Skip to content

Commit

Permalink
Update to Drupal 7.71. For more information, see https://www.drupal.o…
Browse files Browse the repository at this point in the history
  • Loading branch information
Pantheon Automation authored and greg-1-anderson committed Jun 3, 2020
1 parent d6850e4 commit 8afbba2
Show file tree
Hide file tree
Showing 35 changed files with 589 additions and 57 deletions.
4 changes: 3 additions & 1 deletion CHANGELOG.txt
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
Drupal 7.xx, xxxx-xx-xx (development version)
Drupal 7.71, 2020-06-03
-----------------------
- Fix for jQuery Form bug in Chromium-based browsers
- Full support for PHP 7.4

Drupal 7.70, 2020-05-19
-----------------------
Expand Down
15 changes: 7 additions & 8 deletions includes/batch.inc
Original file line number Diff line number Diff line change
Expand Up @@ -478,18 +478,17 @@ function _batch_finished() {
$queue->deleteQueue();
}
}
// Clean-up the session. Not needed for CLI updates.
if (isset($_SESSION)) {
unset($_SESSION['batches'][$batch['id']]);
if (empty($_SESSION['batches'])) {
unset($_SESSION['batches']);
}
}
}
$_batch = $batch;
$batch = NULL;

// Clean-up the session. Not needed for CLI updates.
if (isset($_SESSION)) {
unset($_SESSION['batches'][$batch['id']]);
if (empty($_SESSION['batches'])) {
unset($_SESSION['batches']);
}
}

// Redirect if needed.
if ($_batch['progressive']) {
// Revert the 'destination' that was saved in batch_process().
Expand Down
2 changes: 1 addition & 1 deletion includes/bootstrap.inc
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
/**
* The current system version.
*/
define('VERSION', '7.70');
define('VERSION', '7.71');

/**
* Core API compatibility.
Expand Down
6 changes: 3 additions & 3 deletions includes/common.inc
Original file line number Diff line number Diff line change
Expand Up @@ -391,7 +391,7 @@ function drupal_add_feed($url = NULL, $title = '') {
*/
function drupal_get_feeds($delimiter = "\n") {
$feeds = drupal_add_feed();
return implode($feeds, $delimiter);
return implode($delimiter, $feeds);
}

/**
Expand Down Expand Up @@ -3743,7 +3743,7 @@ function _drupal_build_css_path($matches, $base = NULL) {
}

// Prefix with base and remove '../' segments where possible.
$path = $_base . $matches[1];
$path = $_base . (isset($matches[1]) ? $matches[1] : '');
$last = '';
while ($path != $last) {
$last = $path;
Expand Down Expand Up @@ -6673,7 +6673,7 @@ function element_children(&$elements, $sort = FALSE) {
$children = array();
$sortable = FALSE;
foreach ($elements as $key => $value) {
if ($key === '' || $key[0] !== '#') {
if (is_int($key) || $key === '' || $key[0] !== '#') {
$children[$key] = $value;
if (is_array($value) && isset($value['#weight'])) {
$sortable = TRUE;
Expand Down
2 changes: 1 addition & 1 deletion includes/filetransfer/filetransfer.inc
Original file line number Diff line number Diff line change
Expand Up @@ -301,7 +301,7 @@ abstract class FileTransfer {
$parts = explode('/', $path);
$chroot = '';
while (count($parts)) {
$check = implode($parts, '/');
$check = implode('/', $parts);
if ($this->isFile($check . '/' . drupal_basename(__FILE__))) {
// Remove the trailing slash.
return substr($chroot, 0, -1);
Expand Down
3 changes: 3 additions & 0 deletions includes/menu.inc
Original file line number Diff line number Diff line change
Expand Up @@ -2483,6 +2483,9 @@ function menu_link_get_preferred($path = NULL, $selected_menu = NULL) {
// untranslated paths). Afterwards, the most relevant path is picked from
// the menus, ordered by menu preference.
$item = menu_get_item($path);
if ($item === FALSE) {
return FALSE;
}
$path_candidates = array();
// 1. The current item href.
$path_candidates[$item['href']] = $item['href'];
Expand Down
30 changes: 30 additions & 0 deletions includes/pager.inc
Original file line number Diff line number Diff line change
Expand Up @@ -324,6 +324,16 @@ function theme_pager($variables) {
$quantity = empty($variables['quantity']) ? 0 : $variables['quantity'];
global $pager_page_array, $pager_total;

// Nothing to do if there is no pager.
if (!isset($pager_page_array[$element]) || !isset($pager_total[$element])) {
return;
}

// Nothing to do if there is only one page.
if ($pager_total[$element] <= 1) {
return;
}

// Calculate various markers within this pager piece:
// Middle is used to "center" pages around the current page.
$pager_middle = ceil($quantity / 2);
Expand Down Expand Up @@ -455,6 +465,11 @@ function theme_pager_first($variables) {
global $pager_page_array;
$output = '';

// Nothing to do if there is no pager.
if (!isset($pager_page_array[$element])) {
return;
}

// If we are anywhere but the first page
if ($pager_page_array[$element] > 0) {
$output = theme('pager_link', array('text' => $text, 'page_new' => pager_load_array(0, $element, $pager_page_array), 'element' => $element, 'parameters' => $parameters));
Expand Down Expand Up @@ -485,6 +500,11 @@ function theme_pager_previous($variables) {
global $pager_page_array;
$output = '';

// Nothing to do if there is no pager.
if (!isset($pager_page_array[$element])) {
return;
}

// If we are anywhere but the first page
if ($pager_page_array[$element] > 0) {
$page_new = pager_load_array($pager_page_array[$element] - $interval, $element, $pager_page_array);
Expand Down Expand Up @@ -524,6 +544,11 @@ function theme_pager_next($variables) {
global $pager_page_array, $pager_total;
$output = '';

// Nothing to do if there is no pager.
if (!isset($pager_page_array[$element]) || !isset($pager_total[$element])) {
return;
}

// If we are anywhere but the last page
if ($pager_page_array[$element] < ($pager_total[$element] - 1)) {
$page_new = pager_load_array($pager_page_array[$element] + $interval, $element, $pager_page_array);
Expand Down Expand Up @@ -560,6 +585,11 @@ function theme_pager_last($variables) {
global $pager_page_array, $pager_total;
$output = '';

// Nothing to do if there is no pager.
if (!isset($pager_page_array[$element]) || !isset($pager_total[$element])) {
return;
}

// If we are anywhere but the last page
if ($pager_page_array[$element] < ($pager_total[$element] - 1)) {
$output = theme('pager_link', array('text' => $text, 'page_new' => pager_load_array($pager_total[$element] - 1, $element, $pager_page_array), 'element' => $element, 'parameters' => $parameters));
Expand Down
14 changes: 8 additions & 6 deletions includes/path.inc
Original file line number Diff line number Diff line change
Expand Up @@ -466,13 +466,15 @@ function path_delete($criteria) {
$criteria = array('pid' => $criteria);
}
$path = path_load($criteria);
$query = db_delete('url_alias');
foreach ($criteria as $field => $value) {
$query->condition($field, $value);
if (isset($path['source'])) {
$query = db_delete('url_alias');
foreach ($criteria as $field => $value) {
$query->condition($field, $value);
}
$query->execute();
module_invoke_all('path_delete', $path);
drupal_clear_path_cache($path['source']);
}
$query->execute();
module_invoke_all('path_delete', $path);
drupal_clear_path_cache($path['source']);
}

/**
Expand Down
2 changes: 1 addition & 1 deletion includes/request-sanitizer.inc
Original file line number Diff line number Diff line change
Expand Up @@ -99,7 +99,7 @@ class DrupalRequestSanitizer {
protected static function stripDangerousValues($input, array $whitelist, array &$sanitized_keys) {
if (is_array($input)) {
foreach ($input as $key => $value) {
if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) {
if ($key !== '' && is_string($key) && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) {
unset($input[$key]);
$sanitized_keys[] = $key;
}
Expand Down
19 changes: 19 additions & 0 deletions misc/ajax.js
Original file line number Diff line number Diff line change
Expand Up @@ -198,6 +198,25 @@ Drupal.ajax = function (base, element, element_settings) {
type: 'POST'
};

// For multipart forms (e.g., file uploads), jQuery Form targets the form
// submission to an iframe instead of using an XHR object. The initial "src"
// of the iframe, prior to the form submission, is set to options.iframeSrc.
// "about:blank" is the semantically correct, standards-compliant, way to
// initialize a blank iframe; however, some old IE versions (possibly only 6)
// incorrectly report a mixed content warning when iframes with an
// "about:blank" src are added to a parent document with an https:// origin.
// jQuery Form works around this by defaulting to "javascript:false" instead,
// but that breaks on Chrome 83, so here we force the semantically correct
// behavior for all browsers except old IE.
// @see https://www.drupal.org/project/drupal/issues/3143016
// @see https://github.com/jquery-form/form/blob/df9cb101b9c9c085c8d75ad980c7ff1cf62063a1/jquery.form.js#L68
// @see https://bugs.chromium.org/p/chromium/issues/detail?id=1084874
// @see https://html.spec.whatwg.org/multipage/browsers.html#creating-browsing-contexts
// @see https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
if (navigator.userAgent.indexOf("MSIE") === -1) {
ajax.options.iframeSrc = 'about:blank';
}

// Bind the ajaxSubmit function to the element event.
$(ajax.element).bind(element_settings.event, function (event) {
if (!Drupal.settings.urlIsAjaxTrusted[ajax.url] && !Drupal.urlIsLocal(ajax.url)) {
Expand Down
3 changes: 0 additions & 3 deletions misc/typo3/phar-stream-wrapper/.gitignore

This file was deleted.

5 changes: 4 additions & 1 deletion misc/typo3/phar-stream-wrapper/README.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
[![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/TYPO3/phar-stream-wrapper/badges/quality-score.png?b=v2)](https://scrutinizer-ci.com/g/TYPO3/phar-stream-wrapper/?branch=v2)
[![Travis CI Build Status](https://travis-ci.org/TYPO3/phar-stream-wrapper.svg?branch=v2)](https://travis-ci.org/TYPO3/phar-stream-wrapper)
[![AppVeyor Build status](https://ci.appveyor.com/api/projects/status/q4ls5tg4w1d6sf4i/branch/v2?svg=true)](https://ci.appveyor.com/project/ohader/phar-stream-wrapper)

# PHP Phar Stream Wrapper

Expand All @@ -21,9 +22,11 @@ and has been addressed concerning the specific attack vector and for this generi
`PharStreamWrapper` in TYPO3 versions 7.6.30 LTS, 8.7.17 LTS and 9.3.1 on 12th
July 2018.

* https://typo3.org/security/advisory/typo3-core-sa-2018-002/
* https://blog.secarma.co.uk/labs/near-phar-dangerous-unserialization-wherever-you-are
* https://youtu.be/GePBmsNJw6Y
* https://typo3.org/security/advisory/typo3-psa-2018-001/
* https://typo3.org/security/advisory/typo3-psa-2019-007/
* https://typo3.org/security/advisory/typo3-psa-2019-008/

## License

Expand Down
4 changes: 3 additions & 1 deletion misc/typo3/phar-stream-wrapper/composer.json
Original file line number Diff line number Diff line change
Expand Up @@ -7,14 +7,16 @@
"keywords": ["php", "phar", "stream-wrapper", "security"],
"require": {
"php": "^5.3.3|^7.0",
"ext-fileinfo": "*",
"ext-json": "*",
"brumann/polyfill-unserialize": "^1.0"
},
"require-dev": {
"ext-xdebug": "*",
"phpunit/phpunit": "^4.8.36"
},
"suggest": {
"ext-fileinfo": "For PHP builtin file type guessing, otherwise uses internal processing"
},
"autoload": {
"psr-4": {
"TYPO3\\PharStreamWrapper\\": "src/"
Expand Down
4 changes: 2 additions & 2 deletions misc/typo3/phar-stream-wrapper/src/Helper.php
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ public static function determineBaseFile($path)

while (count($parts)) {
$currentPath = implode('/', $parts);
if (@is_file($currentPath)) {
if (@is_file($currentPath) && realpath($currentPath) !== false) {
return $currentPath;
}
array_pop($parts);
Expand Down Expand Up @@ -106,7 +106,7 @@ public static function normalizePath($path)
* @param string $path File path to process
* @return string
*/
private static function normalizeWindowsPath($path)
public static function normalizeWindowsPath($path)
{
return str_replace('\\', '/', $path);
}
Expand Down
40 changes: 37 additions & 3 deletions misc/typo3/phar-stream-wrapper/src/Phar/Reader.php
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,11 @@ class Reader
private $fileName;

/**
* Mime-type in order to use zlib, bzip2 or no compression.
* In case ext-fileinfo is not present only the relevant types
* 'application/x-gzip' and 'application/x-bzip2' are assigned
* to this class property.
*
* @var string
*/
private $fileType;
Expand Down Expand Up @@ -139,7 +144,7 @@ private function extractData($fileName)
*/
private function resolveStream()
{
if ($this->fileType === 'application/x-gzip') {
if ($this->fileType === 'application/x-gzip' || $this->fileType === 'application/gzip') {
return 'compress.zlib://';
} elseif ($this->fileType === 'application/x-bzip2') {
return 'compress.bzip2://';
Expand All @@ -152,8 +157,37 @@ private function resolveStream()
*/
private function determineFileType()
{
$fileInfo = new \finfo();
return $fileInfo->file($this->fileName, FILEINFO_MIME_TYPE);
if (class_exists('\\finfo')) {
$fileInfo = new \finfo();
return $fileInfo->file($this->fileName, FILEINFO_MIME_TYPE);
}
return $this->determineFileTypeByHeader();
}

/**
* In case ext-fileinfo is not present only the relevant types
* 'application/x-gzip' and 'application/x-bzip2' are resolved.
*
* @return string
*/
private function determineFileTypeByHeader()
{
$resource = fopen($this->fileName, 'r');
if (!is_resource($resource)) {
throw new ReaderException(
sprintf('Resource %s could not be opened', $this->fileName),
1557753055
);
}
$header = fgets($resource, 4);
fclose($resource);
$mimeType = '';
if (strpos($header, "\x42\x5a\x68") === 0) {
$mimeType = 'application/x-bzip2';
} elseif (strpos($header, "\x1f\x8b") === 0) {
$mimeType = 'application/x-gzip';
}
return $mimeType;
}

/**
Expand Down
2 changes: 1 addition & 1 deletion misc/typo3/phar-stream-wrapper/src/PharStreamWrapper.php
Original file line number Diff line number Diff line change
Expand Up @@ -476,7 +476,7 @@ private function invokeInternalStreamWrapper($functionName)
{
$arguments = func_get_args();
array_shift($arguments);
$silentExecution = $functionName{0} === '@';
$silentExecution = $functionName[0] === '@';
$functionName = ltrim($functionName, '@');
$this->restoreInternalSteamWrapper();

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
use TYPO3\PharStreamWrapper\Helper;
use TYPO3\PharStreamWrapper\Manager;
use TYPO3\PharStreamWrapper\Phar\Reader;
use TYPO3\PharStreamWrapper\Phar\ReaderException;
use TYPO3\PharStreamWrapper\Resolvable;

class PharInvocationResolver implements Resolvable
Expand Down Expand Up @@ -59,7 +60,7 @@ public function resolve($path, $flags = null)
{
$hasPharPrefix = Helper::hasPharPrefix($path);
if ($flags === null) {
$flags = static::RESOLVE_REALPATH | static::RESOLVE_ALIAS | static::ASSERT_INTERNAL_INVOCATION;
$flags = static::RESOLVE_REALPATH | static::RESOLVE_ALIAS;
}

if ($hasPharPrefix && $flags & static::RESOLVE_ALIAS) {
Expand Down Expand Up @@ -147,9 +148,14 @@ private function resolveBaseName($path, $flags)
}
// ensure the possible alias name (how we have been called initially) matches
// the resolved alias name that was retrieved by the current possible base name
$reader = new Reader($currentBaseName);
$currentAlias = $reader->resolveContainer()->getAlias();
if ($currentAlias !== $possibleAlias) {
try {
$reader = new Reader($currentBaseName);
$currentAlias = $reader->resolveContainer()->getAlias();
} catch (ReaderException $exception) {
// most probably that was not a Phar file
continue;
}
if (empty($currentAlias) || $currentAlias !== $possibleAlias) {
continue;
}
$this->addBaseName($currentBaseName);
Expand Down Expand Up @@ -215,7 +221,9 @@ private function addBaseName($baseName)
if (isset($this->baseNames[$baseName])) {
return;
}
$this->baseNames[$baseName] = realpath($baseName);
$this->baseNames[$baseName] = Helper::normalizeWindowsPath(
realpath($baseName)
);
}

/**
Expand Down
Loading

0 comments on commit 8afbba2

Please sign in to comment.