1539976194: Proposed release for 7.x-1.15.4 (#70)

* SA-CORE-2018-002 by Jasu_M, samuel.mortenson, David_Rothstein, xjm, mlhess, larowlan, pwolanin, alexpott, dsnopek, Pere Orga, cashwilliams, dawehner, tim.plunkett, drumm

* Drupal 7.58

* SA-CORE-2018-004 by alexpott, Heine, larowlan, David_Rothstein, xjm, Pere Orga, mlhess, tim.plunkett, Jasu_M, quicksketch, cashwilliams, samuel.mortenson, pwolanin, drumm, dawehner

* Drupal 7.59

* Update to http://git.drupal.org/project/drupal.git 7.59.

* Update to Drupal 7.59. For more information, see https://www.drupal.org/project/drupal/releases/7.59

* Update to PHP 7.1. For details see https://pantheon.io/blog/speed-your-site-php-72/

* Updated db.check.php healthcheck to be PHP7-compatible.

* SA-CORE-2018-006 by alexpott, attilatilman, bkosborne, catch, bonus, Wim Leers, Sam152, Berdir, Damien Tournoud, Dave Reid, Kova101, David_Rothstein, dawehner, dsnopek, samuel.mortenson, stefan.r, tedbow, xjm, timmillwood, pwolanin, njbooher, dyates, effulgentsia, klausi, mlhess, larowlan

* Drupal 7.60

* Update to Drupal 7.60. For more information, see https://www.drupal.org/project/drupal/releases/7.60.

* 7.x-1.15.4 release

CHANGELOG.txt

@@ -1,3 +1,14 @@
+Drupal 7.60, 2018-10-18
+------------------------
+- Fixed security issues. See SA-CORE-2018-006.
+
+Drupal 7.59, 2018-04-25
+-----------------------
+- Fixed security issues (remote code execution). See SA-CORE-2018-004.
+
+Drupal 7.58, 2018-03-28
+-----------------------
+- Fixed security issues (multiple vulnerabilities). See SA-CORE-2018-002.
 
 Drupal 7.59, 2018-04-25
 -----------------------

includes/bootstrap.inc

@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.59');
+define('VERSION', '7.60');
 
 /**
  * Core API compatibility.

includes/common.inc

@@ -2311,7 +2311,10 @@ function url($path = NULL, array $options = array()) {
     $language = isset($options['language']) && isset($options['language']->language) ? $options['language']->language : '';
     $alias = drupal_get_path_alias($original_path, $language);
     if ($alias != $original_path) {
-      $path = $alias;
+      // Strip leading slashes from internal path aliases to prevent them
+      // becoming external URLs without protocol. /example.com should not be
+      // turned into //example.com.
+      $path = ltrim($alias, '/');
     }
   }
 

misc/healthchecks/db.check.php

@@ -3,12 +3,12 @@
 if (isset($_SERVER['PRESSFLOW_SETTINGS'])) {
   $pressflow_config = json_decode($_SERVER['PRESSFLOW_SETTINGS'], TRUE);
   $db = $pressflow_config['databases']['default']['default'];
-  $link = mysql_connect($db['host'] . ':' . $db['port'], $db['username'], $db['password']);
+  $link = mysqli_connect($db['host'] . ':' . $db['port'], $db['username'], $db['password']);
   if (!$link) {
-      fail('Could not connect: ' . mysql_error());
+      fail('Could not connect: ' . mysqli_error());
   }
   echo "OK\n";
-  mysql_close($link);
+  mysqli_close($link);
 }
 else {
   fail("No config found.\n");

modules/path/path.test

@@ -21,7 +21,7 @@ class PathTestCase extends DrupalWebTestCase {
     parent::setUp('path');
 
     // Create test user and login.
-    $web_user = $this->drupalCreateUser(array('create page content', 'edit own page content', 'administer url aliases', 'create url aliases'));
+    $web_user = $this->drupalCreateUser(array('create page content', 'edit own page content', 'administer url aliases', 'create url aliases', 'access content overview'));
     $this->drupalLogin($web_user);
   }
 
@@ -160,6 +160,34 @@ class PathTestCase extends DrupalWebTestCase {
     $this->drupalGet($edit['path[alias]']);
     $this->assertNoText($node1->title, 'Alias was successfully deleted.');
     $this->assertResponse(404);
+
+    // Create third test node.
+    $node3 = $this->drupalCreateNode();
+
+    // Create an invalid alias with a leading slash and verify that the slash
+    // is removed when the link is generated. This ensures that URL aliases
+    // cannot be used to inject external URLs.
+    // @todo The user interface should either display an error message or
+    //   automatically trim these invalid aliases, rather than allowing them to
+    //   be silently created, at which point the functional aspects of this
+    //   test will need to be moved elsewhere and switch to using a
+    //   programmatically-created alias instead.
+    $alias = $this->randomName(8);
+    $edit = array('path[alias]' => '/' . $alias);
+    $this->drupalPost('node/' . $node3->nid . '/edit', $edit, t('Save'));
+    $this->drupalGet('admin/content');
+    // This checks the link href before clicking it, rather than using
+    // DrupalWebTestCase::assertUrl() after clicking it, because the test
+    // browser does not always preserve the correct number of slashes in the
+    // URL when it visits internal links; using DrupalWebTestCase::assertUrl()
+    // would actually make the test pass unconditionally on the testbot (or
+    // anywhere else where Drupal is installed in a subdirectory).
+    $link_xpath = $this->xpath('//a[normalize-space(text())=:label]', array(':label' => $node3->title));
+    $link_href = (string) $link_xpath[0]['href'];
+    $link_prefix = base_path() . (variable_get('clean_url', 0) ? '' : '?q=');
+    $this->assertEqual($link_href, $link_prefix . $alias);
+    $this->clickLink($node3->title);
+    $this->assertResponse(404);
   }
 
   /**

modules/system/system.mail.inc

@@ -70,7 +70,9 @@ class DefaultMailSystem implements MailSystemInterface {
     // hosts. The return value of this method will still indicate whether mail
     // was sent successfully.
     if (!isset($_SERVER['WINDIR']) && strpos($_SERVER['SERVER_SOFTWARE'], 'Win32') === FALSE) {
-      if (isset($message['Return-Path']) && !ini_get('safe_mode')) {
+      // We validate the return path, unless it is equal to the site mail, which
+      // we assume to be safe.
+      if (isset($message['Return-Path']) && !ini_get('safe_mode') && (variable_get('site_mail', ini_get('sendmail_from')) === $message['Return-Path'] || self::_isShellSafe($message['Return-Path']))) {
         // On most non-Windows systems, the "-f" option to the sendmail command
         // is used to set the Return-Path. There is no space between -f and
         // the value of the return path.
@@ -109,6 +111,36 @@ class DefaultMailSystem implements MailSystemInterface {
      }
      return $mail_result;
   }
+
+  /**
+   * Disallows potentially unsafe shell characters.
+   *
+   * Functionally similar to PHPMailer::isShellSafe() which resulted from
+   * CVE-2016-10045. Note that escapeshellarg and escapeshellcmd are inadequate
+   * for this purpose.
+   *
+   * @param string $string
+   *   The string to be validated.
+   *
+   * @return bool
+   *   True if the string is shell-safe.
+   *
+   * @see https://github.com/PHPMailer/PHPMailer/issues/924
+   * @see https://github.com/PHPMailer/PHPMailer/blob/v5.2.21/class.phpmailer.php#L1430
+   *
+   * @todo Rename to ::isShellSafe() and/or discuss whether this is the correct
+   *   location for this helper.
+   */
+  protected static function _isShellSafe($string) {
+    if (escapeshellcmd($string) !== $string || !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))) {
+      return FALSE;
+    }
+    if (preg_match('/[^a-zA-Z0-9@_\-.]/', $string) !== 0) {
+      return FALSE;
+    }
+    return TRUE;
+  }
+
 }
 
 /**

profiles/dkan/.ahoy/docker-compose.common.yml

@@ -3,7 +3,7 @@ version: "2"
 services:
   web:
     hostname: web
-    image: nuams/drupal-apache-php:1.0-5.6
+    image: getdkan/dkan-docker:php7-web
     ports:
       - "80"
       - "443"
@@ -51,7 +51,7 @@ services:
   # Used for all console commands and tools.
   cli:
     hostname: cli
-    image: getdkan/dkan-docker:php5-cli
+    image: getdkan/dkan-docker:php7-cli
     environment:
       - XDEBUG_CONFIG=idekey=PHPSTORM
     env_file:

profiles/dkan/.circleci/config.yml

@@ -54,8 +54,9 @@ jobs:
       - run:
           name: Install Drush
           command: |
-            composer global require consolidation/cgr
-            cgr drush/drush
+            composer global require drush/drush:8.0.2
+            cd /usr/local/bin
+            ln -s /root/.composer/vendor/bin/drush drush
             drush --version
       - run:
           name: Setup DKAN

profiles/dkan/CHANGELOG.txt

@@ -1,17 +1,34 @@
+7.x-1.15.4
+----------
+ - #2701 Update drupal core to 7.60
+ - #2541 Updates for php 7.1 compatibility
+ - #2702 Fix 'a non-numeric value encountered' error
+ - #2696 Peg drush to a specific version
+ - #2670 Update ODSM to 2.1 for php 7 compatibility
+ - #2692 Patch the radix theme to use local bootstrap.min.js file
+ - #2664 Add UI to change allowed extensions on resources
+ - #2668 Add environment and environment_indicator modules to DKAN
+ - #2656 Update workbench_moderation, drafty, and dkan_sitewide_panels to fix 'View draft' button
+ - #2658 Fix behat test @workflow_19 to avoid false positive result
+ - #2644 Automate group role assignments
+ - #2650 & #2634 Documentation updates
+ - #2637 Fix version check on available updates for empty value
+ - #2636 Add created date as a sort option on search pages
+ - #2628 Update Datastore API documentation
+
 7.x-1.15.3
 ----------
-- #2599 Adds additional helper function to get remote file info
-- #2605 Remove group member count and link from the group block
-- #2604 Update select_or_other to 2.24
-- #2601 Update file_resup to 1.5
-- #2418, #2600 & #2606 Documentation updates
-- #2599 Fix for getting remote file info when the server doesn't support HTTP HEAD
-- #2592 CSS updated to add ppt/pptx file icons
-- #2589 Security update for uuid (1.1)
-- #2586 Switch to saving the data.json url by default when harvesting remote files rather than the effective url
-- #2585 Add kml, kmz, shp to allowed extensions on resource file upload and remote file fields
-- #2588 More granular field validation for datasets and resources.
-- #2557 Wrap Dkan defined string to improve multilingual support
+ - #2605 Remove group member count and link from the group block
+ - #2604 Update select_or_other to 2.24
+ - #2601 Update file_resup to 1.5
+ - #2418, #2600 & #2606 Documentation updates
+ - #2599 Adds additional helper function to get remote file info
+ - #2592 CSS updated to add ppt/pptx file icons
+ - #2589 Security update for uuid (1.1)
+ - #2586 Switch to saving the data.json url by default when harvesting remote files rather than the effective url
+ - #2585 Add kml, kmz, shp to allowed extensions on resource file upload and remote file fields
+ - #2588 More granular field validation for datasets and resources.
+ - #2557 Wrap Dkan defined string to improve multilingual support
 
 7.x-1.15.2
 ----------