authorGábor Hojtsy2010-03-04 00:15:28 +0000
committerGábor Hojtsy2010-03-04 00:15:28 +0000
commit77b6714fb3e0bcec9ef7df1a610eb6bdbf09636e (patch)
treea19fa5760faa9d804cd06ef865a7a93602d455f7
parentd3aa92531643b65854920cad747f4224dec220ee (diff)
Drupal 6.166.16
-rw-r--r--CHANGELOG.txt16
-rw-r--r--includes/common.inc16
-rw-r--r--includes/locale.inc23
-rw-r--r--includes/session.inc8
-rw-r--r--includes/theme.maintenance.inc4
-rw-r--r--modules/locale/locale.install20
-rw-r--r--modules/locale/locale.module4
-rw-r--r--modules/system/system.module2
8 files changed, 79 insertions, 14 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index d343072..1d4d4e5 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,7 +1,16 @@
// $Id$
-Drupal 6.16-dev, xxxx-xx-xx (development release)
+Drupal 6.16, 2010-03-03
----------------------
+- Fixed security issues (Installation cross site scripting, Open redirection,
+ Locale module cross site scripting, Blocked user session regeneration),
+ see SA-CORE-2010-001.
+- Better support for updated jQuery versions.
+- Reduced resource usage of update.module.
+- Fixed several issues relating to support of install profiles and
+ distributions.
+- Added a locking framework to avoid data corruption on long operations.
+- Fixed a variety of other bugs.
Drupal 6.15, 2009-12-16
----------------------
@@ -209,6 +218,11 @@ Drupal 6.0, 2008-02-13
- Removed old system updates. Updates from Drupal versions prior to 5.x will
require upgrading to 5.x before upgrading to 6.x.
+Drupal 5.22, 2010-03-03
+-----------------------
+- Fixed security issues (Open redirection, Locale module cross site scripting,
+ Blocked user session regeneration), see SA-CORE-2010-001.
+
Drupal 5.21, 2009-12-16
-----------------------
- Fixed a security issue (Cross site scripting), see SA-CORE-2009-009.
diff --git a/includes/common.inc b/includes/common.inc
index 27c3ad4..879bf75 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -311,11 +311,21 @@ function drupal_get_destination() {
*/
function drupal_goto($path = '', $query = NULL, $fragment = NULL, $http_response_code = 302) {
+ $destination = FALSE;
if (isset($_REQUEST['destination'])) {
- extract(parse_url(urldecode($_REQUEST['destination'])));
+ $destination = $_REQUEST['destination'];
}
else if (isset($_REQUEST['edit']['destination'])) {
- extract(parse_url(urldecode($_REQUEST['edit']['destination'])));
+ $destination = $_REQUEST['edit']['destination'];
+ }
+
+ if ($destination) {
+ // Do not redirect to an absolute URL originating from user input.
+ $colonpos = strpos($destination, ':');
+ $absolute = ($colonpos !== FALSE && !preg_match('![/?#]!', substr($destination, 0, $colonpos)));
+ if (!$absolute) {
+ extract(parse_url(urldecode($destination)));
+ }
}
$url = url($path, array('query' => $query, 'fragment' => $fragment, 'absolute' => TRUE));
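Review bot: The absolute-URL test on the `$colonpos`/`$absolute` lines inspects the raw `$destination`, while the line that follows feeds `urldecode($destination)` to parse_url(), so the check and the consumer look at different strings whenever the value carries percent-encoding; decode once, then test and parse the same value: `$destination = urldecode($destination);` before the `strpos` line, and `extract(parse_url($destination));` in place of the current extract. Whether a decoded path that reaches url() is then treated as external depends on url()'s own checks outside this hunk, so read this as a consistency fix rather than a confirmed bypass. `extract()` on parse_url() output also silently creates locals such as `$scheme` and `$host`; assigning `$path`, `$query` and `$fragment` explicitly from the returned array (with isset() guards) would make the intent visible and keep the function's own parameters from being overwritten by anything unexpected. drupal_goto() continues past the end of the hunk.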
@@ -617,7 +627,7 @@ function drupal_error_handler($errno, $message, $filename, $line, $context) {
return;
}
- if ($errno & (E_ALL ^ E_DEPRECATED)) {
+ if ($errno & (E_ALL ^ E_DEPRECATED ^ E_NOTICE)) {
$types = array(1 => 'error', 2 => 'warning', 4 => 'parse error', 8 => 'notice', 16 => 'core error', 32 => 'core warning', 64 => 'compile error', 128 => 'compile warning', 256 => 'user error', 512 => 'user warning', 1024 => 'user notice', 2048 => 'strict warning', 4096 => 'recoverable fatal error');
// For database errors, we want the line number/file name of the place that
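Review bot: `E_ALL ^ E_DEPRECATED ^ E_NOTICE` depends on both bits already being set in E_ALL, because XOR toggles rather than clears; on a PHP build whose E_ALL lacks one of them the expression turns that bit on instead of off. `E_ALL & ~(E_DEPRECATED | E_NOTICE)` clears both unconditionally and reads as intended. Since the change now hides every notice from display and logging on all sites, a one-line comment above the condition stating that this is deliberate, e.g. `// Notices and deprecation warnings are intentionally not reported.`, would stop a later reader from treating it as an accident. drupal_error_handler() continues outside the hunk.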
diff --git a/includes/locale.inc b/includes/locale.inc
index 7e38875..63e47cd 100644
--- a/includes/locale.inc
+++ b/includes/locale.inc
@@ -34,6 +34,9 @@ function locale_languages_overview_form() {
$options = array();
$form['weight'] = array('#tree' => TRUE);
foreach ($languages as $langcode => $language) {
+ // Language code should contain no markup, but is emitted
+ // by radio and checkbox options.
+ $langcode = check_plain($langcode);
$options[$langcode] = '';
if ($language->enabled) {
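Review bot: Reassigning `$langcode = check_plain($langcode)` inside the loop changes the value used for the rest of the iteration, so any code below that uses `$langcode` to look up the language or to key `$form['weight']` (outside the hunk) now works with the escaped string instead of the stored code. The validator added in the locale_languages_edit_form_validate hunk rejects `<`, `>`, `"` and `'` but not `&`, which check_plain() rewrites as `&amp;`, so a code containing `&` is the case where the escaped key and the stored code diverge. The same keyed check_plain() pattern appears in the locale_translate_seek_form hunk and in both locale_user hunks of modules/locale/locale.module. Keeping the raw code and escaping only the option key, `$safe_langcode = check_plain($langcode);` with `$options[$safe_langcode] = '';`, would limit the escaping to where it is rendered; the loop body continues beyond the hunk.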
@@ -335,6 +338,17 @@ function locale_languages_predefined_form_submit($form, &$form_state) {
* Validate the language editing form. Reused for custom language addition too.
*/
function locale_languages_edit_form_validate($form, &$form_state) {
+ // Validate that the name, native, and langcode variables are safe.
+ if (preg_match('/["<>\']/', $form_state['values']['langcode'])) {
+ form_set_error('langcode', t('The characters &lt;, &gt;, " and \' are not allowed in the language code field.'));
+ }
+ if (preg_match('/["<>\']/', $form_state['values']['name'])) {
+ form_set_error('name', t('The characters &lt;, &gt;, " and \' are not allowed in the language name in English field.'));
+ }
+ if (preg_match('/["<>\']/', $form_state['values']['native'])) {
+ form_set_error('native', t('The characters &lt;, &gt;, " and \' are not allowed in the native language name field.'));
+ }
+
if (!empty($form_state['values']['domain']) && !empty($form_state['values']['prefix'])) {
form_set_error('prefix', t('Domain and path prefix values should not be set at the same time.'));
}
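Review bot: The three added checks are a deny-list of four characters repeated three times; for `langcode`, which becomes an array key, a URL path prefix and a value referenced from other tables, an allow-list is shorter and safer, e.g. `if (!preg_match('/^[a-zA-Z0-9_-]+$/', $form_state['values']['langcode'])) {`. For the free-text name and native fields a deny-list is defensible, but the pattern and the message template could be one small loop over the three field names rather than three copies. The docblock says this validator is reused by the edit form; if that form can submit without a `langcode` value, `$form_state['values']['langcode']` raises a notice, which is worth confirming. locale_languages_edit_form_validate() continues beyond the hunk.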
@@ -536,8 +550,13 @@ function locale_translate_seek_screen() {
*/
function locale_translate_seek_form() {
// Get all languages, except English
- $languages = locale_language_list('name', TRUE);
- unset($languages['en']);
+ $raw_languages = locale_language_list('name', TRUE);
+ unset($raw_languages['en']);
+ // Sanitize the values to be used in radios.
+ $languages = array();
+ foreach ($raw_languages as $key => $value) {
+ $languages[check_plain($key)] = check_plain($value);
+ }
// Present edit form preserving previous user settings
$query = _locale_translate_seek_query();
diff --git a/includes/session.inc b/includes/session.inc
index 725c45d..ebba273 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -31,8 +31,9 @@ function sess_read($key) {
// Otherwise, if the session is still active, we have a record of the client's session in the database.
$user = db_fetch_object(db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = '%s'", $key));
- // We found the client's session record and they are an authenticated user
- if ($user && $user->uid > 0) {
+ // We found the client's session record and they are an authenticated,
+ // active user.
+ if ($user && $user->uid > 0 && $user->status == 1) {
// This is done to unserialize the data member of $user
$user = drupal_unpack($user);
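Review bot: Adding `$user->status == 1` to the condition turns a blocked user's request into an anonymous one, but the matching {sessions} row stays bound to the blocked uid and its stored `session` payload is still handed to drupal_anonymous_user() in the else branch; a defender would expect the stale row to be destroyed or the session id regenerated at this point so that unblocking the account later does not revive the old cookie. That handling may live outside the hunk (for example where an account is blocked), so treat it as something to confirm rather than a confirmed gap. The comment on the new line could spell out the consequence: `// Blocked users are treated as anonymous; their stored session is not trusted.` sess_read() continues past both hunks.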
@@ -44,7 +45,8 @@ function sess_read($key) {
$user->roles[$role->rid] = $role->name;
}
}
- // We didn't find the client's record (session has expired), or they are an anonymous user.
+ // We didn't find the client's record (session has expired), or they are
+ // blocked, or they are an anonymous user.
else {
$session = isset($user->session) ? $user->session : '';
$user = drupal_anonymous_user($session);
diff --git a/includes/theme.maintenance.inc b/includes/theme.maintenance.inc
index 1c088b1..9bd20cc 100644
--- a/includes/theme.maintenance.inc
+++ b/includes/theme.maintenance.inc
@@ -125,9 +125,9 @@ function theme_install_page($content) {
$title = count($messages['error']) > 1 ? st('The following errors must be resolved before you can continue the installation process') : st('The following error must be resolved before you can continue the installation process');
$variables['messages'] .= '<h3>'. $title .':</h3>';
$variables['messages'] .= theme('status_messages', 'error');
- $variables['content'] .= '<p>'. st('Please check the error messages and <a href="!url">try again</a>.', array('!url' => request_uri())) .'</p>';
+ $variables['content'] .= '<p>'. st('Please check the error messages and <a href="!url">try again</a>.', array('!url' => check_url(request_uri()))) .'</p>';
}
-
+
// Special handling of warning messages
if (isset($messages['warning'])) {
$title = count($messages['warning']) > 1 ? st('The following installation warnings should be carefully reviewed') : st('The following installation warning should be carefully reviewed');
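Review bot: `check_url()` is the right escaper for the `!url` placeholder, which inserts its value verbatim, but nothing in the code says so; a short comment would keep a future edit from switching to `@url`, which only HTML-escapes and does not strip unsafe protocols: `// request_uri() is user-controlled; check_url() escapes it and drops unsafe protocols.` The warning branch below the hunk has the same structure, and the hunk does not show whether it also builds a link from request_uri(), so it is worth checking that branch too. theme_install_page() continues beyond the hunk.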
diff --git a/modules/locale/locale.install b/modules/locale/locale.install
index 51b374f..2246917 100644
--- a/modules/locale/locale.install
+++ b/modules/locale/locale.install
@@ -202,6 +202,26 @@ function locale_update_6005() {
}
/**
+ * Neutralize unsafe language names in the database.
+ */
+function locale_update_6006() {
+ $ret = array();
+ $matches = db_result(db_query("SELECT 1 FROM {languages} WHERE native LIKE '%<%' OR native LIKE '%>%' OR name LIKE '%<%' OR name LIKE '%>%'"));
+ if ($matches) {
+ $ret[] = update_sql("UPDATE {languages} SET name = REPLACE(name, '<', ''), native = REPLACE(native, '<', '')");
+ $ret[] = update_sql("UPDATE {languages} SET name = REPLACE(name, '>', ''), native = REPLACE(native, '>', '')");
+ drupal_set_message('The language name in English and the native language name values of all the existing custom languages of your site have been sanitized for security purposes. Visit the <a href="'. url('admin/settings/language') .'">Languages</a> page to check these and fix them if necessary.', 'warning');
+ }
+ // Check if some langcode values contain potentially dangerous characters and
+ // warn the user if so. These are not fixed since they are referenced in other
+ // tables (e.g. {node}).
+ if (db_result(db_query("SELECT 1 FROM {languages} WHERE language LIKE '%<%' OR language LIKE '%>%' OR language LIKE '%\"%' OR language LIKE '%\\\\\%'"))) {
+ drupal_set_message('Some of your custom language code values contain invalid characters. You should examine the <a href="'. url('admin/settings/language') .'">Languages</a> page. These must be fixed manually.', 'error');
+ }
+ return $ret;
+}
+
+/**
* @} End of "defgroup updates-5.x-to-6.x"
*/
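Review bot: locale_update_6006() detects and strips only `<` and `>` from name and native, while the new form validator also rejects `"` and `'`, so an existing name containing a quote survives the update yet can no longer be saved unchanged through the edit form; either include quotes in the SELECT and the two REPLACE statements or state the gap in the warning message. The last LIKE pattern, `'%\\\\\%'`, passes through PHP string escaping and then the database's own escaping before it means "contains a backslash", and that second step differs between backends; a comment such as `// After PHP and SQL unescaping this matches a literal backslash.` plus a check on both supported databases would make it maintainable. The warning text also tells administrators that values "have been sanitized" although quotes were left in place, which the message should reflect.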
diff --git a/modules/locale/locale.module b/modules/locale/locale.module
index 70f4958..a69205d 100644
--- a/modules/locale/locale.module
+++ b/modules/locale/locale.module
@@ -215,7 +215,7 @@ function locale_user($type, $edit, &$user, $category = NULL) {
$names = array();
foreach ($languages as $langcode => $item) {
$name = t($item->name);
- $names[$langcode] = $name . ($item->native != $name ? ' ('. $item->native .')' : '');
+ $names[check_plain($langcode)] = check_plain($name . ($item->native != $name ? ' ('. $item->native .')' : ''));
}
$form['locale'] = array(
'#type' => 'fieldset',
@@ -228,7 +228,7 @@ function locale_user($type, $edit, &$user, $category = NULL) {
$form['locale']['language'] = array(
'#type' => (count($names) <= 5 ? 'radios' : 'select'),
'#title' => t('Language'),
- '#default_value' => $user_preferred_language->language,
+ '#default_value' => check_plain($user_preferred_language->language),
'#options' => $names,
'#description' => ($mode == LANGUAGE_NEGOTIATION_PATH) ? t("This account's default language for e-mails, and preferred language for site presentation.") : t("This account's default language for e-mails."),
);
diff --git a/modules/system/system.module b/modules/system/system.module
index f232a99..9975280 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -9,7 +9,7 @@
/**
* The current system version.
*/
-define('VERSION', '6.16-dev');
+define('VERSION', '6.16');
/**
* Core API compatibility.