From 2a3dc22a5364bc5b38eb55fe1bd24f389854e9e3 Mon Sep 17 00:00:00 2001
From: xjm
Date: Wed, 17 Jun 2020 12:58:08 -0500
Subject: [PATCH] =?UTF-8?q?SA-CORE-2020-005=20by=20lorenzo=5Fgre,=20jazzy2?=
 =?UTF-8?q?fives,=20xjm,=20samuel.mortenson,=20pwolanin,=20larowlan,=20gre?=
 =?UTF-8?q?ggles,=20cashwilliams,=20Heine,=20mcdruid,=20alexpott,=20G?=
 =?UTF-8?q?=C3=A1bor=20Hojtsy?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 includes/bootstrap.inc | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 73b947f13ef..81f33e0201a 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -681,11 +681,17 @@ function drupal_valid_test_ua($new_prefix = NULL) {
 // Ensure that no information leaks on production sites.
 $test_db = new TestDatabase($prefix);
 $key_file = DRUPAL_ROOT . '/' . $test_db->getTestSitePath() . '/.htkey';
- if (!is_readable($key_file)) {
+ if (!is_readable($key_file) || is_dir($key_file)) {
 header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
 exit;
 }
 $private_key = file_get_contents($key_file);
+ // The string from drupal_generate_test_ua() is 74 bytes long. If we don't
+ // have it, tests cannot be allowed.
+ if (empty($private_key) || strlen($private_key) < 74) {
+ header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
+ exit;
+ }
 // The file properties add more entropy not easily accessible to others.
 $key = $private_key . filectime(__FILE__) . fileinode(__FILE__);
 $time_diff = REQUEST_TIME - $time;
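Review bot: The comment on the new length check says the key from drupal_generate_test_ua() is 74 bytes long, but the condition only rejects shorter content, so any file of 74 bytes or more, including one with trailing whitespace or an unrelated longer file, still passes the guard; if every generated key is exactly 74 bytes, `if ($private_key === FALSE || strlen($private_key) !== 74) {` pins that, and otherwise the comment should say "at least 74 bytes". The explicit `=== FALSE` also records why the first half of the guard exists: is_readable() succeeded a moment earlier, so a non-string here can only come from a read failure between the two calls, which `empty()` currently covers silently (together with the string "0", which cannot occur for a 74-byte key). The same 403-and-exit pair now appears twice in the hunk, so a single combined condition or a small local helper would keep the two rejection paths from drifting apart. drupal_valid_test_ua() begins and ends outside the hunk.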