summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--CHANGELOG.txt6
-rw-r--r--includes/bootstrap.inc2
-rw-r--r--includes/file.inc3
-rw-r--r--modules/user/user.module8
-rw-r--r--modules/user/user.test22
5 files changed, 35 insertions, 6 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 5c7c8b2..ba4a4ac 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,5 +1,5 @@
-Drupal 7.18, xxxx-xx-xx (development version)
+Drupal 7.19, xxxx-xx-xx (development version)
-----------------------
- Added an assertThemeOutput() method to Simpletest to allow tests to check
that themed output matches an expected HTML string (API addition).
@@ -17,6 +17,10 @@ Drupal 7.18, xxxx-xx-xx (development version)
sites which use HTTPS and redirect between "www" and non-"www" versions of
the page.
+Drupal 7.18, 2012-12-19
+-----------------------
+- Fixed security issues (multiple vulnerabilities). See SA-CORE-2012-004.
+
Drupal 7.17, 2012-11-07
-----------------------
- Changed the default value of the '404_fast_html' variable to have a DOCTYPE
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 9bd37fd..dcab7df 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
/**
* The current system version.
*/
-define('VERSION', '7.18-dev');
+define('VERSION', '7.19-dev');
/**
* Core API compatibility.
diff --git a/includes/file.inc b/includes/file.inc
index 1e256c6..278be3d 100644
--- a/includes/file.inc
+++ b/includes/file.inc
@@ -1113,6 +1113,9 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
// Allow potentially insecure uploads for very savvy users and admin
if (!variable_get('allow_insecure_uploads', 0)) {
+ // Remove any null bytes. See http://php.net/manual/en/security.filesystem.nullbytes.php
+ $filename = str_replace(chr(0), '', $filename);
+
$whitelist = array_unique(explode(' ', trim($extensions)));
// Split the filename up by periods. The first part becomes the basename
diff --git a/modules/user/user.module b/modules/user/user.module
index 2c02f8c..622fe4d 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -933,14 +933,18 @@ function user_search_execute($keys = NULL, $conditions = NULL) {
$query = db_select('users')->extend('PagerDefault');
$query->fields('users', array('uid'));
if (user_access('administer users')) {
- // Administrators can also search in the otherwise private email field.
+ // Administrators can also search in the otherwise private email field,
+ // and they don't need to be restricted to only active users.
$query->fields('users', array('mail'));
$query->condition(db_or()->
condition('name', '%' . db_like($keys) . '%', 'LIKE')->
condition('mail', '%' . db_like($keys) . '%', 'LIKE'));
}
else {
- $query->condition('name', '%' . db_like($keys) . '%', 'LIKE');
+ // Regular users can only search via usernames, and we do not show them
+ // blocked accounts.
+ $query->condition('name', '%' . db_like($keys) . '%', 'LIKE')
+ ->condition('status', 1);
}
$uids = $query
->limit(15)
diff --git a/modules/user/user.test b/modules/user/user.test
index 92af9fa..123beee 100644
--- a/modules/user/user.test
+++ b/modules/user/user.test
@@ -2106,7 +2106,7 @@ class UserUserSearchTestCase extends DrupalWebTestCase {
public static function getInfo() {
return array(
'name' => 'User search',
- 'description' => 'Testing that only user with the right permission can see the email address in the user search.',
+ 'description' => 'Tests the user search page and verifies that sensitive information is hidden from unauthorized users.',
'group' => 'User',
);
}
@@ -2126,11 +2126,29 @@ class UserUserSearchTestCase extends DrupalWebTestCase {
$edit = array('keys' => $keys);
$this->drupalPost('search/user/', $edit, t('Search'));
$this->assertText($keys);
+
+ // Create a blocked user.
+ $blocked_user = $this->drupalCreateUser();
+ $edit = array('status' => 0);
+ $blocked_user = user_save($blocked_user, $edit);
+
+ // Verify that users with "administer users" permissions can see blocked
+ // accounts in search results.
+ $edit = array('keys' => $blocked_user->name);
+ $this->drupalPost('search/user/', $edit, t('Search'));
+ $this->assertText($blocked_user->name, 'Blocked users are listed on the user search results for users with the "administer users" permission.');
+
+ // Verify that users without "administer users" permissions do not see
+ // blocked accounts in search results.
+ $this->drupalLogin($user1);
+ $edit = array('keys' => $blocked_user->name);
+ $this->drupalPost('search/user/', $edit, t('Search'));
+ $this->assertNoText($blocked_user->name, 'Blocked users are hidden from the user search results.');
+
$this->drupalLogout();
}
}
-
/**
* Test role assignment.
*/