Issue #2783079 by david_garcia, alexpott: DRUPAL-SA-CORE-2016-003 Completely broke IIS drupal deployments
parent
1c940d7240
commit
fe1eb450f2
|
@ -833,6 +833,39 @@ function system_requirements($phase) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Warning for httpoxy on IIS with affected PHP versions
|
||||||
|
// @see https://www.drupal.org/node/2783079
|
||||||
|
if (strpos($software, 'Microsoft-IIS') !== FALSE
|
||||||
|
&& (
|
||||||
|
version_compare(PHP_VERSION, '5.5.38', '<')
|
||||||
|
|| (version_compare(PHP_VERSION, '5.6.0', '>=') && version_compare(PHP_VERSION, '5.6.24', '<'))
|
||||||
|
|| (version_compare(PHP_VERSION, '7.0.0', '>=') && version_compare(PHP_VERSION, '7.0.9', '<'))
|
||||||
|
)) {
|
||||||
|
$dom = new \DOMDocument('1.0', 'UTF-8');
|
||||||
|
$webconfig = file_get_contents('web.config');
|
||||||
|
// If you are here the web.config file must - of course - be well formed.
|
||||||
|
// But the PHP DOM component will throw warnings on some XML compliant
|
||||||
|
// stuff, so silently parse the configuration file.
|
||||||
|
@$dom->loadHTML($webconfig);
|
||||||
|
$httpoxy_rewrite = FALSE;
|
||||||
|
foreach ($dom->getElementsByTagName('rule') as $rule) {
|
||||||
|
foreach ($rule->attributes as $attr) {
|
||||||
|
if (@$attr->name == 'name' && @$attr->nodeValue == 'Erase HTTP_PROXY') {
|
||||||
|
$httpoxy_rewrite = TRUE;
|
||||||
|
break 2;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (!$httpoxy_rewrite) {
|
||||||
|
$requirements['iis_httpoxy_protection'] = [
|
||||||
|
'title' => t('IIS httpoxy protection'),
|
||||||
|
'value' => t('Your PHP runtime version is affected by the httpoxy vulnerability.'),
|
||||||
|
'description' => t('Either update your PHP runtime version or uncomment the "Erase HTTP_PROXY" rule in your web.config file and add HTTP_PROXY to the allowed headers list. See more details in the <a href=":link">security advisory</a>.', [':link' => 'https://www.drupal.org/SA-CORE-2016-003']),
|
||||||
|
'severity' => REQUIREMENT_ERROR,
|
||||||
|
];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return $requirements;
|
return $requirements;
|
||||||
}
|
}
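Review bot: The test `if (@$attr->name == 'name' && @$attr->nodeValue == 'Erase HTTP_PROXY')` accepts any `<rule>` element with that name as proof of mitigation. The requirement therefore clears even if the rule is disabled, has been edited so it no longer blanks the variable, or HTTP_PROXY was never added to the allowed server variables in IIS, which web.config cannot show. `file_get_contents('web.config')` is resolved against the current working directory and its `FALSE` return is not checked, so an unreadable or relocated file is reported as a vulnerable configuration; a separate `if ($webconfig === FALSE)` branch with its own message would tell the two apart. The attribute loop can be reduced to `$rule->getAttribute('name') === 'Erase HTTP_PROXY'`, which removes both `@` suppressions and the loose comparison. The description string should also say that only the rule's presence is detected; system_requirements() begins outside this hunk.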
|
||||||
|
|
||||||
|
|
|
@ -33,7 +33,10 @@
|
||||||
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
|
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
|
||||||
</conditions>
|
</conditions>
|
||||||
</rule>
|
</rule>
|
||||||
|
<!-- If running on a PHP version affected by httpoxy vulnerability
|
||||||
|
uncomment the following rule to mitigate it's impact. To make this
|
||||||
|
rule work, you will also need to add HTTP_PROXY to the allowed server
|
||||||
|
variables manually in IIS. See https://www.drupal.org/node/2783079.
|
||||||
<rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
|
<rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
|
||||||
<match url="*.*" />
|
<match url="*.*" />
|
||||||
<serverVariables>
|
<serverVariables>
|
||||||
|
@ -41,7 +44,7 @@
|
||||||
</serverVariables>
|
</serverVariables>
|
||||||
<action type="None" />
|
<action type="None" />
|
||||||
</rule>
|
</rule>
|
||||||
|
-->
|
||||||
<!-- To redirect all users to access the site WITH the 'www.' prefix,
|
<!-- To redirect all users to access the site WITH the 'www.' prefix,
|
||||||
http://example.com/foo will be redirected to http://www.example.com/foo)
|
http://example.com/foo will be redirected to http://www.example.com/foo)
|
||||||
adapt and uncomment the following: -->
|
adapt and uncomment the following: -->
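Review bot: The new comment above `<rule name="Erase HTTP_PROXY" ...>` tells the administrator to uncomment the rule and to allow HTTP_PROXY as a server variable, but not in which order or what happens if the second step is skipped. The issue title suggests the active rule broke IIS sites, so the order should be spelled out, for example `First add HTTP_PROXY to the allowed server variables in IIS, then uncomment this rule; enabling the rule first can make requests fail.` Because the rule now ships commented out, sites on affected PHP versions rely on the status-report error alone to learn they are unprotected, and the comment should say so. "it's impact" should read "its impact". The rule's `<serverVariables>` body lies between the two hunks and is not visible here.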
|
||||||
|
|