See:
- https://www.drupal.org/SA-CORE-2016-003
- http://cgit.drupalcode.org/drupal/commit/?id=17ff00c
- https://httpoxy.org/
Drupal 7 core is not vulnerable, but porting the fix in .htaccess/web.config files would mitigate the issue when using vulnerable libraries or vulnerable code.
Credit for the D8 version of this patch (the security release):
alexpott, Michael Dowling, mlhess, xjm, Pere Orga, dawehner, greggles, coltrane, pwolanin, larowlan
Comment | File | Size | Author |
---|---|---|---|
#18 | 2768921-18.patch | 3.23 KB | mcdruid |
Comments
Comment #2
Pere OrgaQuoting Kurt Seifried:
Patch attached. I'm unable to test IIS.
Comment #3
Pere OrgaComment #6
Pere OrgaComment #7
David_Rothstein CreditAttribution: David_Rothstein as a volunteer commentedI closed #2783239: Backport DRUPAL-SA-CORE-2016-003 hardening as a duplicate, but it pointed out via the linked issue that the IIS code that went into Drupal 8 may have problems - so this issue likely needs work for that too.
Comment #8
jfhovinne CreditAttribution: jfhovinne commentedComment added to web.config.
Comment #9
izmeez CreditAttribution: izmeez commentedThe addition of a comment line in the patch introduced in #8 is helpful.
And further to comment #7, for clarity, the issue regarding problems with IIS is #2783079: DRUPAL-SA-CORE-2016-003 Completely broke IIS drupal deployments
Comment #10
izmeez CreditAttribution: izmeez commentedThe patch in #8 is favoured because it includes an additional comment line explaining the purpose of the code changes. It looks good and we have been using it for some time without problems.
Comment #11
mcdruidIIUC if we committed this to D7 there's a risk we'd break IIS deployments in the way outlined by #2783079: DRUPAL-SA-CORE-2016-003 Completely broke IIS drupal deployments (per #7).
So I'd want to see the patch in that issue backported rather than adding the web.config lines which apparently caused problems in IIS.
Comment #12
izmeez CreditAttribution: izmeez commented@mcdruid, Thanks, good catch.
Comment #13
izmeez CreditAttribution: izmeez commentedHere is my first attempt at backport of #2783079: DRUPAL-SA-CORE-2016-003 Completely broke IIS drupal deployments as requested in comment #11. Attached is a patch and interdiff.
Comment #14
izmeez CreditAttribution: izmeez commentedThe patch in comment #13 is incomplete. Here is a patch that is a combined backport of SA-CORE-2016-003 and #2783079: DRUPAL-SA-CORE-2016-003 Completely broke IIS drupal deployments and an interdiff comparing with patch in comment #8.
Comment #15
izmeez CreditAttribution: izmeez commentedI wonder if a change record will be required for existing sites to alert them that a deployment change may be required for earlier versions of php.
and
Comment #16
mcdruidI think a CR makes sense for this, yep.
We'll need to call out the changes to .htaccess and web.config in release notes.
I'm not crazy about the formatting / indentation here:
...but it looks like the only thing CodeSniffer complains about is the absence of any punctuation at the end of the comment (first line in snippet above):
That could be fixed on commit.
It looks like this should be harmless as the addition to web.config is commented out, but it'd be good to have confirmation of a manual test on IIS. Even better if someone could check the status report when running a vulnerable PHP version, but just a "it doesn't break everything" would be sufficient. I've added a tag accordingly, and will try to find a tester in slack next week if necessary.
Comment #17
mcdruidI did a quick manual test in IIS running in an old VM. Confirmed that the (commented out) changes to web.config don't break anything.. which is as we'd expect.
I also checked the status report warning (I cheated and changed the condition so that my PHP version triggered it) and found a couple of small issues; I hadn't spotted that there's a short array syntax copy-paste in the description (perhaps the PHP 5.3 test I've just kicked off will pick that up?). Plus the
:variable
syntax being used for the link doesn't work in D7 so we get some malformed HTML.So this patch fixes those minor glitches, and adds the full stop after the comment that I mentioned previously.
I've also tweaked the layout of the long conditional a little; this may just be subjective but I prefer it spanning fewer lines.
Comment #18
mcdruidOops; missed another short array syntax copypasta.
Comment #19
izmeez CreditAttribution: izmeez commented@mcdruid Thanks. The patch looks good and the formatting does improve it. Sorry for missing the short arrays on back port from D8. Patch also applies without difficulty on my tests.
Comment #20
izmeez CreditAttribution: izmeez commentedI have created a draft change record, https://www.drupal.org/node/3215527
Comment #21
mcdruidThanks for starting the CR.
...doesn't match https://www.drupal.org/project/drupal/issues/2783079#comment-11509375 and the logic that we're adding to the requirements check.
If we want to be really helpful, let's show (or link to) the exact changes being made to .htaccess and web.config to make it easier for those to be manually applied to any customised versions of those files.
Comment #22
mcdruidTaking #19 as RTBC :)
Comment #23
mcdruidComment #24
izmeez CreditAttribution: izmeez commentedI've modified the change record and decided to show the changes made to .htaccess and web.config rather than the extra step of a link. It's still a draft and open for improvements.
Comment #25
Fabianx CreditAttribution: Fabianx as a volunteer and at Tag1 Consulting commentedRTBC + 1, patch looks good and security hardening is a good idea
Comment #34
mcdruidComment #37
mcdruidComment #39
mcdruidThank you everybody!