cvs diff: Diffing includes
Index: includes/authorize.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/authorize.inc,v
retrieving revision 1.3
diff -u -p -r1.3 authorize.inc
--- includes/authorize.inc	27 Oct 2009 03:27:00 -0000	1.3
+++ includes/authorize.inc	29 Oct 2009 08:04:37 -0000
@@ -10,10 +10,12 @@
  * Build the form for choosing a FileTransfer type and supplying credentials.
  */
 function authorize_filetransfer_form($form_state) {
-  global $base_url;
+  global $base_url, $is_https;
   $form = array();
 
-  $form['#action'] = $base_url . '/authorize.php';
+  // If possible, we want to post this form securely via https.
+  $form['#https'] = TRUE;
+
   // CSS we depend on lives in modules/system/maintenance.css, which is loaded
   // via the default maintenance theme.
   $form['#attached']['js'][] = $base_url . '/misc/authorize.js';
@@ -26,6 +28,10 @@ function authorize_filetransfer_form($fo
   $available_backends = $_SESSION['authorize_filetransfer_backends'];
   uasort($available_backends, 'drupal_sort_weight');
 
+  if (!$is_https) {
+    drupal_set_message(t('WARNING: you are not using an encrypted connection via https, so your password will be sent in plain text over the network.'), 'error');
+  }
+
   // Decide on a default backend.
   if (isset($form_state['values']['connection_settings']['authorize_filetransfer_default'])) {
     $authorize_filetransfer_default = $form_state['values']['connection_settings']['authorize_filetransfer_default'];
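Review bot: The warning added before "Decide on a default backend" is keyed on `!$is_https` alone and is advisory only, so the credentials form is still built and can be submitted over plain http. It also ignores whether `$form['#https'] = TRUE` (set earlier in this function) will move the POST to https, which, per the form_builder() lines in this patch, depends on `variable_get('https', FALSE)`. When that variable is on, the message misstates how the password is sent; when it is off, nothing but this message stands between the user and a cleartext submission. At minimum I would add a comment such as `// Advisory only: the form is still rendered and can be submitted over http.` and word the message according to whether the https upgrade is available. The body of authorize_filetransfer_form() continues outside the hunk.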
Index: includes/common.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/common.inc,v
retrieving revision 1.1031
diff -u -p -r1.1031 common.inc
--- includes/common.inc	27 Oct 2009 19:29:12 -0000	1.1031
+++ includes/common.inc	29 Oct 2009 08:04:41 -0000
@@ -2352,10 +2352,10 @@ function _format_date_callback(array $ma
  *   - 'alias': Defaults to FALSE. Whether the given path is a URL alias
  *     already.
  *   - 'external': Whether the given path is an external URL.
- *   - 'language': An optional language object. Used to build the URL to link to
- *     and look up the proper alias for the link.
+ *   - 'language': An optional language object. Used to build the URL to link
+ *     to and look up the proper alias for the link.
  *   - 'https': Whether this URL should point to a secure location. If not
- *     specified, the current scheme is used, so the user stays on http or https
+ *     defined, the current scheme is used, so the user stays on http or https
  *     respectively. TRUE enforces HTTPS and FALSE enforces HTTP, but HTTPS can
  *     only be enforced when the variable 'https' is set to TRUE.
  *   - 'base_url': Only used internally, to modify the base URL when a language
@@ -2376,14 +2376,15 @@ function url($path = NULL, array $option
     'query' => array(),
     'absolute' => FALSE,
     'alias' => FALSE,
-    'https' => FALSE,
     'prefix' => ''
   );
 
   if (!isset($options['external'])) {
     // Return an external link if $path contains an allowed absolute URL.
-    // Only call the slow filter_xss_bad_protocol if $path contains a ':' before
-    // any / ? or #.
+    // Only call the slow filter_xss_bad_protocol if $path contains a ':'
+    // before any / ? or #.
+    // Note: we could use url_is_external($path) here, but that would
+    // requre another function call, and performance inside url() is critical.
     $colonpos = strpos($path, ':');
     $options['external'] = ($colonpos !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colonpos)) && filter_xss_bad_protocol($path, FALSE) == check_plain($path));
   }
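Review bot: Dropping `'https' => FALSE` from the defaults array leaves `$options['https']` unset unless the caller passes it, so every read of that key in url() needs an `isset()` guard. The branch added later in this patch has one, but the rest of url() is outside this hunk and should be checked. The added comment has a typo: `requre` should be `require`. Since the external-URL test now exists both here and in url_is_external(), the comment could also say so, e.g. `// Keep this check identical to url_is_external().`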
@@ -2411,6 +2412,14 @@ function url($path = NULL, array $option
     if ($options['query']) {
       $path .= (strpos($path, '?') !== FALSE ? '&' : '?') . drupal_http_build_query($options['query']);
     }
+    if (isset($options['https']) && variable_get('https', FALSE)) {
+      if ($options['https'] === TRUE) {
+        $path = str_replace('http://', 'https://', $path);
+      }
+      elseif ($options['https'] === FALSE) {
+        $path = str_replace('https://', 'http://', $path);
+      }
+    }
     // Reassemble.
     return $path . $options['fragment'];
   }
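Review bot: The `str_replace('http://', 'https://', $path)` calls in the added block rewrite every occurrence in `$path`, not only the scheme. The query string has already been appended a few lines earlier, so a query value that itself contains a URL would be altered too. The match is also case-sensitive, so a URL written with an upper-case scheme is left on http even when `'https' => TRUE` is requested. Anchoring to the start addresses both: `$path = preg_replace('!^http://!i', 'https://', $path);` and the mirror `preg_replace('!^https://!i', 'http://', $path)` for the FALSE case. The enclosing branch of url() starts outside the hunk.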
@@ -2489,6 +2498,16 @@ function url($path = NULL, array $option
 }
 
 /**
+ * Return TRUE if a path is external (e.g. http://example.com).
+ */
+function url_is_external($path) {
+  $colonpos = strpos($path, ':');
+  // Only call the slow filter_xss_bad_protocol if $path contains a ':'
+  // before any / ? or #.
+  return $colonpos !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colonpos)) && filter_xss_bad_protocol($path, FALSE) == check_plain($path);
+}
+
+/**
  * Format an attribute string to insert in a tag.
  *
  * Each array key and its value will be formatted into an HTML attribute string.
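Review bot: The docblock for url_is_external() has no `@param` or `@return` and does not say what "external" means, which matters now that form_builder(), menu validation and shortcut validation all rely on it. From the body, a path is external only when a ':' occurs before any `/`, `?` or `#` and the filter_xss_bad_protocol() output equals `check_plain($path)`. A scheme-relative value such as `//example.com` therefore returns FALSE. I would add `@param $path` ("The internal path or external URL to test") and `@return` ("TRUE only if $path starts with an allowed protocol"). One sentence on the scheme-relative case would also help callers that use this as an "is local" test.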
Index: includes/form.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/form.inc,v
retrieving revision 1.387
diff -u -p -r1.387 form.inc
--- includes/form.inc	27 Oct 2009 04:12:39 -0000	1.387
+++ includes/form.inc	29 Oct 2009 08:04:43 -0000
@@ -1017,7 +1017,7 @@ function form_builder($form_id, $element
   // Special handling if we're on the top level form element.
   if (isset($element['#type']) && $element['#type'] == 'form') {
     if (!empty($element['#https']) && variable_get('https', FALSE) &&
-        !menu_path_is_external($element['#action'])) {
+        !url_is_external($element['#action'])) {
       global $base_root;
 
       // Not an external URL so ensure that it is secure.
Index: includes/menu.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/menu.inc,v
retrieving revision 1.357
diff -u -p -r1.357 menu.inc
--- includes/menu.inc	17 Oct 2009 11:39:15 -0000	1.357
+++ includes/menu.inc	29 Oct 2009 08:04:45 -0000
@@ -2517,7 +2517,7 @@ function menu_link_save(&$item) {
 
   // This is the easiest way to handle the unique internal path '<front>',
   // since a path marked as external does not need to match a router path.
-  $item['external'] = (menu_path_is_external($item['link_path'])  || $item['link_path'] == '<front>') ? 1 : 0;
+  $item['external'] = (url_is_external($item['link_path'])  || $item['link_path'] == '<front>') ? 1 : 0;
   // Load defaults.
   $item += array(
     'menu_name' => 'navigation',
@@ -3187,14 +3187,6 @@ function _menu_router_save($menu, $masks
 }
 
 /**
- * Returns TRUE if a path is external (e.g. http://example.com).
- */
-function menu_path_is_external($path) {
-  $colonpos = strpos($path, ':');
-  return $colonpos !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colonpos)) && filter_xss_bad_protocol($path, FALSE) == check_plain($path);
-}
-
-/**
  * Checks whether the site is in maintenance mode.
  *
  * This function will log the current user out and redirect to front page
@@ -3254,7 +3246,7 @@ function menu_valid_path($form_item) {
   $path = $form_item['link_path'];
   // We indicate that a menu administrator is running the menu access check.
   $menu_admin = TRUE;
-  if ($path == '<front>' || menu_path_is_external($path)) {
+  if ($path == '<front>' || url_is_external($path)) {
     $item = array('access' => TRUE);
   }
   elseif (preg_match('/\/\%/', $path)) {
cvs diff: Diffing modules/menu
Index: modules/menu/menu.admin.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/menu/menu.admin.inc,v
retrieving revision 1.65
diff -u -p -r1.65 menu.admin.inc
--- modules/menu/menu.admin.inc	15 Oct 2009 14:07:29 -0000	1.65
+++ modules/menu/menu.admin.inc	29 Oct 2009 08:04:45 -0000
@@ -355,7 +355,7 @@ function menu_edit_item_validate($form, 
     drupal_set_message(t('The menu system stores system paths only, but will use the URL alias for display. %link_path has been stored as %normal_path', array('%link_path' => $item['link_path'], '%normal_path' => $normal_path)));
     $item['link_path'] = $normal_path;
   }
-  if (!menu_path_is_external($item['link_path'])) {
+  if (!url_is_external($item['link_path'])) {
     $parsed_link = parse_url($item['link_path']);
     if (isset($parsed_link['query'])) {
       $item['options']['query'] = $parsed_link['query'];
cvs diff: Diffing modules/shortcut
Index: modules/shortcut/shortcut.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/shortcut/shortcut.module,v
retrieving revision 1.2
diff -u -p -r1.2 shortcut.module
--- modules/shortcut/shortcut.module	23 Oct 2009 22:24:17 -0000	1.2
+++ modules/shortcut/shortcut.module	29 Oct 2009 08:04:47 -0000
@@ -482,7 +482,7 @@ function shortcut_valid_link($path) {
     $path = $normal_path;
   }
   // Only accept links that correspond to valid paths on the site itself.
-  return !menu_path_is_external($path) && menu_get_item($path);
+  return !url_is_external($path) && menu_get_item($path);
 }
 
 /**
cvs diff: Diffing modules/system
Index: modules/system/system.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/system/system.module,v
retrieving revision 1.828
diff -u -p -r1.828 system.module
--- modules/system/system.module	29 Oct 2009 06:58:56 -0000	1.828
+++ modules/system/system.module	29 Oct 2009 08:04:48 -0000
@@ -1534,10 +1534,19 @@ function system_authorized_init($callbac
 
 /**
  * Return the URL for the authorize.php script.
+ *
+ * @param array $options
+ *   Optional array of options to pass to url().
+ * @return
+ *   The full URL to authorize.php, using https if available.
  */
-function system_authorized_get_url() {
+function system_authorized_get_url(array $options = array()) {
   global $base_url;
-  return $base_url . '/authorize.php';
+  // Force https if available, regardless of what the caller specifies.
+  $options['https'] = TRUE;
+  // We prefix with $base_url so we get a full path even if clean URLs are
+  // disabled.
+  return url($base_url . '/authorize.php', $options);
 }
 
 /**
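Review bot: The new `@param` says `$options` is passed to url(), but the body overwrites `$options['https']` unconditionally. That belongs in the parameter documentation rather than only in an inline comment, e.g. `Optional array of options to pass to url(). The 'https' key is always set to TRUE.` The `@return` wording "using https if available" is also vague. Judging by the url() change in this patch, the upgrade happens only when `variable_get('https', FALSE)` is TRUE; otherwise the returned URL keeps the scheme of `$base_url`. Stating that would stop callers from assuming authorize.php is always reached over https.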
@@ -1551,6 +1560,17 @@ function system_authorized_run($callback
 }
 
 /**
+ * Use authorize.php to run batch_process().
+ *
+ * @see batch_process()
+ */
+function system_authorized_batch_process() {
+  $finish_url = system_authorized_get_url();
+  $process_url = system_authorized_get_url(array('query' => array('batch' => '1')));
+  batch_process($finish_url, $process_url);
+}
+
+/**
  * @} End of "defgroup authorize".
  */
 
cvs diff: Diffing modules/update
Index: modules/update/update.authorize.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/update/update.authorize.inc,v
retrieving revision 1.2
diff -u -p -r1.2 update.authorize.inc
--- modules/update/update.authorize.inc	22 Oct 2009 00:52:03 -0000	1.2
+++ modules/update/update.authorize.inc	29 Oct 2009 08:04:48 -0000
@@ -24,8 +24,6 @@
  *   - 'local_url': The locally installed location of new code to update with.
  */
 function update_authorize_run_update($filetransfer, $projects) {
-  global $base_url;
-
   $operations = array();
   foreach ($projects as $project => $project_info) {
     $operations[] = array(
@@ -49,7 +47,7 @@ function update_authorize_run_update($fi
 
   batch_set($batch);
   // Invoke the batch via authorize.php.
-  batch_process($base_url . '/authorize.php', $base_url . '/authorize.php?batch=1');
+  system_authorized_batch_process();
 }
 
 /**
@@ -67,8 +65,6 @@ function update_authorize_run_update($fi
  *   already been downloaded and extracted into.
  */
 function update_authorize_run_install($filetransfer, $project, $updater_name, $local_url) {
-  global $base_url;
-
   $operations[] = array(
     'update_authorize_batch_copy_project',
     array(
@@ -91,8 +87,7 @@ function update_authorize_run_install($f
   batch_set($batch);
 
   // Invoke the batch via authorize.php.
-  batch_process($base_url . '/authorize.php', $base_url . '/authorize.php?batch=1');
-
+  system_authorized_batch_process();
 }
 
 /**
