From 9f72251c9291b5613acb9ca4ea7a51b4739e3f93 Mon Sep 17 00:00:00 2001
From: David Rothstein <drothstein@gmail.com>
Date: Wed, 21 Oct 2015 15:47:40 -0400
Subject: Drupal 7.41

---
 CHANGELOG.txt                     | 4 ++++
 includes/bootstrap.inc            | 2 +-
 modules/overlay/overlay-parent.js | 9 +++++----
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index f75354e60..29277196e 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,4 +1,8 @@
 
+Drupal 7.41, 2015-10-21
+-----------------------
+- Fixed security issues (open redirect). See SA-CORE-2015-004.
+
 Drupal 7.40, 2015-10-14
 -----------------------
 - Made Drupal's code for parsing .info files run much faster and use much less
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 3768a10a7..b3382bf6f 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.40');
+define('VERSION', '7.41');
 
 /**
  * Core API compatibility.
diff --git a/modules/overlay/overlay-parent.js b/modules/overlay/overlay-parent.js
index 7859821b4..efb26370c 100644
--- a/modules/overlay/overlay-parent.js
+++ b/modules/overlay/overlay-parent.js
@@ -350,7 +350,7 @@ Drupal.overlay.setFocusBefore = function ($element, document) {
  *   TRUE if the URL represents an administrative link, FALSE otherwise.
  */
 Drupal.overlay.isAdminLink = function (url) {
-  if (Drupal.overlay.isExternalLink(url)) {
+  if (!Drupal.urlIsLocal(url)) {
     return false;
   }
 
@@ -378,6 +378,8 @@ Drupal.overlay.isAdminLink = function (url) {
 /**
  * Determine whether a link is external to the site.
  *
+ * Deprecated. Use Drupal.urlIsLocal() instead.
+ *
  * @param url
  *   The URL to be tested.
  *
@@ -385,8 +387,7 @@ Drupal.overlay.isAdminLink = function (url) {
  *   TRUE if the URL is external to the site, FALSE otherwise.
  */
 Drupal.overlay.isExternalLink = function (url) {
-  var re = RegExp('^((f|ht)tps?:)?//(?!' + window.location.host + ')');
-  return re.test(url);
+  return !Drupal.urlIsLocal(url);
 };
 
 /**
@@ -405,7 +406,7 @@ Drupal.overlay.isExternalLink = function (url) {
  */
 Drupal.overlay.getInternalUrl = function (path) {
   var url = Drupal.settings.basePath + path;
-  if (!this.isExternalLink(url)) {
+  if (Drupal.urlIsLocal(url)) {
     return url;
   }
 };
-- 
cgit v1.2.3