[Pkg-drupal-commits] r2203 - in /branches/squeeze-security/debian: changelog patches/00list patches/21_SA-CORE-2011-001.dpatch
luigi at users.alioth.debian.org
luigi at users.alioth.debian.org
Sun Jun 19 23:58:35 UTC 2011
Author: luigi
Date: Sun Jun 19 23:58:35 2011
New Revision: 2203
URL: http://svn.debian.org/wsvn/pkg-drupal/?sc=1&rev=2203
Log:
Included upstream security fix for XSS in color module (Ref: SA-CORE-2011-001, CVE: TBA)(Closes: #628896)
Added:
branches/squeeze-security/debian/patches/21_SA-CORE-2011-001.dpatch (with props)
Modified:
branches/squeeze-security/debian/changelog
branches/squeeze-security/debian/patches/00list
Modified: branches/squeeze-security/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/squeeze-security/debian/changelog?rev=2203&op=diff
==============================================================================
--- branches/squeeze-security/debian/changelog (original)
+++ branches/squeeze-security/debian/changelog Sun Jun 19 23:58:35 2011
@@ -1,6 +1,8 @@
drupal6 (6.18-1lenny1) UNREALEASED; urgency=high
- *
+ * debian/patches/21_SA-CORE-2011-001
+ - Included upsteam security fix for XSS in color module
+ (Ref: SA-CORE-2011-001, CVE: TBA)(Closes: #628896)
-- Luigi Gangitano <luigi at debian.org> Mon, 20 Jun 2011 01:39:05 +0200
Modified: branches/squeeze-security/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/squeeze-security/debian/patches/00list?rev=2203&op=diff
==============================================================================
--- branches/squeeze-security/debian/patches/00list (original)
+++ branches/squeeze-security/debian/patches/00list Sun Jun 19 23:58:35 2011
@@ -1,2 +1,3 @@
10_cronjob
20_drupal_core_updates
+21_SA-CORE-2011-001
Added: branches/squeeze-security/debian/patches/21_SA-CORE-2011-001.dpatch
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/squeeze-security/debian/patches/21_SA-CORE-2011-001.dpatch?rev=2203&op=file
==============================================================================
--- branches/squeeze-security/debian/patches/21_SA-CORE-2011-001.dpatch (added)
+++ branches/squeeze-security/debian/patches/21_SA-CORE-2011-001.dpatch Sun Jun 19 23:58:35 2011
@@ -1,0 +1,73 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 21_SA-CORE-2011-001.dpatch by Luigi Gangitano <luigi at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Upsteam security patch fixing XSS in color module
+
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' squeeze~/includes/common.inc squeeze/includes/common.inc
+--- squeeze~/includes/common.inc 2011-06-20 01:48:42.000000000 +0200
++++ squeeze/includes/common.inc 2011-06-20 01:49:20.000000000 +0200
+@@ -653,7 +653,7 @@
+ }
+ }
+
+- $entry = $types[$errno] .': '. $message .' in '. $filename .' on line '. $line .'.';
++ $entry = check_plain($types[$errno]) .': '. filter_xss($message) .' in '. check_plain($filename) .' on line '. check_plain($line) .'.';
+
+ // Force display of error messages in update.php.
+ if (variable_get('error_level', 1) == 1 || strstr($_SERVER['SCRIPT_NAME'], 'update.php')) {
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' squeeze~/modules/color/color.install squeeze/modules/color/color.install
+--- squeeze~/modules/color/color.install 2011-06-20 01:36:25.000000000 +0200
++++ squeeze/modules/color/color.install 2011-06-20 01:50:16.000000000 +0200
+@@ -33,3 +33,20 @@
+
+ return $requirements;
+ }
++
++/**
++ * Warn site administrator if unsafe CSS color codes are found in the database.
++ */
++function color_update_6001() {
++ $ret = array();
++ $result = db_query("SELECT name FROM {variable} WHERE name LIKE 'color_%_palette'");
++ while ($variable = db_fetch_array($result)) {
++ $palette = variable_get($variable['name'], array());
++ foreach ($palette as $key => $color) {
++ if (!preg_match('/^#([a-f0-9]{3}){1,2}$/iD', $color)) {
++ drupal_set_message('Some of the custom CSS color codes specified via the color module are invalid. Please examine the themes which are making use of the color module at the <a href="'. url('admin/appearance/settings') .'">Appearance settings</a> page to verify their CSS color values.', 'warning');
++ }
++ }
++ }
++ return $ret;
++}
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' squeeze~/modules/color/color.module squeeze/modules/color/color.module
+--- squeeze~/modules/color/color.module 2011-06-20 01:36:25.000000000 +0200
++++ squeeze/modules/color/color.module 2011-06-20 01:50:44.000000000 +0200
+@@ -46,6 +46,7 @@
+ '#theme' => 'color_scheme_form',
+ );
+ $form['color'] += color_scheme_form($form_state, arg(4));
++ $form['#validate'][] = 'color_scheme_form_validate';
+ $form['#submit'][] = 'color_scheme_form_submit';
+ }
+ }
+@@ -237,6 +238,18 @@
+ }
+
+ /**
++ * Validation handler for color change form.
++ */
++function color_scheme_form_validate($form, &$form_state) {
++ // Only accept hexadecimal CSS color strings to avoid XSS upon use.
++ foreach ($form_state['values']['palette'] as $key => $color) {
++ if (!preg_match('/^#([a-f0-9]{3}){1,2}$/iD', $color)) {
++ form_set_error('palette][' . $key, t('%name must be a valid hexadecimal CSS color value.', array('%name' => $form['color']['palette'][$key]['#title'])));
++ }
++ }
++}
++
++/**
+ * Submit handler for color change form.
+ */
+ function color_scheme_form_submit($form, &$form_state) {
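Review bot: In color_update_6001 the warning is raised inside the inner `foreach`, so every invalid palette entry appends another copy of the identical message; since the text is generic, pass the repeat flag to collapse duplicates, e.g. `drupal_set_message('...', 'warning', FALSE);`, or break out of both loops after the first hit. The link target `url('admin/appearance/settings')` with the label "Appearance settings" looks like the Drupal 7 theme-settings path, while this package is drupal6 where theme settings live under admin/build/themes — verify the path against this tree, otherwise the warning sends the administrator to a non-existent page. Note also that the patch only validates new submissions in color_scheme_form_validate and warns about existing values; nothing here rewrites stored palettes, so a previously stored unsafe value stays in effect until an administrator resaves the scheme. The color.module hunk ends on the signature of color_scheme_form_submit, whose body continues outside the hunk.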
Propchange: branches/squeeze-security/debian/patches/21_SA-CORE-2011-001.dpatch
------------------------------------------------------------------------------
svn:executable = *