This is a quick meta reminder issue: the problems identified in SA-CORE-2010-002 - Drupal core - Multiple vulnerabilities need to go into Drupal 7 as well.
We already have patches for some issues. I'll post those asap.
| Comment | File | Size | Author |
|---|---|---|---|
| #13 | 881578_13_SA-CORE-2010-002.patch | 1.32 KB | scor |
| #12 | 881578_12_SA-CORE-2010-002.patch | 1.17 KB | scor |
| #3 | file_download_upper.patch | 766 bytes | Gábor Hojtsy |
| #2 | comment-unpublished-edit-d7.patch | 777 bytes | Gábor Hojtsy |
Comments

Comment #1
grendzy commented.

Comment #2
Gábor Hojtsy: Here is the D7 port of the "Comment unpublishing bypass" (1 of 4 issues).

Comment #3
Gábor Hojtsy: Here is a patch for the "File download access bypass" issue which I can only assume helps. Upload module is no more, but file field is there.

Comment #4
Gábor Hojtsy: I assume Heine has ports for the OpenID patches, so not working on those now.

Comment #5
scor: Was the actions XSS issue fixed elsewhere?

Comment #6
Gábor Hojtsy: @scor: I don't think so. Will ping Heine about patches he might have.

Comment #7
Heine: I've posted the OpenID assertion verification patch in #886982: Incomplete verification of assertions.

Comment #8
Heine: The actions on D7 are incorrectly double escaped and should be in a separate issue.

Comment #9
Heine: Actions has changed quite a bit and is now at #887102: Trigger & Action escaping issues.

Comment #10
Gábor Hojtsy: Ok, then we only need to deal with the small fixes from #2 and #3 in here. Any review feedback? Should I merge them into one patch?

Comment #11
grendzy: I think a combined patch would be easier - the project workflow doesn't support multiple patches per issue very well.

Comment #12
scor: Merged patches.

Comment #13
scor: With documentation. We could probably bake in a test for the file issue as well.

Comment #14
grendzy: I tested both issues; this patch works as expected.

Comment moderation issue:
- before: comment/1/edit works on unpublished comments
- after: 403 forbidden

File issue:
- before: system/files/TeSt.JpG displays the file
- after: 404 page
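The two checks exercised in the test above, modelled in Python as an added illustration (not the patch itself or Drupal's own code): the "before" functions reproduce the pre-patch observations, the "after" functions the patched results. The comment and file records, the owner-only file access policy and the HTTP-style return codes are constructed for the example; the case-insensitive lookup mimics a MySQL-style collation comparing `WHERE uri = :uri`.

```python
# Constructed sample data, not real Drupal records.
COMMENTS = {1: {"uid": 5, "status": 0}}   # status 0 = unpublished, 1 = published
FILES = [{"fid": 1, "uri": "private://test.jpg", "uid": 5}]


def comment_edit_before(cid, user):
    """Pre-patch: the author may edit their comment whether or not it is published."""
    c = COMMENTS.get(cid)
    if c is None:
        return 404
    if "administer comments" in user["perms"]:
        return 200
    if user["uid"] == c["uid"] and "edit own comments" in user["perms"]:
        return 200
    return 403


def comment_edit_after(cid, user):
    """Patched: a non-admin author may only edit a *published* comment."""
    c = COMMENTS.get(cid)
    if c is None:
        return 404
    if "administer comments" in user["perms"]:
        return 200
    if (user["uid"] == c["uid"] and "edit own comments" in user["perms"]
            and c["status"] == 1):
        return 200
    return 403


def _db_select(uri):
    """Mimic `WHERE uri = :uri` under a case-insensitive database collation."""
    return [f for f in FILES if f["uri"].lower() == uri.lower()]


def file_download_before(uri, user):
    """Pre-patch: any collation match is treated as the requested file."""
    rows = _db_select(uri)
    if not rows:
        return 404
    return 200 if rows[0]["uid"] == user["uid"] else 403


def file_download_after(uri, user):
    """Patched: the stored URI must match the request exactly, case included;
    a match that differs only in case is treated as an unknown file (404)."""
    rows = [r for r in _db_select(uri) if r["uri"] == uri]
    if not rows:
        return 404
    return 200 if rows[0]["uid"] == user["uid"] else 403
```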
Comment #15
Dries: Committed to CVS HEAD. Thanks.