See: https://www.drupal.org/SA-CORE-2015-003
http://cgit.drupalcode.org/drupal/commit/?h=7.x&id=731dfacab8bf39918c135...

A vulnerability was found in the SQL comment filtering system which could allow a user with elevated permissions to inject malicious code in SQL comments.

This vulnerability is mitigated by the fact that only one contributed module that the security team found uses the comment filtering system in a way that would trigger the vulnerability. That module requires you to have a very high level of access in order to perform the attack.

Credit for the D6/D7 version of this patch (the security release):

csabot3, Crell, pwolanin, YesCT, ircmaxell, greggles
CommentFileSizeAuthor
#6 2554229-6.patch4.01 KBstefan.r
#4 2554229-3.patch2.48 KBstefan.r
#2 2554229-1.patch2.48 KBstefan.r

Comments

webchick created an issue. See original summary.

stefan.r’s picture

stefan.r commented
Status: Active » Needs review
StatusFileSize
new 2554229-1.patch2.48 KB

Status: Needs review » Needs work

The last submitted patch, 2: 2554229-1.patch, failed testing.

stefan.r’s picture

stefan.r commented
Status: Needs work » Needs review
StatusFileSize
new 2554229-3.patch2.48 KB

Status: Needs review » Needs work

The last submitted patch, 4: 2554229-3.patch, failed testing.

stefan.r’s picture

stefan.r commented
Status: Needs work » Needs review
StatusFileSize
new 2554229-6.patch4.01 KB
larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented
Status: Needs review » Reviewed & tested by the community

Thanks!

effulgentsia’s picture

effulgentsia commented

Patch looks great. Adding credit to larowlan for reviewing and webchick for reporting.

effulgentsia’s picture

effulgentsia commented
Status: Reviewed & tested by the community » Fixed

Pushed to 8.0.x. Thanks!

  • effulgentsia committed 02a6786 on 8.0.x 
    Issue #2554229 by stefan.r, csabot3, Crell, pwolanin, YesCT, ircmaxell,...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.