7.x-1.6 Release

672ae628 · Chris Gross · bc1e4133 · 672ae628 · 672ae628 · 672ae628
Commit 672ae628 authored 7 years ago by Chris Gross
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt

+Drupal 7.58, 2018-03-28
+-----------------------
+- Fixed security issues (multiple vulnerabilities). See SA-CORE-2018-002.
+
 Drupal 7.57, 2018-02-21
 -----------------------
 - Fixed security issues (multiple vulnerabilities). See SA-CORE-2018-001.

--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
 /**
 * The current system version.
 */
-define('VERSION', '7.57');
+define('VERSION', '7.58');

 /**
 * Core API compatibility.
@@ -2657,6 +2657,10 @@ function _drupal_bootstrap_configuration() {
  timer_start('page');
  // Initialize the configuration, including variables from settings.php.
  drupal_settings_initialize();
+
+  // Sanitize unsafe keys from the request.
+  require_once DRUPAL_ROOT . '/includes/request-sanitizer.inc';
+  DrupalRequestSanitizer::sanitize();
 }

 /**

--- a/includes/request-sanitizer.inc
+++ b/includes/request-sanitizer.inc
+<?php
+
+/**
+ * @file
+ * Contains code for sanitizing user input from the request.
+ */
+
+/**
+ * Sanitizes user input from the request.
+ */
+class DrupalRequestSanitizer {
+
+  /**
+   * Tracks whether the request was already sanitized.
+   */
+  protected static $sanitized = FALSE;
+
+  /**
+   * Modifies the request to strip dangerous keys from user input.
+   */
+  public static function sanitize() {
+    if (!self::$sanitized) {
+      $whitelist = variable_get('sanitize_input_whitelist', array());
+      $log_sanitized_keys = variable_get('sanitize_input_logging', FALSE);
+
+      // Process query string parameters.
+      $get_sanitized_keys = array();
+      $_GET = self::stripDangerousValues($_GET, $whitelist, $get_sanitized_keys);
+      if ($log_sanitized_keys && $get_sanitized_keys) {
+        _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from query string parameters (GET): @keys', array('@keys' => implode(', ', $get_sanitized_keys))), E_USER_NOTICE);
+      }
+
+      // Process request body parameters.
+      $post_sanitized_keys = array();
+      $_POST = self::stripDangerousValues($_POST, $whitelist, $post_sanitized_keys);
+      if ($log_sanitized_keys && $post_sanitized_keys) {
+        _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from request body parameters (POST): @keys', array('@keys' => implode(', ', $post_sanitized_keys))), E_USER_NOTICE);
+      }
+
+      // Process cookie parameters.
+      $cookie_sanitized_keys = array();
+      $_COOKIE = self::stripDangerousValues($_COOKIE, $whitelist, $cookie_sanitized_keys);
+      if ($log_sanitized_keys && $cookie_sanitized_keys) {
+        _drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from cookie parameters (COOKIE): @keys', array('@keys' => implode(', ', $cookie_sanitized_keys))), E_USER_NOTICE);
+      }
+
+      $request_sanitized_keys = array();
+      $_REQUEST = self::stripDangerousValues($_REQUEST, $whitelist, $request_sanitized_keys);
+
+      self::$sanitized = TRUE;
+    }
+  }
+
+  /**
+   * Strips dangerous keys from the provided input.
+   *
+   * @param mixed $input
+   *   The input to sanitize.
+   * @param string[] $whitelist
+   *   An array of keys to whitelist as safe.
+   * @param string[] $sanitized_keys
+   *   An array of keys that have been removed.
+   *
+   * @return mixed
+   *   The sanitized input.
+   */
+  protected static function stripDangerousValues($input, array $whitelist, array &$sanitized_keys) {
+    if (is_array($input)) {
+      foreach ($input as $key => $value) {
+        if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) {
+          unset($input[$key]);
+          $sanitized_keys[] = $key;
+        }
+        else {
+          $input[$key] = self::stripDangerousValues($input[$key], $whitelist, $sanitized_keys);
+        }
+      }
+    }
+    return $input;
+  }
+
+}
--- a/profiles/wcm_base/CHANGELOG.txt
+++ b/profiles/wcm_base/CHANGELOG.txt
+WCM Base 7.x-1.6, 2018-03-28
+----------------------------
+- WCM Base: Updated Drupal to 7.58 per SA-CORE-2018-002.
+
 WCM Base 7.x-1.6-rc3, 2018-03-27
 --------------------------------
 - WCM Omega: Accordion bugfixes.

--- a/profiles/wcm_base/themes/wcm_omega/css/wcm-omega.styles.css
+++ b/profiles/wcm_base/themes/wcm_omega/css/wcm-omega.styles.css
--- a/profiles/wcm_base/themes/wcm_omega/sass/base/_accordions.scss
+++ b/profiles/wcm_base/themes/wcm_omega/sass/base/_accordions.scss
@@ -24,6 +24,12 @@

 //visual styles for accordions
 .accordion {
+  margin-bottom: 1em;
+
+  .accordion {
+    margin-bottom: 0;
+  }
+
  //wcm button style is already negated for accordions, see _buttons.scss
  button.accordion-header {
    border: 0;
@@ -62,6 +68,7 @@
    }
  }
  .accordion-item {
+    & > h2,
    & > h3,
    & > h4 {
      margin-bottom: 0;