summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorxjm2016-07-18 17:01:43 +0200
committerxjm2016-07-18 17:01:43 +0200
commit5e60a2770329300866319aac1ab465159688d319 (patch)
tree1f192a0d94b99d8e8c8a65a2a1083eb8e006d156
parentb101f904648a70822b87427007b6228c3824e0ae (diff)
Drupal 8.1.7 (SA-CORE-2016-003) by alexpott, Michael Dowling, mlhess, xjm, Pere Orga, dawehner, greggles, coltrane, pwolanin, larowlan8.1.7
-rw-r--r--.htaccess4
-rw-r--r--composer.lock52
-rw-r--r--core/CHANGELOG.txt4
-rw-r--r--core/composer.json2
-rw-r--r--core/lib/Drupal.php2
-rw-r--r--core/lib/Drupal/Core/Http/ClientFactory.php7
-rw-r--r--sites/default/default.settings.php3
-rw-r--r--web.config8
8 files changed, 50 insertions, 32 deletions
diff --git a/.htaccess b/.htaccess
index f4024c6..4716fa1 100644
--- a/.htaccess
+++ b/.htaccess
@@ -180,8 +180,10 @@ AddEncoding gzip svgz
</IfModule>
</IfModule>
-# Add headers to all responses.
+# Various header fixes.
<IfModule mod_headers.c>
# Disable content sniffing, since it's an attack vector.
Header always set X-Content-Type-Options nosniff
+ # Disable Proxy header, since it's an attack vector.
+ RequestHeader unset Proxy
</IfModule>
diff --git a/composer.lock b/composer.lock
index f2c6c18..9f93241 100644
--- a/composer.lock
+++ b/composer.lock
@@ -678,32 +678,32 @@
},
{
"name": "guzzlehttp/guzzle",
- "version": "6.1.0",
+ "version": "6.2.1",
"source": {
"type": "git",
"url": "https://github.com/guzzle/guzzle.git",
- "reference": "66fd14b4d0b8f2389eaf37c5458608c7cb793a81"
+ "reference": "3f808fba627f2c5b69e2501217bf31af349c1427"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/guzzle/guzzle/zipball/66fd14b4d0b8f2389eaf37c5458608c7cb793a81",
- "reference": "66fd14b4d0b8f2389eaf37c5458608c7cb793a81",
+ "url": "https://api.github.com/repos/guzzle/guzzle/zipball/3f808fba627f2c5b69e2501217bf31af349c1427",
+ "reference": "3f808fba627f2c5b69e2501217bf31af349c1427",
"shasum": ""
},
"require": {
- "guzzlehttp/promises": "~1.0",
- "guzzlehttp/psr7": "~1.1",
- "php": ">=5.5.0"
+ "guzzlehttp/promises": "^1.0",
+ "guzzlehttp/psr7": "^1.3.1",
+ "php": ">=5.5"
},
"require-dev": {
"ext-curl": "*",
- "phpunit/phpunit": "~4.0",
- "psr/log": "~1.0"
+ "phpunit/phpunit": "^4.0",
+ "psr/log": "^1.0"
},
"type": "library",
"extra": {
"branch-alias": {
- "dev-master": "6.1-dev"
+ "dev-master": "6.2-dev"
}
},
"autoload": {
@@ -736,20 +736,20 @@
"rest",
"web service"
],
- "time": "2015-09-08 17:36:26"
+ "time": "2016-07-15 17:22:37"
},
{
"name": "guzzlehttp/promises",
- "version": "1.0.2",
+ "version": "1.2.0",
"source": {
"type": "git",
"url": "https://github.com/guzzle/promises.git",
- "reference": "97fe7210def29451ec74923b27e552238defd75a"
+ "reference": "c10d860e2a9595f8883527fa0021c7da9e65f579"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/guzzle/promises/zipball/97fe7210def29451ec74923b27e552238defd75a",
- "reference": "97fe7210def29451ec74923b27e552238defd75a",
+ "url": "https://api.github.com/repos/guzzle/promises/zipball/c10d860e2a9595f8883527fa0021c7da9e65f579",
+ "reference": "c10d860e2a9595f8883527fa0021c7da9e65f579",
"shasum": ""
},
"require": {
@@ -787,20 +787,20 @@
"keywords": [
"promise"
],
- "time": "2015-08-15 19:37:21"
+ "time": "2016-05-18 16:56:05"
},
{
"name": "guzzlehttp/psr7",
- "version": "1.2.0",
+ "version": "1.3.1",
"source": {
"type": "git",
"url": "https://github.com/guzzle/psr7.git",
- "reference": "4ef919b0cf3b1989523138b60163bbcb7ba1ff7e"
+ "reference": "5c6447c9df362e8f8093bda8f5d8873fe5c7f65b"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/guzzle/psr7/zipball/4ef919b0cf3b1989523138b60163bbcb7ba1ff7e",
- "reference": "4ef919b0cf3b1989523138b60163bbcb7ba1ff7e",
+ "url": "https://api.github.com/repos/guzzle/psr7/zipball/5c6447c9df362e8f8093bda8f5d8873fe5c7f65b",
+ "reference": "5c6447c9df362e8f8093bda8f5d8873fe5c7f65b",
"shasum": ""
},
"require": {
@@ -816,7 +816,7 @@
"type": "library",
"extra": {
"branch-alias": {
- "dev-master": "1.0-dev"
+ "dev-master": "1.4-dev"
}
},
"autoload": {
@@ -845,7 +845,7 @@
"stream",
"uri"
],
- "time": "2015-08-15 19:32:36"
+ "time": "2016-06-24 23:00:38"
},
{
"name": "ircmaxell/password-compat",
@@ -1057,12 +1057,12 @@
"source": {
"type": "git",
"url": "https://github.com/php-fig/log.git",
- "reference": "fe0936ee26643249e916849d48e3a51d5f5e278b"
+ "reference": "1.0.0"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/php-fig/log/zipball/fe0936ee26643249e916849d48e3a51d5f5e278b",
- "reference": "fe0936ee26643249e916849d48e3a51d5f5e278b",
+ "url": "https://api.github.com/repos/php-fig/log/zipball/1.0.0",
+ "reference": "1.0.0",
"shasum": ""
},
"type": "library",
@@ -1183,7 +1183,7 @@
],
"authors": [
{
- "name": "Symfony CMF Community",
+ "name": "Symfony CMF community",
"homepage": "https://github.com/symfony-cmf/Routing/contributors"
}
],
diff --git a/core/CHANGELOG.txt b/core/CHANGELOG.txt
index 64ad167..f6fad6c 100644
--- a/core/CHANGELOG.txt
+++ b/core/CHANGELOG.txt
@@ -1,3 +1,7 @@
+Drupal 8.1.7, 2016-07-18
+------------------------
+- Fixed security issue. SA-CORE-2016-003.
+
Drupal 8.1.3, 2016-06-15
------------------------
- Fixed security issue. SA-CORE-2016-002.
diff --git a/core/composer.json b/core/composer.json
index a8ee73e..fbe4c1b 100644
--- a/core/composer.json
+++ b/core/composer.json
@@ -21,7 +21,7 @@
"twig/twig": "^1.23.1",
"doctrine/common": "2.5.*",
"doctrine/annotations": "1.2.*",
- "guzzlehttp/guzzle": "~6.1",
+ "guzzlehttp/guzzle": "~6.2",
"symfony-cmf/routing": "1.3.*",
"easyrdf/easyrdf": "0.9.*",
"zendframework/zend-feed": "~2.4",
diff --git a/core/lib/Drupal.php b/core/lib/Drupal.php
index f27c6d2..9582f0e 100644
--- a/core/lib/Drupal.php
+++ b/core/lib/Drupal.php
@@ -81,7 +81,7 @@ class Drupal {
/**
* The current system version.
*/
- const VERSION = '8.1.6';
+ const VERSION = '8.1.7';
/**
* Core API compatibility.
diff --git a/core/lib/Drupal/Core/Http/ClientFactory.php b/core/lib/Drupal/Core/Http/ClientFactory.php
index a68f085..3dcf353 100644
--- a/core/lib/Drupal/Core/Http/ClientFactory.php
+++ b/core/lib/Drupal/Core/Http/ClientFactory.php
@@ -52,6 +52,13 @@ class ClientFactory {
'User-Agent' => 'Drupal/' . \Drupal::VERSION . ' (+https://www.drupal.org/) ' . \GuzzleHttp\default_user_agent(),
],
'handler' => $this->stack,
+ // Security consideration: prevent Guzzle from using environment variables
+ // to configure the outbound proxy.
+ 'proxy' => [
+ 'http' => NULL,
+ 'https' => NULL,
+ 'no' => [],
+ ]
];
$config = NestedArray::mergeDeep($default_config, Settings::get('http_client_config', []), $config);
diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php
index 7f28c29..d42962d 100644
--- a/sites/default/default.settings.php
+++ b/sites/default/default.settings.php
@@ -325,9 +325,6 @@ $settings['update_free_access'] = FALSE;
*
* You can also define an array of host names that can be accessed directly,
* bypassing the proxy, in $settings['http_client_config']['proxy']['no'].
- *
- * If these settings are not configured, the system environment variables
- * HTTP_PROXY, HTTPS_PROXY, and NO_PROXY on the web server will be used instead.
*/
# $settings['http_client_config']['proxy']['http'] = 'http://proxy_user:proxy_pass@example.com:8080';
# $settings['http_client_config']['proxy']['https'] = 'http://proxy_user:proxy_pass@example.com:8080';
diff --git a/web.config b/web.config
index a0535a1..5628471 100644
--- a/web.config
+++ b/web.config
@@ -34,6 +34,14 @@
</conditions>
</rule>
+ <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
+ <match url="*.*" />
+ <serverVariables>
+ <set name="HTTP_PROXY" value="" />
+ </serverVariables>
+ <action type="None" />
+ </rule>
+
<!-- To redirect all users to access the site WITH the 'www.' prefix,
http://example.com/foo will be redirected to http://www.example.com/foo)
adapt and uncomment the following: -->