authordsnopek2018-10-17 23:03:26 (GMT)
committerDavid Snopek2018-10-17 23:03:26 (GMT)
commite2145fab449a964774eceb972a89df943392c4c0 (patch)
tree07b19be81d5488c1e8358c6056235d05e50d5dcf
parente6c755bfcfd7f38eafd6cafe8c2de00242fb480a (diff)
Issue #3007462 by dsnopek: [core, htmlmail] Add D6LTS patch for SA-CORE-2018-006
-rw-r--r--common/contrib/htmlmail/SA-CONTRIB-2018-069.patch40
-rw-r--r--common/core/SA-CORE-2018-006.patch15
2 files changed, 55 insertions, 0 deletions
diff --git a/common/contrib/htmlmail/SA-CONTRIB-2018-069.patch b/common/contrib/htmlmail/SA-CONTRIB-2018-069.patch
new file mode 100644
index 0000000..bcaa4e2
--- /dev/null
+++ b/common/contrib/htmlmail/SA-CONTRIB-2018-069.patch
@@ -0,0 +1,40 @@
+diff --git a/htmlmail.mail.inc b/htmlmail.mail.inc
+index e1126de..d6043e2 100644
+--- a/htmlmail.mail.inc
++++ b/htmlmail.mail.inc
+@@ -262,7 +262,7 @@ class HTMLMailSystem implements MailSystemInterface {
+ // if the parameter is NULL.
+ $result = @mail($to, $subject, $body, $txt_headers);
+ }
+- else {
++ elseif ((variable_get('site_mail', ini_get('sendmail_from')) == $message['headers']['Return-Path'] || self::_isShellSafe($message['headers']['Return-Path']))) {
+ // On most non-Windows systems, the "-f" option to the sendmail command
+ // is used to set the Return-Path.
+ $extra = '-f' . $message['headers']['Return-Path'];
+@@ -319,4 +319,26 @@ class HTMLMailSystem implements MailSystemInterface {
+ }
+ return implode("\n", $output);
+ }
++
++ /**
++ * Disallows potentially unsafe shell characters.
++ *
++ * @param string $string
++ * The string to be validated.
++ *
++ * @return bool
++ * True if the string is shell-safe.
++ *
++ * @see https://api.drupal.org/api/drupal/modules%21system%21system.mail.inc/7.x
++ */
++ protected static function _isShellSafe($string) {
++ if (escapeshellcmd($string) !== $string || !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))) {
++ return FALSE;
++ }
++ if (preg_match('/[^a-zA-Z0-9@_\-.]/', $string) !== 0) {
++ return FALSE;
++ }
++ return TRUE;
++ }
++
+ }
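Review bot: When the new `elseif ((variable_get('site_mail', ...` condition is false — Return-Path absent, not equal to site_mail, and rejected by `_isShellSafe()` — nothing in the visible context calls `mail()`, so unless an `else` exists below the hunk the message is silently not sent and `$result` is read unset. A fallback that still sends without the fifth argument keeps delivery working while dropping only the unsafe `-f`: `else { $result = @mail($to, $subject, $body, $txt_headers); }` (the same call as the preceding branch). The `site_mail` shortcut also hands an admin-configured value to `-f` without the whitelist, which is an acceptable trust boundary only if that setting is administrator-only; a comment stating that assumption would help, and `===` instead of `==` avoids PHP's numeric-string comparison there. The enclosing method's body starts before and ends after the hunk.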
diff --git a/common/core/SA-CORE-2018-006.patch b/common/core/SA-CORE-2018-006.patch
new file mode 100644
index 0000000..f975964
--- /dev/null
+++ b/common/core/SA-CORE-2018-006.patch
@@ -0,0 +1,15 @@
+diff --git a/includes/common.inc b/includes/common.inc
+index 9a28c06..56e493b 100644
+--- a/includes/common.inc
++++ b/includes/common.inc
+@@ -1558,6 +1558,10 @@ function url($path = NULL, $options = array()) {
+ }
+ elseif (!empty($path) && !$options['alias']) {
+ $path = drupal_get_path_alias($path, isset($options['language']) ? $options['language']->language : '');
++ // Strip leading slashes from internal paths to prevent them becoming external
++ // URLs without protocol. /example.com should not be turned into
++ // //example.com.
++ $path = ltrim($path, '/');
+ }
+
+ if (function_exists('custom_url_rewrite_outbound')) {
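Review bot: The `ltrim` runs only in the `!$options['alias']` branch, so a caller that passes `'alias' => TRUE` with a leading-slash alias gets no protection from this hunk; if that is intended (callers supplying their own alias own the check), the comment should say so, e.g. `// Only the alias looked up here is stripped; callers passing 'alias' => TRUE must sanitize their own path.`. Note also that `ltrim($path, '/')` strips forward slashes only, while browsers following the WHATWG URL parser treat `\` like `/` in http(s) relative URLs, so `ltrim($path, '/\\')` would be the more conservative choice — worth confirming against how the rest of `url()` assembles the final string. `url()` starts before and continues after the hunk.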