summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--CHANGELOG.txt3
-rw-r--r--includes/common.inc2
-rw-r--r--includes/file.inc3
-rw-r--r--modules/system/system.module2
-rw-r--r--modules/upload/upload.module4
-rw-r--r--modules/user/user.module7
6 files changed, 14 insertions, 7 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 8a450ce..428daf8 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,6 +1,7 @@
-Drupal 6.27-dev, xxxx-xx-xx (development release)
+Drupal 6.27, 2012-12-19
----------------------
+- Fixed security issues (multiple vulnerabilities), see SA-CORE-2012-004.
Drupal 6.26, 2012-05-02
----------------------
diff --git a/includes/common.inc b/includes/common.inc
index ea353d1..2abf198 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -665,7 +665,7 @@ function drupal_error_handler($errno, $message, $filename, $line, $context) {
return;
}
- if ($errno & (E_ALL ^ E_DEPRECATED)) {
+ if ($errno & (E_ALL ^ E_DEPRECATED ^ E_NOTICE)) {
$types = array(1 => 'error', 2 => 'warning', 4 => 'parse error', 8 => 'notice', 16 => 'core error', 32 => 'core warning', 64 => 'compile error', 128 => 'compile warning', 256 => 'user error', 512 => 'user warning', 1024 => 'user notice', 2048 => 'strict warning', 4096 => 'recoverable fatal error');
// For database errors, we want the line number/file name of the place that
diff --git a/includes/file.inc b/includes/file.inc
index a07c302..0736f8b 100644
--- a/includes/file.inc
+++ b/includes/file.inc
@@ -403,6 +403,9 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
// Allow potentially insecure uploads for very savvy users and admin
if (!variable_get('allow_insecure_uploads', 0)) {
+ // Remove any null bytes. See http://php.net/manual/en/security.filesystem.nullbytes.php
+ $filename = str_replace(chr(0), '', $filename);
+
$whitelist = array_unique(explode(' ', trim($extensions)));
// Split the filename up by periods. The first part becomes the basename
diff --git a/modules/system/system.module b/modules/system/system.module
index 6c7ac0e..1581cd8 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -8,7 +8,7 @@
/**
* The current system version.
*/
-define('VERSION', '6.27-dev');
+define('VERSION', '6.27');
/**
* Core API compatibility.
diff --git a/modules/upload/upload.module b/modules/upload/upload.module
index 3a9e973..ee5b127 100644
--- a/modules/upload/upload.module
+++ b/modules/upload/upload.module
@@ -314,10 +314,10 @@ function upload_nodeapi(&$node, $op, $teaser = NULL) {
break;
case 'search result':
- return isset($node->files) && is_array($node->files) ? format_plural(count($node->files), '1 attachment', '@count attachments') : NULL;
+ return isset($node->files) && is_array($node->files) && user_access('view uploaded files') ? format_plural(count($node->files), '1 attachment', '@count attachments') : NULL;
case 'rss item':
- if (is_array($node->files)) {
+ if (is_array($node->files) && user_access('view uploaded files')) {
$files = array();
foreach ($node->files as $file) {
if ($file->list) {
diff --git a/modules/user/user.module b/modules/user/user.module
index 99dbba9..9339c44 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -604,14 +604,17 @@ function user_search($op = 'search', $keys = NULL, $skip_access_check = FALSE) {
// Replace wildcards with MySQL/PostgreSQL wildcards.
$keys = preg_replace('!\*+!', '%', $keys);
if (user_access('administer users')) {
- // Administrators can also search in the otherwise private email field.
+ // Administrators can also search in the otherwise private email
+ // field, and they don't need to be restricted to only active users.
$result = pager_query("SELECT name, uid, mail FROM {users} WHERE LOWER(name) LIKE LOWER('%%%s%%') OR LOWER(mail) LIKE LOWER('%%%s%%')", 15, 0, NULL, $keys, $keys);
while ($account = db_fetch_object($result)) {
$find[] = array('title' => $account->name .' ('. $account->mail .')', 'link' => url('user/'. $account->uid, array('absolute' => TRUE)));
}
}
else {
- $result = pager_query("SELECT name, uid FROM {users} WHERE LOWER(name) LIKE LOWER('%%%s%%')", 15, 0, NULL, $keys);
+ // Regular users can only search via user names, and we do not show
+ // them blocked accounts.
+ $result = pager_query("SELECT name, uid FROM {users} WHERE status = 1 AND LOWER(name) LIKE LOWER('%%%s%%')", 15, 0, NULL, $keys);
while ($account = db_fetch_object($result)) {
$find[] = array('title' => $account->name, 'link' => url('user/'. $account->uid, array('absolute' => TRUE)));
}