Permalink
Browse files

Drupal 7.31

  • Loading branch information...
DavidRothstein committed Aug 6, 2014
1 parent f9784cf commit 90e884ad0f7f2cf269d953f7d70966de9fd821ff
Showing with 50 additions and 2 deletions.
  1. +4 −0 CHANGELOG.txt
  2. +1 −1 includes/bootstrap.inc
  3. +35 −1 includes/xmlrpc.inc
  4. +5 −0 modules/openid/openid.inc
  5. +5 −0 modules/simpletest/tests/xmlrpc.test
@@ -1,4 +1,8 @@
Drupal 7.31, 2014-08-06
----------------------
- Fixed security issues (denial of service). See SA-CORE-2014-004.
Drupal 7.30, 2014-07-24
-----------------------
- Fixed a regression introduced in Drupal 7.29 that caused files or images
@@ -8,7 +8,7 @@
/**
* The current system version.
*/
define('VERSION', '7.30');
define('VERSION', '7.31');
/**
* Core API compatibility.
@@ -178,7 +178,41 @@ function xmlrpc_message_parse($xmlrpc_message) {
xml_set_element_handler($xmlrpc_message->_parser, 'xmlrpc_message_tag_open', 'xmlrpc_message_tag_close');
xml_set_character_data_handler($xmlrpc_message->_parser, 'xmlrpc_message_cdata');
xmlrpc_message_set($xmlrpc_message);
if (!xml_parse($xmlrpc_message->_parser, $xmlrpc_message->message)) {
// Strip XML declaration.
$header = preg_replace('/<\?xml.*?\?'.'>/s', '', substr($xmlrpc_message->message, 0, 100), 1);
$xml = trim(substr_replace($xmlrpc_message->message, $header, 0, 100));
if ($xml == '') {
return FALSE;
}
// Strip DTD.
$header = preg_replace('/^<!DOCTYPE[^>]*+>/i', '', substr($xml, 0, 200), 1);
$xml = trim(substr_replace($xml, $header, 0, 200));
if ($xml == '') {
return FALSE;
}
// Confirm the XML now starts with a valid root tag. A root tag can end in [> \t\r\n]
$root_tag = substr($xml, 0, strcspn(substr($xml, 0, 20), "> \t\r\n"));
// Reject a second DTD.
if (strtoupper($root_tag) == '<!DOCTYPE') {
return FALSE;
}
if (!in_array($root_tag, array('<methodCall', '<methodResponse', '<fault'))) {
return FALSE;
}
// Skip parsing if there is an unreasonably large number of tags.
try {
$dom = new DOMDocument();
@$dom->loadXML($xml);
if ($dom->getElementsByTagName('*')->length > variable_get('xmlrpc_message_maximum_tag_count', 30000)) {
return FALSE;
}
}
catch (Exception $e) {
return FALSE;
}
if (!xml_parse($xmlrpc_message->_parser, $xml)) {
return FALSE;
}
xml_parser_free($xmlrpc_message->_parser);
@@ -158,6 +158,11 @@ function _openid_xrds_parse($raw_xml) {
return array();
}
// Also stop parsing if there is an unreasonably large number of tags.
if ($dom->getElementsByTagName('*')->length > variable_get('openid_xrds_maximum_tag_count', 30000)) {
return array();
}
// Parse the DOM document for the information we need.
if ($xml = simplexml_import_dom($dom)) {
foreach ($xml->children(OPENID_NS_XRD)->XRD as $xrd) {
@@ -211,6 +211,11 @@ class XMLRPCMessagesTestCase extends DrupalWebTestCase {
* Make sure that XML-RPC can transfer large messages.
*/
function testSizedMessages() {
// These tests can produce up to 128 x 160 words in the XML-RPC message
// (see xmlrpc_test_message_sized_in_kb()) with 4 tags used to represent
// each. Set a large enough tag limit to allow this to be tested.
variable_set('xmlrpc_message_maximum_tag_count', 100000);
$xml_url = url(NULL, array('absolute' => TRUE)) . 'xmlrpc.php';
$sizes = array(8, 80, 160);
foreach ($sizes as $size) {

0 comments on commit 90e884a

Please sign in to comment.