[Pkg-drupal-commits] r2027 - in /branches/lenny-security/debian: changelog patches/00list patches/14_SA-CORE-2009-005.dpatch
luigi at users.alioth.debian.org
luigi at users.alioth.debian.org
Mon May 4 18:06:38 UTC 2009
Author: luigi
Date: Mon May 4 18:06:37 2009
New Revision: 2027
URL: http://svn.debian.org/wsvn/pkg-drupal/?sc=1&rev=2027
Log:
Added upstream patch fixing an XSS vulnerability (Ref: SA-CORE-2009-005, CVE-TBD)
Added:
branches/lenny-security/debian/patches/14_SA-CORE-2009-005.dpatch (with props)
Modified:
branches/lenny-security/debian/changelog
branches/lenny-security/debian/patches/00list
Modified: branches/lenny-security/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/lenny-security/debian/changelog?rev=2027&op=diff
==============================================================================
--- branches/lenny-security/debian/changelog (original)
+++ branches/lenny-security/debian/changelog Mon May 4 18:06:37 2009
@@ -1,3 +1,14 @@
+drupal6 (6.6-3lenny1) stable-security; urgency=high
+
+ [ Luigi Gangitano ]
+ * Urgency high due to security fixes
+
+ * debian/patches/14_SA-CORE-2009-005
+ - Added upstream patch fixing an XSS vulnerability
+ (Ref: SA-CORE-2009-005, CVE-TBD)
+
+ -- Luigi Gangitano <luigi at debian.org> Mon, 04 May 2009 20:04:05 +0200
+
drupal6 (6.6-3) unstable; urgency=high
[ Luigi Gangitano ]
Modified: branches/lenny-security/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/lenny-security/debian/patches/00list?rev=2027&op=diff
==============================================================================
--- branches/lenny-security/debian/patches/00list (original)
+++ branches/lenny-security/debian/patches/00list Mon May 4 18:06:37 2009
@@ -1,3 +1,4 @@
10_cronjob
12_SA-2008-073
13_SA-CORE-2009-001
+14_SA-CORE-2009-005
Added: branches/lenny-security/debian/patches/14_SA-CORE-2009-005.dpatch
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/lenny-security/debian/patches/14_SA-CORE-2009-005.dpatch?rev=2027&op=file
==============================================================================
--- branches/lenny-security/debian/patches/14_SA-CORE-2009-005.dpatch (added)
+++ branches/lenny-security/debian/patches/14_SA-CORE-2009-005.dpatch Mon May 4 18:06:37 2009
@@ -1,0 +1,144 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 14_SA-CORE-2009-005.dpatch by Luigi Gangitano <luigi at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad lenny~/includes/bootstrap.inc lenny/includes/bootstrap.inc
+--- lenny~/includes/bootstrap.inc 2009-05-04 20:01:21.000000000 +0200
++++ lenny/includes/bootstrap.inc 2009-05-04 20:02:59.000000000 +0200
+@@ -757,6 +757,8 @@
+ $uri = $_SERVER['SCRIPT_NAME'];
+ }
+ }
++ // Prevent multiple slashes to avoid cross site requests via the FAPI.
++ $uri = '/'. ltrim($uri, '/');
+
+ return $uri;
+ }
+diff -urNad lenny~/includes/common.inc lenny/includes/common.inc
+--- lenny~/includes/common.inc 2009-05-04 20:02:32.000000000 +0200
++++ lenny/includes/common.inc 2009-05-04 20:02:59.000000000 +0200
+@@ -152,6 +152,15 @@
+ }
+
+ /**
++ * Make any final alterations to the rendered xhtml.
++ */
++function drupal_final_markup($content) {
++ // Make sure that the charset is always specified as the first element of the
++ // head region to prevent encoding-based attacks.
++ return preg_replace('/<head[^>]*>/i', "\$0\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />", $content, 1);
++}
++
++/**
+ * Add a feed URL for the current page.
+ *
+ * @param $url
+diff -urNad lenny~/includes/theme.inc lenny/includes/theme.inc
+--- lenny~/includes/theme.inc 2009-05-04 20:01:21.000000000 +0200
++++ lenny/includes/theme.inc 2009-05-04 20:02:59.000000000 +0200
+@@ -667,6 +667,10 @@
+ }
+ // restore path_to_theme()
+ $theme_path = $temp;
++ // Add final markup to the full page.
++ if ($hook == 'page') {
++ $output = drupal_final_markup($output);
++ }
+ return $output;
+ }
+
+diff -urNad lenny~/modules/system/maintenance-page.tpl.php lenny/modules/system/maintenance-page.tpl.php
+--- lenny~/modules/system/maintenance-page.tpl.php 2009-02-16 19:33:38.000000000 +0100
++++ lenny/modules/system/maintenance-page.tpl.php 2009-05-04 20:02:59.000000000 +0200
+@@ -19,8 +19,8 @@
+ <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php print $language->language ?>" lang="<?php print $language->language ?>" dir="<?php print $language->dir ?>">
+
+ <head>
+- <title><?php print $head_title; ?></title>
+ <?php print $head; ?>
++ <title><?php print $head_title; ?></title>
+ <?php print $styles; ?>
+ <?php print $scripts; ?>
+ <script type="text/javascript"><?php /* Needed to avoid Flash of Unstyled Content in IE */ ?> </script>
+diff -urNad lenny~/modules/system/page.tpl.php lenny/modules/system/page.tpl.php
+--- lenny~/modules/system/page.tpl.php 2009-02-16 19:33:38.000000000 +0100
++++ lenny/modules/system/page.tpl.php 2009-05-04 20:02:59.000000000 +0200
+@@ -80,8 +80,8 @@
+ <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php print $language->language ?>" lang="<?php print $language->language ?>" dir="<?php print $language->dir ?>">
+
+ <head>
+- <title><?php print $head_title; ?></title>
+ <?php print $head; ?>
++ <title><?php print $head_title; ?></title>
+ <?php print $styles; ?>
+ <?php print $scripts; ?>
+ <script type="text/javascript"><?php /* Needed to avoid Flash of Unstyled Content in IE */ ?> </script>
+diff -urNad lenny~/themes/bluemarine/page.tpl.php lenny/themes/bluemarine/page.tpl.php
+--- lenny~/themes/bluemarine/page.tpl.php 2009-05-04 20:01:20.000000000 +0200
++++ lenny/themes/bluemarine/page.tpl.php 2009-05-04 20:02:59.000000000 +0200
+@@ -4,8 +4,8 @@
+ <html xmlns="http://www.w3.org/1999/xhtml" lang="<?php print $language->language ?>" xml:lang="<?php print $language->language ?>" dir="<?php print $language->dir ?>">
+
+ <head>
+- <title><?php print $head_title ?></title>
+ <?php print $head ?>
++ <title><?php print $head_title ?></title>
+ <?php print $styles ?>
+ <?php print $scripts ?>
+ <script type="text/javascript"><?php /* Needed to avoid Flash of Unstyle Content in IE */ ?> </script>
+diff -urNad lenny~/themes/chameleon/chameleon.theme lenny/themes/chameleon/chameleon.theme
+--- lenny~/themes/chameleon/chameleon.theme 2009-05-04 20:01:20.000000000 +0200
++++ lenny/themes/chameleon/chameleon.theme 2009-05-04 20:02:59.000000000 +0200
+@@ -30,8 +30,8 @@
+ $output = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n";
+ $output .= "<html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"$language\" xml:lang=\"$language\" dir=\"$direction\">\n";
+ $output .= "<head>\n";
+- $output .= " <title>". ($title ? strip_tags($title) ." | ". variable_get("site_name", "Drupal") : variable_get("site_name", "Drupal") ." | ". variable_get("site_slogan", "")) ."</title>\n";
+ $output .= drupal_get_html_head();
++ $output .= " <title>". ($title ? strip_tags($title) ." | ". variable_get("site_name", "Drupal") : variable_get("site_name", "Drupal") ." | ". variable_get("site_slogan", "")) ."</title>\n";
+ $output .= drupal_get_css();
+ $output .= drupal_get_js();
+ $output .= "</head>";
+diff -urNad lenny~/themes/garland/maintenance-page.tpl.php lenny/themes/garland/maintenance-page.tpl.php
+--- lenny~/themes/garland/maintenance-page.tpl.php 2009-05-04 20:01:20.000000000 +0200
++++ lenny/themes/garland/maintenance-page.tpl.php 2009-05-04 20:02:59.000000000 +0200
+@@ -15,8 +15,8 @@
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+ <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php print $language->language ?>" lang="<?php print $language->language ?>" dir="<?php print $language->dir ?>">
+ <head>
+- <title><?php print $head_title ?></title>
+ <?php print $head ?>
++ <title><?php print $head_title ?></title>
+ <?php print $styles ?>
+ <?php print $scripts ?>
+ <!--[if lt IE 7]>
+diff -urNad lenny~/themes/garland/page.tpl.php lenny/themes/garland/page.tpl.php
+--- lenny~/themes/garland/page.tpl.php 2009-05-04 20:01:20.000000000 +0200
++++ lenny/themes/garland/page.tpl.php 2009-05-04 20:02:59.000000000 +0200
+@@ -4,8 +4,8 @@
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+ <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php print $language->language ?>" lang="<?php print $language->language ?>" dir="<?php print $language->dir ?>">
+ <head>
+- <title><?php print $head_title ?></title>
+ <?php print $head ?>
++ <title><?php print $head_title ?></title>
+ <?php print $styles ?>
+ <?php print $scripts ?>
+ <!--[if lt IE 7]>
+diff -urNad lenny~/themes/pushbutton/page.tpl.php lenny/themes/pushbutton/page.tpl.php
+--- lenny~/themes/pushbutton/page.tpl.php 2009-05-04 20:01:21.000000000 +0200
++++ lenny/themes/pushbutton/page.tpl.php 2009-05-04 20:02:59.000000000 +0200
+@@ -3,9 +3,9 @@
+ ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+ <html xmlns="http://www.w3.org/1999/xhtml" lang="<?php print $language->language ?>" xml:lang="<?php print $language->language ?>" dir="<?php print $language->dir ?>">
+ <head>
+- <title><?php print $head_title ?></title>
+ <meta http-equiv="Content-Style-Type" content="text/css" />
+ <?php print $head ?>
++ <title><?php print $head_title ?></title>
+ <?php print $styles ?>
+ <?php print $scripts ?>
+ </head>
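Review bot: The charset-first guarantee is enforced in code only for the `page` hook: the `theme()` change calls `drupal_final_markup()` under `if ($hook == 'page')`, while the two `maintenance-page.tpl.php` templates in this patch are only reordered so that `$head` prints before `<title>`. That leaves the maintenance page, and any third-party maintenance template that still prints `<title>` first, dependent on `$head` beginning with the charset declaration, which nothing in this patch shows. If the maintenance page is rendered through `theme()` under the hook name `maintenance_page`, consider `if ($hook == 'page' || $hook == 'maintenance_page') {` so both full-document outputs get the same treatment; the body of `theme()` starts outside the embedded hunk, so this should be confirmed against the full function. The `## DP: No description.` header should also be replaced with a real description, for example `## DP: SA-CORE-2009-005: normalise leading slashes in the request URI and emit the charset meta first in <head>`.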
Propchange: branches/lenny-security/debian/patches/14_SA-CORE-2009-005.dpatch
------------------------------------------------------------------------------
svn:executable = *