From 7b2dc7936e2566c711159f75634cbb60ddacb340 Mon Sep 17 00:00:00 2001 From: David Rothstein Date: Wed, 24 Feb 2016 14:26:52 -0500 Subject: =?UTF-8?q?Drupal=207.43=20(SA-CORE-2016-001)=20by=20agerard,=20Al?= =?UTF-8?q?an=20Evans,=20benjy,=20berdir,=20catch,=20Damien=20Tournoud,=20?= =?UTF-8?q?DamienMcKenna,=20Dave=20Cohen,=20Dave=20Reid,=20David=5FRothste?= =?UTF-8?q?in,=20dsnopek,=20effulgentsia,=20FengWen,=20fgm,=20fnqgpc,=20gr?= =?UTF-8?q?eggles,=20G=C3=A1bor=20Hojtsy,=20Juho=20Nurminen=202NS,=20klaus?= =?UTF-8?q?i,=20larowlan,=20nagba,=20Pere=20Orga,=20plach,=20pwolanin,=20q?= =?UTF-8?q?uicksketch,=20rickmanelius,=20scor,=20stefan.r,=20StryKaizer,?= =?UTF-8?q?=20YesCT?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- modules/system/system.admin.inc | 8 +++++++- modules/system/system.js | 2 +- modules/system/system.test | 16 ++++++++++++++++ 3 files changed, 24 insertions(+), 2 deletions(-) (limited to 'modules/system')
diff --git a/modules/system/system.admin.inc b/modules/system/system.admin.inc
index 0f525c6cf..16c40d4d4 100644
--- a/modules/system/system.admin.inc
+++ b/modules/system/system.admin.inc
@@ -2202,6 +2202,11 @@ function system_add_date_format_type_form_submit($form, &$form_state) {
 * Return the date for a given format string via Ajax.
 */
 function system_date_time_lookup() {
+ // This callback is protected with a CSRF token because user input from the
+ // query string is reflected in the output.
+ if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'admin/config/regional/date-time/formats/lookup')) {
+ return MENU_ACCESS_DENIED;
+ }
 $result = format_date(REQUEST_TIME, 'custom', $_GET['format']);
 drupal_json_output($result);
 }
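Review bot: The new token guard still leaves `$_GET['format']` dereferenced unconditionally on the line right after it, so a request that carries a valid token but no `format` parameter raises an undefined-index notice instead of being handled; read it defensively with `$format = isset($_GET['format']) ? $_GET['format'] : '';` and `$result = format_date(REQUEST_TIME, 'custom', $format);`. The path literal passed to drupal_valid_token() is duplicated verbatim in the form builder that mints the token, and nothing ties the two copies together; a drift would fail closed but silently break the lookup, so a shared constant would be safer. Whether drupal_valid_token() compares the submitted and expected values in constant time is not visible here and is worth confirming, since this token is the only thing standing between the endpoint and the reflected-output issue the new comment describes.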
@@ -2875,13 +2880,14 @@ function system_date_time_formats() {
 * Allow users to add additional date formats.
 */
 function system_configure_date_formats_form($form, &$form_state, $dfid = 0) {
+ $ajax_path = 'admin/config/regional/date-time/formats/lookup';
 $js_settings = array(
 'type' => 'setting',
 'data' => array(
 'dateTime' => array(
 'date-format' => array(
 'text' => t('Displayed as'),
- 'lookup' => url('admin/config/regional/date-time/formats/lookup'),
+ 'lookup' => url($ajax_path, array('query' => array('token' => drupal_get_token($ajax_path)))),
 ),
 ),
 ),
diff --git a/modules/system/system.js b/modules/system/system.js
index 910fb5d3d..c0e76d38e 100644
--- a/modules/system/system.js
+++ b/modules/system/system.js
@@ -105,7 +105,7 @@ Drupal.behaviors.dateTime = {
 // Attach keyup handler to custom format inputs.
 $('input' + source, context).once('date-time').keyup(function () {
 var input = $(this);
- var url = fieldSettings.lookup + (/\?q=/.test(fieldSettings.lookup) ? '&format=' : '?format=') + encodeURIComponent(input.val());
+ var url = fieldSettings.lookup + (/\?/.test(fieldSettings.lookup) ? '&format=' : '?format=') + encodeURIComponent(input.val());
 $.getJSON(url, function (data) {
 $(suffix).empty().append(' ' + fieldSettings.text + ': ' + data + '');
 });
diff --git a/modules/system/system.test b/modules/system/system.test
index bc764dde5..95b43538b 100644
--- a/modules/system/system.test
+++ b/modules/system/system.test
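Review bot: The `$ajax_path` literal introduced on the first added line is the same string that system_date_time_lookup() in system.admin.inc validates against, and the two copies must stay byte-identical for drupal_valid_token() to accept the token; nothing in the code enforces that. Lifting the path into one constant, e.g. `define('SYSTEM_DATE_TIME_LOOKUP_PATH', 'admin/config/regional/date-time/formats/lookup');` next to the module's other defines, and passing it to both `drupal_get_token()` here and `drupal_valid_token()` in the callback removes the drift risk. Embedding the per-session token in the JS settings via url() with a `query` array is the right approach since drupal_add_js JSON-encodes settings, so no further escaping is needed on this line. system_configure_date_formats_form() continues past the end of the hunk.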
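Review bot: The lookup result `data` is still string-concatenated into markup on the unchanged `$(suffix).empty().append(' ' + fieldSettings.text + ': ' + data + '')` line, so whatever the endpoint returns is parsed as HTML; the token stops a third party from triggering the request, but if format_date() passes backslash-escaped literal characters from the custom format string through unescaped (not visible in this hunk), the admin's own keystrokes would be rendered as markup. Escaping on the client, e.g. `Drupal.checkPlain(data)` (provided by misc/drupal.js in Drupal 7, confirm it is loaded here) or building the suffix with `.text()`, makes the DOM write safe regardless of what the server returns. The regex change from `/\?q=/` to `/\?/` is correct now that the lookup URL always carries a `token` query parameter. The enclosing `Drupal.behaviors.dateTime` object starts and ends outside the hunk.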
@@ -1350,7 +1350,23 @@ class DateTimeFunctionalTest extends DrupalWebTestCase {
 $this->assertEqual($this->getUrl(), url('admin/config/regional/date-time/formats', array('absolute' => TRUE)), 'Correct page redirection.');
 $this->assertText(t('Custom date format updated.'), 'Custom date format successfully updated.');
+ // Check that ajax callback is protected by CSRF token.
+ $this->drupalGet('admin/config/regional/date-time/formats/lookup', array('query' => array('format' => 'Y m d')));
+ $this->assertResponse(403, 'Access denied with no token');
+ $this->drupalGet('admin/config/regional/date-time/formats/lookup', array('query' => array('token' => 'invalid', 'format' => 'Y m d')));
+ $this->assertResponse(403, 'Access denied with invalid token');
+ $this->drupalGet('admin/config/regional/date-time/formats');
+ $this->clickLink(t('edit'));
+ $settings = $this->drupalGetSettings();
+ $lookup_url = $settings['dateTime']['date-format']['lookup'];
+ preg_match('/token=([^&]+)/', $lookup_url, $matches);
+ $this->assertFalse(empty($matches[1]), 'Found token value');
+ $this->drupalGet('admin/config/regional/date-time/formats/lookup', array('query' => array('token' => $matches[1], 'format' => 'Y m d')));
+ $this->assertResponse(200, 'Access allowed with valid token');
+ $this->assertText(format_date(time(), 'custom', 'Y m d'));
+ // Delete custom date format.
+ $this->drupalGet('admin/config/regional/date-time/formats');
 $this->clickLink(t('delete'));
 $this->drupalPost($this->getUrl(), array(), t('Remove'));
 $this->assertEqual($this->getUrl(), url('admin/config/regional/date-time/formats', array('absolute' => TRUE)), 'Correct page redirection.');
-- cgit v1.2.3
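Review bot: The negative cases added here cover only a missing token and an arbitrary string, so neither shows that the check is bound to the lookup path rather than merely to the session, which is the property `drupal_get_token($ajax_path)` is supposed to give. The edit form fetched via `clickLink(t('edit'))` carries this same session's `form_token` hidden field, minted for a different value, and the lookup must reject it; adding that request between the token extraction and the valid-token request pins the binding (this assumes the test is logged in at this point, which happens outside the hunk). Separately, the final `assertText(format_date(time(), 'custom', 'Y m d'))` computes its expectation after the request while the server formats `REQUEST_TIME`, so it can fail spuriously if the two straddle a day boundary in the site's timezone; a small window, but worth a comment or a less time-sensitive format. The enclosing test method starts outside the hunk.
```php
    $this->assertFalse(empty($matches[1]), 'Found token value');
    // A token minted for this session but for a different value must not be
    // accepted either: reuse the edit form's own form_token.
    $form_token_inputs = $this->xpath('//input[@name="form_token"]');
    $this->assertTrue(!empty($form_token_inputs), 'Found the edit form token');
    $form_token = (string) $form_token_inputs[0]['value'];
    $this->drupalGet('admin/config/regional/date-time/formats/lookup', array('query' => array('token' => $form_token, 'format' => 'Y m d')));
    $this->assertResponse(403, 'Access denied with a token bound to a different value');
    // … unchanged: valid-token request, 200 assertion, delete flow …
```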