From 333779124f645e61bea12651f84c66bd66f40755 Mon Sep 17 00:00:00 2001
From: webchick <webchick@24967.no-reply.drupal.org>
Date: Wed, 8 Jun 2011 13:41:52 -0700
Subject: [PATCH] Issue #1179424 by aspilicious, Heine, pwolanin, scor: Fixed
 Color module security fixes from SA-CORE-2011-001 not yet applied to Drupal
 8.

---
 modules/color/color.module | 13 +++++++++++++
 modules/color/color.test   | 37 +++++++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)

diff --git a/modules/color/color.module b/modules/color/color.module
index ff6c70e6cb76..18954fe1fd3c 100644
--- a/modules/color/color.module
+++ b/modules/color/color.module
@@ -42,6 +42,7 @@ function color_form_system_theme_settings_alter(&$form, &$form_state) {
       '#theme' => 'color_scheme_form',
     );
     $form['color'] += color_scheme_form($form, $form_state, $theme);
+    $form['#validate'][] = 'color_scheme_form_validate';
     $form['#submit'][] = 'color_scheme_form_submit';
   }
 }
@@ -270,6 +271,18 @@ function theme_color_scheme_form($variables) {
   return $output;
 }
 
+/**
+ * Validation handler for color change form.
+ */
+function color_scheme_form_validate($form, &$form_state) {
+  // Only accept hexadecimal CSS color strings to avoid XSS upon use.
+  foreach ($form_state['values']['palette'] as $key => $color) {
+    if (!preg_match('/^#([a-f0-9]{3}){1,2}$/iD', $color)) {
+      form_set_error('palette][' . $key, t('You must enter a valid hexadecimal color value for %name.', array('%name' => $form['color']['palette'][$key]['#title'])));
+    }
+  }
+}
+
 /**
  * Submit handler for color change form.
  */
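Review bot: The foreach at the top of color_scheme_form_validate dereferences `$form_state['values']['palette']` unguarded, so a submission in which the palette element is absent (I cannot tell from this hunk whether color_form_system_theme_settings_alter guarantees its presence) raises a PHP notice and silently performs no validation instead of rejecting the input; read it defensively with `$palette = isset($form_state['values']['palette']) ? (array) $form_state['values']['palette'] : array();` and then `foreach ($palette as $key => $color) {`. The regex comment should also say why the `D` modifier is there, since it is what makes this an effective guard: `// The D modifier stops $ from matching before a trailing newline, so "#fff\n" is rejected as well.` The `%name` placeholder passed through t() is escaped, so the error message itself is not an injection point for the element title.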
diff --git a/modules/color/color.test b/modules/color/color.test
index 1ddfc0647daa..897bd6cc01c5 100644
--- a/modules/color/color.test
+++ b/modules/color/color.test
@@ -11,6 +11,7 @@
 class ColorTestCase extends DrupalWebTestCase {
   protected $big_user;
   protected $themes;
+  protected $colorTests;
 
   public static function getInfo() {
     return array(
@@ -40,6 +41,19 @@ class ColorTestCase extends DrupalWebTestCase {
       ),
     );
     theme_enable(array_keys($this->themes));
+
+    // Array filled with valid and not valid color values
+    $this->colorTests = array(
+      '#000' => TRUE,
+      '#123456' => TRUE,
+      '#abcdef' => TRUE,
+      '#0' => FALSE,
+      '#00' => FALSE,
+      '#0000' => FALSE,
+      '#00000' => FALSE,
+      '123456' => FALSE,
+      '#00000g' => FALSE,
+    );
   }
 
   /**
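Review bot: The colorTests fixture covers string length but not the two regex features the validator relies on: case-insensitivity (`i`) and the `D` modifier that keeps `$` from matching before a trailing newline; add `'#ABCDEF' => TRUE,` and `"#000\n" => FALSE,` so a later change that drops either modifier fails the test. Note that PHP coerces the decimal-string key `'123456'` to the integer 123456, so the consuming loop receives an int for that case; it is posted as the same text and the test still passes, but a list of `array($color, $is_valid)` pairs would avoid the key coercion altogether. The enclosing method starts outside this hunk.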
@@ -93,4 +107,27 @@ class ColorTestCase extends DrupalWebTestCase {
     $this->assertTrue(strpos($stylesheet_content, 'public://') === FALSE, 'Make sure the color paths have been translated to local paths. (' . $theme . ')');
     variable_set('preprocess_css', 0);
   }
+
+  /**
+   * Test to see if the provided color is valid
+   */
+  function testValidColor() {
+    variable_set('theme_default', 'bartik');
+    $settings_path = 'admin/appearance/settings/bartik';
+
+    $this->drupalLogin($this->big_user);
+    $edit['scheme'] = '';
+
+    foreach ($this->colorTests as $color => $is_valid) {
+      $edit['palette[bg]'] = $color;
+      $this->drupalPost($settings_path, $edit, t('Save configuration'));
+
+      if($is_valid) {
+        $this->assertText('The configuration options have been saved.');
+      }
+      else {
+        $this->assertText('You must enter a valid hexadecimal color value for Main background.');
+      }
+    }
+  }
 }
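Review bot: For the invalid entries, testValidColor asserts only that the error text is rendered; it does not check that the rejected value was not persisted, which is the property the validator exists to protect. After each invalid post, also assert that the palette the submit handler stores for bartik (read it back with variable_get()) still holds the previously saved background value rather than `$color`, so a regression in which the error is shown but the value is saved anyway is caught. As a point of style, `if($is_valid) {` should be `if ($is_valid) {` to match the spacing used by the surrounding code.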
-- 
GitLab