diff --git a/CHANGELOG.txt b/CHANGELOG.txt index c74f95a98c1d8ada405cd089f9bbe5007caec081..e694a84513bb800f47297dd9811e7d13f18d906f 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -9,6 +9,10 @@ Drupal 7.xx, xxxx-xx-xx (development version) Host header. - Allowed the + character to appear in usernames. +Drupal 7.58, 2018-03-28 +----------------------- +- Fixed security issues (multiple vulnerabilities). See SA-CORE-2018-002. + Drupal 7.57, 2018-02-21 ----------------------- - Fixed security issues (multiple vulnerabilities). See SA-CORE-2018-001. diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc index f789712cb7fe163f6dd26c6282b4fb5a52e345f8..2abc7f044b58789b6056146851c7e73e914a8729 100644 --- a/includes/bootstrap.inc +++ b/includes/bootstrap.inc @@ -8,7 +8,7 @@ /** * The current system version. */ -define('VERSION', '7.58-dev'); +define('VERSION', '7.59-dev'); /** * Core API compatibility. @@ -2632,6 +2632,10 @@ function _drupal_bootstrap_configuration() { timer_start('page'); // Initialize the configuration, including variables from settings.php. drupal_settings_initialize(); + + // Sanitize unsafe keys from the request. + require_once DRUPAL_ROOT . '/includes/request-sanitizer.inc'; + DrupalRequestSanitizer::sanitize(); } /** diff --git a/includes/request-sanitizer.inc b/includes/request-sanitizer.inc new file mode 100644 index 0000000000000000000000000000000000000000..1daa6b53485d76715541e5d4ce6ddffa90293a43 --- /dev/null +++ b/includes/request-sanitizer.inc @@ -0,0 +1,82 @@ + implode(', ', $get_sanitized_keys))), E_USER_NOTICE); + } + + // Process request body parameters. + $post_sanitized_keys = array(); + $_POST = self::stripDangerousValues($_POST, $whitelist, $post_sanitized_keys); + if ($log_sanitized_keys && $post_sanitized_keys) { + _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from request body parameters (POST): @keys', array('@keys' => implode(', ', $post_sanitized_keys))), E_USER_NOTICE); + } + + // Process cookie parameters. + $cookie_sanitized_keys = array(); + $_COOKIE = self::stripDangerousValues($_COOKIE, $whitelist, $cookie_sanitized_keys); + if ($log_sanitized_keys && $cookie_sanitized_keys) { + _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from cookie parameters (COOKIE): @keys', array('@keys' => implode(', ', $cookie_sanitized_keys))), E_USER_NOTICE); + } + + $request_sanitized_keys = array(); + $_REQUEST = self::stripDangerousValues($_REQUEST, $whitelist, $request_sanitized_keys); + + self::$sanitized = TRUE; + } + } + + /** + * Strips dangerous keys from the provided input. + * + * @param mixed $input + * The input to sanitize. + * @param string[] $whitelist + * An array of keys to whitelist as safe. + * @param string[] $sanitized_keys + * An array of keys that have been removed. + * + * @return mixed + * The sanitized input. + */ + protected static function stripDangerousValues($input, array $whitelist, array &$sanitized_keys) { + if (is_array($input)) { + foreach ($input as $key => $value) { + if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) { + unset($input[$key]); + $sanitized_keys[] = $key; + } + else { + $input[$key] = self::stripDangerousValues($input[$key], $whitelist, $sanitized_keys); + } + } + } + return $input; + } + +}