Skip to content

Commit

Permalink
#63 Update Core
Browse files Browse the repository at this point in the history
  • Loading branch information
iAugur committed Aug 21, 2015
1 parent fccfd9c commit fa99d97
Show file tree
Hide file tree
Showing 138 changed files with 678 additions and 408 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.txt
Original file line number Diff line number Diff line change
@@ -1,4 +1,8 @@

Drupal 7.39, 2015-08-19
-----------------------
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2015-003.

Drupal 7.38, 2015-06-17
-----------------------
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2015-002.
Expand Down
37 changes: 36 additions & 1 deletion includes/ajax.inc
Original file line number Diff line number Diff line change
Expand Up @@ -230,6 +230,10 @@
* functions.
*/
function ajax_render($commands = array()) {
// Although ajax_deliver() does this, some contributed and custom modules
// render Ajax responses without using that delivery callback.
ajax_set_verification_header();

// Ajax responses aren't rendered with html.tpl.php, so we have to call
// drupal_get_css() and drupal_get_js() here, in order to have new files added
// during this request to be loaded by the page. We only want to send back
Expand Down Expand Up @@ -487,6 +491,9 @@ function ajax_deliver($page_callback_result) {
}
}

// Let ajax.js know that this response is safe to process.
ajax_set_verification_header();

// Print the response.
$commands = ajax_prepare_response($page_callback_result);
$json = ajax_render($commands);
Expand Down Expand Up @@ -576,6 +583,29 @@ function ajax_prepare_response($page_callback_result) {
return $commands;
}

/**
* Sets a response header for ajax.js to trust the response body.
*
* It is not safe to invoke Ajax commands within user-uploaded files, so this
* header protects against those being invoked.
*
* @see Drupal.ajax.options.success()
*/
function ajax_set_verification_header() {
$added = &drupal_static(__FUNCTION__);

// User-uploaded files cannot set any response headers, so a custom header is
// used to indicate to ajax.js that this response is safe. Note that most
// Ajax requests bound using the Form API will be protected by having the URL
// flagged as trusted in Drupal.settings, so this header is used only for
// things like custom markup that gets Ajax behaviors attached.
if (empty($added)) {
drupal_add_http_header('X-Drupal-Ajax-Token', '1');
// Avoid sending the header twice.
$added = TRUE;
}
}

/**
* Performs end-of-Ajax-request tasks.
*
Expand Down Expand Up @@ -764,7 +794,12 @@ function ajax_pre_render_element($element) {

$element['#attached']['js'][] = array(
'type' => 'setting',
'data' => array('ajax' => array($element['#id'] => $settings)),
'data' => array(
'ajax' => array($element['#id'] => $settings),
'urlIsAjaxTrusted' => array(
$settings['url'] => TRUE,
),
),
);

// Indicate that Ajax processing was successful.
Expand Down
2 changes: 1 addition & 1 deletion includes/bootstrap.inc
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
/**
* The current system version.
*/
define('VERSION', '7.38');
define('VERSION', '7.39');

/**
* Core API compatibility.
Expand Down
2 changes: 1 addition & 1 deletion includes/database/database.inc
Original file line number Diff line number Diff line change
Expand Up @@ -626,7 +626,7 @@ abstract class DatabaseConnection extends PDO {
* A sanitized version of the query comment string.
*/
protected function filterComment($comment = '') {
return preg_replace('/(\/\*\s*)|(\s*\*\/)/', '', $comment);
return strtr($comment, array('*' => ' * '));
}

/**
Expand Down
101 changes: 88 additions & 13 deletions includes/form.inc
Original file line number Diff line number Diff line change
Expand Up @@ -1128,6 +1128,17 @@ function drupal_prepare_form($form_id, &$form, &$form_state) {
drupal_alter($hooks, $form, $form_state, $form_id);
}

/**
* Helper function to call form_set_error() if there is a token error.
*/
function _drupal_invalid_token_set_form_error() {
$path = current_path();
$query = drupal_get_query_parameters();
$url = url($path, array('query' => $query));

// Setting this error will cause the form to fail validation.
form_set_error('form_token', t('The form has become outdated. Copy any unsaved work in the form below and then <a href="@link">reload this page</a>.', array('@link' => $url)));
}

/**
* Validates user-submitted form data in the $form_state array.
Expand Down Expand Up @@ -1162,16 +1173,11 @@ function drupal_validate_form($form_id, &$form, &$form_state) {
}

// If the session token was set by drupal_prepare_form(), ensure that it
// matches the current user's session.
// matches the current user's session. This is duplicate to code in
// form_builder() but left to protect any custom form handling code.
if (isset($form['#token'])) {
if (!drupal_valid_token($form_state['values']['form_token'], $form['#token'])) {
$path = current_path();
$query = drupal_get_query_parameters();
$url = url($path, array('query' => $query));

// Setting this error will cause the form to fail validation.
form_set_error('form_token', t('The form has become outdated. Copy any unsaved work in the form below and then <a href="@link">reload this page</a>.', array('@link' => $url)));

if (!drupal_valid_token($form_state['values']['form_token'], $form['#token']) || !empty($form_state['invalid_token'])) {
_drupal_invalid_token_set_form_error();
// Stop here and don't run any further validation handlers, because they
// could invoke non-safe operations which opens the door for CSRF
// vulnerabilities.
Expand Down Expand Up @@ -1827,6 +1833,20 @@ function form_builder($form_id, &$element, &$form_state) {
// from the POST data is set and matches the current form_id.
if ($form_state['programmed'] || (!empty($form_state['input']) && (isset($form_state['input']['form_id']) && ($form_state['input']['form_id'] == $form_id)))) {
$form_state['process_input'] = TRUE;
// If the session token was set by drupal_prepare_form(), ensure that it
// matches the current user's session.
$form_state['invalid_token'] = FALSE;
if (isset($element['#token'])) {
if (empty($form_state['input']['form_token']) || !drupal_valid_token($form_state['input']['form_token'], $element['#token'])) {
// Set an early form error to block certain input processing since that
// opens the door for CSRF vulnerabilities.
_drupal_invalid_token_set_form_error();
// This value is checked in _form_builder_handle_input_element().
$form_state['invalid_token'] = TRUE;
// Make sure file uploads do not get processed.
$_FILES = array();
}
}
}
else {
$form_state['process_input'] = FALSE;
Expand Down Expand Up @@ -1930,6 +1950,18 @@ function form_builder($form_id, &$element, &$form_state) {
$element['#attributes']['enctype'] = 'multipart/form-data';
}

// Allow Ajax submissions to the form action to bypass verification. This is
// especially useful for multipart forms, which cannot be verified via a
// response header.
$element['#attached']['js'][] = array(
'type' => 'setting',
'data' => array(
'urlIsAjaxTrusted' => array(
$element['#action'] => TRUE,
),
),
);

// If a form contains a single textfield, and the ENTER key is pressed
// within it, Internet Explorer submits the form with no POST data
// identifying any submit button. Other browsers submit POST data as though
Expand Down Expand Up @@ -1978,6 +2010,19 @@ function form_builder($form_id, &$element, &$form_state) {
* Adds the #name and #value properties of an input element before rendering.
*/
function _form_builder_handle_input_element($form_id, &$element, &$form_state) {
static $safe_core_value_callbacks = array(
'form_type_token_value',
'form_type_textarea_value',
'form_type_textfield_value',
'form_type_checkbox_value',
'form_type_checkboxes_value',
'form_type_radios_value',
'form_type_password_confirm_value',
'form_type_select_value',
'form_type_tableselect_value',
'list_boolean_allowed_values_callback',
);

if (!isset($element['#name'])) {
$name = array_shift($element['#parents']);
$element['#name'] = $name;
Expand Down Expand Up @@ -2056,7 +2101,14 @@ function _form_builder_handle_input_element($form_id, &$element, &$form_state) {
// property, optionally filtered through $value_callback.
if ($input_exists) {
if (function_exists($value_callback)) {
$element['#value'] = $value_callback($element, $input, $form_state);
// Skip all value callbacks except safe ones like text if the CSRF
// token was invalid.
if (empty($form_state['invalid_token']) || in_array($value_callback, $safe_core_value_callbacks)) {
$element['#value'] = $value_callback($element, $input, $form_state);
}
else {
$input = NULL;
}
}
if (!isset($element['#value']) && isset($input)) {
$element['#value'] = $input;
Expand Down Expand Up @@ -3910,6 +3962,29 @@ function theme_hidden($variables) {
return '<input' . drupal_attributes($element['#attributes']) . " />\n";
}

/**
* Process function to prepare autocomplete data.
*
* @param $element
* A textfield or other element with a #autocomplete_path.
*
* @return array
* The processed form element.
*/
function form_process_autocomplete($element) {
$element['#autocomplete_input'] = array();
if ($element['#autocomplete_path'] && drupal_valid_path($element['#autocomplete_path'])) {
$element['#autocomplete_input']['#id'] = $element['#id'] .'-autocomplete';
// Force autocomplete to use non-clean URLs since this protects against the
// browser interpreting the path plus search string as an actual file.
$current_clean_url = isset($GLOBALS['conf']['clean_url']) ? $GLOBALS['conf']['clean_url'] : NULL;
$GLOBALS['conf']['clean_url'] = 0;
$element['#autocomplete_input']['#url_value'] = url($element['#autocomplete_path'], array('absolute' => TRUE));
$GLOBALS['conf']['clean_url'] = $current_clean_url;
}
return $element;
}

/**
* Returns HTML for a textfield form element.
*
Expand All @@ -3928,14 +4003,14 @@ function theme_textfield($variables) {
_form_set_class($element, array('form-text'));

$extra = '';
if ($element['#autocomplete_path'] && drupal_valid_path($element['#autocomplete_path'])) {
if ($element['#autocomplete_path'] && !empty($element['#autocomplete_input'])) {
drupal_add_library('system', 'drupal.autocomplete');
$element['#attributes']['class'][] = 'form-autocomplete';

$attributes = array();
$attributes['type'] = 'hidden';
$attributes['id'] = $element['#attributes']['id'] . '-autocomplete';
$attributes['value'] = url($element['#autocomplete_path'], array('absolute' => TRUE));
$attributes['id'] = $element['#autocomplete_input']['#id'];
$attributes['value'] = $element['#autocomplete_input']['#url_value'];
$attributes['disabled'] = 'disabled';
$attributes['class'][] = 'autocomplete';
$extra = '<input' . drupal_attributes($attributes) . ' />';
Expand Down
8 changes: 2 additions & 6 deletions includes/menu.inc
Original file line number Diff line number Diff line change
Expand Up @@ -1487,7 +1487,7 @@ function menu_tree_collect_node_links(&$tree, &$node_links) {
* menu_tree_collect_node_links().
*/
function menu_tree_check_access(&$tree, $node_links = array()) {
if ($node_links) {
if ($node_links && (user_access('access content') || user_access('bypass node access'))) {
$nids = array_keys($node_links);
$select = db_select('node', 'n');
$select->addField('n', 'nid');
Expand All @@ -1511,11 +1511,7 @@ function _menu_tree_check_access(&$tree) {
$new_tree = array();
foreach ($tree as $key => $v) {
$item = &$tree[$key]['link'];
// Prevent translating menu links twice.
if (!isset($item['menu_link_translated'])) {
_menu_link_translate($item);
$item['menu_link_translated'] = TRUE;
}
_menu_link_translate($item);
if ($item['access'] || ($item['in_active_trail'] && strpos($item['href'], '%') !== FALSE)) {
if ($tree[$key]['below']) {
_menu_tree_check_access($tree[$key]['below']);
Expand Down
40 changes: 34 additions & 6 deletions misc/ajax.js
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@

Drupal.ajax = Drupal.ajax || {};

Drupal.settings.urlIsAjaxTrusted = Drupal.settings.urlIsAjaxTrusted || {};

/**
* Attaches the Ajax behavior to each Ajax form element.
*/
Expand Down Expand Up @@ -130,6 +132,11 @@ Drupal.ajax = function (base, element, element_settings) {
// 5. /nojs# - Followed by a fragment.
// E.g.: path/nojs#myfragment
this.url = element_settings.url.replace(/\/nojs(\/|$|\?|&|#)/g, '/ajax$1');
// If the 'nojs' version of the URL is trusted, also trust the 'ajax' version.
if (Drupal.settings.urlIsAjaxTrusted[element_settings.url]) {
Drupal.settings.urlIsAjaxTrusted[this.url] = true;
}

this.wrapper = '#' + element_settings.wrapper;

// If there isn't a form, jQuery.ajax() will be used instead, allowing us to
Expand All @@ -155,18 +162,36 @@ Drupal.ajax = function (base, element, element_settings) {
ajax.ajaxing = true;
return ajax.beforeSend(xmlhttprequest, options);
},
success: function (response, status) {
success: function (response, status, xmlhttprequest) {
// Sanity check for browser support (object expected).
// When using iFrame uploads, responses must be returned as a string.
if (typeof response == 'string') {
response = $.parseJSON(response);
}

// Prior to invoking the response's commands, verify that they can be
// trusted by checking for a response header. See
// ajax_set_verification_header() for details.
// - Empty responses are harmless so can bypass verification. This avoids
// an alert message for server-generated no-op responses that skip Ajax
// rendering.
// - Ajax objects with trusted URLs (e.g., ones defined server-side via
// #ajax) can bypass header verification. This is especially useful for
// Ajax with multipart forms. Because IFRAME transport is used, the
// response headers cannot be accessed for verification.
if (response !== null && !Drupal.settings.urlIsAjaxTrusted[ajax.url]) {
if (xmlhttprequest.getResponseHeader('X-Drupal-Ajax-Token') !== '1') {
var customMessage = Drupal.t("The response failed verification so will not be processed.");
return ajax.error(xmlhttprequest, ajax.url, customMessage);
}
}

return ajax.success(response, status);
},
complete: function (response, status) {
complete: function (xmlhttprequest, status) {
ajax.ajaxing = false;
if (status == 'error' || status == 'parsererror') {
return ajax.error(response, ajax.url);
return ajax.error(xmlhttprequest, ajax.url);
}
},
dataType: 'json',
Expand All @@ -175,6 +200,9 @@ Drupal.ajax = function (base, element, element_settings) {

// Bind the ajaxSubmit function to the element event.
$(ajax.element).bind(element_settings.event, function (event) {
if (!Drupal.settings.urlIsAjaxTrusted[ajax.url] && !Drupal.urlIsLocal(ajax.url)) {
throw new Error(Drupal.t('The callback URL is not local and not trusted: !url', {'!url': ajax.url}));
}
return ajax.eventResponse(this, event);
});

Expand Down Expand Up @@ -447,8 +475,8 @@ Drupal.ajax.prototype.getEffect = function (response) {
/**
* Handler for the form redirection error.
*/
Drupal.ajax.prototype.error = function (response, uri) {
alert(Drupal.ajaxError(response, uri));
Drupal.ajax.prototype.error = function (xmlhttprequest, uri, customMessage) {
alert(Drupal.ajaxError(xmlhttprequest, uri, customMessage));
// Remove the progress element.
if (this.progress.element) {
$(this.progress.element).remove();
Expand All @@ -462,7 +490,7 @@ Drupal.ajax.prototype.error = function (response, uri) {
$(this.element).removeClass('progress-disabled').removeAttr('disabled');
// Reattach behaviors, if they were detached in beforeSerialize().
if (this.form) {
var settings = response.settings || this.settings || Drupal.settings;
var settings = this.settings || Drupal.settings;
Drupal.attachBehaviors(this.form, settings);
}
};
Expand Down
7 changes: 5 additions & 2 deletions misc/autocomplete.js
Original file line number Diff line number Diff line change
Expand Up @@ -271,8 +271,11 @@ Drupal.ACDB.prototype.search = function (searchString) {
var db = this;
this.searchString = searchString;

// See if this string needs to be searched for anyway.
searchString = searchString.replace(/^\s+|\s+$/, '');
// See if this string needs to be searched for anyway. The pattern ../ is
// stripped since it may be misinterpreted by the browser.
searchString = searchString.replace(/^\s+|\.{2,}\/|\s+$/g, '');
// Skip empty search strings, or search strings ending with a comma, since
// that is the separator between search terms.
if (searchString.length <= 0 ||
searchString.charAt(searchString.length - 1) == ',') {
return;
Expand Down
Loading

0 comments on commit fa99d97

Please sign in to comment.