SA-CONTRIB-2009-052: remove multiple XSS vulnerabilities
1 <?php
2 // $Id$
3
4 /**
5 * @file
6 * Displays Printer-friendly versions of Drupal pages.
7 *
8 * @ingroup print
9 */
10
// Menu path under which the PDF version of a page is served
// (registered in print_pdf_menu(), used to build every PDF link in this file).
define('PRINTPDF_PATH', 'printpdf');

// Format identifier for this output type; not referenced in this file.
define('PRINT_PDF_FORMAT', 'pdf');

// Defaults for the variable_get() settings read throughout this module.
// Where the link appears: 'link' (node links area) and/or 'corner' (content corner).
define('PRINT_PDF_LINK_POS_DEFAULT', 'link');
define('PRINT_PDF_SHOW_LINK_DEFAULT', 1);
define('PRINT_PDF_NODE_LINK_VISIBILITY_DEFAULT', 0);
define('PRINT_PDF_NODE_LINK_PAGES_DEFAULT', '');
// CSS class of the link; strip_tags() is applied to the configured value
// before it is placed in the attributes (see theme_print_pdf_format_link()).
define('PRINT_PDF_LINK_CLASS_DEFAULT', 'print-pdf');
define('PRINT_PDF_SYS_LINK_VISIBILITY_DEFAULT', 1);
define('PRINT_PDF_SYS_LINK_PAGES_DEFAULT', '');
define('PRINT_PDF_LINK_USE_ALIAS_DEFAULT', 0);
// Book nodes: 1 = link to the book export, 2 = ordinary node link
// (see print_pdf_link_allowed()).
define('PRINT_PDF_BOOK_LINK_DEFAULT', 1);
// 0 means no PDF generation tool is selected; print_pdf_requirements()
// reports that as an error and print_pdf_link_allowed() shows no link.
define('PRINT_PDF_PDF_TOOL_DEFAULT', 0);
// A value of 1 makes the link open in a new window (theme_print_pdf_format_link()).
define('PRINT_PDF_CONTENT_DISPOSITION_DEFAULT', 2);
// The remaining defaults are not read in this file; presumably they are
// consumed by the page and admin include files.
define('PRINT_PDF_PAPER_SIZE_DEFAULT', 'A4');
define('PRINT_PDF_PAGE_ORIENTATION_DEFAULT', 'portrait');
define('PRINT_PDF_AUTOCONFIG_DEFAULT', 1);
define('PRINT_PDF_FONT_FAMILY_DEFAULT', 'dejavusans');
define('PRINT_PDF_FONT_SIZE_DEFAULT', 10);
define('PRINT_PDF_FILENAME_DEFAULT', '[site-name] - [title] - [mod-yyyy]-[mod-mm]-[mod-dd]');
// Extra command-line options for the external tools. These defaults are
// fixed strings; how they are passed to the tool is outside this file.
define('PRINT_PDF_WKHTMLTOPDF_OPTIONS', "--footer-font-size 7 --footer-right '[page]'");
define('PRINT_PDF_XVFB_OPTIONS', '');
// define('PRINT_PDF_XVFB_OPTIONS', ' -fp /usr/share/fonts/X11/misc/,/usr/share/fonts/X11/Type1/,/usr/share/fonts/X11/75dpi/,/usr/share/fonts/X11/100dpi/');
35
/**
 * Implementation of hook_perm().
 *
 * @return
 *   array with the single permission this module defines, 'access PDF version',
 *   which guards the PDF menu callback and every PDF link inserted by this file.
 */
function print_pdf_perm() {
  $perms = array();
  $perms[] = 'access PDF version';
  return $perms;
}
42
/**
 * Implementation of hook_theme().
 *
 * Registers the link formatter (implemented in this file) and the PDF
 * header/footer/page theme functions that live in print_pdf.pages.inc.
 *
 * @return
 *   array of theme hook definitions, keyed by hook name
 */
function print_pdf_theme() {
  // Every hook except the link formatter is implemented in the pages include.
  $pages_inc_hooks = array(
    'print_pdf_dompdf_footer',
    'print_pdf_tcpdf_header',
    'print_pdf_tcpdf_page',
    'print_pdf_tcpdf_content',
    'print_pdf_tcpdf_footer',
    'print_pdf_tcpdf_footer2',
  );

  $hooks = array(
    'print_pdf_format_link' => array(
      'arguments' => array(),
    ),
  );
  foreach ($pages_inc_hooks as $hook) {
    $hooks[$hook] = array(
      'arguments' => array(),
      'file' => 'print_pdf.pages.inc',
    );
  }

  return $hooks;
}
77
/**
 * Implementation of hook_menu().
 *
 * Registers the PDF page callback (guarded by 'access PDF version') and the
 * settings tabs under the print module's admin page (guarded by
 * 'administer print').
 *
 * @return
 *   array of menu items keyed by path
 */
function print_pdf_menu() {
  $items = array();
  $admin_path = 'admin/settings/print/pdf';

  // Page that generates the PDF version.
  $items[PRINTPDF_PATH] = array(
    'title' => 'Printer-friendly PDF',
    'page callback' => 'print_pdf_controller',
    'access arguments' => array('access PDF version'),
    'type' => MENU_CALLBACK,
    'file' => 'print_pdf.pages.inc',
  );
  // A nested printpdf/printpdf request is answered with access denied.
  $items[PRINTPDF_PATH .'/'. PRINTPDF_PATH] = array(
    'page callback' => 'drupal_access_denied',
  );

  // Settings tab and its sub-tabs.
  $items[$admin_path] = array(
    'title' => 'PDF',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('print_pdf_settings'),
    'access arguments' => array('administer print'),
    'weight' => 3,
    'type' => MENU_LOCAL_TASK,
    'file' => 'print_pdf.admin.inc',
  );
  $items[$admin_path .'/options'] = array(
    'title' => 'Options',
    'weight' => 1,
    'type' => MENU_DEFAULT_LOCAL_TASK,
  );
  $items[$admin_path .'/strings'] = array(
    'title' => 'Text strings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('print_pdf_strings_settings'),
    'access arguments' => array('administer print'),
    'weight' => 2,
    'type' => MENU_LOCAL_TASK,
    'file' => 'print_pdf.admin.inc',
  );

  return $items;
}
120
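/**
 * Implementation of hook_block().
 *
 * Provides a single block (delta 0), "Most PDFd", listing the three paths
 * with the highest totalcount in {print_pdf_page_counter}.
 *
 * @param $op
 *   'list', 'configure', 'save' or 'view'
 * @param $delta
 *   block index; only 0 is defined
 * @param $edit
 *   unused; the block has no configuration form
 * @return
 *   block list, empty string, nothing, or the block array, depending on $op
 */
function print_pdf_block($op = 'list', $delta = 0, $edit = array()) {
  // Initialised up front so that 'view' with an unknown delta returns an
  // empty block instead of an undefined variable.
  $block = array();

  switch ($op) {
    case 'list':
      $block[0]['info'] = t('Most PDFd');
      return $block;
    case 'configure':
      return '';
    case 'save':
      return;
    case 'view':
      if ($delta == 0) {
        $block['subject'] = t('Most PDFd');
        // Fixed query with no request-supplied input.
        $result = db_query_range("SELECT path FROM {print_pdf_page_counter} ORDER BY totalcount DESC", 0, 3);
        if (db_affected_rows()) {
          $block['content'] = '<div class="item-list"><ul>';
          while ($obj = db_fetch_object($result)) {
            // The stored path is both the link text source and the target;
            // l() is called without 'html' => TRUE, so the title is expected
            // to be escaped by l() before it reaches the markup.
            $block['content'] .= '<li>'. l(_print_get_title($obj->path), $obj->path) .'</li>';
          }
          $block['content'] .= '</ul></div>';
        }
      }
      return $block;
  }
}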
152
/**
 * Implementation of hook_requirements().
 *
 * At runtime, reports an error on the status page when no PDF generation
 * tool has been selected in the module settings.
 *
 * @param $phase
 *   'install' or 'runtime'; only 'runtime' produces a requirement
 * @return
 *   array of requirements, possibly empty
 */
function print_pdf_requirements($phase) {
  $requirements = array();
  $t = get_t();

  if ($phase == 'runtime') {
    // A tool value of 0 (the default) means nothing is configured yet.
    $tool = variable_get('print_pdf_pdf_tool', PRINT_PDF_PDF_TOOL_DEFAULT);
    if (empty($tool)) {
      $requirements['print_pdf_tool'] = array(
        'title' => $t('PDF version'),
        'value' => $t('No PDF tool selected'),
        'description' => $t('Please configure it in the <a href="@url">PDF settings page</a>.', array('@url' => url('admin/settings/print/pdf'))),
        'severity' => REQUIREMENT_ERROR,
      );
    }
  }

  return $requirements;
}
175
/**
 * Implementation of hook_link().
 *
 * Adds the PDF version link to the node (or comment) links area when the
 * 'link' position is enabled and print_pdf_link_allowed() permits it.
 *
 * @param $type
 *   'node' or 'comment'
 * @param $node
 *   the node object the links are for
 * @param $teaser
 *   TRUE when rendering a teaser; no link is added then
 * @return
 *   array with one link ('book_pdf' or 'print_pdf'), or nothing
 */
function print_pdf_link($type, $node = NULL, $teaser = FALSE) {
  $link_pos = variable_get('print_pdf_link_pos', array(PRINT_PDF_LINK_POS_DEFAULT => PRINT_PDF_LINK_POS_DEFAULT));
  $use_alias = variable_get('print_pdf_link_use_alias', PRINT_PDF_LINK_USE_ALIAS_DEFAULT);
  $allowed_type = print_pdf_link_allowed(array('type' => $type, 'node' => $node, 'teaser' => $teaser));

  // Nothing to add unless the link is permitted here and configured for
  // the links area.
  if (!$allowed_type || empty($link_pos['link'])) {
    return;
  }

  drupal_add_css(drupal_get_path('module', 'print') .'/css/printlinks.css');
  $format = theme('print_pdf_format_link');

  if ($allowed_type === PRINT_ALLOW_BOOK_LINK) {
    $links = array();
    $links['book_pdf'] = array(
      'href' => PRINTPDF_PATH .'/book/export/html/'. $node->nid,
      'title' => $format['text'],
      'attributes' => $format['attributes'],
      'html' => $format['html'],
    );
    return $links;
  }

  if ($allowed_type === PRINT_ALLOW_NORMAL_LINK) {
    // The current request's query string is carried over to the PDF link,
    // minus the internal 'q' parameter, and is re-encoded by
    // print_query_string_encode() rather than copied verbatim.
    $query_arr = $_GET;
    if ($type == 'comment') {
      $query_arr['comment'] = $node->cid;
    }
    $query = print_query_string_encode($query_arr, array('q'));
    if (empty($query)) {
      $query = NULL;
    }

    $target = $use_alias ? drupal_get_path_alias('node/'. $node->nid) : $node->nid;

    $links = array();
    $links['print_pdf'] = array(
      'href' => PRINTPDF_PATH .'/'. $target,
      'title' => $format['text'],
      'attributes' => $format['attributes'],
      'html' => $format['html'],
      'query' => $query,
    );
    return $links;
  }
}
227
/**
 * Implementation of hook_help().
 *
 * Used here to inject the PDF link on 'system' (non-node) pages, at most
 * once per request, when either link position is enabled.
 *
 * @param $path
 *   router path of the current page
 * @param $arg
 *   unused
 * @return
 *   HTML span wrapping the link, or nothing
 */
function print_pdf_help($path, $arg) {
  // Guards against emitting the link more than once in the same request.
  static $output = FALSE;

  $link_pos = variable_get('print_pdf_link_pos', array(PRINT_PDF_LINK_POS_DEFAULT => PRINT_PDF_LINK_POS_DEFAULT));
  $any_position = !empty($link_pos['link']) || !empty($link_pos['corner']);

  if ($path === 'node/%' || !$any_position || $output) {
    return;
  }
  $output = TRUE;

  $link = print_pdf_insert_link();
  if ($link) {
    return "<span class='print-syslink'>$link</span>";
  }
}
246
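/**
 * Implementation of hook_nodeapi().
 *
 * - 'view': appends the PDF link to the content corner links on the full
 *   node view, when the 'corner' position is enabled.
 * - 'load': attaches the per-node PDF settings to the node object.
 * - 'update': stores the per-node settings, for users allowed to change them.
 * - 'delete': removes the node's settings and page counter rows.
 *
 * @param $node
 *   the node object, modified in place on 'view' and 'load'
 * @param $op
 *   the nodeapi operation
 * @param $teaser
 *   TRUE when rendering a teaser
 * @param $page
 *   unused
 */
function print_pdf_nodeapi(&$node, $op = 'view', $teaser, $page) {
  switch ($op) {
    case 'view':
      // Insert content corner links
      $print_pdf_link_pos = variable_get('print_pdf_link_pos', array(PRINT_PDF_LINK_POS_DEFAULT => PRINT_PDF_LINK_POS_DEFAULT));
      if (($teaser === FALSE) && !empty($print_pdf_link_pos['corner']) &&
          isset($node->build_mode) && ($node->build_mode == NODE_BUILD_NORMAL)) {
        $link = print_pdf_insert_link(NULL, $node);
        if ($link) {
          // $link is used as a preg_replace() replacement string, where '\'
          // and '$' are back-reference syntax; escape them so a link whose
          // text contains either character is inserted literally.
          $replacement = addcslashes($link, '\\$') .'</span>';
          $node->content['print_links']['#value'] = preg_replace('!</span>$!', $replacement, $node->content['print_links']['#value']);
        }
      }
      break;
    case 'load':
      _print_pdf_set_node_fields($node);
      break;
    case 'update':
      // Only users who may change print settings can persist the checkboxes.
      if (user_access('administer print') || user_access('node-specific print configuration')) {
        _print_pdf_node_conf_modify($node->nid, $node->print_pdf_display, $node->print_pdf_display_comment, $node->print_pdf_display_urllist);
      }
      break;
    case 'delete':
      // Both rows are keyed by the nid, bound with %d.
      db_query("DELETE FROM {print_pdf_node_conf} WHERE nid = %d", $node->nid);
      db_query("DELETE FROM {print_pdf_page_counter} WHERE path = 'node/%d'", $node->nid);
      break;
  }
}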
277
/**
 * Implementation of hook_form_alter().
 *
 * Adds the PDF version checkboxes to the 'print' section of the node type
 * form and of the node edit form, for users who may change print settings.
 * Defaults come from the per-type variables on the node type form and from
 * the loaded node on the node form.
 *
 * @param $form
 *   the form array, modified in place
 * @param $form_state
 *   unused
 * @param $form_id
 *   the form identifier
 */
function print_pdf_form_alter(&$form, $form_state, $form_id) {
  if (!user_access('administer print') && !user_access('node-specific print configuration')) {
    return;
  }

  $is_type_form = ($form_id == 'node_type_form');
  $is_node_form = !$is_type_form && isset($form['type']) && isset($form['#node']) &&
    (($form['type']['#value'] .'_node_form') == $form_id);
  if (!$is_type_form && !$is_node_form) {
    return;
  }

  $form['print']['pdf_label'] = array(
    '#type' => 'markup',
    '#value' => '<p><strong>'. t('PDF version') .'</strong></p>',
  );

  // Checkbox key => array(title, default when nothing is stored).
  $checkboxes = array(
    'print_pdf_display' => array(t('Show link'), PRINT_TYPE_SHOW_LINK_DEFAULT),
    'print_pdf_display_comment' => array(t('Show link in individual comments'), PRINT_TYPE_COMMENT_LINK_DEFAULT),
    'print_pdf_display_urllist' => array(t('Show Printer-friendly URLs list'), PRINT_TYPE_URLLIST_DEFAULT),
  );

  foreach ($checkboxes as $key => $info) {
    list($title, $default) = $info;
    if ($is_type_form) {
      // Per-type setting, e.g. variable print_pdf_display_<type>.
      $value = variable_get($key .'_'. $form['#node_type']->type, $default);
    }
    else {
      $node = $form['#node'];
      $value = isset($node->$key) ? $node->$key : $default;
    }
    $form['print'][$key] = array(
      '#type' => 'checkbox',
      '#title' => $title,
      '#default_value' => $value,
    );
  }
}
316
/**
 * Auxiliary function to assign the per-node settings to the node object fields.
 *
 * Reads {print_pdf_node_conf} for the node's nid and sets print_pdf_display,
 * print_pdf_display_comment and print_pdf_display_urllist, falling back to
 * the PRINT_TYPE_* defaults when there is no nid or no stored row.
 *
 * @param $node
 *   node to be modified
 */
function _print_pdf_set_node_fields(&$node) {
  $conf = FALSE;
  if (isset($node->nid)) {
    // nid is bound with %d and therefore used as an integer.
    $conf = db_fetch_object(db_query("SELECT link, comments, url_list FROM {print_pdf_node_conf} WHERE nid = %d", $node->nid));
  }

  if ($conf) {
    $node->print_pdf_display = intval($conf->link);
    $node->print_pdf_display_comment = intval($conf->comments);
    $node->print_pdf_display_urllist = intval($conf->url_list);
  }
  else {
    $node->print_pdf_display = PRINT_TYPE_SHOW_LINK_DEFAULT;
    $node->print_pdf_display_comment = PRINT_TYPE_COMMENT_LINK_DEFAULT;
    $node->print_pdf_display_urllist = PRINT_TYPE_URLLIST_DEFAULT;
  }
}
334
/**
 * Update the print_pdf_node_conf table to reflect the given attributes.
 * If updating to the default values, delete the record.
 *
 * @param $nid
 *   value of the nid field (primary key)
 * @param $link
 *   value of the link field (0 or 1)
 * @param $comments
 *   value of the comments field (0 or 1)
 * @param $url_list
 *   value of the url_list field (0 or 1)
 */
function _print_pdf_node_conf_modify($nid, $link, $comments, $url_list) {
  $all_defaults = ($link == PRINT_TYPE_SHOW_LINK_DEFAULT)
    && ($comments == PRINT_TYPE_COMMENT_LINK_DEFAULT)
    && ($url_list == PRINT_TYPE_URLLIST_DEFAULT);

  // No row is kept for nodes that use the defaults.
  if ($all_defaults) {
    db_query("DELETE FROM {print_pdf_node_conf} WHERE nid = %d", $nid);
    return;
  }

  // Update first; insert only when no row existed for this nid. All values
  // are bound with %d placeholders.
  db_query("UPDATE {print_pdf_node_conf} SET link = %d, comments = %d, url_list = %d WHERE nid = %d", $link, $comments, $url_list, $nid);
  if (db_affected_rows() == 0) {
    db_query("INSERT INTO {print_pdf_node_conf} (nid, link, comments, url_list) VALUES (%d, %d, %d, %d)", $nid, $link, $comments, $url_list);
  }
}
360
/**
 * Format the PDF version link
 *
 * Administrator-supplied settings are sanitised before they reach markup:
 * the link text goes through filter_xss() and the CSS class through
 * strip_tags().
 *
 * @return
 *   array with 'text', 'html' and 'attributes' for the link
 * @ingroup themeable
 */
function theme_print_pdf_format_link() {
  $link_text = filter_xss(variable_get('print_pdf_link_text', t('PDF version')));
  $class = strip_tags(variable_get('print_pdf_link_class', PRINT_PDF_LINK_CLASS_DEFAULT));
  $show_link = variable_get('print_pdf_show_link', PRINT_PDF_SHOW_LINK_DEFAULT);
  // Content disposition 1 means the PDF opens in a new window.
  $disposition = variable_get('print_pdf_content_disposition', PRINT_PDF_CONTENT_DISPOSITION_DEFAULT);
  $new_window = ($disposition == 1);

  $icon = drupal_get_path('module', 'print') .'/icons/pdf_icon.gif';
  $title = t('Display a PDF version of this page.');

  $format = _print_format_link_aux($show_link, $link_text, $icon);
  $attributes = print_fill_attributes($title, $class, $new_window);

  return array(
    'text' => $format['text'],
    'html' => $format['html'],
    'attributes' => $attributes,
  );
}
385
/**
 * Auxiliary function to display a formatted PDF version link
 *
 * Function made available so that developers may call this function from
 * their defined pages/blocks.
 *
 * @param $path
 *   path of the original page (optional). If not specified, the current URL
 *   ($_GET['q']) is used
 * @param $node
 *   an optional node object, to be used in defining the path, if used, the
 *   path argument is irrelevant
 * @return
 *   string with the HTML link to the printer-friendly page, or FALSE when
 *   the link is not allowed
 */
function print_pdf_insert_link($path = NULL, $node = NULL) {
  // Work out the nid and path from whichever argument was supplied.
  if ($node !== NULL) {
    $nid = $node->nid;
    $path = 'node/'. $nid;
    $allowed_type = print_pdf_link_allowed(array('node' => $node));
  }
  else {
    $nid = NULL;
    if ($path === NULL) {
      $path = $_GET['q'];
      // Only the 'node/' prefix is stripped; for any other path $nid holds
      // the whole path rather than NULL.
      $nid = preg_replace('!^node/!', '', $path);
    }
    $allowed_type = print_pdf_link_allowed(array('path' => $path));
  }

  if (!$allowed_type) {
    return FALSE;
  }

  $query = NULL;
  if ($nid !== NULL) {
    if ($allowed_type === PRINT_ALLOW_BOOK_LINK) {
      $target = 'book/export/html/'. $nid;
    }
    elseif (variable_get('print_pdf_link_use_alias', PRINT_PDF_LINK_USE_ALIAS_DEFAULT)) {
      $target = drupal_get_path_alias($path);
    }
    else {
      $target = $nid;
    }
    $path = PRINTPDF_PATH .'/'. $target;
    // Re-encode the current query string (minus 'q') instead of passing
    // $_GET through verbatim.
    $query = print_query_string_encode($_GET, array('q'));
    if (empty($query)) {
      $query = NULL;
    }
  }

  drupal_add_css(drupal_get_path('module', 'print') .'/css/printlinks.css');
  $format = theme('print_pdf_format_link');
  $options = array(
    'attributes' => $format['attributes'],
    'query' => $query,
    'absolute' => TRUE,
    'html' => $format['html'],
  );
  return '<span class="print_pdf">'. l($format['text'], $path, $options) .'</span>';
}
448
/**
 * Determine whether the link to the PDF version is allowed, depending on all
 * possible settings.
 *
 * @param $args
 *   array containing the possible parameters:
 *   teaser, node, type, path
 * @return
 *   FALSE if not allowed
 *   PRINT_ALLOW_NORMAL_LINK if a normal link is allowed
 *   PRINT_ALLOW_BOOK_LINK if a link is allowed in a book node
 */
function print_pdf_link_allowed($args) {
  $print_pdf_pdf_tool = variable_get('print_pdf_pdf_tool', PRINT_PDF_PDF_TOOL_DEFAULT);
  if (!empty($args['teaser']) || !user_access('access PDF version') || (empty($print_pdf_pdf_tool))) {
    // If showing only the teaser or the user is not allowed or link is disabled
    return FALSE;
  }
  if (!empty($args['path'])) {
    // Resolve an aliased path and see whether it points at a node. Only a
    // numeric remainder is accepted as a nid before node_load() is called.
    $nid = preg_replace('!^node/!', '', drupal_get_normal_path($args['path']));
    if (is_numeric($nid)) {
      $args['node'] = node_load($nid);
    }
  }
  if (!empty($args['node'])) {
    // NOTE(review): this static is filled from the first node seen in the
    // request and reused for every later call, whatever node is passed in.
    // Presumably a per-request cache for the single node being rendered --
    // confirm callers never mix node types within one request.
    static $node_type = FALSE;

    $node = $args['node'];
    if ($node_type === FALSE) {
      if (isset($node->type)) {
        $node_type = $node->type;
      }
      else {
        $node_type = '';
      }
    }
    // Node
    $print_pdf_node_link_visibility = variable_get('print_pdf_node_link_visibility', PRINT_PDF_NODE_LINK_VISIBILITY_DEFAULT);
    $print_pdf_node_link_pages = variable_get('print_pdf_node_link_pages', PRINT_PDF_NODE_LINK_PAGES_DEFAULT);

    if (!_print_page_match($print_pdf_node_link_visibility, $print_pdf_node_link_pages)) {
      // Page not in visibility list
      return FALSE;
    }
    elseif (isset($args['type']) && ($args['type'] == 'comment') && isset($node_type)) {
      // Link is for a comment, return the configured setting.
      // isset($node_type) is always TRUE once the branch above has assigned
      // it (an empty string is still set); the effective per-type check is
      // the variable_get() below.
      $res = db_fetch_object(db_query("SELECT comments FROM {print_pdf_node_conf} WHERE nid = %d", $node->nid));
      $print_display_comment = $res ? intval($res->comments) : PRINT_TYPE_COMMENT_LINK_DEFAULT;
      if (($print_display_comment) ||
          variable_get('print_pdf_display_comment_'. $node_type, PRINT_TYPE_COMMENT_LINK_DEFAULT)) {
        return PRINT_ALLOW_NORMAL_LINK;
      }
      // Neither the node nor its type allows comment links: falls through
      // to the final return FALSE.
    }
    else {
      // Node link
      if ((!$node->print_pdf_display) || (isset($node_type) &&
          !variable_get('print_pdf_display_'. $node_type, PRINT_TYPE_SHOW_LINK_DEFAULT))) {
        // Link for this node type is disabled
        return FALSE;
      }
      elseif (isset($node->book)) {
        // Node is a book: 1 = book export link (additionally requires the
        // printer-friendly permission), 2 = ordinary link, anything else =
        // no link (falls through to the final return FALSE).
        $print_pdf_book_link = variable_get('print_pdf_book_link', PRINT_PDF_BOOK_LINK_DEFAULT);
        switch ($print_pdf_book_link) {
          case 1:
            if (user_access('access printer-friendly version')) {
              return PRINT_ALLOW_BOOK_LINK;
            }
            break;
          case 2:
            return PRINT_ALLOW_NORMAL_LINK;
        }
      }
      else {
        return PRINT_ALLOW_NORMAL_LINK;
      }
    }
  }
  else {
    // 'System' page: decided purely by the system-page visibility settings.
    $print_pdf_sys_link_visibility = variable_get('print_pdf_sys_link_visibility', PRINT_PDF_SYS_LINK_VISIBILITY_DEFAULT);
    $print_pdf_sys_link_pages = variable_get('print_pdf_sys_link_pages', PRINT_PDF_SYS_LINK_PAGES_DEFAULT);

    return _print_page_match($print_pdf_sys_link_visibility, $print_pdf_sys_link_pages);
  }
  return FALSE;
}