core security update
This commit is contained in:
Bachir Soussi Chiadmi
@@ -2105,6 +2105,10 @@ function field_ui_next_destination($entity_type, $bundle) {
|
||||
$destinations = !empty($_REQUEST['destinations']) ? $_REQUEST['destinations'] : array();
|
||||
if (!empty($destinations)) {
|
||||
unset($_REQUEST['destinations']);
|
||||
}
|
||||
// Remove any external URLs.
|
||||
$destinations = array_diff($destinations, array_filter($destinations, 'url_is_external'));
|
||||
if ($destinations) {
|
||||
return field_ui_get_destinations($destinations);
|
||||
}
|
||||
$admin_path = _field_ui_bundle_admin_path($entity_type, $bundle);
|
||||
|
||||
@@ -6,8 +6,8 @@ core = 7.x
|
||||
dependencies[] = field
|
||||
files[] = field_ui.test
|
||||
|
||||
; Information added by Drupal.org packaging script on 2015-04-02
|
||||
version = "7.36"
|
||||
; Information added by Drupal.org packaging script on 2016-10-05
|
||||
version = "7.51"
|
||||
project = "drupal"
|
||||
datestamp = "1427943826"
|
||||
datestamp = "1475694174"
|
||||
|
||||
|
||||
@@ -106,9 +106,19 @@ function field_ui_menu() {
|
||||
$access = array_intersect_key($bundle_info['admin'], drupal_map_assoc(array('access callback', 'access arguments')));
|
||||
$access += array(
|
||||
'access callback' => 'user_access',
|
||||
'access arguments' => array('administer site configuration'),
|
||||
'access arguments' => array('administer fields'),
|
||||
);
|
||||
|
||||
// Add the "administer fields" permission on top of the access
|
||||
// restriction because the field UI should only be accessible to
|
||||
// trusted users.
|
||||
if ($access['access callback'] != 'user_access' || $access['access arguments'] != array('administer fields')) {
|
||||
$access = array(
|
||||
'access callback' => 'field_ui_admin_access',
|
||||
'access arguments' => array($access['access callback'], $access['access arguments']),
|
||||
);
|
||||
}
|
||||
|
||||
$items["$path/fields"] = array(
|
||||
'title' => 'Manage fields',
|
||||
'page callback' => 'drupal_get_form',
|
||||
@@ -392,3 +402,13 @@ function field_ui_form_node_type_form_submit($form, &$form_state) {
|
||||
$form_state['redirect'] = _field_ui_bundle_admin_path('node', $form_state['values']['type']) .'/fields';
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Access callback to determine if a user is allowed to use the field UI.
|
||||
*
|
||||
* Only grant access if the user has both the "administer fields" permission and
|
||||
* is granted access by the entity specific restrictions.
|
||||
*/
|
||||
function field_ui_admin_access($access_callback, $access_arguments) {
|
||||
return user_access('administer fields') && call_user_func_array($access_callback, $access_arguments);
|
||||
}
|
||||
|
||||
@@ -22,7 +22,7 @@ class FieldUITestCase extends DrupalWebTestCase {
|
||||
parent::setUp($modules);
|
||||
|
||||
// Create test user.
|
||||
$admin_user = $this->drupalCreateUser(array('access content', 'administer content types', 'administer taxonomy'));
|
||||
$admin_user = $this->drupalCreateUser(array('access content', 'administer content types', 'administer taxonomy', 'administer fields'));
|
||||
$this->drupalLogin($admin_user);
|
||||
|
||||
// Create content type, with underscores.
|
||||
@@ -445,6 +445,19 @@ class FieldUIManageFieldsTestCase extends FieldUITestCase {
|
||||
$this->assertText(t('The machine-readable name is already in use. It must be unique.'));
|
||||
$this->assertUrl($url, array(), 'Stayed on the same page.');
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests that external URLs in the 'destinations' query parameter are blocked.
|
||||
*/
|
||||
function testExternalDestinations() {
|
||||
$path = 'admin/structure/types/manage/article/fields/field_tags/field-settings';
|
||||
$options = array(
|
||||
'query' => array('destinations' => array('http://example.com')),
|
||||
);
|
||||
$this->drupalPost($path, NULL, t('Save field settings'), $options);
|
||||
|
||||
$this->assertUrl('admin/structure/types/manage/article/fields', array(), 'Stayed on the same site.');
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -682,7 +695,7 @@ class FieldUIAlterTestCase extends DrupalWebTestCase {
|
||||
parent::setUp(array('field_test'));
|
||||
|
||||
// Create test user.
|
||||
$admin_user = $this->drupalCreateUser(array('access content', 'administer content types', 'administer users'));
|
||||
$admin_user = $this->drupalCreateUser(array('access content', 'administer content types', 'administer users', 'administer fields'));
|
||||
$this->drupalLogin($admin_user);
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user