Origin: vendor
Forwarded: not-needed
From: Gunnar Wolf <gwolf@debian.org>
Last-update: 2016-11-18
Description: Fixes SA-CORE-2015-004 (open redirect)
 Backport of the diff between 7.40 and 7.41, applied to the version in
 the Stable Debian release (7.32). For further details, see the
 advisory at:
 .
 https://www.drupal.org/SA-CORE-2015-004
 Assigned CVE ID: CVE-2015-7943

Index: drupal7/modules/overlay/overlay-parent.js
===================================================================
--- drupal7.orig/modules/overlay/overlay-parent.js
+++ drupal7/modules/overlay/overlay-parent.js
@@ -350,7 +350,7 @@ Drupal.overlay.setFocusBefore = function
  *   TRUE if the URL represents an administrative link, FALSE otherwise.
  */
 Drupal.overlay.isAdminLink = function (url) {
-  if (Drupal.overlay.isExternalLink(url)) {
+  if (!Drupal.urlIsLocal(url)) {
     return false;
   }
 
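Review bot: `Drupal.urlIsLocal()` is called here in isAdminLink, and again in the isExternalLink and getInternalUrl hunks, but nothing in the visible patch defines it. Because this is a backport onto 7.32, the series has to carry the companion change that adds the helper (presumably in core's shared JavaScript, not shown here). Without it, every one of these checks throws a TypeError instead of returning a verdict. I would record the dependency in the patch Description, for example `Requires the Drupal.urlIsLocal() helper introduced by the same advisory fix.` isAdminLink's body continues outside the hunk.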
@@ -378,6 +378,8 @@ Drupal.overlay.isAdminLink = function (u
 /**
  * Determine whether a link is external to the site.
  *
+ * Deprecated. Use Drupal.urlIsLocal() instead.
+ *
  * @param url
  *   The URL to be tested.
  *
@@ -385,8 +387,7 @@ Drupal.overlay.isAdminLink = function (u
  *   TRUE if the URL is external to the site, FALSE otherwise.
  */
 Drupal.overlay.isExternalLink = function (url) {
-  var re = RegExp('^((f|ht)tps?:)?//(?!' + window.location.host + ')');
-  return re.test(url);
+  return !Drupal.urlIsLocal(url);
 };
 
 /**
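Review bot: The deprecated wrapper isExternalLink no longer means what its docblock says for every input. The removed regex flagged only absolute or protocol-relative http(s)/ftp(s) URLs, whereas `return !Drupal.urlIsLocal(url);` reports as external anything the local check rejects. Code outside this file that still calls it may therefore see different answers for other URL forms. I would note this next to the deprecation line, e.g. `Now the strict negation of Drupal.urlIsLocal(); any URL that check rejects is reported as external.`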
@@ -405,7 +406,7 @@ Drupal.overlay.isExternalLink = function
  */
 Drupal.overlay.getInternalUrl = function (path) {
   var url = Drupal.settings.basePath + path;
-  if (!this.isExternalLink(url)) {
+  if (Drupal.urlIsLocal(url)) {
     return url;
   }
 };
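Review bot: When `Drupal.urlIsLocal(url)` is false, getInternalUrl falls off the end and hands `undefined` to its caller, and nothing in the function says this is the intended rejection path. Since this check is what keeps a crafted `path` from yielding an off-site URL, I would make the outcome visible with a comment after the `if`, `// Not a local URL: deliberately return undefined so callers do not navigate to it.` The undefined case should also be added to the `@return` text in the docblock, which starts outside the hunk. The callers are not visible here, so whether each of them tests for `undefined` should be confirmed.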
