[Pkg-drupal-commits] r2280 - in /branches/drupal7/debian: changelog patches/50_SA-CORE-2012-004 patches/60_SA-CORE-2013-001 patches/series
luigi at users.alioth.debian.org
luigi at users.alioth.debian.org
Sat Feb 23 13:35:36 UTC 2013
Author: luigi
Date: Sat Feb 23 13:35:36 2013
New Revision: 2280
URL: http://svn.debian.org/wsvn/pkg-drupal/?sc=1&rev=2280
Log:
Integrate NMU from Gunnar Wolf
Added:
branches/drupal7/debian/patches/60_SA-CORE-2013-001
Modified:
branches/drupal7/debian/changelog
branches/drupal7/debian/patches/50_SA-CORE-2012-004
branches/drupal7/debian/patches/series
Modified: branches/drupal7/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal7/debian/changelog?rev=2280&op=diff
==============================================================================
--- branches/drupal7/debian/changelog (original)
+++ branches/drupal7/debian/changelog Sat Feb 23 13:35:36 2013
@@ -1,3 +1,12 @@
+drupal7 (7.14-1.3) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Incorporated the fix for SA-CORE-2013-001 (the full diff between 7.18
+ and 7.19) (Closes: #698334)
+ * Added the missing DEP3 header to the patch introduced in 7.14-1.2
+
+ -- Gunnar Wolf <gwolf at debian.org> Tue, 29 Jan 2013 12:21:13 -0600
+
drupal7 (7.14-1.2) unstable; urgency=low
* Non-maintainer upload.
Modified: branches/drupal7/debian/patches/50_SA-CORE-2012-004
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal7/debian/patches/50_SA-CORE-2012-004?rev=2280&op=diff
==============================================================================
--- branches/drupal7/debian/patches/50_SA-CORE-2012-004 (original)
+++ branches/drupal7/debian/patches/50_SA-CORE-2012-004 Sat Feb 23 13:35:36 2013
@@ -1,3 +1,15 @@
+Origin: backport (diff between 7.18 and 7.19)
+Forwarded: not-needed
+From: Gunnar Wolf <gwolf at debian.org>
+Last-Update: 2013-01-11
+Applied-Upstream: Yes
+Description: Fixes SA_CORE-2012-004 (Access bypass, arbitrary code execution)
+ This patch is taken from the diff between 7.17 and 7.18, applying it
+ to the currently frozen version (7.14). For further details, the
+ advisory is in:
+ .
+ http://drupal.org/SA-CORE-2012-004
+
Index: drupal7-7.14/includes/file.inc
===================================================================
--- drupal7-7.14.orig/includes/file.inc 2012-05-02 17:10:42.000000000 -0500
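Review bot: The Origin line on the first added line disagrees with the Description a few lines below it: Origin says the patch is the diff between 7.18 and 7.19, while the Description says it was taken from the diff between 7.17 and 7.18, which is what a fix for SA-CORE-2012-004 shipped in 7.14-1.2 would be; the Origin line looks copied from the 60_SA-CORE-2013-001 header and should read `Origin: backport (diff between 7.17 and 7.18)`. The Description field also writes the advisory id with an underscore, `SA_CORE-2012-004`, while the file name and the URL in the same header use `SA-CORE-2012-004`; `Description: Fixes SA-CORE-2012-004 (Access bypass, arbitrary code execution)` keeps it greppable against the advisory. The same underscore appears in the Description of the new 60_SA-CORE-2013-001 header. The DEP3 header is complete in this hunk; the quilt patch body it precedes continues past the context lines.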
Added: branches/drupal7/debian/patches/60_SA-CORE-2013-001
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal7/debian/patches/60_SA-CORE-2013-001?rev=2280&op=file
==============================================================================
--- branches/drupal7/debian/patches/60_SA-CORE-2013-001 (added)
+++ branches/drupal7/debian/patches/60_SA-CORE-2013-001 Sat Feb 23 13:35:36 2013
@@ -1,0 +1,127 @@
+Origin: backport (diff between 7.18 and 7.19)
+Forwarded: not-needed
+From: Gunnar Wolf <gwolf at debian.org>
+Last-Update: 2013-01-29
+Applied-Upstream: Yes
+Description: Fixes SA_CORE-2013-001 (Cross-site scripting, Access bypass)
+ This patch is taken from the diff between 7.18 and 7.19, applying it
+ to the currently frozen version (7.14). For further details, the
+ advisory is in:
+ .
+ http://drupal.org/SA-CORE-2013-001
+
+Index: drupal7-7.14/misc/collapse.js
+===================================================================
+--- drupal7-7.14.orig/misc/collapse.js 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/misc/collapse.js 2013-01-29 12:15:58.000000000 -0600
+@@ -58,9 +58,9 @@
+ $('fieldset.collapsible', context).once('collapse', function () {
+ var $fieldset = $(this);
+ // Expand fieldset if there are errors inside, or if it contains an
+- // element that is targeted by the uri fragment identifier.
++ // element that is targeted by the uri fragment identifier.
+ var anchor = location.hash && location.hash != '#' ? ', ' + location.hash : '';
+- if ($('.error' + anchor, $fieldset).length) {
++ if ($fieldset.find('.error' + anchor).length) {
+ $fieldset.removeClass('collapsed');
+ }
+
+Index: drupal7-7.14/misc/drupal.js
+===================================================================
+--- drupal7-7.14.orig/misc/drupal.js 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/misc/drupal.js 2013-01-29 12:14:56.000000000 -0600
+@@ -7,6 +7,27 @@
+ (function ($) {
+
+ /**
++ * Override jQuery.fn.init to guard against XSS attacks.
++ *
++ * See http://bugs.jquery.com/ticket/9521
++ */
++var jquery_init = $.fn.init;
++$.fn.init = function (selector, context, rootjQuery) {
++ // If the string contains a "#" before a "<", treat it as invalid HTML.
++ if (selector && typeof selector === 'string') {
++ var hash_position = selector.indexOf('#');
++ if (hash_position >= 0) {
++ var bracket_position = selector.indexOf('<');
++ if (bracket_position > hash_position) {
++ throw 'Syntax error, unrecognized expression: ' + selector;
++ }
++ }
++ }
++ return jquery_init.call(this, selector, context, rootjQuery);
++};
++$.fn.init.prototype = jquery_init.prototype;
++
++/**
+ * Attach all registered behaviors to a page element.
+ *
+ * Behaviors are event-triggered actions that attach to page elements, enhancing
+Index: drupal7-7.14/misc/vertical-tabs.js
+===================================================================
+--- drupal7-7.14.orig/misc/vertical-tabs.js 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/misc/vertical-tabs.js 2013-01-29 12:14:56.000000000 -0600
+@@ -50,8 +50,8 @@
+ if (!tab_focus) {
+ // If the current URL has a fragment and one of the tabs contains an
+ // element that matches the URL fragment, activate that tab.
+- if (window.location.hash && $(window.location.hash, this).length) {
+- tab_focus = $(window.location.hash, this).closest('.vertical-tabs-pane');
++ if (window.location.hash && $(this).find(window.location.hash).length) {
++ tab_focus = $(this).find(window.location.hash).closest('.vertical-tabs-pane');
+ }
+ else {
+ tab_focus = $('> .vertical-tabs-pane:first', this);
+Index: drupal7-7.14/modules/book/book.pages.inc
+===================================================================
+--- drupal7-7.14.orig/modules/book/book.pages.inc 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/modules/book/book.pages.inc 2013-01-29 12:14:56.000000000 -0600
+@@ -38,6 +38,15 @@
+ * format determined by the $type parameter.
+ */
+ function book_export($type, $nid) {
++ // Check that the node exists and that the current user has access to it.
++ $node = node_load($nid);
++ if (!$node) {
++ return MENU_NOT_FOUND;
++ }
++ if (!node_access('view', $node)) {
++ return MENU_ACCESS_DENIED;
++ }
++
+ $type = drupal_strtolower($type);
+
+ $export_function = 'book_export_' . $type;
+Index: drupal7-7.14/modules/book/book.test
+===================================================================
+--- drupal7-7.14.orig/modules/book/book.test 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/modules/book/book.test 2013-01-29 12:14:56.000000000 -0600
+@@ -258,6 +258,13 @@
+ // Try getting the URL directly, and verify it fails.
+ $this->drupalGet('book/export/html/' . $this->book->nid);
+ $this->assertResponse('403', t('Anonymous user properly forbidden.'));
++
++ // Now grant anonymous users permission to view the printer-friendly
++ // version and verify that node access restrictions still prevent them from
++ // seeing it.
++ user_role_grant_permissions(DRUPAL_ANONYMOUS_RID, array('access printer-friendly version'));
++ $this->drupalGet('book/export/html/' . $this->book->nid);
++ $this->assertResponse('403', 'Anonymous user properly forbidden from seeing the printer-friendly version when denied by node access.');
+ }
+
+ /**
+Index: drupal7-7.14/modules/image/image.module
+===================================================================
+--- drupal7-7.14.orig/modules/image/image.module 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/modules/image/image.module 2013-01-29 12:14:56.000000000 -0600
+@@ -292,7 +292,8 @@
+ if ($info = image_get_info($uri)) {
+ // Check the permissions of the original to grant access to this image.
+ $headers = module_invoke_all('file_download', $original_uri);
+- if (!in_array(-1, $headers)) {
++ // Confirm there's at least one module granting access and none denying access.
++ if (!empty($headers) && !in_array(-1, $headers)) {
+ return array(
+ // Send headers describing the image's size, and MIME-type...
+ 'Content-Type' => $info['mime_type'],
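Review bot: The Description field of the new header names the two advisory classes but not that misc/drupal.js now replaces `$.fn.init` for the whole site, which is the one part of this backport that changes behaviour for every jQuery caller (a selector string containing `<` after a `#` now throws instead of being parsed as HTML); a site-wide consequence like that belongs in the DEP3 description, e.g. ` Note: misc/drupal.js wraps jQuery.fn.init; selectors with "<" after "#" now throw.` The guard throws a bare string rather than an Error object, so a catch block cannot test it with instanceof and no stack is recorded; that mirrors jQuery's own selector error format and upstream 7.19, so keeping parity is preferable to diverging in the Debian patch. The nested hunks for book_export() and the image.module access check are excerpts whose enclosing functions continue outside this patch.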
Modified: branches/drupal7/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal7/debian/patches/series?rev=2280&op=diff
==============================================================================
--- branches/drupal7/debian/patches/series (original)
+++ branches/drupal7/debian/patches/series Sat Feb 23 13:35:36 2013
@@ -2,3 +2,4 @@
30_DFSG-sources.patch
40_SA-CORE-2012-003
50_SA-CORE-2012-004
+60_SA-CORE-2013-001