1524753275: Proposed release for 7.x-1.14.7 (#67)

* SA-CORE-2018-002 by Jasu_M, samuel.mortenson, David_Rothstein, xjm, mlhess, larowlan, pwolanin, alexpott, dsnopek, Pere Orga, cashwilliams, dawehner, tim.plunkett, drumm * Drupal 7.58 * SA-CORE-2018-004 by alexpott, Heine, larowlan, David_Rothstein, xjm, Pere Orga, mlhess, tim.plunkett, Jasu_M, quicksketch, cashwilliams, samuel.mortenson, pwolanin, drumm, dawehner * Drupal 7.59 * Update to http://git.drupal.org/project/drupal.git 7.59. * Update to Drupal 7.59. For more information, see https://www.drupal.org/project/drupal/releases/7.59 * 7.x-1.14.7 release
GetDKAN · Apr 26, 2018 · 9fc535c · 9fc535c
1 parent cce3e9b
commit 9fc535c
Show file tree

Hide file tree

Showing 150 changed files with 880 additions and 4,256 deletions.
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
@@ -1,4 +1,8 @@
 
+Drupal 7.59, 2018-04-25
+-----------------------
+- Fixed security issues (remote code execution). See SA-CORE-2018-004.
+
 Drupal 7.58, 2018-03-28
 -----------------------
 - Fixed security issues (multiple vulnerabilities). See SA-CORE-2018-002.

diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.58');
+define('VERSION', '7.59');
 
 /**
  * Core API compatibility.
@@ -2819,6 +2819,11 @@ function _drupal_bootstrap_variables() {
       unset($_GET['destination']);
       unset($_REQUEST['destination']);
     }
+    // Use the DrupalRequestSanitizer to ensure that the destination's query
+    // parameters are not dangerous.
+    if (isset($_GET['destination'])) {
+      DrupalRequestSanitizer::cleanDestination();
+    }
     // If there's still something in $_REQUEST['destination'] that didn't come
     // from $_GET, check it too.
     if (isset($_REQUEST['destination']) && (!isset($_GET['destination']) || $_REQUEST['destination'] != $_GET['destination']) && url_is_external($_REQUEST['destination'])) {

diff --git a/includes/common.inc b/includes/common.inc
@@ -611,8 +611,9 @@ function drupal_parse_url($url) {
   }
   // The 'q' parameter contains the path of the current page if clean URLs are
   // disabled. It overrides the 'path' of the URL when present, even if clean
-  // URLs are enabled, due to how Apache rewriting rules work.
-  if (isset($options['query']['q'])) {
+  // URLs are enabled, due to how Apache rewriting rules work. The path
+  // parameter must be a string.
+  if (isset($options['query']['q']) && is_string($options['query']['q'])) {
     $options['path'] = $options['query']['q'];
     unset($options['query']['q']);
   }

diff --git a/includes/request-sanitizer.inc b/includes/request-sanitizer.inc
@@ -51,6 +51,38 @@ class DrupalRequestSanitizer {
     }
   }
 
+  /**
+   * Removes the destination if it is dangerous.
+   *
+   * Note this can only be called after common.inc has been included.
+   *
+   * @return bool
+   *   TRUE if the destination has been removed from $_GET, FALSE if not.
+   */
+  public static function cleanDestination() {
+    $dangerous_keys = array();
+    $log_sanitized_keys = variable_get('sanitize_input_logging', FALSE);
+
+    $parts = drupal_parse_url($_GET['destination']);
+    // If there is a query string, check its query parameters.
+    if (!empty($parts['query'])) {
+      $whitelist = variable_get('sanitize_input_whitelist', array());
+
+      self::stripDangerousValues($parts['query'], $whitelist, $dangerous_keys);
+      if (!empty($dangerous_keys)) {
+        // The destination is removed rather than sanitized to mirror the
+        // handling of external destinations.
+        unset($_GET['destination']);
+        unset($_REQUEST['destination']);
+        if ($log_sanitized_keys) {
+          trigger_error(format_string('Potentially unsafe destination removed from query string parameters (GET) because it contained the following keys: @keys', array('@keys' => implode(', ', $dangerous_keys))));
+        }
+        return TRUE;
+      }
+    }
+    return FALSE;
+  }
+
   /**
    * Strips dangerous keys from the provided input.
    *

diff --git a/modules/file/file.module b/modules/file/file.module
@@ -239,6 +239,9 @@ function file_ajax_upload() {
   $form_parents = func_get_args();
   $form_build_id = (string) array_pop($form_parents);
 
+  // Sanitize form parents before using them.
+  $form_parents = array_filter($form_parents, 'element_child');
+
   if (empty($_POST['form_build_id']) || $form_build_id != $_POST['form_build_id']) {
     // Invalid request.
     drupal_set_message(t('An unrecoverable error occurred. The uploaded file likely exceeded the maximum file size (@size) that this server supports.', array('@size' => format_size(file_upload_max_size()))), 'error');

diff --git a/profiles/dkan/.ahoy/.docker/etc/solr/3.x/elevate.xml b/profiles/dkan/.ahoy/.docker/etc/solr/3.x/elevate.xml
@@ -15,7 +15,7 @@
  Otherwise, place it with the other configuration files into the conf/
  directory.
 
- See http://wiki.apache.org/solr/QueryElevationComponent for more information.
+ See https://wiki.apache.org/solr/QueryElevationComponent for more information.
 -->
 
 <elevate>

diff --git a/profiles/dkan/.ahoy/.docker/etc/solr/3.x/schema.xml b/profiles/dkan/.ahoy/.docker/etc/solr/3.x/schema.xml
@@ -7,7 +7,7 @@
  or located where the classloader for the Solr webapp can find it.
 
  For more information, on how to customize this file, please see
- http://wiki.apache.org/solr/SchemaXml
+ https://wiki.apache.org/solr/SchemaXml
 -->
 
 <schema name="drupal-4.3-solr-3.x" version="1.3">
@@ -101,7 +101,7 @@
 
     <!-- The format for this date field is of the form 1995-12-31T23:59:59Z, and
          is a more restricted form of the canonical representation of dateTime
-         http://www.w3.org/TR/xmlschema-2/#dateTime
+         https://www.w3.org/TR/xmlschema-2/#dateTime
          The trailing "Z" designates UTC time and is mandatory.
          Optional fractional seconds are allowed: 1995-12-31T23:59:59.999Z
          All other components are mandatory.
@@ -133,7 +133,7 @@
          matching across fields.
 
          For more info on customizing your analyzer chain, please see
-         http://wiki.apache.org/solr/AnalyzersTokenizersTokenFilters
+         https://wiki.apache.org/solr/AnalyzersTokenizersTokenFilters
      -->
 
     <!-- One can also specify an existing Analyzer class that has a
@@ -326,14 +326,14 @@
     <fieldType name="location" class="solr.LatLonType" subFieldType="tdouble"/>
 
     <!-- A Geohash is a compact representation of a latitude longitude pair in a single field.
-         See http://wiki.apache.org/solr/SpatialSearch
+         See https://wiki.apache.org/solr/SpatialSearch
      -->
     <fieldtype name="geohash" class="solr.GeoHashField"/>
     <!-- End added Solr 3.4+ types -->
   </types>
 
   <!-- Following is a dynamic way to include other types, added by other contrib modules -->
-  <xi:include href="schema_extra_types.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
+  <xi:include href="schema_extra_types.xml" xmlns:xi="https://www.w3.org/2001/XInclude">
     <xi:fallback></xi:fallback>
   </xi:include>
 
@@ -499,7 +499,7 @@
     <dynamicField name="zm_*" type="string"   indexed="false"  stored="true" multiValued="true"/>
 
     <!-- Begin added fields to use features in Solr 3.4+
-         http://wiki.apache.org/solr/SpatialSearch#geodist_-_The_distance_function -->
+         https://wiki.apache.org/solr/SpatialSearch#geodist_-_The_distance_function -->
     <dynamicField name="points_*" type="point" indexed="true"  stored="true" multiValued="false"/>
     <dynamicField name="pointm_*" type="point" indexed="true"  stored="true" multiValued="true"/>
     <dynamicField name="locs_*" type="location" indexed="true"  stored="true" multiValued="false"/>
@@ -528,7 +528,7 @@
   </fields>
 
   <!-- Following is a dynamic way to include other fields, added by other contrib modules -->
-  <xi:include href="schema_extra_fields.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
+  <xi:include href="schema_extra_fields.xml" xmlns:xi="https://www.w3.org/2001/XInclude">
     <xi:fallback></xi:fallback>
   </xi:include>