Files:

Comment  File                                                Size       Author            Test result
#17      file-munge-filename-1870612-17.patch                825 bytes  plach             PASSED: [[SimpleTest]]: [MySQL] 39,689 pass(es).
#17      file-munge-filename-1870612-17-WITH-ROLLBACK.patch  1.43 KB    plach             FAILED: [[SimpleTest]]: [MySQL] 39,693 pass(es), 1 fail(s), and 0 exception(s).
#11      file-munge-filename-1870612-11-WITH-ROLLBACK.patch  1.56 KB    David_Rothstein   FAILED: [[SimpleTest]]: [MySQL] 49,672 pass(es), 1 fail(s), and 0 exception(s).
#11      file-munge-filename-1870612-11.patch                933 bytes  David_Rothstein   PASSED: [[SimpleTest]]: [MySQL] 49,685 pass(es).
#9       file-munge-filename-1870612-9-WITH-ROLLBACK.patch   1.55 KB    David_Rothstein   FAILED: [[SimpleTest]]: [MySQL] Invalid PHP syntax in core/modules/system/lib/Drupal/system/Tests/File/NameMungingTest.php.
#9       file-munge-filename-1870612-9.patch                 931 bytes  David_Rothstein   FAILED: [[SimpleTest]]: [MySQL] Invalid PHP syntax in core/modules/system/lib/Drupal/system/Tests/File/NameMungingTest.php.
         57404_null_byte_file_munge_filename_17-D8.patch     661 bytes  greggles          PASSED: [[SimpleTest]]: [MySQL] 49,598 pass(es).

Comments

greggles

Priority: Normal » Critical
Issue tags: +Security Advisory follow-up

Well, probably some other metadata is important.

Status: Reviewed & tested by the community » Needs work
Issue tags: -Security Advisory follow-up

The last submitted patch, 57404_null_byte_file_munge_filename_17-D8.patch, failed testing.

tim.plunkett

Status: Needs work » Needs review
Issue tags: +Security Advisory follow-up

David_Rothstein

Also tagging as a release blocker for the next D7 release (just in case it turns out there's anything in the latest 7.x-dev code we need to do as followup for this, although I doubt it).

Status: Needs review » Needs work
Issue tags: -Security Advisory follow-up

The last submitted patch, 57404_null_byte_file_munge_filename_17-D8.patch, failed testing.

plach

Status: Needs work » Needs review
Issue tags: +Security Advisory follow-up

57404_null_byte_file_munge_filename_17-D8.patch queued for re-testing.

Tests pass here.

plach

Status: Needs review » Reviewed & tested by the community

This is a straight port of the D7 patch. Tests pass, angels sing. RTBC :)

webchick

Title: SA-CORE-2012-004 - Drupal core - Arbitrary code execution via file upload » Tests for SA-CORE-2012-004 - Drupal core - Arbitrary code execution via file upload
Component: upload.module » file system
Category: bug » task
Priority: Critical » Major
Status: Reviewed & tested by the community » Active
Issue tags: +Needs tests, +needs backport to D7

Committed and pushed to 8.x, but we need test coverage for this.
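As an added illustration (not code from the Drupal project, from the patches in this issue, or from any commenter), the PHP below models the null-byte hazard that the patches address and the difference the fix makes. PHP strings may contain NUL bytes, but the C library calls that finally create the file stop at the first NUL, so a name such as "shell.php\0.txt" passes string-based extension logic as a .txt file yet lands on disk as "shell.php"; removing NUL bytes before any extension logic runs closes that gap. The munge_filename() and as_c_string() helpers, the allow-list and the upload names are constructed for this example, and munge_filename() is a deliberately simplified model, not Drupal's real file_munge_filename(). Read under the usual Drupal test-only convention, the -WITH-ROLLBACK patches in the file list carry the new test without the fix, and their single failure corresponds to the vulnerable path shown here.

```php
<?php
declare(strict_types=1);

// Added example, not Drupal code. Models the NUL-byte hazard behind
// SA-CORE-2012-004 with a simplified munging routine and a helper that
// shows what a NUL-terminating filesystem call would actually use.

/**
 * Simplified munging: every inner extension that is not allow-listed and is
 * purely alphanumeric gets an underscore appended ("a.php.txt" -> "a.php_.txt").
 * The final extension is left alone; a separate extension validator is assumed
 * to handle it. $strip_nul toggles the fix so both behaviours can be compared.
 */
function munge_filename(string $filename, array $allowed, bool $strip_nul = true): string
{
    if ($strip_nul) {
        // The fix: a NUL byte is never legitimate in a filename.
        $filename = str_replace("\0", '', $filename);
    }

    $parts = explode('.', $filename);
    if (count($parts) < 3) {
        // No inner extension to munge.
        return $filename;
    }
    $new_name  = array_shift($parts);
    $final_ext = array_pop($parts);

    foreach ($parts as $part) {
        $new_name .= '.' . $part;
        // A segment that still contains a NUL fails the alphanumeric test, which
        // is exactly why the unstripped hostile name slips through unmunged.
        if (!in_array(strtolower($part), $allowed, true) && preg_match('/^[a-zA-Z0-9]+$/', $part) === 1) {
            $new_name .= '_';
        }
    }
    return $new_name . '.' . $final_ext;
}

/**
 * The path a NUL-terminating (C string) filesystem call would actually see.
 */
function as_c_string(string $filename): string
{
    $nul = strpos($filename, "\0");
    return $nul === false ? $filename : substr($filename, 0, $nul);
}

/** Fail loudly on a mismatch, independent of the zend.assertions setting. */
function check(string $label, string $actual, string $expected): void
{
    if ($actual !== $expected) {
        throw new RuntimeException(sprintf('%s: got %s, expected %s', $label, addcslashes($actual, "\0"), addcslashes($expected, "\0")));
    }
    printf("%-16s %s\n", $label, addcslashes($actual, "\0"));
}

$allowed = ['txt', 'jpg', 'png'];   // constructed allow-list
$upload  = "shell.php\0.txt";       // constructed hostile upload name

// Vulnerable path: without NUL stripping the inner "php\0" segment is left
// untouched, and the filesystem writes the part before the NUL.
$unsafe = munge_filename($upload, $allowed, false);
check('unmunged name', $unsafe, "shell.php\0.txt");
check('written as', as_c_string($unsafe), 'shell.php');

// Fixed path: strip NUL first, then the inner "php" gets its underscore and
// the on-disk name can no longer be executed as PHP.
$safe = munge_filename($upload, $allowed);
check('munged name', $safe, 'shell.php_.txt');
check('written as', as_c_string($safe), 'shell.php_.txt');

// A benign double extension is munged the same way with or without the fix.
check('benign name', munge_filename('notes.php.txt', $allowed), 'notes.php_.txt');
```

The check that matters for a regression test is the second pair: after the fix, the string that reaches the filesystem and the string the extension logic reasoned about are the same. A test that only inspects the munged string without stripping the NUL, or that compares against the pre-NUL prefix, would pass on both the vulnerable and the fixed code.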

David_Rothstein

Status: Active » Needs review
Files: file-munge-filename-1870612-9.patch (931 bytes), file-munge-filename-1870612-9-WITH-ROLLBACK.patch (1.55 KB)
Test result: FAILED: [[SimpleTest]]: [MySQL] Invalid PHP syntax in core/modules/system/lib/Drupal/system/Tests/File/NameMungingTest.php.

Maybe just something like this?

Status: Needs review » Needs work

The last submitted patch, file-munge-filename-1870612-9.patch, failed testing.

David_Rothstein

Status: Needs work » Needs review
Files: file-munge-filename-1870612-11.patch (933 bytes), file-munge-filename-1870612-11-WITH-ROLLBACK.patch (1.56 KB)
Test results: PASSED: [[SimpleTest]]: [MySQL] 49,685 pass(es). / FAILED: [[SimpleTest]]: [MySQL] 49,672 pass(es), 1 fail(s), and 0 exception(s).

Hm, I don't claim to have tested those myself actually, but I thought I at least ran them through php -l to check for syntax errors. Apparently not :)

These should be better.

plach

Status: Needs review » Reviewed & tested by the community

The test looks good to me, but what about appending it to another test method to save a new Drupal installation and speed things up a bit?

plach

Status: Reviewed & tested by the community » Needs review

Didn't mean to change the status (yet :).

David_Rothstein

Well, that entire file basically uses the one-test-per-method pattern already, so I didn't want to break the pattern here.

plach

Status: Needs review » Reviewed & tested by the community

Sounds good.

webchick

Version: 8.x-dev » 7.x-dev
Status: Reviewed & tested by the community » Patch (to be ported)

Lovely. Thanks, David!

Committed and pushed to 8.x.

Those tests should be backported to 7.x too, methinks.

plach

Status: Patch (to be ported) » Needs review
Files: file-munge-filename-1870612-17-WITH-ROLLBACK.patch (1.43 KB), file-munge-filename-1870612-17.patch (825 bytes)
Test results: FAILED: [[SimpleTest]]: [MySQL] 39,693 pass(es), 1 fail(s), and 0 exception(s). / PASSED: [[SimpleTest]]: [MySQL] 39,689 pass(es).

Straight reroll.

Status: Needs review » Needs work

The last submitted patch, file-munge-filename-1870612-17-WITH-ROLLBACK.patch, failed testing.

plach

Status: Needs work » Reviewed & tested by the community

Cool

David_Rothstein

Status: Reviewed & tested by the community » Fixed

David_Rothstein

Title: Tests for SA-CORE-2012-004 - Drupal core - Arbitrary code execution via file upload » SA-CORE-2012-004 - Drupal core - Arbitrary code execution via file upload
Category: task » bug
Priority: Major » Critical

I'm also 100% convinced that there's nothing left to do on 7.x-dev for this issue, so removing tag.

Automatically closed -- issue fixed for 2 weeks with no activity.