Index: .htaccess =================================================================== RCS file: /cvs/drupal/drupal/.htaccess,v retrieving revision 1.104 diff -u -9 -p -r1.104 .htaccess --- .htaccess 16 Aug 2009 12:10:36 -0000 1.104 +++ .htaccess 29 Sep 2009 18:31:35 -0000 @@ -82,17 +82,16 @@ DirectoryIndex index.php index.html inde # VirtualDocumentRoot and the rewrite rules are not working properly. # For example if your site is at http://example.com/drupal uncomment and # modify the following line: # RewriteBase /drupal # # If your site is running in a VirtualDocumentRoot at http://example.com/, # uncomment the following line: # RewriteBase / - # Rewrite URLs of the form 'x' to the form 'index.php?q=x'. RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_URI} !=/favicon.ico - RewriteRule ^(.*)$ index.php?q=$1 [L,QSA] + RewriteRule ^ index.php [L] # $Id: .htaccess,v 1.104 2009/08/16 12:10:36 dries Exp $ Index: includes/bootstrap.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/bootstrap.inc,v retrieving revision 1.306 diff -u -9 -p -r1.306 bootstrap.inc --- includes/bootstrap.inc 21 Sep 2009 08:07:07 -0000 1.306 +++ includes/bootstrap.inc 29 Sep 2009 18:31:36 -0000 
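Review bot: The comment above the rule, `# Rewrite URLs of the form 'x' to the form 'index.php?q=x'.`, no longer describes what the new `RewriteRule ^ index.php [L]` does, because the path is no longer handed over as a query argument. Suggest replacing it with `# Pass every request that is not an existing file or directory to index.php; the path is recovered from REQUEST_URI in drupal_environment_initialize().` Dropping QSA is correct since mod_rewrite keeps the original query string when the substitution contains none, and that is worth stating so nobody re-adds the flag: `# No QSA flag is needed: a substitution without a query string keeps the request's query string.`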
@@ -455,18 +455,32 @@ function drupal_environment_initialize() exit; } } else { // Some pre-HTTP/1.1 clients will not send a Host header. Ensure the key is // defined for E_ALL compliance. $_SERVER['HTTP_HOST'] = ''; } + // When clean URLs are enabled, emulate ?q=foo/bar using REQUEST_URI. It is + // not possible to append the query string using mod_rewrite without the B + // flag (this was added in Apache 2.2.8), because mod_rewrite unescapes the + // path before passing it on to PHP. + if (!isset($_GET['q']) && isset($_SERVER['REQUEST_URI'])) { + $request_path = $_SERVER['REQUEST_URI']; + $query_pos = strpos($_SERVER['REQUEST_URI'], '?'); + if ($query_pos !== FALSE) { + $request_path = substr($request_path, 0, $query_pos); + } + $base_path_len = strlen(rtrim(dirname($_SERVER['SCRIPT_NAME']), '\\/')); + $_GET['q'] = substr(urldecode($request_path), $base_path_len + 1); + } + // Enforce E_ALL, but allow users to set levels not part of E_ALL. error_reporting(E_ALL | error_reporting()); // Override PHP settings required for Drupal to work properly. // sites/default/default.settings.php contains more runtime settings. // The .htaccess file contains settings that cannot be changed at runtime. // Prevent PHP from generating HTML error messages. ini_set('html_errors', 0); Index: includes/common.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/common.inc,v retrieving revision 1.1000 diff -u -9 -p -r1.1000 common.inc --- includes/common.inc 29 Sep 2009 17:52:46 -0000 1.1000 +++ includes/common.inc 29 Sep 2009 18:31:36 -0000 
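Review bot: `urldecode()` in the new `$_GET['q'] = substr(urldecode($request_path), $base_path_len + 1);` turns a literal `+` in the request path into a space; the path is now read raw from REQUEST_URI, so the query-string "+ is space" rule no longer applies, and the links Drupal emits are built with rawurlencode() (`%2B` for `+`), so `rawurldecode()` is the matching inverse: `$_GET['q'] = substr(rawurldecode($request_path), $base_path_len + 1);`. A direct request for `/index.php` (an existing file, so the rewrite rule does not fire) now arrives without `q` and with REQUEST_URI `/index.php`, so `$_GET['q']` becomes `'index.php'` instead of the front page; guard with `if ($_GET['q'] == basename($_SERVER['SCRIPT_NAME'])) { $_GET['q'] = ''; }`. The prefix arithmetic also assumes REQUEST_URI begins with `dirname($_SERVER['SCRIPT_NAME'])`, which holds for the .htaccess rule in this patch but presumably not behind an alias or a path-rewriting proxy; a comment stating that assumption would help the next reader. drupal_environment_initialize() starts and ends outside the hunk.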
@@ -419,21 +419,19 @@ function drupal_http_build_query(array $ // Recurse into children. if (is_array($value)) { $params[] = drupal_http_build_query($value, $key); } // If a query parameter value is NULL, only append its key. elseif (!isset($value)) { $params[] = $key; } else { - // For better readability of paths in query strings, we decode slashes. - // @see drupal_encode_path() - $params[] = $key . '=' . str_replace('%2F', '/', rawurlencode($value)); + $params[] = $key . '=' . drupal_urlencode($value); } } return implode('&', $params); } /** * Prepare a 'destination' URL query parameter for use in combination with drupal_goto(). * 
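Review bot: The rationale that went with the two removed comment lines is no longer visible at the call site: a reader of `$params[] = $key . '=' . drupal_urlencode($value);` cannot tell that slashes in query values are deliberately left unescaped. Keep a one-line pointer, `// Slashes are left unescaped for readability; see drupal_urlencode().`, so the next person does not "fix" it by switching to rawurlencode(). drupal_http_build_query() starts outside the hunk.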
@@ -528,50 +526,31 @@ function drupal_parse_url($url) { if (isset($parts['fragment'])) { $options['fragment'] = $parts['fragment']; } } return $options; } /** - * Encode a path for usage in a URL. + * Wrapper around rawurlencode(). * - * Wrapper around rawurlencode() which avoids Apache quirks. Should be used when - * placing arbitrary data into the path component of an URL. + * For aesthetic reasons slashes are not escaped. * - * Do not use this function to pass a path to url(). url() properly handles - * and encodes paths internally. - * This function should only be used on paths, not on query string arguments. - * Otherwise, unwanted double encoding will occur. - * - * Notes: - * - For esthetic reasons, we do not escape slashes. This also avoids a 'feature' - * in Apache where it 404s on any path containing '%2F'. - * - mod_rewrite unescapes %-encoded ampersands, hashes, and slashes when clean - * URLs are used, which are interpreted as delimiters by PHP. These - * characters are double escaped so PHP will still see the encoded version. - * - With clean URLs, Apache changes '//' to '/', so every second slash is - * double escaped. + * Should be used when placing arbitrary data in an URL. Note that Drupal paths + * are urlencoded() when passed through url() and do not require urlencoding() + * of individual components. * - * @param $path - * The URL path component to encode. + * @param $text + * String to encode */ -function drupal_encode_path($path) { - if (!empty($GLOBALS['conf']['clean_url'])) { - return str_replace(array('%2F', '%26', '%23', '//'), - array('/', '%2526', '%2523', '/%252F'), - rawurlencode($path) - ); - } - else { - return str_replace('%2F', '/', rawurlencode($path)); - } +function drupal_urlencode($text) { + return str_replace('%2F', '/', rawurlencode($text)); } /** * Send the user to a different Drupal page. * * This issues an on-site HTTP redirect. The function makes sure the redirected * URL is formatted correctly. 
* * Usually the redirected URL is constructed from this function's input @@ -2442,19 +2421,19 @@ function url($path = NULL, array $option // Modules may alter outbound links by reference. custom_url_rewrite_outbound($path, $options, $original_path); } $base = $options['absolute'] ? $options['base_url'] . '/' : base_path(); $prefix = empty($path) ? rtrim($options['prefix'], '/') : $options['prefix']; // With Clean URLs. if (!empty($GLOBALS['conf']['clean_url'])) { - $path = drupal_encode_path($prefix . $path); + $path = drupal_urlencode($prefix . $path); if ($options['query']) { return $base . $path . '?' . drupal_http_build_query($options['query']) . $options['fragment']; } else { return $base . $path . $options['fragment']; } } // Without Clean URLs. else { Index: includes/file.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/file.inc,v retrieving revision 1.191 diff -u -9 -p -r1.191 file.inc --- includes/file.inc 28 Sep 2009 22:22:53 -0000 1.191 +++ includes/file.inc 29 Sep 2009 18:31:37 -0000 
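Review bot: The new docblock on drupal_urlencode() is garbled ("are urlencoded() when passed through url() and do not require urlencoding() of individual components") and does not state what the function actually guarantees. Suggest `Wrapper around rawurlencode() that leaves slashes unescaped for readability; spaces become %20, not '+', so the result is valid in both path and query components.` followed by `Paths handed to url() are encoded by url() itself; do not pre-encode their segments or they will be double-encoded.`, plus a sentence explaining that the double escaping of %26, %23 and '//' done by the removed drupal_encode_path() is no longer needed because clean-URL paths are now taken from REQUEST_URI in drupal_environment_initialize(). No `drupal_encode_path()` alias is kept, so any caller outside this patch still using the old name will fatal; if that is intended, say so in the docblock or add a deprecated wrapper.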
@@ -862,18 +862,21 @@ function file_unmunge_filename($filename * @param $basename * String filename * @param $directory * String containing the directory or parent URI. * @return * File path consisting of $directory and a unique filename based off * of $basename. */ function file_create_filename($basename, $directory) { + // Strip control characters. + $basename = preg_replace('/[\x00-\x1F]/u', '_', $basename); + // A URI or path may already have a trailing slash or look like "public://". if (substr($directory, -1) == '/') { $separator = ''; } else { $separator = '/'; } $destination = $directory . $separator . $basename; Index: includes/stream_wrappers.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/stream_wrappers.inc,v retrieving revision 1.6 diff -u -9 -p -r1.6 stream_wrappers.inc --- includes/stream_wrappers.inc 31 Aug 2009 05:47:33 -0000 1.6 +++ includes/stream_wrappers.inc 29 Sep 2009 18:31:37 -0000 @@ -574,19 +574,19 @@ class DrupalPublicStreamWrapper extends } /** * Overrides getExternalUrl(). * * Return the HTML URI of a public file. */ function getExternalUrl() { $path = str_replace('\\', '/', file_uri_target($this->uri)); - return $GLOBALS['base_url'] . '/' . self::getDirectoryPath() . '/' . $path; + return $GLOBALS['base_url'] . '/' . self::getDirectoryPath() . '/' . drupal_urlencode($path); } } /** * Drupal private (private://) stream wrapper class. * * Provides support for storing privately accessible files with the Drupal file * interface. Index: misc/autocomplete.js =================================================================== RCS file: /cvs/drupal/drupal/misc/autocomplete.js,v retrieving revision 1.34 diff -u -9 -p -r1.34 autocomplete.js --- misc/autocomplete.js 5 Sep 2009 12:03:31 -0000 1.34 +++ misc/autocomplete.js 29 Sep 2009 18:31:37 -0000 
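Review bot: With the `u` modifier, `preg_replace('/[\x00-\x1F]/u', '_', $basename)` returns NULL when `$basename` is not valid UTF-8 (PREG_BAD_UTF8_ERROR), and that NULL concatenates into `$destination` as an empty string, so a file with a malformed name silently collapses onto the directory path. The character class is pure ASCII, so the modifier is unnecessary; dropping it makes the replacement byte-wise and infallible, and `\x7F` (DEL) belongs in the set too: `$basename = preg_replace('/[\x00-\x1F\x7F]/', '_', $basename);`. The comment should describe what happens, `// Replace control characters with underscores.`, since nothing is stripped. file_create_filename() continues outside the hunk.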
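Review bot: getExternalUrl() now percent-encodes `$path` but still emits `self::getDirectoryPath()` raw, so the two halves of one URL follow different rules; if the files directory ever contains a space or a non-ASCII character the result is not a valid URL. Either pass the directory through drupal_urlencode() as well, or state the assumption in the docblock, e.g. `* Returns the URL of a public file: the directory path is emitted as configured (assumed URL-safe); the file's relative path is percent-encoded with slashes kept.` The docblock's "HTML URI" wording is also inaccurate; it returns a URL.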
@@ -270,19 +270,19 @@ Drupal.ACDB.prototype.search = function if (this.timer) { clearTimeout(this.timer); } this.timer = setTimeout(function () { db.owner.setStatus('begin'); // Ajax GET request for autocompletion. $.ajax({ type: 'GET', - url: db.uri + '/' + Drupal.encodePath(searchString), + url: db.uri + '/' + Drupal.encodeURIComponent(searchString), dataType: 'json', success: function (matches) { if (typeof matches.status == 'undefined' || matches.status != 0) { db.cache[searchString] = matches; // Verify if these are still the matches the user wants to see. if (db.searchString == searchString) { db.owner.found(matches); } db.owner.setStatus('found'); Index: misc/drupal.js =================================================================== RCS file: /cvs/drupal/drupal/misc/drupal.js,v retrieving revision 1.58 diff -u -9 -p -r1.58 drupal.js --- misc/drupal.js 31 Aug 2009 05:51:07 -0000 1.58 +++ misc/drupal.js 29 Sep 2009 18:31:37 -0000 
@@ -261,26 +261,25 @@ Drupal.freezeHeight = function () { /** * Unfreeze the body height. */ Drupal.unfreezeHeight = function () { $('#freeze-height').remove(); }; /** - * Wrapper around encodeURIComponent() which avoids Apache quirks (equivalent of - * drupal_encode_path() in PHP). This function should only be used on paths, not - * on query string arguments. + * Wrapper around encodeURIComponent(). + * + * For aesthetic reasons slashes are not escaped. */ -Drupal.encodePath = function (item, uri) { +Drupal.encodeURIComponent = function (item, uri) { uri = uri || location.href; - item = encodeURIComponent(item).replace(/%2F/g, '/'); - return (uri.indexOf('?q=') != -1) ? item : item.replace(/%26/g, '%2526').replace(/%23/g, '%2523').replace(/\/\//g, '/%252F'); + return encodeURIComponent(item).replace(/%2F/g, '/'); }; /** * Get the text selection in a textarea. */ Drupal.getSelection = function (element) { if (typeof element.selectionStart != 'number' && document.selection) { // The current selection. var range1 = document.selection.createRange(); Index: modules/simpletest/tests/file.test =================================================================== RCS file: /cvs/drupal/drupal/modules/simpletest/tests/file.test,v retrieving revision 1.44 diff -u -9 -p -r1.44 file.test --- modules/simpletest/tests/file.test 20 Sep 2009 17:40:41 -0000 1.44 +++ modules/simpletest/tests/file.test 29 Sep 2009 18:31:38 -0000 @@ -1874,18 +1874,20 @@ class FileDownloadTest extends FileTestC return array( 'name' => 'File download', 'description' => 'Tests for file download/transfer functions.', 'group' => 'File API', ); } function setUp() { parent::setUp('file_test'); + // Clear out any hook calls. + file_test_reset(); } /** * Test the public file transfer system. */ function testPublicFileTransfer() { // Test generating an URL to a created file. $file = $this->createFile(); $url = file_create_url($file->uri); 
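Review bot: The `uri` parameter of the new `Drupal.encodeURIComponent` is dead: `uri = uri || location.href;` is still assigned, but the `?q=` branch that read it was removed, so the value is never used. Drop the parameter and the assignment: `Drupal.encodeURIComponent = function (item) {` / `return encodeURIComponent(item).replace(/%2F/g, '/');`. The docblock should also keep the cross-reference the old one had so the two sides stay in sync, e.g. `* Equivalent of drupal_urlencode() in PHP; spaces become %20 and slashes are kept.`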
@@ -1923,18 +1925,81 @@ class FileDownloadTest extends FileTestC file_test_set_return('download', -1); $this->drupalHead($url); $this->assertResponse(403, t('Correctly denied access to a file when file_test sets the header to -1.')); // Try non-existent file. $url = file_create_url('private://' . $this->randomName()); $this->drupalHead($url); $this->assertResponse(404, t('Correctly returned 404 response for a non-existent file.')); } + + /** + * Test file_create_url(). + */ + function testFileCreateUrl() { + global $base_url; + + $basename = " -._~!$'\"()*@[]?&+%#,;=:\n\x00" . // "Special" ASCII characters. + "%23%25%26%2B%2F%3F" . // Characters that look like a percent-escaped string. + "éøïвβ中國書۞"; // Characters from various non-ASCII alphabets. + $basename_encoded = '%20-._%7E%21%24%27%22%28%29%2A%40%5B%5D%3F%26%2B%25%23%2C%3B%3D%3A__' . + '%2523%2525%2526%252B%252F%253F' . + '%C3%A9%C3%B8%C3%AF%D0%B2%CE%B2%E4%B8%AD%E5%9C%8B%E6%9B%B8%DB%9E'; + + $this->checkUrl('public', '', $basename, $base_url . '/' . file_directory_path() . '/' . $basename_encoded); + $this->checkUrl('private', '', $basename, $base_url . '/system/files/' . $basename_encoded); + $this->checkUrl('private', '', $basename, $base_url . '/?q=system/files/' . $basename_encoded, '0'); + } + + /** + * Download a file from the URL generated by file_create_url(). + * + * Create a file with the specified scheme, directory and filename; check that + * the URL generated by file_create_url() for the specified file equals the + * specified URL; fetch the URL and then compare the contents to the file. + * + * @param $scheme + * A scheme, e.g. 
"public" + * @param $directory + * A directory, possibly "" + * @param $filename + * A filename + * @param $expected_url + * The expected URL + * @param $clean_url + * The value of the clean_url setting + */ + private function checkUrl($scheme, $directory, $filename, $expected_url, $clean_url = '1') { + variable_set('clean_url', $clean_url); + + // Convert $path to a valid filename, i.e. strip characters not supported + // by the filesystem, and create the file. + $filepath = file_create_filename($filename, $directory); + $directory_uri = $scheme . '://' . dirname($filepath); + file_prepare_directory($directory_uri, FILE_CREATE_DIRECTORY); + $file = $this->createFile($filepath, NULL, $scheme); + + $url = file_create_url($file->uri); + $this->assertEqual($url, $expected_url, t('Generated URL matches expected URL.')); + + if ($scheme == 'private') { + // Tell the implementation of hook_file_download() in file_test.module + // that this file may be downloaded. + file_test_set_return('download', array('x-foo' => 'Bar')); + } + + $this->drupalGet($url); + if ($this->assertResponse(200) == 'pass') { + $this->assertRaw(file_get_contents($file->uri), t('Contents of the file are correct.')); + } + + file_delete($file); + } } /** * Tests for file URL rewriting. */ class FileURLRewritingTest extends FileTestCase { public static function getInfo() { return array( 'name' => 'File URL rewriting',