500-7002-AS

CHANGELOG.txt

@@ -1,5 +1,11 @@
 // $Id$
 
+Drupal 5.1, 2007-01-29
+----------------------
+- fixed security issue (code execution), see SA-2007-005
+- fixed a variety of small bugs.
+
+
 Drupal 5.0, 2007-01-15
 ------------------------
 - completely retooled the administration page

includes/form.inc

@@ -959,7 +959,7 @@ function form_select_options($element, $choices = NULL) {
       else {
         $selected = '';
       }
-      $options .= '<option value="'. $key .'"'. $selected .'>'. check_plain($choice) .'</option>';
+      $options .= '<option value="'. check_plain($key) .'"'. $selected .'>'. check_plain($choice) .'</option>';
     }
   }
   return $options;
@@ -1055,7 +1055,7 @@ function theme_radio($element) {
   $output = '<input type="radio" ';
   $output .= 'name="' . $element['#name'] .'" ';
   $output .= 'value="'. $element['#return_value'] .'" ';
-  $output .= ($element['#value'] == $element['#return_value']) ? ' checked="checked" ' : ' ';
+  $output .= (check_plain($element['#value']) == $element['#return_value']) ? ' checked="checked" ' : ' ';
   $output .= drupal_attributes($element['#attributes']) .' />';
   if (!is_null($element['#title'])) {
     $output = '<label class="option">'. $output .' '. $element['#title'] .'</label>';
@@ -1258,7 +1258,7 @@ function expand_radios($element) {
   if (count($element['#options']) > 0) {
     foreach ($element['#options'] as $key => $choice) {
       if (!isset($element[$key])) {
-        $element[$key] = array('#type' => 'radio', '#title' => $choice, '#return_value' => $key, '#default_value' => $element['#default_value'], '#attributes' => $element['#attributes'], '#parents' => $element['#parents'], '#spawned' => TRUE);
+        $element[$key] = array('#type' => 'radio', '#title' => $choice, '#return_value' => check_plain($key), '#default_value' => $element['#default_value'], '#attributes' => $element['#attributes'], '#parents' => $element['#parents'], '#spawned' => TRUE);
       }
     }
   }
@@ -1537,10 +1537,10 @@ function theme_form_element($element, $value) {
   if (!empty($element['#title'])) {
     $title = $element['#title'];
     if (!empty($element['#id'])) {
-      $output .= ' <label for="'. $element['#id'] .'">'. t('!title: !required', array('!title' => $title, '!required' => $required)) ."</label>\n";
+      $output .= ' <label for="'. $element['#id'] .'">'. t('!title: !required', array('!title' => filter_xss_admin($title), '!required' => $required)) ."</label>\n";
     }
     else {
-      $output .= ' <label>'. t('!title: !required', array('!title' => $title, '!required' => $required)) ."</label>\n";
+      $output .= ' <label>'. t('!title: !required', array('!title' => filter_xss_admin($title), '!required' => $required)) ."</label>\n";
     }
   }
 

modules/comment/comment.module

@@ -1582,24 +1582,26 @@ function comment_form_add_preview($form, $edit) {
 
   $output = '';
 
-  comment_validate($edit);
+  // Invoke full validation for the form, to protect against cross site
-  $comment = (object)_comment_form_submit($edit);
+  // request forgeries (CSRF) and setting arbitrary values for fields such as
-
+  // the input format. Preview the comment only when form validation does not
-  // Attach the user and time information.
+  // set any errors.
-  if ($edit['author']) {
+  drupal_validate_form($form['form_id']['#value'], $form);
-    $account = user_load(array('name' => $edit['author']));
-  }
-  elseif ($user->uid && !isset($edit['is_anonymous'])) {
-    $account = $user;
-  }
-  if ($account) {
-    $comment->uid = $account->uid;
-    $comment->name = check_plain($account->name);
-  }
-  $comment->timestamp = $edit['timestamp'] ? $edit['timestamp'] : time();
-
-  // Preview the comment with security check.
   if (!form_get_errors()) {
+    $comment = (object)_comment_form_submit($edit);
+
+    // Attach the user and time information.
+    if ($edit['author']) {
+      $account = user_load(array('name' => $edit['author']));
+    }
+    elseif ($user->uid && !isset($edit['is_anonymous'])) {
+      $account = $user;
+    }
+    if ($account) {
+      $comment->uid = $account->uid;
+      $comment->name = check_plain($account->name);
+    }
+    $comment->timestamp = $edit['timestamp'] ? $edit['timestamp'] : time();
     $output .= theme('comment_view', $comment);
   }
   $form['comment_preview'] = array(

modules/node/node.module

@@ -2069,6 +2069,10 @@ function node_form_add_preview($form) {
 
   $op = isset($form_values['op']) ? $form_values['op'] : '';
   if ($op == t('Preview')) {
+    // Invoke full validation for the form, to protect against cross site
+    // request forgeries (CSRF) and setting arbitrary values for fields such as
+    // the input format. Preview the node only when form validation does not
+    // set any errors.
     drupal_validate_form($form['form_id']['#value'], $form);
     if (!form_get_errors()) {
       // Because the node preview may display a form, we must render it

modules/system/system.module

@@ -6,7 +6,7 @@
  * Configuration system that lets administrators modify the workings of the site.
  */
 
-define('VERSION', '5.1-dev');
+define('VERSION', '5.1');
 
 /**
  * Implementation of hook_help().