Comments

greggles’s picture

Priority: Normal » Critical
Issue tags: +Security Advisory follow-up

Well, probably some other metadata is important.

Status: Reviewed & tested by the community » Needs work
Issue tags: -Security Advisory follow-up

The last submitted patch, 57404_null_byte_file_munge_filename_17-D8.patch, failed testing.

tim.plunkett’s picture

Status: Needs work » Needs review
Issue tags: +Security Advisory follow-up

David_Rothstein’s picture

Also tagging as a release blocker for the next D7 release (just in case it turns out there's anything in the latest 7.x-dev code we need to do as followup for this, although I doubt it).

Status: Needs review » Needs work
Issue tags: -Security Advisory follow-up

The last submitted patch, 57404_null_byte_file_munge_filename_17-D8.patch, failed testing.

plach’s picture

Status: Needs work » Needs review
Issue tags: +Security Advisory follow-up

57404_null_byte_file_munge_filename_17-D8.patch queued for re-testing.

Tests pass here.

plach’s picture

Status: Needs review » Reviewed & tested by the community

This is a straight port of the D7 patch. Tests pass, angels sing. RTBC :)

webchick’s picture

Title: SA-CORE-2012-004 - Drupal core - Arbitrary code execution via file upload » Tests for SA-CORE-2012-004 - Drupal core - Arbitrary code execution via file upload
Component: upload.module » file system
Category: bug » task
Priority: Critical » Major
Status: Reviewed & tested by the community » Active
Issue tags: +Needs tests, +Needs backport to D7

Committed and pushed to 8.x, but we need test coverage for this.

David_Rothstein’s picture

Status: Active » Needs review
FileSize
931 bytes
1.55 KB

Maybe just something like this?

Status: Needs review » Needs work

The last submitted patch, file-munge-filename-1870612-9.patch, failed testing.

David_Rothstein’s picture

Status: Needs work » Needs review
FileSize
933 bytes
1.56 KB

Hm, I don't claim to have tested those myself actually, but I thought I at least ran them through php -l to check for syntax errors. Apparently not :)

These should be better.

plach’s picture

Status: Needs review » Reviewed & tested by the community

The test looks good to me, but what about appending it to another test method to save a new drupal installation and speed things up a bit?

plach’s picture

Status: Reviewed & tested by the community » Needs review

Didn't mean to change the status (yet :).

David_Rothstein’s picture

Well, that entire file basically uses the one-test-per-method pattern already, so I didn't want to break the pattern here.

plach’s picture

Status: Needs review » Reviewed & tested by the community

Sounds good.

webchick’s picture

Version: 8.x-dev » 7.x-dev
Status: Reviewed & tested by the community » Patch (to be ported)

Lovely. Thanks, David!

Committed and pushed to 8.x.

Those tests should be backported to 7.x too, methinks.

plach’s picture

Status: Patch (to be ported) » Needs review
FileSize
1.43 KB
825 bytes

Straight reroll.

Status: Needs review » Needs work

The last submitted patch, file-munge-filename-1870612-17-WITH-ROLLBACK.patch, failed testing.

plach’s picture

Status: Needs work » Reviewed & tested by the community

Cool

David_Rothstein’s picture

Status: Reviewed & tested by the community » Fixed

David_Rothstein’s picture

Title: Tests for SA-CORE-2012-004 - Drupal core - Arbitrary code execution via file upload » SA-CORE-2012-004 - Drupal core - Arbitrary code execution via file upload
Category: task » bug
Priority: Major » Critical

I'm also 100% convinced that there's nothing left to do on 7.x-dev for this issue, so removing tag.

Automatically closed -- issue fixed for 2 weeks with no activity.