http://drupal.org/node/1425084

http://drupalcode.org/project/drupal.git/commit/40093b2

CommentFileSizeAuthor
#4 1425330-file.patch5.68 KBswentel
#3 1425330-aggregator.patch3.51 KBswentel
#3 1425330-file.patch6.59 KBswentel
#3 1425330-openid.patch10.45 KBswentel
#1 63469-17.file-field-access-bypass.patch6.52 KBwebchick
#1 openid-signed-D7-1.patch11.03 KBwebchick
#1 SA-2699-aggregator-D7_0.patch3.84 KBwebchick
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
CreditAttribution: webchick commented
FileSize
SA-2699-aggregator-D7_0.patch3.84 KB
openid-signed-D7-1.patch11.03 KB
63469-17.file-field-access-bypass.patch6.52 KB

Thanks, you beat me to it. ;)

Here are the 7.x patches. They need porting to 8.x.

IMPORTANT: Please do NOT credit me on commit for these! Credit should go to:

c960657 - OpenID
David_Rothstein, Berdir, dww = File field access bypass
Dave Reid - Aggregator XSRF

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
CreditAttribution: webchick commented
Status: Active » Patch (to be ported)
swentel’s picture

swentel CreditAttribution: swentel commented
Status: Patch (to be ported) » Needs review
FileSize
1425330-openid.patch10.45 KB
1425330-file.patch6.59 KB
1425330-aggregator.patch3.51 KB

Here are the patches for D8 - I had 2 patches which didn't apply cleanly (file and openid), so I hope I merged them ok.

swentel’s picture

swentel CreditAttribution: swentel commented
FileSize
1425330-file.patch5.68 KB

Here's another for the file patch - the file_download_access() apparently get the wrong data, however, isn't that wrong then also in D7 ?

scor’s picture

scor CreditAttribution: scor commented
Issue tags: +Security Advisory follow-up

This issue should probably only cover aggregator and openid since they are straight forward fixes.

the file access issue needs more discussion over at #1245220: file_file_download() passed bogus $field to field_access().

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented
Title: Apply DRUPAL-SA-CORE-2012-001 fixes » Apply Aggregator and OpenID fixes from DRUPAL-SA-CORE-2012-001
xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm commented

So, we currently just need to review the first and third patches in #3?

Berdir’s picture

Berdir
Primary language German
Location Switzerland
CreditAttribution: Berdir commented

Yes, the file stuff is dealt with in the other issue.

Aggregator patch looks good to me.

sun’s picture

sun
Primary language German
Location Karlsruhe
CreditAttribution: sun commented
Status: Needs review » Reviewed & tested by the community

The aggregator and openid patches look good to me.

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
CreditAttribution: webchick commented
Status: Reviewed & tested by the community » Fixed

Thanks a lot!

Committed and pushed to 8.x. I think this is ok, since I committed the 7.x patches already. :)

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented
Status: Fixed » Reviewed & tested by the community

Wrong patch was committed?

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
CreditAttribution: webchick commented

WOAH. How did that happen?! I fail at Git. :)

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
CreditAttribution: webchick commented
Status: Reviewed & tested by the community » Fixed

There, I think I made it more betterer now. :)

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented

Looks good :)

Automatically closed -- issue fixed for 2 weeks with no activity.