authorDavid Rothstein2014-11-19 20:26:08 (GMT)
committer David Rothstein2014-11-19 20:26:08 (GMT)
commit84092f3d051c7d8904a63d38c81eb5f671b6e71b (patch)
treef46e2445757354aca51c46fe94e8b66fde943ecc
parent76faa7de48e759cff770269c25d6ed6f92cf6b29 (diff)
parent81586d9e9d04dcee487c50de426c04221899b6d0 (diff)
Merge tag '7.34' into 7.x7.x
7.34 release Conflicts: CHANGELOG.txt includes/bootstrap.inc
-rw-r--r--CHANGELOG.txt6
-rw-r--r--includes/bootstrap.inc2
-rw-r--r--includes/password.inc6
-rw-r--r--includes/session.inc2
-rw-r--r--modules/simpletest/tests/password.test21
5 files changed, 33 insertions, 4 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 79d9910..e97215d 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,7 +1,11 @@
-Drupal 7.34, xxxx-xx-xx (development version)
+Drupal 7.35, xxxx-xx-xx (development version)
-----------------------
+Drupal 7.34, 2014-11-19
+----------------------
+- Fixed security issues (multiple vulnerabilities). See SA-CORE-2014-006.
+
Drupal 7.33, 2014-11-07
-----------------------
- Began storing the file modification time of each module and theme in the
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index b6c531c..9f37dfc 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
/**
* The current system version.
*/
-define('VERSION', '7.34-dev');
+define('VERSION', '7.35-dev');
/**
* Core API compatibility.
diff --git a/includes/password.inc b/includes/password.inc
index 3d5a400..8228e61 100644
--- a/includes/password.inc
+++ b/includes/password.inc
@@ -140,7 +140,7 @@ function _password_enforce_log2_boundaries($count_log2) {
* @param $algo
* The string name of a hashing algorithm usable by hash(), like 'sha256'.
* @param $password
- * The plain-text password to hash.
+ * Plain-text password up to 512 bytes (128 to 512 UTF-8 characters) to hash.
* @param $setting
* An existing hash or the output of _password_generate_salt(). Must be
* at least 12 characters (the settings and salt).
@@ -150,6 +150,10 @@ function _password_enforce_log2_boundaries($count_log2) {
* The return string will be truncated at DRUPAL_HASH_LENGTH characters max.
*/
function _password_crypt($algo, $password, $setting) {
+ // Prevent DoS attacks by refusing to hash large passwords.
+ if (strlen($password) > 512) {
+ return FALSE;
+ }
// The first 12 characters of an existing hash are its setting string.
$setting = substr($setting, 0, 12);
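Review bot: The `@return` text in the first hunk (`The return string will be truncated at DRUPAL_HASH_LENGTH characters max.`) is not updated for the new early `return FALSE`, so a reader of the docblock still expects a string in every case; suggest `FALSE if $password is longer than 512 bytes; otherwise the hash string, truncated at DRUPAL_HASH_LENGTH characters max.` The guard uses `strlen`, which counts bytes, and that matches the "512 bytes" wording of the updated `@param`, but the parenthetical "128 to 512 UTF-8 characters" reads as if characters were the limit — consider "512 bytes (fewer characters when multi-byte UTF-8 is used)". Any caller that compares this function's result with a stored hash (user_check_password is one, per the test file in this commit) should do so with a strict comparison so that FALSE can never compare equal to a stored value; those callers are outside the hunk, so confirm there. `_password_crypt`'s body continues past the end of the hunk.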
diff --git a/includes/session.inc b/includes/session.inc
index 9589e06..84d1983 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -79,7 +79,7 @@ function _drupal_session_read($sid) {
// Handle the case of first time visitors and clients that don't store
// cookies (eg. web crawlers).
$insecure_session_name = substr(session_name(), 1);
- if (!isset($_COOKIE[session_name()]) && !isset($_COOKIE[$insecure_session_name])) {
+ if (empty($sid) || (!isset($_COOKIE[session_name()]) && !isset($_COOKIE[$insecure_session_name]))) {
$user = drupal_anonymous_user();
return '';
}
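Review bot: The comment above the changed condition (`// Handle the case of first time visitors and clients that don't store cookies`) no longer describes the whole condition, because the added `empty($sid)` term also short-circuits a request that does present the session cookie but supplies an empty session ID. Suggest `// Handle the case of first time visitors, clients that don't store cookies (eg. web crawlers), and requests that supply an empty session ID.` Note that `empty()` is also true for the string `'0'`, which is presumably never a valid session ID, but the comment could say that the check is deliberately loose so a later reader does not "tighten" it to `$sid === ''` without thought. `_drupal_session_read` continues beyond the hunk.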
diff --git a/modules/simpletest/tests/password.test b/modules/simpletest/tests/password.test
index 5259d19..7105f3b 100644
--- a/modules/simpletest/tests/password.test
+++ b/modules/simpletest/tests/password.test
@@ -57,4 +57,25 @@ class PasswordHashingTest extends DrupalWebTestCase {
$this->assertFalse(user_needs_new_hash($account), 'Re-hashed password does not need a new hash.');
$this->assertTrue(user_check_password($password, $account), 'Password check succeeds with re-hashed password.');
}
+
+ /**
+ * Verifies that passwords longer than 512 bytes are not hashed.
+ */
+ public function testLongPassword() {
+ $password = str_repeat('x', 512);
+ $result = user_hash_password($password);
+ $this->assertFalse(empty($result), '512 byte long password is allowed.');
+ $password = str_repeat('x', 513);
+ $result = user_hash_password($password);
+ $this->assertFalse($result, '513 byte long password is not allowed.');
+ // Check a string of 3-byte UTF-8 characters.
+ $password = str_repeat('€', 170);
+ $result = user_hash_password($password);
+ $this->assertFalse(empty($result), '510 byte long password is allowed.');
+ $password .= 'xx';
+ $this->assertFalse(empty($result), '512 byte long password is allowed.');
+ $password = str_repeat('€', 171);
+ $result = user_hash_password($password);
+ $this->assertFalse($result, '513 byte long password is not allowed.');
+ }
}
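Review bot: The assertion `$this->assertFalse(empty($result), '512 byte long password is allowed.');` that follows `$password .= 'xx';` re-checks the `$result` of the preceding 510-byte call, so the 512-byte multi-byte boundary is never actually hashed and that assertion cannot fail; insert `$result = user_hash_password($password);` between those two lines. With that line the test covers the upper boundary for both the ASCII and the UTF-8 case, which is what the method's docblock claims.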