authorGábor Hojtsy2007-10-17 21:35:42 +0000
committerGábor Hojtsy2007-10-17 21:35:42 +0000
commit44d6dbd86e3b3974a676a223dd97356ad905e4b3 (patch)
tree0b27ad3381e5caafa68505c7ee2d00b72daf4d55
parent0e80cf76e64b8189cbf0a358665fa04574ccee55 (diff)
Drupal 4.7.84.7.8
-rw-r--r--CHANGELOG.txt6
-rw-r--r--includes/common.inc6
-rw-r--r--modules/comment.module6
-rw-r--r--modules/system.module7
-rw-r--r--modules/upload.module6
5 files changed, 18 insertions, 13 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 38d527f..e7d28ab 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,5 +1,11 @@
// $Id$
+Drupal 4.7.8, 2007-10-17
+----------------------
+- fixed a security issue (HTTP response splitting), see SA-2007-024
+- fixed a security issue (Cross site scripting via uploads), see SA-2007-026
+- fixed a security issue (API handling of unpublished comment), see SA-2007-030
+
Drupal 4.7.7, 2007-07-26
------------------------
- fixed security issue (XSS), see SA-2007-018
diff --git a/includes/common.inc b/includes/common.inc
index f307ea8..92651ae 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -235,10 +235,6 @@ function drupal_get_destination() {
* 'user login'-block in a sidebar. The function drupal_get_destination()
* can be used to help set the destination URL.
*
- * It is advised to use drupal_goto() instead of PHP's header(), because
- * drupal_goto() will append the user's session ID to the URI when PHP is
- * compiled with "--enable-trans-sid".
- *
* This function ends the request; use it rather than a print theme('page')
* statement in your menu callback.
*
@@ -260,6 +256,8 @@ function drupal_goto($path = '', $query = NULL, $fragment = NULL) {
}
$url = url($path, $query, $fragment, TRUE);
+ // Remove newlines from the URL to avoid header injection attacks.
+ $url = str_replace(array("\n", "\r"), '', $url);
// Before the redirect, allow modules to react to the end of the page request.
module_invoke_all('exit', $url);
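Review bot: The new `$url = str_replace(array("\n", "\r"), '', $url);` silently strips CR/LF rather than refusing a URL that contains them, so a path with embedded line breaks is still redirected to, minus the breaks; that is an acceptable fix, but the comment should record which advisory it addresses so the line is not later removed as redundant, e.g. `// Strip CR and LF so the Location: header cannot be split into extra headers (SA-2007-024).` Because `$url` is passed by value to `module_invoke_all('exit', $url)`, hook_exit() implementations cannot reintroduce line breaks into the value used afterwards. The header() call that consumes `$url` and the remainder of drupal_goto() lie outside this hunk, so I could not confirm that no other transformation of `$url` happens between this line and the header() call.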
diff --git a/modules/comment.module b/modules/comment.module
index 9caea76..2d7591a 100644
--- a/modules/comment.module
+++ b/modules/comment.module
@@ -568,7 +568,7 @@ function comment_save($edit) {
}
// Add the comment to database.
- $status = user_access('post comments without approval') ? COMMENT_PUBLISHED : COMMENT_NOT_PUBLISHED;
+ $edit['status'] = user_access('post comments without approval') ? COMMENT_PUBLISHED : COMMENT_NOT_PUBLISHED;
$roles = variable_get('comment_roles', array());
$score = 0;
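Review bot: `$edit['status']` is now assigned unconditionally from `user_access('post comments without approval')`, so any status a caller of comment_save() supplied is overwritten for new comments; that is the safe choice, but nothing in the hunk says so and a reader may assume the caller's value is honored. A comment such as `// Always derive the status from the permission; a caller-supplied $edit['status'] is never trusted.` above the assignment would make the intent explicit. The same `$edit['status']` is then used in the INSERT in the hunk at L70 and the moderation message in the hunk at L76, which keeps the stored status and the status visible in `$edit` consistent. comment_save() begins and ends outside these hunks.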
@@ -629,7 +629,7 @@ function comment_save($edit) {
$edit['name'] = $user->name;
}
- db_query("INSERT INTO {comments} (cid, nid, pid, uid, subject, comment, format, hostname, timestamp, status, score, users, thread, name, mail, homepage) VALUES (%d, %d, %d, %d, '%s', '%s', %d, '%s', %d, %d, %d, '%s', '%s', '%s', '%s', '%s')", $edit['cid'], $edit['nid'], $edit['pid'], $edit['uid'], $edit['subject'], $edit['comment'], $edit['format'], $_SERVER['REMOTE_ADDR'], $edit['timestamp'], $status, $score, $users, $thread, $edit['name'], $edit['mail'], $edit['homepage']);
+ db_query("INSERT INTO {comments} (cid, nid, pid, uid, subject, comment, format, hostname, timestamp, status, score, users, thread, name, mail, homepage) VALUES (%d, %d, %d, %d, '%s', '%s', %d, '%s', %d, %d, %d, '%s', '%s', '%s', '%s', '%s')", $edit['cid'], $edit['nid'], $edit['pid'], $edit['uid'], $edit['subject'], $edit['comment'], $edit['format'], $_SERVER['REMOTE_ADDR'], $edit['timestamp'], $edit['status'], $score, $users, $thread, $edit['name'], $edit['mail'], $edit['homepage']);
_comment_update_node_statistics($edit['nid']);
@@ -645,7 +645,7 @@ function comment_save($edit) {
// Explain the approval queue if necessary, and then
// redirect the user to the node he's commenting on.
- if ($status == COMMENT_NOT_PUBLISHED) {
+ if ($edit['status'] == COMMENT_NOT_PUBLISHED) {
drupal_set_message(t('Your comment has been queued for moderation by site administrators and will be published after approval.'));
}
return $edit['cid'];
diff --git a/modules/system.module b/modules/system.module
index a92f9f9..66a17c6 100644
--- a/modules/system.module
+++ b/modules/system.module
@@ -6,7 +6,7 @@
* Configuration system that lets administrators modify the workings of the site.
*/
-define('VERSION', '4.7.8 dev');
+define('VERSION', '4.7.8');
/**
* Implementation of hook_help().
@@ -1235,8 +1235,9 @@ function system_theme_settings($key = '') {
* offered to go back to the item that is being changed in case the user changes
* his/her mind.
*
- * You should use $GLOBALS['values']['edit'][$name] (where $name is usually 'confirm') to
- * check if the confirmation was successful.
+ * If the submit handler for this form is invoked, the user successfully
+ * confirmed the action. You should never directly inspect $_POST to see if an
+ * action was confirmed.
*
* @param $form_id
* The unique form identifier. Used by the form API to construct the theme.
diff --git a/modules/upload.module b/modules/upload.module
index 7dc47b6..2112444 100644
--- a/modules/upload.module
+++ b/modules/upload.module
@@ -157,7 +157,7 @@ function upload_settings() {
foreach ($roles as $rid => $role) {
$form["settings_role_$rid"] = array('#type' => 'fieldset', '#title' => t('Settings for %role', array('%role' => theme('placeholder', $role))), '#collapsible' => TRUE, '#collapsed' => TRUE);
$form["settings_role_$rid"]["upload_extensions_$rid"] = array(
- '#type' => 'textfield', '#title' => t('Permitted file extensions'), '#default_value' => variable_get("upload_extensions_$rid", 'jpg jpeg gif png txt html doc xls pdf ppt pps odt ods odp'),
+ '#type' => 'textfield', '#title' => t('Permitted file extensions'), '#default_value' => variable_get("upload_extensions_$rid", 'jpg jpeg gif png txt doc xls xls pdf ppt pps odt ods odp'),
'#maxlength' => 255, '#description' => t('Extensions that users in this role can upload. Separate extensions with a space and do not include the leading dot.')
);
$form["settings_role_$rid"]["upload_uploadsize_$rid"] = array(
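Review bot: The new default extension list at L112 reads `txt doc xls xls pdf`, a duplicated `xls` left where `html` was removed; the same duplicate appears in the hunks at L121 and L129, so all three should read `'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp'`. The duplicate is harmless for a whitelist check, but it shows the literal is hand-edited in three places; pulling it into one shared default would stop the copies from drifting, especially since upload_munge_filename() already falls back to `variable_get('upload_extensions_default', ...)` while upload_settings() and _upload_validate() use the literal directly. Changing only the default presumably leaves any site that has already saved an `upload_extensions_<rid>` variable containing `html` with the old, XSS-prone list; an update step or an administrator notice for that case is not part of this commit, so that is worth confirming. The hunk at L124 appears to continue past the end of the visible page.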
@@ -326,7 +326,7 @@ function _upload_validate(&$node) {
$total_usersize = upload_space_used($user->uid) + $filesize;
$error = array();
foreach ($user->roles as $rid => $name) {
- $extensions = variable_get("upload_extensions_$rid", 'jpg jpeg gif png txt html doc xls pdf ppt pps odt ods odp');
+ $extensions = variable_get("upload_extensions_$rid", 'jpg jpeg gif png txt doc xls xls pdf ppt pps odt ods odp');
$uploadsize = variable_get("upload_uploadsize_$rid", 1) * 1024 * 1024;
$usersize = variable_get("upload_usersize_$rid", 10) * 1024 * 1024;
@@ -538,7 +538,7 @@ function upload_munge_filename($filename, $extensions = NULL, $alerts = 1) {
if (!isset($extensions)) {
$extensions = '';
foreach ($user->roles as $rid => $name) {
- $extensions .= ' '. variable_get("upload_extensions_$rid", variable_get('upload_extensions_default', 'jpg jpeg gif png txt html doc xls pdf ppt pps odt ods odp'));
+ $extensions .= ' '. variable_get("upload_extensions_$rid", variable_get('upload_extensions_default', 'jpg jpeg gif png txt doc xls xls pdf ppt pps odt ods odp'));
}
}