security update for uuid xmlsitemap file_field_path

sites/all/modules/uuid/uuid_services/resources/field_collection.resource.inc

@@ -1,12 +0,0 @@
-<?php
-
-function _field_collection_resource_definition() {
-  if (module_exists('field_collection')) {
-    // We will allow uuid_services_services_resources_alter() to add the
-    // default UUID-related operations to this resource.
-    return array('field_collection_item' => array());
-  }
-  else {
-    return array();
-  }
-}

sites/all/modules/uuid/uuid_services/uuid_services.admin.inc

@@ -0,0 +1,30 @@
+<?php
+
+/**
+ * @file
+ * Administration functions for UUID Service module.
+ */
+
+/**
+ * Settings form for UUID Services.
+ *
+ * @return array
+ *   Configuration form structure.
+ */
+function uuid_services_settings() {
+  $form['uuid_services_support_all_entity_types'] = array(
+    '#type' => 'checkbox',
+    '#title' => t('Support all UUID entity types'),
+    '#description' => t('Check this box to automatically provide Services integration for all entity types with UUID support.'),
+    '#default_value' => variable_get('uuid_services_support_all_entity_types', FALSE),
+  );
+  $form['uuid_services_allowed_media_mimes'] = array(
+    '#type' => 'textarea',
+    '#title' => t('Allowed Media Mime type'),
+    '#default_value' => variable_get('uuid_services_allowed_media_mimes', UUID_SERVICES_DEFAULT_ALLOWED_MEDIA_MIMES),
+    '#cols' => 40,
+    '#rows' => 5,
+    '#description' => t("Enter one mime type per line you wish to allow in the system without extension. Example mime type '<em>video/brightcove</em>'."),
+  );
+  return system_settings_form($form);
+}

sites/all/modules/uuid/uuid_services/uuid_services.file_services.test

@@ -0,0 +1,150 @@
+<?php
+
+/**
+ * @file
+ * Test the UUID File Services integration.
+ */
+
+ /**
+  * Test the UUID File Services integration.
+  */
+class UuidFileServicesTest extends ServicesWebTestCase {
+
+  protected $priviledgedUser = NULL;
+
+  protected $endpoint = NULL;
+
+  /**
+   * Implementation of getInfo().
+   */
+  public static function getInfo() {
+    return array(
+      'name' => 'UUID File Services tests',
+      'description' => 'Test the file services resource UUID methods and actions.',
+      'group' => 'UUID',
+    );
+  }
+
+  /**
+   * Implementation of setUp().
+   */
+  public function setUp() {
+    parent::setUp(
+      'ctools',
+      'services',
+      'rest_server',
+      'uuid_services',
+      'entity',
+      'file',
+      'field',
+      'file_entity'
+    );
+    $this->endpoint = $this->saveNewEndpoint();
+
+    variable_set('file_entity_default_allowed_extensions', 'jpg jpeg gif png txt doc docx xls xlsx pdf ppt pptx pps ppsx odt ods odp mp3 mov mp4 m4a m4v mpeg avi ogg oga ogv weba webp webm');
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function saveNewEndpoint() {
+    $edit = $this->populateEndpointFAPI();
+    $endpoint = new stdClass();
+    $endpoint->disabled = FALSE;
+    $endpoint->api_version = 3;
+    $endpoint->name = $edit['name'];
+    $endpoint->server = $edit['server'];
+    $endpoint->path = $edit['path'];
+    $endpoint->authentication = array(
+      'services' => 'services',
+    );
+    $endpoint->server_settings = array(
+      'formatters' => array(
+        'json' => TRUE,
+        'bencode' => TRUE,
+        'rss' => TRUE,
+        'plist' => TRUE,
+        'xmlplist' => TRUE,
+        'php' => TRUE,
+        'yaml' => TRUE,
+        'jsonp' => FALSE,
+        'xml' => FALSE,
+      ),
+      'parsers' => array(
+        'application/x-yaml' => TRUE,
+        'application/json' => TRUE,
+        'application/vnd.php.serialized' => TRUE,
+        'application/plist' => TRUE,
+        'application/plist+xml' => TRUE,
+        'application/x-www-form-urlencoded' => TRUE,
+        'multipart/form-data' => TRUE,
+      ),
+    );
+    $endpoint->resources = array(
+      'file' => array(
+        'operations' => array(
+          'retrieve' => array(
+            'enabled' => '1',
+          ),
+          'delete' => array(
+            'enabled' => '1',
+          ),
+          'index' => array(
+            'enabled' => '1',
+          ),
+          'update' => array(
+            'enabled' => '1',
+          ),
+        ),
+        'actions' => array(
+          'create_raw' => array(
+            'enabled' => '1',
+          ),
+        ),
+      ),
+    );
+    $endpoint->debug = 1;
+    $endpoint->export_type = FALSE;
+    services_endpoint_save($endpoint);
+    $endpoint = services_endpoint_load($endpoint->name);
+    $this->assertTrue($endpoint->name == $edit['name'], 'Endpoint successfully created');
+    return $endpoint;
+  }
+
+  /**
+   * Tests file creation.
+   */
+  public function testFileUpdate() {
+    $this->privilegedUser = $this->drupalCreateUser(array('create files'));
+    $this->drupalLogin($this->privilegedUser);
+
+    // Get a test file.
+    $testfiles = $this->drupalGetTestFiles('php');
+    $testfile = current($testfiles);
+
+    // Setup file to be created.
+    $filepath = file_default_scheme() . '://' . rand() . '/' . rand() . '/' . $testfile->filename;
+    $file_data = array(
+      'uid' => '0',
+      'filesize' => filesize($testfile->uri),
+      'filename' => $testfile->filename,
+      'filepath' => $filepath,
+      'file' => base64_encode(file_get_contents($testfile->uri)),
+      'uuid' => 'ee26fe5d-f781-4a38-bfe0-8bb350b90073',
+      'type' => 'image',
+      'filemime' => 'text/plain',
+      'uri' => $testfile->uri,
+    );
+
+    $response = $this->servicesPut($this->endpoint->path . '/file/create', $file_data);
+
+    // Get the saved file's extension.
+    $file = file_load($response['body']->fid);
+    $name = explode('.', $file->filename);
+    $last = array_pop($name);
+    $extension = strtolower($last);
+
+    $this->assertNotEqual('php', $extension, 'File was not created with a "php" extension.', 'UUID: File Create');
+  }
+
+}

sites/all/modules/uuid/uuid_services/uuid_services.info

@@ -7,9 +7,14 @@ dependencies[] = services
 dependencies[] = uuid
 dependencies[] = entity
 
-; Information added by drupal.org packaging script on 2013-02-03
-version = "7.x-1.0-alpha3+52-dev"
+test_dependencies[] = services
+test_dependencies[] = entity
+test_dependencies[] = file
+test_dependencies[] = field
+test_dependencies[] = file_entity
+
+; Information added by Drupal.org packaging script on 2018-07-19
+version = "7.x-1.2"
 core = "7.x"
 project = "uuid"
-datestamp = "1359858369"
-
+datestamp = "1531990689"

sites/all/modules/uuid/uuid_services/uuid_services.install

@@ -0,0 +1,14 @@
+<?php
+
+/**
+ * @file
+ * UUID module installation functions.
+ */
+
+/**
+ * Implements hook_uninstall().
+ */
+function uuid_services_uninstall() {
+  variable_del('uuid_services_support_all_entity_types');
+  variable_del('uuid_services_allowed_media_mimes');
+}

sites/all/modules/uuid/uuid_services/uuid_services.module

@@ -1,5 +1,33 @@
 <?php
 
+/**
+ * @file
+ * UUID Services module functions.
+ */
+
+/**
+ * Defines defaults for UUID_SERVICES_ALLOWED_MEDIA_MIMES.
+ */
+define('UUID_SERVICES_DEFAULT_ALLOWED_MEDIA_MIMES',
+'video/brightcove
+video/youtube'
+);
+
+/**
+ * Implements hook_menu().
+ */
+function uuid_services_menu() {
+  $items['admin/config/services/uuid-services'] = array(
+    'title' => 'UUID Services',
+    'description' => 'Configure settings for UUID Services.',
+    'access arguments' => array('administer services'),
+    'page callback' => 'drupal_get_form',
+    'page arguments' => array('uuid_services_settings'),
+    'file' => 'uuid_services.admin.inc',
+  );
+  return $items;
+}
+
 /**
  * Implements hook_services_resources_alter().
  *
@@ -14,7 +42,7 @@
  */
 function uuid_services_services_resources_alter(&$resources, &$endpoint) {
   foreach (entity_get_info() as $entity_type => $entity_info) {
-    if (isset($entity_info['uuid']) && $entity_info['uuid'] == TRUE && isset($resources[$entity_type])) {
+    if (isset($entity_info['uuid']) && $entity_info['uuid'] == TRUE && (isset($resources[$entity_type]) || variable_get('uuid_services_support_all_entity_types', FALSE))) {
       unset($resources[$entity_type]['operations']['create']);
 
       // Alter 'retrieve' method to use UUID enabled functions and arguments.
@@ -126,6 +154,22 @@ function _uuid_services_entity_update($entity_type, $uuid, $entity) {
     else {
       $entity = (object) $entity;
     }
+    $entity->uuid_services = TRUE;
+    // Check that the mime type is whitelisted.
+    $valid_media_mimes = variable_get('uuid_services_allowed_media_mimes', UUID_SERVICES_DEFAULT_ALLOWED_MEDIA_MIMES);
+
+    // Sanitize file user input.
+    if ($entity_type == 'file') {
+      // We have to make sure to whitelist mime types, to avoid the video files
+      // getting converted into text files, when deployed from one env to other.
+      if (!in_array($entity->filemime, preg_split('/\r?\n/', $valid_media_mimes))) {
+        $entity->filename = _services_file_check_name_extension($entity->filename);
+        $entity->uri = _services_file_check_destination_uri($entity->uri);
+        if (!empty($entity->filepath)) {
+          $entity->filepath = _services_file_check_destination($entity->filepath);
+        }
+      }
+    }
     entity_uuid_save($entity_type, $entity);
     return $entity;
   }
@@ -142,7 +186,15 @@ function _uuid_services_entity_update($entity_type, $uuid, $entity) {
  */
 function _uuid_services_entity_delete($entity_type, $uuid) {
   try {
-    $return = entity_uuid_delete($entity_type, array($uuid));
+    $uuid_exist = (bool) entity_get_id_by_uuid($entity_type, array($uuid));
+    if (!$uuid_exist) {
+      /* UUID not found. Don't try to delete something that doesn't exist. */
+      $args = array('@uuid' => $uuid, '@type' => $entity_type);
+      watchdog('uuid_services', 'UUID @uuid not found for entity type @type', $args, WATCHDOG_WARNING);
+      return TRUE;
+    }
+
+    $return = entity_uuid_delete($entity_type, array($uuid)) !== FALSE;
     return $return;
   }
   catch (Exception $exception) {
@@ -154,14 +206,14 @@ function _uuid_services_entity_delete($entity_type, $uuid) {
 /**
  * Access callback.
  *
- * @param $op
+ * @param string $op
  *   The operation we are trying to do on the entity. Can only be:
  *   - "view"
  *   - "update"
  *   - "delete"
  *   See 'uuid_services_services_resources_alter()' for an explanation why
  *   'create' is missing.
- * @param $args
+ * @param array $args
  *   The arguments passed to the method. The keys are holding the following:
  *   0. <entity_type>
  *   1. <uuid>
@@ -182,7 +234,7 @@ function _uuid_services_entity_access($op, $args) {
       entity_make_entity_local($entity_type, $entity);
     }
     // Fetch the local entity if we've got an id.
-    elseif (!empty($entity_id)) {
+    elseif (!empty($entity_ids)) {
       $entities = entity_load($entity_type, $entity_ids);
       $entity = reset($entities);
     }
@@ -192,10 +244,9 @@ function _uuid_services_entity_access($op, $args) {
     if ($op == 'update' && empty($entity_ids)) {
       $op = 'create';
     }
-    // Taxonomy and Comment module uses 'edit' instead of 'update'.
-    // Oh, how I love Drupal consistency.
-    if (($entity_type == 'taxonomy_term' || $entity_type == 'comment') && $op == 'update') {
-      $op = 'edit';
+    // If the user doesn't exist return 406 like services does.
+    if (($entity_type == 'user' && empty($entity) && $op == 'view')) {
+      return services_error(t('There is no user with UUID @uuid.', array('@uuid' => $args[1])), 406);;
     }
     // The following code is taken from entity_access() with some extra logic
     // to handle the case where an entity type is not defining an access
@@ -211,18 +262,3 @@ function _uuid_services_entity_access($op, $args) {
     return services_error($exception, 406, $entity_type);
   }
 }
-
-/**
- * Implements hook_services_resources().
- */
-function uuid_services_services_resources() {
-  module_load_include('inc', 'uuid_services', 'resources/field_collection.resource');
-
-  $resources = array(
-    '#api_version' => 3002,
-  );
-
-  $resources += _field_collection_resource_definition();
-
-  return $resources;
-}