Refer to #1895328: Security exploit in plupload external library examples folder. We should remove the examples folder from the plupload library in order to avoid the security risk stated in PSA-2011-02.
In order to include the plupload module in a Drupal distribution, e.g. DruStack, we need a patch file for drush make so that it can remove the examples folder by patching the library.
This issue should be considered Fixed, since the recommended patch is not one that can be applied to the repo. If a search has led you here, there is a plupload.make.example file in the module. This should be merged into your local make file and run thus (assuming your .make file is called build.make):
drush make --no-core --libraries=plupload build.make
Comment | File | Size | Author |
---|---|---|---|
#38 | plupload-rm_examples_2_3_7-1903850-38.patch | 30.56 KB | bwaindwain |
#33 | plupload-1_5_8-rm_examples-1903850-33.patch | 599 bytes | nevergone |
#31 | plupload-2_2_1-rm_examples-1903850-31.patch | 29.84 KB | jsst |
#30 | plupload-2_2_1-rm_examples-1903850-30.patch | 30.1 KB | jsst |
#29 | plupload-1_5_8-rm_examples-1903850-29.patch | 36.94 KB | Pol |
Comments
Comment #1
hswong3i commented: Patch file for plupload_1_5_5.zip.
Comment #2
slashrsm commented: Thanks. Will link this issue from the project's page.
Comment #3
TravisCarden commented: Pardon my presumption in setting this back to "needs work" (hopefully I'm the one in error), but I'm attempting to use this patch in a make file, and Drush reports that it's applying it, but the examples directory is still there afterward:
Even applying the patch manually (which works, so long as you use `patch -p1 ...`) leaves behind examples/bg.jpg and examples/uploads. Am I missing the obvious, or does the patch not actually work? Or is it a problem with Drush make? Or both?
Comment #4
hswong3i commented: Refer to http://git.wikia.com/wiki/Patches; the patch is now created with:
Therefore it is able to show the rename/delete action and so works for both a Git checkout and the -dev.tar.gz package.
Comment #5
hswong3i commented: Too bad that with -D it cannot be applied by patch, only by git apply:
Well... so I recreated the patch with:
Therefore, sorry, but please manually remove the examples folder after the patch is applied ;-)
Comment #6
q11q11 commented: Sorry for the silly question, but how should the line with that patch look in my .make file?
This doesn't work:
libraries[plupload][patch][] = http://drupal.org/files/plupload-1_5_6-rm_examples-1903850-5.patch
How else?
Comment #7
hswong3i commented: Hopefully my DruStack version can be your reference:
Some code snippet:
Comment #8
mrfelton commented: None of the above patches work with an archive version of plupload from https://github.com/moxiecode/plupload/archive/1.5.6.zip. This works:
Comment #9
bart.hanssens commented: Patch for 1.5.7.
Comment #10
hswong3i commented: This should also work for 1.5.7.
Comment #11
igor.ro commented: #9 and #10 did not work for me.
Here is a new patch for 1.5.7.
Comment #12
hefox commented: Perhaps plupload should have a make file itself for the library that includes the patch.
Comment #13
Chris Charlton commented: Patch available at: https://drupal.org/node/2088143
Comment #14
saltednut commented: See: #2168205: plupload.com/downloads/plupload_1_5_7.zip no longer exists
A new version, 1.5.8, does exist at https://github.com/moxiecode/plupload/archive/v1.5.8.zip and it needs patching.
Comment #15
saltednut commented: Would like to make a patch but unsure how one does this for a library.
Would I unzip the library and then create a new repository, commit changes, then make changes and use git diff?
Confusing to create a patch for a non-repository... thanks in advance!
Comment #16
hswong3i commented: Patch revoke for v1.5.8 GIT from github.
Comment #17
hswong3i commented:
Comment #18
hefox commented: Not going to look into it now, but I wonder if there is a drush issue for removing a directory/files from a download. It's not like plupload is the only library in this situation.
edit: drush error => drush issue
Comment #19
saltednut commented: Fixed grammar in title.
Patch confirmed working for us with minimal effort.
Comment #20
Anonymous (not verified) commented: The patch is now suddenly failing... :S
[edit]
Hm.. I think it always failed.. however we removed --force-complete from the drush command so now we notice :(
[edit2]
Nope, it worked a few days ago :S
Our log message from 2015-01-09:
>> plupload-7.x-1.7 downloaded.
>> Found makefile: plupload.make
>> plupload downloaded from https://github.com/moxiecode/plupload/archive/v1.5.8.zip.
>> plupload patched with plupload-1_5_8-rm_examples-1903850-16.patch.
However the 'examples' directory is still there in /sites/all/libraries/plupload/examples :') Great patch.
Comment #21
dtarc commented: Here's another patch for 1.5.8.
Comment #22
evilehk commented: Patch to remove the examples folder for plupload v2.1.8.
Comment #23
Gold commented: The patch at #22 failed to apply.
The patch at #21 worked for me though.
While this patch fixes the external library, this isn't really something that can be "applied" to the current codebase. It is useful from the point of view of it being available for `drush make`, though. The current plupload.make.example file is referencing the patch at #21 also.
This issue feels Fixed to me, at least as far as we can apply things to the codebase.
Going forward, the example make file from #2088143: [Needs docs] Add make file so dependencies are downloaded automatically will be updated as new versions of the library are released. Chances are this patch may fail if the files in the examples dir change. New patches could be added and tracked here.
Comment #24
evilehk commented: Great detail, thanks Gold. Just as you mentioned, this is a good spot for patches to remove the examples directory in future versions of plupload. The patch in #22 is meant for plupload v2.1.8 (not plupload 1.5.8). The patch in #22 is referenced in the plupload.make file after patch #2098555-26: Make compatible with plupload version 2.1.9 is applied. If you had time, it would be great if you could apply the same level of detail to verifying that patch!
Comment #26
ciss (yousign GmbH) commented: Drush make uses the `patch` command, which does not support Git's binary diff format. Adding a patch that was created using `git diff --text`.
Comment #27
srjosh commented: Attached is a patch to remove the examples folder for version 2.1.9 of PLUpload.
Comment #28
Pol commented: Hi all,
We are having this error on some machines.
In order to debug where it was coming from, we've created a small makefile containing plupload only.
The drush command:
drush make test.make --no-core -v -d -y
The log when building: http://pastebin.com/UHhP50eu
Software versions:
Comment #29
Pol commented: Here's a new patch against v1.5.8. It's different from #21.
It has been created using `git diff -a` with git 2.10.
Comment #30
jsst (Ibuildings) commented: Sorry, this patch is actually against 54a0e4e.
Comment #31
jsst (Ibuildings) commented: Patch against 2.2.1.
Comment #32
Jorrit (volunteer) commented: #29 works while #21 doesn't, using `patch` and plupload 1.5.8.
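The workflow asked about in #15 and settled on in #26, #29 and #32 (unpack the release archive, turn it into a throwaway Git repository, delete examples/, take the diff with `git diff --text`, alias `-a`, so that plain `patch -p1` accepts it), written out below as an added shell example. It is not the module's tooling and not one of the patches attached to this issue; it assumes git and GNU patch are on the PATH, and every directory and file name in it is hypothetical.

```shell
#!/bin/sh
# Added example (not plupload's own tooling, not one of the patches on this
# issue): build a "remove examples/" patch for an unpacked plupload release
# archive in a form that plain `patch -p1` can apply.  Drush make applies
# library patches with the `patch` command, which does not understand Git's
# "Binary files differ" format, so the diff is taken with `git diff --text`
# (the `-a` used in #29).  Assumes git and GNU patch are installed; paths are
# hypothetical.
set -eu

# make_rm_examples_patch <unpacked-library-dir> <output.patch>
#   1. copy the unpacked archive into a throwaway git repository
#   2. commit it as the upstream baseline
#   3. stage the deletion of examples/ and diff the index against HEAD
make_rm_examples_patch() {
  lib=$1
  out=$2
  work=$(mktemp -d)
  cp -R "$lib/." "$work/"
  (
    cd "$work"
    git init -q
    git add -A
    git -c user.name=rm-examples -c user.email=rm-examples@localhost \
      commit -q -m "upstream archive"
    git rm -r -q examples
    # --text forces a textual diff even for bg.jpg so `patch` can delete it;
    # the a/ b/ prefixes are what -p1 strips off.
    git diff --cached --text --src-prefix=a/ --dst-prefix=b/ > "$work.patch"
  )
  mv "$work.patch" "$out"
  rm -rf "$work"
}

# apply_rm_examples_patch <library-dir> <patch>
#   Dry-run first so a rejected hunk never leaves a half-removed tree, then
#   apply for real.  Non-zero when `patch` rejects anything.
apply_rm_examples_patch() {
  patch -p1 -d "$1" --dry-run -s < "$2" && patch -p1 -d "$1" -s < "$2"
}

# examples_removed <library-dir>
#   Succeeds only when no regular file survives under examples/.  An empty
#   examples/uploads/ directory may still be there (see #3): a patch can only
#   delete files, never a directory that contained none.
examples_removed() {
  [ -z "$(find "$1/examples" -type f 2>/dev/null)" ]
}
```

Run `make_rm_examples_patch plupload-2.2.1 rm-examples.patch` once per library version, check that the output contains `deleted file mode` lines and no `Binary files ... differ` line, and point `libraries[plupload][patch][]` at wherever you host the result. Since `patch` cannot remove a directory that held no tracked file, still run a post-build check for a surviving `examples/` directory.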
Comment #33
nevergone commented: 7.x-1.x version: #29 is good work.
Comment #34
NWOM commented: -Deleted-
Comment #35
NWOM commented: Added the last comment to the wrong issue.
Comment #36
Ludo.R commented: I confirm #31 works for version 2.2.1.
Comment #37
bwaindwain (volunteer) commented: Patch from #31 works for us with Plupload 2.3.6 in Drupal 9.1.4. Thanks @jsst.
Comment #38
bwaindwain (volunteer) commented: Here's a new patch for 2.3.7.
Comment #39
NWOM commented: Setting to Needs Review since a patch is attached. It was accidentally removed by whoever changed the version from 8.x back to 7.x. I have not tested the newest patch myself.
Comment #40
orodicio (Metadrop) commented: Patch from #31 works for us with Plupload 2.3.6 in Drupal 9.5.4.
Comment #41
thejimbirch (Kanopi Studios) commented: Thanks for the patches! I struggled to understand the process, so I am adding a workflow document in hopes of helping others.
Remove security vulnerability in Plupload examples folder
The Drupal Plupload module requires the moxiecode/plupload library. This library contains an examples folder that has a security vulnerability that can be exploited.
This vulnerability can be confirmed on Pantheon using their status check in the dashboard.
Removing the folder
This issue contains patches against the different versions of the Plupload library, not the module. There are different patches for the different versions of the Plupload library (again, not the Drupal module).
The tricky bit is that you are patching the library, which is a dependency of the Drupal module, not the module itself. (should I say it one more time? =)
In your composer.json file, you can add the following under the patches section:
After that, run `composer update moxiecode/plupload` and verify the patch has been applied.
If you are using Pantheon, after you deploy, run the Status check in the dashboard to verify the folder has been removed.
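Because the thread shows drush logging "plupload patched with ..." while sites/all/libraries/plupload/examples was still on disk (#3, #20), the "verify the patch has been applied" step deserves an automated gate rather than a look at the build log. The following is an added shell script, not part of the plupload module or of any patch on this issue; the library path and the build command it wraps are assumptions, and it works the same after `drush make` or `composer update moxiecode/plupload`.

```shell
#!/bin/sh
# Added example (not part of the plupload module or this issue's patches):
# a post-build gate that runs the build step and then refuses to continue if
# the library's examples/ folder is still on disk, regardless of what the
# build tool logged.  The library path and build command are assumptions.
set -eu

# list_examples_leftovers <path-to-plupload-library>
#   Prints every entry still under <lib>/examples (files and directories,
#   e.g. the bg.jpg and uploads/ that survive a text-only patch).
#   Exit 0 when examples/ is gone, 1 when anything remains.
list_examples_leftovers() {
  ex="$1/examples"
  [ -e "$ex" ] || return 0
  echo "$ex still exists:" >&2
  find "$ex" -mindepth 1 >&2
  return 1
}

# build_and_check <path-to-plupload-library> <build command...>
#   Runs the build command, e.g.
#     build_and_check sites/all/libraries/plupload \
#       drush make --no-core --libraries=plupload build.make
#   or
#     build_and_check vendor/moxiecode/plupload composer update moxiecode/plupload
#   Exit 2 if the build itself failed, 1 if examples/ survived, 0 otherwise.
build_and_check() {
  lib=$1
  shift
  "$@" || return 2
  list_examples_leftovers "$lib" || return 1
  echo "ok: no examples/ under $lib"
}

# purge_examples <path-to-plupload-library>
#   Fallback when no attached patch applies to the library version in use
#   (the manual removal suggested in #5): delete the folder and re-check.
purge_examples() {
  rm -rf "$1/examples"
  list_examples_leftovers "$1"
}
```

Wire `build_and_check` into the deployment script so a surviving examples/ directory fails the build before anything reaches a web root; the Pantheon dashboard check mentioned above then becomes a second opinion rather than the first place the problem is noticed.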
Comment #42
budalokko commented: The vulnerability was fixed upstream two years ago:
- https://github.com/moxiecode/plupload/releases/tag/v2.3.7
- https://github.com/moxiecode/plupload/issues/1536
We won't change our procedures for d7 at this point, but wondering what the users of this patch think about just requiring a version >=2.3.7 for the Drupal 8+ version of the module.
This is the fix. Secure enough under my view:
https://github.com/moxiecode/plupload/commit/ad2c48793bc989800a9d1f53e09...