From 0987fb36807b7d66a9f6e5574058a18279519450 Mon Sep 17 00:00:00 2001
From: John Rearick
Date: Wed, 16 Sep 2020 13:52:09 -0500
Subject: [PATCH 1/3] LUGG-1215 Drupal 7.73 SA-CORE-2020-007
---
 CHANGELOG.txt | 5 +++++
 includes/bootstrap.inc | 2 +-
 misc/ajax.js | 3 ++-
 misc/autocomplete.js | 3 ++-
 misc/drupal.js | 17 +++++++++++++++++
 5 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 4f438e7b4..7f5f570a5 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,3 +1,8 @@
+Drupal 7.73, 2020-09-16
+-----------------------
+- Fixed security issues:
+ - SA-CORE-2020-007
+
 Drupal 7.72, 2020-06-17
 -----------------------
 - Fixed security issues:
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 7ac17ab7c..099c348d7 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
 /**
 * The current system version.
 */
-define('VERSION', '7.72');
+define('VERSION', '7.73');
 /**
 * Core API compatibility.
diff --git a/misc/ajax.js b/misc/ajax.js
index 0c9579b00..79a4e9eb6 100644
--- a/misc/ajax.js
+++ b/misc/ajax.js
@@ -149,7 +149,7 @@ Drupal.ajax = function (base, element, element_settings) {
 // The 'this' variable will not persist inside of the options object.
 var ajax = this;
 ajax.options = {
- url: ajax.url,
+ url: Drupal.sanitizeAjaxUrl(ajax.url),
 data: ajax.submit,
 beforeSerialize: function (element_settings, options) {
 return ajax.beforeSerialize(element_settings, options);
@@ -195,6 +195,7 @@ Drupal.ajax = function (base, element, element_settings) {
 }
 },
 dataType: 'json',
+ jsonp: false,
 type: 'POST'
 };
diff --git a/misc/autocomplete.js b/misc/autocomplete.js
index af090713c..09ceeec0f 100644
--- a/misc/autocomplete.js
+++ b/misc/autocomplete.js
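Review bot: The new `jsonp: false` line in the second misc/ajax.js hunk (and the matching line in the misc/autocomplete.js hunk) carries no comment explaining why it sits next to `dataType: 'json'`, so a later cleanup could easily drop it as redundant. Both hunks guard the same thing: jQuery's JSONP auto-detection, which turns a JSON request whose URL contains `=?` into a script load; `jsonp: false` is honoured by newer jQuery builds, while the `Drupal.sanitizeAjaxUrl()` wrapping in the first hunk covers the jQuery 1.4.x bundled with core, which as far as I recall ignores that option during auto-detection. Add a why-comment on the `jsonp: false` line, e.g. `// Disable JSONP auto-detection; older bundled jQuery ignores this, hence the sanitizeAjaxUrl() wrapping of the URL above.`, and the equivalent in autocomplete.js. The enclosing `Drupal.ajax` constructor begins and ends outside both hunks.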
@@ -297,8 +297,9 @@ Drupal.ACDB.prototype.search = function (searchString) {
 // encodeURIComponent to allow autocomplete search terms to contain slashes.
 $.ajax({
 type: 'GET',
- url: db.uri + '/' + Drupal.encodePath(searchString),
+ url: Drupal.sanitizeAjaxUrl(db.uri + '/' + Drupal.encodePath(searchString)),
 dataType: 'json',
+ jsonp: false,
 success: function (matches) {
 if (typeof matches.status == 'undefined' || matches.status != 0) {
 db.cache[searchString] = matches;
diff --git a/misc/drupal.js b/misc/drupal.js
index 19fbc712f..7a3f5f592 100644
--- a/misc/drupal.js
+++ b/misc/drupal.js
@@ -424,6 +424,23 @@ Drupal.urlIsLocal = function (url) {
 return absoluteUrl === baseUrl || absoluteUrl.indexOf(baseUrl + '/') === 0;
 };
+/**
+ * Sanitizes a URL for use with jQuery.ajax().
+ *
+ * @param url
+ * The URL string to be sanitized.
+ *
+ * @return
+ * The sanitized URL.
+ */
+Drupal.sanitizeAjaxUrl = function (url) {
+ var regex = /\=\?(&|$)/;
+ while (url.match(regex)) {
+ url = url.replace(regex, '');
+ }
+ return url;
+}
+
 /**
 * Generate the themed representation of a Drupal object.
 *
From af016ef4d3629408c84d40e8fe1c019de68b8812 Mon Sep 17 00:00:00 2001
From: John Rearick
Date: Wed, 16 Sep 2020 14:09:55 -0500
Subject: [PATCH 2/3] LUGG-1215 Luggage version to 3.6.14
---
 LUGGAGE_CHANGELOG.txt | 5 +++++
 LUGGAGE_VERSION.php | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/LUGGAGE_CHANGELOG.txt b/LUGGAGE_CHANGELOG.txt
index 1cb491512..20aa28c08 100644
--- a/LUGGAGE_CHANGELOG.txt
+++ b/LUGGAGE_CHANGELOG.txt
@@ -2,6 +2,11 @@ How to read this changelog:
 The LUGG- prefix refers to JIRA issue numbers; the # prefix refers to GitHub issue numbers.
+Luggage 3.6.14, 2020-09-16
+Drupal 7.73, 2020-09-16
+-------------------------
+- LUGG-1215 - Drupal 7.73 SA-CORE-2020-007
+
 Luggage 3.6.13, 2020-06-17
 Drupal 7.72, 2020-06-17
 -------------------------
diff --git a/LUGGAGE_VERSION.php b/LUGGAGE_VERSION.php
index 35f3e78e6..f8dbf54df 100644
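Review bot: In the misc/drupal.js hunk, `Drupal.sanitizeAjaxUrl()` removes the whole match of `/\=\?(&|$)/`, including the `&` separator, so a URL such as `a=?&b=1` (constructed example) comes back as `ab=1`, fusing two query parameters instead of only neutralising the `=?` token; a lookahead keeps the separator: `var regex = /=\?(?=&|$)/;`. The `while` loop is still required with that form, because a single pass over `a=?=?&` leaves `a=?&`, which jQuery would again read as a JSONP placeholder. The function expression is closed with a bare `}` whereas the neighbouring `Drupal.urlIsLocal` in the context lines ends with `};`; add the semicolon. The doc block would also benefit from stating the reason the helper exists, e.g. `Strips the "=?" placeholder that jQuery interprets as a JSONP callback request, so a JSON response is never fetched and executed as script.`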
--- a/LUGGAGE_VERSION.php
+++ b/LUGGAGE_VERSION.php
@@ -1,3 +1,3 @@
Date: Wed, 16 Sep 2020 14:27:51 -0500
Subject: [PATCH 3/3] LUGG-1215 Luggage ISU Version to 6.14
---
 LUGGAGE_ISU_CHANGELOG.txt | 6 ++++++
 LUGGAGE_ISU_VERSION.php | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/LUGGAGE_ISU_CHANGELOG.txt b/LUGGAGE_ISU_CHANGELOG.txt
index b338fbb55..635ddd7f5 100644
--- a/LUGGAGE_ISU_CHANGELOG.txt
+++ b/LUGGAGE_ISU_CHANGELOG.txt
@@ -6,6 +6,12 @@ The Luggage_ISU version number shows the upstream Luggage version it is based on as well as the Luggage_ISU version. For example, Luggage_ISU 3.5.0-5.0 is based on the upstream Luggage release 3.5.0.
+Luggage_ISU 3.6.14-6.14, 2020-09-16
+Drupal 7.73, 2020-09-16
+-------------------------
+Merged with upstream Luggage 3.6.14
+- LUGG-1215 - Drupal 7.73 SA-CORE-2020-007
+
 Luggage_ISU 3.6.13-6.13, 2020-06-17
 Drupal 7.72, 2020-06-17
 -------------------------
diff --git a/LUGGAGE_ISU_VERSION.php b/LUGGAGE_ISU_VERSION.php
index 7e8fca0af..b1af5eb65 100644
--- a/LUGGAGE_ISU_VERSION.php
+++ b/LUGGAGE_ISU_VERSION.php
@@ -1,3 +1,3 @@