
Contents of /contributions/modules/drutex/drutex_security.inc



Revision 1.4 - (show annotations) (download) (as text)
Wed Sep 6 04:20:08 2006 UTC (3 years, 2 months ago) by dfg
Branch: MAIN
CVS Tags: DRUPAL-4-7--1-0, DRUPAL-5--1-1, DRUPAL-5--1-0, DRUPAL-5--1-3, DRUPAL-5--1-2, HEAD
Branch point for: DRUPAL-5--2, DRUPAL-5, DRUPAL-4-7, DRUPAL-6--1
Changes since 1.3: +1 -1 lines
File MIME type: text/x-php
Adding extended logging and debugging facilities.
1 <?php
2 // $Id$
3
4 /**
5 * @file
6 * Provide security features for DruTeX.
7 *
8 * This module covers functions to restrict the set of allowed
9 * LaTeX commands and environments.
10 */
11
/**
 * Implementation of subhook_info().
 *
 * Describes the security submodule: a translated title and description,
 * a toggle flag and a weight.
 *
 * @param $format
 *   Input format id. Accepted for signature compatibility; not read here.
 *
 * @return
 *   A stdClass object with the properties title, description, toggle and
 *   weight.
 */
function drutex_security_info($format = -1) {
  $info = new stdClass();

  $info->title = t('Security restrictions');
  $info->description = t('Restricts the set of allowed LaTeX commands.');
  $info->toggle = true;
  $info->weight = 20;

  return $info;
}
23
/**
 * Implementation of subhook_defaults().
 *
 * Supplies the default values of the three security settings: the active
 * flag, the allowed commands and the allowed environments. Both lists are
 * single strings with entries separated by one space.
 *
 * NOTE(review): 'drutex_security_active' defaults to false, so the
 * restriction is presumably off until someone enables it. Confirm that this
 * is the intended default for input formats open to untrusted users.
 *
 * @return
 *   Array of default values keyed by setting name.
 */
function drutex_security_defaults() {
  return array(
    'drutex_security_active' => false,
    // Math-only commands; nothing here reads files or defines macros.
    'drutex_security_allowedcommands' => '\atop \binom \cdot \cfrac \choose \frac \int \ln \over \sum \to',
    'drutex_security_allowedenvironments' => 'align array equation equations gather matrix split',
  );
}
34
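/**
 * Checks if $text only includes allowed commands/environments.
 *
 * Every control sequence found in $text (a backslash followed by ASCII
 * letters, or a \begin{name} / \end{name} marker) must appear in the
 * allow-list configured for $format. The first one that does not is logged
 * through watchdog() and the text is rejected.
 *
 * NOTE(review): this is a lexical check on the raw text. Only the three
 * shapes matched by the pattern below are inspected; anything else in $text
 * passes through unexamined. Treat it as one layer and keep the TeX run
 * itself restricted (no shell escape, no file access outside the work
 * directory) rather than relying on this filter alone.
 *
 * @param $text
 *   The LaTeX source to inspect.
 * @param $format
 *   Input format id, used to select the per-format settings.
 *
 * @return
 *   TRUE if every matched command/environment is allowed, FALSE otherwise
 *   (including when the text could not be scanned).
 */
function drutex_security($text, $format = -1) {
  // Allow-list per input format, built on first use and reused afterwards.
  static $allowed_commands = array();

  if (!isset($allowed_commands[$format])) {
    // The settings come from textareas, so accept any run of whitespace
    // (spaces, line breaks) as separator and drop empty entries. With a plain
    // explode(' ') an entry typed on a new line would carry the line break
    // and never match.
    $allowed = preg_split('/\s+/', (string) drutex_var_get("drutex_security_allowedcommands_$format"), -1, PREG_SPLIT_NO_EMPTY);
    $environments = preg_split('/\s+/', (string) drutex_var_get("drutex_security_allowedenvironments_$format"), -1, PREG_SPLIT_NO_EMPTY);

    foreach ($environments as $env) {
      // Built by concatenation on purpose. Inside a double-quoted string,
      // "\{$env}" keeps the backslash on current PHP versions (early releases
      // dropped it), which yields \begin\{name} and can never equal the
      // \begin{name} text extracted below.
      $allowed[] = '\\begin{' . $env . '}';
      $allowed[] = '\\begin{' . $env . '*}';
      $allowed[] = '\\end{' . $env . '}';
      $allowed[] = '\\end{' . $env . '*}';
    }

    $allowed_commands[$format] = $allowed;
  }

  $matches = array();
  $found = preg_match_all('/(\\\\begin\{[a-zA-Z*]+\})|(\\\\end\{[a-zA-Z*]+\})|(\\\\[a-zA-Z]+)/s', $text, $matches);

  // Fail closed: if the scan itself failed there is nothing to base a
  // decision on, so the text is rejected rather than waved through.
  if ($found === false) {
    watchdog('DruTeX', 'Security submodule could not scan the text; rejecting it.', WATCHDOG_WARNING);
    return false;
  }

  foreach ($matches[0] as $command) {
    // Strict comparison; both sides are always strings.
    if (!in_array($command, $allowed_commands[$format], true)) {
      // $command is limited by the pattern to backslash, ASCII letters,
      // braces and '*', so it is safe to place in the log message as is.
      watchdog('DruTeX', "Unallowed command (by security submodule): $command", WATCHDOG_WARNING);
      return false;
    }
  }

  return true;
}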
65
/**
 * Implementation of subhook_filter_settings().
 *
 * Builds the two textarea form elements in which the allowed commands and
 * the allowed environments for an input format are edited. The element keys
 * are the same per-format setting names that drutex_security() reads, so
 * whoever may submit this form decides which LaTeX commands pass the check.
 *
 * @param $format
 *   Input format id; appended to both setting names.
 *
 * @return
 *   Form array holding the two textarea elements.
 */
function drutex_security_filter_settings($format = -1) {
  $commands_key = "drutex_security_allowedcommands_$format";
  $environments_key = "drutex_security_allowedenvironments_$format";

  $form = array();

  // Allow-list of single commands.
  $form[$commands_key] = array(
    '#type' => 'textarea',
    '#title' => t('Allowed commands'),
    '#rows' => 4,
    '#cols' => 50,
    '#default_value' => drutex_var_get($commands_key),
    '#description' => t('Commands are seperated by single space.'),
  );

  // Allow-list of environment names, given without \begin and \end.
  $form[$environments_key] = array(
    '#type' => 'textarea',
    '#title' => t('Allowed environments'),
    '#rows' => 4,
    '#cols' => 50,
    '#default_value' => drutex_var_get($environments_key),
    '#description' => t('Environments are seperated by single space.'),
  );

  return $form;
}