Hiya,

I've got a site where individual pages might require some javascript or CSS files hooked into their heads. I'm trying to keep everything client side when it comes to managing this process, rather than getting on the FTP and sorting everything out in the code so I need to be able to upload css and js files.

I've got CCK filefield up and running, and it works with css files, but it refuses to upload .js files. It instead seems to view every .js as ".js.txt" and then the file appears on the server as thisismyfile.js.txt

Not ideal...

Does anyone know how to work around this? Is it a mime type problem with Drupal or the server, or is Drupal set up to avoid script uploads and n00b hack attacks?

Once the files are uploaded I intend to use PHP mode on the page or node to call drupal_add_css and drupal_add_js.

+4  A: 

Looking at the field_file_save_file() function in field_file.inc from the filefield module, you can find the following snippet:

// Rename potentially executable files, to help prevent exploits.
if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
  $file->filemime = 'text/plain';
  $file->filepath .= '.txt';
  $file->filename .= '.txt';
}

So yes, it's a 'security thing', as Jeremy guessed.

You could patch that RegEx for an immediate 'fix', but that would remove this otherwise useful security check completely for all filefields used on the site.

So a more specific workaround might be a better approach. Since you want to add the files via drupal_add_js() calls from code anyway, you might as well do the renaming there, adding some kind of verification to make sure you can 'trust' the file (e.g. who uploaded it, whatever).


Edit: Concerning options to rename (and alternatives) when calling drupal_add_js():

  • For renaming the file, look into the file_move() function. A problem with this would be that it won't update the corresponding entry in the files table, so you would have to do that also, if the move operation succeeded. (The filefield just stores the 'fid' of the corresponding entry in the files table, so you'd need to find it there by 'fid' and change the 'filename', 'filepath' and 'filemime' entries according to your rename/move)
  • Alternatively, you could just load the content of the *.js.txt file and add that string with the 'inline' option of drupal_add_js(). This would be less 'elegant' and could be a performance hit, but if those are not important criteria in your specific case, it is less trouble.
  • Yet another option would be just passing the *.js.txt file as is to drupal_add_js(), ignoring the 'wrong' extension. A short local test showed that this works (at least in firefox). This might be the 'least effort' solution, but would need some additional testing concerning different browser behavior concerning usage of 'misnamed' js files.
Henrik Opel
-1 that would be a security risk.
googletorp
Ahem, yes, obviously (and mentioned explicitly!) - that's why I put the _could_ in italics and recommended a more specific approach. I will edit to clarify this.
Henrik Opel
Great, thanks! As I said above, registration will be disabled and only admin accounts will be able to upload files, so the security risk is one I'm willing to take. Cheers for pointing me at the code :D
hfidgen
Wait.. I like your idea of renaming the file within the drupal_add_js() function. Can you expand on how to do that at all? Thanks!
hfidgen
Well, for renaming the file, look into the `file_move()` function (Drupal API). Problem is that this won't update the corresponding entry in the files table, so you would have to do that also, if the move succeeded. (filefield just stores the 'fid' of the corresponding entry in the files table, so you'd need to find it there by 'fid' and change the 'filename', 'filepath' and 'filemime' entries according to your rename/move)
Henrik Opel
Alternatively, you could just load the content of the *.js.txt file and add that string with the 'inline' option of `drupal_add_js`. This would be less 'elegant' and could be a performance hit, but if those are not important criteria in your specific case, it is less trouble.
Henrik Opel
hmm this sounds a little bit outside my knowledge base! I think inline option would be a bad idea, as some of the scripts would be massive, so I'll have to learn how to hook other API functions into the drupal_add_js one.
hfidgen
I moved the suggestions from the comments to the answer **and added a third option** that you might want to try.
Henrik Opel
+2  A: 

Allowing Drupal to upload javascript files would be a security risk, which is also why it doesn't allow you to do it, but instead appends the .txt extension. The reason is that js files are executable along with php, pl, py, cgi, asp. So if Drupal could upload those files to the server, it would be possible for evil doers to upload a file and run it doing all kinds of nasty things on your server, basically anything is possible. Best thing would be to find a different way of uploading files which are secure.

googletorp
Thing is - if anyone hacks my administration passwords I'll have more worries than "they might upload a script". Deleting my database, for example. The site won't be open for general users to sign up or do anything, registration will be disabled.
hfidgen
If they hack your admin pass they can only hit the one site, if they upload and execute a js file, they can delete the entire server, change root password and 'overtake' the server. Like I said they can do almost anything. That is they can do anything javascript can which is a lot since it's a programming language.
googletorp
A: 

Drupal also "munges" javascript files. To prevent Drupal from automatically adding underscores to the filename there is a hidden variable that is checked before the filename is "munged".

Setting the variable to 1 solves the issue for me (along with altering the REGEX in includes/file.inc).

I hate hacking core, but this seems like a poor design to me. Javascript files are not server side scripts like php, py, pl, cgi, and asp.

You can use the allowed file extensions settings to prevent php and other server side scripts from being uploaded.

e.g.:

variable_set('allow_insecure_uploads', 1);

See: http://api.drupal.org/api/function/file_munge_filename/6

speedytwenty
Yeah that's about it I'm afraid! In the end my problem solved itself as the number of users who needed to configure and upload scripts and who didn't have FTP access was zero!
hfidgen
A: 

So uploading .js files to the files directory is pretty much impossible.

Even if you manage to get .js files uploaded cleanly, these files will get deleted when the cache is cleared.

Any js files that live inside the files directory will be deleted whenever the drupal_clear_js_cache() function is executed.

http://api.drupal.org/api/function/drupal_clear_js_cache/6

So Drupal sees .js files living in the file uploads directory as temporary.

Now I understand why they are appending ".txt", it is to prevent them from being removed when the cache is cleared.

So as a compromise I guess I will just be uploading .js files manually (via FTP) to the /misc folder. :(

speedytwenty
A: 

I had a similar need, and found a way to get around the security by first changing the 'allow_insecure_uploads' variable value by running this line of code in your hook_install:

variable_set('allow_insecure_uploads', 1);

Then in a module add this function:

/**
 * Implementation of FileField's hook_file_insert().
 */
function MODULE_NAME_file_insert(&$file) {
  // Look for files with the extension .js.txt and rename them to just .js.
  if (substr($file->filename, -7) == '.js.txt') {
    $file_path = $file->filepath;
    $new_file_path = substr($file_path, 0, strlen($file_path) - 4);
    // In Drupal 6, file_move() takes $file_path by reference and updates it
    // to the new location on success; only touch the record if it succeeded.
    if (file_move($file_path, $new_file_path)) {
      $file->filepath = $file_path;
      $file->filename = substr($file->filename, 0, strlen($file->filename) - 4);
      $file->filemime = file_get_mimetype($file->filename);
      $file->destination = $file->filepath;
      $file->status = FILE_STATUS_TEMPORARY;
      // The files row already exists when hook_file_insert() runs, so update it
      // by 'fid' instead of inserting a second record.
      drupal_write_record('files', $file, 'fid');
    }
  }
}

What this does is in the hook_insert call it checks if a file has the extension ".js.txt". If it does it copies it to a new location and renames it. This is after the security check so it's OK. I don't think you need to worry about the cache clear deleting your js files as long as you don't put them in the files/js directory. Create your own directory for your module and you should be OK.

Mike Dorrell
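Combining Henrik's suggestion of verifying who uploaded the file with Mike's hook_file_insert() rename, here is an added example (not code from the thread or from FileField) of a Drupal 6 module that only restores the .js extension for users holding a dedicated permission, checks the file_move() result, and logs the rename. The permission name and MODULE_NAME are placeholders I chose; the rest uses Drupal 6 core API functions referenced on this page.

```php
<?php
/**
 * Implementation of hook_perm().
 * A dedicated permission, so only explicitly trusted roles (e.g. the admin
 * accounts mentioned in the question) can get .js.txt uploads renamed to .js.
 * The permission name is an assumption for this example.
 */
function MODULE_NAME_perm() {
  return array('restore uploaded javascript');
}

/**
 * Implementation of FileField's hook_file_insert().
 * Runs after filefield has already appended .txt, so the rename is gated on
 * the uploading user's permission rather than disabling the check for all.
 */
function MODULE_NAME_file_insert(&$file) {
  global $user;
  // Untrusted uploaders keep the harmless .js.txt name.
  if (!user_access('restore uploaded javascript', $user)) {
    return;
  }
  // Only act on the exact double extension filefield produces.
  if (!preg_match('/\.js\.txt$/i', $file->filename)) {
    return;
  }
  $old_path = $file->filepath;
  $new_path = substr($old_path, 0, -4);
  // In Drupal 6, file_move() updates $old_path to the destination on success.
  if (!file_move($old_path, $new_path)) {
    watchdog('MODULE_NAME', 'Could not rename %file to .js.',
      array('%file' => $file->filename), WATCHDOG_ERROR);
    return;
  }
  $file->filepath = $old_path;
  $file->filename = substr($file->filename, 0, -4);
  $file->filemime = file_get_mimetype($file->filename);
  // The files row exists already; update it by fid instead of inserting.
  drupal_write_record('files', $file, 'fid');
  // Leave an audit trail of who put an executable script on the server.
  watchdog('MODULE_NAME', 'User %name restored %file to a .js file.',
    array('%name' => $user->name, '%file' => $file->filename), WATCHDOG_NOTICE);
}
```

As speedytwenty notes above, filename munging in includes/file.inc may still alter the name before this hook runs, so the allow_insecure_uploads setting from that answer applies independently of this check.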