && preg_match("/^(simpletest\d+);/", $_SERVER['HTTP_USER_AGENT'], $matches)) {
++ if (!drupal_valid_test_ua($_SERVER['HTTP_USER_AGENT'])) {
++ header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
++ exit;
++ }
 + $db_prefix .= $matches[1];
 + }
 +
 // Initialize the default database.
 require_once './includes/database.inc';
 db_set_active();
-@@ -1205,3 +1217,46 @@
+@@ -1205,3 +1217,46 @@ function ip_address() {
 return $ip_address;
 }
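Review bot: With the validity check moved inside the `preg_match` branch of the `DRUPAL_BOOTSTRAP_DATABASE` case, a User-Agent that contains `simpletest` but does not match `^(simpletest\d+);` is no longer answered with 403; it is simply served without a test prefix. That looks safe, because `$db_prefix` is only extended after `drupal_valid_test_ua()` has accepted the header, but install.php keeps the broader `strpos` test, so the two entry points now differ in what they treat as a test request and the comment does not say why. I would add a line above the `preg_match` such as `// Only a User-Agent of the form 'simpletestNNN;...' that passes drupal_valid_test_ua() selects a test prefix; any other value is handled as a normal request.` `drupal_valid_test_ua()` is defined outside the visible hunks, so the strength of the validation itself cannot be judged from here, and the `case` body continues past the end of the hunk.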
@@ -84,10 +106,19 @@ Index: includes/common.inc
 ===================================================================
 RCS file: /cvs/drupal/drupal/includes/common.inc,v
 retrieving revision 1.756.2.65
-diff -u -r1.756.2.65 common.inc
---- includes/common.inc 14 Sep 2009 14:55:09 -0000 1.756.2.65
-+++ includes/common.inc 14 Sep 2009 23:15:19 -0000
-@@ -2595,6 +2595,15 @@
+diff -u -p -r1.756.2.65 common.inc
+--- includes/common.inc 14 Sep 2009 14:55:09 -0000 1.756.2.65
++++ includes/common.inc 25 Sep 2009 16:17:03 -0000
+@@ -510,7 +510,7 @@ function drupal_http_request($url, $head
+ // same time won't interfere with each other as they would if the database
+ // prefix were stored statically in a file or database variable.
+ if (is_string($db_prefix) && preg_match("/^simpletest\d+$/", $db_prefix, $matches)) {
+- $defaults['User-Agent'] = 'User-Agent: ' . $matches[0];
++ $defaults['User-Agent'] = 'User-Agent: ' . drupal_generate_test_ua($matches[0]);
+ }
+
+ foreach ($headers as $header => $value) {
+@@ -2595,6 +2595,15 @@ function _drupal_bootstrap_full() {
 unicode_check();
 // Undo magic quotes
 fix_gpc_magic();
@@ -103,7 +134,7 @@ diff -u -r1.756.2.65 common.inc
 // Load all enabled modules
 module_load_all();
 // Let all modules take action before menu system handles the request
-@@ -3712,3 +3721,262 @@
+@@ -3712,3 +3721,262 @@ function _drupal_flush_css_js() {
 }
 variable_set('css_js_query_string', $new_character . substr($string_history, 0, 19));
 }
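Review bot: The visible part of the comment above the changed line in `drupal_http_request()` explains why the prefix travels in the request, but not that the header value is now produced by `drupal_generate_test_ua()` rather than being the bare prefix. Since bootstrap answers 403 to a `simpletestNNN;` User-Agent that fails `drupal_valid_test_ua()`, test sub-requests depend on this line, and that is worth stating next to it: `// The prefix is wrapped by drupal_generate_test_ua() so that bootstrap can check the request with drupal_valid_test_ua().` Neither helper is defined in the visible hunks, so the pairing is inferred from the names and should be confirmed. The `foreach ($headers ...)` loop that follows presumably merges caller-supplied headers over `$defaults`; if so, a caller passing its own User-Agent would replace the generated value, which is worth checking because the loop body lies outside the hunk.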
@@ -366,25 +397,3 @@ diff -u -r1.756.2.65 common.inc
 + $string = $print_r ? print_r($data, TRUE) : var_export($data, TRUE);
 + trigger_error(trim($label ? "$label: $string" : $string));
 +}
-Index: install.php
-===================================================================
-RCS file: /cvs/drupal/drupal/install.php,v
-retrieving revision 1.113.2.9
-diff -u -r1.113.2.9 install.php
---- install.php 27 Apr 2009 10:50:35 -0000 1.113.2.9
-+++ install.php 14 Sep 2009 23:15:19 -0000
-@@ -20,6 +20,14 @@
- require_once './includes/bootstrap.inc';
- drupal_bootstrap(DRUPAL_BOOTSTRAP_CONFIGURATION);
-
-+ // The user agent header is used to pass a database prefix in the request when
-+ // running tests. However, for security reasons, it is imperative that no
-+ // installation be permitted using such a prefix.
-+ if (isset($_SERVER['HTTP_USER_AGENT']) && strpos($_SERVER['HTTP_USER_AGENT'], "simpletest") !== FALSE) {
-+ header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
-+ exit;
-+ }
-+
- // This must go after drupal_bootstrap(), which unsets globals!
- global $profile, $install_locale, $conf;
-