summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNeil Drumm2008-01-10 22:14:24 +0000
committerNeil Drumm2008-01-10 22:14:24 +0000
commita54823f7b88859b51fe1d635fb4dbf65d5a7fc14 (patch)
tree8cea7422628b1ec4e669886040e65ddcf3485090
parent56e69958c5efa2609f2ef66806b06b9b96558547 (diff)
Drupal 5.6.5.6
-rw-r--r--CHANGELOG.txt13
-rw-r--r--INSTALL.txt2
-rw-r--r--includes/bootstrap.inc41
-rw-r--r--modules/aggregator/aggregator.module34
-rw-r--r--modules/filter/filter.module5
-rw-r--r--modules/system/system.install6
-rw-r--r--modules/system/system.module2
7 files changed, 90 insertions, 13 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 03845a6..c5f5887 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,8 +1,11 @@
// $Id$
-Drupal 5.6, xxxx-xx-xx
+Drupal 5.6, 2008-01-10
----------------------
-
+- fixed a variety of small bugs.
+- fixed a security issue (Cross site request forgery), see SA-2008-005
+- fixed a security issue (Cross site scripting, UTF8), see SA-2008-006
+- fixed a security issue (Cross site scripting, register_globals), see SA-2008-007
Drupal 5.5, 2007-12-06
----------------------
@@ -112,6 +115,12 @@ Drupal 5.0, 2007-01-15
* added nested lists generation.
* added a self-clearing block class.
+Drupal 4.7.11, 2008-01-10
+-------------------------
+- fixed a security issue (Cross site request forgery), see SA-2008-005
+- fixed a security issue (Cross site scripting, UTF8), see SA-2008-006
+- fixed a security issue (Cross site scripting, register_globals), see SA-2008-007
+
Drupal 4.7.10, 2007-12-06
-------------------------
- fixed taxonomy feed bug introduced by SA-2007-031
diff --git a/INSTALL.txt b/INSTALL.txt
index 8aeccbc..043c448 100644
--- a/INSTALL.txt
+++ b/INSTALL.txt
@@ -22,7 +22,7 @@ are created automatically.
REQUIREMENTS
------------
-Drupal requires a web server, PHP4 (4.3.3 or greater) or PHP5
+Drupal requires a web server, PHP4 (4.3.5 or greater) or PHP5
(http://www.php.net/) and either MySQL (http://www.mysql.com/) or PostgreSQL
(http://www.postgresql.org/). The Apache web server and MySQL database are
recommended; other web server and database combinations such as IIS and
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 21c77fc..d2793e6 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -626,9 +626,48 @@ function referer_uri() {
/**
* Encode special characters in a plain-text string for display as HTML.
+ *
+ * Uses drupal_validate_utf8 to prevent cross site scripting attacks on
+ * Internet Explorer 6.
*/
function check_plain($text) {
- return htmlspecialchars($text, ENT_QUOTES);
+ return drupal_validate_utf8($text) ? htmlspecialchars($text, ENT_QUOTES) : '';
+}
+
+/**
+ * Checks whether a string is valid UTF-8.
+ *
+ * All functions designed to filter input should use drupal_validate_utf8
+ * to ensure they operate on valid UTF-8 strings to prevent bypass of the
+ * filter.
+ *
+ * When text containing an invalid UTF-8 lead byte (0xC0 - 0xFF) is presented
+ * as UTF-8 to Internet Explorer 6, the program may misinterpret subsequent
+ * bytes. When these subsequent bytes are HTML control characters such as
+ * quotes or angle brackets, parts of the text that were deemed safe by filters
+ * end up in locations that are potentially unsafe; An onerror attribute that
+ * is outside of a tag, and thus deemed safe by a filter, can be interpreted
+ * by the browser as if it were inside the tag.
+ *
+ * This function exploits preg_match behaviour (since PHP 4.3.5) when used
+ * with the u modifier, as a fast way to find invalid UTF-8. When the matched
+ * string contains an invalid byte sequence, it will fail silently.
+ *
+ * preg_match may not fail on 4 and 5 octet sequences, even though they
+ * are not supported by the specification.
+ *
+ * The specific preg_match behaviour is present since PHP 4.3.5.
+ *
+ * @param $text
+ * The text to check.
+ * @return
+ * TRUE if the text is valid UTF-8, FALSE if not.
+ */
+function drupal_validate_utf8($text) {
+ if (strlen($text) == 0) {
+ return TRUE;
+ }
+ return (preg_match('/^./us', $text) == 1);
}
/**
diff --git a/modules/aggregator/aggregator.module b/modules/aggregator/aggregator.module
index e8be291..9c60c19 100644
--- a/modules/aggregator/aggregator.module
+++ b/modules/aggregator/aggregator.module
@@ -51,11 +51,14 @@ function aggregator_menu($may_cache) {
'callback arguments' => array('aggregator_form_category'),
'access' => $edit,
'type' => MENU_LOCAL_TASK);
- $items[] = array('path' => 'admin/content/aggregator/remove',
+ $items[] = array(
+ 'path' => 'admin/content/aggregator/remove',
'title' => t('Remove items'),
- 'callback' => 'aggregator_admin_remove_feed',
+ 'callback' => 'drupal_get_form',
+ 'callback arguments' => array('aggregator_admin_remove_feed'),
'access' => $edit,
- 'type' => MENU_CALLBACK);
+ 'type' => MENU_CALLBACK,
+ );
$items[] = array('path' => 'admin/content/aggregator/update',
'title' => t('Update items'),
'callback' => 'aggregator_admin_refresh_feed',
@@ -1001,12 +1004,29 @@ function aggregator_view() {
return $output;
}
+function aggregator_admin_remove_feed($fid) {
+ $feed = aggregator_get_feed($fid);
+ return confirm_form(
+ array(
+ 'feed' => array(
+ '#type' => 'value',
+ '#value' => $feed,
+ ),
+ ),
+ t('Are you sure you want to remove all items from the feed %feed?', array('%feed' => $feed['title'])),
+ 'admin/content/aggregator',
+ t('This action cannot be undone.'),
+ t('Remove items'),
+ t('Cancel')
+ );
+}
+
/**
- * Menu callback; removes all items from a feed, then redirects to the overview page.
+ * Remove all items from a feed and redirect to the overview page.
*/
-function aggregator_admin_remove_feed($feed) {
- aggregator_remove(aggregator_get_feed($feed));
- drupal_goto('admin/content/aggregator');
+function aggregator_admin_remove_feed_submit($form_id, $form_values) {
+ aggregator_remove($form_values['feed']);
+ return 'admin/content/aggregator';
}
/**
diff --git a/modules/filter/filter.module b/modules/filter/filter.module
index d2db856..746d94f 100644
--- a/modules/filter/filter.module
+++ b/modules/filter/filter.module
@@ -1268,6 +1268,11 @@ function filter_xss_admin($string) {
* The format to use.
*/
function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) {
+ // Only operate on valid UTF-8 strings. This is necessary to prevent cross
+ // site scripting issues on Internet Explorer 6.
+ if (!drupal_validate_utf8($string)) {
+ return '';
+ }
// Store the input format
_filter_xss_split($allowed_tags, TRUE);
// Remove NUL characters (ignored by some browsers)
diff --git a/modules/system/system.install b/modules/system/system.install
index 2bee543..66f304d 100644
--- a/modules/system/system.install
+++ b/modules/system/system.install
@@ -1,7 +1,7 @@
<?php
// $Id$
-define('DRUPAL_MINIMUM_PHP', '4.3.3');
+define('DRUPAL_MINIMUM_PHP', '4.3.5');
define('DRUPAL_MINIMUM_MYSQL', '3.23.17'); // If using MySQL
define('DRUPAL_MINIMUM_PGSQL', '7.3'); // If using PostgreSQL
@@ -39,6 +39,10 @@ function system_requirements($phase) {
$requirements['php']['description'] = $t('Your PHP installation is too old. Drupal requires at least PHP %version.', array('%version' => DRUPAL_MINIMUM_PHP));
$requirements['php']['severity'] = REQUIREMENT_ERROR;
}
+ if (ini_get('register_globals')) {
+ $requirements['php']['description'] = $t('<em>register_globals</em> is enabled. Drupal requires this configuration directive to be disabled. Your site may not be secure when <em>register_globals</em> is enabled. The PHP manual has instructions for <a href="http://php.net/configuration.changes">how to change configuration settings</a>.');
+ $requirements['php']['severity'] = REQUIREMENT_ERROR;
+ }
// Test DB version
global $db_type;
diff --git a/modules/system/system.module b/modules/system/system.module
index f2be99f..2a93a9f 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -6,7 +6,7 @@
* Configuration system that lets administrators modify the workings of the site.
*/
-define('VERSION', '5.6-dev');
+define('VERSION', '5.6');
/**
* Implementation of hook_help().