LUGG-1217 Merge branch 'release'

isubit · Dec 2, 2020 · ed1b9d8 · ed1b9d8
2 parents ecf5593 + 2c8fa33
commit ed1b9d8
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 7 deletions.
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
@@ -1,3 +1,8 @@
+Drupal 7.75, 2020-11-26
+-----------------------
+- Fixed security issues:
+   - SA-CORE-2020-013
+
 Drupal 7.74, 2020-11-17
 -----------------------
 - Fixed security issues:

diff --git a/LUGGAGE_CHANGELOG.txt b/LUGGAGE_CHANGELOG.txt
@@ -2,10 +2,15 @@ How to read this changelog:
 
 The LUGG- prefix refers to JIRA issue numbers; the # prefix refers to GitHub issue numbers.
 
+Luggage 3.6.16, 2020-12-02
+Drupal 7.75, 2020-11-25
+-------------------------
+- LUGG-1217 - Drupal 7.75 SA-CORE-2020-013
+
 Luggage 3.6.15, 2020-11-18
 Drupal 7.74, 2020-11-18
 -------------------------
-- LUGG-1216 - Drupal 7.74 SA-CORE-2020-007
+- LUGG-1216 - Drupal 7.74 SA-CORE-2020-012
 
 Luggage 3.6.14, 2020-09-16
 Drupal 7.73, 2020-09-16

diff --git a/LUGGAGE_VERSION.php b/LUGGAGE_VERSION.php
@@ -1,3 +1,3 @@
 <?php
 
-$version = "3.6.15";
+$version = "3.6.16";
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.74');
+define('VERSION', '7.75');
 
 /**
  * Core API compatibility.

diff --git a/modules/system/system.tar.inc b/modules/system/system.tar.inc
@@ -1788,7 +1788,7 @@ class Archive_Tar
 
         // ----- Extract the properties
         $v_header['filename'] = rtrim($v_data['filename'], "\0");
-        if ($this->_maliciousFilename($v_header['filename'])) {
+        if ($this->_isMaliciousFilename($v_header['filename'])) {
             $this->_error(
                 'Malicious .tar detected, file "' . $v_header['filename'] .
                 '" will not install in desired directory tree'
@@ -1858,9 +1858,9 @@ class Archive_Tar
      *
      * @return bool
      */
-    private function _maliciousFilename($file)
+    private function _isMaliciousFilename($file)
     {
-        if (strpos($file, 'phar://') === 0) {
+        if (strpos($file, '://') !== false) {
             return true;
         }
         if (strpos($file, '../') !== false || strpos($file, '..\\') !== false) {
@@ -1896,7 +1896,7 @@ class Archive_Tar
 
         $v_filename = rtrim(substr($v_filename, 0, $v_filesize), "\0");
         $v_header['filename'] = $v_filename;
-        if ($this->_maliciousFilename($v_filename)) {
+        if ($this->_isMaliciousFilename($v_filename)) {
             $this->_error(
                 'Malicious .tar detected, file "' . $v_filename .
                 '" will not install in desired directory tree'