Skip to content

Commit

Permalink
Update to Drupal 7.74. For more information, see https://www.drupal.o…
Browse files Browse the repository at this point in the history
  • Loading branch information
Pantheon Automation authored and greg-1-anderson committed Nov 18, 2020
1 parent 2cb3222 commit 2733cbd
Show file tree
Hide file tree
Showing 5 changed files with 266 additions and 34 deletions.
5 changes: 5 additions & 0 deletions CHANGELOG.txt
Original file line number Diff line number Diff line change
@@ -1,3 +1,8 @@
Drupal 7.74, 2020-11-17
-----------------------
- Fixed security issues:
- SA-CORE-2020-012

Drupal 7.73, 2020-09-16
-----------------------
- Fixed security issues:
Expand Down
2 changes: 1 addition & 1 deletion includes/bootstrap.inc
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
/**
* The current system version.
*/
define('VERSION', '7.73');
define('VERSION', '7.74');

/**
* Core API compatibility.
Expand Down
70 changes: 48 additions & 22 deletions includes/file.inc
Original file line number Diff line number Diff line change
Expand Up @@ -1151,8 +1151,8 @@ function file_unmanaged_move($source, $destination = NULL, $replace = FILE_EXIST
* exploit.php_.pps.
*
* Specifically, this function adds an underscore to all extensions that are
* between 2 and 5 characters in length, internal to the file name, and not
* included in $extensions.
* between 2 and 5 characters in length, internal to the file name, and either
* included in the list of unsafe extensions, or not included in $extensions.
*
* Function behavior is also controlled by the Drupal variable
* 'allow_insecure_uploads'. If 'allow_insecure_uploads' evaluates to TRUE, no
Expand All @@ -1161,7 +1161,8 @@ function file_unmanaged_move($source, $destination = NULL, $replace = FILE_EXIST
* @param $filename
* File name to modify.
* @param $extensions
* A space-separated list of extensions that should not be altered.
* A space-separated list of extensions that should not be altered. Note that
* extensions that are unsafe will be altered regardless of this parameter.
* @param $alerts
* If TRUE, drupal_set_message() will be called to display a message if the
* file name was changed.
Expand All @@ -1179,6 +1180,10 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {

$whitelist = array_unique(explode(' ', strtolower(trim($extensions))));

// Remove unsafe extensions from the list of allowed extensions. The list is
// copied from file_save_upload().
$whitelist = array_diff($whitelist, explode('|', 'php|phar|pl|py|cgi|asp|js'));

// Split the filename up by periods. The first part becomes the basename
// the last part the final extension.
$filename_parts = explode('.', $filename);
Expand Down Expand Up @@ -1546,25 +1551,35 @@ function file_save_upload($form_field_name, $validators = array(), $destination
$validators['file_validate_extensions'][0] = $extensions;
}

if (!empty($extensions)) {
// Munge the filename to protect against possible malicious extension hiding
// within an unknown file type (ie: filename.html.foo).
$file->filename = file_munge_filename($file->filename, $extensions);
}

// Rename potentially executable files, to help prevent exploits (i.e. will
// rename filename.php.foo and filename.php to filename.php.foo.txt and
// filename.php.txt, respectively). Don't rename if 'allow_insecure_uploads'
// evaluates to TRUE.
if (!variable_get('allow_insecure_uploads', 0) && preg_match('/\.(php|phar|pl|py|cgi|asp|js)(\.|$)/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
$file->filemime = 'text/plain';
// The destination filename will also later be used to create the URI.
$file->filename .= '.txt';
// The .txt extension may not be in the allowed list of extensions. We have
// to add it here or else the file upload will fail.
if (!variable_get('allow_insecure_uploads', 0)) {
if (!empty($extensions)) {
$validators['file_validate_extensions'][0] .= ' txt';
drupal_set_message(t('For security reasons, your upload has been renamed to %filename.', array('%filename' => $file->filename)));
// Munge the filename to protect against possible malicious extension hiding
// within an unknown file type (ie: filename.html.foo).
$file->filename = file_munge_filename($file->filename, $extensions);
}

// Rename potentially executable files, to help prevent exploits (i.e. will
// rename filename.php.foo and filename.php to filename.php_.foo_.txt and
// filename.php_.txt, respectively). Don't rename if 'allow_insecure_uploads'
// evaluates to TRUE.
if (preg_match('/\.(php|phar|pl|py|cgi|asp|js)(\.|$)/i', $file->filename)) {
// If the file will be rejected anyway due to a disallowed extension, it
// should not be renamed; rather, we'll let file_validate_extensions()
// reject it below.
if (!isset($validators['file_validate_extensions']) || !file_validate_extensions($file, $extensions)) {
$file->filemime = 'text/plain';
if (substr($file->filename, -4) != '.txt') {
// The destination filename will also later be used to create the URI.
$file->filename .= '.txt';
}
$file->filename = file_munge_filename($file->filename, $extensions, FALSE);
drupal_set_message(t('For security reasons, your upload has been renamed to %filename.', array('%filename' => $file->filename)));
// The .txt extension may not be in the allowed list of extensions. We have
// to add it here or else the file upload will fail.
if (!empty($validators['file_validate_extensions'][0])) {
$validators['file_validate_extensions'][0] .= ' txt';
}
}
}
}

Expand Down Expand Up @@ -1732,7 +1747,18 @@ function file_validate(stdClass &$file, $validators = array()) {
}

// Let other modules perform validation on the new file.
return array_merge($errors, module_invoke_all('file_validate', $file));
$errors = array_merge($errors, module_invoke_all('file_validate', $file));

// Ensure the file does not contain a malicious extension. At this point
// file_save_upload() will have munged the file so it does not contain a
// malicious extension. Contributed and custom code that calls this method
// needs to take similar steps if they need to permit files with malicious
// extensions to be uploaded.
if (empty($errors) && !variable_get('allow_insecure_uploads', 0) && preg_match('/\.(php|phar|pl|py|cgi|asp|js)(\.|$)/i', $file->filename)) {
$errors[] = t('For security reasons, your upload has been rejected.');
}

return $errors;
}

/**
Expand Down
Loading

0 comments on commit 2733cbd

Please sign in to comment.