SA-CORE-2016-004 by alexpott, andypost, antongp, cashwilliams, catch, Chi,...

SA-CORE-2016-004 by alexpott, andypost, antongp, cashwilliams, catch, Chi, dawehner, dsnopek, Heine, kierheyl, Pere Orga, pwolanin, larowlan, q2u, stefan.r, xjm

(cherry picked from commit 75d6aa33)

core/lib/Drupal/Core/EventSubscriber/DefaultExceptionSubscriber.php

@@ -188,13 +188,16 @@ public function onException(GetResponseForExceptionEvent $event) {
     if (!method_exists($this, $method)) {
       if ($exception instanceof HttpExceptionInterface) {
         $this->onFormatUnknown($event);
+        $response = $event->getResponse();
+        $response->headers->set('Content-Type', 'text/plain');
       }
       else {
         $this->onHtml($event);
       }
-      return;
     }
-    $this->$method($event);
+    else {
+      $this->$method($event);
+    }
   }
 
   /**

core/modules/comment/src/CommentFieldItemList.php

@@ -2,7 +2,9 @@
 
 namespace Drupal\comment;
 
+use Drupal\Core\Access\AccessResult;
 use Drupal\Core\Field\FieldItemList;
+use Drupal\Core\Session\AccountInterface;
 
 /**
  * Defines a item list class for comment fields.
@@ -37,4 +39,28 @@ public function offsetExists($offset) {
     return parent::offsetExists($offset);
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function access($operation = 'view', AccountInterface $account = NULL, $return_as_object = FALSE) {
+    if ($operation === 'edit') {
+      // Only users with administer comments permission can edit the comment
+      // status field.
+      $result = AccessResult::allowedIfHasPermission($account ?: \Drupal::currentUser(), 'administer comments');
+      return $return_as_object ? $result : $result->isAllowed();
+    }
+    if ($operation === 'view') {
+      // Only users with either post comments or access comments permisison can
+      // view the field value. The formatter,
+      // Drupal\comment\Plugin\Field\FieldFormatter\CommentDefaultFormatter,
+      // takes care of showing the thread and form based on individual
+      // permissions, so if a user only has ‘post comments’ access, only the
+      // form will be shown and not the comments.
+      $result = AccessResult::allowedIfHasPermission($account ?: \Drupal::currentUser(), 'access comments')
+        ->orIf(AccessResult::allowedIfHasPermission($account ?: \Drupal::currentUser(), 'post comments'));
+      return $return_as_object ? $result : $result->isAllowed();
+    }
+    return parent::access($operation, $account, $return_as_object);
+  }
+
 }

core/modules/comment/src/Tests/CommentNonNodeTest.php

@@ -384,6 +384,7 @@ function testCommentFunctionality() {
       'administer entity_test fields',
       'view test entity',
       'administer entity_test content',
+      'administer comments',
     ));
     $this->drupalLogin($limited_user);
     $this->drupalGet('entity_test/structure/entity_test/fields/entity_test.entity_test.comment');

core/modules/comment/tests/src/Functional/CommentStatusFieldAccessTest.php

+<?php
+
+namespace Drupal\Tests\comment\Functional;
+
+
+use Drupal\comment\Tests\CommentTestTrait;
+use Drupal\node\Entity\NodeType;
+use Drupal\Tests\BrowserTestBase;
+
+/**
+ * Tests comment status field access.
+ *
+ * @group comment
+ */
+class CommentStatusFieldAccessTest extends BrowserTestBase {
+
+  use CommentTestTrait;
+
+  /**
+   * {@inheritdoc}
+   */
+  public $profile = 'testing';
+
+  /**
+   * Comment admin.
+   *
+   * @var \Drupal\user\UserInterface
+   */
+  protected $commentAdmin;
+
+  /**
+   * Node author.
+   *
+   * @var \Drupal\user\UserInterface
+   */
+  protected $nodeAuthor;
+
+  /**
+   * {@inheritdoc}
+   */
+  public static $modules = [
+    'node',
+    'comment',
+    'user',
+    'system',
+    'text',
+  ];
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp() {
+    parent::setUp();
+    $node_type = NodeType::create([
+      'type' => 'article',
+      'name' => t('Article'),
+    ]);
+    $node_type->save();
+    $this->nodeAuthor = $this->drupalCreateUser([
+      'create article content',
+      'skip comment approval',
+      'post comments',
+      'edit own comments',
+      'access comments',
+      'administer nodes',
+    ]);
+    $this->commentAdmin = $this->drupalCreateUser([
+      'administer comments',
+      'create article content',
+      'edit own comments',
+      'skip comment approval',
+      'post comments',
+      'access comments',
+      'administer nodes',
+    ]);
+    $this->addDefaultCommentField('node', 'article');
+  }
+
+  /**
+   * Tests comment status field access.
+   */
+  public function testCommentStatusFieldAccessStatus() {
+    $this->drupalLogin($this->nodeAuthor);
+    $this->drupalGet('node/add/article');
+    $assert = $this->assertSession();
+    $assert->fieldNotExists('comment[0][status]');
+    $this->submitForm([
+      'title[0][value]' => 'Node 1',
+    ], t('Save and publish'));
+    $assert->fieldExists('subject[0][value]');
+    $this->drupalLogin($this->commentAdmin);
+    $this->drupalGet('node/add/article');
+    $assert->fieldExists('comment[0][status]');
+    $this->submitForm([
+      'title[0][value]' => 'Node 2',
+    ], t('Save and publish'));
+    $assert->fieldExists('subject[0][value]');
+  }
+
+}

core/modules/config/config.module

@@ -65,14 +65,17 @@ function config_file_download($uri) {
   $scheme = file_uri_scheme($uri);
   $target = file_uri_target($uri);
   if ($scheme == 'temporary' && $target == 'config.tar.gz') {
-    $request = \Drupal::request();
-    $date = DateTime::createFromFormat('U', $request->server->get('REQUEST_TIME'));
-    $date_string = $date->format('Y-m-d-H-i');
-    $hostname = str_replace('.', '-', $request->getHttpHost());
-    $filename = 'config' . '-' . $hostname . '-' . $date_string . '.tar.gz';
-    $disposition = 'attachment; filename="' . $filename . '"';
-    return array(
-      'Content-disposition' => $disposition,
-    );
+    if (\Drupal::currentUser()->hasPermission('export configuration')) {
+      $request = \Drupal::request();
+      $date = DateTime::createFromFormat('U', $request->server->get('REQUEST_TIME'));
+      $date_string = $date->format('Y-m-d-H-i');
+      $hostname = str_replace('.', '-', $request->getHttpHost());
+      $filename = 'config' . '-' . $hostname . '-' . $date_string . '.tar.gz';
+      $disposition = 'attachment; filename="' . $filename . '"';
+      return array(
+        'Content-disposition' => $disposition,
+      );
+    }
+    return -1;
   }
 }

core/modules/config/src/Tests/ConfigExportUITest.php

@@ -88,6 +88,12 @@ function testExport() {
     // Check the single export form doesn't have "form-required" elements.
     $this->drupalGet('admin/config/development/configuration/single/export');
     $this->assertNoRaw('js-form-required form-required', 'No form required fields are found.');
+
+    // Ensure the temporary file is not available to users without the
+    // permission.
+    $this->drupalLogout();
+    $this->drupalGet('system/temporary', ['query' => ['file' => 'config.tar.gz']]);
+    $this->assertResponse(403);
   }
 
 }

core/tests/Drupal/KernelTests/Core/Routing/ExceptionHandlingTest.php

@@ -185,6 +185,17 @@ public function testExceptionEscaping() {
     $this->setRawContent($response->getContent());
     $this->assertRaw(Html::escape('Escaped content: <p> <br> <h3>'));
     $this->assertNoRaw('<p> <br> <h3>');
+
+    $string = '<script>alert(123);</script>';
+    $request = Request::create('/router_test/test2?_format=json' . urlencode($string), 'GET');
+
+    $kernel = \Drupal::getContainer()->get('http_kernel');
+    $response = $kernel->handle($request)->prepare($request);
+    // As the Content-type is text/plain the fact that the raw string is
+    // contained in the output does not matter.
+    $this->assertEqual($response->headers->get('Content-type'), 'text/plain; charset=UTF-8');
+    $this->setRawContent($response->getContent());
+    $this->assertRaw($string);
   }
 
 }