diff --git a/.htaccess b/.htaccess
index f4024c632ac6d117bfbaf3e816878574db8dc98c..4716fa12c8cb1f0caac10eebdb946c4dff28ce66 100644
--- a/.htaccess
+++ b/.htaccess
@@ -180,8 +180,10 @@ AddEncoding gzip svgz
-# Add headers to all responses.
+# Various header fixes.
# Disable content sniffing, since it's an attack vector.
Header always set X-Content-Type-Options nosniff
+ # Disable Proxy header, since it's an attack vector.
+ RequestHeader unset Proxy
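Review bot: The new comment above `RequestHeader unset Proxy` says only that the header is "an attack vector", which gives a later maintainer no reason to keep the line. I would state the mechanism, for example `# Strip the client-supplied Proxy request header: CGI-style environments expose it to PHP as HTTP_PROXY, which HTTP client libraries may treat as outbound proxy configuration.` The directive needs mod_headers, and the enclosing block starts outside this hunk. If it sits inside an `<IfModule mod_headers.c>` guard, as the neighbouring `Header` line suggests, the mitigation is silently skipped when the module is not loaded. That dependency is worth a short comment so operators know to verify the module is enabled.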
diff --git a/composer.lock b/composer.lock
index f2c6c183ae9c1dde0450ef31dcf0bf8109cb928b..9f9324119d71512209ed74a7f6b1846e4a27d598 100644
--- a/composer.lock
+++ b/composer.lock
@@ -678,32 +678,32 @@
},
{
"name": "guzzlehttp/guzzle",
- "version": "6.1.0",
+ "version": "6.2.1",
"source": {
"type": "git",
"url": "https://github.com/guzzle/guzzle.git",
- "reference": "66fd14b4d0b8f2389eaf37c5458608c7cb793a81"
+ "reference": "3f808fba627f2c5b69e2501217bf31af349c1427"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/guzzle/guzzle/zipball/66fd14b4d0b8f2389eaf37c5458608c7cb793a81",
- "reference": "66fd14b4d0b8f2389eaf37c5458608c7cb793a81",
+ "url": "https://api.github.com/repos/guzzle/guzzle/zipball/3f808fba627f2c5b69e2501217bf31af349c1427",
+ "reference": "3f808fba627f2c5b69e2501217bf31af349c1427",
"shasum": ""
},
"require": {
- "guzzlehttp/promises": "~1.0",
- "guzzlehttp/psr7": "~1.1",
- "php": ">=5.5.0"
+ "guzzlehttp/promises": "^1.0",
+ "guzzlehttp/psr7": "^1.3.1",
+ "php": ">=5.5"
},
"require-dev": {
"ext-curl": "*",
- "phpunit/phpunit": "~4.0",
- "psr/log": "~1.0"
+ "phpunit/phpunit": "^4.0",
+ "psr/log": "^1.0"
},
"type": "library",
"extra": {
"branch-alias": {
- "dev-master": "6.1-dev"
+ "dev-master": "6.2-dev"
}
},
"autoload": {
@@ -736,20 +736,20 @@
"rest",
"web service"
],
- "time": "2015-09-08 17:36:26"
+ "time": "2016-07-15 17:22:37"
},
{
"name": "guzzlehttp/promises",
- "version": "1.0.2",
+ "version": "1.2.0",
"source": {
"type": "git",
"url": "https://github.com/guzzle/promises.git",
- "reference": "97fe7210def29451ec74923b27e552238defd75a"
+ "reference": "c10d860e2a9595f8883527fa0021c7da9e65f579"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/guzzle/promises/zipball/97fe7210def29451ec74923b27e552238defd75a",
- "reference": "97fe7210def29451ec74923b27e552238defd75a",
+ "url": "https://api.github.com/repos/guzzle/promises/zipball/c10d860e2a9595f8883527fa0021c7da9e65f579",
+ "reference": "c10d860e2a9595f8883527fa0021c7da9e65f579",
"shasum": ""
},
"require": {
@@ -787,20 +787,20 @@
"keywords": [
"promise"
],
- "time": "2015-08-15 19:37:21"
+ "time": "2016-05-18 16:56:05"
},
{
"name": "guzzlehttp/psr7",
- "version": "1.2.0",
+ "version": "1.3.1",
"source": {
"type": "git",
"url": "https://github.com/guzzle/psr7.git",
- "reference": "4ef919b0cf3b1989523138b60163bbcb7ba1ff7e"
+ "reference": "5c6447c9df362e8f8093bda8f5d8873fe5c7f65b"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/guzzle/psr7/zipball/4ef919b0cf3b1989523138b60163bbcb7ba1ff7e",
- "reference": "4ef919b0cf3b1989523138b60163bbcb7ba1ff7e",
+ "url": "https://api.github.com/repos/guzzle/psr7/zipball/5c6447c9df362e8f8093bda8f5d8873fe5c7f65b",
+ "reference": "5c6447c9df362e8f8093bda8f5d8873fe5c7f65b",
"shasum": ""
},
"require": {
@@ -816,7 +816,7 @@
"type": "library",
"extra": {
"branch-alias": {
- "dev-master": "1.0-dev"
+ "dev-master": "1.4-dev"
}
},
"autoload": {
@@ -845,7 +845,7 @@
"stream",
"uri"
],
- "time": "2015-08-15 19:32:36"
+ "time": "2016-06-24 23:00:38"
},
{
"name": "ircmaxell/password-compat",
@@ -1057,12 +1057,12 @@
"source": {
"type": "git",
"url": "https://github.com/php-fig/log.git",
- "reference": "fe0936ee26643249e916849d48e3a51d5f5e278b"
+ "reference": "1.0.0"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/php-fig/log/zipball/fe0936ee26643249e916849d48e3a51d5f5e278b",
- "reference": "fe0936ee26643249e916849d48e3a51d5f5e278b",
+ "url": "https://api.github.com/repos/php-fig/log/zipball/1.0.0",
+ "reference": "1.0.0",
"shasum": ""
},
"type": "library",
@@ -1183,7 +1183,7 @@
],
"authors": [
{
- "name": "Symfony CMF Community",
+ "name": "Symfony CMF community",
"homepage": "https://github.com/symfony-cmf/Routing/contributors"
}
],
diff --git a/core/CHANGELOG.txt b/core/CHANGELOG.txt
index 64ad16798df190118cd481aa6d221ce2a894ff91..f6fad6c590bb566340b1985329c8251b96f8bc3d 100644
--- a/core/CHANGELOG.txt
+++ b/core/CHANGELOG.txt
@@ -1,3 +1,7 @@
+Drupal 8.1.7, 2016-07-18
+------------------------
+- Fixed security issue. SA-CORE-2016-003.
+
Drupal 8.1.3, 2016-06-15
------------------------
- Fixed security issue. SA-CORE-2016-002.
diff --git a/core/composer.json b/core/composer.json
index a8ee73e4cb4a2097c254f0fdaa2abe17338202e9..fbe4c1b7c23fdf6fc7e7884bcb64f5557ededad9 100644
--- a/core/composer.json
+++ b/core/composer.json
@@ -21,7 +21,7 @@
"twig/twig": "^1.23.1",
"doctrine/common": "2.5.*",
"doctrine/annotations": "1.2.*",
- "guzzlehttp/guzzle": "~6.1",
+ "guzzlehttp/guzzle": "~6.2",
"symfony-cmf/routing": "1.3.*",
"easyrdf/easyrdf": "0.9.*",
"zendframework/zend-feed": "~2.4",
diff --git a/core/lib/Drupal.php b/core/lib/Drupal.php
index f27c6d2281ed730bf1d708ce8803bd8d7aaab5f8..9582f0e434ccb8416f4b6840f91532e692381a5a 100644
--- a/core/lib/Drupal.php
+++ b/core/lib/Drupal.php
@@ -81,7 +81,7 @@ class Drupal {
/**
* The current system version.
*/
- const VERSION = '8.1.6';
+ const VERSION = '8.1.7';
/**
* Core API compatibility.
diff --git a/core/lib/Drupal/Core/Http/ClientFactory.php b/core/lib/Drupal/Core/Http/ClientFactory.php
index a68f0851757f98132bd8976f1a77a489c45557a9..3dcf35374ebd2f81f6694f854a0ea3e1bc8c903c 100644
--- a/core/lib/Drupal/Core/Http/ClientFactory.php
+++ b/core/lib/Drupal/Core/Http/ClientFactory.php
@@ -52,6 +52,13 @@ public function fromOptions(array $config = []) {
'User-Agent' => 'Drupal/' . \Drupal::VERSION . ' (+https://www.drupal.org/) ' . \GuzzleHttp\default_user_agent(),
],
'handler' => $this->stack,
+ // Security consideration: prevent Guzzle from using environment variables
+ // to configure the outbound proxy.
+ 'proxy' => [
+ 'http' => NULL,
+ 'https' => NULL,
+ 'no' => [],
+ ]
];
$config = NestedArray::mergeDeep($default_config, Settings::get('http_client_config', []), $config);
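Review bot: The closing `]` of the new `'proxy'` array has no trailing comma, unlike the `'handler' => $this->stack,` entry just above it; `],` would keep the multi-line array consistent. The comment could also say why environment-derived proxy settings are unsafe, e.g. `// HTTP_PROXY can be populated from a client-supplied Proxy request header under CGI, so Guzzle must never read proxy settings from the environment.` Because `NestedArray::mergeDeep()` on the following line layers `Settings::get('http_client_config', [])` and the caller's `$config` over these defaults, an explicitly configured proxy still takes effect. If no test elsewhere in the commit covers it, one asserting that the merged `proxy` values stay `NULL` when `HTTP_PROXY` is set in the environment would guard against regression. fromOptions() starts and ends outside this hunk.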
diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php
index 7f28c29e65bd13c409146312615dce7f29b1c24c..d42962d5d5f824e3499a37596f01c162fc066a27 100644
--- a/sites/default/default.settings.php
+++ b/sites/default/default.settings.php
@@ -325,9 +325,6 @@
*
* You can also define an array of host names that can be accessed directly,
* bypassing the proxy, in $settings['http_client_config']['proxy']['no'].
- *
- * If these settings are not configured, the system environment variables
- * HTTP_PROXY, HTTPS_PROXY, and NO_PROXY on the web server will be used instead.
*/
# $settings['http_client_config']['proxy']['http'] = 'http://proxy_user:proxy_pass@example.com:8080';
# $settings['http_client_config']['proxy']['https'] = 'http://proxy_user:proxy_pass@example.com:8080';
diff --git a/web.config b/web.config
index a0535a10db23e3245063b5390625b46cf349c594..562847125fa7e4b09d83d605af2684f9ab5ec5d7 100644
--- a/web.config
+++ b/web.config
@@ -34,6 +34,14 @@
+
+
+
+
+
+
+
+