From 75f9faaad12c2e91b51327bc1e7a09f43ba96560 Mon Sep 17 00:00:00 2001
From: xjm <xjm@65776.no-reply.drupal.org>
Date: Wed, 17 Jun 2020 12:57:12 -0500
Subject: [PATCH] =?UTF-8?q?SA-CORE-2020-005=20by=20lorenzo=5Fgre,=20jazzy2?=
 =?UTF-8?q?fives,=20xjm,=20samuel.mortenson,=20pwolanin,=20larowlan,=20gre?=
 =?UTF-8?q?ggles,=20cashwilliams,=20Heine,=20mcdruid,=20alexpott,=20G?=
 =?UTF-8?q?=C3=A1bor=20Hojtsy?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 core/includes/bootstrap.inc | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/core/includes/bootstrap.inc b/core/includes/bootstrap.inc
index d2a0313a499b..0f8e7f108799 100644
--- a/core/includes/bootstrap.inc
+++ b/core/includes/bootstrap.inc
@@ -681,11 +681,17 @@ function drupal_valid_test_ua($new_prefix = NULL) {
     // Ensure that no information leaks on production sites.
     $test_db = new TestDatabase($prefix);
     $key_file = DRUPAL_ROOT . '/' . $test_db->getTestSitePath() . '/.htkey';
-    if (!is_readable($key_file)) {
+    if (!is_readable($key_file) || is_dir($key_file)) {
       header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
       exit;
     }
     $private_key = file_get_contents($key_file);
+    // The string from drupal_generate_test_ua() is 74 bytes long. If we don't
+    // have it, tests cannot be allowed.
+    if (empty($private_key) || strlen($private_key) < 74) {
+      header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
+      exit;
+    }
     // The file properties add more entropy not easily accessible to others.
     $key = $private_key . filectime(__FILE__) . fileinode(__FILE__);
     $time_diff = REQUEST_TIME - $time;
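Review bot: The guard on the `is_readable` line only excludes directories, so a FIFO or socket placed at the `.htkey` path would still pass and the following `file_get_contents()` could block on it; `if (!is_readable($key_file) || !is_file($key_file)) {` rejects everything but a regular file in a single test. The new 74-byte minimum is a sanity check rather than a validation of the key itself, and the literal duplicates knowledge of drupal_generate_test_ua() that lives outside this hunk, so a named constant shared with the generator, or a check for the exact length instead of `< 74`, would keep the two from drifting apart silently. drupal_valid_test_ua() begins before the hunk and continues past it, so the comparison that actually authenticates the user agent is not visible here.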
-- 
GitLab