From 17ff00c6c4a774c5164991f0f179c95ce886793c Mon Sep 17 00:00:00 2001
From: xjm <xjm@65776.no-reply.drupal.org>
Date: Mon, 18 Jul 2016 17:32:46 +0200
Subject: [PATCH] SA-CORE-2016-003 by alexpott, Michael Dowling, mlhess, xjm,
 Pere Orga, dawehner, greggles, coltrane, pwolanin, larowlan

---
 .htaccess                                   |  4 +-
 composer.lock                               | 44 ++++++++++-----------
 core/composer.json                          |  2 +-
 core/lib/Drupal/Core/Http/ClientFactory.php |  7 ++++
 sites/default/default.settings.php          |  3 --
 web.config                                  |  8 ++++
 6 files changed, 41 insertions(+), 27 deletions(-)

diff --git a/.htaccess b/.htaccess
index f4024c632ac6..4716fa12c8cb 100644
--- a/.htaccess
+++ b/.htaccess
@@ -180,8 +180,10 @@ AddEncoding gzip svgz
   </IfModule>
 </IfModule>
 
-# Add headers to all responses.
+# Various header fixes.
 <IfModule mod_headers.c>
   # Disable content sniffing, since it's an attack vector.
   Header always set X-Content-Type-Options nosniff
+  # Disable Proxy header, since it's an attack vector.
+  RequestHeader unset Proxy
 </IfModule>
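Review bot: The new `RequestHeader unset Proxy` only takes effect when mod_headers is loaded; the enclosing `<IfModule mod_headers.c>` silently skips it otherwise, so a host without that module still passes the header through to PHP as `HTTP_PROXY` and gets nothing from this file. The directive could also carry the `early` modifier, `RequestHeader unset Proxy early`, so the header is removed at the start of request processing rather than in the late fixup phase, which is what the Apache project's own guidance for this issue suggests; worth confirming against the mod_headers documentation for the Apache versions Drupal supports. The comment would be more useful if it said that this is one layer and that the PHP-side `proxy` default in ClientFactory is what protects deployments not served through Apache with mod_headers, e.g. `# One layer only: ClientFactory also sets an explicit proxy default for non-Apache hosts.`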
diff --git a/composer.lock b/composer.lock
index 90b375c0f5be..132fba518826 100644
--- a/composer.lock
+++ b/composer.lock
@@ -678,32 +678,32 @@
         },
         {
             "name": "guzzlehttp/guzzle",
-            "version": "6.1.0",
+            "version": "6.2.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/guzzle/guzzle.git",
-                "reference": "66fd14b4d0b8f2389eaf37c5458608c7cb793a81"
+                "reference": "3f808fba627f2c5b69e2501217bf31af349c1427"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/guzzle/guzzle/zipball/66fd14b4d0b8f2389eaf37c5458608c7cb793a81",
-                "reference": "66fd14b4d0b8f2389eaf37c5458608c7cb793a81",
+                "url": "https://api.github.com/repos/guzzle/guzzle/zipball/3f808fba627f2c5b69e2501217bf31af349c1427",
+                "reference": "3f808fba627f2c5b69e2501217bf31af349c1427",
                 "shasum": ""
             },
             "require": {
-                "guzzlehttp/promises": "~1.0",
-                "guzzlehttp/psr7": "~1.1",
-                "php": ">=5.5.0"
+                "guzzlehttp/promises": "^1.0",
+                "guzzlehttp/psr7": "^1.3.1",
+                "php": ">=5.5"
             },
             "require-dev": {
                 "ext-curl": "*",
-                "phpunit/phpunit": "~4.0",
-                "psr/log": "~1.0"
+                "phpunit/phpunit": "^4.0",
+                "psr/log": "^1.0"
             },
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-master": "6.1-dev"
+                    "dev-master": "6.2-dev"
                 }
             },
             "autoload": {
@@ -736,20 +736,20 @@
                 "rest",
                 "web service"
             ],
-            "time": "2015-09-08 17:36:26"
+            "time": "2016-07-15 17:22:37"
         },
         {
             "name": "guzzlehttp/promises",
-            "version": "1.0.2",
+            "version": "1.2.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/guzzle/promises.git",
-                "reference": "97fe7210def29451ec74923b27e552238defd75a"
+                "reference": "c10d860e2a9595f8883527fa0021c7da9e65f579"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/guzzle/promises/zipball/97fe7210def29451ec74923b27e552238defd75a",
-                "reference": "97fe7210def29451ec74923b27e552238defd75a",
+                "url": "https://api.github.com/repos/guzzle/promises/zipball/c10d860e2a9595f8883527fa0021c7da9e65f579",
+                "reference": "c10d860e2a9595f8883527fa0021c7da9e65f579",
                 "shasum": ""
             },
             "require": {
@@ -787,20 +787,20 @@
             "keywords": [
                 "promise"
             ],
-            "time": "2015-08-15 19:37:21"
+            "time": "2016-05-18 16:56:05"
         },
         {
             "name": "guzzlehttp/psr7",
-            "version": "1.2.0",
+            "version": "1.3.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/guzzle/psr7.git",
-                "reference": "4ef919b0cf3b1989523138b60163bbcb7ba1ff7e"
+                "reference": "5c6447c9df362e8f8093bda8f5d8873fe5c7f65b"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/guzzle/psr7/zipball/4ef919b0cf3b1989523138b60163bbcb7ba1ff7e",
-                "reference": "4ef919b0cf3b1989523138b60163bbcb7ba1ff7e",
+                "url": "https://api.github.com/repos/guzzle/psr7/zipball/5c6447c9df362e8f8093bda8f5d8873fe5c7f65b",
+                "reference": "5c6447c9df362e8f8093bda8f5d8873fe5c7f65b",
                 "shasum": ""
             },
             "require": {
@@ -816,7 +816,7 @@
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-master": "1.0-dev"
+                    "dev-master": "1.4-dev"
                 }
             },
             "autoload": {
@@ -845,7 +845,7 @@
                 "stream",
                 "uri"
             ],
-            "time": "2015-08-15 19:32:36"
+            "time": "2016-06-24 23:00:38"
         },
         {
             "name": "ircmaxell/password-compat",
diff --git a/core/composer.json b/core/composer.json
index 550c7813d734..2d58d79e1ea9 100644
--- a/core/composer.json
+++ b/core/composer.json
@@ -21,7 +21,7 @@
         "twig/twig": "^1.23.1",
         "doctrine/common": "2.5.*",
         "doctrine/annotations": "1.2.*",
-        "guzzlehttp/guzzle": "~6.1",
+        "guzzlehttp/guzzle": "~6.2",
         "symfony-cmf/routing": "~1.4",
         "easyrdf/easyrdf": "0.9.*",
         "zendframework/zend-feed": "~2.4",
diff --git a/core/lib/Drupal/Core/Http/ClientFactory.php b/core/lib/Drupal/Core/Http/ClientFactory.php
index a68f0851757f..3dcf35374ebd 100644
--- a/core/lib/Drupal/Core/Http/ClientFactory.php
+++ b/core/lib/Drupal/Core/Http/ClientFactory.php
@@ -52,6 +52,13 @@ public function fromOptions(array $config = []) {
         'User-Agent' => 'Drupal/' . \Drupal::VERSION . ' (+https://www.drupal.org/) ' . \GuzzleHttp\default_user_agent(),
       ],
       'handler' => $this->stack,
+      // Security consideration: prevent Guzzle from using environment variables
+      // to configure the outbound proxy.
+      'proxy' => [
+        'http' => NULL,
+        'https' => NULL,
+        'no' => [],
+      ]
     ];
 
     $config = NestedArray::mergeDeep($default_config, Settings::get('http_client_config', []), $config);
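Review bot: The new default relies on Guzzle not consulting the environment once a `proxy` key is present, even when every scheme entry is `NULL`; nothing here pins that, so a later Guzzle upgrade that treats `NULL` as "unset" would silently reinstate the environment-derived proxy. A test asserting that a client built by `fromOptions()` carries `['http' => NULL, 'https' => NULL, 'no' => []]` as its `proxy` config and ignores an `HTTP_PROXY` set in the environment would lock the behaviour in. Style: the closing `]` of the `'proxy'` element lacks the trailing comma, `],`, that the preceding multi-line elements in this array use. The comment should also say why `NULL` is used instead of omitting the key: `// An explicit NULL per scheme overrides any HTTP_PROXY/HTTPS_PROXY inherited from the environment; omitting the key lets Guzzle read them.` fromOptions() continues outside the hunk.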
diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php
index 770a3a79a84f..d6d130e319d7 100644
--- a/sites/default/default.settings.php
+++ b/sites/default/default.settings.php
@@ -325,9 +325,6 @@
  *
  * You can also define an array of host names that can be accessed directly,
  * bypassing the proxy, in $settings['http_client_config']['proxy']['no'].
- *
- * If these settings are not configured, the system environment variables
- * HTTP_PROXY, HTTPS_PROXY, and NO_PROXY on the web server will be used instead.
  */
 # $settings['http_client_config']['proxy']['http'] = 'http://proxy_user:proxy_pass@example.com:8080';
 # $settings['http_client_config']['proxy']['https'] = 'http://proxy_user:proxy_pass@example.com:8080';
diff --git a/web.config b/web.config
index a0535a10db23..562847125fa7 100644
--- a/web.config
+++ b/web.config
@@ -34,6 +34,14 @@
           </conditions>
         </rule>
 
+        <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
+          <match url="*.*" />
+          <serverVariables>
+            <set name="HTTP_PROXY" value="" />
+          </serverVariables>
+          <action type="None" />
+        </rule>
+
     <!-- To redirect all users to access the site WITH the 'www.' prefix,
      http://example.com/foo will be redirected to http://www.example.com/foo)
      adapt and uncomment the following:   -->
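Review bot: Setting a server variable from a URL Rewrite rule requires `HTTP_PROXY` to be listed under `allowedServerVariables` in applicationHost.config; without that entry IIS rejects the rule and the request fails, and since that section cannot be added from web.config the rule should carry a comment saying so, e.g. `<!-- Requires HTTP_PROXY in <allowedServerVariables> in applicationHost.config. -->`. The wildcard `*.*` also appears to match only URLs containing a dot, if `*` means zero or more characters and `.` is literal, so a dotless clean URL such as `/node/1` would skip the rule and keep the variable; `<match url="*" />` would apply to every request, worth confirming against URL Rewrite's wildcard semantics. If any rule above this one stops processing on match, this rule is never reached for those requests; placing it first in the rule list avoids depending on order.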
-- 
GitLab