Skip to content
Snippets Groups Projects
Commit 17ff00c6 authored by Jess's avatar Jess
Browse files

SA-CORE-2016-003 by alexpott, Michael Dowling, mlhess, xjm, Pere Orga,... 

SA-CORE-2016-003 by alexpott, Michael Dowling, mlhess, xjm, Pere Orga, dawehner, greggles, coltrane, pwolanin, larowlan
parent 2fb3a051
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
.htaccess
+ 3
1
View file @ 17ff00c6
......@@ -180,8 +180,10 @@ AddEncoding gzip svgz
</IfModule>
</IfModule>
# Add headers to all responses.
# Various header fixes.
<IfModule mod_headers.c>
# Disable content sniffing, since it's an attack vector.
Header always set X-Content-Type-Options nosniff
# Disable Proxy header, since it's an attack vector.
RequestHeader unset Proxy
</IfModule>
composer.lock
+ 22
22
View file @ 17ff00c6
......@@ -678,32 +678,32 @@
},
{
"name": "guzzlehttp/guzzle",
"version": "6.1.0",
"version": "6.2.1",
"source": {
"type": "git",
"url": "https://github.com/guzzle/guzzle.git",
"reference": "66fd14b4d0b8f2389eaf37c5458608c7cb793a81"
"reference": "3f808fba627f2c5b69e2501217bf31af349c1427"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/guzzle/guzzle/zipball/66fd14b4d0b8f2389eaf37c5458608c7cb793a81",
"reference": "66fd14b4d0b8f2389eaf37c5458608c7cb793a81",
"url": "https://api.github.com/repos/guzzle/guzzle/zipball/3f808fba627f2c5b69e2501217bf31af349c1427",
"reference": "3f808fba627f2c5b69e2501217bf31af349c1427",
"shasum": ""
},
"require": {
"guzzlehttp/promises": "~1.0",
"guzzlehttp/psr7": "~1.1",
"php": ">=5.5.0"
"guzzlehttp/promises": "^1.0",
"guzzlehttp/psr7": "^1.3.1",
"php": ">=5.5"
},
"require-dev": {
"ext-curl": "*",
"phpunit/phpunit": "~4.0",
"psr/log": "~1.0"
"phpunit/phpunit": "^4.0",
"psr/log": "^1.0"
},
"type": "library",
"extra": {
"branch-alias": {
"dev-master": "6.1-dev"
"dev-master": "6.2-dev"
}
},
"autoload": {
......@@ -736,20 +736,20 @@
"rest",
"web service"
],
"time": "2015-09-08 17:36:26"
"time": "2016-07-15 17:22:37"
},
{
"name": "guzzlehttp/promises",
"version": "1.0.2",
"version": "1.2.0",
"source": {
"type": "git",
"url": "https://github.com/guzzle/promises.git",
"reference": "97fe7210def29451ec74923b27e552238defd75a"
"reference": "c10d860e2a9595f8883527fa0021c7da9e65f579"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/guzzle/promises/zipball/97fe7210def29451ec74923b27e552238defd75a",
"reference": "97fe7210def29451ec74923b27e552238defd75a",
"url": "https://api.github.com/repos/guzzle/promises/zipball/c10d860e2a9595f8883527fa0021c7da9e65f579",
"reference": "c10d860e2a9595f8883527fa0021c7da9e65f579",
"shasum": ""
},
"require": {
......@@ -787,20 +787,20 @@
"keywords": [
"promise"
],
"time": "2015-08-15 19:37:21"
"time": "2016-05-18 16:56:05"
},
{
"name": "guzzlehttp/psr7",
"version": "1.2.0",
"version": "1.3.1",
"source": {
"type": "git",
"url": "https://github.com/guzzle/psr7.git",
"reference": "4ef919b0cf3b1989523138b60163bbcb7ba1ff7e"
"reference": "5c6447c9df362e8f8093bda8f5d8873fe5c7f65b"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/guzzle/psr7/zipball/4ef919b0cf3b1989523138b60163bbcb7ba1ff7e",
"reference": "4ef919b0cf3b1989523138b60163bbcb7ba1ff7e",
"url": "https://api.github.com/repos/guzzle/psr7/zipball/5c6447c9df362e8f8093bda8f5d8873fe5c7f65b",
"reference": "5c6447c9df362e8f8093bda8f5d8873fe5c7f65b",
"shasum": ""
},
"require": {
......@@ -816,7 +816,7 @@
"type": "library",
"extra": {
"branch-alias": {
"dev-master": "1.0-dev"
"dev-master": "1.4-dev"
}
},
"autoload": {
......@@ -845,7 +845,7 @@
"stream",
"uri"
],
"time": "2015-08-15 19:32:36"
"time": "2016-06-24 23:00:38"
},
{
"name": "ircmaxell/password-compat",
......
core/composer.json
+ 1
1
View file @ 17ff00c6
......@@ -21,7 +21,7 @@
"twig/twig": "^1.23.1",
"doctrine/common": "2.5.*",
"doctrine/annotations": "1.2.*",
"guzzlehttp/guzzle": "~6.1",
"guzzlehttp/guzzle": "~6.2",
"symfony-cmf/routing": "~1.4",
"easyrdf/easyrdf": "0.9.*",
"zendframework/zend-feed": "~2.4",
......
core/lib/Drupal/Core/Http/ClientFactory.php
+ 7
0
View file @ 17ff00c6
......@@ -52,6 +52,13 @@ public function fromOptions(array $config = []) {
'User-Agent' => 'Drupal/' . \Drupal::VERSION . ' (+https://www.drupal.org/) ' . \GuzzleHttp\default_user_agent(),
],
'handler' => $this->stack,
// Security consideration: prevent Guzzle from using environment variables
// to configure the outbound proxy.
'proxy' => [
'http' => NULL,
'https' => NULL,
'no' => [],
]
];
$config = NestedArray::mergeDeep($default_config, Settings::get('http_client_config', []), $config);
......
sites/default/default.settings.php
+ 0
3
View file @ 17ff00c6
......@@ -325,9 +325,6 @@
*
* You can also define an array of host names that can be accessed directly,
* bypassing the proxy, in $settings['http_client_config']['proxy']['no'].
*
* If these settings are not configured, the system environment variables
* HTTP_PROXY, HTTPS_PROXY, and NO_PROXY on the web server will be used instead.
*/
# $settings['http_client_config']['proxy']['http'] = 'http://proxy_user:proxy_pass@example.com:8080';
# $settings['http_client_config']['proxy']['https'] = 'http://proxy_user:proxy_pass@example.com:8080';
......
web.config
+ 8
0
View file @ 17ff00c6
......@@ -34,6 +34,14 @@
</conditions>
</rule>
<rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
<match url="*.*" />
<serverVariables>
<set name="HTTP_PROXY" value="" />
</serverVariables>
<action type="None" />
</rule>
<!-- To redirect all users to access the site WITH the 'www.' prefix,
http://example.com/foo will be redirected to http://www.example.com/foo)
adapt and uncomment the following: -->
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment