core security update

modules/overlay/overlay-parent.js

@@ -350,7 +350,7 @@ Drupal.overlay.setFocusBefore = function ($element, document) {
  *   TRUE if the URL represents an administrative link, FALSE otherwise.
  */
 Drupal.overlay.isAdminLink = function (url) {
-  if (Drupal.overlay.isExternalLink(url)) {
+  if (!Drupal.urlIsLocal(url)) {
     return false;
   }
 
@@ -378,6 +378,8 @@ Drupal.overlay.isAdminLink = function (url) {
 /**
  * Determine whether a link is external to the site.
  *
+ * Deprecated. Use Drupal.urlIsLocal() instead.
+ *
  * @param url
  *   The URL to be tested.
  *
@@ -385,8 +387,28 @@ Drupal.overlay.isAdminLink = function (url) {
  *   TRUE if the URL is external to the site, FALSE otherwise.
  */
 Drupal.overlay.isExternalLink = function (url) {
-  var re = RegExp('^((f|ht)tps?:)?//(?!' + window.location.host + ')');
-  return re.test(url);
+  return !Drupal.urlIsLocal(url);
+};
+
+/**
+ * Constructs an internal URL (relative to this site) from the provided path.
+ *
+ * For example, if the provided path is 'admin' and the site is installed at
+ * http://example.com/drupal, this function will return '/drupal/admin'.
+ *
+ * @param path
+ *   The internal path, without any leading slash.
+ *
+ * @return
+ *   The internal URL derived from the provided path, or null if a valid
+ *   internal path cannot be constructed (for example, if an attempt to create
+ *   an external link is detected).
+ */
+Drupal.overlay.getInternalUrl = function (path) {
+  var url = Drupal.settings.basePath + path;
+  if (Drupal.urlIsLocal(url)) {
+    return url;
+  }
 };
 
 /**
@@ -577,7 +599,7 @@ Drupal.overlay.eventhandlerOverrideLink = function (event) {
       // If the link contains the overlay-restore class and the overlay-context
       // state is set, also update the parent window's location.
       var parentLocation = ($target.hasClass('overlay-restore') && typeof $.bbq.getState('overlay-context') == 'string')
-        ? Drupal.settings.basePath + $.bbq.getState('overlay-context')
+        ? this.getInternalUrl($.bbq.getState('overlay-context'))
         : null;
       href = this.fragmentizeLink($target.get(0), parentLocation);
       // Only override default behavior when left-clicking and user is not
@@ -657,11 +679,15 @@ Drupal.overlay.eventhandlerOperateByURLFragment = function (event) {
   }
 
   // Get the overlay URL from the current URL fragment.
+  var internalUrl = null;
   var state = $.bbq.getState('overlay');
   if (state) {
+    internalUrl = this.getInternalUrl(state);
+  }
+  if (internalUrl) {
     // Append render variable, so the server side can choose the right
     // rendering and add child frame code to the page if needed.
-    var url = $.param.querystring(Drupal.settings.basePath + state, { render: 'overlay' });
+    var url = $.param.querystring(internalUrl, { render: 'overlay' });
 
     this.open(url);
     this.resetActiveClass(this.getPath(Drupal.settings.basePath + state));

modules/overlay/overlay.info

@@ -4,8 +4,8 @@ package = Core
 version = VERSION
 core = 7.x
 
-; Information added by Drupal.org packaging script on 2015-04-02
-version = "7.36"
+; Information added by Drupal.org packaging script on 2016-10-05
+version = "7.51"
 project = "drupal"
-datestamp = "1427943826"
+datestamp = "1475694174"
 

modules/overlay/overlay.module

@@ -78,6 +78,20 @@ function overlay_theme() {
   );
 }
 
+/**
+ * Implements hook_form_alter().
+ */
+function overlay_form_alter(&$form, &$form_state) {
+  // Add a hidden element to prevent dropping out of the overlay when a form is
+  // submitted inside the overlay using a GET method.
+  if (isset($form['#method']) && $form['#method'] == 'get' && isset($_REQUEST['render']) && $_REQUEST['render'] == 'overlay' && !isset($form['render'])) {
+    $form['render'] = array(
+      '#type' => 'hidden',
+      '#value' => 'overlay',
+    );
+  }
+}
+
 /**
  * Implements hook_form_FORM_ID_alter().
  */