diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 7c7926fc064e57182619c858adf2e306343bd849..b36af69f3e625f881902fb2ee4b6552bdade93c5 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -1,6 +1,7 @@ -Drupal 6.30-dev, xxxx-xx-xx (development release) +Drupal 6.30, 2014-01-15 ---------------------- +- Fixed security issues (multiple vulnerabilities), see SA-CORE-2014-001. Drupal 6.29, 2013-11-20 ---------------------- diff --git a/includes/common.inc b/includes/common.inc index 61a3bac8a246d61c2a6a7e530c0bc5eed03e62c7..80fc9110f492bac27f79606961d13b987eb88cfb 100644 --- a/includes/common.inc +++ b/includes/common.inc @@ -665,7 +665,7 @@ function drupal_error_handler($errno, $message, $filename, $line, $context) { return; } - if ($errno & (E_ALL ^ E_DEPRECATED)) { + if ($errno & (E_ALL ^ E_DEPRECATED ^ E_NOTICE)) { $types = array(1 => 'error', 2 => 'warning', 4 => 'parse error', 8 => 'notice', 16 => 'core error', 32 => 'core warning', 64 => 'compile error', 128 => 'compile warning', 256 => 'user error', 512 => 'user warning', 1024 => 'user notice', 2048 => 'strict warning', 4096 => 'recoverable fatal error'); // For database errors, we want the line number/file name of the place that diff --git a/modules/openid/openid.install b/modules/openid/openid.install index 0abc24f6f29392241c102863a475739240d0a9e1..0b0c95d293e29f65001bfe3ee4d18453790c6985 100644 --- a/modules/openid/openid.install +++ b/modules/openid/openid.install 
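Review bot: Removing E_NOTICE from the mask on the changed `if` line makes notices skip the whole branch, so as far as this hunk shows they are no longer reported at all; the rest of drupal_error_handler, including whatever logging and display it does, lies outside the hunk, so I can't tell whether any other path still records them. An undefined-index notice is frequently the first visible sign of a malformed or hostile request, so silently discarding them trades diagnostic signal for quiet, and nothing in the hunk or the changelog line says why. If the goal is only to keep notices off the screen, it may be better to leave the mask alone and filter at the display step; otherwise record the rationale next to the line, e.g. `// E_NOTICE is deliberately excluded: notices are neither displayed nor logged by this handler.`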
@@ -26,13 +26,14 @@ function openid_schema() {
       'idp_endpoint_uri' => array(
         'type' => 'varchar',
         'length' => 255,
-        'description' => 'URI of the OpenID Provider endpoint.',
+        'not null' => TRUE,
+        'description' => 'Primary Key: URI of the OpenID Provider endpoint.',
       ),
       'assoc_handle' => array(
         'type' => 'varchar',
         'length' => 255,
         'not null' => TRUE,
-        'description' => 'Primary Key: Used to refer to this association in subsequent messages.',
+        'description' => 'Used to refer to this association in subsequent messages.',
       ),
       'assoc_type' => array(
         'type' => 'varchar',
@@ -62,7 +63,10 @@ function openid_schema() {
         'description' => 'The lifetime, in seconds, of this association.',
       ),
     ),
-    'primary key' => array('assoc_handle'),
+    'primary key' => array('idp_endpoint_uri'),
+    'unique keys' => array(
+      'assoc_handle' => array('assoc_handle'),
+    ),
   );
 
   $schema['openid_nonce'] = array(
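Review bot: The new `'unique keys' => array('assoc_handle' => array('assoc_handle'))` in the second hunk treats handles as globally unique, but a handle is chosen by the provider and, as I read the OpenID 2.0 spec, is only unique within that provider, so two different providers can legitimately hand out the same string and the second association would then collide on this index rather than on the (idp_endpoint_uri, assoc_handle) pair the new lookup in openid_verify_assertion actually uses. Whether the insert path tolerates a duplicate-key failure is outside this diff, so I can't tell how that collision surfaces. Because `'primary key' => array('idp_endpoint_uri')` already serves the lookup, the unique key adds only a constraint; consider dropping it or widening it to `'assoc_handle' => array('idp_endpoint_uri', 'assoc_handle')`, and mirror the same choice in the copy of this definition in openid_update_6001. openid_schema() starts and ends outside these hunks.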
@@ -138,6 +142,68 @@ function openid_update_6000() {
   return $ret;
 }
 
+/**
+ * Bind associations to their providers.
+ */
+function openid_update_6001() {
+  $ret = array();
+
+  db_drop_table($ret, 'openid_association');
+
+  $schema['openid_association'] = array(
+    'description' => 'Stores temporary shared key association information for OpenID authentication.',
+    'fields' => array(
+      'idp_endpoint_uri' => array(
+        'type' => 'varchar',
+        'length' => 255,
+        'not null' => TRUE,
+        'description' => 'Primary Key: URI of the OpenID Provider endpoint.',
+      ),
+      'assoc_handle' => array(
+        'type' => 'varchar',
+        'length' => 255,
+        'not null' => TRUE,
+        'description' => 'Used to refer to this association in subsequent messages.',
+      ),
+      'assoc_type' => array(
+        'type' => 'varchar',
+        'length' => 32,
+        'description' => 'The signature algorithm used: one of HMAC-SHA1 or HMAC-SHA256.',
+      ),
+      'session_type' => array(
+        'type' => 'varchar',
+        'length' => 32,
+        'description' => 'Valid association session types: "no-encryption", "DH-SHA1", and "DH-SHA256".',
+      ),
+      'mac_key' => array(
+        'type' => 'varchar',
+        'length' => 255,
+        'description' => 'The MAC key (shared secret) for this association.',
+      ),
+      'created' => array(
+        'type' => 'int',
+        'not null' => TRUE,
+        'default' => 0,
+        'description' => 'UNIX timestamp for when the association was created.',
+      ),
+      'expires_in' => array(
+        'type' => 'int',
+        'not null' => TRUE,
+        'default' => 0,
+        'description' => 'The lifetime, in seconds, of this association.',
+      ),
+    ),
+    'primary key' => array('idp_endpoint_uri'),
+    'unique keys' => array(
+      'assoc_handle' => array('assoc_handle'),
+    ),
+  );
+
+  db_create_table($ret, 'openid_association', $schema['openid_association']);
+
+  return $ret;
+}
+
 /**
  * @} End of "addtogroup updates-6.x-extra".
  * The next series of updates should start at 7000.
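Review bot: `db_drop_table($ret, 'openid_association')` throws away every stored association, yet the docblock `Bind associations to their providers.` does not say that this is deliberate or why the table is rebuilt instead of altered. The reason the new schema suggests is that existing rows may have a NULL or duplicated `idp_endpoint_uri` (the old column was nullable and not a key) and so cannot be placed under the new primary key; the drop also means any OpenID login in flight while the update runs will fail signature verification and must re-associate, which operators should expect. Suggest expanding the docblock to `Bind associations to their providers. Existing rows cannot be migrated under the new primary key, so the table is dropped and recreated; in-flight OpenID logins will have to re-associate.`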
diff --git a/modules/openid/openid.module b/modules/openid/openid.module
index 809e07e437d42c0d4e66a6a1c228842081484fce..4a7c57b9b89309aa392f3caa9edcf823b9d241cf 100644
--- a/modules/openid/openid.module
+++ b/modules/openid/openid.module
@@ -551,7 +551,7 @@ function openid_verify_assertion($service, $response) {
   // http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4
   // Verify the signatures.
   $valid = FALSE;
-  $association = db_fetch_object(db_query("SELECT * FROM {openid_association} WHERE assoc_handle = '%s'", $response['openid.assoc_handle']));
+  $association = db_fetch_object(db_query("SELECT * FROM {openid_association} WHERE idp_endpoint_uri = '%s' AND assoc_handle = '%s'", $service['uri'], $response['openid.assoc_handle']));
   if ($association && isset($association->session_type)) {
     // http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4.2
     // Verification using an association.
diff --git a/modules/system/system.module b/modules/system/system.module
index 6ef4699a7b0c28851059d2e18c853f8077ddb65a..09b9dde79af16a5861a515a65462f0abcff72074 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '6.30-dev');
+define('VERSION', '6.30');
 
 /**
  * Core API compatibility.
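Review bot: The strength of the new lookup rests entirely on `$service['uri']` being the endpoint the RP itself discovered for the claimed identifier and never a value copied out of `$response` (for instance openid.op_endpoint), and that invariant is written down nowhere in the hunk, so a later refactor could reintroduce the cross-provider confusion this change closes. I'd state it above the query: `// Look the handle up under the endpoint the RP discovered ($service['uri']), never one the response names, so an association issued by one provider cannot verify an assertion for another.` Where $service['uri'] is populated is outside this diff, so I can only assume it comes from discovery; the `'%s'` placeholders handle escaping of both values. openid_verify_assertion starts and ends outside the hunk.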