Origin: vendor
Forwarded: not-needed
From: Gunnar Wolf <gwolf@debian.org>
Last-update: 2016-06-15
Description: Fixes SA-CORE-2016-002 (webapp user privilege escalation).
 Backporting the diff between 7.43 and 7.44, applying it to the
 version in the Stable Debian release (7.32). For further details, see
 the advisory at:
 .
 https://www.drupal.org/SA-CORE-2016-002
 Corresponding CVE IDs CVE-2016-6211, CVE-2016-6212

Index: drupal7/modules/user/user.module
===================================================================
--- drupal7.orig/modules/user/user.module
+++ drupal7/modules/user/user.module
@@ -1140,7 +1140,7 @@ function user_account_form(&$form, &$for
   $form['account']['roles'] = array(
     '#type' => 'checkboxes',
     '#title' => t('Roles'),
-    '#default_value' => (!$register && isset($account->roles) ? array_keys($account->roles) : array()),
+    '#default_value' => (!$register && !empty($account->roles) ? array_keys(array_filter($account->roles)) : array()),
     '#options' => $roles,
     '#access' => $roles && user_access('administer permissions'),
     DRUPAL_AUTHENTICATED_RID => $checkbox_authenticated,
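Review bot: The reason for wrapping `$account->roles` in `array_filter()` on the new `#default_value` line is not stated anywhere in the hunk, and `array_filter()` with no callback also discards any entry whose value is a falsy string such as `'0'`, so a maintainer cannot tell from the code whether that is intended. A short comment above the line would preserve the security intent of the backport, e.g. `// Only pre-check roles with a truthy value; entries such as rid => 0 must not be offered as granted (SA-CORE-2016-002).`. Note that `#default_value` only controls what the form pre-selects; the enforcement of which roles may actually be assigned presumably lives in the form's validate/submit handlers, which this patch does not touch — worth confirming the backport is complete against the upstream 7.43→7.44 diff. The enclosing function `user_account_form()` starts and ends outside the hunk.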
