core security update
@@ -7,8 +7,8 @@ files[] = filter.test
|
||||
required = TRUE
|
||||
configure = admin/config/content/formats
|
||||
|
||||
; Information added by Drupal.org packaging script on 2015-04-02
|
||||
version = "7.36"
|
||||
; Information added by Drupal.org packaging script on 2016-10-05
|
||||
version = "7.51"
|
||||
project = "drupal"
|
||||
datestamp = "1427943826"
|
||||
datestamp = "1475694174"
|
||||
|
||||
|
||||
@@ -93,6 +93,14 @@ function filter_menu() {
|
||||
'type' => MENU_SUGGESTED_ITEM,
|
||||
'file' => 'filter.pages.inc',
|
||||
);
|
||||
$items['filter/tips/%filter_format'] = array(
|
||||
'title' => 'Compose tips',
|
||||
'page callback' => 'filter_tips_long',
|
||||
'page arguments' => array(2),
|
||||
'access callback' => 'filter_access',
|
||||
'access arguments' => array(2),
|
||||
'file' => 'filter.pages.inc',
|
||||
);
|
||||
$items['admin/config/content/formats'] = array(
|
||||
'title' => 'Text formats',
|
||||
'description' => 'Configure how content input by users is filtered, including allowed HTML tags. Also allows enabling of module-provided filters.',
|
||||
@@ -340,6 +348,7 @@ function filter_admin_format_title($format) {
|
||||
function filter_permission() {
|
||||
$perms['administer filters'] = array(
|
||||
'title' => t('Administer text formats and filters'),
|
||||
'description' => t('Define how text is handled by combining filters into <a href="@url">text formats</a>.', array('@url' => url('admin/config/content/formats'))),
|
||||
'restrict access' => TRUE,
|
||||
);
|
||||
|
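Review bot: The new `'restrict access' => TRUE` entry on `administer filters` has no comment saying why this permission is singled out, and the permission description next to it only talks about combining filters into formats. Since the hunk shows this is the permission that governs the text-format configuration (including allowed HTML, per the menu item description earlier in the commit), a one-line comment above the entry makes the trust level explicit for the next maintainer: `// Controls which HTML every text format lets through; flag it as security-sensitive on the permissions page.`. `filter_permission()` continues past the end of the hunk.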
||||
@@ -1118,18 +1127,23 @@ function filter_dom_serialize($dom_document) {
|
||||
$body_node = $dom_document->getElementsByTagName('body')->item(0);
|
||||
$body_content = '';
|
||||
|
||||
foreach ($body_node->getElementsByTagName('script') as $node) {
|
||||
filter_dom_serialize_escape_cdata_element($dom_document, $node);
|
||||
}
|
||||
if ($body_node !== NULL) {
|
||||
foreach ($body_node->getElementsByTagName('script') as $node) {
|
||||
filter_dom_serialize_escape_cdata_element($dom_document, $node);
|
||||
}
|
||||
|
||||
foreach ($body_node->getElementsByTagName('style') as $node) {
|
||||
filter_dom_serialize_escape_cdata_element($dom_document, $node, '/*', '*/');
|
||||
}
|
||||
foreach ($body_node->getElementsByTagName('style') as $node) {
|
||||
filter_dom_serialize_escape_cdata_element($dom_document, $node, '/*', '*/');
|
||||
}
|
||||
|
||||
foreach ($body_node->childNodes as $child_node) {
|
||||
$body_content .= $dom_document->saveXML($child_node);
|
||||
foreach ($body_node->childNodes as $child_node) {
|
||||
$body_content .= $dom_document->saveXML($child_node);
|
||||
}
|
||||
return preg_replace('|<([^> ]*)/>|i', '<$1 />', $body_content);
|
||||
}
|
||||
else {
|
||||
return $body_content;
|
||||
}
|
||||
return preg_replace('|<([^> ]*)/>|i', '<$1 />', $body_content);
|
||||
}
|
||||
|
||||
/**
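Review bot: The `else { return $body_content; }` branch at the end of the new `if ($body_node !== NULL)` block returns a variable that is still `''` at that point, and it pairs with a `return` inside the `if`, so the null-body case reads more clearly as a guard clause: `if ($body_node === NULL) { return ''; }` placed right after the `getElementsByTagName('body')` lookup, with the three loops and the final `preg_replace` return dedented one level and the `else` dropped. Both shapes return the same values; the guard just removes a level of nesting and states the empty-document contract in one place. A short comment on the guard would help too, e.g. `// A document without a <body> (such as an empty DOMDocument) has nothing to serialize.`.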
|
||||
@@ -1483,7 +1497,7 @@ function _filter_url($text, $filter) {
|
||||
$tasks['_filter_url_parse_full_links'] = $pattern;
|
||||
|
||||
// Match e-mail addresses.
|
||||
$url_pattern = "[A-Za-z0-9._-]{1,254}@(?:$domain)";
|
||||
$url_pattern = "[A-Za-z0-9._+-]{1,254}@(?:$domain)";
|
||||
$pattern = "`($url_pattern)`";
|
||||
$tasks['_filter_url_parse_email_links'] = $pattern;
|
||||
|
||||
|
||||
@@ -14,10 +14,9 @@
|
||||
* @see filter_menu()
|
||||
* @see theme_filter_tips()
|
||||
*/
|
||||
function filter_tips_long() {
|
||||
$format_id = arg(2);
|
||||
if ($format_id) {
|
||||
$output = theme('filter_tips', array('tips' => _filter_tips($format_id, TRUE), 'long' => TRUE));
|
||||
function filter_tips_long($format = NULL) {
|
||||
if (!empty($format)) {
|
||||
$output = theme('filter_tips', array('tips' => _filter_tips($format->format, TRUE), 'long' => TRUE));
|
||||
}
|
||||
else {
|
||||
$output = theme('filter_tips', array('tips' => _filter_tips(-1, TRUE), 'long' => TRUE));
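Review bot: The new `$format` parameter of `filter_tips_long()` is not documented: the context lines `@see filter_menu()` / `@see theme_filter_tips()` close the docblock, and nothing above line 14 changes in this hunk, so unless a separate hunk adds it the docblock should gain `@param $format A text format object (loaded by the `%filter_format` menu placeholder) whose tips are shown, or NULL to fall back to `_filter_tips(-1, TRUE)`.`. `if (!empty($format))` is also a truthiness test on what is now an object argument; `if ($format !== NULL)` states the intent directly and matches the NULL default. The function body continues past the end of the hunk.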
|
||||
|
||||
@@ -555,6 +555,27 @@ class FilterFormatAccessTestCase extends DrupalWebTestCase {
|
||||
$this->assertTrue(isset($options[$this->allowed_format->format]), 'The allowed text format appears as an option when adding a new node.');
|
||||
$this->assertFalse(isset($options[$this->disallowed_format->format]), 'The disallowed text format does not appear as an option when adding a new node.');
|
||||
$this->assertTrue(isset($options[filter_fallback_format()]), 'The fallback format appears as an option when adding a new node.');
|
||||
|
||||
// Check regular user access to the filter tips pages.
|
||||
$this->drupalGet('filter/tips/' . $this->allowed_format->format);
|
||||
$this->assertResponse(200);
|
||||
$this->drupalGet('filter/tips/' . $this->disallowed_format->format);
|
||||
$this->assertResponse(403);
|
||||
$this->drupalGet('filter/tips/' . filter_fallback_format());
|
||||
$this->assertResponse(200);
|
||||
$this->drupalGet('filter/tips/invalid-format');
|
||||
$this->assertResponse(404);
|
||||
|
||||
// Check admin user access to the filter tips pages.
|
||||
$this->drupalLogin($this->admin_user);
|
||||
$this->drupalGet('filter/tips/' . $this->allowed_format->format);
|
||||
$this->assertResponse(200);
|
||||
$this->drupalGet('filter/tips/' . $this->disallowed_format->format);
|
||||
$this->assertResponse(200);
|
||||
$this->drupalGet('filter/tips/' . filter_fallback_format());
|
||||
$this->assertResponse(200);
|
||||
$this->drupalGet('filter/tips/invalid-format');
|
||||
$this->assertResponse(404);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -1099,8 +1120,12 @@ class FilterUnitTestCase extends DrupalUnitTestCase {
|
||||
$f = filter_xss("<img src=\"jav\0a\0\0cript:alert(0)\">", array('img'));
|
||||
$this->assertNoNormalized($f, 'cript', 'HTML scheme clearing evasion -- embedded nulls.');
|
||||
|
||||
$f = filter_xss('<img src="  javascript:alert(0)">', array('img'));
|
||||
$this->assertNoNormalized($f, 'javascript', 'HTML scheme clearing evasion -- spaces and metacharacters before scheme.');
|
||||
// @todo This dataset currently fails under 5.4 because of
|
||||
// https://www.drupal.org/node/1210798. Restore after it's fixed.
|
||||
if (version_compare(PHP_VERSION, '5.4.0', '<')) {
|
||||
$f = filter_xss('<img src="  javascript:alert(0)">', array('img'));
|
||||
$this->assertNoNormalized($f, 'javascript', 'HTML scheme clearing evasion -- spaces and metacharacters before scheme.');
|
||||
}
|
||||
|
||||
$f = filter_xss('<img src="vbscript:msgbox(0)">', array('img'));
|
||||
$this->assertNoNormalized($f, 'vbscript', 'HTML scheme clearing evasion -- another scheme.');
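Review bot: The `version_compare(PHP_VERSION, '5.4.0', '<')` guard drops the "spaces and metacharacters before scheme" assertion from every PHP 5.4+ run without leaving any trace in the test results, so the missing coverage for that dataset is invisible until someone re-reads the @todo. Recording the skip in an `else` branch keeps the gap visible in the report, e.g. `else { $this->pass('Skipped: leading-whitespace scheme dataset pending https://www.drupal.org/node/1210798.'); }`. The enclosing test method starts and ends outside the hunk.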
|
||||
@@ -1148,7 +1173,7 @@ class FilterUnitTestCase extends DrupalUnitTestCase {
|
||||
// Setup dummy filter object.
|
||||
$filter = new stdClass();
|
||||
$filter->settings = array(
|
||||
'allowed_html' => '<a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>',
|
||||
'allowed_html' => '<a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd> <test-element>',
|
||||
'filter_html_help' => 1,
|
||||
'filter_html_nofollow' => 0,
|
||||
);
|
||||
@@ -1184,6 +1209,10 @@ class FilterUnitTestCase extends DrupalUnitTestCase {
|
||||
|
||||
$f = _filter_html('<code onerror> </code>', $filter);
|
||||
$this->assertNoNormalized($f, 'onerror', 'HTML filter should remove empty on* attributes on default.');
|
||||
|
||||
// Custom tags are supported and should be allowed through.
|
||||
$f = _filter_html('<test-element></test-element>', $filter);
|
||||
$this->assertNormalized($f, 'test-element', 'HTML filter should allow custom elements.');
|
||||
}
|
||||
|
||||
/**
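Review bot: `assertNormalized($f, 'test-element', ...)` only checks that the substring survives, which would also hold if the filter escaped or otherwise rewrote the tag instead of passing it through (if the helper decodes entities before searching, as its name suggests, even `&lt;test-element&gt;` would satisfy it — confirm against the helper). If `_filter_html()` is expected to return the pair untouched, pin the exact output instead: `$this->assertIdentical('<test-element></test-element>', $f, 'HTML filter should allow custom elements.');`. The enclosing test method starts outside the hunk.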
|
||||
@@ -1269,6 +1298,7 @@ class FilterUnitTestCase extends DrupalUnitTestCase {
|
||||
// Create a e-mail that is too long.
|
||||
$long_email = str_repeat('a', 254) . '@example.com';
|
||||
$too_long_email = str_repeat('b', 255) . '@example.com';
|
||||
$email_with_plus_sign = 'one+two@example.com';
|
||||
|
||||
|
||||
// Filter selection/pattern matching.
|
||||
@@ -1282,12 +1312,13 @@ http://example.com or www.example.com
|
||||
),
|
||||
// MAILTO URLs.
|
||||
'
|
||||
person@example.com or mailto:person2@example.com or ' . $long_email . ' but not ' . $too_long_email . '
|
||||
person@example.com or mailto:person2@example.com or ' . $email_with_plus_sign . ' or ' . $long_email . ' but not ' . $too_long_email . '
|
||||
' => array(
|
||||
'<a href="mailto:person@example.com">person@example.com</a>' => TRUE,
|
||||
'<a href="mailto:person2@example.com">mailto:person2@example.com</a>' => TRUE,
|
||||
'<a href="mailto:' . $long_email . '">' . $long_email . '</a>' => TRUE,
|
||||
'<a href="mailto:' . $too_long_email . '">' . $too_long_email . '</a>' => FALSE,
|
||||
'<a href="mailto:' . $email_with_plus_sign . '">' . $email_with_plus_sign . '</a>' => TRUE,
|
||||
),
|
||||
// URI parts and special characters.
|
||||
'
|
||||
@@ -1979,3 +2010,26 @@ class FilterSettingsTestCase extends DrupalWebTestCase {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests DOMDocument serialization.
|
||||
*/
|
||||
class FilterDOMSerializeTestCase extends DrupalWebTestCase {
|
||||
|
||||
public static function getInfo() {
|
||||
return array(
|
||||
'name' => 'Serialization',
|
||||
'description' => 'Test serialization of DOMDocument objects.',
|
||||
'group' => 'Filter',
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests empty DOMDocument object.
|
||||
*/
|
||||
function testFilterEmptyDOMSerialization() {
|
||||
$document = new DOMDocument();
|
||||
$result = filter_dom_serialize($document);
|
||||
$this->assertEqual('', $result);
|
||||
}
|
||||
}
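Review bot: `FilterDOMSerializeTestCase` extends `DrupalWebTestCase`, which sets up a full site for each test run, but its only test method builds an empty `DOMDocument` and calls `filter_dom_serialize()` with no database or request state involved; `DrupalUnitTestCase`, which `FilterUnitTestCase` in this same file already uses for filter functions, would run the same assertion far more cheaply. `$this->assertEqual('', $result)` is also loose, since a NULL or FALSE result compares equal to `''`; `$this->assertIdentical('', $result, 'An empty document serializes to an empty string.');` pins the contract the new `$body_node !== NULL` branch was added to guarantee. A sentence in the class docblock noting that this covers a document with no `<body>` element would tie the test to the change it guards.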
|
||||
|
||||