Index: .htaccess =================================================================== RCS file: /cvs/drupal/drupal/.htaccess,v retrieving revision 1.104 diff -u -9 -p -r1.104 .htaccess --- .htaccess 16 Aug 2009 12:10:36 -0000 1.104 +++ .htaccess 17 Aug 2009 10:52:15 -0000 @@ -82,17 +82,16 @@ DirectoryIndex index.php index.html inde # VirtualDocumentRoot and the rewrite rules are not working properly. # For example if your site is at http://example.com/drupal uncomment and # modify the following line: # RewriteBase /drupal # # If your site is running in a VirtualDocumentRoot at http://example.com/, # uncomment the following line: # RewriteBase / - # Rewrite URLs of the form 'x' to the form 'index.php?q=x'. RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_URI} !=/favicon.ico - RewriteRule ^(.*)$ index.php?q=$1 [L,QSA] + RewriteRule ^ index.php [L] # $Id: .htaccess,v 1.104 2009/08/16 12:10:36 dries Exp $ Index: includes/bootstrap.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/bootstrap.inc,v retrieving revision 1.295 diff -u -9 -p -r1.295 bootstrap.inc --- includes/bootstrap.inc 16 Aug 2009 23:20:43 -0000 1.295 +++ includes/bootstrap.inc 17 Aug 2009 10:52:16 -0000 @@ -463,18 +463,26 @@ function drupal_environment_initialize() exit; } } else { // Some pre-HTTP/1.1 clients will not send a Host header. Ensure the key is // defined for E_ALL compliance. $_SERVER['HTTP_HOST'] = ''; } + // When clean URLs are enabled, emulate ?q=foo/bar using REQUEST_URI. It is + // not possible to append the query string using mod_rewrite without the B + // flag (this was added in Apache 2.2.8), because mod_rewrite unescapes the + // path before passing it on to PHP. + if (!isset($_GET['q']) && isset($_SERVER['REQUEST_URI'])) { + $_GET['q'] = rawurldecode(substr(strtok($_SERVER['REQUEST_URI'], '?#'), strlen(rtrim(dirname($_SERVER['SCRIPT_NAME']), '/\\')) + 1)); + } + // Enforce E_ALL, but allow users to set levels not part of E_ALL. error_reporting(E_ALL | error_reporting()); // Override PHP settings required for Drupal to work properly. // sites/default/default.settings.php contains more runtime settings. // The .htaccess file contains settings that cannot be changed at runtime. // Prevent PHP from generating HTML error messages. ini_set('html_errors', 0); Index: includes/common.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/common.inc,v retrieving revision 1.962 diff -u -9 -p -r1.962 common.inc --- includes/common.inc 17 Aug 2009 07:12:15 -0000 1.962 +++ includes/common.inc 17 Aug 2009 10:52:17 -0000 @@ -2148,19 +2148,19 @@ function url($path = NULL, array $option } if (function_exists('custom_url_rewrite_outbound')) { // Modules may alter outbound links by reference. custom_url_rewrite_outbound($path, $options, $original_path); } $base = $options['absolute'] ? $options['base_url'] . '/' : base_path(); $prefix = empty($path) ? rtrim($options['prefix'], '/') : $options['prefix']; - $path = drupal_encode_path($prefix . $path); + $path = drupal_urlencode($prefix . $path); if (variable_get('clean_url', '0')) { // With Clean URLs. if ($options['query']) { return $base . $path . '?' . $options['query'] . $options['fragment']; } else { return $base . $path . $options['fragment']; } @@ -3413,47 +3413,30 @@ function drupal_json($var = NULL) { // We are returning JavaScript, so tell the browser. drupal_set_header('Content-Type', 'text/javascript; charset=utf-8'); if (isset($var)) { echo drupal_to_js($var); } } /** - * Wrapper around urlencode() which avoids Apache quirks. + * Wrapper around rawurlencode() that does not escape slashes (for aesthetic + * reasons). * * Should be used when placing arbitrary data in an URL. Note that Drupal paths * are urlencoded() when passed through url() and do not require urlencoding() * of individual components. * - * Notes: - * - For esthetic reasons, we do not escape slashes. This also avoids a 'feature' - * in Apache where it 404s on any path containing '%2F'. - * - mod_rewrite unescapes %-encoded ampersands, hashes, and slashes when clean - * URLs are used, which are interpreted as delimiters by PHP. These - * characters are double escaped so PHP will still see the encoded version. - * - With clean URLs, Apache changes '//' to '/', so every second slash is - * double escaped. - * - This function should only be used on paths, not on query string arguments, - * otherwise unwanted double encoding will occur. - * * @param $text * String to encode */ -function drupal_encode_path($text) { - if (variable_get('clean_url', '0')) { - return str_replace(array('%2F', '%26', '%23', '//'), - array('/', '%2526', '%2523', '/%252F'), - rawurlencode($text)); - } - else { - return str_replace('%2F', '/', rawurlencode($text)); - } +function drupal_urlencode($text) { + return str_replace('%2F', '/', rawurlencode($text)); } /** * Returns a string of highly randomized bytes (over the full 8-bit range). * * This function is better than simply calling mt_rand() or any other built-in * PHP function because it can return a long string of bytes (compared to < 4 * bytes normally from mt_rand()) and uses the best available pseudo-random source. * Index: includes/file.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/file.inc,v retrieving revision 1.181 diff -u -9 -p -r1.181 file.inc --- includes/file.inc 17 Aug 2009 06:33:31 -0000 1.181 +++ includes/file.inc 17 Aug 2009 10:52:17 -0000 @@ -299,24 +299,41 @@ function file_stream_wrapper_get_instanc } /** * Create the download path to a file. * * @param $path A string containing the path of the file to generate URL for. * @return A string containing a URL that can be used to download the file. */ function file_create_url($path) { - // Strip file_directory_path from $path. We only include relative paths in - // URLs. $path = file_directory_strip($path); + if (substr(PHP_OS, 0, 3) == 'WIN') { + // On Windows, both "/" and "\" may be used as directory separator, but + // use "/" for prettier URLs. + $path = strtr($path, '\\', '/'); + } switch (variable_get('file_downloads', FILE_DOWNLOADS_PUBLIC)) { case FILE_DOWNLOADS_PUBLIC: - return $GLOBALS['base_url'] . '/' . file_directory_path() . '/' . str_replace('\\', '/', $path); + if (substr(PHP_OS, 0, 3) == 'WIN') { + // The filesystem functions in PHP 5 on Windows do not support + // UTF-8-encoded filenames but always assume that filenames are encoded + // in Windows-1252. In order to support filenames containing characters + // not in Windows-1252, Drupal passes UTF-8-encoded filenames to the + // filesystem functions, making PHP treat each octet in the + // UTF-8-encoded string as a Windows-1252 character. This will make the + // filenames look mangled (like viewing an UTF-8-encoded file in a + // text editor without support for UTF-8) when viewed with external + // programs, e.g. Windows Explorer. The web server does not know about + // this convention, so we need to make the URL reflecting the actual + // filenames when using public files. + $path = drupal_convert_to_utf8($path, 'Windows-1252'); + } + return $GLOBALS['base_url'] . '/' . file_directory_path() . '/' . str_replace('%2F', '/', rawurlencode($path)); case FILE_DOWNLOADS_PRIVATE: return url('system/files/' . $path, array('absolute' => TRUE)); } } /** * Make sure the destination is a complete path and resides in the file system * directory, if it is not prepend the file system directory. * @@ -922,18 +939,24 @@ function file_unmunge_filename($filename * @param $basename * String filename * @param $directory * String directory * @return * File path consisting of $directory and a unique filename based off * of $basename. */ function file_create_filename($basename, $directory) { + // Strip control characters. + $basename = preg_replace('/[\x00-\x1F]/u', '_', $basename); + if (substr(PHP_OS, 0, 3) == 'WIN') { + // These characters are not allowed in filenames on Windows. + $basename = str_replace(array(':', '*', '?', '"', '<', '>', '|'), '_', $basename); + } $destination = $directory . '/' . $basename; if (file_exists($destination)) { // Destination file already exists, generate an alternative. $pos = strrpos($basename, '.'); if ($pos !== FALSE) { $name = substr($basename, 0, $pos); $ext = substr($basename, $pos); } Index: misc/autocomplete.js =================================================================== RCS file: /cvs/drupal/drupal/misc/autocomplete.js,v retrieving revision 1.32 diff -u -9 -p -r1.32 autocomplete.js --- misc/autocomplete.js 17 Aug 2009 07:12:15 -0000 1.32 +++ misc/autocomplete.js 17 Aug 2009 10:52:17 -0000 @@ -270,19 +270,19 @@ Drupal.ACDB.prototype.search = function if (this.timer) { clearTimeout(this.timer); } this.timer = setTimeout(function () { db.owner.setStatus('begin'); // Ajax GET request for autocompletion. $.ajax({ type: 'GET', - url: db.uri + '/' + Drupal.encodePath(searchString), + url: db.uri + '/' + Drupal.encodeURIComponent(searchString), dataType: 'json', success: function (matches) { if (typeof matches.status == 'undefined' || matches.status != 0) { db.cache[searchString] = matches; // Verify if these are still the matches the user wants to see. if (db.searchString == searchString) { db.owner.found(matches); } db.owner.setStatus('found'); Index: misc/drupal.js =================================================================== RCS file: /cvs/drupal/drupal/misc/drupal.js,v retrieving revision 1.57 diff -u -9 -p -r1.57 drupal.js --- misc/drupal.js 17 Aug 2009 07:12:15 -0000 1.57 +++ misc/drupal.js 17 Aug 2009 10:52:17 -0000 @@ -257,26 +257,24 @@ Drupal.freezeHeight = function () { /** * Unfreeze the body height. */ Drupal.unfreezeHeight = function () { $('#freeze-height').remove(); }; /** - * Wrapper around encodeURIComponent() which avoids Apache quirks (equivalent of - * drupal_encode_path() in PHP). This function should only be used on paths, not - * on query string arguments. + * Wrapper around encodeURIComponent() that does not escape slashes (for + * aesthetic reasons). */ -Drupal.encodePath = function (item, uri) { +Drupal.encodeURIComponent = function (item, uri) { uri = uri || location.href; - item = encodeURIComponent(item).replace(/%2F/g, '/'); - return (uri.indexOf('?q=') != -1) ? item : item.replace(/%26/g, '%2526').replace(/%23/g, '%2523').replace(/\/\//g, '/%252F'); + return encodeURIComponent(item).replace(/%2F/g, '/'); }; /** * Get the text selection in a textarea. */ Drupal.getSelection = function (element) { if (typeof element.selectionStart != 'number' && document.selection) { // The current selection. var range1 = document.selection.createRange(); Index: modules/simpletest/tests/file.test =================================================================== RCS file: /cvs/drupal/drupal/modules/simpletest/tests/file.test,v retrieving revision 1.38 diff -u -9 -p -r1.38 file.test --- modules/simpletest/tests/file.test 17 Aug 2009 06:33:31 -0000 1.38 +++ modules/simpletest/tests/file.test 17 Aug 2009 10:52:17 -0000 @@ -1940,18 +1940,194 @@ class FileDownloadTest extends FileTestC // Try non-existent file. $url = file_create_url($this->randomName()); $this->drupalHead($url); $this->assertResponse(404, t('Correctly returned 404 response for a non-existent file.')); } } /** + * Test file_create_url() by making round-trips through the web server. + */ +class FileCreateUrlUnitTest extends FileTestCase { + public static function getInfo() { + return array( + 'name' => 'URL generation', + 'description' => 'Test URL generation', + 'group' => 'File', + ); + } + + function setUp() { + parent::setUp('file_test'); + // Clear out any hook calls. + file_test_reset(); + } + + /** + * Test file_create_url() using FILE_DOWNLOADS_PUBLIC. + */ + function testFileCreateUrlPublic() { + global $base_url; + variable_set('file_downloads', FILE_DOWNLOADS_PUBLIC); + + $file = " -._~!$'\"()*@[]?&+%#,;=:\n\x00" . // "Special" ASCII characters. + "%23%25%26%2B%2F%3F" . // Characters that look like a percent-escaped string. + "éøïвβ中國書۞"; // Characters from various non-ASCII alphabets. + if (substr(PHP_OS, 0, 3) == 'WIN') { + $expected_url = $base_url . '/' . file_directory_path() . '/' . + '%20-._%7E%21%24%27_%28%29_%40%5B%5D_%26%2B%25%23%2C%3B%3D___' . + '%2523%2525%2526%252B%252F%253F' . + '%C3%83%C2%A9%C3%83%C2%B8%C3%83%C2%AF%C3%90%C2%B2%C3%8E%C2%B2%C3%A4%C2%B8%C2%AD%C3%A5%C5%93%E2%80%B9%C3%A6%E2%80%BA%C2%B8%C3%9B%C5%BE'; + } + else { + $expected_url = $base_url . '/' . file_directory_path() . '/' . + '%20-._%7E%21%24%27%22%28%29%2A%40%5B%5D%3F%26%2B%25%23%2C%3B%3D%3A__' . + '%2523%2525%2526%252B%252F%253F' . + '%C3%A9%C3%B8%C3%AF%D0%B2%CE%B2%E4%B8%AD%E5%9C%8B%E6%9B%B8%DB%9E'; + } + $this->checkUrl($file, $expected_url); + + // On Windows, "\" works as path separator; on other platforms it is + // treated as any other character. + $file = 'foo\bar'; + if (substr(PHP_OS, 0, 3) == 'WIN') { + $expected_url = $base_url . '/' . file_directory_path() . '/foo/bar'; + } + else { + $expected_url = $base_url . '/' . file_directory_path() . '/foo%5Cbar'; + } + $this->checkUrl($file, $expected_url); + } + + /** + * Test file_create_url() using FILE_DOWNLOADS_PRIVATE and clean URLs enabled. + */ + function testFileCreateUrlPrivateCleanUrlEnabled() { + global $base_url; + variable_set('clean_url', '1'); + variable_set('file_downloads', FILE_DOWNLOADS_PRIVATE); + + $file = " -._~!$'\"()*@[]?&+%#,;=:\n\x00" . // "Special" ASCII characters. + "%23%25%26%2B%2F%3F" . // Characters that look like a percent-escaped string. + "éøïвβ中國書۞"; // Characters from various non-ASCII alphabets. + if (substr(PHP_OS, 0, 3) == 'WIN') { + $expected_url = $base_url . '/system/files/' . + '%20-._%7E%21%24%27_%28%29_%40%5B%5D_%26%2B%25%23%2C%3B%3D___' . + '%2523%2525%2526%252B%252F%253F' . + '%C3%A9%C3%B8%C3%AF%D0%B2%CE%B2%E4%B8%AD%E5%9C%8B%E6%9B%B8%DB%9E'; + } + else { + $expected_url = $base_url . '/system/files/' . + '%20-._%7E%21%24%27%22%28%29%2A%40%5B%5D%3F%26%2B%25%23%2C%3B%3D%3A__' . + '%2523%2525%2526%252B%252F%253F' . + '%C3%A9%C3%B8%C3%AF%D0%B2%CE%B2%E4%B8%AD%E5%9C%8B%E6%9B%B8%DB%9E'; + } + $this->checkUrl($file, $expected_url); + + // "0" is tricky because "0" == FALSE. + $file = '0'; + $expected_url = $base_url . '/system/files/0'; + $this->checkUrl($file, $expected_url); + + // On Windows, "\" works as path separator; on other platforms it is + // treated as any other character. + $file = 'foo\bar'; + if (substr(PHP_OS, 0, 3) == 'WIN') { + $expected_url = $base_url . '/system/files/foo/bar'; + } + else { + $expected_url = $base_url . '/system/files/foo%5Cbar'; + } + $this->checkUrl($file, $expected_url); + } + + /** + * Test file_create_url() using FILE_DOWNLOADS_PRIVATE and clean URLs + * disabled. + */ + function testFileCreateUrlPrivateCleanUrlDisabled() { + global $base_url; + variable_set('clean_url', '0'); + variable_set('file_downloads', FILE_DOWNLOADS_PRIVATE); + + $file = " -._~!$'\"()*@[]?&+%#,;=:\n\x00" . // "Special" ASCII characters. + "%23%25%26%2B%2F%3F" . // Characters that look like a percent-escaped string. + "éøïвβ中國書۞"; // Characters from various non-ASCII alphabets. + if (substr(PHP_OS, 0, 3) == 'WIN') { + $expected_url = $base_url . '/?q=system/files/' . + '%20-._%7E%21%24%27_%28%29_%40%5B%5D_%26%2B%25%23%2C%3B%3D___' . + '%2523%2525%2526%252B%252F%253F' . + '%C3%A9%C3%B8%C3%AF%D0%B2%CE%B2%E4%B8%AD%E5%9C%8B%E6%9B%B8%DB%9E'; + } + else { + $expected_url = $base_url . '/?q=system/files/' . + '%20-._%7E%21%24%27%22%28%29%2A%40%5B%5D%3F%26%2B%25%23%2C%3B%3D%3A__' . + '%2523%2525%2526%252B%252F%253F' . + '%C3%A9%C3%B8%C3%AF%D0%B2%CE%B2%E4%B8%AD%E5%9C%8B%E6%9B%B8%DB%9E'; + } + $this->checkUrl($file, $expected_url); + + // "0" is tricky because "0" == FALSE. + $file = '0'; + $expected_url = $base_url . '/?q=system/files/0'; + $this->checkUrl($file, $expected_url); + + // On Windows, "\" works as path separator; on other platforms it is + // treated as any other character. + $file = 'foo\bar'; + if (substr(PHP_OS, 0, 3) == 'WIN') { + $expected_url = $base_url . '/?q=system/files/foo/bar'; + } + else { + $expected_url = $base_url . '/?q=system/files/foo%5Cbar'; + } + $file = 'foo\bar'; + $this->checkUrl($file, $expected_url); + } + + /** + * Check that the URL generated by file_create_url() for the specified file + * equals the specified URL, then fetch the URL and compare the contents to + * the file. + * + * @param $path + * A filepath. + * @param $expected_url + * The expected URL. + */ + private function checkUrl($path, $expected_url) { + // Convert $path to a valid filename, i.e. strip characters not supported + // by the filesystem, and create the file. + $filepath = file_create_filename($path, file_directory_path()); + $directory = dirname($filepath); + file_check_directory($directory, FILE_CREATE_DIRECTORY); + $file = $this->createFile($filepath); + + $url = file_create_url($file->filepath); + $this->assertEqual($url, $expected_url, t('Generated URL matches expected URL')); + + if (variable_get('file_downloads', FALSE) == FILE_DOWNLOADS_PRIVATE) { + // Tell the implementation of hook_file_download() in file_test.module + // that this file may be downloaded. + file_test_set_return('download', array('x-foo' => 'Bar')); + } + + $this->drupalGet($url); + if ($this->assertResponse(200) == 'pass') { + $this->assertRaw(file_get_contents($file->filepath), t('Contents of the file are correct.')); + } + + file_delete($file); + } +} + +/** * Tests for file_munge_filename() and file_unmunge_filename(). */ class FileNameMungingTest extends FileTestCase { public static function getInfo() { return array( 'name' => 'File naming', 'description' => 'Test filename munging and unmunging.', 'group' => 'File', );