Origin: backport (diff between 7.18 and 7.19)
Forwarded: not-needed
From: Gunnar Wolf <gwolf@debian.org>
Last-Update: 2013-01-11
Applied-Upstream: Yes
Description: Fixes SA-CORE-2012-004 (access bypass, arbitrary code execution)
 This patch is taken from the diff between 7.17 and 7.18, applying it
 to the currently frozen version (7.14). For further details, the
 advisory is in:
 .
 http://drupal.org/SA-CORE-2012-004

Index: drupal7/includes/file.inc
===================================================================
--- drupal7.orig/includes/file.inc
+++ drupal7/includes/file.inc
@@ -1113,6 +1113,9 @@ function file_munge_filename($filename,
 
   // Allow potentially insecure uploads for very savvy users and admin
   if (!variable_get('allow_insecure_uploads', 0)) {
+    // Remove any null bytes. See http://php.net/manual/en/security.filesystem.nullbytes.php
+    $filename = str_replace(chr(0), '', $filename);
+
     $whitelist = array_unique(explode(' ', trim($extensions)));
 
     // Split the filename up by periods. The first part becomes the basename
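Review bot: The null-byte stripping added on L22 runs only inside the `if (!variable_get('allow_insecure_uploads', 0))` branch, so a site with that setting enabled still lets a filename containing chr(0) leave file_munge_filename unchanged. A NUL byte has no legitimate use in a filename regardless of the extension policy, so the line can be hoisted above the `if` on L20 as `$filename = str_replace(chr(0), '', $filename);` with the whitelist logic left as is. That may be an intentional reading of "insecure uploads", but if so it is worth confirming that every caller on the insecure path does its own null-byte check before the name reaches the filesystem. file_munge_filename starts and ends outside this hunk.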
Index: drupal7/modules/user/user.test
===================================================================
--- drupal7.orig/modules/user/user.test
+++ drupal7/modules/user/user.test
@@ -2020,7 +2020,7 @@ class UserUserSearchTestCase extends Dru
   public static function getInfo() {
     return array(
       'name' => 'User search',
-      'description' => 'Testing that only user with the right permission can see the email address in the user search.',
+      'description' => 'Tests the user search page and verifies that sensitive information is hidden from unauthorized users.',
       'group' => 'User',
     );
   }
@@ -2040,11 +2040,29 @@ class UserUserSearchTestCase extends Dru
     $edit = array('keys' => $keys);
     $this->drupalPost('search/user/', $edit, t('Search'));
     $this->assertText($keys);
+
+    // Create a blocked user.
+    $blocked_user = $this->drupalCreateUser();
+    $edit = array('status' => 0);
+    $blocked_user = user_save($blocked_user, $edit);
+
+    // Verify that users with "administer users" permissions can see blocked
+    // accounts in search results.
+    $edit = array('keys' => $blocked_user->name);
+    $this->drupalPost('search/user/', $edit, t('Search'));
+    $this->assertText($blocked_user->name, 'Blocked users are listed on the user search results for users with the "administer users" permission.');
+
+    // Verify that users without "administer users" permissions do not see
+    // blocked accounts in search results.
+    $this->drupalLogin($user1);
+    $edit = array('keys' => $blocked_user->name);
+    $this->drupalPost('search/user/', $edit, t('Search'));
+    $this->assertNoText($blocked_user->name, 'Blocked users are hidden from the user search results.');
+
     $this->drupalLogout();
   }
 }
 
-
 /**
  * Test role assignment.
  */
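Review bot: The positive assertion at L54 relies on the session that is logged in before this hunk holding "administer users", and L58 relies on `$user1` lacking it, but neither fact is visible here, so a reordering of the earlier setup would silently turn L54 into a test of nothing. Adding an explicit `$this->assertTrue(user_access('administer users'), 'Admin user is logged in.');` before L52, or at least a comment naming the admin account variable, would pin the assumption. The new user.module branch applies to every searcher without "administer users", including anonymous visitors who presumably hold the search permissions, and that path is not exercised here; a `$this->drupalLogout();` followed by the same search and `assertNoText` would close that gap if anonymous search is reachable in this test's setup.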
Index: drupal7/modules/user/user.module
===================================================================
--- drupal7.orig/modules/user/user.module
+++ drupal7/modules/user/user.module
@@ -924,14 +924,18 @@ function user_search_execute($keys = NUL
   $query = db_select('users')->extend('PagerDefault');
   $query->fields('users', array('uid'));
   if (user_access('administer users')) {
-    // Administrators can also search in the otherwise private email field.
+    // Administrators can also search in the otherwise private email field,
+    // and they don't need to be restricted to only active users.
     $query->fields('users', array('mail'));
     $query->condition(db_or()->
       condition('name', '%' . db_like($keys) . '%', 'LIKE')->
       condition('mail', '%' . db_like($keys) . '%', 'LIKE'));
   }
   else {
-    $query->condition('name', '%' . db_like($keys) . '%', 'LIKE');
+    // Regular users can only search via usernames, and we do not show them
+    // blocked accounts.
+    $query->condition('name', '%' . db_like($keys) . '%', 'LIKE')
+      ->condition('status', 1);
   }
   $uids = $query
     ->limit(15)
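Review bot: The `->condition('status', 1)` added on L92 is the only thing keeping blocked accounts out of non-admin results, and it lives in the query builder rather than in the result rendering after this hunk, so anything that alters this query (a `hook_query_alter()` implementation, or a future change that unifies the two branches) can drop it without any visible failure beyond the new test. The function's docblock, which is outside the hunk, should state the contract explicitly: `Users without 'administer users' match only active accounts by name; administrators also match on e-mail and see blocked accounts.` The `db_like($keys)` escaping on L84, L85 and L91 already neutralises LIKE wildcards, so the extra condition composes with it safely. user_search_execute starts and ends outside this hunk.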
