[Pkg-drupal-commits] r2059 - in /branches/drupal6/debian: changelog patches/00list patches/20_SA-CORE-2009-007.dpatch

luigi at users.alioth.debian.org luigi at users.alioth.debian.org
Mon Jul 13 15:26:28 UTC 2009 

Author: luigi
Date: Mon Jul 13 15:26:27 2009
New Revision: 2059

URL: http://svn.debian.org/wsvn/pkg-drupal/?sc=1&rev=2059
Log:
Integrate NMU

Added:
    branches/drupal6/debian/patches/20_SA-CORE-2009-007.dpatch
Modified:
    branches/drupal6/debian/changelog
    branches/drupal6/debian/patches/00list

Modified: branches/drupal6/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal6/debian/changelog?rev=2059&op=diff
==============================================================================
--- branches/drupal6/debian/changelog (original)
+++ branches/drupal6/debian/changelog Mon Jul 13 15:26:27 2009
@@ -1,3 +1,14 @@
+drupal6 (6.12-1.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Apply upstream patch to fix:
+    - XSS in the forum module
+    - Input format access bypass via signatures
+    - Password leakage via URLs
+    (no CVE id yet; SA-CORE-2009-007; Closes: #535435).
+
+ -- Nico Golde <nion at debian.org>  Mon, 06 Jul 2009 20:27:45 +0200
+
 drupal6 (6.12-1) unstable; urgency=low
 
   [ Luigi Gangitano ]

Modified: branches/drupal6/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal6/debian/patches/00list?rev=2059&op=diff
==============================================================================
--- branches/drupal6/debian/patches/00list (original)
+++ branches/drupal6/debian/patches/00list Mon Jul 13 15:26:27 2009
@@ -1,1 +1,2 @@
 10_cronjob
+20_SA-CORE-2009-007

Added: branches/drupal6/debian/patches/20_SA-CORE-2009-007.dpatch
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal6/debian/patches/20_SA-CORE-2009-007.dpatch?rev=2059&op=file
==============================================================================
--- branches/drupal6/debian/patches/20_SA-CORE-2009-007.dpatch (added)
+++ branches/drupal6/debian/patches/20_SA-CORE-2009-007.dpatch Mon Jul 13 15:26:27 2009
@@ -1,0 +1,202 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 20_SA-CORE-2009-007.dpatch by Nico Golde <nion at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: SA-CORE-2009-007 various security issues
+
+ at DPATCH@
+diff -urNad drupal6-6.12~/includes/pager.inc drupal6-6.12/includes/pager.inc
+--- drupal6-6.12~/includes/pager.inc	2007-12-06 10:58:30.000000000 +0100
++++ drupal6-6.12/includes/pager.inc	2009-07-06 20:26:04.000000000 +0200
+@@ -85,7 +85,7 @@
+ function pager_get_querystring() {
+   static $string = NULL;
+   if (!isset($string)) {
+-    $string = drupal_query_string_encode($_REQUEST, array_merge(array('q', 'page'), array_keys($_COOKIE)));
++    $string = drupal_query_string_encode($_REQUEST, array_merge(array('q', 'page', 'pass'), array_keys($_COOKIE)));
+   }
+   return $string;
+ }
+diff -urNad drupal6-6.12~/includes/tablesort.inc drupal6-6.12/includes/tablesort.inc
+--- drupal6-6.12~/includes/tablesort.inc	2008-01-04 10:31:48.000000000 +0100
++++ drupal6-6.12/includes/tablesort.inc	2009-07-06 20:26:04.000000000 +0200
+@@ -136,7 +136,7 @@
+  *   except for those pertaining to table sorting.
+  */
+ function tablesort_get_querystring() {
+-  return drupal_query_string_encode($_REQUEST, array_merge(array('q', 'sort', 'order'), array_keys($_COOKIE)));
++  return drupal_query_string_encode($_REQUEST, array_merge(array('q', 'sort', 'order', 'pass'), array_keys($_COOKIE)));
+ }
+ 
+ /**
+diff -urNad drupal6-6.12~/modules/comment/comment.module drupal6-6.12/modules/comment/comment.module
+--- drupal6-6.12~/modules/comment/comment.module	2009-05-13 19:15:10.000000000 +0200
++++ drupal6-6.12/modules/comment/comment.module	2009-07-06 20:26:04.000000000 +0200
+@@ -936,7 +936,7 @@
+ 
+     if ($cid && is_numeric($cid)) {
+       // Single comment view.
+-      $query = 'SELECT c.cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, c.homepage, u.uid, u.name AS registered_name, u.signature, u.picture, u.data, c.status FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d';
++      $query = 'SELECT c.cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, c.homepage, u.uid, u.name AS registered_name, u.signature, u.signature_format, u.picture, u.data, c.status FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d';
+       $query_args = array($cid);
+       if (!user_access('administer comments')) {
+         $query .= ' AND c.status = %d';
+@@ -957,7 +957,7 @@
+     else {
+       // Multiple comment view
+       $query_count = 'SELECT COUNT(*) FROM {comments} c WHERE c.nid = %d';
+-      $query = 'SELECT c.cid as cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, c.homepage, u.uid, u.name AS registered_name, u.signature, u.picture, u.data, c.thread, c.status FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.nid = %d';
++      $query = 'SELECT c.cid as cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, c.homepage, u.uid, u.name AS registered_name, u.signature, u.signature_format, u.picture, u.data, c.thread, c.status FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.nid = %d';
+ 
+       $query_args = array($nid);
+       if (!user_access('administer comments')) {
+@@ -1468,7 +1468,7 @@
+   $output = '';
+ 
+   if ($edit['pid']) {
+-    $comment = db_fetch_object(db_query('SELECT c.*, u.uid, u.name AS registered_name, u.signature, u.picture, u.data FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d AND c.status = %d', $edit['pid'], COMMENT_PUBLISHED));
++    $comment = db_fetch_object(db_query('SELECT c.*, u.uid, u.name AS registered_name, u.signature, u.signature_format, u.picture, u.data FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d AND c.status = %d', $edit['pid'], COMMENT_PUBLISHED));
+     $comment = drupal_unpack($comment);
+     $comment->name = $comment->uid ? $comment->registered_name : $comment->name;
+     $output .= theme('comment_view', $comment, $node);
+@@ -1778,14 +1778,14 @@
+ function theme_comment_post_forbidden($node) {
+   global $user;
+   static $authenticated_post_comments;
+-  
++
+   if (!$user->uid) {
+     if (!isset($authenticated_post_comments)) {
+       // We only output any link if we are certain, that users get permission
+       // to post comments by logging in. We also locally cache this information.
+       $authenticated_post_comments = array_key_exists(DRUPAL_AUTHENTICATED_RID, user_roles(TRUE, 'post comments') + user_roles(TRUE, 'post comments without approval'));
+     }
+-    
++
+     if ($authenticated_post_comments) {
+       // We cannot use drupal_get_destination() because these links
+       // sometimes appear on /node and taxonomy listing pages.
+diff -urNad drupal6-6.12~/modules/comment/comment.pages.inc drupal6-6.12/modules/comment/comment.pages.inc
+--- drupal6-6.12~/modules/comment/comment.pages.inc	2008-02-07 19:53:38.000000000 +0100
++++ drupal6-6.12/modules/comment/comment.pages.inc	2009-07-06 20:26:04.000000000 +0200
+@@ -70,7 +70,7 @@
+       // $pid indicates that this is a reply to a comment.
+       if ($pid) {
+         // load the comment whose cid = $pid
+-        if ($comment = db_fetch_object(db_query('SELECT c.*, u.uid, u.name AS registered_name, u.signature, u.picture, u.data FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d AND c.status = %d', $pid, COMMENT_PUBLISHED))) {
++        if ($comment = db_fetch_object(db_query('SELECT c.*, u.uid, u.name AS registered_name, u.signature, u.signature_format, u.picture, u.data FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d AND c.status = %d', $pid, COMMENT_PUBLISHED))) {
+           // If that comment exists, make sure that the current comment and the parent comment both
+           // belong to the same parent node.
+           if ($comment->nid != $node->nid) {
+diff -urNad drupal6-6.12~/modules/forum/forum.pages.inc drupal6-6.12/modules/forum/forum.pages.inc
+--- drupal6-6.12~/modules/forum/forum.pages.inc	2007-07-26 08:48:03.000000000 +0200
++++ drupal6-6.12/modules/forum/forum.pages.inc	2009-07-06 20:26:04.000000000 +0200
+@@ -10,6 +10,11 @@
+  * Menu callback; prints a forum listing.
+  */
+ function forum_page($tid = 0) {
++  if (!is_numeric($tid)) {
++    return MENU_NOT_FOUND;
++  }
++  $tid = (int)$tid;
++
+   $topics = '';
+   $forum_per_page = variable_get('forum_per_page', 25);
+   $sortby = variable_get('forum_order', 1);
+diff -urNad drupal6-6.12~/modules/system/system.install drupal6-6.12/modules/system/system.install
+--- drupal6-6.12~/modules/system/system.install	2009-04-27 14:50:13.000000000 +0200
++++ drupal6-6.12/modules/system/system.install	2009-07-06 20:26:04.000000000 +0200
+@@ -2565,6 +2565,39 @@
+ }
+ 
+ /**
++ * Create a signature_format column.
++ */
++function system_update_6051() {
++  $ret = array();
++
++  if (!db_column_exists('users', 'signature_format')) {
++
++    // Set future input formats to FILTER_FORMAT_DEFAULT to ensure a safe default
++    // when incompatible modules insert into the users table. An actual format
++    // will be assigned when users save their signature.
++
++    $schema = array(
++      'type' => 'int',
++      'size' => 'small',
++      'not null' => TRUE,
++      'default' => FILTER_FORMAT_DEFAULT,
++      'description' => 'The {filter_formats}.format of the signature.',
++    );
++
++    db_add_field($ret, 'users', 'signature_format', $schema);
++
++    // Set the format of existing signatures to the current default input format.
++    if ($current_default_filter = variable_get('filter_default_format', 0)) {
++      $ret[] = update_sql("UPDATE {users} SET signature_format = ". $current_default_filter);
++    }
++
++    drupal_set_message("User signatures no longer inherit comment input formats. Each user's signature now has its own associated format that can be selected on the user's account page. Existing signatures have been set to your site's default input format.");
++  }
++
++  return $ret;
++}
++
++/**
+  * @} End of "defgroup updates-6.x-extra"
+  * The next series of updates should start at 7000.
+  */
+diff -urNad drupal6-6.12~/modules/user/user.install drupal6-6.12/modules/user/user.install
+--- drupal6-6.12~/modules/user/user.install	2009-01-06 16:46:38.000000000 +0100
++++ drupal6-6.12/modules/user/user.install	2009-07-06 20:26:04.000000000 +0200
+@@ -191,6 +191,13 @@
+         'default' => '',
+         'description' => "User's signature.",
+       ),
++      'signature_format' => array(
++        'type' => 'int',
++        'size' => 'small',
++        'not null' => TRUE,
++        'default' => 0,
++        'description' => 'The {filter_formats}.format of the signature.',
++      ),
+       'created' => array(
+         'type' => 'int',
+         'not null' => TRUE,
+diff -urNad drupal6-6.12~/modules/user/user.module drupal6-6.12/modules/user/user.module
+--- drupal6-6.12~/modules/user/user.module	2009-04-27 14:02:27.000000000 +0200
++++ drupal6-6.12/modules/user/user.module	2009-07-06 20:26:04.000000000 +0200
+@@ -532,7 +532,7 @@
+     }
+     else {
+       // Make sure we return the default fields at least.
+-      $fields = array('uid', 'name', 'pass', 'mail', 'picture', 'mode', 'sort', 'threshold', 'theme', 'signature', 'created', 'access', 'login', 'status', 'timezone', 'language', 'init', 'data');
++      $fields = array('uid', 'name', 'pass', 'mail', 'picture', 'mode', 'sort', 'threshold', 'theme', 'signature', 'signature_format', 'created', 'access', 'login', 'status', 'timezone', 'language', 'init', 'data');
+     }
+   }
+ 
+@@ -1519,6 +1519,15 @@
+       '#default_value' => $edit['signature'],
+       '#description' => t('Your signature will be publicly displayed at the end of your comments.'),
+     );
++
++    // Prevent a "validation error" message when the user attempts to save with a default value they
++    // do not have access to.
++    if (!filter_access($edit['signature_format']) && empty($_POST)) {
++      drupal_set_message(t("The signature input format has been set to a format you don't have access to. It will be changed to a format you have access to when you save this page."));
++      $edit['signature_format'] = FILTER_FORMAT_DEFAULT;
++    }
++
++    $form['signature_settings']['signature_format'] = filter_form($edit['signature_format'], NULL, array('signature_format'));
+   }
+ 
+   // Picture/avatar:
+@@ -2031,7 +2040,7 @@
+   // Validate signature.
+   if ($op == 'view') {
+     if (variable_get('user_signatures', 0) && !empty($comment->signature)) {
+-      $comment->signature = check_markup($comment->signature, $comment->format);
++      $comment->signature = check_markup($comment->signature, $comment->signature_format, FALSE);
+     }
+     else {
+       $comment->signature = '';

More information about the Pkg-drupal-commits mailing list