From 4c665d911d4cf2eb4b5f92a6d141b85afbf51f90 Mon Sep 17 00:00:00 2001
From: xjm
Date: Tue, 19 Jan 2021 17:25:37 -0600
Subject: [PATCH 1/2] SA-CORE-2021-001 by larowlan, stephenacrossri, siliconmeadow, mcdruid, xjm, vijaycs85, mlhess, greggles

---
 modules/system/system.tar.inc | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/modules/system/system.tar.inc b/modules/system/system.tar.inc
index 92fa5290824..0af6275b401 100644
--- a/modules/system/system.tar.inc
+++ b/modules/system/system.tar.inc
@@ -2178,6 +2178,14 @@ class Archive_Tar
 }
 }
 } elseif ($v_header['typeflag'] == "2") {
+ if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
+ $this->_error(
+ 'Out-of-path file extraction {'
+ . $v_header['filename'] . ' --> ' .
+ $v_header['link'] . '}'
+ );
+ return false;
+ }
 if (!$p_symlinks) {
 $this->_warning('Symbolic links are not allowed. '
 . 'Unable to extract {'

From 8c555d9b7d3a202cee756104b48e580ae41a6379 Mon Sep 17 00:00:00 2001
From: xjm
Date: Tue, 19 Jan 2021 17:25:37 -0600
Subject: [PATCH 2/2] Drupal 7.78

---
 CHANGELOG.txt | 5 +++++
 includes/bootstrap.inc | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 2c3b93c64d4..f9b010c58cb 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,3 +1,8 @@
+Drupal 7.78, 2021-01-19
+-----------------------
+- Fixed security issues:
+ - SA-CORE-2021-001
+
 Drupal 7.77, 2020-12-03
 -----------------------
 - Hotfix for schema.prefixed tables
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 87c1fdca25c..2b6d7ff487d 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
 /**
 * The current system version.
 */
-define('VERSION', '7.77');
+define('VERSION', '7.78');
 /**
 * Core API compatibility.
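Review bot: The new guard in the `typeflag == "2"` branch of system.tar.inc compares `realpath(dirname($v_header['link']))` with `realpath($p_path)` as a bare string prefix, so a link whose resolved parent directory merely starts with the extraction path's text (a sibling directory with a longer name) satisfies `strpos(...) === 0`; the comparison should require either equality or the prefix followed by `DIRECTORY_SEPARATOR`. `realpath()` also returns `false` for a path that does not exist, which turns the haystack into an empty string, and when `$p_path` itself fails to resolve the needle becomes empty, a case where `strpos` returns `0` on PHP 8 and `false` on PHP 7, so both results should be tested explicitly before any prefix check. Note too that `dirname($v_header['link'])` is resolved against the process working directory rather than the directory the symlink is written into, so a relative link target is presumably judged against the wrong base — worth confirming against how `link` is consumed further down. The rewritten condition below resolves both paths once, rejects unresolvable ones, and keeps the existing `_error()` message; the enclosing extraction method starts and ends outside the hunk.
```php
} elseif ($v_header['typeflag'] == "2") {
    $real_root = realpath($p_path);
    $real_link_dir = realpath(dirname($v_header['link']));
    if ($real_root === false
        || $real_link_dir === false
        || ($real_link_dir !== $real_root
            && strpos($real_link_dir, $real_root . DIRECTORY_SEPARATOR) !== 0)) {
        // … unchanged: _error('Out-of-path file extraction …') and return false …
    }
    // … unchanged: $p_symlinks handling …
```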