From 44d6dbd86e3b3974a676a223dd97356ad905e4b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=A1bor=20Hojtsy?= Date: Wed, 17 Oct 2007 21:35:42 +0000 Subject: [PATCH] Drupal 4.7.8 --- CHANGELOG.txt | 6 ++++++ includes/common.inc | 6 ++---- modules/comment.module | 6 +++--- modules/system.module | 7 ++++--- modules/upload.module | 6 +++--- 5 files changed, 18 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 38d527ff7da..e7d28ab32c3 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -1,5 +1,11 @@ // $Id$ +Drupal 4.7.8, 2007-10-17 +---------------------- +- fixed a security issue (HTTP response splitting), see SA-2007-024 +- fixed a security issue (Cross site scripting via uploads), see SA-2007-026 +- fixed a security issue (API handling of unpublished comment), see SA-2007-030 + Drupal 4.7.7, 2007-07-26 ------------------------ - fixed security issue (XSS), see SA-2007-018 diff --git a/includes/common.inc b/includes/common.inc index f307ea8d7a1..92651aeee69 100644 --- a/includes/common.inc +++ b/includes/common.inc @@ -235,10 +235,6 @@ function drupal_get_destination() { * 'user login'-block in a sidebar. The function drupal_get_destination() * can be used to help set the destination URL. * - * It is advised to use drupal_goto() instead of PHP's header(), because - * drupal_goto() will append the user's session ID to the URI when PHP is - * compiled with "--enable-trans-sid". - * * This function ends the request; use it rather than a print theme('page') * statement in your menu callback. * @@ -260,6 +256,8 @@ function drupal_goto($path = '', $query = NULL, $fragment = NULL) { } $url = url($path, $query, $fragment, TRUE); + // Remove newlines from the URL to avoid header injection attacks. + $url = str_replace(array("\n", "\r"), '', $url); // Before the redirect, allow modules to react to the end of the page request. module_invoke_all('exit', $url); 
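Review bot: The new `str_replace()` in the second common.inc hunk silently rewrites a redirect URL that contains CR or LF instead of recording it, so an injection attempt that reaches drupal_goto() leaves no trace in the log and nothing for an administrator to detect. Comparing the stripped value against the original and logging via watchdog() before the redirect keeps the fix but makes the attempt visible; the strip must stay after the `url()` call, since that is where $path, $query and $fragment are combined. The header() call that consumes $url, and the rest of drupal_goto(), are outside the hunk. Newer PHP releases refuse header values containing newlines on their own, but since 4.7 still supports older interpreters the strip is still the right thing to keep.
```php
  $url = url($path, $query, $fragment, TRUE);
  // Strip CR/LF so the URL cannot inject additional headers, and log the
  // attempt so it is visible rather than silently discarded.
  $clean_url = str_replace(array("\n", "\r"), '', $url);
  if ($clean_url !== $url) {
    watchdog('security', t('Newline characters were removed from a redirect URL.'), WATCHDOG_WARNING);
    $url = $clean_url;
  }
  // … unchanged: module_invoke_all('exit', $url) and the header() redirect …
```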
diff --git a/modules/comment.module b/modules/comment.module index 9caea76a53d..2d7591a9246 100644 --- a/modules/comment.module +++ b/modules/comment.module @@ -568,7 +568,7 @@ function comment_save($edit) { } // Add the comment to database. - $status = user_access('post comments without approval') ? COMMENT_PUBLISHED : COMMENT_NOT_PUBLISHED; + $edit['status'] = user_access('post comments without approval') ? COMMENT_PUBLISHED : COMMENT_NOT_PUBLISHED; $roles = variable_get('comment_roles', array()); $score = 0; @@ -629,7 +629,7 @@ function comment_save($edit) { $edit['name'] = $user->name; } - db_query("INSERT INTO {comments} (cid, nid, pid, uid, subject, comment, format, hostname, timestamp, status, score, users, thread, name, mail, homepage) VALUES (%d, %d, %d, %d, '%s', '%s', %d, '%s', %d, %d, %d, '%s', '%s', '%s', '%s', '%s')", $edit['cid'], $edit['nid'], $edit['pid'], $edit['uid'], $edit['subject'], $edit['comment'], $edit['format'], $_SERVER['REMOTE_ADDR'], $edit['timestamp'], $status, $score, $users, $thread, $edit['name'], $edit['mail'], $edit['homepage']); + db_query("INSERT INTO {comments} (cid, nid, pid, uid, subject, comment, format, hostname, timestamp, status, score, users, thread, name, mail, homepage) VALUES (%d, %d, %d, %d, '%s', '%s', %d, '%s', %d, %d, %d, '%s', '%s', '%s', '%s', '%s')", $edit['cid'], $edit['nid'], $edit['pid'], $edit['uid'], $edit['subject'], $edit['comment'], $edit['format'], $_SERVER['REMOTE_ADDR'], $edit['timestamp'], $edit['status'], $score, $users, $thread, $edit['name'], $edit['mail'], $edit['homepage']); _comment_update_node_statistics($edit['nid']); 
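Review bot: The first comment.module hunk moves the moderation status from a local into `$edit['status']` without saying why, and that is the whole point of the change: the INSERT in the second hunk and the `COMMENT_NOT_PUBLISHED` check in the third hunk (@@ -645) now read it, and presumably every other consumer of the `$edit` array inside comment_save() sees the same value. A comment at the assignment would keep a later cleanup from turning it back into a local: `// Keep the moderation status on the comment array itself so the INSERT below and every consumer of $edit see the same value; a status supplied by the caller is never trusted.` The unconditional overwrite is correct for this path, since the access check always wins over anything the caller put in `$edit['status']`. comment_save()'s body runs outside these hunks.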
@@ -645,7 +645,7 @@ function comment_save($edit) { // Explain the approval queue if necessary, and then // redirect the user to the node he's commenting on. - if ($status == COMMENT_NOT_PUBLISHED) { + if ($edit['status'] == COMMENT_NOT_PUBLISHED) { drupal_set_message(t('Your comment has been queued for moderation by site administrators and will be published after approval.')); } return $edit['cid']; diff --git a/modules/system.module b/modules/system.module index a92f9f95a40..66a17c6251f 100644 --- a/modules/system.module +++ b/modules/system.module @@ -6,7 +6,7 @@ * Configuration system that lets administrators modify the workings of the site. */ -define('VERSION', '4.7.8 dev'); +define('VERSION', '4.7.8'); /** * Implementation of hook_help(). @@ -1235,8 +1235,9 @@ function system_theme_settings($key = '') { * offered to go back to the item that is being changed in case the user changes * his/her mind. * - * You should use $GLOBALS['values']['edit'][$name] (where $name is usually 'confirm') to - * check if the confirmation was successful. + * If the submit handler for this form is invoked, the user successfully + * confirmed the action. You should never directly inspect $_POST to see if an + * action was confirmed. * * @param $form_id * The unique form identifier. Used by the form API to construct the theme. diff --git a/modules/upload.module b/modules/upload.module index 7dc47b60458..2112444e497 100644 --- a/modules/upload.module +++ b/modules/upload.module 
@@ -157,7 +157,7 @@ function upload_settings() { foreach ($roles as $rid => $role) { $form["settings_role_$rid"] = array('#type' => 'fieldset', '#title' => t('Settings for %role', array('%role' => theme('placeholder', $role))), '#collapsible' => TRUE, '#collapsed' => TRUE); $form["settings_role_$rid"]["upload_extensions_$rid"] = array( - '#type' => 'textfield', '#title' => t('Permitted file extensions'), '#default_value' => variable_get("upload_extensions_$rid", 'jpg jpeg gif png txt html doc xls pdf ppt pps odt ods odp'), + '#type' => 'textfield', '#title' => t('Permitted file extensions'), '#default_value' => variable_get("upload_extensions_$rid", 'jpg jpeg gif png txt doc xls xls pdf ppt pps odt ods odp'), '#maxlength' => 255, '#description' => t('Extensions that users in this role can upload. Separate extensions with a space and do not include the leading dot.') ); $form["settings_role_$rid"]["upload_uploadsize_$rid"] = array( @@ -326,7 +326,7 @@ function _upload_validate(&$node) { $total_usersize = upload_space_used($user->uid) + $filesize; $error = array(); foreach ($user->roles as $rid => $name) { - $extensions = variable_get("upload_extensions_$rid", 'jpg jpeg gif png txt html doc xls pdf ppt pps odt ods odp'); + $extensions = variable_get("upload_extensions_$rid", 'jpg jpeg gif png txt doc xls xls pdf ppt pps odt ods odp'); $uploadsize = variable_get("upload_uploadsize_$rid", 1) * 1024 * 1024; $usersize = variable_get("upload_usersize_$rid", 10) * 1024 * 1024; 
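Review bot: In the new default extension list `html` was replaced by a second `xls` rather than removed — `'txt doc xls xls pdf'` — in both hunks here and in the @@ -538 hunk of upload_munge_filename(); the duplicate is harmless but looks like a slip, and the same literal is now maintained in three places. Centralising it would stop the copies drifting apart, e.g. a constructed helper `function _upload_default_extensions() { return 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp'; }` returned as the fallback of each `variable_get()`. Note also that only the fallback default changes: a site that has already saved `upload_extensions_$rid` or `upload_extensions_default` keeps the stored list, and nothing in this patch's diffstat migrates existing values, so administrators apparently need to re-check their per-role extension settings after upgrading. upload_settings() and _upload_validate() both continue outside their hunks.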
@@ -538,7 +538,7 @@ function upload_munge_filename($filename, $extensions = NULL, $alerts = 1) { if (!isset($extensions)) { $extensions = ''; foreach ($user->roles as $rid => $name) { - $extensions .= ' '. variable_get("upload_extensions_$rid", variable_get('upload_extensions_default', 'jpg jpeg gif png txt html doc xls pdf ppt pps odt ods odp')); + $extensions .= ' '. variable_get("upload_extensions_$rid", variable_get('upload_extensions_default', 'jpg jpeg gif png txt doc xls xls pdf ppt pps odt ods odp')); } }