Commit 950a57dc authored by Gerhard Killesreiter's avatar Gerhard Killesreiter

various bugfixes

parent cca18c90
// $Id$
Drupal 4.7.11, xxxx-xx-xx
Drupal 4.7.11, 2008-01-10
-------------------------
- fixed a security issue (Cross site request forgery), see SA-2008-005
- fixed a security issue (Cross site scripting, UTF8), see SA-2008-006
- fixed a security issue (Cross site scripting, register_globals), see SA-2008-007
Drupal 4.7.10, 2007-12-06
-------------------------
......
......@@ -13,7 +13,7 @@ CONTENTS OF THIS FILE
REQUIREMENTS
------------
Drupal requires a web server, PHP4 (4.3.3 or greater) or PHP5
Drupal requires a web server, PHP4 (4.3.5 or greater) or PHP5
(http://www.php.net/) and either MySQL (http://www.mysql.com/)
or PostgreSQL (http://www.postgresql.org/). Your database user
will also need sufficient privileges to run Drupal. Please
......
......@@ -610,9 +610,49 @@ function referer_uri() {
/**
* Encode special characters in a plain-text string for display as HTML.
*
* Uses drupal_validate_utf8 to prevent cross site scripting attacks on
* Internet Explorer 6.
*
*/
function check_plain($text) {
return htmlspecialchars($text, ENT_QUOTES);
return drupal_validate_utf8($text) ? htmlspecialchars($text, ENT_QUOTES) : '';
}
/**
* Checks whether a string is valid UTF-8.
*
* All functions designed to filter input should use drupal_validate_utf8
* to ensure they operate on valid UTF-8 strings to prevent bypass of the
* filter.
*
* When text containing an invalid UTF-8 lead byte (0xC0 - 0xFF) is presented
* as UTF-8 to Internet Explorer 6, the program may misinterpret subsequent
* bytes. When these subsequent bytes are HTML control characters such as
* quotes or angle brackets, parts of the text that were deemed safe by filters
* end up in locations that are potentially unsafe; An onerror attribute that
* is outside of a tag, and thus deemed safe by a filter, can be interpreted
* by the browser as if it were inside the tag.
*
* This function exploits preg_match behaviour (since PHP 4.3.5) when used with
* the u modifier as a fast way to find invalid UTF-8. When the matched string
* contains invalid byte sequences, it will fail silently.
*
* preg_match may not fail on 4 and 5 octet sequences, even though they
* are not supported by the specification.
*
* The specific preg_match behaviour is present
*
* @param $text
* The text to check.
* @return
* TRUE if the text is valid UTF-8, FALSE if not.
*/
function drupal_validate_utf8($text) {
if (strlen($text) == 0) {
return TRUE;
}
return (preg_match('/^./us', $text) == 1);
}
/**
......
......@@ -995,12 +995,30 @@ function aggregator_view() {
return $output;
}
function aggregator_admin_remove_feed($fid) {
$feed = aggregator_get_feed($fid);
return confirm_form(
'aggregator_admin_remove_feed',
array(
'feed' => array(
'#type' => 'value',
'#value' => $feed,
),
),
t('Are you sure you want to remove all items from the feed %feed?', array('%feed' => theme('placeholder', $feed['title']))),
'admin/aggregator',
t('This action cannot be undone.'),
t('Remove items'),
t('Cancel')
);
}
/**
* Menu callback; removes all items from a feed, then redirects to the overview page.
* Remove all items from a feed and redirect to the overview page.
*/
function aggregator_admin_remove_feed($feed) {
aggregator_remove(aggregator_get_feed($feed));
drupal_goto('admin/aggregator');
function aggregator_admin_remove_feed_submit($form_id, $form_values) {
aggregator_remove($form_values['feed']);
return 'admin/aggregator';
}
/**
......
......@@ -1135,6 +1135,11 @@ function filter_xss_admin($string) {
* The format to use.
*/
function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) {
// Only operate on valid UTF-8 strings. This is necessary to prevent cross
// site scripting issues on Internet Explorer 6.
if (!drupal_validate_utf8($string)) {
return '';
}
// Store the input format
_filter_xss_split($allowed_tags, TRUE);
// Remove NUL characters (ignored by some browsers)
......
......@@ -6,7 +6,7 @@
* Configuration system that lets administrators modify the workings of the site.
*/
define('VERSION', '4.7.11-dev');
define('VERSION', '4.7.11');
/**
* Implementation of hook_help().
......
......@@ -74,6 +74,9 @@ function watchdog_user($op, &$edit, &$user) {
* Menu callback; displays a listing of log messages.
*/
function watchdog_overview() {
if (ini_get('register_globals')) {
drupal_set_message(t('<em>register_globals</em> is enabled. Drupal requires this configuration directive to be disabled. Your site may not be secure when <em>register_globals</em> is enabled. The PHP manual has instructions for <a href="http://php.net/configuration.changes">how to change configuration settings</a>.'), 'error');
}
$icons = array(WATCHDOG_NOTICE => '',
WATCHDOG_WARNING => theme('image', 'misc/watchdog-warning.png', t('warning'), t('warning')),
WATCHDOG_ERROR => theme('image', 'misc/watchdog-error.png', t('error'), t('error')));
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment