[Pkg-drupal-commits] r2132 - in /branches/lenny-security/debian: changelog patches/00list patches/19_SA-CORE-2010-001.dpatch

luigi at users.alioth.debian.org luigi at users.alioth.debian.org
Fri Mar 12 13:48:43 UTC 2010


Author: luigi
Date: Fri Mar 12 13:48:42 2010
New Revision: 2132

URL: http://svn.debian.org/wsvn/pkg-drupal/?sc=1&rev=2132
Log:
Fixes multiple XSS vulnerabilities (Closes: #572439) (Ref: SA-CORE-2010-001, CVE-TBA)

Added:
    branches/lenny-security/debian/patches/19_SA-CORE-2010-001.dpatch   (with props)
Modified:
    branches/lenny-security/debian/changelog
    branches/lenny-security/debian/patches/00list

Modified: branches/lenny-security/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/lenny-security/debian/changelog?rev=2132&op=diff
==============================================================================
--- branches/lenny-security/debian/changelog (original)
+++ branches/lenny-security/debian/changelog Fri Mar 12 13:48:42 2010
@@ -1,6 +1,9 @@
 drupal6 (6.6-3lenny5) stable-security; urgency=high
 
-  * 
+  [ Luigi Gangitano ]
+  * debian/patches/19_SA-CORE-2010-001
+    - Fixes multiple XSS vulnerabilities (Closes: #572439)
+      (Ref: SA-CORE-2010-001, CVE-TBA)
 
  -- Luigi Gangitano <luigi at debian.org>  Fri, 12 Mar 2010 14:43:38 +0100
 

Modified: branches/lenny-security/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/lenny-security/debian/patches/00list?rev=2132&op=diff
==============================================================================
--- branches/lenny-security/debian/patches/00list (original)
+++ branches/lenny-security/debian/patches/00list Fri Mar 12 13:48:42 2010
@@ -6,3 +6,4 @@
 16_SA-CORE-2009-007
 17_SA-CORE-2009-008
 18_SA-CORE-2009-009
+19_SA-CORE-2010-001

Added: branches/lenny-security/debian/patches/19_SA-CORE-2010-001.dpatch
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/lenny-security/debian/patches/19_SA-CORE-2010-001.dpatch?rev=2132&op=file
==============================================================================
--- branches/lenny-security/debian/patches/19_SA-CORE-2010-001.dpatch (added)
+++ branches/lenny-security/debian/patches/19_SA-CORE-2010-001.dpatch Fri Mar 12 13:48:42 2010
@@ -1,0 +1,172 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 19_SA-CORE-2010-001.dpatch by Luigi Gangitano <luigi at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fixes multiple vulnerabilities
+
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny~/includes/common.inc lenny/includes/common.inc
+--- lenny~/includes/common.inc	2010-03-12 14:45:41.000000000 +0100
++++ lenny/includes/common.inc	2010-03-12 14:45:43.000000000 +0100
+@@ -304,11 +304,21 @@
+  */
+ function drupal_goto($path = '', $query = NULL, $fragment = NULL, $http_response_code = 302) {
+ 
++  $destination = FALSE;
+   if (isset($_REQUEST['destination'])) {
+-    extract(parse_url(urldecode($_REQUEST['destination'])));
++    $destination = $_REQUEST['destination'];
+   }
+   else if (isset($_REQUEST['edit']['destination'])) {
+-    extract(parse_url(urldecode($_REQUEST['edit']['destination'])));
++    $destination = $_REQUEST['edit']['destination'];
++  }
++
++  if ($destination) {
++    // Do not redirect to an absolute URL originating from user input.
++    $colonpos = strpos($destination, ':');
++    $absolute = ($colonpos !== FALSE && !preg_match('![/?#]!', substr($destination, 0, $colonpos)));
++    if (!$absolute) {
++      extract(parse_url(urldecode($destination)));
++    }
+   }
+ 
+   $url = url($path, array('query' => $query, 'fragment' => $fragment, 'absolute' => TRUE));
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny~/includes/locale.inc lenny/includes/locale.inc
+--- lenny~/includes/locale.inc	2009-08-05 02:51:00.000000000 +0200
++++ lenny/includes/locale.inc	2010-03-12 14:45:43.000000000 +0100
+@@ -34,6 +34,9 @@
+   $options = array();
+   $form['weight'] = array('#tree' => TRUE);
+   foreach ($languages as $langcode => $language) {
++    // Language code should contain no markup, but is emitted
++    // by radio and checkbox options.
++    $langcode = check_plain($langcode);
+ 
+     $options[$langcode] = '';
+     if ($language->enabled) {
+@@ -335,6 +338,17 @@
+  * Validate the language editing form. Reused for custom language addition too.
+  */
+ function locale_languages_edit_form_validate($form, &$form_state) {
++  // Validate that the name, native, and langcode variables are safe.
++  if (preg_match('/["<>\']/', $form_state['values']['langcode'])) {
++    form_set_error('langcode', t('The characters &lt;, &gt;, " and \' are not allowed in the language code field.'));
++  }
++  if (preg_match('/["<>\']/', $form_state['values']['name'])) {
++    form_set_error('name', t('The characters &lt;, &gt;, " and \' are not allowed in the language name in English field.'));
++  }
++  if (preg_match('/["<>\']/', $form_state['values']['native'])) {
++    form_set_error('native', t('The characters &lt;, &gt;, " and \' are not allowed in the native language name field.'));
++  }
++
+   if (!empty($form_state['values']['domain']) && !empty($form_state['values']['prefix'])) {
+     form_set_error('prefix', t('Domain and path prefix values should not be set at the same time.'));
+   }
+@@ -536,8 +550,13 @@
+  */
+ function locale_translate_seek_form() {
+   // Get all languages, except English
+-  $languages = locale_language_list('name', TRUE);
+-  unset($languages['en']);
++  $raw_languages = locale_language_list('name', TRUE);
++  unset($raw_languages['en']);
++  // Sanitize the values to be used in radios.
++  $languages = array();
++  foreach ($raw_languages as $key => $value) {
++    $languages[check_plain($key)] = check_plain($value);
++  }
+ 
+   // Present edit form preserving previous user settings
+   $query = _locale_translate_seek_query();
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny~/includes/session.inc lenny/includes/session.inc
+--- lenny~/includes/session.inc	2009-08-05 02:50:58.000000000 +0200
++++ lenny/includes/session.inc	2010-03-12 14:45:44.000000000 +0100
+@@ -31,8 +31,9 @@
+   // Otherwise, if the session is still active, we have a record of the client's session in the database.
+   $user = db_fetch_object(db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = '%s'", $key));
+ 
+-  // We found the client's session record and they are an authenticated user
+-  if ($user && $user->uid > 0) {
++  // We found the client's session record and they are an authenticated,
++  // active user.
++  if ($user && $user->uid > 0 && $user->status == 1) {
+     // This is done to unserialize the data member of $user
+     $user = drupal_unpack($user);
+ 
+@@ -44,7 +45,8 @@
+       $user->roles[$role->rid] = $role->name;
+     }
+   }
+-  // We didn't find the client's record (session has expired), or they are an anonymous user.
++  // We didn't find the client's record (session has expired), or they are
++  // blocked, or they are an anonymous user.
+   else {
+     $session = isset($user->session) ? $user->session : '';
+     $user = drupal_anonymous_user($session);
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny~/includes/theme.maintenance.inc lenny/includes/theme.maintenance.inc
+--- lenny~/includes/theme.maintenance.inc	2009-08-05 02:50:58.000000000 +0200
++++ lenny/includes/theme.maintenance.inc	2010-03-12 14:45:44.000000000 +0100
+@@ -122,9 +122,9 @@
+     $title = count($messages['error']) > 1 ? st('The following errors must be resolved before you can continue the installation process') : st('The following error must be resolved before you can continue the installation process');
+     $variables['messages'] .= '<h3>'. $title .':</h3>';
+     $variables['messages'] .= theme('status_messages', 'error');
+-    $variables['content'] .= '<p>'. st('Please check the error messages and <a href="!url">try again</a>.', array('!url' => request_uri())) .'</p>';
++    $variables['content'] .= '<p>'. st('Please check the error messages and <a href="!url">try again</a>.', array('!url' => check_url(request_uri()))) .'</p>';
+   }
+-  
++
+   // Special handling of warning messages
+   if (isset($messages['warning'])) {
+     $title = count($messages['warning']) > 1 ? st('The following installation warnings should be carefully reviewed') : st('The following installation warning should be carefully reviewed');
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny~/modules/locale/locale.install lenny/modules/locale/locale.install
+--- lenny~/modules/locale/locale.install	2009-08-05 02:51:22.000000000 +0200
++++ lenny/modules/locale/locale.install	2010-03-12 14:45:44.000000000 +0100
+@@ -202,6 +202,26 @@
+ }
+ 
+ /**
++ * Neutralize unsafe language names in the database.
++ */
++function locale_update_6006() {
++  $ret = array();
++  $matches = db_result(db_query("SELECT 1 FROM {languages} WHERE native LIKE '%<%' OR native LIKE '%>%' OR name LIKE '%<%' OR name LIKE '%>%'"));
++  if ($matches) {
++    $ret[] = update_sql("UPDATE {languages} SET name = REPLACE(name, '<', ''), native = REPLACE(native, '<', '')");
++    $ret[] = update_sql("UPDATE {languages} SET name = REPLACE(name, '>', ''), native = REPLACE(native, '>', '')");
++    drupal_set_message('The language name in English and the native language name values of all the existing custom languages of your site have been sanitized for security purposes. Visit the <a href="'. url('admin/settings/language') .'">Languages</a> page to check these and fix them if necessary.', 'warning');
++  }
++  // Check if some langcode values contain potentially dangerous characters and
++  // warn the user if so. These are not fixed since they are referenced in other
++  // tables (e.g. {node}).
++  if (db_result(db_query("SELECT 1 FROM {languages} WHERE language LIKE '%<%' OR language LIKE '%>%' OR language LIKE '%\"%' OR language LIKE '%\\\\\%'"))) {
++    drupal_set_message('Some of your custom language code values contain invalid characters. You should examine the <a href="'. url('admin/settings/language') .'">Languages</a> page. These must be fixed manually.', 'error');
++  }
++  return $ret;
++}
++
++/**
+  * @} End of "defgroup updates-5.x-to-6.x"
+  */
+ 
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny~/modules/locale/locale.module lenny/modules/locale/locale.module
+--- lenny~/modules/locale/locale.module	2009-08-05 02:51:22.000000000 +0200
++++ lenny/modules/locale/locale.module	2010-03-12 14:45:44.000000000 +0100
+@@ -226,7 +226,7 @@
+     $names = array();
+     foreach ($languages as $langcode => $item) {
+       $name = t($item->name);
+-      $names[$langcode] = $name . ($item->native != $name ? ' ('. $item->native .')' : '');
++      $names[check_plain($langcode)] = check_plain($name . ($item->native != $name ? ' ('. $item->native .')' : ''));
+     }
+     $form['locale'] = array(
+       '#type' => 'fieldset',
+@@ -239,7 +239,7 @@
+     $form['locale']['language'] = array(
+       '#type' => (count($names) <= 5 ? 'radios' : 'select'),
+       '#title' => t('Language'),
+-      '#default_value' => $user_preferred_language->language,
++      '#default_value' => check_plain($user_preferred_language->language),
+       '#options' => $names,
+       '#description' => ($mode == LANGUAGE_NEGOTIATION_PATH) ? t("This account's default language for e-mails, and preferred language for site presentation.") : t("This account's default language for e-mails."),
+     );
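Review bot: In the includes/common.inc part of this dpatch, the new absolute-URL test in drupal_goto() inspects `$destination` as received, but `parse_url()` is then given `urldecode($destination)`, so the string that is checked is not the string that is parsed. PHP has already decoded `$_REQUEST` values once, so this second decode can alter the value after the check has passed. Decoding first and testing the result keeps both steps on the same value: put `$destination = urldecode($destination);` ahead of the `strpos()` line and call `extract(parse_url($destination));` afterwards. It would also be worth guarding the `extract()` against `parse_url()` returning FALSE for a malformed value. The body of drupal_goto() continues outside the nested hunk, so how `$path`, `$query` and `$fragment` are used afterwards is only partly visible here.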

Propchange: branches/lenny-security/debian/patches/19_SA-CORE-2010-001.dpatch
------------------------------------------------------------------------------
    svn:executable = *



