diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 79d9910b1f9ca0a6bd6cf1cde0fa80100da679d8..e97215da1c3f75722776e980e12c1765cc538b86 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -1,7 +1,11 @@ -Drupal 7.34, xxxx-xx-xx (development version) +Drupal 7.35, xxxx-xx-xx (development version) ----------------------- +Drupal 7.34, 2014-11-19 +---------------------- +- Fixed security issues (multiple vulnerabilities). See SA-CORE-2014-006. + Drupal 7.33, 2014-11-07 ----------------------- - Began storing the file modification time of each module and theme in the diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc index b6c531c3bf9b5de62df9463cee30c598545cabd2..9f37dfcf18283d5d7117092f08d443081c86363a 100644 --- a/includes/bootstrap.inc +++ b/includes/bootstrap.inc @@ -8,7 +8,7 @@ /** * The current system version. */ -define('VERSION', '7.34-dev'); +define('VERSION', '7.35-dev'); /** * Core API compatibility. diff --git a/includes/password.inc b/includes/password.inc index 3d5a400d26037cd6c233b9775c380edcb608804d..8228e61113f761bc230c4d36aa865383408526fe 100644 --- a/includes/password.inc +++ b/includes/password.inc @@ -140,7 +140,7 @@ function _password_enforce_log2_boundaries($count_log2) { * @param $algo * The string name of a hashing algorithm usable by hash(), like 'sha256'. * @param $password - * The plain-text password to hash. + * Plain-text password up to 512 bytes (128 to 512 UTF-8 characters) to hash. * @param $setting * An existing hash or the output of _password_generate_salt(). Must be * at least 12 characters (the settings and salt). @@ -150,6 +150,10 @@ function _password_enforce_log2_boundaries($count_log2) { * The return string will be truncated at DRUPAL_HASH_LENGTH characters max. */ function _password_crypt($algo, $password, $setting) { + // Prevent DoS attacks by refusing to hash large passwords. + if (strlen($password) > 512) { + return FALSE; + } // The first 12 characters of an existing hash are its setting string. $setting = substr($setting, 0, 12); diff --git a/includes/session.inc b/includes/session.inc index 9589e06fc953aa728e86519cea9f910d8bcd4302..84d1983b42ea50e7d50b8fa7ee6003561682832e 100644 --- a/includes/session.inc +++ b/includes/session.inc @@ -79,7 +79,7 @@ function _drupal_session_read($sid) { // Handle the case of first time visitors and clients that don't store // cookies (eg. web crawlers). $insecure_session_name = substr(session_name(), 1); - if (!isset($_COOKIE[session_name()]) && !isset($_COOKIE[$insecure_session_name])) { + if (empty($sid) || (!isset($_COOKIE[session_name()]) && !isset($_COOKIE[$insecure_session_name]))) { $user = drupal_anonymous_user(); return ''; } diff --git a/modules/simpletest/tests/password.test b/modules/simpletest/tests/password.test index 5259d19e80d08c1eb360839ce0dc68f63f30cbc5..7105f3b7add0db0e878d3901b50025484609ba2a 100644 --- a/modules/simpletest/tests/password.test +++ b/modules/simpletest/tests/password.test @@ -57,4 +57,25 @@ class PasswordHashingTest extends DrupalWebTestCase { $this->assertFalse(user_needs_new_hash($account), 'Re-hashed password does not need a new hash.'); $this->assertTrue(user_check_password($password, $account), 'Password check succeeds with re-hashed password.'); } + + /** + * Verifies that passwords longer than 512 bytes are not hashed. + */ + public function testLongPassword() { + $password = str_repeat('x', 512); + $result = user_hash_password($password); + $this->assertFalse(empty($result), '512 byte long password is allowed.'); + $password = str_repeat('x', 513); + $result = user_hash_password($password); + $this->assertFalse($result, '513 byte long password is not allowed.'); + // Check a string of 3-byte UTF-8 characters. + $password = str_repeat('€', 170); + $result = user_hash_password($password); + $this->assertFalse(empty($result), '510 byte long password is allowed.'); + $password .= 'xx'; + $this->assertFalse(empty($result), '512 byte long password is allowed.'); + $password = str_repeat('€', 171); + $result = user_hash_password($password); + $this->assertFalse($result, '513 byte long password is not allowed.'); + } }