Proposed release for 7.x 1.18.14.1 with drupal 7.75 (#114)
* Update to Drupal 7.61. For more information, see https://www.drupal.org/project/drupal/releases/7.61

* Update to PHP 7.2. For details see https://pantheon.io/blog/php-72-everywhere/

* Update to Drupal 7.62. For more information, see https://www.drupal.org/project/drupal/releases/7.62

* Update to Drupal 7.63. For more information, see https://www.drupal.org/project/drupal/releases/7.63

* Update to Drupal 7.64. For more information, see https://www.drupal.org/project/drupal/releases/7.64

* Update to Drupal 7.65. For more information, see https://www.drupal.org/project/drupal/releases/7.65

* Update to Drupal 7.66. For more information, see https://www.drupal.org/project/drupal/releases/7.66

* Update to Drupal 7.67. For more information, see https://www.drupal.org/project/drupal/releases/7.67

* BUGS-2253: Remove 'Icon' from .gitignore.

* Enforce HTTPS. For more info see https://pantheon.io/blog/pantheon-now-enforces-https-default-plus-really-simple-hsts

* Update to Drupal 7.68. For more information, see https://www.drupal.org/project/drupal/releases/7.68

* Update to Drupal 7.69. For more information, see https://www.drupal.org/project/drupal/releases/7.69

* Update to Drupal 7.70. For more information, see https://www.drupal.org/project/drupal/releases/7.70

* Update to Drupal 7.71. For more information, see https://www.drupal.org/project/drupal/releases/7.71

* [OTTO-355] Default to Drush 8 in pantheon.upstream.yml

* [OTTO-357] Add protected_web_paths to upstream

* Update to Drupal 7.72. For more information, see https://www.drupal.org/project/drupal/releases/7.72

* Update to Drupal 7.73. For more information, see https://www.drupal.org/project/drupal/releases/7.73

* Update to Drupal 7.74. For more information, see https://www.drupal.org/project/drupal/releases/7.74

* Update to Drupal 7.75. For more information, see https://www.drupal.org/project/drupal/releases/7.75

Co-authored-by: Pantheon Automation <[email protected]>
Co-authored-by: Greg Anderson <[email protected]>
Co-authored-by: Greg Anderson <[email protected]>
Co-authored-by: Greg Anderson <[email protected]>
5 people authored Nov 27, 2020
1 parent 6717a14 commit 79e2d4a
Showing 3 changed files with 10 additions and 5 deletions.
5 changes: 5 additions & 0 deletions CHANGELOG.txt
@@ -1,3 +1,8 @@
Drupal 7.75, 2020-11-26
-----------------------
- Fixed security issues:
- SA-CORE-2020-013

Drupal 7.74, 2020-11-17
-----------------------
- Fixed security issues:
2 changes: 1 addition & 1 deletion includes/bootstrap.inc
Expand Up @@ -8,7 +8,7 @@
/**
* The current system version.
*/
define('VERSION', '7.74');
define('VERSION', '7.75');

/**
* Core API compatibility.
8 changes: 4 additions & 4 deletions modules/system/system.tar.inc
Expand Up @@ -1788,7 +1788,7 @@ class Archive_Tar

// ----- Extract the properties
$v_header['filename'] = rtrim($v_data['filename'], "\0");
if ($this->_maliciousFilename($v_header['filename'])) {
if ($this->_isMaliciousFilename($v_header['filename'])) {
$this->_error(
'Malicious .tar detected, file "' . $v_header['filename'] .
'" will not install in desired directory tree'
Expand Down Expand Up @@ -1858,9 +1858,9 @@ class Archive_Tar
*
* @return bool
*/
private function _maliciousFilename($file)
private function _isMaliciousFilename($file)
{
if (strpos($file, 'phar://') === 0) {
if (strpos($file, '://') !== false) {
return true;
}
if (strpos($file, '../') !== false || strpos($file, '..\\') !== false) {
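Review bot: The widened scheme check, `strpos($file, '://') !== false` in `_isMaliciousFilename()`, now rejects an entry name that contains `://` at any offset rather than only a leading `phar://`, and none of the three files changed in this commit exercises it. Add regression cases alongside the change: a name with a leading `phar://`, a name using a different wrapper scheme, a scheme that appears after a directory prefix, and an ordinary relative path that must still be accepted. A one-line comment above the check stating why it is no longer anchored at position 0 would keep a later cleanup from narrowing it again.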
Expand Down Expand Up @@ -1896,7 +1896,7 @@ class Archive_Tar

$v_filename = rtrim(substr($v_filename, 0, $v_filesize), "\0");
$v_header['filename'] = $v_filename;
if ($this->_maliciousFilename($v_filename)) {
if ($this->_isMaliciousFilename($v_filename)) {
$this->_error(
'Malicious .tar detected, file "' . $v_filename .
'" will not install in desired directory tree'
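Review bot: In this long-filename branch the rejected name is concatenated directly into the `_error()` message (`'Malicious .tar detected, file "' . $v_filename .`), and `$v_filename` is data read from the archive that has only had trailing NUL bytes trimmed. Confirm that wherever this message is shown or logged it is escaped for that context, or pass a sanitized copy of the name at this point. The same check-and-error pair also appears in the hunk at line 1788, so a small private helper would keep the two call sites in step.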