--- 1675260_105.patch	2012-08-19 19:00:41.000000000 +0200
+++ ../modules/1675260-117.patch	2012-08-19 19:27:34.000000000 +0200
@@ -84,9 +84,91 @@
      }
      $dir->close();
  
+diff --git a/core/lib/Drupal/Component/PhpStorage/FileReadOnlyStorage.php b/core/lib/Drupal/Component/PhpStorage/FileReadOnlyStorage.php
+new file mode 100644
+index 0000000..e71f470
+--- /dev/null
++++ b/core/lib/Drupal/Component/PhpStorage/FileReadOnlyStorage.php
+@@ -0,0 +1,76 @@
++<?php
++
++/**
++ * @file
++ * Definition of Drupal\Component\PhpStorage\FileStorage.
++ */
++
++namespace Drupal\Component\PhpStorage;
++
++/**
++ * Reads code as regular PHP files, but won't write them.
++ */
++class FileReadOnlyStorage implements PhpStorageInterface {
++
++  /**
++   * The directory where the files should be stored.
++   *
++   * @var string
++   */
++  protected $directory;
++
++  /**
++   * Constructs this FileStorage object.
++   *
++   * @param $configuration
++   *   An associative array, containing at least one key (the rest are ignored):
++   *   - directory: The directory where the files should be stored.
++   *   - bin: overrides the $bin variable passed in directly.
++   * @param $bin
++   *   The storage bin. Multiple storage objects can be instantiated with the
++   *   same configuration, but for different bins.
++   */
++  public function __construct(array $configuration, $bin) {
++    if (isset($configuration['bin'])) {
++      $bin = $configuration['bin'];
++    }
++    $this->directory = $configuration['directory'] . '/' . $bin;
++  }
++
++  /**
++   * Implements Drupal\Component\PhpStorage\PhpStorageInterface::exists().
++   */
++  public function exists($name) {
++    return file_exists($this->getFullPath($name));
++  }
++
++  /**
++   * Implements Drupal\Component\PhpStorage\PhpStorageInterface::load().
++   */
++  public function load($name) {
++    // The FALSE returned on failure is enough for the caller to handle this,
++    // we do not want a warning too.
++    return (@include_once $this->getFullPath($name)) !== FALSE;
++  }
++
++  /**
++   * Implements Drupal\Component\PhpStorage\PhpStorageInterface::save().
++   */
++  public function save($name, $code) {
++    return FALSE;
++  }
++
++  /**
++   * Implements Drupal\Component\PhpStorage\PhpStorageInterface::delete().
++   */
++  public function delete($name) {
++    return FALSE;
++  }
++
++  /**
++   * Returns the full path where the file is or should be stored.
++   */
++  protected function getFullPath($name) {
++    return $this->directory . '/' . $name;
++  }
++}
 diff --git a/core/lib/Drupal/Component/PhpStorage/FileStorage.php b/core/lib/Drupal/Component/PhpStorage/FileStorage.php
 new file mode 100644
-index 0000000..448ceec
+index 0000000..0847d42
 --- /dev/null
 +++ b/core/lib/Drupal/Component/PhpStorage/FileStorage.php
 @@ -0,0 +1,75 @@
@@ -115,7 +197,7 @@
 +   * Constructs this FileStorage object.
 +   *
 +   * @param $configuration
-+   *   An associated array, containing at least one key (the rest are ignored):
++   *   An associative array, containing at least one key (the rest are ignored):
 +   *   - directory: The directory where the files should be stored.
 +   * @param $bin
 +   *   The storage bin. Multiple storage objects can be instantiated with the
@@ -167,10 +249,10 @@
 +}
 diff --git a/core/lib/Drupal/Component/PhpStorage/MTimeProtectedFileStorage.php b/core/lib/Drupal/Component/PhpStorage/MTimeProtectedFileStorage.php
 new file mode 100644
-index 0000000..2401c60
+index 0000000..87d4abd
 --- /dev/null
 +++ b/core/lib/Drupal/Component/PhpStorage/MTimeProtectedFileStorage.php
-@@ -0,0 +1,200 @@
+@@ -0,0 +1,204 @@
 +<?php
 +
 +/**
@@ -187,11 +269,15 @@
 + * Each file is stored in its own unique containing directory. The hash is based
 + * on the virtual file name, the containing directory's mtime, and a
 + * cryptographically hard to guess secret string. Thus, even if the hashed file
-+ * name is discovered and overridden by an untrusted file (e.g., via a
++ * name is discovered and replaced by an untrusted file (e.g., via a
 + * move_uploaded_file() invocation by a script that performs insufficient
 + * validation), the directory's mtime gets updated in the process, invalidating
 + * the hash and preventing the untrusted file from getting loaded.
 + *
++ * Note that this does not protect against overwriting a file in-place (e.g.
++ * a malicious module that does a file_put_contents()) since this will not
++ * change the mtime of the directory.
++ *
 + * The containing directory is created with the same name as the virtual file
 + * name (slashes removed) to assist with debugging, since the file itself is
 + * stored with a name that's meaningless to humans.
@@ -489,10 +575,10 @@
      }
 diff --git a/core/modules/system/lib/Drupal/system/Tests/PhpStorage/FileStorageTest.php b/core/modules/system/lib/Drupal/system/Tests/PhpStorage/FileStorageTest.php
 new file mode 100644
-index 0000000..1c1230a
+index 0000000..0fe70bb
 --- /dev/null
 +++ b/core/modules/system/lib/Drupal/system/Tests/PhpStorage/FileStorageTest.php
-@@ -0,0 +1,40 @@
+@@ -0,0 +1,75 @@
 +<?php
 +
 +/**
@@ -522,6 +608,12 @@
 +      'class' => 'Drupal\Component\PhpStorage\FileStorage',
 +      'directory' => DRUPAL_ROOT . '/' . variable_get('file_public_path', conf_path() . '/files') . '/php',
 +    );
++    $conf['php_storage']['readonly'] = array(
++      'class' => 'Drupal\Component\PhpStorage\FileReadOnlyStorage',
++      'directory' => DRUPAL_ROOT . '/' . variable_get('file_public_path', conf_path() . '/files') . '/php',
++      // Let this read from the bin where the other instance is writing.
++      'bin' => 'simpletest',
++    );
 +  }
 +
 +  /**
@@ -532,13 +624,42 @@
 +    $this->assertIdentical(get_class($php), 'Drupal\Component\PhpStorage\FileStorage');
 +    $this->assertCRUD($php);
 +  }
++
++  /**
++   * Tests writing with one class and readon with another.
++   */
++  function testReadOnly() {
++    $php = drupal_php_storage('simpletest');
++    $name = $this->randomName() . '/' . $this->randomName() . '.php';
++
++    // Find a function name that doesn't exist.
++    do {
++      $random = mt_rand(10000, 100000);
++      $function = 'test' . $random;
++    } while (function_exists($function));
++
++    // Write out a PHP file and ensure it's successfully loaded.
++    $code = "<?php\nfunction $function() { return $random;}";
++    $success = $php->save($name, $code);
++    $this->assertIdentical($success, TRUE);
++    $php_read = drupal_php_storage('readonly');
++    $php_read->load($name);
++    $this->assertIdentical($function(), $random);
++
++    // If the file was successfully loaded, it must also exist, but ensure the
++    // exists() method returns that correctly.
++    $this->assertIdentical($php_read->exists($name), TRUE);
++    // Saving and deleting should always fail.
++    $this->assertFalse($php_read->save($name, $code));
++    $this->assertFalse($php_read->delete($name));
++  }
 +}
 diff --git a/core/modules/system/lib/Drupal/system/Tests/PhpStorage/MTimeProtectedFileStorageTest.php b/core/modules/system/lib/Drupal/system/Tests/PhpStorage/MTimeProtectedFileStorageTest.php
 new file mode 100644
-index 0000000..12f0ce5
+index 0000000..f52b991
 --- /dev/null
 +++ b/core/modules/system/lib/Drupal/system/Tests/PhpStorage/MTimeProtectedFileStorageTest.php
-@@ -0,0 +1,87 @@
+@@ -0,0 +1,125 @@
 +<?php
 +
 +/**
@@ -564,10 +685,11 @@
 +  function setUp() {
 +    global $conf;
 +    parent::setUp();
++    $this->secret = $this->randomName();
 +    $conf['php_storage']['simpletest'] = array(
 +      'class' => 'Drupal\Component\PhpStorage\MTimeProtectedFileStorage',
 +      'directory' => DRUPAL_ROOT . '/' . variable_get('file_public_path', conf_path() . '/files') . '/php',
-+      'secret' => $GLOBALS['drupal_hash_salt'],
++      'secret' => $this->secret,
 +    );
 +  }
 +
@@ -589,7 +711,7 @@
 +    $php->save($name, '<?php');
 +    $expected_root_directory = DRUPAL_ROOT . '/' . variable_get('file_public_path', conf_path() . '/files') . '/php/simpletest';
 +    $expected_directory = $expected_root_directory . '/' . $name;
-+    $expected_filename = $expected_directory . '/' . hash_hmac('sha256', $name, $GLOBALS['drupal_hash_salt'] . filemtime($expected_directory)) . '.php';
++    $expected_filename = $expected_directory . '/' . hash_hmac('sha256', $name, $this->secret . filemtime($expected_directory)) . '.php';
 +
 +    // Ensure the file exists and that it and the containing directory have
 +    // minimal permissions. fileperms() can return high bits unrelated to
@@ -622,9 +744,46 @@
 +    chmod($expected_directory, 0100);
 +    $this->assertIdentical(file_get_contents($expected_filename), $untrusted_code);
 +    $php->load($name);
++    // If the untrusted code was included, $hacked would be re-assigned to FALSE.
 +    $this->assertIdentical($hacked, FALSE);
 +    $this->assertIdentical($php->exists($name), FALSE);
 +  }
++
++  /**
++   * Tests the vulnerability of the MTimeProtectedFileStorage implementation. It
++   * does not protet against overwritiing a file.
++   */
++  function testVulnerability() {
++    $php = drupal_php_storage('simpletest');
++    $name = 'simpletest.php';
++    $php->save($name, '<?php');
++    $expected_root_directory = DRUPAL_ROOT . '/' . variable_get('file_public_path', conf_path() . '/files') . '/php/simpletest';
++    $expected_directory = $expected_root_directory . '/' . $name;
++    $expected_filename = $expected_directory . '/' . hash_hmac('sha256', $name, $this->secret . filemtime($expected_directory)) . '.php';
++
++    // Ensure the file exists and that it and the containing directory have
++    // minimal permissions. fileperms() can return high bits unrelated to
++    // permissions, so mask with 0777.
++    $this->assertTrue(file_exists($expected_filename));
++    $this->assertIdentical(fileperms($expected_filename) & 0777, 0400);
++    $this->assertIdentical(fileperms($expected_directory) & 0777, 0100);
++
++    // Ensure that if the file is replaced with an untrusted one (due to a
++    // direct replacedment), it does  get loaded.
++    sleep(1);
++    $hacked = FALSE;
++    $untrusted_code = "<?php\n" . '$hacked = TRUE;';
++    chmod($expected_filename, 0700);
++    chmod($expected_directory, 0700);
++    file_put_contents($expected_filename, $untrusted_code);
++    chmod($expected_filename, 0400);
++    chmod($expected_directory, 0100);
++    $this->assertIdentical(file_get_contents($expected_filename), $untrusted_code);
++    $php->load($name);
++    // If the untrusted code was included, $hacked would be re-assigned to FALSE.
++    $this->assertIdentical($hacked, FALSE);
++    $this->assertIdentical($php->exists($name), TRUE);
++  }
 +}
 diff --git a/core/modules/system/lib/Drupal/system/Tests/PhpStorage/PhpStorageTestBase.php b/core/modules/system/lib/Drupal/system/Tests/PhpStorage/PhpStorageTestBase.php
 new file mode 100644