authorDavid Rothstein2014-08-06 17:10:01 (GMT)
committer David Rothstein2014-08-06 17:10:01 (GMT)
commit18498306fff77f978e523792f616c1bfcc842e3b (patch)
tree46bc04918f66e7761e844ef81f69866bf7d56052
parentb099845776f789069f590617c2cfb34479731c73 (diff)
parentc71b15f68010db028f07839c226d31563f220890 (diff)
Merge tag '6.33' into 6.x6.x
6.33 release Conflicts: CHANGELOG.txt modules/system/system.module
-rw-r--r--CHANGELOG.txt6
-rw-r--r--includes/xmlrpc.inc33
-rw-r--r--modules/openid/xrds.inc16
-rw-r--r--modules/system/system.module2
4 files changed, 54 insertions, 3 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 251ee96..a312181 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,7 +1,11 @@
-Drupal 6.33-dev, xxxx-xx-xx (development release)
+Drupal 6.34-dev, xxxx-xx-xx (development release)
----------------------
+Drupal 6.33, 2014-08-06
+----------------------
+- Fixed security issues (denial of service). See SA-CORE-2014-004.
+
Drupal 6.32, 2014-07-16
----------------------
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2014-003.
diff --git a/includes/xmlrpc.inc b/includes/xmlrpc.inc
index 13ebf09..9236d88 100644
--- a/includes/xmlrpc.inc
+++ b/includes/xmlrpc.inc
@@ -163,7 +163,38 @@ function xmlrpc_message_parse(&$xmlrpc_message) {
xml_set_element_handler($xmlrpc_message->_parser, 'xmlrpc_message_tag_open', 'xmlrpc_message_tag_close');
xml_set_character_data_handler($xmlrpc_message->_parser, 'xmlrpc_message_cdata');
xmlrpc_message_set($xmlrpc_message);
- if (!xml_parse($xmlrpc_message->_parser, $xmlrpc_message->message)) {
+
+ // Strip XML declaration.
+ $header = preg_replace('/<\?xml.*?\?'.'>/s', '', substr($xmlrpc_message->message, 0, 100), 1);
+ $xml = trim(substr_replace($xmlrpc_message->message, $header, 0, 100));
+ if ($xml == '') {
+ return FALSE;
+ }
+ // Strip DTD.
+ $header = preg_replace('/^<!DOCTYPE[^>]*+>/i', '', substr($xml, 0, 200), 1);
+ $xml = trim(substr_replace($xml, $header, 0, 200));
+ if ($xml == '') {
+ return FALSE;
+ }
+ // Confirm the XML now starts with a valid root tag. A root tag can end in [> \t\r\n]
+ $root_tag = substr($xml, 0, strcspn(substr($xml, 0, 20), "> \t\r\n"));
+ // Reject a second DTD.
+ if (strtoupper($root_tag) == '<!DOCTYPE') {
+ return FALSE;
+ }
+ if (!in_array($root_tag, array('<methodCall', '<methodResponse', '<fault'))) {
+ return FALSE;
+ }
+ // Skip parsing if there is an unreasonably large number of tags.
+ // substr_count() has much better performance (compared to preg_match_all())
+ // for large payloads but is less accurate, so we check for twice the desired
+ // number of allowed tags (to take into account opening/closing tags as well
+ // as false positives).
+ if (substr_count($xml, '<') > 2 * variable_get('xmlrpc_message_maximum_tag_count', 30000)) {
+ return FALSE;
+ }
+
+ if (!xml_parse($xmlrpc_message->_parser, $xml)) {
return FALSE;
}
xml_parser_free($xmlrpc_message->_parser);
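Review bot: Each of the five new `return FALSE;` paths (the two empty-after-strip checks, the second-DTD check, the root-tag check and the tag-count check) leaves `$xmlrpc_message->_parser` allocated, because `xml_parser_free()` is only reached after a successful `xml_parse()`; the handler registrations at the top of the hunk show the parser already exists here, and its creation lies above the hunk in xmlrpc_message_parse, whose start is outside the hunk. The pre-existing `xml_parse()` failure branch has the same gap, so the commit widens it rather than introduces it. Since the pre-checks only read `$xmlrpc_message->message`, the cleanest fix is to run them (and the `$xml` normalisation) before the parser is created so every early return is leak-free; otherwise prefix each early return with `xml_parser_free($xmlrpc_message->_parser);`. The same pattern applies to the xrds.inc hunk in this commit, where `return array();` skips the `xml_parser_free($parser)` at the end. Separately, `in_array($root_tag, array('<methodCall', '<methodResponse', '<fault'))` should pass `TRUE` as the third argument so the membership test is strict rather than loose.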
diff --git a/modules/openid/xrds.inc b/modules/openid/xrds.inc
index 36f5282..7810b3c 100644
--- a/modules/openid/xrds.inc
+++ b/modules/openid/xrds.inc
@@ -15,6 +15,22 @@ function xrds_parse($xml) {
xml_set_element_handler($parser, '_xrds_element_start', '_xrds_element_end');
xml_set_character_data_handler($parser, '_xrds_cdata');
+ // Since DOCTYPE declarations from an untrusted source could be malicious, we
+ // stop parsing here and treat the XML as invalid. XRDS documents do not
+ // require, and are not expected to have, a DOCTYPE.
+ if (preg_match('/<!DOCTYPE/i', $xml)) {
+ return array();
+ }
+
+ // Also stop parsing if there is an unreasonably large number of tags.
+ // substr_count() has much better performance (compared to preg_match_all())
+ // for large payloads but is less accurate, so we check for twice the desired
+ // number of allowed tags (to take into account opening/closing tags as well
+ // as false positives).
+ if (substr_count($xml, '<') > 2 * variable_get('openid_xrds_maximum_tag_count', 30000)) {
+ return array();
+ }
+
xml_parse($parser, $xml);
xml_parser_free($parser);
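Review bot: The `preg_match('/<!DOCTYPE/i', $xml)` scan runs over the entire payload before the cheaper `substr_count()` tag-count guard, so an oversized document is fully regex-scanned before being rejected; swapping the two blocks so the count check comes first limits the regex to payloads already under the limit. Both checks are linear in the payload size, so this is a cost-ordering point rather than a correctness one. The `openid_xrds_maximum_tag_count` limit has no accompanying admin setting among the four files in this commit, so a one-line comment next to the `variable_get()` such as `// Tunable only via a $conf override; there is no UI for this limit.` would help operators find it, assuming that is the intended way to adjust it. xrds_parse's opening, including where `$parser` is created, lies above the hunk.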
diff --git a/modules/system/system.module b/modules/system/system.module
index 60d9b3e..e83e4ec 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -8,7 +8,7 @@
/**
* The current system version.
*/
-define('VERSION', '6.33-dev');
+define('VERSION', '6.34-dev');
/**
* Core API compatibility.