security update core+modules

modules/overlay/overlay-parent.js

@@ -630,8 +630,11 @@ Drupal.overlay.eventhandlerOverrideLink = function (event) {
           $target.attr('href', $.param.querystring(href, { destination: fragmentizedDestination }));
         }
 
-        // Make the link open in the immediate parent of the frame.
-        $target.attr('target', '_parent');
+        // Make the link open in the immediate parent of the frame, unless the
+        // link already has a different target.
+        if (!$target.attr('target')) {
+          $target.attr('target', '_parent');
+        }
       }
     }
   }

modules/overlay/overlay.info

@@ -3,3 +3,9 @@ description = Displays the Drupal administration interface in an overlay.
 package = Core
 version = VERSION
 core = 7.x
+
+; Information added by Drupal.org packaging script on 2015-04-02
+version = "7.36"
+project = "drupal"
+datestamp = "1427943826"
+

modules/overlay/overlay.module

@@ -146,6 +146,10 @@ function overlay_init() {
       // If this page shouldn't be rendered inside the overlay, redirect to the
       // parent.
       elseif (!path_is_admin($current_path)) {
+        // Prevent open redirects by ensuring the current path is not an absolute URL.
+        if (url_is_external($current_path)) {
+          $current_path = '<front>';
+        }
         overlay_close_dialog($current_path, array('query' => drupal_get_query_parameters(NULL, array('q', 'render'))));
       }
 
@@ -704,7 +708,7 @@ function overlay_overlay_child_initialize() {
 }
 
 /**
- * Requests that the overlay overlay closes when the page is displayed.
+ * Requests that the overlay closes when the page is displayed.
  *
  * @param $redirect
  *   (optional) The path that should open in the parent window after the