diff --git a/common/core/SA-CORE-2018-002.patch b/common/core/SA-CORE-2018-002.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1e882391a4cecbb9c2996ccbe0f8dc681c513008
--- /dev/null
+++ b/common/core/SA-CORE-2018-002.patch
@@ -0,0 +1,70 @@
+diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
+index 23179ca98d..bfbbb81876 100644
+--- a/includes/bootstrap.inc
++++ b/includes/bootstrap.inc
+@@ -1142,6 +1142,7 @@ function _drupal_bootstrap($phase) {
+       timer_start('page');
+       // Initialize the configuration
+       conf_init();
++      _drupal_bootstrap_sanitize_request();
+       break;
+ 
+     case DRUPAL_BOOTSTRAP_EARLY_PAGE_CACHE:
+@@ -1603,3 +1604,57 @@ function filter_xss_bad_protocol($string, $decode = TRUE) {
+   } while ($before != $string);
+   return check_plain($string);
+ }
++
++/**
++ * Sanitizes unsafe keys from the request.
++ */
++function _drupal_bootstrap_sanitize_request() {
++  global $conf;
++  static $sanitized;
++
++  if (!$sanitized) {
++    // Ensure the whitelist array exists.
++    if (!isset($conf['sanitize_input_whitelist']) || !is_array($conf['sanitize_input_whitelist'])) {
++      $conf['sanitize_input_whitelist'] = array();
++    }
++
++    $sanitized_keys = _drupal_bootstrap_sanitize_input($_GET, $conf['sanitize_input_whitelist']);
++    $sanitized_keys = array_merge($sanitized_keys, _drupal_bootstrap_sanitize_input($_POST, $conf['sanitize_input_whitelist']));
++    $sanitized_keys = array_merge($sanitized_keys, _drupal_bootstrap_sanitize_input($_REQUEST, $conf['sanitize_input_whitelist']));
++    $sanitized_keys = array_merge($sanitized_keys, _drupal_bootstrap_sanitize_input($_COOKIE, $conf['sanitize_input_whitelist']));
++    $sanitized_keys = array_unique($sanitized_keys);
++
++    if (count($sanitized_keys) && !empty($conf['sanitize_input_logging'])) {
++      trigger_error(check_plain(sprintf('Potentially unsafe keys removed from request parameters: %s', implode(', ', $sanitized_keys)), E_USER_WARNING));
++    }
++
++    $sanitized = TRUE;
++  }
++}
++
++/**
++ * Sanitizes unsafe keys from user input.
++ *
++ * @param mixed $input
++ *   Input to sanitize.
++ * @param array $whitelist
++ *   Whitelist of values.
++ * @return array
++ */
++function _drupal_bootstrap_sanitize_input(&$input, $whitelist = array()) {
++  $sanitized_keys = array();
++
++  if (is_array($input)) {
++    foreach ($input as $key => $value) {
++      if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) {
++        unset($input[$key]);
++        $sanitized_keys[] = $key;
++      }
++      elseif (is_array($input[$key])) {
++        $sanitized_keys = array_merge($sanitized_keys, _drupal_bootstrap_sanitize_input($input[$key], $whitelist));
++      }
++    }
++  }
++
++  return $sanitized_keys;
++}