updated core to 7.58 (right after the site was hacked)

2018-04-20 23:48:40 +02:00
parent 18f4aba146
commit 9344a61b61
711 changed files with 99690 additions and 480 deletions
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -2236,8 +2236,11 @@ function url($path = NULL, array $options = array()) {
    'prefix' => ''
  );

+  // Determine whether this is an external link, but ensure that the current
+  // path is always treated as internal by default (to prevent external link
+  // injection vulnerabilities).
  if (!isset($options['external'])) {
-    $options['external'] = url_is_external($path);
+    $options['external'] = $path === $_GET['q'] ? FALSE : url_is_external($path);
  }

  // Preserve the original path before altering or aliasing.