core security update
This commit is contained in:
Bachir Soussi Chiadmi
@@ -230,6 +230,10 @@
|
||||
* functions.
|
||||
*/
|
||||
function ajax_render($commands = array()) {
|
||||
// Although ajax_deliver() does this, some contributed and custom modules
|
||||
// render Ajax responses without using that delivery callback.
|
||||
ajax_set_verification_header();
|
||||
|
||||
// Ajax responses aren't rendered with html.tpl.php, so we have to call
|
||||
// drupal_get_css() and drupal_get_js() here, in order to have new files added
|
||||
// during this request to be loaded by the page. We only want to send back
|
||||
@@ -390,7 +394,7 @@ function ajax_form_callback() {
|
||||
if (!empty($form_state['triggering_element'])) {
|
||||
$callback = $form_state['triggering_element']['#ajax']['callback'];
|
||||
}
|
||||
if (!empty($callback) && function_exists($callback)) {
|
||||
if (!empty($callback) && is_callable($callback)) {
|
||||
$result = $callback($form, $form_state);
|
||||
|
||||
if (!(is_array($result) && isset($result['#type']) && $result['#type'] == 'ajax')) {
|
||||
@@ -487,6 +491,9 @@ function ajax_deliver($page_callback_result) {
|
||||
}
|
||||
}
|
||||
|
||||
// Let ajax.js know that this response is safe to process.
|
||||
ajax_set_verification_header();
|
||||
|
||||
// Print the response.
|
||||
$commands = ajax_prepare_response($page_callback_result);
|
||||
$json = ajax_render($commands);
|
||||
@@ -576,6 +583,29 @@ function ajax_prepare_response($page_callback_result) {
|
||||
return $commands;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets a response header for ajax.js to trust the response body.
|
||||
*
|
||||
* It is not safe to invoke Ajax commands within user-uploaded files, so this
|
||||
* header protects against those being invoked.
|
||||
*
|
||||
* @see Drupal.ajax.options.success()
|
||||
*/
|
||||
function ajax_set_verification_header() {
|
||||
$added = &drupal_static(__FUNCTION__);
|
||||
|
||||
// User-uploaded files cannot set any response headers, so a custom header is
|
||||
// used to indicate to ajax.js that this response is safe. Note that most
|
||||
// Ajax requests bound using the Form API will be protected by having the URL
|
||||
// flagged as trusted in Drupal.settings, so this header is used only for
|
||||
// things like custom markup that gets Ajax behaviors attached.
|
||||
if (empty($added)) {
|
||||
drupal_add_http_header('X-Drupal-Ajax-Token', '1');
|
||||
// Avoid sending the header twice.
|
||||
$added = TRUE;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Performs end-of-Ajax-request tasks.
|
||||
*
|
||||
@@ -764,7 +794,12 @@ function ajax_pre_render_element($element) {
|
||||
|
||||
$element['#attached']['js'][] = array(
|
||||
'type' => 'setting',
|
||||
'data' => array('ajax' => array($element['#id'] => $settings)),
|
||||
'data' => array(
|
||||
'ajax' => array($element['#id'] => $settings),
|
||||
'urlIsAjaxTrusted' => array(
|
||||
$settings['url'] => TRUE,
|
||||
),
|
||||
),
|
||||
);
|
||||
|
||||
// Indicate that Ajax processing was successful.
|
||||
|
||||
Reference in New Issue
Block a user