diff --git a/CHANGELOG.txt b/CHANGELOG.txt index f75354e603c..29277196e0b 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -1,4 +1,8 @@ +Drupal 7.41, 2015-10-21 +----------------------- +- Fixed security issues (open redirect). See SA-CORE-2015-004. + Drupal 7.40, 2015-10-14 ----------------------- - Made Drupal's code for parsing .info files run much faster and use much less diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc index 761943b3194..1a5433b9e0e 100644 --- a/includes/bootstrap.inc +++ b/includes/bootstrap.inc @@ -8,7 +8,7 @@ /** * The current system version. */ -define('VERSION', '7.40'); +define('VERSION', '7.41'); /** * Core API compatibility. diff --git a/modules/overlay/overlay-parent.js b/modules/overlay/overlay-parent.js index 7859821b49d..efb26370c50 100644 --- a/modules/overlay/overlay-parent.js +++ b/modules/overlay/overlay-parent.js @@ -350,7 +350,7 @@ Drupal.overlay.setFocusBefore = function ($element, document) { * TRUE if the URL represents an administrative link, FALSE otherwise. */ Drupal.overlay.isAdminLink = function (url) { - if (Drupal.overlay.isExternalLink(url)) { + if (!Drupal.urlIsLocal(url)) { return false; } @@ -378,6 +378,8 @@ Drupal.overlay.isAdminLink = function (url) { /** * Determine whether a link is external to the site. * + * Deprecated. Use Drupal.urlIsLocal() instead. + * * @param url * The URL to be tested. * @@ -385,8 +387,7 @@ Drupal.overlay.isAdminLink = function (url) { * TRUE if the URL is external to the site, FALSE otherwise. */ Drupal.overlay.isExternalLink = function (url) { - var re = RegExp('^((f|ht)tps?:)?//(?!' + window.location.host + ')'); - return re.test(url); + return !Drupal.urlIsLocal(url); }; /** @@ -405,7 +406,7 @@ Drupal.overlay.isExternalLink = function (url) { */ Drupal.overlay.getInternalUrl = function (path) { var url = Drupal.settings.basePath + path; - if (!this.isExternalLink(url)) { + if (Drupal.urlIsLocal(url)) { return url; } };