security updates

have to check views and entityreference for custom patches
2015-04-19 20:45:16 +02:00
parent 802ec0c6f3
commit b3221c71e2
516 changed files with 14267 additions and 7349 deletions
--- a/sites/all/modules/contrib/mail/mimemail/includes/mimemail.admin.inc
+++ b/sites/all/modules/contrib/mail/mimemail/includes/mimemail.admin.inc
@@ -101,7 +101,7 @@ function mimemail_admin_settings() {
  $form['mimemail']['advanced']['mimemail_key'] = array(
    '#type' => 'textfield',
    '#title' => t('Message validation string'),
-    '#default_value' => variable_get('mimemail_key', md5(rand())),
+    '#default_value' => variable_get('mimemail_key', drupal_random_key()),
    '#required' => TRUE,
    '#description' => t('This string will be used to validate incoming messages. It can be anything, but must be used on both sides of the transfer.'),
  );
--- a/sites/all/modules/contrib/mail/mimemail/includes/mimemail.incoming.inc
+++ b/sites/all/modules/contrib/mail/mimemail/includes/mimemail.incoming.inc
@@ -15,15 +15,23 @@
 *   The POSTed message.
 */
 function mimemail_post() {
-  $message = $_POST['message'];
-  $token   = $_POST['token'];
-  $hash    = md5(variable_get('mimemail_key', '**') . $message);
-
-  if ($hash != $token) {
-    watchdog('access denied', 'Authentication error for POST e-mail', WATCHDOG_WARNING);
+  if (!isset($_POST['token']) || empty($_POST['token'])) {
    return drupal_access_denied();
  }
-  return mimemail_incoming($message);
+
+  if (isset($_POST['message']) && !empty($_POST['message'])) {
+    $key = variable_get('mimemail_key', drupal_random_key());
+    $hash = hash_hmac('sha1', $_POST['message'], $key);
+    if ($hash != $_POST['token']) {
+      watchdog('access denied', 'Authentication error for POST e-mail', WATCHDOG_WARNING);
+      return drupal_access_denied();
+    }
+    else {
+      return mimemail_incoming($_POST['message']);
+    }
+  }
+
+  return drupal_access_denied();
 }

 /**