[Pkg-drupal-commits] r2279 - in /branches/drupal7/debian: changelog patches/50_SA-CORE-2012-004 patches/series
luigi at users.alioth.debian.org
Sat Feb 23 13:34:40 UTC 2013
Author: luigi
Date: Sat Feb 23 13:34:39 2013
New Revision: 2279
URL: http://svn.debian.org/wsvn/pkg-drupal/?sc=1&rev=2279
Log:
Integrate NMU from Gunnar Wolf
Added:
branches/drupal7/debian/patches/50_SA-CORE-2012-004
Modified:
branches/drupal7/debian/changelog
branches/drupal7/debian/patches/series
Modified: branches/drupal7/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal7/debian/changelog?rev=2279&op=diff
==============================================================================
--- branches/drupal7/debian/changelog (original)
+++ branches/drupal7/debian/changelog Sat Feb 23 13:34:39 2013
@@ -1,3 +1,11 @@
+drupal7 (7.14-1.2) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Incorporated the fix for SA-CORE-2012-004 (the full diff between
+ 7.17 and 7.18)
+
+ -- Gunnar Wolf <gwolf at debian.org> Fri, 11 Jan 2013 17:57:47 -0600
+
drupal7 (7.14-1.1) unstable; urgency=low
* Non-maintainer upload.
Added: branches/drupal7/debian/patches/50_SA-CORE-2012-004
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal7/debian/patches/50_SA-CORE-2012-004?rev=2279&op=file
==============================================================================
--- branches/drupal7/debian/patches/50_SA-CORE-2012-004 (added)
+++ branches/drupal7/debian/patches/50_SA-CORE-2012-004 Sat Feb 23 13:34:39 2013
@@ -1,0 +1,83 @@
+Index: drupal7-7.14/includes/file.inc
+===================================================================
+--- drupal7-7.14.orig/includes/file.inc 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/includes/file.inc 2013-01-11 17:49:01.000000000 -0600
+@@ -1113,6 +1113,9 @@
+
+ // Allow potentially insecure uploads for very savvy users and admin
+ if (!variable_get('allow_insecure_uploads', 0)) {
++ // Remove any null bytes. See http://php.net/manual/en/security.filesystem.nullbytes.php
++ $filename = str_replace(chr(0), '', $filename);
++
+ $whitelist = array_unique(explode(' ', trim($extensions)));
+
+ // Split the filename up by periods. The first part becomes the basename
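Review bot: The null-byte stripping added at the top of the whitelist branch runs only when `allow_insecure_uploads` is unset, so a filename containing `chr(0)` leaves file_munge_name untouched on sites that enable that variable; the function's opening and its return are outside the hunk, so nothing visible here strips it on that path. If that is intended (the existing comment frames the variable as an opt-in for savvy admins), the new comment should say so, e.g. `// Null bytes are only stripped on the whitelisted path; allow_insecure_uploads returns the raw name.`; if not, hoist `$filename = str_replace(chr(0), '', $filename);` above the `if` so both paths see a clean name. Either way, a one-line comment recording that this is the SA-CORE-2012-004 change would help whoever rebases this Debian patch next.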
+Index: drupal7-7.14/modules/user/user.test
+===================================================================
+--- drupal7-7.14.orig/modules/user/user.test 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/modules/user/user.test 2013-01-11 17:50:51.000000000 -0600
+@@ -2020,7 +2020,7 @@
+ public static function getInfo() {
+ return array(
+ 'name' => 'User search',
+- 'description' => 'Testing that only user with the right permission can see the email address in the user search.',
++ 'description' => 'Tests the user search page and verifies that sensitive information is hidden from unauthorized users.',
+ 'group' => 'User',
+ );
+ }
+@@ -2040,11 +2040,29 @@
+ $edit = array('keys' => $keys);
+ $this->drupalPost('search/user/', $edit, t('Search'));
+ $this->assertText($keys);
++
++ // Create a blocked user.
++ $blocked_user = $this->drupalCreateUser();
++ $edit = array('status' => 0);
++ $blocked_user = user_save($blocked_user, $edit);
++
++ // Verify that users with "administer users" permissions can see blocked
++ // accounts in search results.
++ $edit = array('keys' => $blocked_user->name);
++ $this->drupalPost('search/user/', $edit, t('Search'));
++ $this->assertText($blocked_user->name, 'Blocked users are listed on the user search results for users with the "administer users" permission.');
++
++ // Verify that users without "administer users" permissions do not see
++ // blocked accounts in search results.
++ $this->drupalLogin($user1);
++ $edit = array('keys' => $blocked_user->name);
++ $this->drupalPost('search/user/', $edit, t('Search'));
++ $this->assertNoText($blocked_user->name, 'Blocked users are hidden from the user search results.');
++
+ $this->drupalLogout();
+ }
+ }
+
+-
+ /**
+ * Test role assignment.
+ */
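Review bot: The negative check closing the new block, `$this->assertNoText($blocked_user->name, ...)`, also passes if the search page returned an access-denied or empty response for `$user1`, so on its own it does not prove the status filter is what hid the account. Add a positive assertion on the same response, e.g. `$this->assertResponse(200);`, followed by a check for the no-results heading the search page renders (presumably `$this->assertText(t('Your search yielded no results'));`), so a broken search page cannot mask a regression. `$user1` and the administrator login the earlier part of the test relies on are created outside the hunk, so whether `$user1` lacks 'administer users' cannot be confirmed from here.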
+Index: drupal7-7.14/modules/user/user.module
+===================================================================
+--- drupal7-7.14.orig/modules/user/user.module 2013-01-11 17:56:26.000000000 -0600
++++ drupal7-7.14/modules/user/user.module 2013-01-11 17:56:39.000000000 -0600
+@@ -924,14 +924,18 @@
+ $query = db_select('users')->extend('PagerDefault');
+ $query->fields('users', array('uid'));
+ if (user_access('administer users')) {
+- // Administrators can also search in the otherwise private email field.
++ // Administrators can also search in the otherwise private email field,
++ // and they don't need to be restricted to only active users.
+ $query->fields('users', array('mail'));
+ $query->condition(db_or()->
+ condition('name', '%' . db_like($keys) . '%', 'LIKE')->
+ condition('mail', '%' . db_like($keys) . '%', 'LIKE'));
+ }
+ else {
+- $query->condition('name', '%' . db_like($keys) . '%', 'LIKE');
++ // Regular users can only search via usernames, and we do not show them
++ // blocked accounts.
++ $query->condition('name', '%' . db_like($keys) . '%', 'LIKE')
++ ->condition('status', 1);
+ }
+ $uids = $query
+ ->limit(15)
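Review bot: The added patch file carries no DEP-3 header: it begins directly with `Index: drupal7-7.14/includes/file.inc` and records nowhere what it fixes, where it came from, or whether it is applied upstream, which is exactly what a security patch in debian/patches needs when the next maintainer rebases it. Add a header before the first `Index:` line with a Description naming the two issues this hunk set addresses (null bytes in file_munge_name, blocked accounts in non-administrator user search), an Origin pointing at the upstream 7.17 to 7.18 diff the changelog cites, a Bug field for SA-CORE-2012-004, and Applied-Upstream: 7.18. The user.module hunk itself reads correctly — regular users are now confined to `status = 1` while the administer-users branch is deliberately left unrestricted — but the enclosing function starts and ends outside the hunk, so how the selected `mail` field is rendered for administrators is not reviewed here.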
Modified: branches/drupal7/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal7/debian/patches/series?rev=2279&op=diff
==============================================================================
--- branches/drupal7/debian/patches/series (original)
+++ branches/drupal7/debian/patches/series Sat Feb 23 13:34:39 2013
@@ -1,3 +1,4 @@
10_cronjob.patch
30_DFSG-sources.patch
40_SA-CORE-2012-003
+50_SA-CORE-2012-004