This is a quick meta reminder issue: the problems identified in SA-CORE-2010-002 - Drupal core - Multiple vulnerabilities need to go into Drupal 7 as well.

We already have patches for some issues. I'll post those asap.


Comments

grendzy’s picture

Gábor Hojtsy’s picture

Status: Active » Needs review
File size: 777 bytes

Here is the D7 port of the "Comment unpublishing bypass" (1 of 4 issues).

Gábor Hojtsy’s picture

File size: 766 bytes

Here is a patch for the "File download access bypass" issue which I can only assume helps. Upload module is no more, but file field is there.

Gábor Hojtsy’s picture

I assume Heine has ports for the OpenID patches, so not working on those now.

scor’s picture

Was the actions XSS issue fixed elsewhere?

Gábor Hojtsy’s picture

@scor: I don't think so. Will ping Heine about patches he might have.

Heine’s picture

I've posted the OpenID assertion verification patch in #886982: Incomplete verification of assertions.

Heine’s picture

The actions on D7 are incorrectly double escaped and should be in a separate issue.

Heine’s picture

Actions has changed quite a bit and is now at #887102: Trigger & Action escaping issues.

Gábor Hojtsy’s picture

Ok then we only need to deal with the small fixes from #2 and #3 in here. Any review feedback? Should I merge them into one patch?

grendzy’s picture

I think a combined patch would be easier - the project workflow doesn't support multiple patches per issue very well.

scor’s picture

Merged patches.

scor’s picture

With documentation. We could probably bake in a test for the file issue as well.

grendzy’s picture

Status: Needs review » Reviewed & tested by the community

I tested both issues; this patch works as expected.

Comment moderation issue:
- before: comment/1/edit works on unpublished comments
- after: 403 forbidden

File issue:
- before: system/files/TeSt.JpG displays the file
- after: 404 page
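The two before/after results above correspond to two access checks. The following stand-alone PHP is an added illustration written for this thread, not the committed Drupal core patch and not Drupal's own API: `can_edit_comment()` and `resolve_private_file()` are hypothetical functions, the `$account['perms']` array stands in for `user_access()`, and the arrays stand in for `{comment}` and `{file_managed}` rows. It shows why an unpublished comment must be rejected for "edit own comments" users, and why a private-file lookup that relies on a case-insensitive database comparison needs a byte-for-byte check before the file is served.

```php
<?php
// Added illustration (not the Drupal core patch). Constructed data stands in
// for {comment} and {file_managed} rows; the two checks mirror the two
// before/after results in the test report above.

define('COMMENT_NOT_PUBLISHED', 0);  // same status values Drupal 7 uses
define('COMMENT_PUBLISHED', 1);

/**
 * Comment unpublishing bypass: a user who only has "edit own comments"
 * must not be able to edit (and thereby republish) one of their own
 * comments that a moderator unpublished. $account['perms'] is a
 * constructed stand-in for user_access().
 */
function can_edit_comment(array $account, array $comment) {
  if (!empty($account['perms']['administer comments'])) {
    return TRUE;
  }
  return !empty($account['perms']['edit own comments'])
    && $account['uid'] == $comment['uid']
    && $comment['status'] == COMMENT_PUBLISHED;
}

/**
 * Case-insensitive lookup, standing in for a database whose default
 * collation compares strings without regard to case. This is what lets a
 * request for "TeSt.JpG" find a row stored as "test.jpg".
 */
function lookup_files_ci(array $records, $uri) {
  $matches = array();
  foreach ($records as $record) {
    if (strcasecmp($record['uri'], $uri) === 0) {
      $matches[] = $record;
    }
  }
  return $matches;
}

/**
 * File download access: treat the database hit only as a candidate and
 * require an exact match before serving. A request that differs only in
 * case therefore resolves to "no such file" (404), as in the test above.
 */
function resolve_private_file(array $records, $uri) {
  foreach (lookup_files_ci($records, $uri) as $record) {
    if ($record['uri'] === $uri) {
      return $record;
    }
  }
  return NULL;
}

// --- Demonstration with constructed data ---
$author  = array('uid' => 5, 'perms' => array('edit own comments' => TRUE));
$comment = array('cid' => 1, 'uid' => 5, 'status' => COMMENT_NOT_PUBLISHED);
printf("edit unpublished comment/1: %s\n",
  can_edit_comment($author, $comment) ? 'allowed' : '403 forbidden');
$comment['status'] = COMMENT_PUBLISHED;
printf("edit published comment/1:   %s\n",
  can_edit_comment($author, $comment) ? 'allowed' : '403 forbidden');

$files = array(array('fid' => 1, 'uri' => 'private://test.jpg'));
foreach (array('private://test.jpg', 'private://TeSt.JpG') as $request) {
  $hit = resolve_private_file($files, $request);
  printf("%-20s %s\n", $request,
    $hit ? 'serve fid ' . $hit['fid'] : '404 not found');
}
```

Run it with `php example.php`: the unpublished comment is refused and the published one allowed, and only the exactly-cased file path resolves to a record. The design point is that the database comparison is never the authoritative access decision; the exact string check (and, for comments, the published status) is.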

Dries’s picture

Status: Reviewed & tested by the community » Fixed

Committed to CVS HEAD. Thanks.

Status: Fixed » Closed (fixed)
Issue tags: -Security Advisory follow-up

Automatically closed -- issue fixed for 2 weeks with no activity.