SA-CORE-2020-005 by lorenzo_gre, jazzy2fives, xjm, samuel.mortenson, …

…pwolanin, larowlan, greggles, cashwilliams, Heine, mcdruid, alexpott, Gábor Hojtsy

includes/bootstrap.inc

@@ -681,11 +681,17 @@ function drupal_valid_test_ua($new_prefix = NULL) {
     // Ensure that no information leaks on production sites.
     $test_db = new TestDatabase($prefix);
     $key_file = DRUPAL_ROOT . '/' . $test_db->getTestSitePath() . '/.htkey';
-    if (!is_readable($key_file)) {
+    if (!is_readable($key_file) || is_dir($key_file)) {
       header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
       exit;
     }
     $private_key = file_get_contents($key_file);
+    // The string from drupal_generate_test_ua() is 74 bytes long. If we don't
+    // have it, tests cannot be allowed.
+    if (empty($private_key) || strlen($private_key) < 74) {
+      header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
+      exit;
+    }
     // The file properties add more entropy not easily accessible to others.
     $key = $private_key . filectime(__FILE__) . fileinode(__FILE__);
     $time_diff = REQUEST_TIME - $time;