Download & Extend
Issues

Apply Aggregator and OpenID fixes from DRUPAL-SA-CORE-2012-001

Posted by catch on February 2, 2012 at 2:08am
Project:Drupal core
Version:8.x-dev
Component:base system
Category:bug report
Priority:critical
Assigned:Unassigned
Status:closed (fixed)
Issue tags:Security Advisory follow-up

Issue Summary

http://drupal.org/node/1425084

http://drupalcode.org/project/drupal.git/commit/40093b2

Login or register to post comments

Comments

#1

Posted by webchick on February 2, 2012 at 2:40am

Thanks, you beat me to it. ;)

Here are the 7.x patches. They need porting to 8.x.

IMPORTANT: Please do NOT credit me on commit for these! Credit should go to:

c960657 - OpenID
David_Rothstein, Berdir, dww = File field access bypass
Dave Reid - Aggregator XSRF

AttachmentSizeStatusTest resultOperations
63469-17.file-field-access-bypass.patch6.52 KBIdleFAILED: [[SimpleTest]]: [MySQL] Unable to apply patch 63469-17.file-field-access-bypass.patch. This may be a -p0 (old style) patch, which is no longer supported by the testbots.View details
openid-signed-D7-1.patch11.03 KBIdleFAILED: [[SimpleTest]]: [MySQL] Unable to apply patch openid-signed-D7-1.patch. This may be a -p0 (old style) patch, which is no longer supported by the testbots.View details
SA-2699-aggregator-D7_0.patch3.84 KBIdleFAILED: [[SimpleTest]]: [MySQL] Unable to apply patch SA-2699-aggregator-D7_0.patch. This may be a -p0 (old style) patch, which is no longer supported by the testbots.View details

#2

Posted by webchick on February 2, 2012 at 2:40am
Status:active» patch (to be ported)

#3

Posted by swentel on February 2, 2012 at 10:20am
Status:patch (to be ported)» needs review

Here are the patches for D8 - I had 2 patches which didn't apply cleanly (file and openid), so I hope I merged them ok.

AttachmentSizeStatusTest resultOperations
1425330-aggregator.patch3.51 KBIdlePASSED: [[SimpleTest]]: [MySQL] 34,018 pass(es).View details
1425330-file.patch6.59 KBIdleFAILED: [[SimpleTest]]: [MySQL] 33,933 pass(es), 0 fail(s), and 5 exception(es).View details
1425330-openid.patch10.45 KBIdlePASSED: [[SimpleTest]]: [MySQL] 33,950 pass(es).View details

#4

Posted by swentel on February 2, 2012 at 11:22am

Here's another for the file patch - the file_download_access() apparently get the wrong data, however, isn't that wrong then also in D7 ?

AttachmentSizeStatusTest resultOperations
1425330-file.patch5.68 KBIdlePASSED: [[SimpleTest]]: [MySQL] 33,935 pass(es).View details

#5

Posted by scor on February 3, 2012 at 5:53pm

This issue should probably only cover aggregator and openid since they are straight forward fixes.

the file access issue needs more discussion over at #1245220: file_file_download() passed bogus $field to field_access().

#6

Posted by David_Rothstein on February 6, 2012 at 6:26pm
Title:Apply DRUPAL-SA-CORE-2012-001 fixes» Apply Aggregator and OpenID fixes from DRUPAL-SA-CORE-2012-001

#7

Posted by xjm on February 6, 2012 at 8:38pm

So, we currently just need to review the first and third patches in #3?

#8

Posted by Berdir on February 24, 2012 at 7:55am

Yes, the file stuff is dealt with in the other issue.

Aggregator patch looks good to me.

#9

Posted by sun on February 28, 2012 at 2:22pm
Status:needs review» reviewed & tested by the community

The aggregator and openid patches look good to me.

#10

Posted by webchick on February 28, 2012 at 6:17pm
Status:reviewed & tested by the community» fixed

Thanks a lot!

Committed and pushed to 8.x. I think this is ok, since I committed the 7.x patches already. :)

#11

Posted by David_Rothstein on February 28, 2012 at 6:21pm
Status:fixed» reviewed & tested by the community

Wrong patch was committed?

#12

Posted by webchick on February 28, 2012 at 6:27pm

WOAH. How did that happen?! I fail at Git. :)

#13

Posted by webchick on February 28, 2012 at 6:34pm
Status:reviewed & tested by the community» fixed

There, I think I made it more betterer now. :)

#14

Posted by David_Rothstein on February 28, 2012 at 6:42pm

Looks good :)

#15

Posted by System Message on March 13, 2012 at 6:50pm
Status:fixed» closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.