[Pkg-drupal-commits] r2278 - in /branches/drupal7/debian: changelog patches/40_SA-CORE-2012-003 patches/series

luigi at users.alioth.debian.org luigi at users.alioth.debian.org
Wed Dec 5 19:45:52 UTC 2012


Author: luigi
Date: Wed Dec  5 19:45:51 2012
New Revision: 2278

URL: http://svn.debian.org/wsvn/pkg-drupal/?sc=1&rev=2278
Log:
Integrated NMU

Added:
    branches/drupal7/debian/patches/40_SA-CORE-2012-003
Modified:
    branches/drupal7/debian/changelog
    branches/drupal7/debian/patches/series

Modified: branches/drupal7/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal7/debian/changelog?rev=2278&op=diff
==============================================================================
--- branches/drupal7/debian/changelog (original)
+++ branches/drupal7/debian/changelog Wed Dec  5 19:45:51 2012
@@ -1,3 +1,11 @@
+drupal7 (7.14-1.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Incorporated the fix for SA-CORE-2012-003 (the full diff between
+    7.15 and 7.16)
+
+ -- Gunnar Wolf <gwolf at debian.org>  Fri, 19 Oct 2012 13:08:29 -0500
+
 drupal7 (7.14-1) unstable; urgency=high
 
   [ Luigi Gangitano ]

Added: branches/drupal7/debian/patches/40_SA-CORE-2012-003
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal7/debian/patches/40_SA-CORE-2012-003?rev=2278&op=file
==============================================================================
--- branches/drupal7/debian/patches/40_SA-CORE-2012-003 (added)
+++ branches/drupal7/debian/patches/40_SA-CORE-2012-003 Wed Dec  5 19:45:51 2012
@@ -1,0 +1,121 @@
+Origin: backport (diff between 7.15 and 7.16)
+Forwarded: not-needed
+From: Gunnar Wolf <gwolf at debian.org>
+Last-Update: 2012-10-19
+Applied-Upstream: Yes
+Description: Fixes SA-CORE-2012-003 (arbitrary PHP code execution and information disclosure)
+ This patch is taken from the diff between 7.15 and 7.16, applying it
+ to the currently frozen version (7.14). For further details, the
+ release notes are in:
+ .
+ http://drupal.org/node/1815912
+
+Index: drupal7-7.14/includes/install.core.inc
+===================================================================
+--- drupal7-7.14.orig/includes/install.core.inc	2012-10-19 13:13:30.000000000 -0500
++++ drupal7-7.14/includes/install.core.inc	2012-10-19 13:15:18.000000000 -0500
+@@ -295,12 +295,11 @@
+   else {
+     $task = NULL;
+ 
+-    // Since previous versions of Drupal stored database connection information
+-    // in the 'db_url' variable, we should never let an installation proceed if
+-    // this variable is defined and the settings file was not verified above
+-    // (otherwise we risk installing over an existing site whose settings file
+-    // has not yet been updated).
+-    if (!empty($GLOBALS['db_url'])) {
++    // Do not install over a configured settings.php. Check the 'db_url'
++    // variable in addition to 'databases', since previous versions of Drupal
++    // used that (and we do not want to allow installations on an existing site
++    // whose settings file has not yet been updated).
++    if (!empty($GLOBALS['databases']) || !empty($GLOBALS['db_url'])) {
+       throw new Exception(install_already_done_error());
+     }
+   }
+Index: drupal7-7.14/modules/openid/openid.inc
+===================================================================
+--- drupal7-7.14.orig/modules/openid/openid.inc	2012-10-19 13:13:30.000000000 -0500
++++ drupal7-7.14/modules/openid/openid.inc	2012-10-19 13:15:18.000000000 -0500
+@@ -138,8 +138,28 @@
+  */
+ function _openid_xrds_parse($raw_xml) {
+   $services = array();
+-  try {
+-    $xml = @new SimpleXMLElement($raw_xml);
++
++  // For PHP version >= 5.2.11, we can use this function to protect against
++  // malicious doctype declarations and other unexpected entity loading.
++  // However, we will not rely on it, and reject any XML with a DOCTYPE.
++  $disable_entity_loader = function_exists('libxml_disable_entity_loader');
++  if ($disable_entity_loader) {
++    $load_entities = libxml_disable_entity_loader(TRUE);
++  }
++
++  // Load the XML into a DOM document.
++  $dom = new DOMDocument();
++  @$dom->loadXML($raw_xml);
++
++  // Since DOCTYPE declarations from an untrusted source could be malicious, we
++  // stop parsing here and treat the XML as invalid since XRDS documents do not
++  // require, and are not expected to have, a DOCTYPE.
++  if (isset($dom->doctype)) {
++    return array();
++  }
++
++  // Parse the DOM document for the information we need.
++  if ($xml = simplexml_import_dom($dom)) {
+     foreach ($xml->children(OPENID_NS_XRD)->XRD as $xrd) {
+       foreach ($xrd->children(OPENID_NS_XRD)->Service as $service_element) {
+         $service = array(
+@@ -165,9 +185,12 @@
+       }
+     }
+   }
+-  catch (Exception $e) {
+-    // Invalid XML.
++
++  // Return the LIBXML options to the previous state before returning.
++  if ($disable_entity_loader) {
++    libxml_disable_entity_loader($load_entities);
+   }
++
+   return $services;
+ }
+ 
+Index: drupal7-7.14/modules/openid/openid.test
+===================================================================
+--- drupal7-7.14.orig/modules/openid/openid.test	2012-10-19 13:13:30.000000000 -0500
++++ drupal7-7.14/modules/openid/openid.test	2012-10-19 13:15:18.000000000 -0500
+@@ -180,6 +180,15 @@
+ 
+     // Verify user was redirected away from user/login to an accessible page.
+     $this->assertResponse(200);
++
++    $this->drupalLogout();
++    // Use a User-supplied Identity that is the URL of an XRDS document.
++    // Tell the test module to add a doctype. This should fail.
++    $identity = url('openid-test/yadis/xrds', array('absolute' => TRUE, 'query' => array('doctype' => 1)));
++    // Test logging in via the login block on the front page.
++    $edit = array('openid_identifier' => $identity);
++    $this->drupalPost('', $edit, t('Log in'));
++    $this->assertRaw(t('Sorry, that is not a valid OpenID. Ensure you have spelled your ID correctly.'), 'XML with DOCTYPE was rejected.');
+   }
+ 
+   /**
+Index: drupal7-7.14/modules/openid/tests/openid_test.module
+===================================================================
+--- drupal7-7.14.orig/modules/openid/tests/openid_test.module	2012-10-19 13:13:30.000000000 -0500
++++ drupal7-7.14/modules/openid/tests/openid_test.module	2012-10-19 13:15:18.000000000 -0500
+@@ -109,7 +109,11 @@
+       }
+     }
+     drupal_add_http_header('Content-Type', 'application/xrds+xml');
+-    print '<?xml version="1.0" encoding="UTF-8"?>
++    print '<?xml version="1.0" encoding="UTF-8"?>';
++    if (!empty($_GET['doctype'])) {
++      print "\n<!DOCTYPE dct [ <!ELEMENT blue (#PCDATA)> ]>\n";
++    }
++    print '
+       <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)" xmlns:openid="http://openid.net/xmlns/1.0">
+         <XRD>
+           <Status cid="' . check_plain(variable_get('openid_test_canonical_id_status', 'verified')) . '"/>
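Review bot: The early `return array();` in the DOCTYPE branch of `_openid_xrds_parse` (`if (isset($dom->doctype))`) runs before the restore block at the end of the function, so whenever a document is rejected, `libxml_disable_entity_loader(TRUE)` is left in effect for the remainder of the request, and likely for later requests handled by the same persistent PHP worker, since that libxml setting is process-wide. Any other code that later parses XML legitimately needing a DTD or external entity would then silently fail in that worker. Because the loader setting only matters while `loadXML()` executes, the restore block `if ($disable_entity_loader) { libxml_disable_entity_loader($load_entities); }` can be moved to directly after `@$dom->loadXML($raw_xml);`, which covers both the DOCTYPE rejection path and the normal path with one copy. While there, the `@`-suppressed `loadXML()` result is never checked; `if (!@$dom->loadXML($raw_xml)) { return array(); }` (placed after the restore) would route malformed input through the same rejection path instead of handing an empty DOMDocument to `simplexml_import_dom()`. The function's signature is in the first inner hunk of this file and its closing brace and the restore block are in the second, so the two halves of the issue are not visible in one hunk.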

Modified: branches/drupal7/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal7/debian/patches/series?rev=2278&op=diff
==============================================================================
--- branches/drupal7/debian/patches/series (original)
+++ branches/drupal7/debian/patches/series Wed Dec  5 19:45:51 2012
@@ -1,2 +1,3 @@
 10_cronjob.patch
 30_DFSG-sources.patch
+40_SA-CORE-2012-003



