Download & Extend
Plupload integration » Issues

[meta] Patch for remove plupload library examples folder for Drupal distribution

Posted by hswong3i on January 31, 2013 at 3:14am
Project:Plupload integration
Version:7.x-1.x-dev
Component:Miscellaneous
Category:support request
Priority:normal
Assigned:Unassigned
Status:needs review

Issue Summary

Refer to #1895328: Security exploit in plupload external library examples folder, we should remove examples folder in plupload library in order to avoid security risk as stated in PSA-2011-02.

In order to include plupload module into Drupal distribution, e.g. DruStack, we need a patch file for drush make so can remove examples folder by patching the library.

Login or register to post comments

Comments

#1

Posted by hswong3i on January 31, 2013 at 3:16am

Patch file for plupload_1_5_5.zip.

AttachmentSize
plupload-1_5_5-remove_examples-1903850-1.patch 39.14 KB

#2

Posted by slashrsm on January 31, 2013 at 3:42pm
Status:active» fixed

Thanks. Will link this issue from project's page.

#3

Posted by TravisCarden on February 8, 2013 at 6:19pm
Status:fixed» needs work

Pardon my presumption in setting this back to "needs work"—hopefully I'm the one in error—but I'm attempting to use this patch in a make file, and Drush reports that it's applying it, but the examples directory is still there afterward:

$ dr make my.make --no-core --no-patch-txt --libraries=plupload -y
Make new site in the current directory? (y/n): y
Drush make restricted to the following entries:                             [ok]
Libraries: plupload
plupload downloaded from http://plupload.com/downloads/plupload_1_5_5.zip.  [ok]
plupload patched with plupload-1_5_5-remove_examples-1903850-1.patch.       [ok]
$ ls sites/all/libraries/plupload/examples/
bg.jpg  custom.html  dump.php  jquery  upload.php  uploads

Even applying the patch manually (which works, so long as you use patch -p1 ...) leaves behind examples/bg.jpg and examples/uploads.

I'm I missing the obvious, or does the patch not actually work? Or is it a problem with Drush make? Or both?

#4

Posted by hswong3i on March 10, 2013 at 9:00am
Status:needs work» active

Refer to http://git.wikia.com/wiki/Patches, patch now created with:

git format-patch HEAD^ -M -C -s -D --keep-subject --stdout > ../plupload-1_5_6-remove_examples-1903850-4.patch

Therefore able to show the rename/delete action and so works for both GIT checkout and -dev.tar.gz package.

AttachmentSize
plupload-1_5_6-remove_examples-1903850-4.patch 2.2 KB

#5

Posted by hswong3i on March 10, 2013 at 9:23am

So poor that with -D it will not able to apply by patch not git apply:

-D, --irreversible-delete
Omit the preimage for deletes, i.e. print only the header but not the diff between the
preimage and /dev/null. The resulting patch is not meant to be applied with patch nor git
apply; this is solely for people who want to just concentrate on reviewing the text after
the change. In addition, the output obviously lack enough information to apply such a
patch in reverse, even manually, hence the name of the option.

When used together with -B, omit also the preimage in the deletion part of a delete/create
pair.

Well... so recreate patch with:

git format-patch HEAD^ -M -C -s --keep-subject --stdout > ../plupload-1_5_6-rm_examples-1903850-5.patch

Therefore sorry that please manually remove the example folder after patch applied ;-)

AttachmentSize
plupload-1_5_6-rm_examples-1903850-5.patch 38.9 KB

#6

Posted by q11q11 on March 13, 2013 at 10:07pm

Sorry for silly question, but how should line with that patch looks like in my.make file?

This doesn`t work
libraries[plupload][patch][] = http://drupal.org/files/plupload-1_5_6-rm_examples-1903850-5.patch

How else ?

#7

Posted by hswong3i on March 14, 2013 at 2:36am

Hopefully my DruStack version can be your reference:

Some code snippet:

libraries[plupload][directory_name] = "plupload"
libraries[plupload][download][type] = "file"
libraries[plupload][download][url] = "http://plupload.com/downloads/plupload_1_5_6.zip"
libraries[plupload][patch][] = "http://drupal.org/files/plupload-1_5_6-rm_examples-1903850-5.patch"
libraries[plupload][type] = "library"

#8

Posted by mrfelton on May 8, 2013 at 9:01am
Status:active» needs review

None of the above patches wok with an archive version of plupload from https://github.com/moxiecode/plupload/archive/1.5.6.zip. This works:

projects[plupload_lib][type] = library
projects[plupload_lib][download][type] = get
projects[plupload_lib][download][url] = http://plupload.com/downloads/plupload_1_5_6.zip
projects[plupload_lib][directory_name] = plupload
projects[plupload_lib][patch][] = http://drupal.org/files/plupload-1_5_6-rm_examples-1903850-5.patch
AttachmentSize
plupload-1_5_6-rm_examples-1903850-7.patch 77.93 KB

#9

Posted by bart.hanssens on May 15, 2013 at 10:09am

Patch for 1.5.7

AttachmentSize
plupload-1_5_7-rm_examples-1903850-9.patch 37.11 KB