summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Rothstein2012-10-17 20:57:48 (GMT)
committer David Rothstein2012-10-17 20:57:48 (GMT)
commit88e9b836125a529b3a05f535733d20e230366783 (patch)
tree3e6dc0b76d8c0c0b87ebfaf4bcc80647e836f085
parent654335b245eb4dd8b0a915a4295ae9b9253dfe4f (diff)
parentb9127101ffeca819e74a03fa9f5a48d026c562e5 (diff)
Merge branch '7.15-security' into 7.x
-rw-r--r--CHANGELOG.txt7
-rw-r--r--includes/bootstrap.inc2
-rw-r--r--includes/install.core.inc11
-rw-r--r--modules/openid/openid.inc31
-rw-r--r--modules/openid/openid.test9
-rw-r--r--modules/openid/tests/openid_test.module6
6 files changed, 53 insertions, 13 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 64e00f1..5bae473 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,5 +1,5 @@
-Drupal 7.16, xxxx-xx-xx (development version)
+Drupal 7.17, xxxx-xx-xx (development version)
-----------------------
- Fixed the theme settings form to properly clean up submitted values in
$form_state['values'] when the form is submitted (data structure change).
@@ -21,6 +21,11 @@ Drupal 7.16, xxxx-xx-xx (development version)
- Added hook_entity_view_mode_alter() to allow modules to change entity view
modes on display.
+Drupal 7.16, 2012-10-17
+-----------------------
+- Fixed security issues (Arbitrary PHP code execution and information
+ disclosure). See SA-CORE-2012-003.
+
Drupal 7.15, 2012-08-01
-----------------------
- Introduced a 'user_password_reset_timeout' variable to allow the 24-hour
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 709789b..d9ad856 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
/**
* The current system version.
*/
-define('VERSION', '7.16-dev');
+define('VERSION', '7.17-dev');
/**
* Core API compatibility.
diff --git a/includes/install.core.inc b/includes/install.core.inc
index 273acd9..9805e1c 100644
--- a/includes/install.core.inc
+++ b/includes/install.core.inc
@@ -293,12 +293,11 @@ function install_begin_request(&$install_state) {
else {
$task = NULL;
- // Since previous versions of Drupal stored database connection information
- // in the 'db_url' variable, we should never let an installation proceed if
- // this variable is defined and the settings file was not verified above
- // (otherwise we risk installing over an existing site whose settings file
- // has not yet been updated).
- if (!empty($GLOBALS['db_url'])) {
+ // Do not install over a configured settings.php. Check the 'db_url'
+ // variable in addition to 'databases', since previous versions of Drupal
+ // used that (and we do not want to allow installations on an existing site
+ // whose settings file has not yet been updated).
+ if (!empty($GLOBALS['databases']) || !empty($GLOBALS['db_url'])) {
throw new Exception(install_already_done_error());
}
}
diff --git a/modules/openid/openid.inc b/modules/openid/openid.inc
index bf9318a..74a08d5 100644
--- a/modules/openid/openid.inc
+++ b/modules/openid/openid.inc
@@ -138,8 +138,28 @@ function openid_redirect_form($form, &$form_state, $url, $message) {
*/
function _openid_xrds_parse($raw_xml) {
$services = array();
- try {
- $xml = @new SimpleXMLElement($raw_xml);
+
+ // For PHP version >= 5.2.11, we can use this function to protect against
+ // malicious doctype declarations and other unexpected entity loading.
+ // However, we will not rely on it, and reject any XML with a DOCTYPE.
+ $disable_entity_loader = function_exists('libxml_disable_entity_loader');
+ if ($disable_entity_loader) {
+ $load_entities = libxml_disable_entity_loader(TRUE);
+ }
+
+ // Load the XML into a DOM document.
+ $dom = new DOMDocument();
+ @$dom->loadXML($raw_xml);
+
+ // Since DOCTYPE declarations from an untrusted source could be malicious, we
+ // stop parsing here and treat the XML as invalid since XRDS documents do not
+ // require, and are not expected to have, a DOCTYPE.
+ if (isset($dom->doctype)) {
+ return array();
+ }
+
+ // Parse the DOM document for the information we need.
+ if ($xml = simplexml_import_dom($dom)) {
foreach ($xml->children(OPENID_NS_XRD)->XRD as $xrd) {
foreach ($xrd->children(OPENID_NS_XRD)->Service as $service_element) {
$service = array(
@@ -165,9 +185,12 @@ function _openid_xrds_parse($raw_xml) {
}
}
}
- catch (Exception $e) {
- // Invalid XML.
+
+ // Return the LIBXML options to the previous state before returning.
+ if ($disable_entity_loader) {
+ libxml_disable_entity_loader($load_entities);
}
+
return $services;
}
diff --git a/modules/openid/openid.test b/modules/openid/openid.test
index 1752924..bd871a8 100644
--- a/modules/openid/openid.test
+++ b/modules/openid/openid.test
@@ -180,6 +180,15 @@ class OpenIDFunctionalTestCase extends OpenIDWebTestCase {
// Verify user was redirected away from user/login to an accessible page.
$this->assertResponse(200);
+
+ $this->drupalLogout();
+ // Use a User-supplied Identity that is the URL of an XRDS document.
+ // Tell the test module to add a doctype. This should fail.
+ $identity = url('openid-test/yadis/xrds', array('absolute' => TRUE, 'query' => array('doctype' => 1)));
+ // Test logging in via the login block on the front page.
+ $edit = array('openid_identifier' => $identity);
+ $this->drupalPost('', $edit, t('Log in'));
+ $this->assertRaw(t('Sorry, that is not a valid OpenID. Ensure you have spelled your ID correctly.'), 'XML with DOCTYPE was rejected.');
}
/**
diff --git a/modules/openid/tests/openid_test.module b/modules/openid/tests/openid_test.module
index 1b0de4e..bcf9f42 100644
--- a/modules/openid/tests/openid_test.module
+++ b/modules/openid/tests/openid_test.module
@@ -109,7 +109,11 @@ function openid_test_yadis_xrds() {
}
}
drupal_add_http_header('Content-Type', 'application/xrds+xml');
- print '<?xml version="1.0" encoding="UTF-8"?>
+ print '<?xml version="1.0" encoding="UTF-8"?>';
+ if (!empty($_GET['doctype'])) {
+ print "\n<!DOCTYPE dct [ <!ELEMENT blue (#PCDATA)> ]>\n";
+ }
+ print '
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)" xmlns:openid="http://openid.net/xmlns/1.0">
<XRD>
<Status cid="' . check_plain(variable_get('openid_test_canonical_id_status', 'verified')) . '"/>