Frage zum patchen 5.7 - SA-2008-044
Eingetragen von Jim (25)am 21.07.2008 - 09:55 Uhr in
Moin zusammen,
es gibt ja einen Patch um die SA-2008-044 Sicherheitslücke zu schliessen (http://drupal.org/node/280571). Code ist:
Index: install.php
===================================================================
RCS file: /cvs/drupal/drupal/install.php,v
retrieving revision 1.34.2.4
diff -u -p -r1.34.2.4 install.php
--- install.php 7 Nov 2007 08:10:16 -0000 1.34.2.4
+++ install.php 9 Jul 2008 20:37:35 -0000
@@ -153,6 +153,15 @@ function install_change_settings($profil
include_once './includes/form.inc';
drupal_maintenance_theme();
+ // Don't fill in placeholders
+ if ($db_url == 'mysql://username:password@localhost/databasename') {
+ $db_user = $db_pass = $db_path = '';
+ }
+ elseif (!empty($db_url)) {
+ // Do not install over a configured settings.php.
+ install_already_done_error();
+ }
+
// The existing database settings are not working, so we need write access
// to settings.php to change them.
if (!drupal_verify_install_file($settings_file, FILE_EXIST|FILE_READABLE|FILE_WRITABLE)) {
@@ -163,14 +172,6 @@ function install_change_settings($profil
exit;
}
- // Don't fill in placeholders
- if ($db_url == 'mysql://username:password@localhost/databasename') {
- $db_user = $db_pass = $db_path = '';
- }
- elseif (!empty($db_url)) {
- // Do not install over a configured settings.php.
- install_already_done_error();
- }
$output = drupal_get_form('install_settings_form', $profile, $install_locale, $settings_file, $db_url, $db_type, $db_prefix, $db_user, $db_pass, $db_host, $db_port, $db_path);
drupal_set_title(st('Database configuration'));
print theme('install_page', $output);
Index: includes/theme.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/theme.inc,v
retrieving revision 1.337.2.2
diff -u -p -r1.337.2.2 theme.inc
--- includes/theme.inc 31 May 2007 05:52:42 -0000 1.337.2.2
+++ includes/theme.inc 9 Jul 2008 20:37:57 -0000
@@ -544,16 +544,14 @@ function theme_links($links, $attributes
$i = 1;
foreach ($links as $key => $link) {
- $class = '';
+ $class = $key;
// Automatically add a class to each link and also to each LI
if (isset($link['attributes']) && isset($link['attributes']['class'])) {
$link['attributes']['class'] .= ' ' . $key;
- $class = $key;
}
else {
$link['attributes']['class'] = $key;
- $class = $key;
}
// Add first and last classes to the list of links to help out themers.
@@ -564,7 +562,7 @@ function theme_links($links, $attributes
if ($i == $num_links) {
$extra_class .= 'last ';
}
- $output .= '<li class="'. $extra_class . $class .'">';
+ $output .= '<li '. drupal_attributes(array('class' => $extra_class . $class)) .'>';
// Is the title HTML?
$html = isset($link['html']) && $link['html'];
Index: modules/filter/filter.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/filter/filter.module,v
retrieving revision 1.160.2.6
diff -u -p -r1.160.2.6 filter.module
--- modules/filter/filter.module 22 Jan 2008 08:43:34 -0000 1.160.2.6
+++ modules/filter/filter.module 9 Jul 2008 20:37:46 -0000
@@ -1244,7 +1244,7 @@ function _filter_autop($text) {
* for scripts and styles.
*/
function filter_xss_admin($string) {
- return filter_xss($string, array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'div', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'img', 'ins', 'kbd', 'li', 'object', 'ol', 'p', 'param', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var'));
+ return filter_xss($string, array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'div', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'img', 'ins', 'kbd', 'li', 'ol', 'p', 'param', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var'));
}
/**
Index: modules/locale/locale.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/locale/locale.module,v
retrieving revision 1.155
diff -u -p -r1.155 locale.module
--- modules/locale/locale.module 27 Dec 2006 13:11:59 -0000 1.155
+++ modules/locale/locale.module 9 Jul 2008 20:37:41 -0000
@@ -111,7 +111,7 @@ function locale_menu($may_cache) {
'type' => MENU_CALLBACK);
$items[] = array('path' => 'admin/settings/locale/string/delete/'. arg(5),
'title' => t('Delete string'),
- 'callback' => 'locale_admin_string_delete',
+ 'callback' => 'locale_admin_string_delete_page',
'callback arguments' => array(arg(5)),
'access' => $access,
'type' => MENU_CALLBACK);
@@ -407,9 +407,29 @@ function locale_admin_string_edit_submit
}
/**
- * Delete a string.
+ * String deletion confirmation page.
*/
-function locale_admin_string_delete($lid) {
+function locale_admin_string_delete_page($lid) {
+ if ($source = db_fetch_object(db_query('SELECT * FROM {locales_source} WHERE lid = %d', $lid))) {
+ return drupal_get_form('locale_string_delete_form', $source);
+ }
+ else {
+ return drupal_not_found();
+ }
+}
+
+/**
+ * User interface for the string deletion confirmation screen.
+ */
+function locale_string_delete_form($source) {
+ $form['lid'] = array('#type' => 'value', '#value' => $source->lid);
+ return confirm_form($form, t('Are you sure you want to delete the string "%source"?', array('%source' => $source->source)), 'admin/build/translate/search', t('Deleting the string will remove all translations of this string in all languages. This action cannot be undone.'), t('Delete'), t('Cancel'));
+}
+
+/**
+ * Process string deletion submissions.
+ */
+function locale_string_delete_form_submit($form_id, $form_values) {
include_once './includes/locale.inc';
- _locale_string_delete($lid);
+ _locale_string_delete($form_values['lid']);
}
Index: modules/user/user.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.module,v
retrieving revision 1.745.2.26
diff -u -p -r1.745.2.26 user.module
--- modules/user/user.module 7 Jan 2008 02:30:35 -0000 1.745.2.26
+++ modules/user/user.module 9 Jul 2008 20:37:51 -0000
@@ -968,9 +968,11 @@ function user_login_submit($form_id, $fo
// Update the user table timestamp noting user has logged in.
db_query("UPDATE {users} SET login = %d WHERE uid = %d", time(), $user->uid);
+ // Regenerate the session ID to prevent against session fixation attacks.
+ sess_regenerate();
+
user_module_invoke('login', $form_values, $user);
- sess_regenerate();
return 'user/'. $user->uid;
}
}Ich habe mir jetzt mal die Infos hier und bei drupal.org bzg. des patchens durchgelesen, aber irgendwie verstehe ich leider nur Bahnhof. :-(
Auch habe ich diesen Beitrag hier http://www.drupalcenter.de/node/7655 gefunden, aber ich habe keinen Shell-Zugang.
Ein kompl. Update auf die Version 5.8 wollte ich eigentlich nicht machen, weil es im Forum von drupal.org dazu einige Userberichte zu Problemen nach dem Update gibt.
Wenn ich den Patch-Code richtig deute ("The existing database settings are not working, so we need write access to settings.php to change them."), dann ist es wohl nicht, so wie ich das bisher von anderen PHP-Systemen her kenne, mit dem austauschen von ein paar PHP-Dateien getan, oder?
Welche Möglichkeiten habe ich denn evtl. noch um den Patch einzuspielen, bzw. 5.7 entsprechend zu patchen?
Danke und Gruß
Jim
- Anmelden oder Registrieren um Kommentare zu schreiben
Neue Kommentare
vor 2 Wochen 1 Tag
vor 2 Wochen 2 Tagen
vor 2 Wochen 3 Tagen
vor 3 Wochen 10 Stunden
vor 3 Wochen 13 Stunden
vor 3 Wochen 4 Tagen
vor 3 Wochen 4 Tagen
vor 3 Wochen 4 Tagen
vor 6 Wochen 1 Tag
vor 6 Wochen 2 Tagen