Newest release: 7.102

CHANGELOG.txt

@@ -1,3 +1,9 @@
+Drupal 7.102, 2024-11-20
+------------------------
+- Fixed security issues:
+   - SA-CORE-2024-005
+   - SA-CORE-2024-008
+
 Drupal 7.101, 2024-06-05
 -----------------------
 - Various security improvements

includes/bootstrap.inc

@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.101');
+define('VERSION', '7.102');
 
 /**
  * Core API compatibility.
@@ -457,6 +457,9 @@ abstract class DrupalCacheArray implements ArrayAccess {
     if ($this->bin == 'cache_form' && !variable_get('drupal_cache_array_persist_cache_form', FALSE)) {
       return;
     }
+    if (!is_array($this->keysToPersist)) {
+      throw new UnexpectedValueException();
+    }
     $data = array();
     foreach ($this->keysToPersist as $offset => $persist) {
       if ($persist) {

includes/database/mysql/query.inc

@@ -63,6 +63,14 @@ class InsertQuery_mysql extends InsertQuery {
 
     $max_placeholder = 0;
     $values = array();
+    if (!is_array($this->insertValues)) {
+      if (version_compare(PHP_VERSION, '7.4', '>=')) {
+        throw new UnexpectedValueException();
+      }
+      else {
+        drupal_trigger_fatal_error('Unexpected Value');
+      }
+    }
     if (count($this->insertValues)) {
       foreach ($this->insertValues as $insert_values) {
         $placeholders = array();
@@ -96,6 +104,14 @@ class TruncateQuery_mysql extends TruncateQuery { }
 class UpdateQuery_mysql extends UpdateQuery {
   public function __toString() {
     if (method_exists($this->connection, 'escapeField')) {
+      if (!is_array($this->fields)) {
+        if (version_compare(PHP_VERSION, '7.4', '>=')) {
+          throw new UnexpectedValueException();
+        }
+        else {
+          drupal_trigger_fatal_error('Unexpected Value');
+        }
+      }
       $escapedFields = array();
       foreach ($this->fields as $field => $data) {
         $field = $this->connection->escapeField($field);

includes/database/pgsql/query.inc

@@ -120,7 +120,15 @@ class InsertQuery_pgsql extends InsertQuery {
 
     $max_placeholder = 0;
     $values = array();
-      if (count($this->insertValues)) {
+    if (!is_array($this->insertValues)) {
+      if (version_compare(PHP_VERSION, '7.4', '>=')) {
+        throw new UnexpectedValueException();
+      }
+      else {
+        drupal_trigger_fatal_error('Unexpected Value');
+      }
+    }
+    if (count($this->insertValues)) {
       foreach ($this->insertValues as $insert_values) {
         $placeholders = array();
 

includes/database/prefetch.inc

@@ -293,6 +293,15 @@ class DatabaseStatementPrefetch implements Iterator, DatabaseStatementInterface
             $class_name = $this->fetchOptions['class'];
           }
           if (count($this->fetchOptions['constructor_args'])) {
+            // Verify the current db connection to avoid this code being called
+            // in an inappropriate context.
+            $db_connection_options = Database::getConnection()->getConnectionOptions();
+            $defaults = array('sqlite', 'oracle');
+            $extras = variable_get('database_statement_prefetch_valid_db_drivers', array());
+            $valid_db_drivers = array_merge($defaults, $extras);
+            if (!in_array($db_connection_options['driver'], $valid_db_drivers)) {
+              throw new BadMethodCallException();
+            }
             $reflector = new ReflectionClass($class_name);
             $result = $reflector->newInstanceArgs($this->fetchOptions['constructor_args']);
           }

includes/database/query.inc

@@ -1190,6 +1190,15 @@ class UpdateQuery extends Query implements QueryConditionInterface {
    *   The prepared statement.
    */
   public function __toString() {
+    if (!is_array($this->expressionFields) || !is_array($this->fields)) {
+      if (version_compare(PHP_VERSION, '7.4', '>=')) {
+        throw new UnexpectedValueException();
+      }
+      else {
+        drupal_trigger_fatal_error('Unexpected Value');
+      }
+    }
+
     // Create a sanitized comment string to prepend to the query.
     $comments = $this->connection->makeComment($this->comments);
 

includes/database/sqlite/database.inc

@@ -134,6 +134,9 @@ class DatabaseConnection_sqlite extends DatabaseConnection {
    */
   public function __destruct() {
     if ($this->tableDropped && !empty($this->attachedDatabases)) {
+      if (!is_array($this->attachedDatabases)) {
+        throw new UnexpectedValueException();
+      }
       foreach ($this->attachedDatabases as $prefix) {
         // Check if the database is now empty, ignore the internal SQLite tables.
         try {

modules/overlay/overlay-parent.js

@@ -229,7 +229,7 @@ Drupal.overlay.destroy = function () {
  */
 Drupal.overlay.redirect = function (url) {
   // Create a native Link object, so we can use its object methods.
-  var link = $(url.link(url)).get(0);
+  var link = $("<a>").attr("href", url).get(0);
 
   // If the link is already open, force the hashchange event to simulate reload.
   if (window.location.href == link.href) {
@@ -865,7 +865,7 @@ Drupal.overlay.resetActiveClass = function(activePath) {
 Drupal.overlay.getPath = function (link, ignorePathFromQueryString) {
   if (typeof link == 'string') {
     // Create a native Link object, so we can use its object methods.
-    link = $(link.link(link)).get(0);
+    link = $("<a>").attr("href", link).get(0);
   }
 
   var path = link.pathname;

modules/system/system.install

@@ -3420,6 +3420,13 @@ function system_update_7087() {
   }
 }
 
+/**
+ * Clear caches as registry has been altered.
+ */
+function system_update_7088() {
+  // Empty update to clear caches.
+}
+
 /**
  * @} End of "defgroup updates-7.x-extra".
  * The next series of updates should start at 8000.

modules/system/system.module

@@ -4139,3 +4139,11 @@ function system_file_download($uri) {
     }
   }
 }
+
+/**
+ * Implements hook_registry_files_alter
+ */
+function system_registry_files_alter(&$files, $modules) {
+  // Database drivers that use DatabaseStatementPrefetch must include this file.
+  unset($files['includes/database/prefetch.inc']);
+}