Drupal
/
drupal
mirror of https://git.drupalcode.org/project/drupal.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merged 7.78.

merge-requests/295/head
xjm 2021-01-19 17:25:38 -06:00
parent 3556012c84 8c555d9b7d
commit f86e64a7bf
2 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGELOG.txt
View File

@ -1,6 +1,11 @@
Drupal 7.xx, xxxx-xx-xx (development version)
-----------------------
Drupal 7.78, 2021-01-19
-----------------------
- Fixed security issues:
- SA-CORE-2021-001
Drupal 7.77, 2020-12-03
-----------------------
- Hotfix for schema.prefixed tables

8
modules/system/system.tar.inc
View File

@ -2178,6 +2178,14 @@ class Archive_Tar
}
}
} elseif ($v_header['typeflag'] == "2") {
if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
$this->_error(
'Out-of-path file extraction {'
. $v_header['filename'] . ' --> ' .
$v_header['link'] . '}'
);
return false;
}
if (!$p_symlinks) {
$this->_warning('Symbolic links are not allowed. '
. 'Unable to extract {'