summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGábor Hojtsy2014-01-15 20:35:48 +0100
committerGábor Hojtsy2014-01-15 20:35:48 +0100
commit203f323c8813f60c634ca23e025934d1527b0418 (patch)
treebe8426e3762d02fbed96f2d100cdc8066bf6e86b
parent351a44722d91b8e166d0cb48d84d7fe1cf7a864a (diff)
Drupal 6.30 fixes6.30
-rw-r--r--CHANGELOG.txt3
-rw-r--r--includes/common.inc2
-rw-r--r--modules/openid/openid.install72
-rw-r--r--modules/openid/openid.module2
-rw-r--r--modules/system/system.module2
5 files changed, 74 insertions, 7 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 7c7926f..b36af69 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,6 +1,7 @@
-Drupal 6.30-dev, xxxx-xx-xx (development release)
+Drupal 6.30, 2014-01-15
----------------------
+- Fixed security issues (multiple vulnerabilities), see SA-CORE-2014-001.
Drupal 6.29, 2013-11-20
----------------------
diff --git a/includes/common.inc b/includes/common.inc
index 61a3bac..80fc911 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -665,7 +665,7 @@ function drupal_error_handler($errno, $message, $filename, $line, $context) {
return;
}
- if ($errno & (E_ALL ^ E_DEPRECATED)) {
+ if ($errno & (E_ALL ^ E_DEPRECATED ^ E_NOTICE)) {
$types = array(1 => 'error', 2 => 'warning', 4 => 'parse error', 8 => 'notice', 16 => 'core error', 32 => 'core warning', 64 => 'compile error', 128 => 'compile warning', 256 => 'user error', 512 => 'user warning', 1024 => 'user notice', 2048 => 'strict warning', 4096 => 'recoverable fatal error');
// For database errors, we want the line number/file name of the place that
diff --git a/modules/openid/openid.install b/modules/openid/openid.install
index 0abc24f..0b0c95d 100644
--- a/modules/openid/openid.install
+++ b/modules/openid/openid.install
@@ -26,13 +26,14 @@ function openid_schema() {
'idp_endpoint_uri' => array(
'type' => 'varchar',
'length' => 255,
- 'description' => 'URI of the OpenID Provider endpoint.',
+ 'not null' => TRUE,
+ 'description' => 'Primary Key: URI of the OpenID Provider endpoint.',
),
'assoc_handle' => array(
'type' => 'varchar',
'length' => 255,
'not null' => TRUE,
- 'description' => 'Primary Key: Used to refer to this association in subsequent messages.',
+ 'description' => 'Used to refer to this association in subsequent messages.',
),
'assoc_type' => array(
'type' => 'varchar',
@@ -62,7 +63,10 @@ function openid_schema() {
'description' => 'The lifetime, in seconds, of this association.',
),
),
- 'primary key' => array('assoc_handle'),
+ 'primary key' => array('idp_endpoint_uri'),
+ 'unique keys' => array(
+ 'assoc_handle' => array('assoc_handle'),
+ ),
);
$schema['openid_nonce'] = array(
@@ -139,6 +143,68 @@ function openid_update_6000() {
}
/**
+ * Bind associations to their providers.
+ */
+function openid_update_6001() {
+ $ret = array();
+
+ db_drop_table($ret, 'openid_association');
+
+ $schema['openid_association'] = array(
+ 'description' => 'Stores temporary shared key association information for OpenID authentication.',
+ 'fields' => array(
+ 'idp_endpoint_uri' => array(
+ 'type' => 'varchar',
+ 'length' => 255,
+ 'not null' => TRUE,
+ 'description' => 'Primary Key: URI of the OpenID Provider endpoint.',
+ ),
+ 'assoc_handle' => array(
+ 'type' => 'varchar',
+ 'length' => 255,
+ 'not null' => TRUE,
+ 'description' => 'Used to refer to this association in subsequent messages.',
+ ),
+ 'assoc_type' => array(
+ 'type' => 'varchar',
+ 'length' => 32,
+ 'description' => 'The signature algorithm used: one of HMAC-SHA1 or HMAC-SHA256.',
+ ),
+ 'session_type' => array(
+ 'type' => 'varchar',
+ 'length' => 32,
+ 'description' => 'Valid association session types: "no-encryption", "DH-SHA1", and "DH-SHA256".',
+ ),
+ 'mac_key' => array(
+ 'type' => 'varchar',
+ 'length' => 255,
+ 'description' => 'The MAC key (shared secret) for this association.',
+ ),
+ 'created' => array(
+ 'type' => 'int',
+ 'not null' => TRUE,
+ 'default' => 0,
+ 'description' => 'UNIX timestamp for when the association was created.',
+ ),
+ 'expires_in' => array(
+ 'type' => 'int',
+ 'not null' => TRUE,
+ 'default' => 0,
+ 'description' => 'The lifetime, in seconds, of this association.',
+ ),
+ ),
+ 'primary key' => array('idp_endpoint_uri'),
+ 'unique keys' => array(
+ 'assoc_handle' => array('assoc_handle'),
+ ),
+ );
+
+ db_create_table($ret, 'openid_association', $schema['openid_association']);
+
+ return $ret;
+}
+
+/**
* @} End of "addtogroup updates-6.x-extra".
* The next series of updates should start at 7000.
*/
diff --git a/modules/openid/openid.module b/modules/openid/openid.module
index 809e07e..4a7c57b 100644
--- a/modules/openid/openid.module
+++ b/modules/openid/openid.module
@@ -551,7 +551,7 @@ function openid_verify_assertion($service, $response) {
// http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4
// Verify the signatures.
$valid = FALSE;
- $association = db_fetch_object(db_query("SELECT * FROM {openid_association} WHERE assoc_handle = '%s'", $response['openid.assoc_handle']));
+ $association = db_fetch_object(db_query("SELECT * FROM {openid_association} WHERE idp_endpoint_uri = '%s' AND assoc_handle = '%s'", $service['uri'], $response['openid.assoc_handle']));
if ($association && isset($association->session_type)) {
// http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4.2
// Verification using an association.
diff --git a/modules/system/system.module b/modules/system/system.module
index 6ef4699..09b9dde 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -8,7 +8,7 @@
/**
* The current system version.
*/
-define('VERSION', '6.30-dev');
+define('VERSION', '6.30');
/**
* Core API compatibility.