[Pkg-drupal-commits] r2278 - in /branches/drupal7/debian: changelog patches/40_SA-CORE-2012-003 patches/series
luigi at users.alioth.debian.org
Wed Dec 5 19:45:52 UTC 2012
Author: luigi
Date: Wed Dec 5 19:45:51 2012
New Revision: 2278
URL: http://svn.debian.org/wsvn/pkg-drupal/?sc=1&rev=2278
Log:
Integrated NMU
Added:
branches/drupal7/debian/patches/40_SA-CORE-2012-003
Modified:
branches/drupal7/debian/changelog
branches/drupal7/debian/patches/series
Modified: branches/drupal7/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal7/debian/changelog?rev=2278&op=diff
==============================================================================
--- branches/drupal7/debian/changelog (original)
+++ branches/drupal7/debian/changelog Wed Dec 5 19:45:51 2012
@@ -1,3 +1,11 @@
+drupal7 (7.14-1.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Incorporated the fix for SA-CORE-2012-003 (the full diff between
+ 7.15 and 7.16)
+
+ -- Gunnar Wolf <gwolf at debian.org> Fri, 19 Oct 2012 13:08:29 -0500
+
drupal7 (7.14-1) unstable; urgency=high
[ Luigi Gangitano ]
Added: branches/drupal7/debian/patches/40_SA-CORE-2012-003
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal7/debian/patches/40_SA-CORE-2012-003?rev=2278&op=file
==============================================================================
--- branches/drupal7/debian/patches/40_SA-CORE-2012-003 (added)
+++ branches/drupal7/debian/patches/40_SA-CORE-2012-003 Wed Dec 5 19:45:51 2012
@@ -1,0 +1,121 @@
+Origin: backport (diff between 7.15 and 7.16)
+Forwarded: not-needed
+From: Gunnar Wolf <gwolf at debian.org>
+Last-Update: 2012-10-19
+Applied-Upstream: Yes
+Description: Fixes SA-CORE-2012-003 (arbitrary PHP code execution and information disclosure)
+ This patch is taken from the diff between 7.15 and 7.16, applying it
+ to the currently frozen version (7.14). For further details, the
+ release notes are in:
+ .
+ http://drupal.org/node/1815912
+
+Index: drupal7-7.14/includes/install.core.inc
+===================================================================
+--- drupal7-7.14.orig/includes/install.core.inc 2012-10-19 13:13:30.000000000 -0500
++++ drupal7-7.14/includes/install.core.inc 2012-10-19 13:15:18.000000000 -0500
+@@ -295,12 +295,11 @@
+ else {
+ $task = NULL;
+
+- // Since previous versions of Drupal stored database connection information
+- // in the 'db_url' variable, we should never let an installation proceed if
+- // this variable is defined and the settings file was not verified above
+- // (otherwise we risk installing over an existing site whose settings file
+- // has not yet been updated).
+- if (!empty($GLOBALS['db_url'])) {
++ // Do not install over a configured settings.php. Check the 'db_url'
++ // variable in addition to 'databases', since previous versions of Drupal
++ // used that (and we do not want to allow installations on an existing site
++ // whose settings file has not yet been updated).
++ if (!empty($GLOBALS['databases']) || !empty($GLOBALS['db_url'])) {
+ throw new Exception(install_already_done_error());
+ }
+ }
+Index: drupal7-7.14/modules/openid/openid.inc
+===================================================================
+--- drupal7-7.14.orig/modules/openid/openid.inc 2012-10-19 13:13:30.000000000 -0500
++++ drupal7-7.14/modules/openid/openid.inc 2012-10-19 13:15:18.000000000 -0500
+@@ -138,8 +138,28 @@
+ */
+ function _openid_xrds_parse($raw_xml) {
+ $services = array();
+- try {
+- $xml = @new SimpleXMLElement($raw_xml);
++
++ // For PHP version >= 5.2.11, we can use this function to protect against
++ // malicious doctype declarations and other unexpected entity loading.
++ // However, we will not rely on it, and reject any XML with a DOCTYPE.
++ $disable_entity_loader = function_exists('libxml_disable_entity_loader');
++ if ($disable_entity_loader) {
++ $load_entities = libxml_disable_entity_loader(TRUE);
++ }
++
++ // Load the XML into a DOM document.
++ $dom = new DOMDocument();
++ @$dom->loadXML($raw_xml);
++
++ // Since DOCTYPE declarations from an untrusted source could be malicious, we
++ // stop parsing here and treat the XML as invalid since XRDS documents do not
++ // require, and are not expected to have, a DOCTYPE.
++ if (isset($dom->doctype)) {
++ return array();
++ }
++
++ // Parse the DOM document for the information we need.
++ if ($xml = simplexml_import_dom($dom)) {
+ foreach ($xml->children(OPENID_NS_XRD)->XRD as $xrd) {
+ foreach ($xrd->children(OPENID_NS_XRD)->Service as $service_element) {
+ $service = array(
+@@ -165,9 +185,12 @@
+ }
+ }
+ }
+- catch (Exception $e) {
+- // Invalid XML.
++
++ // Return the LIBXML options to the previous state before returning.
++ if ($disable_entity_loader) {
++ libxml_disable_entity_loader($load_entities);
+ }
++
+ return $services;
+ }
+
+Index: drupal7-7.14/modules/openid/openid.test
+===================================================================
+--- drupal7-7.14.orig/modules/openid/openid.test 2012-10-19 13:13:30.000000000 -0500
++++ drupal7-7.14/modules/openid/openid.test 2012-10-19 13:15:18.000000000 -0500
+@@ -180,6 +180,15 @@
+
+ // Verify user was redirected away from user/login to an accessible page.
+ $this->assertResponse(200);
++
++ $this->drupalLogout();
++ // Use a User-supplied Identity that is the URL of an XRDS document.
++ // Tell the test module to add a doctype. This should fail.
++ $identity = url('openid-test/yadis/xrds', array('absolute' => TRUE, 'query' => array('doctype' => 1)));
++ // Test logging in via the login block on the front page.
++ $edit = array('openid_identifier' => $identity);
++ $this->drupalPost('', $edit, t('Log in'));
++ $this->assertRaw(t('Sorry, that is not a valid OpenID. Ensure you have spelled your ID correctly.'), 'XML with DOCTYPE was rejected.');
+ }
+
+ /**
+Index: drupal7-7.14/modules/openid/tests/openid_test.module
+===================================================================
+--- drupal7-7.14.orig/modules/openid/tests/openid_test.module 2012-10-19 13:13:30.000000000 -0500
++++ drupal7-7.14/modules/openid/tests/openid_test.module 2012-10-19 13:15:18.000000000 -0500
+@@ -109,7 +109,11 @@
+ }
+ }
+ drupal_add_http_header('Content-Type', 'application/xrds+xml');
+- print '<?xml version="1.0" encoding="UTF-8"?>
++ print '<?xml version="1.0" encoding="UTF-8"?>';
++ if (!empty($_GET['doctype'])) {
++ print "\n<!DOCTYPE dct [ <!ELEMENT blue (#PCDATA)> ]>\n";
++ }
++ print '
+ <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)" xmlns:openid="http://openid.net/xmlns/1.0">
+ <XRD>
+ <Status cid="' . check_plain(variable_get('openid_test_canonical_id_status', 'verified')) . '"/>
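Review bot: In `_openid_xrds_parse` the DOCTYPE early return (`if (isset($dom->doctype)) { return array(); }`) skips the restore of the libxml entity-loader state that the function performs only at its normal exit, so after a rejected XRDS document `libxml_disable_entity_loader(TRUE)` stays in effect for the rest of the request and any later XML loading in the same process that depends on external entities behaves differently. The defence itself is sound — rejecting any DOCTYPE is the stronger check — but the restore should run on every path, e.g. `if (isset($dom->doctype)) { if ($disable_entity_loader) { libxml_disable_entity_loader($load_entities); } return array(); }`. The middle of the function (the per-service parsing between the two nested hunks) is not shown here, and the `@`-suppressed `loadXML()` result is not checked before `simplexml_import_dom()`, so a malformed document relies on that call returning a falsy value; a comment noting that reliance would help the next reader. The test change in openid.test and the doctype hook in openid_test.module look consistent with the new behaviour.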
Modified: branches/drupal7/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal7/debian/patches/series?rev=2278&op=diff
==============================================================================
--- branches/drupal7/debian/patches/series (original)
+++ branches/drupal7/debian/patches/series Wed Dec 5 19:45:51 2012
@@ -1,2 +1,3 @@
10_cronjob.patch
30_DFSG-sources.patch
+40_SA-CORE-2012-003