From 221b8d999bd354cf2b33512f8ce304b5ccfd004b Mon Sep 17 00:00:00 2001
From: Pantheon Automation
Date: Wed, 20 Jan 2021 19:08:51 -0800
Subject: [PATCH] Update to Drupal 7.78.

For more information, see https://www.drupal.org/project/drupal/releases/7.78
---
 CHANGELOG.txt | 5 +++++
 includes/bootstrap.inc | 2 +-
 modules/system/system.tar.inc | 8 ++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 2c3b93c64d4..f9b010c58cb 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,3 +1,8 @@
+Drupal 7.78, 2021-01-19
+-----------------------
+- Fixed security issues:
+ - SA-CORE-2021-001
+
 Drupal 7.77, 2020-12-03
 -----------------------
 - Hotfix for schema.prefixed tables
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index cb70533e46a..e79c5d50942 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
 /**
 * The current system version.
 */
-define('VERSION', '7.77');
+define('VERSION', '7.78');
 
 /**
 * Core API compatibility.
diff --git a/modules/system/system.tar.inc b/modules/system/system.tar.inc
index 92fa5290824..0af6275b401 100644
--- a/modules/system/system.tar.inc
+++ b/modules/system/system.tar.inc
@@ -2178,6 +2178,14 @@ class Archive_Tar
 }
 }
 } elseif ($v_header['typeflag'] == "2") {
+ if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
+ $this->_error(
+ 'Out-of-path file extraction {'
+ . $v_header['filename'] . ' --> ' .
+ $v_header['link'] . '}'
+ );
+ return false;
+ }
 if (!$p_symlinks) {
 $this->_warning('Symbolic links are not allowed. '
 . 'Unable to extract {'
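Review bot: The new out-of-path guard in the typeflag "2" branch of system.tar.inc compares the two realpath() results as a bare string prefix, so a base of `/x/extract` also accepts a link whose directory resolves to `/x/extract-other`; the comparison should require either equality with the base or the base followed by a directory separator. realpath() also returns false when a path does not exist, and that false is passed straight into strpos(), so the rejection of missing targets only works by coercion to an empty string and should be made explicit. A relative link target is resolved by realpath() against the process working directory rather than against $p_path, which is presumably not what the check intends; worth confirming against the extractor's callers. The enclosing method starts and ends outside the hunk, and the same comparison pattern does not appear in the other two hunks. A rewrite of the guard follows.
```php
            } elseif ($v_header['typeflag'] == "2") {
                $v_base_dir = realpath($p_path);
                $v_link_dir = realpath(dirname($v_header['link']));
                // realpath() yields false for a missing path; reject that
                // explicitly instead of letting strpos() coerce it to "".
                // Accept only the base itself or the base plus a separator,
                // so a sibling directory sharing the prefix is not accepted.
                if ($v_base_dir === false
                    || $v_link_dir === false
                    || ($v_link_dir !== $v_base_dir
                        && strpos($v_link_dir, $v_base_dir . DIRECTORY_SEPARATOR) !== 0)) {
                    $this->_error(
                        'Out-of-path file extraction {'
                        . $v_header['filename'] . ' --> ' .
                        $v_header['link'] . '}'
                    );
                    return false;
                }
                // … unchanged: $p_symlinks check and the rest of the branch …
```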