[Pkg-drupal-commits] r1832 - in /branches/drupal-4.7: CHANGELOG.txt debian/changelog includes/common.inc modules/comment.module modules/system.module modules/upload.module modules/user.module themes/chameleon/common.css

luigi at users.alioth.debian.org luigi at users.alioth.debian.org
Sat Oct 20 08:07:18 UTC 2007


Author: luigi
Date: Sat Oct 20 08:07:17 2007
New Revision: 1832

URL: http://svn.debian.org/wsvn/pkg-drupal/?sc=1&rev=1832
Log:
New upstream release

Modified:
    branches/drupal-4.7/CHANGELOG.txt
    branches/drupal-4.7/debian/changelog
    branches/drupal-4.7/includes/common.inc
    branches/drupal-4.7/modules/comment.module
    branches/drupal-4.7/modules/system.module
    branches/drupal-4.7/modules/upload.module
    branches/drupal-4.7/modules/user.module
    branches/drupal-4.7/themes/chameleon/common.css

Modified: branches/drupal-4.7/CHANGELOG.txt
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-4.7/CHANGELOG.txt?rev=1832&op=diff
==============================================================================
--- branches/drupal-4.7/CHANGELOG.txt (original)
+++ branches/drupal-4.7/CHANGELOG.txt Sat Oct 20 08:07:17 2007
@@ -1,4 +1,10 @@
-// $Id: CHANGELOG.txt,v 1.117.2.12 2007/07/26 19:17:24 killes Exp $
+// $Id: CHANGELOG.txt,v 1.117.2.13 2007/10/17 21:35:41 goba Exp $
+
+Drupal 4.7.8, 2007-10-17
+----------------------
+- fixed a security issue (HTTP response splitting), see SA-2007-024
+- fixed a security issue (Cross site scripting via uploads), see SA-2007-026
+- fixed a security issue (API handling of unpublished comment), see SA-2007-030
 
 Drupal 4.7.7, 2007-07-26
 ------------------------

Modified: branches/drupal-4.7/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-4.7/debian/changelog?rev=1832&op=diff
==============================================================================
--- branches/drupal-4.7/debian/changelog (original)
+++ branches/drupal-4.7/debian/changelog Sat Oct 20 08:07:17 2007
@@ -1,3 +1,12 @@
+drupal (4.7.8-1) UNRELEASED; urgency=low
+
+  * (NOT RELEASED YET)
+  
+  [ Luigi Gangitano ] 
+  * New upstream release
+
+ -- Luigi Gangitano <luigi at debian.org>  Sat, 20 Oct 2007 10:06:39 +0200
+
 drupal (4.7.7-1) unstable; urgency=high
 
   * Urgency high due to security fixes

Modified: branches/drupal-4.7/includes/common.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-4.7/includes/common.inc?rev=1832&op=diff
==============================================================================
--- branches/drupal-4.7/includes/common.inc (original)
+++ branches/drupal-4.7/includes/common.inc Sat Oct 20 08:07:17 2007
@@ -1,5 +1,5 @@
 <?php
-// $Id: common.inc,v 1.537.2.24 2007/07/26 19:17:24 killes Exp $
+// $Id: common.inc,v 1.537.2.25 2007/10/17 21:35:41 goba Exp $
 
 /**
  * @file
@@ -235,10 +235,6 @@
  * 'user login'-block in a sidebar.  The function drupal_get_destination()
  * can be used to help set the destination URL.
  *
- * It is advised to use drupal_goto() instead of PHP's header(), because
- * drupal_goto() will append the user's session ID to the URI when PHP is
- * compiled with "--enable-trans-sid".
- *
  * This function ends the request; use it rather than a print theme('page')
  * statement in your menu callback.
  *
@@ -260,6 +256,8 @@
   }
 
   $url = url($path, $query, $fragment, TRUE);
+  // Remove newlines from the URL to avoid header injection attacks.
+  $url = str_replace(array("\n", "\r"), '', $url);
 
   // Before the redirect, allow modules to react to the end of the page request.
   module_invoke_all('exit', $url);
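Review bot: The new `$url = str_replace(array("\n", "\r"), '', $url);` line silently rewrites a destination that contained CR/LF instead of refusing it, so a caller that passed a tainted path or query (typically the `destination` parameter the docblock above refers to) gets a redirect to a different URL and no log entry; the comment should make that choice explicit, e.g. `// Strip rather than reject: only the resulting Location header line has to be free of CR/LF.` Only literal newline bytes matter at this point because header() does not percent-decode its argument, so any `%0D%0A` that url() leaves encoded in `$url` cannot split the response. drupal_goto() starts before this hunk and the header() call this guard protects is presumably after it.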

Modified: branches/drupal-4.7/modules/comment.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-4.7/modules/comment.module?rev=1832&op=diff
==============================================================================
--- branches/drupal-4.7/modules/comment.module (original)
+++ branches/drupal-4.7/modules/comment.module Sat Oct 20 08:07:17 2007
@@ -1,5 +1,5 @@
 <?php
-// $Id: comment.module,v 1.455.2.16 2007/05/27 16:11:26 killes Exp $
+// $Id: comment.module,v 1.455.2.17 2007/10/17 21:35:42 goba Exp $
 
 /**
  * @file
@@ -568,7 +568,7 @@
         }
   
         // Add the comment to database.
-        $status = user_access('post comments without approval') ? COMMENT_PUBLISHED : COMMENT_NOT_PUBLISHED;
+        $edit['status'] = user_access('post comments without approval') ? COMMENT_PUBLISHED : COMMENT_NOT_PUBLISHED;
         $roles = variable_get('comment_roles', array());
         $score = 0;
 
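Review bot: The new `$edit['status'] = user_access('post comments without approval') ? COMMENT_PUBLISHED : COMMENT_NOT_PUBLISHED;` line overwrites whatever status a caller placed in `$edit`, which looks intentional (a status supplied through the API is never trusted) but is undocumented; suggest `// Derive the status from the current user's permission only; never trust a status value supplied by the caller in $edit.` Storing it in `$edit` rather than a local means anything that receives `$edit` between this hunk and the INSERT in the next hunk now sees the real status, and the moderation message in the third hunk reads the same key, so the three hunks stand or fall together. comment_save() starts before this hunk.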
@@ -629,7 +629,7 @@
           $edit['name'] = $user->name;
         }
 
-        db_query("INSERT INTO {comments} (cid, nid, pid, uid, subject, comment, format, hostname, timestamp, status, score, users, thread, name, mail, homepage) VALUES (%d, %d, %d, %d, '%s', '%s', %d, '%s', %d, %d, %d, '%s', '%s', '%s', '%s', '%s')", $edit['cid'], $edit['nid'], $edit['pid'], $edit['uid'], $edit['subject'], $edit['comment'], $edit['format'], $_SERVER['REMOTE_ADDR'], $edit['timestamp'], $status, $score, $users, $thread, $edit['name'], $edit['mail'], $edit['homepage']);
+        db_query("INSERT INTO {comments} (cid, nid, pid, uid, subject, comment, format, hostname, timestamp, status, score, users, thread, name, mail, homepage) VALUES (%d, %d, %d, %d, '%s', '%s', %d, '%s', %d, %d, %d, '%s', '%s', '%s', '%s', '%s')", $edit['cid'], $edit['nid'], $edit['pid'], $edit['uid'], $edit['subject'], $edit['comment'], $edit['format'], $_SERVER['REMOTE_ADDR'], $edit['timestamp'], $edit['status'], $score, $users, $thread, $edit['name'], $edit['mail'], $edit['homepage']);
 
         _comment_update_node_statistics($edit['nid']);
 
@@ -645,7 +645,7 @@
 
       // Explain the approval queue if necessary, and then
       // redirect the user to the node he's commenting on.
-      if ($status == COMMENT_NOT_PUBLISHED) {
+      if ($edit['status'] == COMMENT_NOT_PUBLISHED) {
         drupal_set_message(t('Your comment has been queued for moderation by site administrators and will be published after approval.'));
       }
       return $edit['cid'];

Modified: branches/drupal-4.7/modules/system.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-4.7/modules/system.module?rev=1832&op=diff
==============================================================================
--- branches/drupal-4.7/modules/system.module (original)
+++ branches/drupal-4.7/modules/system.module Sat Oct 20 08:07:17 2007
@@ -1,5 +1,5 @@
 <?php
-// $Id: system.module,v 1.320.2.23 2007/07/26 21:25:22 killes Exp $
+// $Id: system.module,v 1.320.2.25 2007/10/17 21:35:42 goba Exp $
 
 /**
  * @file
@@ -1235,8 +1235,9 @@
  * offered to go back to the item that is being changed in case the user changes
  * his/her mind.
  *
- * You should use $GLOBALS['values']['edit'][$name] (where $name is usually 'confirm') to
- * check if the confirmation was successful.
+ * If the submit handler for this form is invoked, the user successfully
+ * confirmed the action. You should never directly inspect $_POST to see if an
+ * action was confirmed.
  *
  * @param $form_id
  *   The unique form identifier. Used by the form API to construct the theme.

Modified: branches/drupal-4.7/modules/upload.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-4.7/modules/upload.module?rev=1832&op=diff
==============================================================================
--- branches/drupal-4.7/modules/upload.module (original)
+++ branches/drupal-4.7/modules/upload.module Sat Oct 20 08:07:17 2007
@@ -1,5 +1,5 @@
 <?php
-// $Id: upload.module,v 1.100.2.13 2007/03/08 08:22:07 killes Exp $
+// $Id: upload.module,v 1.100.2.14 2007/10/17 21:35:42 goba Exp $
 
 /**
  * @file
@@ -157,7 +157,7 @@
   foreach ($roles as $rid => $role) {
     $form["settings_role_$rid"] = array('#type' => 'fieldset', '#title' => t('Settings for %role', array('%role' => theme('placeholder', $role))), '#collapsible' => TRUE, '#collapsed' => TRUE);
     $form["settings_role_$rid"]["upload_extensions_$rid"] = array(
-      '#type' => 'textfield', '#title' => t('Permitted file extensions'), '#default_value' => variable_get("upload_extensions_$rid", 'jpg jpeg gif png txt html doc xls pdf ppt pps odt ods odp'),
+      '#type' => 'textfield', '#title' => t('Permitted file extensions'), '#default_value' => variable_get("upload_extensions_$rid", 'jpg jpeg gif png txt doc xls xls pdf ppt pps odt ods odp'),
       '#maxlength' => 255, '#description' => t('Extensions that users in this role can upload. Separate extensions with a space and do not include the leading dot.')
     );
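Review bot: The new default on the `'#default_value' => variable_get("upload_extensions_$rid", ...)` line reads `txt doc xls xls pdf`, so `html` was replaced by a second `xls` rather than dropped; the list should be `jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp` here and in the two later hunks of this file, which repeat the same literal. Because the literal is only the `variable_get()` fallback, sites that already saved per-role extension settings keep accepting `.html` uploads after this upgrade unless an update hook rewrites the stored values, which this diff does not show. Defining the list once, e.g. `define('UPLOAD_DEFAULT_EXTENSIONS', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp');` near the top of the module and using it at all three sites, would keep the copies from drifting. The enclosing form builder starts before this hunk.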
     $form["settings_role_$rid"]["upload_uploadsize_$rid"] = array(
@@ -326,7 +326,7 @@
           $total_usersize = upload_space_used($user->uid) + $filesize;
           $error = array();
           foreach ($user->roles as $rid => $name) {
-            $extensions = variable_get("upload_extensions_$rid", 'jpg jpeg gif png txt html doc xls pdf ppt pps odt ods odp');
+            $extensions = variable_get("upload_extensions_$rid", 'jpg jpeg gif png txt doc xls xls pdf ppt pps odt ods odp');
             $uploadsize = variable_get("upload_uploadsize_$rid", 1) * 1024 * 1024;
             $usersize = variable_get("upload_usersize_$rid", 10) * 1024 * 1024;
 
@@ -538,7 +538,7 @@
     if (!isset($extensions)) {
       $extensions = '';
       foreach ($user->roles as $rid => $name) {
-        $extensions .= ' '. variable_get("upload_extensions_$rid", variable_get('upload_extensions_default', 'jpg jpeg gif png txt html doc xls pdf ppt pps odt ods odp'));
+        $extensions .= ' '. variable_get("upload_extensions_$rid", variable_get('upload_extensions_default', 'jpg jpeg gif png txt doc xls xls pdf ppt pps odt ods odp'));
       }
 
     }

Modified: branches/drupal-4.7/modules/user.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-4.7/modules/user.module?rev=1832&op=diff
==============================================================================
--- branches/drupal-4.7/modules/user.module (original)
+++ branches/drupal-4.7/modules/user.module Sat Oct 20 08:07:17 2007
@@ -1,5 +1,5 @@
 <?php
-// $Id: user.module,v 1.612.2.31 2007/07/26 19:17:24 killes Exp $
+// $Id: user.module,v 1.612.2.32 2007/09/13 20:42:42 killes Exp $
 
 /**
  * @file
@@ -397,32 +397,10 @@
  *    <em>When sending mail, the mail must contain a From header.</em>
  * @return Returns TRUE if the mail was successfully accepted for delivery, FALSE otherwise.
  */
-function user_mail($mail, $subject, $message, $header = NULL) {
-  $defaults = array(
-   'MIME-Version' => '1.0',
-   'Content-Type' => 'text/plain; charset=UTF-8; format=flowed',
-   'Content-Transfer-Encoding' => '8Bit',
-   'X-Mailer' => 'Drupal'
-   );
-  // To prevent e-mail from looking like spam, the addresses in the Sender and
-  // Return-Path headers should have a domain authorized to use the originating
-  // SMTP server.  Errors-To is redundant, but shouldn't hurt.
-  $default_from = variable_get('site_mail', ini_get('sendmail_from'));
-  if ($default_from) {
-    $defaults['From'] = $defaults['Reply-To'] = $defaults['Sender'] = $defaults['Return-Path'] = $defaults['Errors-To'] = $default_from;
-  }
-  $mimeheaders = array();
-  foreach ($defaults as $name => $value) {
-    $mimeheaders[] = $name .': '. mime_header_encode($value);
-  }
-  $headers = join("\n", $mimeheaders);
-  if (!is_null($header)) {
-    $headers .="\n".$header;
-  }
-
+function user_mail($mail, $subject, $message, $header) {
   if (variable_get('smtp_library', '') && file_exists(variable_get('smtp_library', ''))) {
    include_once './' . variable_get('smtp_library', '');
-    return user_mail_wrapper($mail, $subject, $message, $headers);
+    return user_mail_wrapper($mail, $subject, $message, $header);
   }
   else {
     /*
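Review bot: The new signature `function user_mail($mail, $subject, $message, $header) {` drops the `= NULL` default, so any contributed module still calling with three arguments now gets a PHP missing-argument warning and sends mail with only the MIME headers prepended in the next hunk; the docblock above should state that `$header` is now required, e.g. `@param $header  Required. Newline-separated raw headers; must include a From header.` The removed body ran every header value through mime_header_encode() and skipped the address headers when no site address was configured, whereas callers now interpolate `$from` raw, so the docblock should also say the values must already be encoded and CR/LF-free. user_mail() continues into the next hunk, where the header block is assembled.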
@@ -449,7 +427,7 @@
       $mail,
       mime_header_encode($subject),
       str_replace("\r", '', $message),
-      $headers
+      "MIME-Version: 1.0\nContent-Type: text/plain; charset=UTF-8; format=flowed\nContent-transfer-encoding: 8Bit\n" . $header
     );
   }
 }
@@ -1095,12 +1073,14 @@
   global $base_url;
 
   $account = $form_values['account'];
+  $from = variable_get('site_mail', ini_get('sendmail_from'));
 
   // Mail one time login URL and instructions.
   $variables = array('%username' => $account->name, '%site' => variable_get('site_name', 'drupal'), '%login_url' => user_pass_reset_url($account), '%uri' => $base_url, '%uri_brief' => substr($base_url, strlen('http://')), '%mailto' => $account->mail, '%date' => format_date(time()), '%login_uri' => url('user', NULL, NULL, TRUE), '%edit_uri' => url('user/'. $account->uid .'/edit', NULL, NULL, TRUE));
   $subject = _user_mail_text('pass_subject', $variables);
   $body = _user_mail_text('pass_body', $variables);
-  $mail_success = user_mail($account->mail, $subject, $body);
+  $headers = "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from";
+  $mail_success = user_mail($account->mail, $subject, $body, $headers);
 
   if ($mail_success) {
     watchdog('user', t('Password reset instructions mailed to %name at %email.', array('%name' => theme('placeholder', $account->name), '%email' => theme('placeholder', $account->mail))));
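Review bot: The header string built on the new `$headers = "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from";` line has no guard for an empty `$from`: the removed user_mail() body only added From/Reply-To/Sender/Return-Path when `variable_get('site_mail', ini_get('sendmail_from'))` was non-empty, while this line, and the same literal repeated in the four later hunks of this file, emits `From: ` with an empty value when neither setting exists. The literal is copied five times, so a small helper keeps the guard in one place and each call site becomes `user_mail($account->mail, $subject, $body, _user_mail_headers());`. `$from` comes from admin-set configuration, so a CR/LF in it is a misconfiguration rather than user-controlled input, but the helper is also the natural place to strip it. The enclosing submit handler starts before this hunk.
```php
/**
 * Build the headers user.module attaches to outgoing mail.
 *
 * Address headers are only added when a site address is configured, matching
 * the previous user_mail() behaviour; CR/LF are stripped so a misconfigured
 * value cannot break the header block.
 */
function _user_mail_headers() {
  $from = str_replace(array("\n", "\r"), '', variable_get('site_mail', ini_get('sendmail_from')));
  $headers = 'X-Mailer: Drupal';
  if ($from) {
    $headers = "From: $from\nReply-to: $from\n$headers\nReturn-path: $from\nErrors-to: $from";
  }
  return $headers;
}
```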
@@ -1259,6 +1239,7 @@
   $name = $form_values['name'];
   $pass = $admin ? $form_values['pass'] : user_password();
   $notify = $form_values['notify'];
+  $from = variable_get('site_mail', ini_get('sendmail_from'));
 
   if (!$admin && array_intersect(array_keys($form_values), array('uid', 'roles', 'init', 'session', 'status'))) {
     watchdog('security', t('Detected malicious attempt to alter protected user fields.'), WATCHDOG_WARNING);
@@ -1274,7 +1255,7 @@
 
   // The first user may login immediately, and receives a customized welcome e-mail.
   if ($account->uid == 1) {
-    user_mail($mail, t('Drupal user account details for %s', array('%s' => $name)), strtr(t("%username,\n\nYou may now login to %uri using the following username and password:\n\n  username: %username\n  password: %password\n\n%edit_uri\n\n--drupal"), $variables));
+    user_mail($mail, t('Drupal user account details for %s', array('%s' => $name)), strtr(t("%username,\n\nYou may now login to %uri using the following username and password:\n\n  username: %username\n  password: %password\n\n%edit_uri\n\n--drupal"), $variables), "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from");
     drupal_set_message(t('<p>Welcome to Drupal. You are user #1, which gives you full and immediate access.  All future registrants will receive their passwords via e-mail, so please make sure your website e-mail address is set properly under the general settings on the <a href="%settings">settings page</a>.</p><p> Your password is <strong>%pass</strong>. You may change your password below.</p>', array('%pass' => $pass, '%settings' => url('admin/settings'))));
     user_authenticate($account->name, trim($pass));
 
@@ -1295,7 +1276,7 @@
       $subject = $notify ? _user_mail_text('admin_subject', $variables) : _user_mail_text('welcome_subject', $variables);
       $body = $notify ? _user_mail_text('admin_body', $variables) : _user_mail_text('welcome_body', $variables);
 
-      user_mail($mail, $subject, $body);
+      user_mail($mail, $subject, $body, "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from");
 
       if ($notify) {
         drupal_set_message(t('Password and further instructions have been e-mailed to the new user %user.', array('%user' => theme('placeholder', $name))));
@@ -1311,8 +1292,8 @@
       $subject = _user_mail_text('approval_subject', $variables);
       $body = _user_mail_text('approval_body', $variables);
 
-      user_mail($mail, $subject, $body);
-      user_mail(variable_get('site_mail', ini_get('sendmail_from')), $subject, t("%u has applied for an account.\n\n%uri", array('%u' => $account->name, '%uri' => url("user/$account->uid/edit", NULL, NULL, TRUE))));
+      user_mail($mail, $subject, $body, "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from");
+      user_mail(variable_get('site_mail', ini_get('sendmail_from')), $subject, t("%u has applied for an account.\n\n%uri", array('%u' => $account->name, '%uri' => url("user/$account->uid/edit", NULL, NULL, TRUE))), "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from");
       drupal_set_message(t('Thank you for applying for an account. Your account is currently pending approval by the site administrator.<br />In the meantime, your password and further instructions have been sent to your e-mail address.'));
 
     }

Modified: branches/drupal-4.7/themes/chameleon/common.css
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-4.7/themes/chameleon/common.css?rev=1832&op=diff
==============================================================================
--- branches/drupal-4.7/themes/chameleon/common.css (original)
+++ branches/drupal-4.7/themes/chameleon/common.css Sat Oct 20 08:07:17 2007
@@ -1,4 +1,4 @@
-/* $Id: common.css,v 1.9 2006/01/20 09:09:18 dries Exp $ */
+/* $Id: common.css,v 1.9.2.1 2007/09/13 18:53:32 killes Exp $ */
 
 /*
 ** HTML elements
@@ -82,6 +82,7 @@
  font-size: 0.8em;
  padding-top: 2em;
  text-align: center;
+ clear: both;
 }
 
 /*



