Merge remote-tracking branch 'drupal/7.x' into 7.x-symfony

Benjamin Doherty · Benjamin Doherty · commit 074ebc2d12c6 · 2014-12-01T11:52:47.000-06:00
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
@@ -1,6 +1,13 @@
 
-Drupal 7.34, xxxx-xx-xx (development version)
+Drupal 7.35, xxxx-xx-xx (development version)
 -----------------------
+- Fixed a bug in the Contact module which caused the global user object to have
+  the incorrect name and e-mail address during the remainder of the page
+  request after the contact form is submitted.
+
+Drupal 7.34, 2014-11-19
+----------------------
+- Fixed security issues (multiple vulnerabilities). See SA-CORE-2014-006.
 
 Drupal 7.33, 2014-11-07
 -----------------------
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.34-dev');
+define('VERSION', '7.35-dev');
 
 /**
  * Core API compatibility.
diff --git a/includes/password.inc b/includes/password.inc
@@ -140,7 +140,7 @@ function _password_enforce_log2_boundaries($count_log2) {
  * @param $algo
  *   The string name of a hashing algorithm usable by hash(), like 'sha256'.
  * @param $password
- *   The plain-text password to hash.
+ *   Plain-text password up to 512 bytes (128 to 512 UTF-8 characters) to hash.
  * @param $setting
  *   An existing hash or the output of _password_generate_salt().  Must be
  *   at least 12 characters (the settings and salt).
@@ -150,6 +150,10 @@ function _password_enforce_log2_boundaries($count_log2) {
  *   The return string will be truncated at DRUPAL_HASH_LENGTH characters max.
  */
 function _password_crypt($algo, $password, $setting) {
+  // Prevent DoS attacks by refusing to hash large passwords.
+  if (strlen($password) > 512) {
+    return FALSE;
+  }
   // The first 12 characters of an existing hash are its setting string.
   $setting = substr($setting, 0, 12);
 
diff --git a/includes/session.inc b/includes/session.inc
@@ -79,7 +79,7 @@ function _drupal_session_read($sid) {
   // Handle the case of first time visitors and clients that don't store
   // cookies (eg. web crawlers).
   $insecure_session_name = substr(session_name(), 1);
-  if (!isset($_COOKIE[session_name()]) && !isset($_COOKIE[$insecure_session_name])) {
+  if (empty($sid) || (!isset($_COOKIE[session_name()]) && !isset($_COOKIE[$insecure_session_name]))) {
     $user = drupal_anonymous_user();
     return '';
   }
diff --git a/modules/contact/contact.pages.inc b/modules/contact/contact.pages.inc
@@ -134,7 +134,7 @@ function contact_site_form_submit($form, &$form_state) {
   global $user, $language;
 
   $values = $form_state['values'];
-  $values['sender'] = $user;
+  $values['sender'] = clone $user;
   $values['sender']->name = $values['name'];
   $values['sender']->mail = $values['mail'];
   $values['category'] = contact_load($values['cid']);
@@ -270,7 +270,7 @@ function contact_personal_form_submit($form, &$form_state) {
   global $user, $language;
 
   $values = $form_state['values'];
-  $values['sender'] = $user;
+  $values['sender'] = clone $user;
   $values['sender']->name = $values['name'];
   $values['sender']->mail = $values['mail'];
 
diff --git a/modules/simpletest/tests/password.test b/modules/simpletest/tests/password.test
@@ -57,4 +57,25 @@ class PasswordHashingTest extends DrupalWebTestCase {
     $this->assertFalse(user_needs_new_hash($account), 'Re-hashed password does not need a new hash.');
     $this->assertTrue(user_check_password($password, $account), 'Password check succeeds with re-hashed password.');
   }
+
+  /**
+   * Verifies that passwords longer than 512 bytes are not hashed.
+   */
+  public function testLongPassword() {
+    $password = str_repeat('x', 512);
+    $result = user_hash_password($password);
+    $this->assertFalse(empty($result), '512 byte long password is allowed.');
+    $password = str_repeat('x', 513);
+    $result = user_hash_password($password);
+    $this->assertFalse($result, '513 byte long password is not allowed.');
+    // Check a string of 3-byte UTF-8 characters.
+    $password = str_repeat('€', 170);
+    $result = user_hash_password($password);
+    $this->assertFalse(empty($result), '510 byte long password is allowed.');
+    $password .= 'xx';
+    $this->assertFalse(empty($result), '512 byte long password is allowed.');
+    $password = str_repeat('€', 171);
+    $result = user_hash_password($password);
+    $this->assertFalse($result, '513 byte long password is not allowed.');
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -79,7 +79,7 @@ function _drupal_session_read($sid) {`
`79`	`79`	`// Handle the case of first time visitors and clients that don't store`
`80`	`80`	`// cookies (eg. web crawlers).`
`81`	`81`	`$insecure_session_name = substr(session_name(), 1);`
`82`		`- if (!isset($_COOKIE[session_name()]) && !isset($_COOKIE[$insecure_session_name])) {`
	`82`	`+ if (empty($sid) \|\| (!isset($_COOKIE[session_name()]) && !isset($_COOKIE[$insecure_session_name]))) {`
`83`	`83`	`$user = drupal_anonymous_user();`
`84`	`84`	`return '';`
`85`	`85`	`}`