Skip to content

Commit

Permalink
IFME-494 : Drupal core - Critical - Cross-site scripting - SA-CORE-20…
Browse files Browse the repository at this point in the history
…21-002
  • Loading branch information
jpilchisu committed May 4, 2021
1 parent a927e0f commit da9b021
Show file tree
Hide file tree
Showing 37 changed files with 909 additions and 218 deletions.
11 changes: 11 additions & 0 deletions CHANGELOG.txt
Original file line number Diff line number Diff line change
@@ -1,3 +1,14 @@
Drupal 7.80, 2021-04-20
-----------------------
- Fixed security issues:
- SA-CORE-2021-002

Drupal 7.79, 2021-04-07
-----------------------
- Initial support for PHP 8
- Support for SameSite cookie attribute
- Avoid write for unchanged fields (opt-in)

Drupal 7.78, 2021-01-19
-----------------------
- Fixed security issues:
Expand Down
91 changes: 85 additions & 6 deletions includes/bootstrap.inc
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
/**
* The current system version.
*/
define('VERSION', '7.78');
define('VERSION', '7.80');

/**
* Core API compatibility.
Expand Down Expand Up @@ -2596,13 +2596,10 @@ function drupal_get_hash_salt() {
* The filename that the error was raised in.
* @param $line
* The line number the error was raised at.
* @param $context
* An array that points to the active symbol table at the point the error
* occurred.
*/
function _drupal_error_handler($error_level, $message, $filename, $line, $context) {
function _drupal_error_handler($error_level, $message, $filename, $line) {
require_once DRUPAL_ROOT . '/includes/errors.inc';
_drupal_error_handler_real($error_level, $message, $filename, $line, $context);
_drupal_error_handler_real($error_level, $message, $filename, $line);
}

/**
Expand Down Expand Up @@ -3879,3 +3876,85 @@ function drupal_clear_opcode_cache($filepath) {
@apc_delete_file($filepath);
}
}

/**
* Drupal's wrapper around PHP's setcookie() function.
*
* This allows the cookie's $value and $options to be altered.
*
* @param $name
* The name of the cookie.
* @param $value
* The value of the cookie.
* @param $options
* An associative array which may have any of the keys expires, path, domain,
* secure, httponly, samesite.
*
* @see setcookie()
* @ingroup php_wrappers
*/
function drupal_setcookie($name, $value, $options) {
$options = _drupal_cookie_params($options);
if (\PHP_VERSION_ID >= 70300) {
setcookie($name, $value, $options);
}
else {
setcookie($name, $value, $options['expires'], $options['path'], $options['domain'], $options['secure'], $options['httponly']);
}
}

/**
* Process the params for cookies. This emulates support for the SameSite
* attribute in earlier versions of PHP, and allows the value of that attribute
* to be overridden.
*
* @param $options
* An associative array which may have any of the keys expires, path, domain,
* secure, httponly, samesite.
*
* @return
* An associative array which may have any of the keys expires, path, domain,
* secure, httponly, and samesite.
*/
function _drupal_cookie_params($options) {
$options['samesite'] = _drupal_samesite_cookie($options);
if (\PHP_VERSION_ID < 70300) {
// Emulate SameSite support in older PHP versions.
if (!empty($options['samesite'])) {
// Ensure the SameSite attribute is only added once.
if (!preg_match('/SameSite=/i', $options['path'])) {
$options['path'] .= '; SameSite=' . $options['samesite'];
}
}
}
return $options;
}

/**
* Determine the value for the samesite cookie attribute, in the following order
* of precedence:
*
* 1) A value explicitly passed to drupal_setcookie()
* 2) A value set in $conf['samesite_cookie_value']
* 3) The setting from php ini
* 4) The default of None, or FALSE (no attribute) if the cookie is not Secure
*
* @param $options
* An associative array as passed to drupal_setcookie().
* @return
* The value for the samesite cookie attribute.
*/
function _drupal_samesite_cookie($options) {
if (isset($options['samesite'])) {
return $options['samesite'];
}
$override = variable_get('samesite_cookie_value', NULL);
if ($override !== NULL) {
return $override;
}
$ini_options = session_get_cookie_params();
if (isset($ini_options['samesite'])) {
return $ini_options['samesite'];
}
return empty($options['secure']) ? FALSE : 'None';
}
13 changes: 11 additions & 2 deletions includes/common.inc
Original file line number Diff line number Diff line change
Expand Up @@ -1559,7 +1559,7 @@ function _filter_xss_split($m, $store = FALSE) {
return '&lt;';
}

if (!preg_match('%^<\s*(/\s*)?([a-zA-Z0-9\-]+)([^>]*)>?|(<!--.*?-->)$%', $string, $matches)) {
if (!preg_match('%^<\s*(/\s*)?([a-zA-Z0-9\-]+)\s*([^>]*)>?|(<!--.*?-->)$%', $string, $matches)) {
// Seriously malformed.
return '';
}
Expand Down Expand Up @@ -1618,7 +1618,13 @@ function _filter_xss_attributes($attr) {
// Attribute name, href for instance.
if (preg_match('/^([-a-zA-Z]+)/', $attr, $match)) {
$attrname = strtolower($match[1]);
$skip = ($attrname == 'style' || substr($attrname, 0, 2) == 'on');
$skip = (
$attrname == 'style' ||
substr($attrname, 0, 2) == 'on' ||
substr($attrname, 0, 1) == '-' ||
// Ignore long attributes to avoid unnecessary processing overhead.
strlen($attrname) > 96
);
$working = $mode = 1;
$attr = preg_replace('/^[-a-zA-Z]+/', '', $attr);
}
Expand Down Expand Up @@ -2329,6 +2335,7 @@ function url($path = NULL, array $options = array()) {
}
elseif (!empty($path) && !$options['alias']) {
$language = isset($options['language']) && isset($options['language']->language) ? $options['language']->language : '';
require_once DRUPAL_ROOT . '/' . variable_get('path_inc', 'includes/path.inc');
$alias = drupal_get_path_alias($original_path, $language);
if ($alias != $original_path) {
// Strip leading slashes from internal path aliases to prevent them
Expand Down Expand Up @@ -5166,6 +5173,8 @@ function drupal_build_js_cache($files) {
$contents .= file_get_contents($path) . ";\n";
}
}
// Remove JS source and source mapping urls or these may cause 404 errors.
$contents = preg_replace('/\/\/(#|@)\s(sourceURL|sourceMappingURL)=\s*(\S*?)\s*$/m', '', $contents);
// Prefix filename to prevent blocking by firewalls which reject files
// starting with "ad*".
$filename = 'js_' . drupal_hash_base64($contents) . '.js';
Expand Down
48 changes: 36 additions & 12 deletions includes/database/database.inc
Original file line number Diff line number Diff line change
Expand Up @@ -184,7 +184,7 @@
*
* @see http://php.net/manual/book.pdo.php
*/
abstract class DatabaseConnection extends PDO {
abstract class DatabaseConnection {

/**
* The database target this connection is for.
Expand Down Expand Up @@ -261,6 +261,13 @@ abstract class DatabaseConnection extends PDO {
*/
protected $temporaryNameIndex = 0;

/**
* The actual PDO connection.
*
* @var \PDO
*/
protected $connection;

/**
* The connection information for this connection object.
*
Expand Down Expand Up @@ -325,14 +332,27 @@ abstract class DatabaseConnection extends PDO {
$driver_options[PDO::ATTR_ERRMODE] = PDO::ERRMODE_EXCEPTION;

// Call PDO::__construct and PDO::setAttribute.
parent::__construct($dsn, $username, $password, $driver_options);
$this->connection = new PDO($dsn, $username, $password, $driver_options);

// Set a Statement class, unless the driver opted out.
if (!empty($this->statementClass)) {
$this->setAttribute(PDO::ATTR_STATEMENT_CLASS, array($this->statementClass, array($this)));
$this->connection->setAttribute(PDO::ATTR_STATEMENT_CLASS, array($this->statementClass, array($this)));
}
}

/**
* Proxy possible direct calls to the \PDO methods.
*
* Since PHP8.0 the signature of the the \PDO::query() method has changed,
* and this class can't extending \PDO any more.
*
* However, for the BC, proxy any calls to the \PDO methods to the actual
* PDO connection object.
*/
public function __call($name, $arguments) {
return call_user_func_array(array($this->connection, $name), $arguments);
}

/**
* Destroys this Connection object.
*
Expand All @@ -346,7 +366,7 @@ abstract class DatabaseConnection extends PDO {
// The Statement class attribute only accepts a new value that presents a
// proper callable, so we reset it to PDOStatement.
if (!empty($this->statementClass)) {
$this->setAttribute(PDO::ATTR_STATEMENT_CLASS, array('PDOStatement', array()));
$this->connection->setAttribute(PDO::ATTR_STATEMENT_CLASS, array('PDOStatement', array()));
}
$this->schema = NULL;
}
Expand Down Expand Up @@ -521,7 +541,7 @@ abstract class DatabaseConnection extends PDO {
$query = $this->prefixTables($query);

// Call PDO::prepare.
return parent::prepare($query);
return $this->connection->prepare($query);
}

/**
Expand Down Expand Up @@ -733,7 +753,7 @@ abstract class DatabaseConnection extends PDO {
case Database::RETURN_AFFECTED:
return $stmt->rowCount();
case Database::RETURN_INSERT_ID:
return $this->lastInsertId();
return $this->connection->lastInsertId();
case Database::RETURN_NULL:
return;
default:
Expand Down Expand Up @@ -1116,7 +1136,7 @@ abstract class DatabaseConnection extends PDO {
$rolled_back_other_active_savepoints = TRUE;
}
}
parent::rollBack();
$this->connection->rollBack();
if ($rolled_back_other_active_savepoints) {
throw new DatabaseTransactionOutOfOrderException();
}
Expand Down Expand Up @@ -1144,7 +1164,7 @@ abstract class DatabaseConnection extends PDO {
$this->query('SAVEPOINT ' . $name);
}
else {
parent::beginTransaction();
$this->connection->beginTransaction();
}
$this->transactionLayers[$name] = $name;
}
Expand Down Expand Up @@ -1195,7 +1215,7 @@ abstract class DatabaseConnection extends PDO {
// If there are no more layers left then we should commit.
unset($this->transactionLayers[$name]);
if (empty($this->transactionLayers)) {
if (!parent::commit()) {
if (!$this->connection->commit()) {
throw new DatabaseTransactionCommitFailedException();
}
}
Expand Down Expand Up @@ -1279,7 +1299,7 @@ abstract class DatabaseConnection extends PDO {
* Returns the version of the database server.
*/
public function version() {
return $this->getAttribute(PDO::ATTR_SERVER_VERSION);
return $this->connection->getAttribute(PDO::ATTR_SERVER_VERSION);
}

/**
Expand Down Expand Up @@ -1724,12 +1744,16 @@ abstract class Database {
*
* @param $key
* The connection key.
* @param $close
* Whether to close the connection.
* @return
* TRUE in case of success, FALSE otherwise.
*/
final public static function removeConnection($key) {
final public static function removeConnection($key, $close = TRUE) {
if (isset(self::$databaseInfo[$key])) {
self::closeConnection(NULL, $key);
if ($close) {
self::closeConnection(NULL, $key);
}
unset(self::$databaseInfo[$key]);
return TRUE;
}
Expand Down
Loading

0 comments on commit da9b021

Please sign in to comment.