bachir/popsu-d7
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

security update core+modules

Browse Source
This commit is contained in:
Bachir Soussi Chiadmi
2015-04-26 18:38:56 +02:00
parent 2f45ea820a
commit 7c96373038
1022 changed files with 30319 additions and 11259 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
modules/php/php.info
View File

@@ -4,3 +4,9 @@ package = Core
version = VERSION
core = 7.x
files[] = php.test
; Information added by Drupal.org packaging script on 2015-04-02
version = "7.36"
project = "drupal"
datestamp = "1427943826"

8
modules/php/php.module
View File

@@ -17,7 +17,7 @@ function php_help($path, $arg) {
$output .= '<h3>' . t('Uses') . '</h3>';
$output .= '<dl>';
$output .= '<dt>' . t('Enabling execution of PHP in text fields') . '</dt>';
$output .= '<dd>' . t('The PHP filter module allows users with the proper permissions to include custom PHP code that will get executed when pages of your site are processed. While this is a powerful and flexible feature if used by a trusted user with PHP experience, it is a significant and dangerous security risk in the hands of a malicious or inexperienced user. Even a trusted user may accidentally compromise the site by entering malformed or incorrect PHP code. Only the most trusted users should be granted permission to use the PHP filter, and all PHP code added through the PHP filter should be carefully examined before use. <a href="@php-snippets">Example PHP snippets</a> can be found on Drupal.org.', array('@php-snippets' => url('http://http://drupal.org/documentation/customization/php-snippets'))) . '</dd>';
$output .= '<dd>' . t('The PHP filter module allows users with the proper permissions to include custom PHP code that will get executed when pages of your site are processed. While this is a powerful and flexible feature if used by a trusted user with PHP experience, it is a significant and dangerous security risk in the hands of a malicious or inexperienced user. Even a trusted user may accidentally compromise the site by entering malformed or incorrect PHP code. Only the most trusted users should be granted permission to use the PHP filter, and all PHP code added through the PHP filter should be carefully examined before use. <a href="@php-snippets">Example PHP snippets</a> can be found on Drupal.org.', array('@php-snippets' => url('http://drupal.org/documentation/customization/php-snippets'))) . '</dd>';
$output .= '</dl>';
return $output;
}
@@ -47,7 +47,7 @@ function php_permission() {
* overwrite any variables in the calling code, unlike a regular eval() call.
*
* This function is also used as an implementation of
* hook_filter_FILTER_process().
* callback_filter_process().
*
* @param $code
* The code to evaluate.
@@ -88,7 +88,7 @@ function php_eval($code) {
}
/**
* Implements hook_filter_FILTER_tips().
* Implements callback_filter_tips().
*
* @see php_filter_info()
*/
@@ -122,7 +122,7 @@ else {
print t(\'Welcome visitor! Thank you for visiting.\');
}
</pre>') . '</li></ul>';
$output .= '<p>' . t('<a href="@drupal">Drupal.org</a> offers <a href="@php-snippets">some example PHP snippets</a>, or you can create your own with some PHP experience and knowledge of the Drupal system.', array('@drupal' => url('http://drupal.org'), '@php-snippets' => url('http://http://drupal.org/documentation/customization/php-snippets'))) . '</p>';
$output .= '<p>' . t('<a href="@drupal">Drupal.org</a> offers <a href="@php-snippets">some example PHP snippets</a>, or you can create your own with some PHP experience and knowledge of the Drupal system.', array('@drupal' => url('http://drupal.org'), '@php-snippets' => url('http://drupal.org/documentation/customization/php-snippets'))) . '</p>';
return $output;
}
else {

22
modules/php/php.test
View File

@@ -21,20 +21,20 @@ class PHPTestCase extends DrupalWebTestCase {
// Verify that the PHP code text format was inserted.
$php_format_id = 'php_code';
$this->php_code_format = filter_format_load($php_format_id);
$this->assertEqual($this->php_code_format->name, 'PHP code', t('PHP code text format was created.'));
$this->assertEqual($this->php_code_format->name, 'PHP code', 'PHP code text format was created.');
// Verify that the format has the PHP code filter enabled.
$filters = filter_list_format($php_format_id);
$this->assertTrue($filters['php_code']->status, t('PHP code filter is enabled.'));
$this->assertTrue($filters['php_code']->status, 'PHP code filter is enabled.');
// Verify that the format exists on the administration page.
$this->drupalGet('admin/config/content/formats');
$this->assertText('PHP code', t('PHP code text format was created.'));
$this->assertText('PHP code', 'PHP code text format was created.');
// Verify that anonymous and authenticated user roles do not have access.
$this->drupalGet('admin/config/content/formats/' . $php_format_id);
$this->assertFieldByName('roles[' . DRUPAL_ANONYMOUS_RID . ']', FALSE, t('Anonymous users do not have access to PHP code format.'));
$this->assertFieldByName('roles[' . DRUPAL_AUTHENTICATED_RID . ']', FALSE, t('Authenticated users do not have access to PHP code format.'));
$this->assertFieldByName('roles[' . DRUPAL_ANONYMOUS_RID . ']', FALSE, 'Anonymous users do not have access to PHP code format.');
$this->assertFieldByName('roles[' . DRUPAL_AUTHENTICATED_RID . ']', FALSE, 'Authenticated users do not have access to PHP code format.');
}
/**
@@ -73,18 +73,18 @@ class PHPFilterTestCase extends PHPTestCase {
// Make sure that the PHP code shows up as text.
$this->drupalGet('node/' . $node->nid);
$this->assertText('print "SimpleTest PHP was executed!"', t('PHP code is displayed.'));
$this->assertText('print "SimpleTest PHP was executed!"', 'PHP code is displayed.');
// Change filter to PHP filter and see that PHP code is evaluated.
$edit = array();
$langcode = LANGUAGE_NONE;
$edit["body[$langcode][0][format]"] = $this->php_code_format->format;
$this->drupalPost('node/' . $node->nid . '/edit', $edit, t('Save'));
$this->assertRaw(t('Basic page %title has been updated.', array('%title' => $node->title)), t('PHP code filter turned on.'));
$this->assertRaw(t('Basic page %title has been updated.', array('%title' => $node->title)), 'PHP code filter turned on.');
// Make sure that the PHP code shows up as text.
$this->assertNoText('print "SimpleTest PHP was executed!"', t("PHP code isn't displayed."));
$this->assertText('SimpleTest PHP was executed!', t('PHP code has been evaluated.'));
$this->assertNoText('print "SimpleTest PHP was executed!"', "PHP code isn't displayed.");
$this->assertText('SimpleTest PHP was executed!', 'PHP code has been evaluated.');
}
}
@@ -111,10 +111,10 @@ class PHPAccessTestCase extends PHPTestCase {
// Make sure that the PHP code shows up as text.
$this->drupalGet('node/' . $node->nid);
$this->assertText('print', t('PHP code was not evaluated.'));
$this->assertText('print', 'PHP code was not evaluated.');
// Make sure that user doesn't have access to filter.
$this->drupalGet('node/' . $node->nid . '/edit');
$this->assertNoRaw('<option value="' . $this->php_code_format->format . '">', t('PHP code format not available.'));
$this->assertNoRaw('<option value="' . $this->php_code_format->format . '">', 'PHP code format not available.');
}
}