Révision 134c7813
Ajouté par Mathieu Schiano Di Schiabica il y a environ 8 ans
drupal7/CHANGELOG.txt | ||
---|---|---|
1 | 1 |
|
2 |
Drupal 7.43, 2016-02-24 |
|
3 |
----------------------- |
|
4 |
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2016-001. |
|
5 |
|
|
2 | 6 |
Drupal 7.42, 2016-02-03 |
3 | 7 |
----------------------- |
4 | 8 |
- Stopped invoking hook_flush_caches() on every cron run, since some modules |
drupal7/includes/bootstrap.inc | ||
---|---|---|
8 | 8 |
/** |
9 | 9 |
* The current system version. |
10 | 10 |
*/ |
11 |
define('VERSION', '7.42');
|
|
11 |
define('VERSION', '7.43');
|
|
12 | 12 |
|
13 | 13 |
/** |
14 | 14 |
* Core API compatibility. |
drupal7/includes/common.inc | ||
---|---|---|
688 | 688 |
$options['fragment'] = $destination['fragment']; |
689 | 689 |
} |
690 | 690 |
|
691 |
// In some cases modules call drupal_goto(current_path()). We need to ensure |
|
692 |
// that such a redirect is not to an external URL. |
|
693 |
if ($path === current_path() && empty($options['external']) && url_is_external($path)) { |
|
694 |
// Force url() to generate a non-external URL. |
|
695 |
$options['external'] = FALSE; |
|
696 |
} |
|
697 |
|
|
691 | 698 |
drupal_alter('drupal_goto', $path, $options, $http_response_code); |
692 | 699 |
|
693 | 700 |
// The 'Location' HTTP header must be absolute. |
... | ... | |
2220 | 2227 |
'prefix' => '' |
2221 | 2228 |
); |
2222 | 2229 |
|
2223 |
// A duplicate of the code from url_is_external() to avoid needing another |
|
2224 |
// function call, since performance inside url() is critical. |
|
2225 | 2230 |
if (!isset($options['external'])) { |
2226 |
// Return an external link if $path contains an allowed absolute URL. Avoid |
|
2227 |
// calling drupal_strip_dangerous_protocols() if there is any slash (/), |
|
2228 |
// hash (#) or question_mark (?) before the colon (:) occurrence - if any - |
|
2229 |
// as this would clearly mean it is not a URL. If the path starts with 2 |
|
2230 |
// slashes then it is always considered an external URL without an explicit |
|
2231 |
// protocol part. |
|
2232 |
$colonpos = strpos($path, ':'); |
|
2233 |
$options['external'] = (strpos($path, '//') === 0) |
|
2234 |
|| ($colonpos !== FALSE |
|
2235 |
&& !preg_match('![/?#]!', substr($path, 0, $colonpos)) |
|
2236 |
&& drupal_strip_dangerous_protocols($path) == $path); |
|
2231 |
$options['external'] = url_is_external($path); |
|
2237 | 2232 |
} |
2238 | 2233 |
|
2239 | 2234 |
// Preserve the original path before altering or aliasing. |
... | ... | |
2353 | 2348 |
*/ |
2354 | 2349 |
function url_is_external($path) { |
2355 | 2350 |
$colonpos = strpos($path, ':'); |
2356 |
// Avoid calling drupal_strip_dangerous_protocols() if there is any slash (/), |
|
2357 |
// hash (#) or question_mark (?) before the colon (:) occurrence - if any - as |
|
2358 |
// this would clearly mean it is not a URL. If the path starts with 2 slashes |
|
2359 |
// then it is always considered an external URL without an explicit protocol |
|
2360 |
// part. |
|
2351 |
// Some browsers treat \ as / so normalize to forward slashes. |
|
2352 |
$path = str_replace('\\', '/', $path); |
|
2353 |
// If the path starts with 2 slashes then it is always considered an external |
|
2354 |
// URL without an explicit protocol part. |
|
2361 | 2355 |
return (strpos($path, '//') === 0) |
2356 |
// Leading control characters may be ignored or mishandled by browsers, so |
|
2357 |
// assume such a path may lead to an external location. The \p{C} character |
|
2358 |
// class matches all UTF-8 control, unassigned, and private characters. |
|
2359 |
|| (preg_match('/^\p{C}/u', $path) !== 0) |
|
2360 |
// Avoid calling drupal_strip_dangerous_protocols() if there is any slash |
|
2361 |
// (/), hash (#) or question_mark (?) before the colon (:) occurrence - if |
|
2362 |
// any - as this would clearly mean it is not a URL. |
|
2362 | 2363 |
|| ($colonpos !== FALSE |
2363 | 2364 |
&& !preg_match('![/?#]!', substr($path, 0, $colonpos)) |
2364 | 2365 |
&& drupal_strip_dangerous_protocols($path) == $path); |
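Review bot: In url_is_external(), the new test `(preg_match('/^\p{C}/u', $path) !== 0)` is also true when preg_match() returns FALSE, which with the `u` modifier happens whenever $path is not valid UTF-8, so such paths are classified as external. That is the fail-safe direction, but the comment above it only talks about control characters; I would add `// A preg_match() failure (e.g. invalid UTF-8 input) is also treated as external.` so the next reader does not "fix" it to `=== 1`. The backslash normalisation on the line `$path = str_replace('\\', '/', $path);` only affects the local copy used for the decision; url() in the earlier hunk keeps using its original $path after `$options['external'] = url_is_external($path);`, which looks intentional but deserves a one-line note at that call site. The drupal_goto() hunk at the top of this section forces `$options['external'] = FALSE` only when $path is identical to current_path(); that function starts and ends outside the hunk.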
drupal7/includes/path.inc | ||
---|---|---|
347 | 347 |
* drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL) makes this function available. |
348 | 348 |
* |
349 | 349 |
* @return |
350 |
* The current Drupal URL path. |
|
350 |
* The current Drupal URL path. The path is untrusted user input and must be |
|
351 |
* treated as such. |
|
351 | 352 |
* |
352 | 353 |
* @see request_path() |
353 | 354 |
*/ |
drupal7/includes/xmlrpcs.inc | ||
---|---|---|
264 | 264 |
*/ |
265 | 265 |
function xmlrpc_server_multicall($methodcalls) { |
266 | 266 |
// See http://www.xmlrpc.com/discuss/msgReader$1208 |
267 |
// To avoid multicall expansion attacks, limit the number of duplicate method |
|
268 |
// calls allowed with a default of 1. Set to -1 for unlimited. |
|
269 |
$duplicate_method_limit = variable_get('xmlrpc_multicall_duplicate_method_limit', 1); |
|
270 |
$method_count = array(); |
|
267 | 271 |
$return = array(); |
268 | 272 |
$xmlrpc_server = xmlrpc_server_get(); |
269 | 273 |
foreach ($methodcalls as $call) { |
... | ... | |
273 | 277 |
$ok = FALSE; |
274 | 278 |
} |
275 | 279 |
$method = $call['methodName']; |
280 |
$method_count[$method] = isset($method_count[$method]) ? $method_count[$method] + 1 : 1; |
|
276 | 281 |
$params = $call['params']; |
277 | 282 |
if ($method == 'system.multicall') { |
278 | 283 |
$result = xmlrpc_error(-32600, t('Recursive calls to system.multicall are forbidden.')); |
279 | 284 |
} |
285 |
elseif ($duplicate_method_limit > 0 && $method_count[$method] > $duplicate_method_limit) { |
|
286 |
$result = xmlrpc_error(-156579, t('Too many duplicate method calls in system.multicall.')); |
|
287 |
} |
|
280 | 288 |
elseif ($ok) { |
281 | 289 |
$result = xmlrpc_server_call($xmlrpc_server, $method, $params); |
282 | 290 |
} |
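Review bot: The guard `$duplicate_method_limit > 0 &&` in the new elseif disables the duplicate check for every non-positive value, so a site that sets xmlrpc_multicall_duplicate_method_limit to 0 gets unlimited duplicates, while the comment two lines above `$duplicate_method_limit = variable_get(...)` documents only -1 as the unlimited value. Align the comment with the code: `// calls allowed with a default of 1. Set to -1 (or any value <= 0) for unlimited.` Note that `$method_count[$method]` is incremented before the `$ok` and multicall checks, so malformed and recursive calls also count towards the limit, which seems fine but is worth a short comment on the increment line. xmlrpc_server_multicall() continues past the end of this hunk.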
drupal7/modules/aggregator/aggregator.info | ||
---|---|---|
7 | 7 |
configure = admin/config/services/aggregator/settings |
8 | 8 |
stylesheets[all][] = aggregator.css |
9 | 9 |
|
10 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
11 |
version = "7.42"
|
|
10 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
11 |
version = "7.43"
|
|
12 | 12 |
project = "drupal" |
13 |
datestamp = "1454517955"
|
|
13 |
datestamp = "1456343506"
|
|
14 | 14 |
|
drupal7/modules/aggregator/tests/aggregator_test.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
hidden = TRUE |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/block/block.info | ||
---|---|---|
6 | 6 |
files[] = block.test |
7 | 7 |
configure = admin/structure/block |
8 | 8 |
|
9 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
10 |
version = "7.42"
|
|
9 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
10 |
version = "7.43"
|
|
11 | 11 |
project = "drupal" |
12 |
datestamp = "1454517955"
|
|
12 |
datestamp = "1456343506"
|
|
13 | 13 |
|
drupal7/modules/block/tests/block_test.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
hidden = TRUE |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/block/tests/themes/block_test_theme/block_test_theme.info | ||
---|---|---|
13 | 13 |
regions[highlighted] = Highlighted |
14 | 14 |
regions[help] = Help |
15 | 15 |
|
16 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
17 |
version = "7.42"
|
|
16 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
17 |
version = "7.43"
|
|
18 | 18 |
project = "drupal" |
19 |
datestamp = "1454517955"
|
|
19 |
datestamp = "1456343506"
|
|
20 | 20 |
|
drupal7/modules/blog/blog.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
files[] = blog.test |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/book/book.info | ||
---|---|---|
7 | 7 |
configure = admin/content/book/settings |
8 | 8 |
stylesheets[all][] = book.css |
9 | 9 |
|
10 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
11 |
version = "7.42"
|
|
10 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
11 |
version = "7.43"
|
|
12 | 12 |
project = "drupal" |
13 |
datestamp = "1454517955"
|
|
13 |
datestamp = "1456343506"
|
|
14 | 14 |
|
drupal7/modules/color/color.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
files[] = color.test |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/comment/comment.info | ||
---|---|---|
9 | 9 |
configure = admin/content/comment |
10 | 10 |
stylesheets[all][] = comment.css |
11 | 11 |
|
12 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
13 |
version = "7.42"
|
|
12 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
13 |
version = "7.43"
|
|
14 | 14 |
project = "drupal" |
15 |
datestamp = "1454517955"
|
|
15 |
datestamp = "1456343506"
|
|
16 | 16 |
|
drupal7/modules/contact/contact.info | ||
---|---|---|
6 | 6 |
files[] = contact.test |
7 | 7 |
configure = admin/structure/contact |
8 | 8 |
|
9 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
10 |
version = "7.42"
|
|
9 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
10 |
version = "7.43"
|
|
11 | 11 |
project = "drupal" |
12 |
datestamp = "1454517955"
|
|
12 |
datestamp = "1456343506"
|
|
13 | 13 |
|
drupal7/modules/contextual/contextual.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
files[] = contextual.test |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/dashboard/dashboard.info | ||
---|---|---|
7 | 7 |
dependencies[] = block |
8 | 8 |
configure = admin/dashboard/customize |
9 | 9 |
|
10 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
11 |
version = "7.42"
|
|
10 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
11 |
version = "7.43"
|
|
12 | 12 |
project = "drupal" |
13 |
datestamp = "1454517955"
|
|
13 |
datestamp = "1456343506"
|
|
14 | 14 |
|
drupal7/modules/dblog/dblog.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
files[] = dblog.test |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/field/field.info | ||
---|---|---|
11 | 11 |
required = TRUE |
12 | 12 |
stylesheets[all][] = theme/field.css |
13 | 13 |
|
14 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
15 |
version = "7.42"
|
|
14 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
15 |
version = "7.43"
|
|
16 | 16 |
project = "drupal" |
17 |
datestamp = "1454517955"
|
|
17 |
datestamp = "1456343506"
|
|
18 | 18 |
|
drupal7/modules/field/modules/field_sql_storage/field_sql_storage.info | ||
---|---|---|
7 | 7 |
files[] = field_sql_storage.test |
8 | 8 |
required = TRUE |
9 | 9 |
|
10 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
11 |
version = "7.42"
|
|
10 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
11 |
version = "7.43"
|
|
12 | 12 |
project = "drupal" |
13 |
datestamp = "1454517955"
|
|
13 |
datestamp = "1456343506"
|
|
14 | 14 |
|
drupal7/modules/field/modules/list/list.info | ||
---|---|---|
7 | 7 |
dependencies[] = options |
8 | 8 |
files[] = tests/list.test |
9 | 9 |
|
10 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
11 |
version = "7.42"
|
|
10 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
11 |
version = "7.43"
|
|
12 | 12 |
project = "drupal" |
13 |
datestamp = "1454517955"
|
|
13 |
datestamp = "1456343506"
|
|
14 | 14 |
|
drupal7/modules/field/modules/list/tests/list_test.info | ||
---|---|---|
5 | 5 |
version = VERSION |
6 | 6 |
hidden = TRUE |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/field/modules/number/number.info | ||
---|---|---|
6 | 6 |
dependencies[] = field |
7 | 7 |
files[] = number.test |
8 | 8 |
|
9 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
10 |
version = "7.42"
|
|
9 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
10 |
version = "7.43"
|
|
11 | 11 |
project = "drupal" |
12 |
datestamp = "1454517955"
|
|
12 |
datestamp = "1456343506"
|
|
13 | 13 |
|
drupal7/modules/field/modules/options/options.info | ||
---|---|---|
6 | 6 |
dependencies[] = field |
7 | 7 |
files[] = options.test |
8 | 8 |
|
9 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
10 |
version = "7.42"
|
|
9 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
10 |
version = "7.43"
|
|
11 | 11 |
project = "drupal" |
12 |
datestamp = "1454517955"
|
|
12 |
datestamp = "1456343506"
|
|
13 | 13 |
|
drupal7/modules/field/modules/text/text.info | ||
---|---|---|
7 | 7 |
files[] = text.test |
8 | 8 |
required = TRUE |
9 | 9 |
|
10 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
11 |
version = "7.42"
|
|
10 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
11 |
version = "7.43"
|
|
12 | 12 |
project = "drupal" |
13 |
datestamp = "1454517955"
|
|
13 |
datestamp = "1456343506"
|
|
14 | 14 |
|
drupal7/modules/field/tests/field_test.info | ||
---|---|---|
6 | 6 |
version = VERSION |
7 | 7 |
hidden = TRUE |
8 | 8 |
|
9 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
10 |
version = "7.42"
|
|
9 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
10 |
version = "7.43"
|
|
11 | 11 |
project = "drupal" |
12 |
datestamp = "1454517955"
|
|
12 |
datestamp = "1456343506"
|
|
13 | 13 |
|
drupal7/modules/field_ui/field_ui.info | ||
---|---|---|
6 | 6 |
dependencies[] = field |
7 | 7 |
files[] = field_ui.test |
8 | 8 |
|
9 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
10 |
version = "7.42"
|
|
9 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
10 |
version = "7.43"
|
|
11 | 11 |
project = "drupal" |
12 |
datestamp = "1454517955"
|
|
12 |
datestamp = "1456343506"
|
|
13 | 13 |
|
drupal7/modules/file/file.info | ||
---|---|---|
6 | 6 |
dependencies[] = field |
7 | 7 |
files[] = tests/file.test |
8 | 8 |
|
9 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
10 |
version = "7.42"
|
|
9 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
10 |
version = "7.43"
|
|
11 | 11 |
project = "drupal" |
12 |
datestamp = "1454517955"
|
|
12 |
datestamp = "1456343506"
|
|
13 | 13 |
|
drupal7/modules/file/file.module | ||
---|---|---|
529 | 529 |
// publicly accessible, with no download restrictions; for security |
530 | 530 |
// reasons all other schemes must go through the file_download_access() |
531 | 531 |
// check. |
532 |
if (in_array(file_uri_scheme($file->uri), variable_get('file_public_schema', array('public'))) || file_download_access($file->uri)) {
|
|
533 |
$fid = $file->fid;
|
|
532 |
if (!in_array(file_uri_scheme($file->uri), variable_get('file_public_schema', array('public'))) && !file_download_access($file->uri)) {
|
|
533 |
$force_default = TRUE;
|
|
534 | 534 |
} |
535 |
// If the current user doesn't have access, don't let the file be |
|
536 |
// changed. |
|
537 |
else { |
|
535 |
// Temporary files that belong to other users should never be allowed. |
|
536 |
// Since file ownership can't be determined for anonymous users, they |
|
537 |
// are not allowed to reuse temporary files at all. |
|
538 |
elseif ($file->status != FILE_STATUS_PERMANENT && (!$GLOBALS['user']->uid || $file->uid != $GLOBALS['user']->uid)) { |
|
538 | 539 |
$force_default = TRUE; |
539 | 540 |
} |
541 |
// If all checks pass, allow the file to be changed. |
|
542 |
else { |
|
543 |
$fid = $file->fid; |
|
544 |
} |
|
540 | 545 |
} |
541 | 546 |
} |
542 | 547 |
} |
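Review bot: The ownership test in the new branch, `$file->uid != $GLOBALS['user']->uid`, relies on loose comparison; presumably the file's uid arrives as a string and the session user's uid as an int, so `!=` is what makes it work, but that is not visible from the line and loose comparison in an access check is a recurring source of bugs. Making the cast explicit, `(int) $file->uid !== (int) $GLOBALS['user']->uid`, keeps the behaviour and removes the dependence on PHP's comparison rules. The comment above the branch could also say why uid 0 is excluded outright: `// uid 0 cannot prove ownership, so anonymous users never get to reuse temporary files.` The enclosing if/foreach and the function itself start outside this hunk.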
drupal7/modules/file/tests/file.test | ||
---|---|---|
218 | 218 |
$message = isset($message) ? $message : format_string('File %file is permanent.', array('%file' => $file->uri)); |
219 | 219 |
$this->assertTrue($file->status == FILE_STATUS_PERMANENT, $message); |
220 | 220 |
} |
221 |
|
|
222 |
/** |
|
223 |
* Creates a temporary file, for a specific user. |
|
224 |
* |
|
225 |
* @param string $data |
|
226 |
* A string containing the contents of the file. |
|
227 |
* @param int $uid |
|
228 |
* The user ID of the file owner. |
|
229 |
* |
|
230 |
* @return object |
|
231 |
* A file object, or FALSE on error. |
|
232 |
*/ |
|
233 |
function createTemporaryFile($data, $uid = NULL) { |
|
234 |
$file = file_save_data($data, NULL, NULL); |
|
235 |
|
|
236 |
if ($file) { |
|
237 |
$file->uid = isset($uid) ? $uid : $this->admin_user->uid; |
|
238 |
// Change the file status to be temporary. |
|
239 |
$file->status = NULL; |
|
240 |
return file_save($file); |
|
241 |
} |
|
242 |
|
|
243 |
return $file; |
|
244 |
} |
|
221 | 245 |
} |
222 | 246 |
|
223 | 247 |
/** |
... | ... | |
526 | 550 |
} |
527 | 551 |
} |
528 | 552 |
|
553 |
/** |
|
554 |
* Tests exploiting the temporary file removal of another user using fid. |
|
555 |
*/ |
|
556 |
function testTemporaryFileRemovalExploit() { |
|
557 |
// Create a victim user. |
|
558 |
$victim_user = $this->drupalCreateUser(); |
|
559 |
|
|
560 |
// Create an attacker user. |
|
561 |
$attacker_user = $this->drupalCreateUser(array( |
|
562 |
'access content', |
|
563 |
'create page content', |
|
564 |
'edit any page content', |
|
565 |
)); |
|
566 |
|
|
567 |
// Log in as the attacker user. |
|
568 |
$this->drupalLogin($attacker_user); |
|
569 |
|
|
570 |
// Perform tests using the newly created users. |
|
571 |
$this->doTestTemporaryFileRemovalExploit($victim_user->uid, $attacker_user->uid); |
|
572 |
} |
|
573 |
|
|
574 |
/** |
|
575 |
* Tests exploiting the temporary file removal for anonymous users using fid. |
|
576 |
*/ |
|
577 |
public function testTemporaryFileRemovalExploitAnonymous() { |
|
578 |
// Set up an anonymous victim user. |
|
579 |
$victim_uid = 0; |
|
580 |
|
|
581 |
// Set up an anonymous attacker user. |
|
582 |
$attacker_uid = 0; |
|
583 |
|
|
584 |
// Set up permissions for anonymous attacker user. |
|
585 |
user_role_change_permissions(DRUPAL_ANONYMOUS_RID, array( |
|
586 |
'access content' => TRUE, |
|
587 |
'create page content' => TRUE, |
|
588 |
'edit any page content' => TRUE, |
|
589 |
)); |
|
590 |
|
|
591 |
// In order to simulate being the anonymous attacker user, we need to log |
|
592 |
// out here since setUp() has logged in the admin. |
|
593 |
$this->drupalLogout(); |
|
594 |
|
|
595 |
// Perform tests using the newly set up users. |
|
596 |
$this->doTestTemporaryFileRemovalExploit($victim_uid, $attacker_uid); |
|
597 |
} |
|
598 |
|
|
599 |
/** |
|
600 |
* Helper for testing exploiting the temporary file removal using fid. |
|
601 |
* |
|
602 |
* @param int $victim_uid |
|
603 |
* The victim user ID. |
|
604 |
* @param int $attacker_uid |
|
605 |
* The attacker user ID. |
|
606 |
*/ |
|
607 |
protected function doTestTemporaryFileRemovalExploit($victim_uid, $attacker_uid) { |
|
608 |
// Use 'page' instead of 'article', so that the 'article' image field does |
|
609 |
// not conflict with this test. If in the future the 'page' type gets its |
|
610 |
// own default file or image field, this test can be made more robust by |
|
611 |
// using a custom node type. |
|
612 |
$type_name = 'page'; |
|
613 |
$field_name = 'test_file_field'; |
|
614 |
$this->createFileField($field_name, $type_name); |
|
615 |
|
|
616 |
$test_file = $this->getTestFile('text'); |
|
617 |
foreach (array('nojs', 'js') as $type) { |
|
618 |
// Create a temporary file owned by the anonymous victim user. This will be |
|
619 |
// as if they had uploaded the file, but not saved the node they were |
|
620 |
// editing or creating. |
|
621 |
$victim_tmp_file = $this->createTemporaryFile('some text', $victim_uid); |
|
622 |
$victim_tmp_file = file_load($victim_tmp_file->fid); |
|
623 |
$this->assertTrue($victim_tmp_file->status != FILE_STATUS_PERMANENT, 'New file saved to disk is temporary.'); |
|
624 |
$this->assertFalse(empty($victim_tmp_file->fid), 'New file has a fid'); |
|
625 |
$this->assertEqual($victim_uid, $victim_tmp_file->uid, 'New file belongs to the victim user'); |
|
626 |
|
|
627 |
// Have attacker create a new node with a different uploaded file and |
|
628 |
// ensure it got uploaded successfully. |
|
629 |
// @todo Can we test AJAX? See https://www.drupal.org/node/2538260 |
|
630 |
$edit = array( |
|
631 |
'title' => $type . '-title', |
|
632 |
); |
|
633 |
|
|
634 |
// Attach a file to a node. |
|
635 |
$langcode = LANGUAGE_NONE; |
|
636 |
$edit['files[' . $field_name . '_' . $langcode . '_0]'] = drupal_realpath($test_file->uri); |
|
637 |
$this->drupalPost("node/add/$type_name", $edit, 'Save'); |
|
638 |
$node = $this->drupalGetNodeByTitle($edit['title']); |
|
639 |
$node_file = file_load($node->{$field_name}[$langcode][0]['fid']); |
|
640 |
$this->assertFileExists($node_file, 'New file saved to disk on node creation.'); |
|
641 |
$this->assertEqual($attacker_uid, $node_file->uid, 'New file belongs to the attacker.'); |
|
642 |
|
|
643 |
// Ensure the file can be downloaded. |
|
644 |
$this->drupalGet(file_create_url($node_file->uri)); |
|
645 |
$this->assertResponse(200, 'Confirmed that the generated URL is correct by downloading the shipped file.'); |
|
646 |
|
|
647 |
// "Click" the remove button (emulating either a nojs or js submission). |
|
648 |
// In this POST request, the attacker "guesses" the fid of the victim's |
|
649 |
// temporary file and uses that to remove this file. |
|
650 |
$this->drupalGet('node/' . $node->nid . '/edit'); |
|
651 |
switch ($type) { |
|
652 |
case 'nojs': |
|
653 |
$this->drupalPost(NULL, array("{$field_name}[$langcode][0][fid]" => (string) $victim_tmp_file->fid), 'Remove'); |
|
654 |
break; |
|
655 |
case 'js': |
|
656 |
$button = $this->xpath('//input[@type="submit" and @value="Remove"]'); |
|
657 |
$this->drupalPostAJAX(NULL, array("{$field_name}[$langcode][0][fid]" => (string) $victim_tmp_file->fid), array((string) $button[0]['name'] => (string) $button[0]['value'])); |
|
658 |
break; |
|
659 |
} |
|
660 |
|
|
661 |
// The victim's temporary file should not be removed by the attacker's |
|
662 |
// POST request. |
|
663 |
$this->assertFileExists($victim_tmp_file); |
|
664 |
} |
|
665 |
} |
|
666 |
|
|
529 | 667 |
/** |
530 | 668 |
* Tests upload and remove buttons for multiple multi-valued File fields. |
531 | 669 |
*/ |
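Review bot: doTestTemporaryFileRemovalExploit() dereferences `$victim_tmp_file->fid` immediately after `$this->createTemporaryFile('some text', $victim_uid);`, yet createTemporaryFile() is documented to return FALSE on error, so a broken fixture would show up as a PHP notice on a non-object rather than as an assertion failure. Add `$this->assertTrue($victim_tmp_file, 'Temporary victim file was created.');` before the file_load() reload. The two entry points are declared inconsistently — `function testTemporaryFileRemovalExploit()` versus `public function testTemporaryFileRemovalExploitAnonymous()` — and should use the same form. The closing `$this->assertFileExists($victim_tmp_file);` appears to check the file on disk only; if the {file_managed} row surviving is part of the contract, reload it with file_load() and assert the result is non-empty.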
drupal7/modules/file/tests/file_module_test.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
hidden = TRUE |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/filter/filter.info | ||
---|---|---|
7 | 7 |
required = TRUE |
8 | 8 |
configure = admin/config/content/formats |
9 | 9 |
|
10 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
11 |
version = "7.42"
|
|
10 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
11 |
version = "7.43"
|
|
12 | 12 |
project = "drupal" |
13 |
datestamp = "1454517955"
|
|
13 |
datestamp = "1456343506"
|
|
14 | 14 |
|
drupal7/modules/forum/forum.info | ||
---|---|---|
9 | 9 |
configure = admin/structure/forum |
10 | 10 |
stylesheets[all][] = forum.css |
11 | 11 |
|
12 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
13 |
version = "7.42"
|
|
12 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
13 |
version = "7.43"
|
|
14 | 14 |
project = "drupal" |
15 |
datestamp = "1454517955"
|
|
15 |
datestamp = "1456343506"
|
|
16 | 16 |
|
drupal7/modules/help/help.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
files[] = help.test |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/image/image.info | ||
---|---|---|
7 | 7 |
files[] = image.test |
8 | 8 |
configure = admin/config/media/image-styles |
9 | 9 |
|
10 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
11 |
version = "7.42"
|
|
10 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
11 |
version = "7.43"
|
|
12 | 12 |
project = "drupal" |
13 |
datestamp = "1454517955"
|
|
13 |
datestamp = "1456343506"
|
|
14 | 14 |
|
drupal7/modules/image/tests/image_module_test.info | ||
---|---|---|
6 | 6 |
files[] = image_module_test.module |
7 | 7 |
hidden = TRUE |
8 | 8 |
|
9 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
10 |
version = "7.42"
|
|
9 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
10 |
version = "7.43"
|
|
11 | 11 |
project = "drupal" |
12 |
datestamp = "1454517955"
|
|
12 |
datestamp = "1456343506"
|
|
13 | 13 |
|
drupal7/modules/locale/locale.info | ||
---|---|---|
6 | 6 |
files[] = locale.test |
7 | 7 |
configure = admin/config/regional/language |
8 | 8 |
|
9 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
10 |
version = "7.42"
|
|
9 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
10 |
version = "7.43"
|
|
11 | 11 |
project = "drupal" |
12 |
datestamp = "1454517955"
|
|
12 |
datestamp = "1456343506"
|
|
13 | 13 |
|
drupal7/modules/locale/tests/locale_test.info | ||
---|---|---|
5 | 5 |
version = VERSION |
6 | 6 |
hidden = TRUE |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/menu/menu.info | ||
---|---|---|
6 | 6 |
files[] = menu.test |
7 | 7 |
configure = admin/structure/menu |
8 | 8 |
|
9 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
10 |
version = "7.42"
|
|
9 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
10 |
version = "7.43"
|
|
11 | 11 |
project = "drupal" |
12 |
datestamp = "1454517955"
|
|
12 |
datestamp = "1456343506"
|
|
13 | 13 |
|
drupal7/modules/node/node.info | ||
---|---|---|
9 | 9 |
configure = admin/structure/types |
10 | 10 |
stylesheets[all][] = node.css |
11 | 11 |
|
12 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
13 |
version = "7.42"
|
|
12 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
13 |
version = "7.43"
|
|
14 | 14 |
project = "drupal" |
15 |
datestamp = "1454517955"
|
|
15 |
datestamp = "1456343506"
|
|
16 | 16 |
|
drupal7/modules/node/tests/node_access_test.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
hidden = TRUE |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/node/tests/node_test.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
hidden = TRUE |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/node/tests/node_test_exception.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
hidden = TRUE |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/openid/openid.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
files[] = openid.test |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/openid/tests/openid_test.info | ||
---|---|---|
6 | 6 |
dependencies[] = openid |
7 | 7 |
hidden = TRUE |
8 | 8 |
|
9 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
10 |
version = "7.42"
|
|
9 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
10 |
version = "7.43"
|
|
11 | 11 |
project = "drupal" |
12 |
datestamp = "1454517955"
|
|
12 |
datestamp = "1456343506"
|
|
13 | 13 |
|
drupal7/modules/overlay/overlay.info | ||
---|---|---|
4 | 4 |
version = VERSION |
5 | 5 |
core = 7.x |
6 | 6 |
|
7 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
8 |
version = "7.42"
|
|
7 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
8 |
version = "7.43"
|
|
9 | 9 |
project = "drupal" |
10 |
datestamp = "1454517955"
|
|
10 |
datestamp = "1456343506"
|
|
11 | 11 |
|
drupal7/modules/path/path.info | ||
---|---|---|
6 | 6 |
files[] = path.test |
7 | 7 |
configure = admin/config/search/path |
8 | 8 |
|
9 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
10 |
version = "7.42"
|
|
9 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
10 |
version = "7.43"
|
|
11 | 11 |
project = "drupal" |
12 |
datestamp = "1454517955"
|
|
12 |
datestamp = "1456343506"
|
|
13 | 13 |
|
drupal7/modules/php/php.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
files[] = php.test |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/poll/poll.info | ||
---|---|---|
6 | 6 |
files[] = poll.test |
7 | 7 |
stylesheets[all][] = poll.css |
8 | 8 |
|
9 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
10 |
version = "7.42"
|
|
9 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
10 |
version = "7.43"
|
|
11 | 11 |
project = "drupal" |
12 |
datestamp = "1454517955"
|
|
12 |
datestamp = "1456343506"
|
|
13 | 13 |
|
drupal7/modules/profile/profile.info | ||
---|---|---|
11 | 11 |
; See user_system_info_alter(). |
12 | 12 |
hidden = TRUE |
13 | 13 |
|
14 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
15 |
version = "7.42"
|
|
14 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
15 |
version = "7.43"
|
|
16 | 16 |
project = "drupal" |
17 |
datestamp = "1454517955"
|
|
17 |
datestamp = "1456343506"
|
|
18 | 18 |
|
drupal7/modules/rdf/rdf.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
files[] = rdf.test |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/rdf/tests/rdf_test.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
hidden = TRUE |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/search/search.info | ||
---|---|---|
8 | 8 |
configure = admin/config/search/settings |
9 | 9 |
stylesheets[all][] = search.css |
10 | 10 |
|
11 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
12 |
version = "7.42"
|
|
11 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
12 |
version = "7.43"
|
|
13 | 13 |
project = "drupal" |
14 |
datestamp = "1454517955"
|
|
14 |
datestamp = "1456343506"
|
|
15 | 15 |
|
drupal7/modules/search/tests/search_embedded_form.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
hidden = TRUE |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/search/tests/search_extra_type.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
hidden = TRUE |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/search/tests/search_node_tags.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
hidden = TRUE |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/shortcut/shortcut.info | ||
---|---|---|
6 | 6 |
files[] = shortcut.test |
7 | 7 |
configure = admin/config/user-interface/shortcut |
8 | 8 |
|
9 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
10 |
version = "7.42"
|
|
9 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
10 |
version = "7.43"
|
|
11 | 11 |
project = "drupal" |
12 |
datestamp = "1454517955"
|
|
12 |
datestamp = "1456343506"
|
|
13 | 13 |
|
drupal7/modules/simpletest/simpletest.info | ||
---|---|---|
57 | 57 |
files[] = tests/upgrade/update.field.test |
58 | 58 |
files[] = tests/upgrade/update.user.test |
59 | 59 |
|
60 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
61 |
version = "7.42"
|
|
60 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
61 |
version = "7.43"
|
|
62 | 62 |
project = "drupal" |
63 |
datestamp = "1454517955"
|
|
63 |
datestamp = "1456343506"
|
|
64 | 64 |
|
drupal7/modules/simpletest/tests/actions_loop_test.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
hidden = TRUE |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/simpletest/tests/ajax_forms_test.info | ||
---|---|---|
5 | 5 |
version = VERSION |
6 | 6 |
hidden = TRUE |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/simpletest/tests/ajax_test.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
hidden = TRUE |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/simpletest/tests/batch_test.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
hidden = TRUE |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/simpletest/tests/boot_test_1.info | ||
---|---|---|
5 | 5 |
version = VERSION |
6 | 6 |
hidden = TRUE |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/simpletest/tests/boot_test_2.info | ||
---|---|---|
5 | 5 |
version = VERSION |
6 | 6 |
hidden = TRUE |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/simpletest/tests/common.test | ||
---|---|---|
372 | 372 |
} |
373 | 373 |
} |
374 | 374 |
|
375 |
/** |
|
376 |
* Tests url_is_external(). |
|
377 |
*/ |
|
378 |
class UrlIsExternalUnitTest extends DrupalUnitTestCase { |
|
379 |
|
|
380 |
public static function getInfo() { |
|
381 |
return array( |
|
382 |
'name' => 'External URL checking', |
|
383 |
'description' => 'Performs tests on url_is_external().', |
|
384 |
'group' => 'System', |
|
385 |
); |
|
386 |
} |
|
387 |
|
|
388 |
/** |
|
389 |
* Tests if each URL is external or not. |
|
390 |
*/ |
|
391 |
function testUrlIsExternal() { |
|
392 |
foreach ($this->examples() as $path => $expected) { |
|
393 |
$this->assertIdentical(url_is_external($path), $expected, $path); |
|
394 |
} |
|
395 |
} |
|
396 |
|
|
397 |
/** |
|
398 |
* Provides data for testUrlIsExternal(). |
|
399 |
* |
|
400 |
* @return array |
|
401 |
* An array of test data, keyed by a path, with the expected value where |
|
402 |
* TRUE is external, and FALSE is not external. |
|
403 |
*/ |
|
404 |
protected function examples() { |
|
405 |
return array( |
|
406 |
// Simple external URLs. |
|
407 |
'http://example.com' => TRUE, |
|
408 |
'https://example.com' => TRUE, |
|
409 |
'http://drupal.org/foo/bar?foo=bar&bar=baz&baz#foo' => TRUE, |
|
410 |
'//drupal.org' => TRUE, |
|
411 |
// Some browsers ignore or strip leading control characters. |
|
412 |
"\x00//www.example.com" => TRUE, |
|
413 |
"\x08//www.example.com" => TRUE, |
|
414 |
"\x1F//www.example.com" => TRUE, |
|
415 |
"\n//www.example.com" => TRUE, |
|
416 |
// JSON supports decoding directly from UTF-8 code points. |
|
417 |
json_decode('"\u00AD"') . "//www.example.com" => TRUE, |
|
418 |
json_decode('"\u200E"') . "//www.example.com" => TRUE, |
|
419 |
json_decode('"\uE0020"') . "//www.example.com" => TRUE, |
|
420 |
json_decode('"\uE000"') . "//www.example.com" => TRUE, |
|
421 |
// Backslashes should be normalized to forward. |
|
422 |
'\\\\example.com' => TRUE, |
|
423 |
// Local URLs. |
|
424 |
'node' => FALSE, |
|
425 |
'/system/ajax' => FALSE, |
|
426 |
'?q=foo:bar' => FALSE, |
|
427 |
'node/edit:me' => FALSE, |
|
428 |
'/drupal.org' => FALSE, |
|
429 |
'<front>' => FALSE, |
|
430 |
); |
|
431 |
} |
|
432 |
} |
|
433 |
|
|
375 | 434 |
/** |
376 | 435 |
* Tests for check_plain(), filter_xss(), format_string(), and check_url(). |
377 | 436 |
*/ |
... | ... | |
1256 | 1315 |
$this->assertText('drupal_goto', 'Drupal goto redirect succeeded.'); |
1257 | 1316 |
$this->assertEqual($this->getUrl(), url('common-test/drupal_goto', array('query' => array('foo' => '123'), 'absolute' => TRUE)), 'Drupal goto redirected to expected URL.'); |
1258 | 1317 |
|
1318 |
// Test that calling drupal_goto() on the current path is not dangerous. |
|
1319 |
variable_set('common_test_redirect_current_path', TRUE); |
|
1320 |
$this->drupalGet('', array('query' => array('q' => 'http://www.example.com/'))); |
|
1321 |
$headers = $this->drupalGetHeaders(TRUE); |
|
1322 |
list(, $status) = explode(' ', $headers[0][':status'], 3); |
|
1323 |
$this->assertEqual($status, 302, 'Expected response code was sent.'); |
|
1324 |
$this->assertNotEqual($this->getUrl(), 'http://www.example.com/', 'Drupal goto did not redirect to external URL.'); |
|
1325 |
$this->assertTrue(strpos($this->getUrl(), url('<front>', array('absolute' => TRUE))) === 0, 'Drupal redirected to itself.'); |
|
1326 |
variable_del('common_test_redirect_current_path'); |
|
1259 | 1327 |
// Test that drupal_goto() respects ?destination=xxx. Use an complicated URL |
1260 | 1328 |
// to test that the path is encoded and decoded properly. |
1261 | 1329 |
$destination = 'common-test/drupal_goto/destination?foo=%2525&bar=123'; |
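Review bot: The example `json_decode('"\uE0020"') . "//www.example.com"` in UrlIsExternalUnitTest::examples() does not produce the code point its spelling suggests: a JSON `\u` escape takes exactly four hex digits, so the string decodes to U+E002 followed by the literal character `0`, and the case exercises a Private Use Area character plus an ASCII digit rather than a supplementary-plane one. If U+E0020 (TAG SPACE) is the intended leading character it has to be written as a surrogate pair, `json_decode('"\uDB40\uDC20"') . "//www.example.com" => TRUE,`; otherwise a short comment should state which code point the case is meant to cover. The case presumably passes as written, which is why the mismatch would go unnoticed. In the second hunk of this file, the drupal_goto() current-path assertions sit inside a test method whose start and end lie outside the hunk.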
drupal7/modules/simpletest/tests/common_test.info | ||
---|---|---|
7 | 7 |
stylesheets[print][] = common_test.print.css |
8 | 8 |
hidden = TRUE |
9 | 9 |
|
10 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
11 |
version = "7.42"
|
|
10 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
11 |
version = "7.43"
|
|
12 | 12 |
project = "drupal" |
13 |
datestamp = "1454517955"
|
|
13 |
datestamp = "1456343506"
|
|
14 | 14 |
|
drupal7/modules/simpletest/tests/common_test.module | ||
---|---|---|
92 | 92 |
} |
93 | 93 |
} |
94 | 94 |
|
95 |
/** |
|
96 |
* Implements hook_init(). |
|
97 |
*/ |
|
98 |
function common_test_init() { |
|
99 |
if (variable_get('common_test_redirect_current_path', FALSE)) { |
|
100 |
drupal_goto(current_path()); |
|
101 |
} |
|
102 |
} |
|
103 |
|
|
95 | 104 |
/** |
96 | 105 |
* Print destination query parameter. |
97 | 106 |
*/ |
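Review bot: The docblock on the new common_test_init() only says `Implements hook_init().` and leaves the non-obvious behaviour undocumented: while the `common_test_redirect_current_path` variable is set, every request is redirected to its own current path, including the request that the redirect itself produces, so the hook relies on the test client stopping after a bounded number of redirects (not visible here; worth confirming). I would extend the docblock with `* Redirects every request to its own current path while the`, `* 'common_test_redirect_current_path' variable is set, so tests can verify`, `* that drupal_goto(current_path()) never yields an external Location header.` so the next maintainer does not mistake the self-redirect for a bug or enable the variable outside a test.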
drupal7/modules/simpletest/tests/common_test_cron_helper.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
hidden = TRUE |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/simpletest/tests/database_test.info | ||
---|---|---|
5 | 5 |
version = VERSION |
6 | 6 |
hidden = TRUE |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/simpletest/tests/drupal_autoload_test/drupal_autoload_test.info | ||
---|---|---|
7 | 7 |
core = 7.x |
8 | 8 |
hidden = TRUE |
9 | 9 |
|
10 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
11 |
version = "7.42"
|
|
10 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
11 |
version = "7.43"
|
|
12 | 12 |
project = "drupal" |
13 |
datestamp = "1454517955"
|
|
13 |
datestamp = "1456343506"
|
|
14 | 14 |
|
drupal7/modules/simpletest/tests/drupal_system_listing_compatible_test/drupal_system_listing_compatible_test.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
hidden = TRUE |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/simpletest/tests/drupal_system_listing_incompatible_test/drupal_system_listing_incompatible_test.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
hidden = TRUE |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/simpletest/tests/entity_cache_test.info | ||
---|---|---|
6 | 6 |
dependencies[] = entity_cache_test_dependency |
7 | 7 |
hidden = TRUE |
8 | 8 |
|
9 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
10 |
version = "7.42"
|
|
9 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
10 |
version = "7.43"
|
|
11 | 11 |
project = "drupal" |
12 |
datestamp = "1454517955"
|
|
12 |
datestamp = "1456343506"
|
|
13 | 13 |
|
drupal7/modules/simpletest/tests/entity_cache_test_dependency.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
hidden = TRUE |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/simpletest/tests/entity_crud_hook_test.info | ||
---|---|---|
5 | 5 |
version = VERSION |
6 | 6 |
hidden = TRUE |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955"
|
|
11 |
datestamp = "1456343506"
|
|
12 | 12 |
|
drupal7/modules/simpletest/tests/entity_query_access_test.info | ||
---|---|---|
5 | 5 |
core = 7.x |
6 | 6 |
hidden = TRUE |
7 | 7 |
|
8 |
; Information added by Drupal.org packaging script on 2016-02-03
|
|
9 |
version = "7.42"
|
|
8 |
; Information added by Drupal.org packaging script on 2016-02-24
|
|
9 |
version = "7.43"
|
|
10 | 10 |
project = "drupal" |
11 |
datestamp = "1454517955" |
Update to 7.43