Commit ceee045f authored by Jess's avatar Jess

SA-CORE-2020-005 by lorenzo_gre, jazzy2fives, xjm, samuel.mortenson, pwolanin,...

SA-CORE-2020-005 by lorenzo_gre, jazzy2fives, xjm, samuel.mortenson, pwolanin, larowlan, greggles, cashwilliams, Heine, mcdruid, alexpott, Gábor Hojtsy

(cherry picked from commit b34dc3f7)
parent d836a915
......@@ -382,11 +382,17 @@ function drupal_valid_test_ua($new_prefix = NULL) {
// Ensure that no information leaks on production sites.
$test_db = new TestDatabase($prefix);
$key_file = DRUPAL_ROOT . '/' . $test_db->getTestSitePath() . '/.htkey';
if (!is_readable($key_file)) {
if (!is_readable($key_file) || is_dir($key_file)) {
header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
exit;
}
$private_key = file_get_contents($key_file);
// The string from drupal_generate_test_ua() is 74 bytes long. If we don't
// have it, tests cannot be allowed.
if (empty($private_key) || strlen($private_key) < 74) {
header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
exit;
}
// The file properties add more entropy not easily accessible to others.
$key = $private_key . filectime(__FILE__) . fileinode(__FILE__);
$time_diff = REQUEST_TIME - $time;
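Review bot: The comment above the new length check states that the key from drupal_generate_test_ua() is exactly 74 bytes, yet the check only enforces a lower bound (`strlen($private_key) < 74`), so an over-long or partially overwritten `.htkey` is still accepted as the HMAC secret; either the comment should say "anything shorter cannot be a valid key" or, if the file is written without a trailing newline, the check should be `if ($private_key === FALSE || strlen($private_key) !== 74) {`. It is also worth a one-line comment that `empty()` deliberately catches the `FALSE` that `file_get_contents()` returns if the file disappears or becomes unreadable between the `is_readable()`/`is_dir()` test and the read, which is why this second guard is needed even with the new `is_dir()` check, e.g. `// Also covers file_get_contents() returning FALSE (file changed since the is_readable() check).`. `strlen()` is the correct byte-wise measure here because this is a random key, not user-visible text, so it should not be replaced with `mb_strlen()`. Both rejection paths return an identical bare 403, which keeps the response from distinguishing a missing key from a malformed one, and that property should be preserved by any follow-up. The enclosing `drupal_valid_test_ua()` begins before this hunk and continues after it, so the use of `$key` for the signature comparison is not visible here.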
......