Index: includes/authorize.inc
===================================================================
RCS file: /Users/wright/drupal/local_repo/drupal/includes/authorize.inc,v
retrieving revision 1.3
diff -u -p -u -p -r1.3 authorize.inc
--- includes/authorize.inc 27 Oct 2009 03:27:00 -0000 1.3
+++ includes/authorize.inc 30 Oct 2009 08:35:04 -0000
@@ -10,10 +10,12 @@
* Build the form for choosing a FileTransfer type and supplying credentials.
*/
function authorize_filetransfer_form($form_state) {
- global $base_url;
+ global $base_url, $is_https;
$form = array();
- $form['#action'] = $base_url . '/authorize.php';
+ // If possible, we want to post this form securely via https.
+ $form['#https'] = TRUE;
+
// CSS we depend on lives in modules/system/maintenance.css, which is loaded
// via the default maintenance theme.
$form['#attached']['js'][] = $base_url . '/misc/authorize.js';
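Review bot: The new comment `// If possible, we want to post this form securely via https.` does not say what "possible" means, which matters because this form collects file-transfer credentials. Judging by the form_builder() condition in includes/form.inc in this same patch, `#https` is honoured only when the `https` variable is TRUE and the action is not external, so on a default configuration the form still posts over the current scheme. I would word it as `// Request an HTTPS post; form_builder() only honours #https when variable 'https' is TRUE.` The function body continues outside this hunk.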
@@ -26,6 +28,10 @@ function authorize_filetransfer_form($fo
$available_backends = $_SESSION['authorize_filetransfer_backends'];
uasort($available_backends, 'drupal_sort_weight');
+ if (!$is_https) {
+ drupal_set_message(t('WARNING: You are not using an encrypted connection, so your password will be sent in plain text. Learn more.', array('@https-link' => 'http://drupal.org/https-information')), 'error');
+ }
+
// Decide on a default backend.
if (isset($form_state['values']['connection_settings']['authorize_filetransfer_default'])) {
$authorize_filetransfer_default = $form_state['values']['connection_settings']['authorize_filetransfer_default'];
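Review bot: The `t()` call passes `'@https-link'` in its arguments, but the message text as shown here contains no `@https-link` placeholder, so "Learn more." would render without a link. This may be markup lost from the page rather than from the patch, so check that the string carries an anchor whose href is `@https-link`. Separately, the message is set each time the form is built, so a rebuild after a validation error could show the warning twice; passing `FALSE` as the third (`$repeat`) argument of `drupal_set_message()` avoids that. `$is_https` comes from the `global` line added in the previous hunk, and the function continues past this hunk.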
Index: includes/common.inc
===================================================================
RCS file: /Users/wright/drupal/local_repo/drupal/includes/common.inc,v
retrieving revision 1.1031
diff -u -p -u -p -r1.1031 common.inc
--- includes/common.inc 27 Oct 2009 19:29:12 -0000 1.1031
+++ includes/common.inc 30 Oct 2009 08:33:56 -0000
@@ -2352,10 +2352,10 @@ function _format_date_callback(array $ma
* - 'alias': Defaults to FALSE. Whether the given path is a URL alias
* already.
* - 'external': Whether the given path is an external URL.
- * - 'language': An optional language object. Used to build the URL to link to
- * and look up the proper alias for the link.
+ * - 'language': An optional language object. Used to build the URL to link
+ * to and look up the proper alias for the link.
* - 'https': Whether this URL should point to a secure location. If not
- * specified, the current scheme is used, so the user stays on http or https
+ * defined, the current scheme is used, so the user stays on http or https
* respectively. TRUE enforces HTTPS and FALSE enforces HTTP, but HTTPS can
* only be enforced when the variable 'https' is set to TRUE.
* - 'base_url': Only used internally, to modify the base URL when a language
@@ -2376,14 +2376,15 @@ function url($path = NULL, array $option
'query' => array(),
'absolute' => FALSE,
'alias' => FALSE,
- 'https' => FALSE,
'prefix' => ''
);
if (!isset($options['external'])) {
// Return an external link if $path contains an allowed absolute URL.
- // Only call the slow filter_xss_bad_protocol if $path contains a ':' before
- // any / ? or #.
+ // Only call the slow filter_xss_bad_protocol if $path contains a ':'
+ // before any / ? or #.
+ // Note: we could use url_is_external($path) here, but that would
+ // requre another function call, and performance inside url() is critical.
$colonpos = strpos($path, ':');
$options['external'] = ($colonpos !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colonpos)) && filter_xss_bad_protocol($path, FALSE) == check_plain($path));
}
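Review bot: The inline external-URL test on the `$options['external'] = ...` line is now a second copy of the expression in `url_is_external()`, and the new comment explains why but does not tell maintainers to keep the two in step. Since this test decides whether a path is treated as external, a fix applied to one copy only would leave the other stale; suggest adding `// Keep this expression identical to url_is_external().` The comment also has a typo, `requre` for `require`. With the `'https' => FALSE` default removed, any read of `$options['https']` elsewhere in url() (outside this hunk) needs an `isset()` guard, as the block added later in the function has.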
@@ -2411,6 +2412,14 @@ function url($path = NULL, array $option
if ($options['query']) {
$path .= (strpos($path, '?') !== FALSE ? '&' : '?') . drupal_http_build_query($options['query']);
}
+ if (isset($options['https']) && variable_get('https', FALSE)) {
+ if ($options['https'] === TRUE) {
+ $path = str_replace('http://', 'https://', $path);
+ }
+ elseif ($options['https'] === FALSE) {
+ $path = str_replace('https://', 'http://', $path);
+ }
+ }
// Reassemble.
return $path . $options['fragment'];
}
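Review bot: `str_replace('http://', 'https://', $path)` rewrites every occurrence of the string, not just the scheme, and it runs after the query string has been appended. A path that already carries a URL in its own query (the `strpos($path, '?')` branch just above allows for that) gets the embedded URL rewritten too. Anchor the rewrite to the start, e.g. `$path = preg_replace('!^http://!i', 'https://', $path);` with the mirror expression for the FALSE case, ideally before the query is appended. Also confirm that `'https' => FALSE` turning an `https://` URL into `http://` is intended here, since this looks like the external-URL branch and the downgrade would then apply to third-party links. The enclosing url() body starts and ends outside this hunk.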
@@ -2489,6 +2498,16 @@ function url($path = NULL, array $option
}
/**
+ * Return TRUE if a path is external (e.g. http://example.com).
+ */
+function url_is_external($path) {
+ $colonpos = strpos($path, ':');
+ // Only call the slow filter_xss_bad_protocol if $path contains a ':'
+ // before any / ? or #.
+ return $colonpos !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colonpos)) && filter_xss_bad_protocol($path, FALSE) == check_plain($path);
+}
+
+/**
* Format an attribute string to insert in a tag.
*
* Each array key and its value will be formatted into an HTML attribute string.
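Review bot: The docblock for `url_is_external()` has no `@param`/`@return` and does not state what counts as external, which matters because callers in this patch (`shortcut_valid_link()`, `menu_valid_path()`, `form_builder()`) base validation decisions on the result. As written, TRUE is returned only for a path with a `:` before any `/`, `?` or `#` whose scheme `filter_xss_bad_protocol()` leaves unchanged; a scheme-relative path such as `//example.com` has no such colon and returns FALSE. I would document `$path` and the boolean return, and add a sentence that FALSE means "no allowed scheme found", not "safe local path".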
Index: includes/form.inc
===================================================================
RCS file: /Users/wright/drupal/local_repo/drupal/includes/form.inc,v
retrieving revision 1.387
diff -u -p -u -p -r1.387 form.inc
--- includes/form.inc 27 Oct 2009 04:12:39 -0000 1.387
+++ includes/form.inc 30 Oct 2009 08:33:56 -0000
@@ -1017,7 +1017,7 @@ function form_builder($form_id, $element
// Special handling if we're on the top level form element.
if (isset($element['#type']) && $element['#type'] == 'form') {
if (!empty($element['#https']) && variable_get('https', FALSE) &&
- !menu_path_is_external($element['#action'])) {
+ !url_is_external($element['#action'])) {
global $base_root;
// Not an external URL so ensure that it is secure.
Index: includes/menu.inc
===================================================================
RCS file: /Users/wright/drupal/local_repo/drupal/includes/menu.inc,v
retrieving revision 1.357
diff -u -p -u -p -r1.357 menu.inc
--- includes/menu.inc 17 Oct 2009 11:39:15 -0000 1.357
+++ includes/menu.inc 30 Oct 2009 08:33:56 -0000
@@ -2517,7 +2517,7 @@ function menu_link_save(&$item) {
// This is the easiest way to handle the unique internal path '',
// since a path marked as external does not need to match a router path.
- $item['external'] = (menu_path_is_external($item['link_path']) || $item['link_path'] == '') ? 1 : 0;
+ $item['external'] = (url_is_external($item['link_path']) || $item['link_path'] == '') ? 1 : 0;
// Load defaults.
$item += array(
'menu_name' => 'navigation',
@@ -3187,14 +3187,6 @@ function _menu_router_save($menu, $masks
}
/**
- * Returns TRUE if a path is external (e.g. http://example.com).
- */
-function menu_path_is_external($path) {
- $colonpos = strpos($path, ':');
- return $colonpos !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colonpos)) && filter_xss_bad_protocol($path, FALSE) == check_plain($path);
-}
-
-/**
* Checks whether the site is in maintenance mode.
*
* This function will log the current user out and redirect to front page
@@ -3254,7 +3246,7 @@ function menu_valid_path($form_item) {
$path = $form_item['link_path'];
// We indicate that a menu administrator is running the menu access check.
$menu_admin = TRUE;
- if ($path == '' || menu_path_is_external($path)) {
+ if ($path == '' || url_is_external($path)) {
$item = array('access' => TRUE);
}
elseif (preg_match('/\/\%/', $path)) {
Index: modules/menu/menu.admin.inc
===================================================================
RCS file: /Users/wright/drupal/local_repo/drupal/modules/menu/menu.admin.inc,v
retrieving revision 1.65
diff -u -p -u -p -r1.65 menu.admin.inc
--- modules/menu/menu.admin.inc 15 Oct 2009 14:07:29 -0000 1.65
+++ modules/menu/menu.admin.inc 30 Oct 2009 08:33:56 -0000
@@ -355,7 +355,7 @@ function menu_edit_item_validate($form,
drupal_set_message(t('The menu system stores system paths only, but will use the URL alias for display. %link_path has been stored as %normal_path', array('%link_path' => $item['link_path'], '%normal_path' => $normal_path)));
$item['link_path'] = $normal_path;
}
- if (!menu_path_is_external($item['link_path'])) {
+ if (!url_is_external($item['link_path'])) {
$parsed_link = parse_url($item['link_path']);
if (isset($parsed_link['query'])) {
$item['options']['query'] = $parsed_link['query'];
Index: modules/shortcut/shortcut.module
===================================================================
RCS file: /Users/wright/drupal/local_repo/drupal/modules/shortcut/shortcut.module,v
retrieving revision 1.2
diff -u -p -u -p -r1.2 shortcut.module
--- modules/shortcut/shortcut.module 23 Oct 2009 22:24:17 -0000 1.2
+++ modules/shortcut/shortcut.module 30 Oct 2009 08:33:56 -0000
@@ -482,7 +482,7 @@ function shortcut_valid_link($path) {
$path = $normal_path;
}
// Only accept links that correspond to valid paths on the site itself.
- return !menu_path_is_external($path) && menu_get_item($path);
+ return !url_is_external($path) && menu_get_item($path);
}
/**
Index: modules/system/system.module
===================================================================
RCS file: /Users/wright/drupal/local_repo/drupal/modules/system/system.module,v
retrieving revision 1.828
diff -u -p -u -p -r1.828 system.module
--- modules/system/system.module 29 Oct 2009 06:58:56 -0000 1.828
+++ modules/system/system.module 30 Oct 2009 08:33:56 -0000
@@ -1534,10 +1534,19 @@ function system_authorized_init($callbac
/**
* Return the URL for the authorize.php script.
+ *
+ * @param array $options
+ * Optional array of options to pass to url().
+ * @return
+ * The full URL to authorize.php, using https if available.
*/
-function system_authorized_get_url() {
+function system_authorized_get_url(array $options = array()) {
global $base_url;
- return $base_url . '/authorize.php';
+ // Force https if available, regardless of what the caller specifies.
+ $options['https'] = TRUE;
+ // We prefix with $base_url so we get a full path even if clean URLs are
+ // disabled.
+ return url($base_url . '/authorize.php', $options);
}
/**
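Review bot: The comment `// Force https if available` and the `@return` text do not say what "available" means. Per the block added to url() in this patch, the rewrite only happens when `variable_get('https', FALSE)` is TRUE; otherwise the URL keeps the scheme of `$base_url`. State that in the docblock and give `@return` a type (`string`). Because every other caller option passes through, a caller-supplied `'external'` key could change which branch of url() handles this absolute URL; setting `$options['external'] = TRUE;` next to the `https` line would pin it, assuming the https rewrite sits in url()'s external branch, which this patch does not fully show.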
@@ -1551,6 +1560,17 @@ function system_authorized_run($callback
}
/**
+ * Use authorize.php to run batch_process().
+ *
+ * @see batch_process()
+ */
+function system_authorized_batch_process() {
+ $finish_url = system_authorized_get_url();
+ $process_url = system_authorized_get_url(array('query' => array('batch' => '1')));
+ batch_process($finish_url, $process_url);
+}
+
+/**
* @} End of "defgroup authorize".
*/
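Review bot: The docblock for `system_authorized_batch_process()` omits its precondition: both call sites in modules/update/update.authorize.inc call `batch_set($batch)` immediately before it. Add a sentence such as `A batch must already have been defined with batch_set().` It is also worth noting that the finish and process URLs both come from `system_authorized_get_url()`, so they follow the same HTTPS rule as that function.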
Index: modules/update/update.authorize.inc
===================================================================
RCS file: /Users/wright/drupal/local_repo/drupal/modules/update/update.authorize.inc,v
retrieving revision 1.2
diff -u -p -u -p -r1.2 update.authorize.inc
--- modules/update/update.authorize.inc 22 Oct 2009 00:52:03 -0000 1.2
+++ modules/update/update.authorize.inc 30 Oct 2009 08:33:56 -0000
@@ -24,8 +24,6 @@
* - 'local_url': The locally installed location of new code to update with.
*/
function update_authorize_run_update($filetransfer, $projects) {
- global $base_url;
-
$operations = array();
foreach ($projects as $project => $project_info) {
$operations[] = array(
@@ -49,7 +47,7 @@ function update_authorize_run_update($fi
batch_set($batch);
// Invoke the batch via authorize.php.
- batch_process($base_url . '/authorize.php', $base_url . '/authorize.php?batch=1');
+ system_authorized_batch_process();
}
/**
@@ -67,8 +65,6 @@ function update_authorize_run_update($fi
* already been downloaded and extracted into.
*/
function update_authorize_run_install($filetransfer, $project, $updater_name, $local_url) {
- global $base_url;
-
$operations[] = array(
'update_authorize_batch_copy_project',
array(
@@ -91,8 +87,7 @@ function update_authorize_run_install($f
batch_set($batch);
// Invoke the batch via authorize.php.
- batch_process($base_url . '/authorize.php', $base_url . '/authorize.php?batch=1');
-
+ system_authorized_batch_process();
}
/**