From 316bd96ebff36284f5f3e33268760ff9c672b6f8 Mon Sep 17 00:00:00 2001
From: webchick
Date: Wed, 25 May 2011 13:07:13 -0700
Subject: [PATCH] Drupal 7.1

---
 CHANGELOG.txt               |  5 ++++-
 includes/bootstrap.inc      |  2 +-
 modules/color/color.install | 15 +++++++++++++++
 modules/color/color.module  | 13 +++++++++++++
 modules/file/file.module    |  2 +-
 5 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index e5685048550d..ea91e0de93d0 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,4 +1,7 @@
-// $Id$
+
+Drupal 7.1, 2011-05-25
+----------------------
+- Fixed security issues (Cross site scripting, File access bypass), see SA-CORE-2011-001.
 
 Drupal 7.0, 2011-01-05
 ----------------------
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index be9813cc123c..fb73528ff69d 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -9,7 +9,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.0');
+define('VERSION', '7.1');
 
 /**
  * Core API compatibility.
diff --git a/modules/color/color.install b/modules/color/color.install
index 0655e797ebed..ff1e835a4d5a 100644
--- a/modules/color/color.install
+++ b/modules/color/color.install
@@ -41,3 +41,18 @@ function color_requirements($phase) {
 
   return $requirements;
 }
+
+/**
+ * Warn site administrator if unsafe CSS color codes are found in the database.
+ */
+function color_update_7001() {
+  $theme_palettes = db_query("SELECT name FROM {variable} WHERE name LIKE 'color_%_palette'")->fetchCol();
+  foreach ($theme_palettes as $name) {
+    $palette = variable_get($name, array());
+    foreach ($palette as $key => $color) {
+      if (!preg_match('/^#([a-f0-9]{3}){1,2}$/iD', $color)) {
+        drupal_set_message('Some of the custom CSS color codes specified via the color module are invalid. Please examine the themes which are making use of the color module at the Appearance settings page to verify their CSS color values.', 'warning');
+      }
+    }
+  }
+}
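Review bot: color_update_7001() repeats the same warning for every invalid palette entry and never identifies the variable that holds it, so an administrator of a site with several colorized themes gets duplicate messages and no pointer to the offending theme. Passing `FALSE` as the third argument of drupal_set_message() shows the message once, and logging the variable with `watchdog('color', 'Invalid CSS color value found in %name.', array('%name' => $name), WATCHDOG_WARNING);` gives the administrator something concrete to act on. The hook leaves the invalid value stored, which the message implies but the code never states; a line such as `// Invalid values are reported, not rewritten; the admin must re-save the theme settings.` above the outer loop would make that explicit. The hex pattern is the same one added to color_scheme_form_validate() in color.module, so a shared helper would keep the two from drifting.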
diff --git a/modules/color/color.module b/modules/color/color.module
index d94cadc3374c..ab8fb9b79673 100644
--- a/modules/color/color.module
+++ b/modules/color/color.module
@@ -43,6 +43,7 @@ function color_form_system_theme_settings_alter(&$form, &$form_state) {
       '#theme' => 'color_scheme_form',
     );
     $form['color'] += color_scheme_form($form, $form_state, $theme);
+    $form['#validate'][] = 'color_scheme_form_validate';
     $form['#submit'][] = 'color_scheme_form_submit';
   }
 }
@@ -271,6 +272,18 @@ function theme_color_scheme_form($variables) {
   return $output;
 }
 
+/**
+ * Validation handler for color change form.
+ */
+function color_scheme_form_validate($form, &$form_state) {
+  // Only accept hexadecimal CSS color strings to avoid XSS upon use.
+  foreach ($form_state['values']['palette'] as $key => $color) {
+    if (!preg_match('/^#([a-f0-9]{3}){1,2}$/iD', $color)) {
+      form_set_error('palette][' . $key, t('%name must be a valid hexadecimal CSS color value.', array('%name' => $form['color']['palette'][$key]['#title'])));
+    }
+  }
+}
+
 /**
  * Submit handler for color change form.
  */
diff --git a/modules/file/file.module b/modules/file/file.module
index 13a8024b2033..3b6e185803e3 100644
--- a/modules/file/file.module
+++ b/modules/file/file.module
@@ -976,7 +976,7 @@ function file_get_file_references($file, $field = NULL, $age = FIELD_LOAD_REVISI
     }
   }
 
-  return isset($field) ? $references[$field['field_name']] : $references;
+  return isset($field) ? $references[$field['field_name']] : array_filter($references);
 }
 
 /**
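Review bot: color_scheme_form_validate() indexes `$form_state['values']['palette']` and `$form['color']['palette'][$key]['#title']` without checking that they exist, so if the handler ever runs on a submission whose palette elements were not built (it is registered in color_form_system_theme_settings_alter(), whose start lies outside the first hunk) it raises a notice instead of a clean validation error. A guard at the top, `if (!isset($form_state['values']['palette'])) { return; }`, keeps the handler inert in that case. The check only covers this form; the same pattern is duplicated in color_update_7001(), which merely warns, and palettes written by other code through variable_set() are never checked, so a comment stating that code consuming the palette must still escape or re-validate stored values would help the next reader. Extracting the pattern into a helper such as color_valid_hexadecimal_string($color) used by both files would avoid the two regexes drifting.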
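Review bot: The two branches of the changed return now differ in shape: the all-fields branch drops fields that have no references via array_filter(), while the single-field branch still returns `$references[$field['field_name']]` as built, and raises an undefined index notice if that field was never seeded in $references (how $references is populated is outside this hunk, as is the start of file_get_file_references()). If that seeding is not guaranteed, `isset($references[$field['field_name']]) ? $references[$field['field_name']] : array()` is the safe form for that branch. The function's @return documentation, also outside the hunk, should state that fields with no references are omitted from the returned array, since callers deciding file access on emptiness depend on exactly that.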