SERV-214: Updated core and modules

Author: cableman

CHANGELOG.txt

@@ -1,3 +1,14 @@
+Drupal 7.60, 2018-10-18
+------------------------
+- Fixed security issues. See SA-CORE-2018-006.
+
+Drupal 7.59, 2018-04-25
+-----------------------
+- Fixed security issues (remote code execution). See SA-CORE-2018-004.
+
+Drupal 7.58, 2018-03-28
+-----------------------
+- Fixed security issues (multiple vulnerabilities). See SA-CORE-2018-002.
 
 Drupal 7.57, 2018-02-21
 -----------------------

includes/bootstrap.inc

@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.57');
+define('VERSION', '7.60');
 
 /**
  * Core API compatibility.
@@ -2632,6 +2632,10 @@ function _drupal_bootstrap_configuration() {
   timer_start('page');
   // Initialize the configuration, including variables from settings.php.
   drupal_settings_initialize();
+
+  // Sanitize unsafe keys from the request.
+  require_once DRUPAL_ROOT . '/includes/request-sanitizer.inc';
+  DrupalRequestSanitizer::sanitize();
 }
 
 /**
@@ -2774,6 +2778,11 @@ function _drupal_bootstrap_variables() {
       unset($_GET['destination']);
       unset($_REQUEST['destination']);
     }
+    // Use the DrupalRequestSanitizer to ensure that the destination's query
+    // parameters are not dangerous.
+    if (isset($_GET['destination'])) {
+      DrupalRequestSanitizer::cleanDestination();
+    }
     // If there's still something in $_REQUEST['destination'] that didn't come
     // from $_GET, check it too.
     if (isset($_REQUEST['destination']) && (!isset($_GET['destination']) || $_REQUEST['destination'] != $_GET['destination']) && url_is_external($_REQUEST['destination'])) {

includes/common.inc

@@ -611,8 +611,9 @@ function drupal_parse_url($url) {
   }
   // The 'q' parameter contains the path of the current page if clean URLs are
   // disabled. It overrides the 'path' of the URL when present, even if clean
-  // URLs are enabled, due to how Apache rewriting rules work.
-  if (isset($options['query']['q'])) {
+  // URLs are enabled, due to how Apache rewriting rules work. The path
+  // parameter must be a string.
+  if (isset($options['query']['q']) && is_string($options['query']['q'])) {
     $options['path'] = $options['query']['q'];
     unset($options['query']['q']);
   }
@@ -2310,7 +2311,10 @@ function url($path = NULL, array $options = array()) {
     $language = isset($options['language']) && isset($options['language']->language) ? $options['language']->language : '';
     $alias = drupal_get_path_alias($original_path, $language);
     if ($alias != $original_path) {
-      $path = $alias;
+      // Strip leading slashes from internal path aliases to prevent them
+      // becoming external URLs without protocol. /example.com should not be
+      // turned into //example.com.
+      $path = ltrim($alias, '/');
     }
   }
 

includes/request-sanitizer.inc

@@ -0,0 +1,114 @@
+<?php
+
+/**
+ * @file
+ * Contains code for sanitizing user input from the request.
+ */
+
+/**
+ * Sanitizes user input from the request.
+ */
+class DrupalRequestSanitizer {
+
+  /**
+   * Tracks whether the request was already sanitized.
+   */
+  protected static $sanitized = FALSE;
+
+  /**
+   * Modifies the request to strip dangerous keys from user input.
+   */
+  public static function sanitize() {
+    if (!self::$sanitized) {
+      $whitelist = variable_get('sanitize_input_whitelist', array());
+      $log_sanitized_keys = variable_get('sanitize_input_logging', FALSE);
+
+      // Process query string parameters.
+      $get_sanitized_keys = array();
+      $_GET = self::stripDangerousValues($_GET, $whitelist, $get_sanitized_keys);
+      if ($log_sanitized_keys && $get_sanitized_keys) {
+        _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from query string parameters (GET): @keys', array('@keys' => implode(', ', $get_sanitized_keys))), E_USER_NOTICE);
+      }
+
+      // Process request body parameters.
+      $post_sanitized_keys = array();
+      $_POST = self::stripDangerousValues($_POST, $whitelist, $post_sanitized_keys);
+      if ($log_sanitized_keys && $post_sanitized_keys) {
+        _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from request body parameters (POST): @keys', array('@keys' => implode(', ', $post_sanitized_keys))), E_USER_NOTICE);
+      }
+
+      // Process cookie parameters.
+      $cookie_sanitized_keys = array();
+      $_COOKIE = self::stripDangerousValues($_COOKIE, $whitelist, $cookie_sanitized_keys);
+      if ($log_sanitized_keys && $cookie_sanitized_keys) {
+        _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from cookie parameters (COOKIE): @keys', array('@keys' => implode(', ', $cookie_sanitized_keys))), E_USER_NOTICE);
+      }
+
+      $request_sanitized_keys = array();
+      $_REQUEST = self::stripDangerousValues($_REQUEST, $whitelist, $request_sanitized_keys);
+
+      self::$sanitized = TRUE;
+    }
+  }
+
+  /**
+   * Removes the destination if it is dangerous.
+   *
+   * Note this can only be called after common.inc has been included.
+   *
+   * @return bool
+   *   TRUE if the destination has been removed from $_GET, FALSE if not.
+   */
+  public static function cleanDestination() {
+    $dangerous_keys = array();
+    $log_sanitized_keys = variable_get('sanitize_input_logging', FALSE);
+
+    $parts = drupal_parse_url($_GET['destination']);
+    // If there is a query string, check its query parameters.
+    if (!empty($parts['query'])) {
+      $whitelist = variable_get('sanitize_input_whitelist', array());
+
+      self::stripDangerousValues($parts['query'], $whitelist, $dangerous_keys);
+      if (!empty($dangerous_keys)) {
+        // The destination is removed rather than sanitized to mirror the
+        // handling of external destinations.
+        unset($_GET['destination']);
+        unset($_REQUEST['destination']);
+        if ($log_sanitized_keys) {
+          trigger_error(format_string('Potentially unsafe destination removed from query string parameters (GET) because it contained the following keys: @keys', array('@keys' => implode(', ', $dangerous_keys))));
+        }
+        return TRUE;
+      }
+    }
+    return FALSE;
+  }
+
+  /**
+   * Strips dangerous keys from the provided input.
+   *
+   * @param mixed $input
+   *   The input to sanitize.
+   * @param string[] $whitelist
+   *   An array of keys to whitelist as safe.
+   * @param string[] $sanitized_keys
+   *   An array of keys that have been removed.
+   *
+   * @return mixed
+   *   The sanitized input.
+   */
+  protected static function stripDangerousValues($input, array $whitelist, array &$sanitized_keys) {
+    if (is_array($input)) {
+      foreach ($input as $key => $value) {
+        if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) {
+          unset($input[$key]);
+          $sanitized_keys[] = $key;
+        }
+        else {
+          $input[$key] = self::stripDangerousValues($input[$key], $whitelist, $sanitized_keys);
+        }
+      }
+    }
+    return $input;
+  }
+
+}

modules/aggregator/aggregator.info

@@ -7,8 +7,7 @@ files[] = aggregator.test
 configure = admin/config/services/aggregator/settings
 stylesheets[all][] = aggregator.css
 
-; Information added by Drupal.org packaging script on 2018-02-21
-version = "7.57"
+; Information added by Drupal.org packaging script on 2018-10-17
+version = "7.60"
 project = "drupal"
-datestamp = "1519235152"
-
+datestamp = "1539816636"

modules/aggregator/tests/aggregator_test.info

@@ -5,8 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2018-02-21
-version = "7.57"
+; Information added by Drupal.org packaging script on 2018-10-17
+version = "7.60"
 project = "drupal"
-datestamp = "1519235152"
-
+datestamp = "1539816636"

modules/block/block.info

@@ -6,8 +6,7 @@ core = 7.x
 files[] = block.test
 configure = admin/structure/block
 
-; Information added by Drupal.org packaging script on 2018-02-21
-version = "7.57"
+; Information added by Drupal.org packaging script on 2018-10-17
+version = "7.60"
 project = "drupal"
-datestamp = "1519235152"
-
+datestamp = "1539816636"

modules/block/tests/block_test.info

@@ -5,8 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2018-02-21
-version = "7.57"
+; Information added by Drupal.org packaging script on 2018-10-17
+version = "7.60"
 project = "drupal"
-datestamp = "1519235152"
-
+datestamp = "1539816636"

modules/block/tests/themes/block_test_theme/block_test_theme.info

@@ -13,8 +13,7 @@ regions[footer] = Footer
 regions[highlighted] = Highlighted
 regions[help] = Help
 
-; Information added by Drupal.org packaging script on 2018-02-21
-version = "7.57"
+; Information added by Drupal.org packaging script on 2018-10-17
+version = "7.60"
 project = "drupal"
-datestamp = "1519235152"
-
+datestamp = "1539816636"

modules/blog/blog.info

@@ -5,8 +5,7 @@ version = VERSION
 core = 7.x
 files[] = blog.test
 
-; Information added by Drupal.org packaging script on 2018-02-21
-version = "7.57"
+; Information added by Drupal.org packaging script on 2018-10-17
+version = "7.60"
 project = "drupal"
-datestamp = "1519235152"
-
+datestamp = "1539816636"

modules/book/book.info

@@ -7,8 +7,7 @@ files[] = book.test
 configure = admin/content/book/settings
 stylesheets[all][] = book.css
 
-; Information added by Drupal.org packaging script on 2018-02-21
-version = "7.57"
+; Information added by Drupal.org packaging script on 2018-10-17
+version = "7.60"
 project = "drupal"
-datestamp = "1519235152"
-
+datestamp = "1539816636"

modules/color/color.info

@@ -5,8 +5,7 @@ version = VERSION
 core = 7.x
 files[] = color.test
 
-; Information added by Drupal.org packaging script on 2018-02-21
-version = "7.57"
+; Information added by Drupal.org packaging script on 2018-10-17
+version = "7.60"
 project = "drupal"
-datestamp = "1519235152"
-
+datestamp = "1539816636"

modules/comment/comment.info

@@ -9,8 +9,7 @@ files[] = comment.test
 configure = admin/content/comment
 stylesheets[all][] = comment.css
 
-; Information added by Drupal.org packaging script on 2018-02-21
-version = "7.57"
+; Information added by Drupal.org packaging script on 2018-10-17
+version = "7.60"
 project = "drupal"
-datestamp = "1519235152"
-
+datestamp = "1539816636"

modules/contact/contact.info

@@ -6,8 +6,7 @@ core = 7.x
 files[] = contact.test
 configure = admin/structure/contact
 
-; Information added by Drupal.org packaging script on 2018-02-21
-version = "7.57"
+; Information added by Drupal.org packaging script on 2018-10-17
+version = "7.60"
 project = "drupal"
-datestamp = "1519235152"
-
+datestamp = "1539816636"

modules/contextual/contextual.info

@@ -5,8 +5,7 @@ version = VERSION
 core = 7.x
 files[] = contextual.test
 
-; Information added by Drupal.org packaging script on 2018-02-21
-version = "7.57"
+; Information added by Drupal.org packaging script on 2018-10-17
+version = "7.60"
 project = "drupal"
-datestamp = "1519235152"
-
+datestamp = "1539816636"

modules/dashboard/dashboard.info

@@ -7,8 +7,7 @@ files[] = dashboard.test
 dependencies[] = block
 configure = admin/dashboard/customize
 
-; Information added by Drupal.org packaging script on 2018-02-21
-version = "7.57"
+; Information added by Drupal.org packaging script on 2018-10-17
+version = "7.60"
 project = "drupal"
-datestamp = "1519235152"
-
+datestamp = "1539816636"

modules/dblog/dblog.info

@@ -5,8 +5,7 @@ version = VERSION
 core = 7.x
 files[] = dblog.test
 
-; Information added by Drupal.org packaging script on 2018-02-21
-version = "7.57"
+; Information added by Drupal.org packaging script on 2018-10-17
+version = "7.60"
 project = "drupal"
-datestamp = "1519235152"
-
+datestamp = "1539816636"

modules/field/field.info

@@ -11,8 +11,7 @@ dependencies[] = field_sql_storage
 required = TRUE
 stylesheets[all][] = theme/field.css
 
-; Information added by Drupal.org packaging script on 2018-02-21
-version = "7.57"
+; Information added by Drupal.org packaging script on 2018-10-17
+version = "7.60"
 project = "drupal"
-datestamp = "1519235152"
-
+datestamp = "1539816636"

modules/field/modules/field_sql_storage/field_sql_storage.info

@@ -7,8 +7,7 @@ dependencies[] = field
 files[] = field_sql_storage.test
 required = TRUE
 
-; Information added by Drupal.org packaging script on 2018-02-21
-version = "7.57"
+; Information added by Drupal.org packaging script on 2018-10-17
+version = "7.60"
 project = "drupal"
-datestamp = "1519235152"
-
+datestamp = "1539816636"

modules/field/modules/list/list.info

@@ -7,8 +7,7 @@ dependencies[] = field
 dependencies[] = options
 files[] = tests/list.test
 
-; Information added by Drupal.org packaging script on 2018-02-21
-version = "7.57"
+; Information added by Drupal.org packaging script on 2018-10-17
+version = "7.60"
 project = "drupal"
-datestamp = "1519235152"
-
+datestamp = "1539816636"

modules/field/modules/list/tests/list_test.info

@@ -5,8 +5,7 @@ package = Testing
 version = VERSION
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2018-02-21
-version = "7.57"
+; Information added by Drupal.org packaging script on 2018-10-17
+version = "7.60"
 project = "drupal"
-datestamp = "1519235152"
-
+datestamp = "1539816636"