Merge branch 'staging' into j3/categoriesOnTheFly

Author: SharkyKZ

.github/SECURITY.md

@@ -9,9 +9,7 @@ This document outlines security procedures and policies for the `Joomla! Project
 
 ## Reporting a Bug
 
-The `Joomla` team and community take all security bugs in `Joomla` seriously.
-
-The Joomla! Project takes security vulnerabilities very seriously. As such, the Joomla! Security Strike Team (JSST) oversees the project's security issues and follows some specific procedures when dealing with these issues.
+The `Joomla` team and community take all security bugs in `Joomla` seriously. The Joomla! Security Strike Team (JSST) oversees the project's security issues and follows some specific procedures when dealing with these issues.
 
 If you find a possible vulnerability, please report it to the JSST using the [online form](https://developer.joomla.org/security/contact-the-team.html) or via email at [email protected] 
 
@@ -25,7 +23,7 @@ Thank you for improving the security of `Joomla`.
 
 ## Response Handling
 
-The JSST aims to ensure all issues are handled in a timely manner and for clear communication between the team and issue reporters. As such, we have established the following guidelines for responding to issue reports:
+The JSST aims to ensure all issues are handled in a timely manner and for clear communication between the team and issue reporters. We have established the following guidelines for responding to issue reports:
 
 * Within 24 hours every report gets acknowledged
 * Within 7 days every report gets a further response stating either

administrator/components/com_actionlogs/helpers/actionlogs.php

@@ -23,6 +23,14 @@
  */
 class ActionlogsHelper
 {
+	/**
+	 * Array of characters starting a formula
+	 *
+	 * @var    array
+	 * @since  3.9.7
+	 */
+	private static $characters = array('=', '+', '-', '@');
+
 	/**
 	 * Method to convert logs objects array to an iterable type for use with a CSV export
 	 *
@@ -54,6 +62,8 @@ public static function getCsvData($data)
 			return ActionlogsHelperPhp55::getCsvAsGenerator($data);
 		}
 
+		$disabledText = Text::_('COM_ACTIONLOGS_DISABLED');
+
 		$rows = array();
 
 		// Header row
@@ -68,11 +78,11 @@ public static function getCsvData($data)
 
 			$rows[] = array(
 				'id'         => $log->id,
-				'message'    => strip_tags(static::getHumanReadableLogMessage($log, false)),
+				'message'    => self::escapeCsvFormula(strip_tags(static::getHumanReadableLogMessage($log, false))),
 				'date'       => $date->format('Y-m-d H:i:s T'),
-				'extension'  => Text::_($extension),
-				'name'       => $log->name,
-				'ip_address' => Text::_($log->ip_address),
+				'extension'  => self::escapeCsvFormula(Text::_($extension)),
+				'name'       => self::escapeCsvFormula($log->name),
+				'ip_address' => self::escapeCsvFormula($log->ip_address === 'COM_ACTIONLOGS_DISABLED' ? $disabledText : $log->ip_address)
 			);
 		}
 
@@ -205,7 +215,7 @@ public static function getHumanReadableLogMessage($log, $generateLinks = true)
 			$messageData['type'] = Text::_($messageData['type']);
 		}
 
-		$linkMode = Factory::getApplication()->get('force_ssl', 0) >= 1 ? 1 : -1;
+		$linkMode = Factory::getApplication()->get('force_ssl', 0) >= 1 ? Route::TLS_FORCE : Route::TLS_IGNORE;
 
 		foreach ($messageData as $key => $value)
 		{
@@ -339,4 +349,28 @@ public static function loadActionLogPluginsLanguage()
 		// Load com_privacy too.
 		$lang->load('com_privacy', JPATH_ADMINISTRATOR, null, false, true);
 	}
+
+	/**
+	 * Escapes potential characters that start a formula in a CSV value to prevent injection attacks
+	 *
+	 * @param   mixed  $value  csv field value
+	 *
+	 * @return  mixed
+	 *
+	 * @since   3.9.7
+	 */
+	protected static function escapeCsvFormula($value)
+	{
+		if ($value == '')
+		{
+			return $value;
+		}
+
+		if (in_array($value[0], self::$characters, true))
+		{
+			$value = ' ' . $value;
+		}
+
+		return $value;
+	}
 }

administrator/components/com_actionlogs/helpers/actionlogsphp55.php

@@ -23,6 +23,14 @@
  */
 class ActionlogsHelperPhp55
 {
+	/**
+	 * Array of characters starting a formula
+	 *
+	 * @var    array
+	 * @since  3.9.7
+	 */
+	private static $characters = array('=', '+', '-', '@');
+
 	/**
 	 * Method to convert logs objects array to a Generator for use with a CSV export
 	 *
@@ -46,6 +54,8 @@ public static function getCsvAsGenerator($data)
 			);
 		}
 
+		$disabledText = Text::_('COM_ACTIONLOGS_DISABLED');
+
 		// Header row
 		yield array('Id', 'Message', 'Date', 'Extension', 'User', 'Ip');
 
@@ -57,12 +67,36 @@ public static function getCsvAsGenerator($data)
 
 			yield array(
 				'id'         => $log->id,
-				'message'    => strip_tags(ActionlogsHelper::getHumanReadableLogMessage($log, false)),
+				'message'    => self::escapeCsvFormula(strip_tags(ActionlogsHelper::getHumanReadableLogMessage($log, false))),
 				'date'       => (new Date($log->log_date, new DateTimeZone('UTC')))->format('Y-m-d H:i:s T'),
-				'extension'  => Text::_($extension),
-				'name'       => $log->name,
-				'ip_address' => Text::_($log->ip_address),
+				'extension'  => self::escapeCsvFormula(Text::_($extension)),
+				'name'       => self::escapeCsvFormula($log->name),
+				'ip_address' => self::escapeCsvFormula($log->ip_address === 'COM_ACTIONLOGS_DISABLED' ? $disabledText : $log->ip_address)
 			);
 		}
 	}
+
+	/**
+	 * Escapes potential characters that start a formula in a CSV value to prevent injection attacks
+	 *
+	 * @param   mixed  $value  csv field value
+	 *
+	 * @return  mixed
+	 *
+	 * @since   3.9.7
+	 */
+	protected static function escapeCsvFormula($value)
+	{
+		if ($value == '')
+		{
+			return $value;
+		}
+
+		if (in_array($value[0], self::$characters, true))
+		{
+			$value = ' ' . $value;
+		}
+
+		return $value;
+	}
 }

administrator/components/com_admin/models/forms/profile.xml

@@ -143,15 +143,6 @@
 				<option value="">JOPTION_USE_DEFAULT</option>
 			</field>
 
-			<field
-				name="helpsite"
-				type="helpsite"
-				label="COM_ADMIN_USER_FIELD_HELPSITE_LABEL"
-				description="COM_ADMIN_USER_FIELD_HELPSITE_DESC"
-				>
-				<option value="">JOPTION_USE_DEFAULT</option>
-			</field>
-
 			<field
 				name="timezone"
 				type="timezone"

administrator/components/com_admin/script.php

@@ -1968,7 +1968,10 @@ public function deleteUnexistingFiles()
 			/*
 			 * Joomla! 3.8.0 thru 3.9.0
 			 */
+			'/administrator/components/com_users/controllers/profile.json.php',
 			'/administrator/includes/toolbar.php',
+			'/components/com_users/controllers/profile_base_json.php',
+			'/components/com_users/controllers/profile.json.php',
 			'/libraries/joomla/filesystem/file.php',
 			'/libraries/joomla/filesystem/folder.php',
 			'/libraries/joomla/filesystem/helper.php',
@@ -1984,6 +1987,15 @@ public function deleteUnexistingFiles()
 			'/libraries/src/Mail/language/phpmailer.lang-joomla.php',
 			'/plugins/captcha/recaptcha/recaptchalib.php',
 
+			/*
+			 * Joomla! 3.9.0 thru 3.10.0
+			 */
+			'/SECURITY.md',
+			'/administrator/components/com_users/controllers/profile.json.php',
+			'/components/com_users/controllers/profile.json.php',
+			'/components/com_users/controllers/profile_base_json.php',
+			'/tests/unit/suites/libraries/cms/form/field/JFormFieldHelpsiteTest.php',
+
 			/*
 			 * Legacy FOF
 			 */
@@ -2010,6 +2022,11 @@ public function deleteUnexistingFiles()
 			'/libraries/fof/view.html.php',
 			'/libraries/fof/view.json.php',
 			'/libraries/fof/view.php',
+
+			/*
+			 * Joomla! 3.9.7
+			 */
+			'/administrator/components/com_joomlaupdate/access.xml',
 		);
 
 		// TODO There is an issue while deleting folders using the ftp mode

administrator/components/com_admin/sql/updates/mysql/3.9.7-2019-05-16.sql

@@ -0,0 +1 @@
+# Query removed, see https://github.com/joomla/joomla-cms/pull/25177

administrator/components/com_admin/sql/updates/mysql/3.9.8-2019-06-11.sql

@@ -0,0 +1 @@
+UPDATE #__users SET params = REPLACE(params, '",,"', '","');

administrator/components/com_admin/sql/updates/postgresql/3.9.7-2019-05-16.sql

@@ -0,0 +1 @@
+# Query removed, see https://github.com/joomla/joomla-cms/pull/25177

administrator/components/com_admin/sql/updates/postgresql/3.9.8-2019-06-11.sql

@@ -0,0 +1 @@
+UPDATE "#__users" SET "params" = REPLACE("params", '",,"', '","');

administrator/components/com_admin/sql/updates/sqlazure/3.9.7-2019-05-16.sql

@@ -0,0 +1 @@
+# Query removed, see https://github.com/joomla/joomla-cms/pull/25177