Index: includes/file.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/file.inc,v retrieving revision 1.90.2.4 diff -u -p -r1.90.2.4 file.inc --- includes/file.inc 11 Feb 2008 05:45:48 -0000 1.90.2.4 +++ includes/file.inc 13 Aug 2008 23:30:22 -0000 @@ -227,7 +227,7 @@ function file_check_upload($source = 'up // requires an absolute path, so we use realpath(). $file->filepath = tempnam(realpath(file_directory_temp()), 'tmp_'); - $file->filemime = $_FILES["files"]["type"][$source]; + $file->filemime = file_get_mimetype($file->filename); // Rename potentially executable files, to help prevent exploits. if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) && (substr($file->filename, -4) != '.txt')) { @@ -733,3 +733,375 @@ function file_upload_max_size() { } return $max_size; } + +/** + * Determine an Internet Media Type, or MIME type from a filename. + * + * @param $filename + * Name of the file, including extension. + * @param $mapping + * An optional array of extension to media type mappings in the form + * 'extension1|extension2|...' => 'type'. + * + * @return + * The internet media type registered for the extension or application/octet-stream for unknown extensions. + */ +function file_get_mimetype($filename, $mapping = NULL) { + if (!is_array($mapping)) { + $mapping = variable_get('mime_extension_mapping', array( + 'ez' => 'application/andrew-inset', + 'atom' => 'application/atom', + 'atomcat' => 'application/atomcat+xml', + 'atomsrv' => 'application/atomserv+xml', + 'cap|pcap' => 'application/cap', + 'cu' => 'application/cu-seeme', + 'tsp' => 'application/dsptype', + 'spl' => 'application/x-futuresplash', + 'hta' => 'application/hta', + 'jar' => 'application/java-archive', + 'ser' => 'application/java-serialized-object', + 'class' => 'application/java-vm', + 'hqx' => 'application/mac-binhex40', + 'cpt' => 'image/x-corelphotopaint', + 'nb' => 'application/mathematica', + 'mdb' => 'application/msaccess', + 'doc|dot' => 'application/msword', + 'bin' => 'application/octet-stream', + 'oda' => 'application/oda', + 'ogg|ogx' => 'application/ogg', + 'pdf' => 'application/pdf', + 'key' => 'application/pgp-keys', + 'pgp' => 'application/pgp-signature', + 'prf' => 'application/pics-rules', + 'ps|ai|eps' => 'application/postscript', + 'rar' => 'application/rar', + 'rdf' => 'application/rdf+xml', + 'rss' => 'application/rss+xml', + 'rtf' => 'application/rtf', + 'smi|smil' => 'application/smil', + 'wpd' => 'application/wordperfect', + 'wp5' => 'application/wordperfect5.1', + 'xhtml|xht' => 'application/xhtml+xml', + 'xml|xsl' => 'application/xml', + 'zip' => 'application/zip', + 'cdy' => 'application/vnd.cinderella', + 'kml' => 'application/vnd.google-earth.kml+xml', + 'kmz' => 'application/vnd.google-earth.kmz', + 'xul' => 'application/vnd.mozilla.xul+xml', + 'xls|xlb|xlt' => 'application/vnd.ms-excel', + 'cat' => 'application/vnd.ms-pki.seccat', + 'stl' => 'application/vnd.ms-pki.stl', + 'ppt|pps' => 'application/vnd.ms-powerpoint', + 'odc' => 'application/vnd.oasis.opendocument.chart', + 'odb' => 'application/vnd.oasis.opendocument.database', + 'odf' => 'application/vnd.oasis.opendocument.formula', + 'odg' => 'application/vnd.oasis.opendocument.graphics', + 'otg' => 'application/vnd.oasis.opendocument.graphics-template', + 'odi' => 'application/vnd.oasis.opendocument.image', + 'odp' => 'application/vnd.oasis.opendocument.presentation', + 'otp' => 'application/vnd.oasis.opendocument.presentation-template', + 'ods' => 'application/vnd.oasis.opendocument.spreadsheet', + 'ots' => 'application/vnd.oasis.opendocument.spreadsheet-template', + 'odt' => 'application/vnd.oasis.opendocument.text', + 'odm' => 'application/vnd.oasis.opendocument.text-master', + 'ott' => 'application/vnd.oasis.opendocument.text-template', + 'oth' => 'application/vnd.oasis.opendocument.text-web', + 'docm' => 'application/vnd.ms-word.document.macroEnabled.12', + 'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', + 'dotm' => 'application/vnd.ms-word.template.macroEnabled.12', + 'dotx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.template', + 'potm' => 'application/vnd.ms-powerpoint.template.macroEnabled.12', + 'potx' => 'application/vnd.openxmlformats-officedocument.presentationml.template', + 'ppam' => 'application/vnd.ms-powerpoint.addin.macroEnabled.12', + 'ppsm' => 'application/vnd.ms-powerpoint.slideshow.macroEnabled.12', + 'ppsx' => 'application/vnd.openxmlformats-officedocument.presentationml.slideshow', + 'pptm' => 'application/vnd.ms-powerpoint.presentation.macroEnabled.12', + 'pptx' => 'application/vnd.openxmlformats-officedocument.presentationml.presentation', + 'xlam' => 'application/vnd.ms-excel.addin.macroEnabled.12', + 'xlsb' => 'application/vnd.ms-excel.sheet.binary.macroEnabled.12', + 'xlsm' => 'application/vnd.ms-excel.sheet.macroEnabled.12', + 'xlsx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', + 'xltm' => 'application/vnd.ms-excel.template.macroEnabled.12', + 'xltx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.template', + 'cod' => 'application/vnd.rim.cod', + 'mmf' => 'application/vnd.smaf', + 'sdc' => 'application/vnd.stardivision.calc', + 'sds' => 'application/vnd.stardivision.chart', + 'sda' => 'application/vnd.stardivision.draw', + 'sdd' => 'application/vnd.stardivision.impress', + 'sdf' => 'application/vnd.stardivision.math', + 'sdw' => 'application/vnd.stardivision.writer', + 'sgl' => 'application/vnd.stardivision.writer-global', + 'sxc' => 'application/vnd.sun.xml.calc', + 'stc' => 'application/vnd.sun.xml.calc.template', + 'sxd' => 'application/vnd.sun.xml.draw', + 'std' => 'application/vnd.sun.xml.draw.template', + 'sxi' => 'application/vnd.sun.xml.impress', + 'sti' => 'application/vnd.sun.xml.impress.template', + 'sxm' => 'application/vnd.sun.xml.math', + 'sxw' => 'application/vnd.sun.xml.writer', + 'sxg' => 'application/vnd.sun.xml.writer.global', + 'stw' => 'application/vnd.sun.xml.writer.template', + 'sis' => 'application/vnd.symbian.install', + 'vsd' => 'application/vnd.visio', + 'wbxml' => 'application/vnd.wap.wbxml', + 'wmlc' => 'application/vnd.wap.wmlc', + 'wmlsc' => 'application/vnd.wap.wmlscriptc', + 'wk' => 'application/x-123', + '7z' => 'application/x-7z-compressed', + 'abw' => 'application/x-abiword', + 'dmg' => 'application/x-apple-diskimage', + 'bcpio' => 'application/x-bcpio', + 'torrent' => 'application/x-bittorrent', + 'cab' => 'application/x-cab', + 'cbr' => 'application/x-cbr', + 'cbz' => 'application/x-cbz', + 'cdf' => 'application/x-cdf', + 'vcd' => 'application/x-cdlink', + 'pgn' => 'application/x-chess-pgn', + 'cpio' => 'application/x-cpio', + 'csh' => 'text/x-csh', + 'deb|udeb' => 'application/x-debian-package', + 'dcr|dir|dxr' => 'application/x-director', + 'dms' => 'application/x-dms', + 'wad' => 'application/x-doom', + 'dvi' => 'application/x-dvi', + 'rhtml' => 'application/x-httpd-eruby', + 'flac' => 'application/x-flac', + 'pfa|pfb|gsf|pcf|pcf.Z' => 'application/x-font', + 'mm' => 'application/x-freemind', + 'gnumeric' => 'application/x-gnumeric', + 'sgf' => 'application/x-go-sgf', + 'gcf' => 'application/x-graphing-calculator', + 'gtar|tgz|taz' => 'application/x-gtar', + 'hdf' => 'application/x-hdf', + 'phtml|pht|php' => 'application/x-httpd-php', + 'phps' => 'application/x-httpd-php-source', + 'php3' => 'application/x-httpd-php3', + 'php3p' => 'application/x-httpd-php3-preprocessed', + 'php4' => 'application/x-httpd-php4', + 'ica' => 'application/x-ica', + 'ins|isp' => 'application/x-internet-signup', + 'iii' => 'application/x-iphone', + 'iso' => 'application/x-iso9660-image', + 'jnlp' => 'application/x-java-jnlp-file', + 'js' => 'application/x-javascript', + 'jmz' => 'application/x-jmol', + 'chrt' => 'application/x-kchart', + 'kil' => 'application/x-killustrator', + 'skp|skd|skt|skm' => 'application/x-koan', + 'kpr|kpt' => 'application/x-kpresenter', + 'ksp' => 'application/x-kspread', + 'kwd|kwt' => 'application/x-kword', + 'latex' => 'application/x-latex', + 'lha' => 'application/x-lha', + 'lyx' => 'application/x-lyx', + 'lzh' => 'application/x-lzh', + 'lzx' => 'application/x-lzx', + 'frm|maker|frame|fm|fb|book|fbdoc' => 'application/x-maker', + 'mif' => 'application/x-mif', + 'wmd' => 'application/x-ms-wmd', + 'wmz' => 'application/x-ms-wmz', + 'com|exe|bat|dll' => 'application/x-msdos-program', + 'msi' => 'application/x-msi', + 'nc' => 'application/x-netcdf', + 'pac' => 'application/x-ns-proxy-autoconfig', + 'nwc' => 'application/x-nwc', + 'o' => 'application/x-object', + 'oza' => 'application/x-oz-application', + 'p7r' => 'application/x-pkcs7-certreqresp', + 'crl' => 'application/x-pkcs7-crl', + 'pyc|pyo' => 'application/x-python-code', + 'qtl' => 'application/x-quicktimeplayer', + 'rpm' => 'application/x-redhat-package-manager', + 'sh' => 'text/x-sh', + 'shar' => 'application/x-shar', + 'swf|swfl' => 'application/x-shockwave-flash', + 'sit|sitx' => 'application/x-stuffit', + 'sv4cpio' => 'application/x-sv4cpio', + 'sv4crc' => 'application/x-sv4crc', + 'tar' => 'application/x-tar', + 'tcl' => 'application/x-tcl', + 'gf' => 'application/x-tex-gf', + 'pk' => 'application/x-tex-pk', + 'texinfo|texi' => 'application/x-texinfo', + '~|%|bak|old|sik' => 'application/x-trash', + 't|tr|roff' => 'application/x-troff', + 'man' => 'application/x-troff-man', + 'me' => 'application/x-troff-me', + 'ms' => 'application/x-troff-ms', + 'ustar' => 'application/x-ustar', + 'src' => 'application/x-wais-source', + 'wz' => 'application/x-wingz', + 'crt' => 'application/x-x509-ca-cert', + 'xcf' => 'application/x-xcf', + 'fig' => 'application/x-xfig', + 'xpi' => 'application/x-xpinstall', + 'au|snd' => 'audio/basic', + 'mid|midi|kar' => 'audio/midi', + 'mpga|mpega|mp2|mp3|m4a' => 'audio/mpeg', + 'm3u' => 'audio/x-mpegurl', + 'oga|spx' => 'audio/ogg', + 'sid' => 'audio/prs.sid', + 'aif|aiff|aifc' => 'audio/x-aiff', + 'gsm' => 'audio/x-gsm', + 'wma' => 'audio/x-ms-wma', + 'wax' => 'audio/x-ms-wax', + 'ra|rm|ram' => 'audio/x-pn-realaudio', + 'ra' => 'audio/x-realaudio', + 'pls' => 'audio/x-scpls', + 'sd2' => 'audio/x-sd2', + 'wav' => 'audio/x-wav', + 'alc' => 'chemical/x-alchemy', + 'cac|cache' => 'chemical/x-cache', + 'csf' => 'chemical/x-cache-csf', + 'cbin|cascii|ctab' => 'chemical/x-cactvs-binary', + 'cdx' => 'chemical/x-cdx', + 'cer' => 'chemical/x-cerius', + 'c3d' => 'chemical/x-chem3d', + 'chm' => 'chemical/x-chemdraw', + 'cif' => 'chemical/x-cif', + 'cmdf' => 'chemical/x-cmdf', + 'cml' => 'chemical/x-cml', + 'cpa' => 'chemical/x-compass', + 'bsd' => 'chemical/x-crossfire', + 'csml|csm' => 'chemical/x-csml', + 'ctx' => 'chemical/x-ctx', + 'cxf|cef' => 'chemical/x-cxf', + 'emb|embl' => 'chemical/x-embl-dl-nucleotide', + 'spc' => 'chemical/x-galactic-spc', + 'inp|gam|gamin' => 'chemical/x-gamess-input', + 'fch|fchk' => 'chemical/x-gaussian-checkpoint', + 'cub' => 'chemical/x-gaussian-cube', + 'gau|gjc|gjf' => 'chemical/x-gaussian-input', + 'gal' => 'chemical/x-gaussian-log', + 'gcg' => 'chemical/x-gcg8-sequence', + 'gen' => 'chemical/x-genbank', + 'hin' => 'chemical/x-hin', + 'istr|ist' => 'chemical/x-isostar', + 'jdx|dx' => 'chemical/x-jcamp-dx', + 'kin' => 'chemical/x-kinemage', + 'mcm' => 'chemical/x-macmolecule', + 'mmd|mmod' => 'chemical/x-macromodel-input', + 'mol' => 'chemical/x-mdl-molfile', + 'rd' => 'chemical/x-mdl-rdfile', + 'rxn' => 'chemical/x-mdl-rxnfile', + 'sd|sdf' => 'chemical/x-mdl-sdfile', + 'tgf' => 'chemical/x-mdl-tgf', + 'mcif' => 'chemical/x-mmcif', + 'mol2' => 'chemical/x-mol2', + 'b' => 'chemical/x-molconn-Z', + 'gpt' => 'chemical/x-mopac-graph', + 'mop|mopcrt|mpc|dat|zmt' => 'chemical/x-mopac-input', + 'moo' => 'chemical/x-mopac-out', + 'mvb' => 'chemical/x-mopac-vib', + 'asn' => 'chemical/x-ncbi-asn1-spec', + 'prt|ent' => 'chemical/x-ncbi-asn1-ascii', + 'val|aso' => 'chemical/x-ncbi-asn1-binary', + 'pdb|ent' => 'chemical/x-pdb', + 'ros' => 'chemical/x-rosdal', + 'sw' => 'chemical/x-swissprot', + 'vms' => 'chemical/x-vamas-iso14976', + 'vmd' => 'chemical/x-vmd', + 'xtel' => 'chemical/x-xtel', + 'xyz' => 'chemical/x-xyz', + 'gif' => 'image/gif', + 'ief' => 'image/ief', + 'jpeg|jpg|jpe' => 'image/jpeg', + 'pcx' => 'image/pcx', + 'png' => 'image/png', + 'svg|svgz' => 'image/svg+xml', + 'tiff|tif' => 'image/tiff', + 'djvu|djv' => 'image/vnd.djvu', + 'wbmp' => 'image/vnd.wap.wbmp', + 'ras' => 'image/x-cmu-raster', + 'cdr' => 'image/x-coreldraw', + 'pat' => 'image/x-coreldrawpattern', + 'cdt' => 'image/x-coreldrawtemplate', + 'ico' => 'image/x-icon', + 'art' => 'image/x-jg', + 'jng' => 'image/x-jng', + 'bmp' => 'image/x-ms-bmp', + 'psd' => 'image/x-photoshop', + 'pnm' => 'image/x-portable-anymap', + 'pbm' => 'image/x-portable-bitmap', + 'pgm' => 'image/x-portable-graymap', + 'ppm' => 'image/x-portable-pixmap', + 'rgb' => 'image/x-rgb', + 'xbm' => 'image/x-xbitmap', + 'xpm' => 'image/x-xpixmap', + 'xwd' => 'image/x-xwindowdump', + 'eml' => 'message/rfc822', + 'igs|iges' => 'model/iges', + 'msh|mesh|silo' => 'model/mesh', + 'wrl|vrml' => 'model/vrml', + 'ics|icz' => 'text/calendar', + 'css' => 'text/css', + 'csv' => 'text/csv', + '323' => 'text/h323', + 'html|htm|shtml' => 'text/html', + 'uls' => 'text/iuls', + 'mml' => 'text/mathml', + 'asc|txt|text|pot' => 'text/plain', + 'rtx' => 'text/richtext', + 'sct|wsc' => 'text/scriptlet', + 'tm|ts' => 'text/texmacs', + 'tsv' => 'text/tab-separated-values', + 'jad' => 'text/vnd.sun.j2me.app-descriptor', + 'wml' => 'text/vnd.wap.wml', + 'wmls' => 'text/vnd.wap.wmlscript', + 'bib' => 'text/x-bibtex', + 'boo' => 'text/x-boo', + 'h++|hpp|hxx|hh' => 'text/x-c++hdr', + 'c++|cpp|cxx|cc' => 'text/x-c++src', + 'h' => 'text/x-chdr', + 'htc' => 'text/x-component', + 'c' => 'text/x-csrc', + 'd' => 'text/x-dsrc', + 'diff|patch' => 'text/x-diff', + 'hs' => 'text/x-haskell', + 'java' => 'text/x-java', + 'lhs' => 'text/x-literate-haskell', + 'moc' => 'text/x-moc', + 'p|pas' => 'text/x-pascal', + 'gcd' => 'text/x-pcs-gcd', + 'pl|pm' => 'text/x-perl', + 'py' => 'text/x-python', + 'etx' => 'text/x-setext', + 'tcl|tk' => 'text/x-tcl', + 'tex|ltx|sty|cls' => 'text/x-tex', + 'vcs' => 'text/x-vcalendar', + 'vcf' => 'text/x-vcard', + '3gp' => 'video/3gpp', + 'dl' => 'video/dl', + 'dif|dv' => 'video/dv', + 'fli' => 'video/fli', + 'gl' => 'video/gl', + 'mpeg|mpg|mpe' => 'video/mpeg', + 'mp4' => 'video/mp4', + 'ogv' => 'video/ogg', + 'qt|mov' => 'video/quicktime', + 'mxu' => 'video/vnd.mpegurl', + 'lsf|lsx' => 'video/x-la-asf', + 'mng' => 'video/x-mng', + 'asf|asx' => 'video/x-ms-asf', + 'wm' => 'video/x-ms-wm', + 'wmv' => 'video/x-ms-wmv', + 'wmx' => 'video/x-ms-wmx', + 'wvx' => 'video/x-ms-wvx', + 'avi' => 'video/x-msvideo', + 'movie' => 'video/x-sgi-movie', + 'ice' => 'x-conference/x-cooltalk', + 'sisx' => 'x-epoc/x-sisx-app', + 'vrm|vrml|wrl' => 'x-world/x-vrml', + 'xps' => 'application/vnd.ms-xpsdocument', + )); + } + foreach ($mapping as $ext_preg => $mime_match) { + if (preg_match('!\.('. $ext_preg .')$!i', $filename)) { + return $mime_match; + } + } + + return 'application/octet-stream'; +} Index: modules/blogapi/blogapi.install =================================================================== RCS file: modules/blogapi/blogapi.install diff -N modules/blogapi/blogapi.install --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ modules/blogapi/blogapi.install 13 Aug 2008 23:30:17 -0000 @@ -0,0 +1,90 @@ +roles); + + foreach ($roles as $rid => $name) { + $extensions .= ' '. strtolower(variable_get("blogapi_extensions_$rid", variable_get('blogapi_extensions_default', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp'))); + $usersize= max($usersize, variable_get("blogapi_usersize_$rid", variable_get('blogapi_usersize_default', 1)) * 1024 * 1024); + $uploadsize = max($uploadsize, variable_get("blogapi_uploadsize_$rid", variable_get('blogapi_uploadsize_default', 1)) * 1024 * 1024); + } + + $filesize = strlen($file['bits']); + + if ($filesize > $uploadsize) { + return blogapi_error(t('It is not possible to upload the file, because it exceeded the maximum filesize of @maxsize.', array('@maxsize' => format_size($uploadsize)))); + } + + if (_blogapi_space_used($user->uid) + $filesize > $usersize) { + return blogapi_error(t('The file can not be attached to this post, because the disk quota of @quota has been reached.', array('@quota' => format_size($usersize)))); + } + + // Only allow files with whitelisted extensions and convert remaining dots to + // underscores to prevent attacks via non-terminal executable extensions with + // files such as exploit.php.jpg. + + $whitelist = array_unique(explode(' ', trim($extensions))); + $name = basename($file['name']); + + if ($extension_position = strrpos($name, '.')) { + $filename = drupal_substr($name, 0, $extension_position); + $final_extension = drupal_substr($name, $extension_position + 1); + + if (!in_array(strtolower($final_extension), $whitelist)) { + return blogapi_error(t('It is not possible to upload the file, because it is only possible to upload files with the following extensions: @extensions', array('@extensions' => implode(' ', $whitelist)))); + } + + $filename = str_replace('.', '_', $filename); + $filename .= '.'. $final_extension; + } + $data = $file['bits']; if (!$data) { return blogapi_error(t('No file sent.')); } - if (!$file = file_save_data($data, $name)) { + if (!$file = file_save_data($data, $filename)) { return blogapi_error(t('Error storing file.')); } + db_query("INSERT INTO {blogapi_files} (uid, filepath, filesize) VALUES (%d, '%s', %d)", $user->uid, $file, $filesize); + // Return the successful result. return array('url' => file_create_url($file), 'struct'); } + /** * Blogging API callback. Returns a list of the taxonomy terms that can be * associated with a blog node. @@ -555,6 +598,82 @@ function blogapi_admin_settings() { '#description' => t('Select the content types for which you wish to enable posting via blogapi. Each type will appear as a different "blog" in the client application (if supported).') ); + + $blogapi_extensions_default = variable_get('blogapi_extensions_default', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp'); + $blogapi_uploadsize_default = variable_get('blogapi_uploadsize_default', 1); + $blogapi_usersize_default = variable_get('blogapi_usersize_default', 1); + + $form['settings_general'] = array( + '#type' => 'fieldset', + '#title' => t('File settings'), + '#collapsible' => TRUE, + ); + + $form['settings_general']['blogapi_extensions_default'] = array( + '#type' => 'textfield', + '#title' => t('Default permitted file extensions'), + '#default_value' => $blogapi_extensions_default, + '#maxlength' => 255, + '#description' => t('Default extensions that users can upload. Separate extensions with a space and do not include the leading dot.'), + ); + + $form['settings_general']['blogapi_uploadsize_default'] = array( + '#type' => 'textfield', + '#title' => t('Default maximum file size per upload'), + '#default_value' => $blogapi_uploadsize_default, + '#size' => 5, + '#maxlength' => 5, + '#description' => t('The default maximum file size a user can upload.'), + '#field_suffix' => t('MB') + ); + + $form['settings_general']['blogapi_usersize_default'] = array( + '#type' => 'textfield', + '#title' => t('Default total file size per user'), + '#default_value' => $blogapi_usersize_default, + '#size' => 5, + '#maxlength' => 5, + '#description' => t('The default maximum size of all files a user can have on the site.'), + '#field_suffix' => t('MB') + ); + + $form['settings_general']['upload_max_size'] = array('#value' => '

'. t('Your PHP settings limit the maximum file size per upload to %size.', array('%size' => format_size(file_upload_max_size()))).'

'); + + $roles = user_roles(0, 'administer content with blog api'); + $form['roles'] = array('#type' => 'value', '#value' => $roles); + + foreach ($roles as $rid => $role) { + $form['settings_role_'. $rid] = array( + '#type' => 'fieldset', + '#title' => t('Settings for @role', array('@role' => $role)), + '#collapsible' => TRUE, + '#collapsed' => TRUE, + ); + $form['settings_role_'. $rid]['blogapi_extensions_'. $rid] = array( + '#type' => 'textfield', + '#title' => t('Permitted file extensions'), + '#default_value' => variable_get('blogapi_extensions_'. $rid, $blogapi_extensions_default), + '#maxlength' => 255, + '#description' => t('Extensions that users in this role can upload. Separate extensions with a space and do not include the leading dot.'), + ); + $form['settings_role_'. $rid]['blogapi_uploadsize_'. $rid] = array( + '#type' => 'textfield', + '#title' => t('Maximum file size per upload'), + '#default_value' => variable_get('blogapi_uploadsize_'. $rid, $blogapi_uploadsize_default), + '#size' => 5, + '#maxlength' => 5, + '#description' => t('The maximum size of a file a user can upload (in megabytes).'), + ); + $form['settings_role_'. $rid]['blogapi_usersize_'. $rid] = array( + '#type' => 'textfield', + '#title' => t('Total file size per user'), + '#default_value' => variable_get('blogapi_usersize_'. $rid, $blogapi_usersize_default), + '#size' => 5, + '#maxlength' => 5, + '#description' => t('The maximum size of all files a user can have on the site (in megabytes).'), + ); + } + return system_settings_form($form); } @@ -720,3 +839,7 @@ function _blogapi_get_node_types() { return $types; } + +function _blogapi_space_used($uid) { + return db_result(db_query('SELECT SUM(filesize) FROM {blogapi_files} f WHERE f.uid = %d', $uid)); +} \ No newline at end of file Index: modules/filter/filter.module =================================================================== RCS file: /cvs/drupal/drupal/modules/filter/filter.module,v retrieving revision 1.160.2.7 diff -u -p -r1.160.2.7 filter.module --- modules/filter/filter.module 9 Jul 2008 21:48:41 -0000 1.160.2.7 +++ modules/filter/filter.module 13 Aug 2008 23:30:12 -0000 @@ -1295,7 +1295,7 @@ function filter_xss($string, $allowed_ta ( <(?=[^a-zA-Z!/]) # a lone < | # or - <[^>]*.(>|$) # a string that starts with a <, up until the > or the end of the string + <[^>]*(>|$) # a string that starts with a <, up until the > or the end of the string | # or > # just a > )%x', '_filter_xss_split', $string); Index: modules/user/user.module =================================================================== RCS file: /cvs/drupal/drupal/modules/user/user.module,v retrieving revision 1.745.2.31 diff -u -p -r1.745.2.31 user.module --- modules/user/user.module 16 Jul 2008 19:46:02 -0000 1.745.2.31 +++ modules/user/user.module 13 Aug 2008 23:30:28 -0000 @@ -1658,21 +1658,10 @@ function user_admin_access_check_submit( * Menu callback: add an access rule */ function user_admin_access_add($mask = NULL, $type = NULL) { - if ($edit = $_POST) { - if (!$edit['mask']) { - form_set_error('mask', t('You must enter a mask.')); - } - else { - $aid = db_next_id('{access}_aid'); - db_query("INSERT INTO {access} (aid, mask, type, status) VALUES ('%s', '%s', '%s', %d)", $aid, $edit['mask'], $edit['type'], $edit['status']); - drupal_set_message(t('The access rule has been added.')); - drupal_goto('admin/user/rules'); - } - } - else { - $edit['mask'] = $mask; - $edit['type'] = $type; - } + $edit = array(); + $edit['aid'] = 0; + $edit['mask'] = $mask; + $edit['type'] = $type; return drupal_get_form('user_admin_access_add_form', $edit, t('Add rule')); } @@ -1704,23 +1693,16 @@ function user_admin_access_delete_confir * Menu callback: edit an access rule */ function user_admin_access_edit($aid = 0) { - if ($edit = $_POST) { - if (!$edit['mask']) { - form_set_error('mask', t('You must enter a mask.')); - } - else { - db_query("UPDATE {access} SET mask = '%s', type = '%s', status = '%s' WHERE aid = %d", $edit['mask'], $edit['type'], $edit['status'], $aid); - drupal_set_message(t('The access rule has been saved.')); - drupal_goto('admin/user/rules'); - } - } - else { - $edit = db_fetch_array(db_query('SELECT aid, type, status, mask FROM {access} WHERE aid = %d', $aid)); - } + $edit = db_fetch_array(db_query('SELECT aid, type, status, mask FROM {access} WHERE aid = %d', $aid)); return drupal_get_form('user_admin_access_edit_form', $edit, t('Save rule')); } function user_admin_access_form($edit, $submit) { + $form = array(); + $form['aid'] = array( + '#type' => 'value', + '#value' => $edit['aid'], + ); $form['status'] = array( '#type' => 'radios', '#title' => t('Access type'), @@ -1744,11 +1726,27 @@ function user_admin_access_form($edit, $ '#required' => TRUE, ); $form['submit'] = array('#type' => 'submit', '#value' => $submit); + $form['#base'] = 'user_admin_access_form'; return $form; } /** + * Submit callback for user_admin_access_form(). + */ +function user_admin_access_form_submit($form_id, $form_values) { + if ($form_values['aid']) { + db_query("UPDATE {access} SET mask = '%s', type = '%s', status = '%s' WHERE aid = %d", $form_values['mask'], $form_values['type'], $form_values['status'], $form_values['aid']); + drupal_set_message(t('The access rule has been saved.')); + } + else { + db_query("INSERT INTO {access} (mask, type, status) VALUES ('%s', '%s', %d)", $form_values['mask'], $form_values['type'], $form_values['status']); + drupal_set_message(t('The access rule has been added.')); + } + return 'admin/user/rules'; +} + +/** * Menu callback: list all access rules */ function user_admin_access() {