Index: modules/menu/menu.admin.inc =================================================================== RCS file: /Users/wright/drupal/local_repo/drupal/modules/menu/menu.admin.inc,v retrieving revision 1.65 diff -u -p -r1.65 menu.admin.inc --- modules/menu/menu.admin.inc 15 Oct 2009 14:07:29 -0000 1.65 +++ modules/menu/menu.admin.inc 28 Oct 2009 19:49:22 -0000 @@ -355,7 +355,7 @@ function menu_edit_item_validate($form, drupal_set_message(t('The menu system stores system paths only, but will use the URL alias for display. %link_path has been stored as %normal_path', array('%link_path' => $item['link_path'], '%normal_path' => $normal_path))); $item['link_path'] = $normal_path; } - if (!menu_path_is_external($item['link_path'])) { + if (!url_is_external($item['link_path'])) { $parsed_link = parse_url($item['link_path']); if (isset($parsed_link['query'])) { $item['options']['query'] = $parsed_link['query']; Index: modules/shortcut/shortcut.module =================================================================== RCS file: /Users/wright/drupal/local_repo/drupal/modules/shortcut/shortcut.module,v retrieving revision 1.2 diff -u -p -r1.2 shortcut.module --- modules/shortcut/shortcut.module 23 Oct 2009 22:24:17 -0000 1.2 +++ modules/shortcut/shortcut.module 28 Oct 2009 19:49:51 -0000 @@ -482,7 +482,7 @@ function shortcut_valid_link($path) { $path = $normal_path; } // Only accept links that correspond to valid paths on the site itself. - return !menu_path_is_external($path) && menu_get_item($path); + return !url_is_external($path) && menu_get_item($path); } /** Index: modules/system/system.module =================================================================== RCS file: /Users/wright/drupal/local_repo/drupal/modules/system/system.module,v retrieving revision 1.827 diff -u -p -r1.827 system.module --- modules/system/system.module 27 Oct 2009 04:16:39 -0000 1.827 +++ modules/system/system.module 28 Oct 2009 19:47:48 -0000 
@@ -1492,7 +1492,18 @@ function system_run_authorized($callback
 }
 // Finally, redirect to authorize.php.
- drupal_goto($base_url . '/authorize.php');
+ drupal_goto($base_url . '/authorize.php', array('https' => TRUE));
+}
+
+/**
+ * Use authorize.php to run batch_process().
+ *
+ * @see batch_process()
+ */
+function system_authorized_batch_process() {
+ global $base_url, $base_secure_url;
+ $authorize_url = (variable_get('https', FALSE) ? $base_secure_url : $base_url) . '/authorize.php';
+ batch_process($authorize_url, $authorize_url . '?batch=1');
 }
 /**
Index: modules/update/update.authorize.inc
===================================================================
RCS file: /Users/wright/drupal/local_repo/drupal/modules/update/update.authorize.inc,v
retrieving revision 1.2
diff -u -p -r1.2 update.authorize.inc
--- modules/update/update.authorize.inc 22 Oct 2009 00:52:03 -0000 1.2
+++ modules/update/update.authorize.inc 28 Oct 2009 19:47:48 -0000
@@ -24,8 +24,6 @@
 * - 'local_url': The locally installed location of new code to update with.
 */
 function update_authorize_run_update($filetransfer, $projects) {
- global $base_url;
-
 $operations = array();
 foreach ($projects as $project => $project_info) {
 $operations[] = array(
@@ -49,7 +47,7 @@ function update_authorize_run_update($fi
 batch_set($batch);
 // Invoke the batch via authorize.php.
- batch_process($base_url . '/authorize.php', $base_url . '/authorize.php?batch=1');
+ system_authorized_batch_process();
 }
 /**
@@ -67,8 +65,6 @@ function update_authorize_run_update($fi
 * already been downloaded and extracted into.
 */
 function update_authorize_run_install($filetransfer, $project, $updater_name, $local_url) {
- global $base_url;
-
 $operations[] = array(
 'update_authorize_batch_copy_project',
 array(
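Review bot: The new system_authorized_batch_process() and the changed drupal_goto() call decide the scheme in two different ways: the redirect relies on url() rewriting `$base_url` when `'https' => TRUE` is passed, while the batch helper picks `$base_secure_url` itself via `variable_get('https', FALSE)`; both silently fall back to plain HTTP when the `https` variable is off, and neither docblock says so. Suggest extending the new docblock along the lines of `Use authorize.php to run batch_process(). The batch runs over HTTPS only when the 'https' variable is TRUE; otherwise the batch requests (and the credentials entered before them) travel over $base_url unencrypted.` If url() can be used to build the two batch URLs instead of hand-assembling them, the two code paths cannot drift apart. system_run_authorized() starts outside the hunk.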
@@ -91,8 +87,7 @@ function update_authorize_run_install($f batch_set($batch); // Invoke the batch via authorize.php. - batch_process($base_url . '/authorize.php', $base_url . '/authorize.php?batch=1'); - + system_authorized_batch_process(); } /** cvs diff: Diffing includes Index: includes/authorize.inc =================================================================== RCS file: /Users/wright/drupal/local_repo/drupal/includes/authorize.inc,v retrieving revision 1.3 diff -u -p -r1.3 authorize.inc --- includes/authorize.inc 27 Oct 2009 03:27:00 -0000 1.3 +++ includes/authorize.inc 28 Oct 2009 19:47:48 -0000 @@ -10,10 +10,12 @@ * Build the form for choosing a FileTransfer type and supplying credentials. */ function authorize_filetransfer_form($form_state) { - global $base_url; + global $base_url, $is_https; $form = array(); - $form['#action'] = $base_url . '/authorize.php'; + // If possible, we want to post this form securely via https. + $form['#https'] = TRUE; + // CSS we depend on lives in modules/system/maintenance.css, which is loaded // via the default maintenance theme. $form['#attached']['js'][] = $base_url . '/misc/authorize.js'; 
@@ -26,6 +28,16 @@ function authorize_filetransfer_form($fo
 $available_backends = $_SESSION['authorize_filetransfer_backends'];
 uasort($available_backends, 'drupal_sort_weight');
+ if (!$is_https) {
+ if (isset($available_backends['ssh']) && !variable_get('allow_ssh_authorization_over_http', FALSE)) {
+ drupal_set_message(t('WARNING: you are not using an encrypted connection via https, so your password will be sent in plain text over the network. The SSH backend was disabled to protect the integrity of your password.'), 'error');
+ unset($available_backends['ssh']);
+ }
+ else {
+ drupal_set_message(t('WARNING: you are not using an encrypted connection via https, so your password will be sent in plain text over the network.'), 'error');
+ }
+ }
+
 // Decide on a default backend.
 if (isset($form_state['values']['connection_settings']['authorize_filetransfer_default'])) {
 $authorize_filetransfer_default = $form_state['values']['connection_settings']['authorize_filetransfer_default'];
Index: includes/common.inc
===================================================================
RCS file: /Users/wright/drupal/local_repo/drupal/includes/common.inc,v
retrieving revision 1.1031
diff -u -p -r1.1031 common.inc
--- includes/common.inc 27 Oct 2009 19:29:12 -0000 1.1031
+++ includes/common.inc 28 Oct 2009 19:48:32 -0000
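Review bot: The SSH backend is removed only from the local `$available_backends` array used to build the form, so whether a submitted value of `ssh` is also rejected on validation depends on code past the end of the hunk (if the select's #options are built from this filtered array, Form API will refuse the value, but that is not visible here); a comment stating that, or an explicit check in the validate handler, would make the intent clear. `allow_ssh_authorization_over_http` is a bare settings.php override with no documentation anywhere in the hunk; a comment such as `// $conf['allow_ssh_authorization_over_http'] = TRUE in settings.php re-enables sending SSH credentials over plain HTTP; intended for local development only.` would help the next reader. The FTP backend is still offered after the warning, so the first message is accurate for it: the FTP password crosses the network in clear. authorize_filetransfer_form() continues outside the hunk.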
@@ -2352,10 +2352,10 @@ function _format_date_callback(array $ma * - 'alias': Defaults to FALSE. Whether the given path is a URL alias * already. * - 'external': Whether the given path is an external URL. - * - 'language': An optional language object. Used to build the URL to link to - * and look up the proper alias for the link. + * - 'language': An optional language object. Used to build the URL to link + * to and look up the proper alias for the link. * - 'https': Whether this URL should point to a secure location. If not - * specified, the current scheme is used, so the user stays on http or https + * defined, the current scheme is used, so the user stays on http or https * respectively. TRUE enforces HTTPS and FALSE enforces HTTP, but HTTPS can * only be enforced when the variable 'https' is set to TRUE. * - 'base_url': Only used internally, to modify the base URL when a language @@ -2376,14 +2376,15 @@ function url($path = NULL, array $option 'query' => array(), 'absolute' => FALSE, 'alias' => FALSE, - 'https' => FALSE, 'prefix' => '' ); if (!isset($options['external'])) { // Return an external link if $path contains an allowed absolute URL. - // Only call the slow filter_xss_bad_protocol if $path contains a ':' before - // any / ? or #. + // Only call the slow filter_xss_bad_protocol if $path contains a ':' + // before any / ? or #. + // Note: we could use url_is_external($path) here, but that would + // requre another function call, and performance inside url() is critical. $colonpos = strpos($path, ':'); $options['external'] = ($colonpos !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colonpos)) && filter_xss_bad_protocol($path, FALSE) == check_plain($path)); } 
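Review bot: The added comment in url() has a typo, `requre` for `require`, worth fixing before commit. Dropping the `'https' => FALSE` default also changes what the option means to existing callers: the new code distinguishes an unset option (keep the current scheme) from an explicit FALSE (force HTTP), so a caller that passed FALSE when that was merely the default now forces a downgrade to http on sites where the `https` variable is on, assuming the old code did not already treat FALSE that way. The rewritten doc paragraph covers the new contract, but an API-change note would help contrib authors. url() starts and ends outside the hunk.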
@@ -2411,6 +2412,14 @@ function url($path = NULL, array $option
 if ($options['query']) {
 $path .= (strpos($path, '?') !== FALSE ? '&' : '?') . drupal_http_build_query($options['query']);
 }
+ if (isset($options['https']) && variable_get('https', FALSE)) {
+ if ($options['https'] === TRUE) {
+ $path = str_replace('http://', 'https://', $path);
+ }
+ elseif ($options['https'] === FALSE) {
+ $path = str_replace('https://', 'http://', $path);
+ }
+ }
 // Reassemble.
 return $path . $options['fragment'];
 }
@@ -2489,6 +2498,16 @@ function url($path = NULL, array $option
 }
 /**
+ * Return TRUE if a path is external (e.g. http://example.com).
+ */
+function url_is_external($path) {
+ $colonpos = strpos($path, ':');
+ // Only call the slow filter_xss_bad_protocol if $path contains a ':'
+ // before any / ? or #.
+ return $colonpos !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colonpos)) && filter_xss_bad_protocol($path, FALSE) == check_plain($path);
+}
+
+/**
 * Format an attribute string to insert in a tag.
 *
 * Each array key and its value will be formatted into an HTML attribute string.
Index: includes/form.inc
===================================================================
RCS file: /Users/wright/drupal/local_repo/drupal/includes/form.inc,v
retrieving revision 1.387
diff -u -p -r1.387 form.inc
--- includes/form.inc 27 Oct 2009 04:12:39 -0000 1.387
+++ includes/form.inc 28 Oct 2009 19:48:56 -0000
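Review bot: The scheme rewrite in the new `https` block runs `str_replace()` over the whole of `$path`, which at this point already carries the query string appended just above it, so an `http://` inside a query value (for example a `destination=http://…` parameter) is rewritten to `https://` too, and the mirror branch silently turns an `https://` inside a query value into plain `http://`. Anchoring the replacement to the start of the string avoids both: `if (strpos($path, 'http://') === 0) { $path = 'https://' . substr($path, 7); }` for the TRUE branch, and the equivalent with the schemes swapped for the FALSE branch. A one-line comment on the `=== FALSE` branch noting that it deliberately downgrades to http would also help, since that is not an obvious reading of a boolean called https. url()'s body begins outside the hunk.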
@@ -1017,7 +1017,7 @@ function form_builder($form_id, $element
 // Special handling if we're on the top level form element.
 if (isset($element['#type']) && $element['#type'] == 'form') {
 if (!empty($element['#https']) && variable_get('https', FALSE) &&
- !menu_path_is_external($element['#action'])) {
+ !url_is_external($element['#action'])) {
 global $base_root;
 // Not an external URL so ensure that it is secure.
Index: includes/menu.inc
===================================================================
RCS file: /Users/wright/drupal/local_repo/drupal/includes/menu.inc,v
retrieving revision 1.357
diff -u -p -r1.357 menu.inc
--- includes/menu.inc 17 Oct 2009 11:39:15 -0000 1.357
+++ includes/menu.inc 28 Oct 2009 19:48:46 -0000
@@ -2517,7 +2517,7 @@ function menu_link_save(&$item) {
 // This is the easiest way to handle the unique internal path '',
 // since a path marked as external does not need to match a router path.
- $item['external'] = (menu_path_is_external($item['link_path']) || $item['link_path'] == '') ? 1 : 0;
+ $item['external'] = (url_is_external($item['link_path']) || $item['link_path'] == '') ? 1 : 0;
 // Load defaults.
 $item += array(
 'menu_name' => 'navigation',
@@ -3187,14 +3187,6 @@ function _menu_router_save($menu, $masks
 }
 /**
- * Returns TRUE if a path is external (e.g. http://example.com).
- */
-function menu_path_is_external($path) {
- $colonpos = strpos($path, ':');
- return $colonpos !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colonpos)) && filter_xss_bad_protocol($path, FALSE) == check_plain($path);
-}
-
-/**
 * Checks whether the site is in maintenance mode.
 *
 * This function will log the current user out and redirect to front page
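Review bot: menu_path_is_external() is deleted outright in the second menu.inc hunk with no deprecated wrapper, so any contributed module still calling it will fatal once this lands. If that break is intended it should be called out in the commit message; otherwise keep a thin shim in its place, `function menu_path_is_external($path) { return url_is_external($path); }`, with an `@deprecated` docblock pointing at url_is_external() in common.inc so the move is documented where old callers will look for it.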
@@ -3254,7 +3246,7 @@ function menu_valid_path($form_item) { $path = $form_item['link_path']; // We indicate that a menu administrator is running the menu access check. $menu_admin = TRUE; - if ($path == '' || menu_path_is_external($path)) { + if ($path == '' || url_is_external($path)) { $item = array('access' => TRUE); } elseif (preg_match('/\/\%/', $path)) { cvs diff: Diffing includes/database cvs diff: Diffing includes/database/mysql cvs diff: Diffing includes/database/pgsql cvs diff: Diffing includes/database/sqlite cvs diff: Diffing includes/filetransfer