[Pkg-drupal-commits] r2203 - in /branches/squeeze-security/debian: changelog patches/00list patches/21_SA-CORE-2011-001.dpatch

luigi at users.alioth.debian.org luigi at users.alioth.debian.org
Sun Jun 19 23:58:35 UTC 2011


Author: luigi
Date: Sun Jun 19 23:58:35 2011
New Revision: 2203

URL: http://svn.debian.org/wsvn/pkg-drupal/?sc=1&rev=2203
Log:
Included upstream security fix for XSS in color module (Ref: SA-CORE-2011-001, CVE: TBA)(Closes: #628896)

Added:
    branches/squeeze-security/debian/patches/21_SA-CORE-2011-001.dpatch   (with props)
Modified:
    branches/squeeze-security/debian/changelog
    branches/squeeze-security/debian/patches/00list

Modified: branches/squeeze-security/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/squeeze-security/debian/changelog?rev=2203&op=diff
==============================================================================
--- branches/squeeze-security/debian/changelog (original)
+++ branches/squeeze-security/debian/changelog Sun Jun 19 23:58:35 2011
@@ -1,6 +1,8 @@
 drupal6 (6.18-1lenny1) UNREALEASED; urgency=high
 
-  * 
+  * debian/patches/21_SA-CORE-2011-001
+    - Included upsteam security fix for XSS in color module
+      (Ref: SA-CORE-2011-001, CVE: TBA)(Closes: #628896)
 
  -- Luigi Gangitano <luigi at debian.org>  Mon, 20 Jun 2011 01:39:05 +0200
 

Modified: branches/squeeze-security/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/squeeze-security/debian/patches/00list?rev=2203&op=diff
==============================================================================
--- branches/squeeze-security/debian/patches/00list (original)
+++ branches/squeeze-security/debian/patches/00list Sun Jun 19 23:58:35 2011
@@ -1,2 +1,3 @@
 10_cronjob
 20_drupal_core_updates
+21_SA-CORE-2011-001

Added: branches/squeeze-security/debian/patches/21_SA-CORE-2011-001.dpatch
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/squeeze-security/debian/patches/21_SA-CORE-2011-001.dpatch?rev=2203&op=file
==============================================================================
--- branches/squeeze-security/debian/patches/21_SA-CORE-2011-001.dpatch (added)
+++ branches/squeeze-security/debian/patches/21_SA-CORE-2011-001.dpatch Sun Jun 19 23:58:35 2011
@@ -1,0 +1,73 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 21_SA-CORE-2011-001.dpatch by Luigi Gangitano <luigi at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Upsteam security patch fixing XSS in color module
+
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' squeeze~/includes/common.inc squeeze/includes/common.inc
+--- squeeze~/includes/common.inc	2011-06-20 01:48:42.000000000 +0200
++++ squeeze/includes/common.inc	2011-06-20 01:49:20.000000000 +0200
+@@ -653,7 +653,7 @@
+       }
+     }
+ 
+-    $entry = $types[$errno] .': '. $message .' in '. $filename .' on line '. $line .'.';
++    $entry = check_plain($types[$errno]) .': '. filter_xss($message) .' in '. check_plain($filename) .' on line '. check_plain($line) .'.';
+ 
+     // Force display of error messages in update.php.
+     if (variable_get('error_level', 1) == 1 || strstr($_SERVER['SCRIPT_NAME'], 'update.php')) {
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' squeeze~/modules/color/color.install squeeze/modules/color/color.install
+--- squeeze~/modules/color/color.install	2011-06-20 01:36:25.000000000 +0200
++++ squeeze/modules/color/color.install	2011-06-20 01:50:16.000000000 +0200
+@@ -33,3 +33,20 @@
+ 
+   return $requirements;
+ }
++
++/**
++ * Warn site administrator if unsafe CSS color codes are found in the database.
++ */
++function color_update_6001() {
++  $ret = array();
++  $result = db_query("SELECT name FROM {variable} WHERE name LIKE 'color_%_palette'");
++  while ($variable = db_fetch_array($result)) {
++    $palette = variable_get($variable['name'], array());
++    foreach ($palette as $key => $color) {
++      if (!preg_match('/^#([a-f0-9]{3}){1,2}$/iD', $color)) {
++        drupal_set_message('Some of the custom CSS color codes specified via the color module are invalid. Please examine the themes which are making use of the color module at the <a href="'. url('admin/appearance/settings') .'">Appearance settings</a> page to verify their CSS color values.', 'warning');
++      }
++    }
++  }
++  return $ret;
++}
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' squeeze~/modules/color/color.module squeeze/modules/color/color.module
+--- squeeze~/modules/color/color.module	2011-06-20 01:36:25.000000000 +0200
++++ squeeze/modules/color/color.module	2011-06-20 01:50:44.000000000 +0200
+@@ -46,6 +46,7 @@
+         '#theme' => 'color_scheme_form',
+       );
+       $form['color'] += color_scheme_form($form_state, arg(4));
++      $form['#validate'][] = 'color_scheme_form_validate';
+       $form['#submit'][] = 'color_scheme_form_submit';
+     }
+   }
+@@ -237,6 +238,18 @@
+ }
+ 
+ /**
++ * Validation handler for color change form.
++ */
++function color_scheme_form_validate($form, &$form_state) {
++  // Only accept hexadecimal CSS color strings to avoid XSS upon use.
++  foreach ($form_state['values']['palette'] as $key => $color) {
++    if (!preg_match('/^#([a-f0-9]{3}){1,2}$/iD', $color)) {
++      form_set_error('palette][' . $key, t('%name must be a valid hexadecimal CSS color value.', array('%name' => $form['color']['palette'][$key]['#title'])));
++    }
++  }
++}
++
++/**
+  * Submit handler for color change form.
+  */
+ function color_scheme_form_submit($form, &$form_state) {
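Review bot: color_update_6001 in the color.install part of this dpatch only emits a warning when a stored palette entry fails the hex check; the offending value stays in the {variable} table and keeps being rendered into the generated stylesheet until an administrator re-saves that scheme, so the message is the entire remediation for values saved before the fix, and the update hook's docblock should say so. The warning is also queued once per invalid color rather than once per palette, since drupal_set_message is called inside the inner loop while $ret is returned empty; unless drupal_set_message deduplicates, a `break 2;` after the call, or setting a flag and messaging once after the loops, would avoid a burst of identical warnings. The link target `admin/appearance/settings` looks like a Drupal 7 path; on Drupal 6 theme settings live under `admin/build/themes`, which is worth confirming against the upstream 6.x patch before shipping. The new color_scheme_form_validate in color.module covers fresh submissions, so the gap is limited to pre-existing stored values.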

Propchange: branches/squeeze-security/debian/patches/21_SA-CORE-2011-001.dpatch
------------------------------------------------------------------------------
    svn:executable = *



