Refer to #1895328: Security exploit in plupload external library examples folder; we should remove the examples folder from the plupload library in order to avoid the security risk stated in PSA-2011-02.

In order to include the plupload module in a Drupal distribution, e.g. DruStack, we need a patch file for drush make so that it can remove the examples folder by patching the library.

This issue should be considered Fixed, since the recommended patch is not one that can be applied to the repo. If a search has led you here, there is a plupload.make.example file in the module. This should be added to your local make file and applied thus (assuming your .make file is called build.make):
drush make --no-core --libraries=plupload build.make


Comments

hswong3i’s picture

slashrsm’s picture

Status: Active » Fixed

Thanks. Will link this issue from project's page.

TravisCarden’s picture

Status: Fixed » Needs work

Pardon my presumption in setting this back to "needs work"—hopefully I'm the one in error—but I'm attempting to use this patch in a make file, and Drush reports that it's applying it, but the examples directory is still there afterward:

$ dr make my.make --no-core --no-patch-txt --libraries=plupload -y
Make new site in the current directory? (y/n): y
Drush make restricted to the following entries:                             [ok]
Libraries: plupload
plupload downloaded from http://plupload.com/downloads/plupload_1_5_5.zip.  [ok]
plupload patched with plupload-1_5_5-remove_examples-1903850-1.patch.       [ok]
$ ls sites/all/libraries/plupload/examples/
bg.jpg  custom.html  dump.php  jquery  upload.php  uploads

Even applying the patch manually (which works, so long as you use patch -p1 ...) leaves behind examples/bg.jpg and examples/uploads.

Am I missing the obvious, or does the patch not actually work? Or is it a problem with Drush make? Or both?

hswong3i’s picture

Status: Needs work » Active
FileSize
2.2 KB

Referring to http://git.wikia.com/wiki/Patches, the patch is now created with:

git format-patch HEAD^ -M -C -s -D --keep-subject --stdout > ../plupload-1_5_6-remove_examples-1903850-4.patch

It is therefore able to show the rename/delete action, and so works for both a GIT checkout and the -dev.tar.gz package.

hswong3i’s picture

Too bad that with -D it cannot be applied by patch nor git apply:

-D, --irreversible-delete
Omit the preimage for deletes, i.e. print only the header but not the diff between the
preimage and /dev/null. The resulting patch is not meant to be applied with patch nor git
apply; this is solely for people who want to just concentrate on reviewing the text after
the change. In addition, the output obviously lack enough information to apply such a
patch in reverse, even manually, hence the name of the option.

When used together with -B, omit also the preimage in the deletion part of a delete/create
pair.

Well... so I recreated the patch with:

git format-patch HEAD^ -M -C -s --keep-subject --stdout > ../plupload-1_5_6-rm_examples-1903850-5.patch

Therefore, sorry, but please manually remove the examples folder after the patch is applied ;-)

q11q11’s picture

Sorry for the silly question, but how should the line with that patch look in my.make file?

This doesn't work:
libraries[plupload][patch][] = http://drupal.org/files/plupload-1_5_6-rm_examples-1903850-5.patch

How else ?

hswong3i’s picture

Hopefully my DruStack version can be your reference:

A code snippet:

libraries[plupload][directory_name] = "plupload"
libraries[plupload][download][type] = "file"
libraries[plupload][download][url] = "http://plupload.com/downloads/plupload_1_5_6.zip"
libraries[plupload][patch][] = "http://drupal.org/files/plupload-1_5_6-rm_examples-1903850-5.patch"
libraries[plupload][type] = "library"

mrfelton’s picture

Status: Active » Needs review
FileSize
77.93 KB

None of the above patches work with an archive version of plupload from https://github.com/moxiecode/plupload/archive/1.5.6.zip. This works:

projects[plupload_lib][type] = library
projects[plupload_lib][download][type] = get
projects[plupload_lib][download][url] = http://plupload.com/downloads/plupload_1_5_6.zip
projects[plupload_lib][directory_name] = plupload
projects[plupload_lib][patch][] = http://drupal.org/files/plupload-1_5_6-rm_examples-1903850-5.patch

bart.hanssens’s picture

Patch for 1.5.7

hswong3i’s picture

This should also work for 1.5.7.

igor.ro’s picture

#9 and #10 did not work for me.

Here is a new patch for 1.5.7.

hefox’s picture

Perhaps plupload should have a make file itself for the library that includes the patch

Chris Charlton’s picture

saltednut’s picture

saltednut’s picture

Would like to make a patch but unsure how one does this for a library.

Would I unzip the library and then create a new repository, commit changes, then make changes and use git diff?

Confusing to create a patch for a non-repository... thanks in advance!

hswong3i’s picture

hswong3i’s picture

hefox’s picture

Not going to look into it now, but I wonder if there is a drush issue for removing a directory/files from a download. Not like plupload is the only library in this situation.

edit: drush error => drush issue

saltednut’s picture

Title: [meta] Patch for remove plupload library examples folder for Drupal distribution » [meta] Patch to remove plupload library examples folder for Drupal distribution

Fixed grammar in title.

Patch confirmed working for us with minimal effort.

libraries[plupload][download][type] = "get"
libraries[plupload][download][url] = "https://github.com/moxiecode/plupload/archive/v1.5.8.zip"
libraries[plupload][patch][1903850] = "http://drupal.org/files/issues/plupload-1_5_8-rm_examples-1903850-16.patch"

Anonymous’s picture

The patch is now suddenly failing... :S

Unable to patch plupload with plupload-1_5_8-rm_examples-1903850-16.patch.

[edit]
Hm.. I think it always failed.. however we removed --force-complete from the drush command so now we notice :(

[edit2]
Nope it worked a few days ago :S
Our log message from 2015-01-09:
>> plupload-7.x-1.7 downloaded.
>> Found makefile: plupload.make
>> plupload downloaded from https://github.com/moxiecode/plupload/archive/v1.5.8.zip.
>> plupload patched with plupload-1_5_8-rm_examples-1903850-16.patch.

However the 'examples' directory is still there in /sites/all/libraries/plupload/examples :') Great patch.

dtarc’s picture

Here's another patch for 1.5.8

evilehk’s picture

Patch to remove examples folder for plupload v2.1.8.

Gold’s picture

Issue summary: View changes
Status: Needs review » Fixed

The patch at #22 failed to apply.

ubuntu@webserver:~/htdocs$ drush make --no-core --libraries=plupload build.make 
Make new site in the current directory? (y/n): y
Drush make restricted to the following entries:                                                                                                                                                          [ok]
Libraries: plupload
Beginning to build build.make.                                                                                                                                                                           [ok]
plupload downloaded from https://github.com/moxiecode/plupload/archive/v1.5.8.zip.                                                                                                                       [ok]
Unable to patch plupload with meta_patch_to_remove-1903850-22.patch.

The patch at #21 worked for me though.

ubuntu@webserver:~/htdocs$ drush make --no-core --libraries=plupload build.make 
Make new site in the current directory? (y/n): y
Drush make restricted to the following entries:                                                                                                                                                          [ok]
Libraries: plupload
Beginning to build build.make.                                                                                                                                                                           [ok]
plupload downloaded from https://github.com/moxiecode/plupload/archive/v1.5.8.zip.                                                                                                                       [ok]
plupload patched with plupload-1_5_8-rm_examples-1903850-21.patch.                                                                                                                                       [ok]
Generated PATCHES.txt file for plupload                                                                                                                                                                  [ok]
ubuntu@webserver:~/htdocs$ ls sites/all/libraries/plupload/
changelog.txt  js  license.txt  PATCHES.txt  readme.md
ubuntu@webserver:~/htdocs$ cat sites/all/libraries/plupload/PATCHES.txt 
The following patches have been applied to this project:
- https://www.drupal.org/files/issues/plupload-1_5_8-rm_examples-1903850-21.patch

This file was automatically generated by Drush Make (http://drupal.org/project/drush).

While this patch fixes the external library this isn't really something that can be "applied" to the current codebase. It is useful from the point of view of it being available for drush make though. The current plupload.make.example file is referencing the patch at #21 also.

This issue feels Fixed to me. At least as far as we can apply things to the codebase.

Going forward, the example make file from #2088143: [Needs docs] Add make file so dependencies are downloaded automatically will be updated as new versions of the library are released. Chances are this patch may fail if the files in the examples dir change. New patches could be added and tracked here.

evilehk’s picture

Great detail, thanks Gold. Just as you mentioned, this is a good spot for patches to remove the examples directory in future versions of plupload. The patch in #22 is meant for plupload v2.1.8 (not plupload 1.5.8). The patch in #22 is referenced in the plupload.make file after patch #2098555-26: Make compatible with plupload version 2.1.9 is applied. If you had time, it would be great if you could apply the same level of detail to verifying that patch!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

ciss’s picture

Drush make uses the patch command which does not support Git's binary diff format. Adding a patch that was created using git diff --text.
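
As an added example (not code from this issue, nor from the plupload or drush projects), here is a small Python lint that classifies the files a patch touches, so the two failure modes raised in #5 and in the comment above are caught before the patch goes into a make file: Git binary hunks, which patch(1) cannot apply, and "deleted file mode" headers with no hunk, as produced by git format-patch -D. The sample patch text and its index hashes are constructed for the demonstration.

```python
import re
# Constructed sample patch (not from the issue): three examples/ files deleted
# in the three shapes the thread runs into. Index hashes are dummies.
SAMPLE_PATCH = """\
diff --git a/examples/custom.html b/examples/custom.html
deleted file mode 100644
index 1111111..0000000
--- a/examples/custom.html
+++ /dev/null
@@ -1 +0,0 @@
-<html>custom</html>
diff --git a/examples/bg.jpg b/examples/bg.jpg
deleted file mode 100644
index 2222222..0000000
GIT binary patch
literal 0
HcmV?d00001
diff --git a/examples/dump.php b/examples/dump.php
deleted file mode 100644
index 3333333..0000000
"""

def lint_patch(text):
    """Classify each file a git-style or plain unified patch touches: 'binary'
    (Git binary hunks, which patch(1) cannot apply), 'no_preimage' (deleted file
    header with no hunk, from format-patch -D), 'deletes' and 'other'."""
    report = {"deletes": [], "binary": [], "no_preimage": [], "other": []}
    for block in re.split(r"(?m)^(?=diff --git )", text):
        lines = block.splitlines()
        if not lines:
            continue
        m = re.match(r"diff --git a/(\S+) b/\S+", lines[0])
        path = m.group(1) if m else None
        deleted_hdr = any(l.startswith("deleted file mode") for l in lines)
        has_hunk = any(l.startswith("--- ") for l in lines)
        if any(l.startswith("GIT binary patch") for l in lines):
            report["binary"].append(path)
        elif deleted_hdr and not has_hunk:
            report["no_preimage"].append(path)
        else:
            for i, l in enumerate(lines[:-1]):
                nxt = lines[i + 1]
                if l.startswith("--- ") and nxt.startswith("+++ "):
                    old = re.sub(r"^[ab]/", "", l[4:].split("\t")[0])
                    # /dev/null or diff -N's epoch timestamp mean patch(1) removes the file
                    gone = nxt.startswith("+++ /dev/null") or "1970-01-01" in nxt
                    report["deletes" if gone else "other"].append(path or old)
    report["ok"] = not (report["binary"] or report["no_preimage"])
    return report
```

A report with ok False means patch(1), which drush make shells out to, will not remove every file, so the examples folder has to be checked for leftovers after the build.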

srjosh’s picture

Version: 7.x-1.x-dev » 8.x-1.x-dev
Status: Closed (fixed) » Needs review
FileSize
29.84 KB

Attached is a patch to remove the examples file for version 2.1.9 of PLUpload.

Pol’s picture

Version: 8.x-1.x-dev » 7.x-1.x-dev
Status: Needs review » Active

Hi all,

We are having this error on some machines.

In order to debug where it was coming from, we've created a small makefile containing plupload only.

api = 2
core = 7.x

projects[] = drupal

projects[plupload][subdir] = "contrib"
projects[plupload][download][branch] = 7.x-1.x
projects[plupload][download][revision] = bba974c6f3224346a1acae4181a700b55129e6e1
projects[plupload][download][type] = git

; Plupload
libraries[plupload][destination] = "libraries"
libraries[plupload][download][type] = "file"
libraries[plupload][download][request_type]= "get"
libraries[plupload][download][file_type] = "zip"
libraries[plupload][download][url] = "https://github.com/moxiecode/plupload/archive/v1.5.8.zip"
libraries[plupload][directory_name] = "plupload"
libraries[plupload][patch][1903850] = "https://www.drupal.org/files/issues/plupload-1_5_8-rm_examples-1903850-21.patch"

The drush command:
drush make test.make --no-core -v -d -y

The log when building: http://pastebin.com/UHhP50eu

Software versions:

dellapo@vs-nxte-dellapo7 ~/d/g/p/resources> patch --version
GNU patch 2.7.1
Copyright (C) 2003, 2009-2012 Free Software Foundation, Inc.
Copyright (C) 1988 Larry Wall

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Larry Wall and Paul Eggert
dellapo@vs-nxte-dellapo7 ~/d/g/p/resources> git --version
git version 2.10.0
dellapo@vs-nxte-dellapo7 ~/d/g/p/resources>

Pol’s picture

Here's a new patch against v1.5.8. It's different from #21.

It has been created using git diff -a with git 2.10.

jsst’s picture

Sorry, this patch is actually against 54a0e4e.

jsst’s picture

Patch against 2.2.1.

Jorrit’s picture

#29 works while #21 doesn't, using `patch` and plupload 1.5.8.

nevergone’s picture

FileSize
599 bytes

7.x-1.x version: #29 is good work.

NWOM’s picture

Version: 7.x-1.x-dev » 7.x-2.x-dev

-Deleted-

NWOM’s picture

Version: 7.x-2.x-dev » 7.x-1.x-dev

Added the last comment to the wrong issue.

Ludo.R’s picture

I confirm #31 works for version 2.2.1

bwaindwain’s picture

Patch from #31 works for us with Plupload 2.3.6 in Drupal 9.1.4. Thanks @jsst.

bwaindwain’s picture

Here's a new patch for 2.3.7

NWOM’s picture

Category: Support request » Feature request
Status: Active » Needs review

Setting to Needs Review since a patch is attached. It was accidentally removed by whoever changed the version from 8.x back to 7.x. I have not tested the newest patch myself.

orodicio’s picture

Patch from #31 works for us with Plupload 2.3.6 in Drupal 9.5.4.

thejimbirch’s picture

Thanks for the patches! I struggled to understand the process, so I am adding a workflow document in hopes of helping others.

Remove security vulnerability in Plupload examples folder

The Drupal Plupload module requires the moxiecode/plupload library. This library contains an examples folder that has a security vulnerability that can be exploited.

This vulnerability can be confirmed on Pantheon using their status check in the dashboard.

Removing the folder

This issue contains patches against the different versions of the Plupload library, not the module. There are different patches for the different versions of the Plupload library (again, not the Drupal module).

The tricky bit is that you are patching the library, which is a dependency of the Drupal module, not the module itself. (should I say it one more time? =)

In your composer.json file, you can add the following under the patches section:

    "moxiecode/plupload": {
        "Patch to remove plupload library examples folder - https://www.drupal.org/node/1903850": "https://www.drupal.org/files/issues/plupload-2_1_9-rm_examples-1903850-27.patch"
    }

After that, run composer update moxiecode/plupload and verify the patch has been applied.

If you are using Pantheon, after you deploy, run the Status check in the dashboard to verify the folder has been removed.

budalokko’s picture

The vulnerability was fixed upstream two years ago:

- https://github.com/moxiecode/plupload/releases/tag/v2.3.7
- https://github.com/moxiecode/plupload/issues/1536

We won't change our procedures for d7 at this point, but wondering what the users of this patch think about just requiring a version >=2.3.7 for the Drupal 8+ version of the module.

This is the fix. Secure enough under my view:

https://github.com/moxiecode/plupload/commit/ad2c48793bc989800a9d1f53e09...