[Pkg-drupal-commits] r1997 - in /branches/drupal6/debian: changelog patches/00list patches/13_SA-CORE-2009-001.dpatch
luigi at users.alioth.debian.org
luigi at users.alioth.debian.org
Fri Jan 16 00:50:35 UTC 2009
Author: luigi
Date: Fri Jan 16 00:50:34 2009
New Revision: 1997
URL: http://svn.debian.org/wsvn/pkg-drupal/?sc=1&rev=1997
Log:
Added upstream patch fixing multiple vulnerabilities (Ref: SA-CORE-2009-001, CVE-TBD)
Added:
branches/drupal6/debian/patches/13_SA-CORE-2009-001.dpatch (with props)
Modified:
branches/drupal6/debian/changelog
branches/drupal6/debian/patches/00list
Modified: branches/drupal6/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal6/debian/changelog?rev=1997&op=diff
==============================================================================
--- branches/drupal6/debian/changelog (original)
+++ branches/drupal6/debian/changelog Fri Jan 16 00:50:34 2009
@@ -1,6 +1,10 @@
drupal6 (6.6-3) UNRELEASED; urgency=low
* NOT RELEASED YET
+
+ * debian/patches/13_SA-CORE-2009-001
+ - Added upstream patch fixing multiple vulnerabilities
+ (Ref: SA-CORE-2009-001, CVE-TBD)
-- Luigi Gangitano <luigi at debian.org> Fri, 16 Jan 2009 01:49:58 +0100
Modified: branches/drupal6/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal6/debian/patches/00list?rev=1997&op=diff
==============================================================================
--- branches/drupal6/debian/patches/00list (original)
+++ branches/drupal6/debian/patches/00list Fri Jan 16 00:50:34 2009
@@ -1,2 +1,3 @@
10_cronjob
12_SA-2008-073
+13_SA-CORE-2009-001
Added: branches/drupal6/debian/patches/13_SA-CORE-2009-001.dpatch
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal6/debian/patches/13_SA-CORE-2009-001.dpatch?rev=1997&op=file
==============================================================================
--- branches/drupal6/debian/patches/13_SA-CORE-2009-001.dpatch (added)
+++ branches/drupal6/debian/patches/13_SA-CORE-2009-001.dpatch Fri Jan 16 00:50:34 2009
@@ -1,0 +1,84 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 13_SA-CORE-2009-001.dpatch by Luigi Gangitano <luigi at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Upstream patch fixing SQL Injection vulnerability (SA-CORE-2009-001)
+
+ at DPATCH@
+diff -urNad drupal6~/modules/node/node.module drupal6/modules/node/node.module
+--- drupal6~/modules/node/node.module 2008-08-11 19:12:42.000000000 +0200
++++ drupal6/modules/node/node.module 2009-01-16 01:46:45.000000000 +0100
+@@ -1979,7 +1979,9 @@
+ function node_access($op, $node, $account = NULL) {
+ global $user;
+
+- if (!$node) {
++ if (!$node || !in_array($op, array('view', 'update', 'delete', 'create'), TRUE)) {
++ // If there was no node to check against, or the $op was not one of the
++ // supported ones, we return access denied.
+ return FALSE;
+ }
+ // Convert the node to an object if necessary:
+diff -urNad drupal6~/modules/translation/translation.module drupal6/modules/translation/translation.module
+--- drupal6~/modules/translation/translation.module 2008-10-24 23:07:18.000000000 +0200
++++ drupal6/modules/translation/translation.module 2009-01-16 01:46:56.000000000 +0100
+@@ -76,10 +76,7 @@
+ * all languages).
+ */
+ function _translation_tab_access($node) {
+- if (!empty($node->language) && translation_supported_type($node->type)) {
+- return user_access('translate content');
+- }
+- return FALSE;
++ return !empty($node->language) && translation_supported_type($node->type) && node_access('view', $node) && user_access('translate content');
+ }
+
+ /**
+@@ -192,15 +189,27 @@
+
+ switch ($op) {
+ case 'prepare':
+- if (empty($node->nid) && isset($_GET['translation']) && isset($_GET['language']) &&
+- ($source_nid = $_GET['translation']) && ($language = $_GET['language']) &&
+- (user_access('translate content'))) {
+- // We are translating a node from a source node, so
+- // load the node to be translated and populate fields.
+- $node->language = $language;
+- $node->translation_source = node_load($source_nid);
+- $node->title = $node->translation_source->title;
+- $node->body = $node->translation_source->body;
++ if (empty($node->nid) && user_access('translate content') && isset($_GET['translation']) && isset($_GET['language']) && is_numeric($_GET['translation'])) {
++ $translation_source = node_load($_GET['translation']);
++ if (empty($translation_source) || !node_access('view', $translation_source)) {
++ // Source node not found or no access to view. We should not check
++ // for edit access, since the translator might not have permissions
++ // to edit the source node but should still be able to translate.
++ return;
++ }
++ $language_list = language_list();
++ if (!isset($language_list[$_GET['language']]) || ($translation_source->language == $_GET['language'])) {
++ // If not supported language, or same language as source node, break.
++ return;
++ }
++ // Populate fields based on source node.
++ $node->language = $_GET['language'];
++ $node->translation_source = $translation_source;
++ $node->title = $translation_source->title;
++ // If user has no access to the filter used for the body, Drupal core
++ // does not let the edit form to appear, so we should avoid exposing
++ // the source text here too.
++ $node->body = filter_access($translation_source->format) ? $translation_source->body : '';
+ // Let every module add custom translated fields.
+ node_invoke_nodeapi($node, 'prepare translation');
+ }
+diff -urNad drupal6~/modules/user/user.module drupal6/modules/user/user.module
+--- drupal6~/modules/user/user.module 2008-10-21 00:00:36.000000000 +0200
++++ drupal6/modules/user/user.module 2009-01-16 01:47:05.000000000 +0100
+@@ -1532,6 +1532,7 @@
+ $form['picture']['picture_delete'] = array('#type' => 'hidden');
+ }
+ $form['picture']['picture_upload'] = array('#type' => 'file', '#title' => t('Upload picture'), '#size' => 48, '#description' => t('Your virtual face or picture. Maximum dimensions are %dimensions and the maximum size is %size kB.', array('%dimensions' => variable_get('user_picture_dimensions', '85x85'), '%size' => variable_get('user_picture_file_size', '30'))) .' '. variable_get('user_picture_guidelines', ''));
++ $form['#validate'][] = 'user_profile_form_validate';
+ $form['#validate'][] = 'user_validate_picture';
+ }
+ $form['#uid'] = $uid;
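Review bot: The `## DP:` line in the dpatch header describes only an SQL injection fix, but the embedded diff does more, and the changelog entry itself says "multiple vulnerabilities". Besides restricting `$op` in `node_access()` to four values, it adds `node_access('view', ...)` checks to `_translation_tab_access()` and the translation `prepare` path, and it registers `user_profile_form_validate` on the user edit form. I would list all three so that anyone auditing advisory coverage from the patch headers can see the access-control and validation changes, for example `## DP: Upstream patch for SA-CORE-2009-001: restricts node_access() $op values,` followed by `## DP: adds view-access checks to translation, registers user_profile_form_validate`. Separately, `is_numeric($_GET['translation'])` also accepts strings such as `1e3` or `1.5`; `node_load()` is not visible here, so confirm that it casts the value to an integer before it reaches a query, or tighten the check upstream.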
Propchange: branches/drupal6/debian/patches/13_SA-CORE-2009-001.dpatch
------------------------------------------------------------------------------
svn:executable = *