Origin: https://github.com/drupal/drupal/commit/cd3721550d988240ef6e682bd1cae2939c6e9e5a
Forwarded: not-needed
From: samuel.mortenson, nod_, larowlan, dsnopek, catch, effulgentsia, mcdruid
Date: Wed 18 Nov 01:33:06 PM CST 2020
Subject: Fixes for SA-CORE-2020-007
 Backported the diff between 7.72 and 7.73, applying it to the version in the
 old-stable Debian release (7.52)
 .
 SA-CORE-2020-007 (CVE-2020-13666) addresses an XSS vulnerability caused by the
 Drupal AJAX API not disabling JSONP.
Index: drupal7/misc/ajax.js
===================================================================
--- drupal7.orig/misc/ajax.js
+++ drupal7/misc/ajax.js
@@ -149,7 +149,7 @@ Drupal.ajax = function (base, element, e
   // The 'this' variable will not persist inside of the options object.
   var ajax = this;
   ajax.options = {
-    url: ajax.url,
+    url: Drupal.sanitizeAjaxUrl(ajax.url),
     data: ajax.submit,
     beforeSerialize: function (element_settings, options) {
       return ajax.beforeSerialize(element_settings, options);
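Review bot: The sanitized URL is stored only in `ajax.options.url` on the new line `url: Drupal.sanitizeAjaxUrl(ajax.url),`, while `ajax.url` itself keeps the raw value, so any later reader of `ajax.url` rather than `ajax.options.url` would bypass the filter; the rest of the constructor and the prototype methods are outside this hunk, so I cannot confirm from here whether such a reader exists. Sanitizing once up front, `ajax.url = Drupal.sanitizeAjaxUrl(ajax.url);` before `ajax.options = {`, and then keeping `url: ajax.url,` leaves the two in agreement and makes the filter hard to bypass by accident. The Drupal.ajax constructor begins before this hunk and continues after it.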
@@ -195,6 +195,7 @@ Drupal.ajax = function (base, element, e
       }
     },
     dataType: 'json',
+    jsonp: false,
     type: 'POST'
   };
 
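Review bot: The added `jsonp: false` deserves a why-comment, because it and the `Drupal.sanitizeAjaxUrl()` call on the url option cover different jQuery versions and a future cleanup could drop one believing the other suffices. If I read the jQuery 1.4.4 that Drupal 7 core bundles correctly, its `jsonp` option only names the callback parameter and does not stop jQuery from silently switching a `dataType: 'json'` request to JSONP when the URL matches `=?`, so the URL sanitization is what protects that version; on jQuery 1.5+ (e.g. via jquery_update) `jsonp: false` is what disables the auto-detection. Suggested comment above the new line: `// Never let jQuery reinterpret this JSON request as JSONP (script execution); jsonp: false covers jQuery >= 1.5, sanitizeAjaxUrl() the bundled 1.4.x.` The Drupal.ajax constructor continues past this hunk.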
Index: drupal7/misc/autocomplete.js
===================================================================
--- drupal7.orig/misc/autocomplete.js
+++ drupal7/misc/autocomplete.js
@@ -297,8 +297,9 @@ Drupal.ACDB.prototype.search = function
     // encodeURIComponent to allow autocomplete search terms to contain slashes.
     $.ajax({
       type: 'GET',
-      url: db.uri + '/' + Drupal.encodePath(searchString),
+      url: Drupal.sanitizeAjaxUrl(db.uri + '/' + Drupal.encodePath(searchString)),
       dataType: 'json',
+      jsonp: false,
       success: function (matches) {
         if (typeof matches.status == 'undefined' || matches.status != 0) {
           db.cache[searchString] = matches;
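Review bot: The comment immediately above the `$.ajax({` call still only explains the `Drupal.encodePath(searchString)` slash handling and says nothing about the new `Drupal.sanitizeAjaxUrl(...)` wrapper or `jsonp: false`, so the security intent of this hunk is invisible to the next reader. Since the search term is percent-encoded, a `=?` sequence can presumably only arrive through `db.uri` (the element's configured autocomplete path; its origin is outside this hunk), which is worth stating so nobody "simplifies" the wrapper away. Suggested addition to that comment: `// sanitizeAjaxUrl() strips jQuery's '=?' JSONP marker and jsonp: false disables JSONP detection, so a crafted db.uri cannot turn this JSON request into script execution.` Drupal.ACDB.prototype.search continues past this hunk.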
Index: drupal7/misc/drupal.js
===================================================================
--- drupal7.orig/misc/drupal.js
+++ drupal7/misc/drupal.js
@@ -372,6 +372,23 @@ Drupal.urlIsLocal = function (url) {
 };
 
 /**
+ * Sanitizes a URL for use with jQuery.ajax().
+ *
+ * @param url
+ *   The URL string to be sanitized.
+ *
+ * @return
+ *   The sanitized URL.
+ */
+Drupal.sanitizeAjaxUrl = function (url) {
+  var regex = /\=\?(&|$)/;
+  while (url.match(regex)) {
+    url = url.replace(regex, '');
+  }
+  return url;
+}
+
+/**
  * Generate the themed representation of a Drupal object.
  *
  * All requests for themed output must go through this function. It examines
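Review bot: The new `Drupal.sanitizeAjaxUrl` function expression closes with a bare `}` where the neighbouring `Drupal.urlIsLocal` at the top of the hunk closes with `};`, so the assignment statement is missing its semicolon; it should read `};`. The docblock also never says what is sanitized or why, which matters for a security helper: I would replace the one-line summary with "Strips the `=?` sequence (followed by `&` or end of string) that jQuery.ajax() treats as a JSONP callback placeholder, so a crafted URL cannot turn a `dataType: 'json'` request into a JSONP request whose response is executed as script; callers should also pass `jsonp: false`." The `while` loop is needed because the non-global regex removes one occurrence per pass and a removal can expose a new match (`=?=?&` → `=?&` → `&`), which is worth a short inline comment such as `// Repeat: removing one marker can expose another (e.g. '=?=?&').`. Note that `url.match()` will throw on a non-string argument; the two visible callers pass strings, so this is only worth a guard if other callers are expected.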
