authorNeil Drumm2007-10-17 21:29:00 +0000
committerNeil Drumm2007-10-17 21:29:00 +0000
commit8506de8190a281bf25b8c6483d5ea4400751064f (patch)
treed80946d76a122fefdc65bc1ee67098d8e7dcf5c3
parent892a627cf508983315930d4ae86fffa91e00ee09 (diff)
Drupal 5.35.3
-rw-r--r--CHANGELOG.txt14
-rw-r--r--includes/common.inc9
-rw-r--r--install.php6
-rw-r--r--modules/comment/comment.module6
-rw-r--r--modules/system/system.module12
-rw-r--r--modules/upload/upload.module6
-rw-r--r--modules/user/user.module18
7 files changed, 44 insertions, 27 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 5a9977e..985cd71 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,7 +1,13 @@
// $Id$
-Drupal 5.3, xxxx-xx-xx
+Drupal 5.3, 2007-10-17
----------------------
+- fixed a variety of small bugs.
+- fixed a security issue (HTTP response splitting), see SA-2007-024
+- fixed a security issue (Arbitrary code execution via installer), see SA-2007-025
+- fixed a security issue (Cross site scripting via uploads), see SA-2007-026
+- fixed a security issue (User deletion cross site request forgery), see SA-2007-029
+- fixed a security issue (API handling of unpublished comment), see SA-2007-030
Drupal 5.2, 2007-07-26
----------------------
@@ -92,6 +98,12 @@ Drupal 5.0, 2007-01-15
* added nested lists generation.
* added a self-clearing block class.
+Drupal 4.7.8, 2007-10-17
+------------------------
+- fixed a security issue (HTTP response splitting), see SA-2007-024
+- fixed a security issue (Cross site scripting via uploads), see SA-2007-026
+- fixed a security issue (API handling of unpublished comment), see SA-2007-030
+
Drupal 4.7.7, 2007-07-26
------------------------
- fixed security issue (XSS), see SA-2007-018
diff --git a/includes/common.inc b/includes/common.inc
index 28397b5..48066e2 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -267,11 +267,8 @@ function drupal_get_destination() {
* 'user login'-block in a sidebar. The function drupal_get_destination()
* can be used to help set the destination URL.
*
- * It is advised to use drupal_goto() instead of PHP's header(), because
- * drupal_goto() will append the user's session ID to the URI when PHP is
- * compiled with "--enable-trans-sid". In addition, Drupal will ensure that
- * messages set by drupal_set_message() and other session data are written to
- * the database before the user is redirected.
+ * Drupal will ensure that messages set by drupal_set_message() and other
+ * session data are written to the database before the user is redirected.
*
* This function ends the request; use it rather than a print theme('page')
* statement in your menu callback.
@@ -304,6 +301,8 @@ function drupal_goto($path = '', $query = NULL, $fragment = NULL, $http_response
}
$url = url($path, $query, $fragment, TRUE);
+ // Remove newlines from the URL to avoid header injection attacks.
+ $url = str_replace(array("\n", "\r"), '', $url);
// Before the redirect, allow modules to react to the end of the page request.
module_invoke_all('exit', $url);
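Review bot: The CR/LF strip on `$url` in drupal_goto() silently repairs a redirect target that can only contain those bytes if the path, query or a `destination` parameter was tampered with, so the event disappears without a trace; consider comparing before and after and logging when they differ, e.g. `$clean = str_replace(array("\n", "\r"), '', $url); if ($clean !== $url) { watchdog('security', 'Newline characters stripped from redirect URL.'); } $url = $clean;`. The comment could also name what is being prevented so the line is not "simplified" away later: `// Strip CR/LF so a crafted destination cannot terminate the Location: header and inject additional headers or a response body (HTTP response splitting).` Placing the strip before `module_invoke_all('exit', $url)` means hooks see the sanitised value, which is right; the header() call it protects is outside this hunk, as is the rest of drupal_goto().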
diff --git a/install.php b/install.php
index 79ef2cf..1db0228 100644
--- a/install.php
+++ b/install.php
@@ -166,6 +166,10 @@ function install_change_settings($profile = 'default', $install_locale = '') {
if ($db_url == 'mysql://username:password@localhost/databasename') {
$db_user = $db_pass = $db_path = '';
}
+ elseif (!empty($db_url)) {
+ // Do not install over a configured settings.php.
+ install_already_done_error();
+ }
$output = drupal_get_form('install_settings_form', $profile, $install_locale, $settings_file, $db_url, $db_type, $db_prefix, $db_user, $db_pass, $db_host, $db_port, $db_path);
drupal_set_title(st('Database configuration'));
print theme('install_page', $output);
@@ -506,7 +510,7 @@ function install_already_done_error() {
drupal_maintenance_theme();
drupal_set_title(st('Drupal already installed'));
- print theme('install_page', st('<ul><li>To start over, you must empty your existing database.</li><li>To install to a different database, edit the appropriate <em>settings.php</em> file in the <em>sites</em> folder.</li><li>To upgrade an existing installation, proceed to the <a href="@base-url/update.php">update script</a>.</li></ul>', array('@base-url' => $base_url)));
+ print theme('install_page', st('<ul><li>To start over, you must empty your existing database and replace the appropriate <em>settings.php</em> with an unmodified copy.</li><li>To install to a different database, edit the appropriate <em>settings.php</em> file in the <em>sites</em> folder.</li><li>To upgrade an existing installation, proceed to the <a href="@base-url/update.php">update script</a>.</li></ul>', array('@base-url' => $base_url)));
exit;
}
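Review bot: The new guard in install_change_settings() decides "already configured" with a loose `==` against the shipped placeholder string and treats any other non-empty value as a live configuration; that is fail-closed, which is the right direction, but `===` would make the intent explicit: `if ($db_url === 'mysql://username:password@localhost/databasename') {`. An array-valued `$db_url` (multi-connection settings) also lands in the `elseif` because the string comparison is false and `!empty()` is true, which is desirable but not obvious and deserves a comment: `// Any other non-empty value, string or array, means settings.php already points at a database; refuse to re-run the installer over it.` Whether the other installer steps apply the same check cannot be seen here, and install_change_settings() begins and ends outside this hunk.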
diff --git a/modules/comment/comment.module b/modules/comment/comment.module
index 32007e3..c095d62 100644
--- a/modules/comment/comment.module
+++ b/modules/comment/comment.module
@@ -723,7 +723,7 @@ function comment_save($edit) {
}
// Add the comment to database.
- $status = user_access('post comments without approval') ? COMMENT_PUBLISHED : COMMENT_NOT_PUBLISHED;
+ $edit['status'] = user_access('post comments without approval') ? COMMENT_PUBLISHED : COMMENT_NOT_PUBLISHED;
$roles = variable_get('comment_roles', array());
$score = 0;
@@ -784,7 +784,7 @@ function comment_save($edit) {
$edit['name'] = $user->name;
}
- db_query("INSERT INTO {comments} (cid, nid, pid, uid, subject, comment, format, hostname, timestamp, status, score, users, thread, name, mail, homepage) VALUES (%d, %d, %d, %d, '%s', '%s', %d, '%s', %d, %d, %d, '%s', '%s', '%s', '%s', '%s')", $edit['cid'], $edit['nid'], $edit['pid'], $edit['uid'], $edit['subject'], $edit['comment'], $edit['format'], $_SERVER['REMOTE_ADDR'], $edit['timestamp'], $status, $score, $users, $thread, $edit['name'], $edit['mail'], $edit['homepage']);
+ db_query("INSERT INTO {comments} (cid, nid, pid, uid, subject, comment, format, hostname, timestamp, status, score, users, thread, name, mail, homepage) VALUES (%d, %d, %d, %d, '%s', '%s', %d, '%s', %d, %d, %d, '%s', '%s', '%s', '%s', '%s')", $edit['cid'], $edit['nid'], $edit['pid'], $edit['uid'], $edit['subject'], $edit['comment'], $edit['format'], $_SERVER['REMOTE_ADDR'], $edit['timestamp'], $edit['status'], $score, $users, $thread, $edit['name'], $edit['mail'], $edit['homepage']);
_comment_update_node_statistics($edit['nid']);
@@ -800,7 +800,7 @@ function comment_save($edit) {
// Explain the approval queue if necessary, and then
// redirect the user to the node he's commenting on.
- if ($status == COMMENT_NOT_PUBLISHED) {
+ if ($edit['status'] == COMMENT_NOT_PUBLISHED) {
drupal_set_message(t('Your comment has been queued for moderation by site administrators and will be published after approval.'));
}
return $edit['cid'];
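Review bot: In the hunk at line 723 `$edit['status']` is overwritten unconditionally from `user_access('post comments without approval')`, so any status a caller placed in `$edit` before calling comment_save() is discarded and the value actually stored now travels with `$edit` to whatever receives it afterwards; this is the security-relevant line and should say so: `// Publication status is decided here by permission alone; a status supplied by the caller in $edit is intentionally overwritten.` The INSERT and the moderation message in the later hunks read the same array element, so the three hunks are consistent. Whether the update path of comment_save(), which lies outside these hunks, derives status the same way is not visible; comment_save() starts before the first hunk.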
diff --git a/modules/system/system.module b/modules/system/system.module
index 3d7aeac..3bbc2bb 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -6,7 +6,7 @@
* Configuration system that lets administrators modify the workings of the site.
*/
-define('VERSION', '5.3 dev');
+define('VERSION', '5.3');
/**
* Implementation of hook_help().
@@ -2116,12 +2116,12 @@ function system_node_type($op, $info) {
* Output a confirmation form
*
* This function returns a complete form for confirming an action. A link is
- * offered to go back to the item that is being changed in case the user changes
- * his/her mind.
+ * offered to go back to the item that is being changed in case the user
+ * changes his/her mind.
*
- * You can check for the existence of $_POST[$name] (where $name
- * is usually 'confirm') to check if the confirmation was successful or
- * use the regular submit model.
+ * If the submit handler for this form is invoked, the user successfully
+ * confirmed the action. You should never directly inspect $_POST to see if an
+ * action was confirmed.
*
* @param $form
* Additional elements to inject into the form, for example hidden elements.
diff --git a/modules/upload/upload.module b/modules/upload/upload.module
index e193bef..e3cd151 100644
--- a/modules/upload/upload.module
+++ b/modules/upload/upload.module
@@ -158,7 +158,7 @@ function upload_admin_settings_validate($form_id, $form_values) {
* Menu callback for the upload settings form.
*/
function upload_admin_settings() {
- $upload_extensions_default = variable_get('upload_extensions_default', 'jpg jpeg gif png txt html doc xls pdf ppt pps odt ods odp');
+ $upload_extensions_default = variable_get('upload_extensions_default', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp');
$upload_uploadsize_default = variable_get('upload_uploadsize_default', 1);
$upload_usersize_default = variable_get('upload_usersize_default', 1);
@@ -421,7 +421,7 @@ function _upload_validate(&$node) {
$total_usersize = upload_space_used($user->uid) + $filesize;
$error = array();
foreach ($user->roles as $rid => $name) {
- $extensions = variable_get("upload_extensions_$rid", variable_get('upload_extensions_default', 'jpg jpeg gif png txt html doc xls pdf ppt pps odt ods odp'));
+ $extensions = variable_get("upload_extensions_$rid", variable_get('upload_extensions_default', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp'));
$uploadsize = variable_get("upload_uploadsize_$rid", variable_get('upload_uploadsize_default', 1)) * 1024 * 1024;
$usersize = variable_get("upload_usersize_$rid", variable_get('upload_usersize_default', 1)) * 1024 * 1024;
@@ -641,7 +641,7 @@ function upload_munge_filename($filename, $extensions = NULL, $alerts = 1) {
if (!isset($extensions)) {
$extensions = '';
foreach ($user->roles as $rid => $name) {
- $extensions .= ' '. variable_get("upload_extensions_$rid", variable_get('upload_extensions_default', 'jpg jpeg gif png txt html doc xls pdf ppt pps odt ods odp'));
+ $extensions .= ' '. variable_get("upload_extensions_$rid", variable_get('upload_extensions_default', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp'));
}
}
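Review bot: Removing `html` only changes the hard-coded fallback passed to variable_get(); a site whose `upload_extensions_default` or per-role `upload_extensions_<rid>` variable was saved through the settings form keeps `html` in the stored value, and nothing in this diff rewrites stored variables, so existing installations may remain affected unless an update hook not shown here handles it. The same literal is now repeated in upload_admin_settings(), _upload_validate() and upload_munge_filename(); defining it once, e.g. `define('UPLOAD_EXTENSIONS_DEFAULT', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp');` and using that constant at all three sites, keeps this security-relevant list from drifting the next time it is edited. The enclosing functions of the second and third hunks begin outside them.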
diff --git a/modules/user/user.module b/modules/user/user.module
index 9897495..a3b8858 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -1415,16 +1415,11 @@ function user_edit($category = 'account') {
drupal_set_message(t('The account does not exist or has already been deleted.'));
drupal_goto('admin/user/user');
}
+
$edit = $_POST['op'] ? $_POST : (array)$account;
if (arg(2) == 'delete') {
- if (!empty($edit['confirm'])) {
- user_delete($edit, $account->uid);
- drupal_goto('admin/user/user');
- }
- else {
- return drupal_get_form('user_confirm_delete', $account->name, $account->uid);
- }
+ return drupal_get_form('user_confirm_delete', $account->name, $account->uid);
}
else if ($_POST['op'] == t('Delete')) {
if ($_REQUEST['destination']) {
@@ -1449,13 +1444,20 @@ function user_edit($category = 'account') {
}
function user_confirm_delete($name, $uid) {
- return confirm_form(array(),
+ $form['uid'] = array('#type' => 'value', '#value' => $uid);
+ return confirm_form($form,
t('Are you sure you want to delete the account %name?', array('%name' => $name)),
'user/'. $uid,
t('All submissions made by this user will be attributed to the anonymous account. This action cannot be undone.'),
t('Delete'), t('Cancel'));
}
+function user_confirm_delete_submit($form_id, $form_values) {
+ $account = user_load(array('uid' => $form_values['uid']));
+ user_delete((array) $account, $form_values['uid']);
+ return 'admin/user/user';
+}
+
/**
* Delete a user.
*
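Review bot: `user_confirm_delete_submit()` passes the result of `user_load()` straight into `user_delete((array) $account, ...)`; if the account was removed between rendering the confirmation and submitting it, user_load() presumably returns no match (FALSE in this API, as far as I can tell) and the cast yields an empty array, so the deletion proceeds on no data. Guard it with the message user_edit() already uses: `if (!$account) { drupal_set_message(t('The account does not exist or has already been deleted.')); return 'admin/user/user'; }` before the `user_delete()` call. Carrying the uid as a `#type => 'value'` element and deleting only from the submit handler is what routes the action through the form API's token validation instead of a bare `confirm` parameter; a comment recording that, `// Delete only from the submit handler so the request is covered by the form token.`, would keep the reason for the restructuring visible. user_edit() in the first hunk begins and ends outside it.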