Skip to content

Commit

Permalink
Drupal 7.98
Browse files Browse the repository at this point in the history
  • Loading branch information
shelane committed Oct 3, 2023
1 parent 93e3f86 commit 26bd176
Show file tree
Hide file tree
Showing 177 changed files with 1,115 additions and 511 deletions.
9 changes: 9 additions & 0 deletions docroot/CHANGELOG.txt
Original file line number Diff line number Diff line change
@@ -1,3 +1,12 @@
Drupal 7.98, 2023-06-07
-----------------------
- Various security improvements
- Various bug fixes, optimizations and improvements

Drupal 7.97, 2023-04-21
-----------------------
- Fix PHP 5.x regression caused by SA-CORE-2023-005

Drupal 7.96, 2023-04-19
-----------------------
- Fixed security issues:
Expand Down
10 changes: 5 additions & 5 deletions docroot/cron.php
Original file line number Diff line number Diff line change
Expand Up @@ -13,12 +13,12 @@
include_once DRUPAL_ROOT . '/includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);

if (!isset($_GET['cron_key']) || variable_get('cron_key', 'drupal') != $_GET['cron_key']) {
watchdog('cron', 'Cron could not run because an invalid key was used.', array(), WATCHDOG_NOTICE);
drupal_access_denied();
}
elseif (variable_get('maintenance_mode', 0)) {
if (variable_get('maintenance_mode', 0)) {
watchdog('cron', 'Cron could not run because the site is in maintenance mode.', array(), WATCHDOG_NOTICE);
drupal_site_offline();
}
elseif (!isset($_GET['cron_key']) || variable_get('cron_key', 'drupal') != $_GET['cron_key']) {
watchdog('cron', 'Cron could not run because an invalid key was used.', array(), WATCHDOG_NOTICE);
drupal_access_denied();
}
else {
Expand Down
27 changes: 21 additions & 6 deletions docroot/includes/bootstrap.inc
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
/**
* The current system version.
*/
define('VERSION', '7.96');
define('VERSION', '7.98');

/**
* Core API compatibility.
Expand Down Expand Up @@ -2303,15 +2303,30 @@ function drupal_base64_encode($string) {
/**
* Returns a string of highly randomized bytes (over the full 8-bit range).
*
* This function is better than simply calling mt_rand() or any other built-in
* PHP function because it can return a long string of bytes (compared to < 4
* bytes normally from mt_rand()) and uses the best available pseudo-random
* source.
* On PHP 7 and later, this function is a wrapper around the built-in PHP
* function random_bytes(). If that function does not exist or cannot find an
* appropriate source of randomness, this function is better than simply calling
* mt_rand() or any other built-in PHP function because it can return a long
* string of bytes (compared to < 4 bytes normally from mt_rand()) and uses the
* best available pseudo-random source.
*
* @param $count
* @param int $count
* The number of characters (bytes) to return in the string.
*
* @return string
* A randomly generated string.
*/
function drupal_random_bytes($count) {
if (function_exists('random_bytes')) {
try {
return random_bytes($count);
}
catch (Exception $e) {
// An appropriate source of randomness could not be found. Fall back to a
// less secure implementation.
}
}

// $random_state does not use drupal_static as it stores random bytes.
static $random_state, $bytes, $has_openssl;

Expand Down
7 changes: 7 additions & 0 deletions docroot/includes/common.inc
Original file line number Diff line number Diff line change
Expand Up @@ -7363,6 +7363,13 @@ function _drupal_schema_initialize(&$schema, $module, $remove_descriptions = TRU
unset($field['description']);
}
}
// Set the type key for all fields where it is not set (mostly when using
// datatabase specific data types).
foreach ($table['fields'] as &$field) {
if (!isset($field['type'])) {
$field['type'] = NULL;
}
}
}
}

Expand Down
18 changes: 12 additions & 6 deletions docroot/includes/file.inc
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,13 @@ define('FILE_EXISTS_ERROR', 2);
*/
define('FILE_STATUS_PERMANENT', 1);

/**
* A pipe-separated list of insecure extensions.
*
* @see file_munge_filename(), file_save_upload()
*/
define('FILE_INSECURE_EXTENSIONS', 'php|phar|pl|py|cgi|asp|js|phtml');

/**
* Provides Drupal stream wrapper registry.
*
Expand Down Expand Up @@ -1180,9 +1187,8 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {

$whitelist = array_unique(explode(' ', strtolower(trim($extensions))));

// Remove unsafe extensions from the list of allowed extensions. The list is
// copied from file_save_upload().
$whitelist = array_diff($whitelist, explode('|', 'php|phar|pl|py|cgi|asp|js'));
// Remove unsafe extensions from the list of allowed extensions.
$whitelist = array_diff($whitelist, explode('|', FILE_INSECURE_EXTENSIONS));

// Split the filename up by periods. The first part becomes the basename
// the last part the final extension.
Expand Down Expand Up @@ -1562,7 +1568,7 @@ function file_save_upload($form_field_name, $validators = array(), $destination
// rename filename.php.foo and filename.php to filename.php_.foo_.txt and
// filename.php_.txt, respectively). Don't rename if 'allow_insecure_uploads'
// evaluates to TRUE.
if (preg_match('/\.(php|phar|pl|py|cgi|asp|js)(\.|$)/i', $file->filename)) {
if (preg_match('/\.(' . FILE_INSECURE_EXTENSIONS . ')(\.|$)/i', $file->filename)) {
// If the file will be rejected anyway due to a disallowed extension, it
// should not be renamed; rather, we'll let file_validate_extensions()
// reject it below.
Expand Down Expand Up @@ -1754,7 +1760,7 @@ function file_validate(stdClass &$file, $validators = array()) {
// malicious extension. Contributed and custom code that calls this method
// needs to take similar steps if they need to permit files with malicious
// extensions to be uploaded.
if (empty($errors) && !variable_get('allow_insecure_uploads', 0) && preg_match('/\.(php|phar|pl|py|cgi|asp|js)(\.|$)/i', $file->filename)) {
if (empty($errors) && !variable_get('allow_insecure_uploads', 0) && preg_match('/\.(' . FILE_INSECURE_EXTENSIONS . ')(\.|$)/i', $file->filename)) {
$errors[] = t('For security reasons, your upload has been rejected.');
}

Expand Down Expand Up @@ -2749,7 +2755,7 @@ function file_uri_normalize_dot_segments($uri) {
if ($target !== FALSE) {
if (!in_array($scheme, variable_get('file_sa_core_2023_005_schemes', array()))) {
$class = file_stream_wrapper_get_class($scheme);
$is_local = is_subclass_of($class, DrupalLocalStreamWrapper::class);
$is_local = is_subclass_of($class, 'DrupalLocalStreamWrapper');
if ($is_local) {
$target = str_replace(DIRECTORY_SEPARATOR, '/', $target);
}
Expand Down
73 changes: 50 additions & 23 deletions docroot/includes/form.inc
Original file line number Diff line number Diff line change
Expand Up @@ -1682,7 +1682,10 @@ function form_clear_error() {
}

/**
* Returns an associative array of all errors.
* Returns an associative array of all errors if any.
*
* @return array|null
* The form errors if any, NULL otherwise.
*/
function form_get_errors() {
$form = form_set_error();
Expand Down Expand Up @@ -2307,8 +2310,8 @@ function form_state_values_clean(&$form_state) {
* A keyed array containing the current state of the form.
*
* @return
* The data that will appear in the $form_state['values'] collection
* for this element. Return nothing to use the default.
* The data that will appear in $form_state['values'] for this element, or
* nothing to use the default.
*/
function form_type_image_button_value($form, $input, $form_state) {
if ($input !== FALSE) {
Expand Down Expand Up @@ -2353,8 +2356,8 @@ function form_type_image_button_value($form, $input, $form_state) {
* the element's default value should be returned.
*
* @return
* The data that will appear in the $element_state['values'] collection
* for this element. Return nothing to use the default.
* The data that will appear in $form_state['values'] for this element, or
* nothing to use the default.
*/
function form_type_checkbox_value($element, $input = FALSE) {
if ($input === FALSE) {
Expand Down Expand Up @@ -2394,8 +2397,8 @@ function form_type_checkbox_value($element, $input = FALSE) {
* the element's default value should be returned.
*
* @return
* The data that will appear in the $element_state['values'] collection
* for this element. Return nothing to use the default.
* The data that will appear in $form_state['values'] for this element, or
* nothing to use the default.
*/
function form_type_checkboxes_value($element, $input = FALSE) {
if ($input === FALSE) {
Expand Down Expand Up @@ -2435,8 +2438,8 @@ function form_type_checkboxes_value($element, $input = FALSE) {
* the element's default value should be returned.
*
* @return
* The data that will appear in the $element_state['values'] collection
* for this element. Return nothing to use the default.
* The data that will appear in $form_state['values'] for this element, or
* nothing to use the default.
*/
function form_type_tableselect_value($element, $input = FALSE) {
// If $element['#multiple'] == FALSE, then radio buttons are displayed and
Expand Down Expand Up @@ -2471,8 +2474,8 @@ function form_type_tableselect_value($element, $input = FALSE) {
* element's default value is returned. Defaults to FALSE.
*
* @return
* The data that will appear in the $element_state['values'] collection for
* this element.
* The data that will appear in $form_state['values'] for this element, or
* nothing to use the default.
*/
function form_type_radios_value(&$element, $input = FALSE) {
if ($input !== FALSE) {
Expand Down Expand Up @@ -2510,8 +2513,8 @@ function form_type_radios_value(&$element, $input = FALSE) {
* the element's default value should be returned.
*
* @return
* The data that will appear in the $element_state['values'] collection
* for this element. Return nothing to use the default.
* The data that will appear in $form_state['values'] for this element, or
* nothing to use the default.
*/
function form_type_password_confirm_value($element, $input = FALSE) {
if ($input === FALSE) {
Expand Down Expand Up @@ -2541,8 +2544,8 @@ function form_type_password_confirm_value($element, $input = FALSE) {
* the element's default value should be returned.
*
* @return
* The data that will appear in the $element_state['values'] collection
* for this element. Return nothing to use the default.
* The data that will appear in $form_state['values'] for this element, or
* nothing to use the default.
*/
function form_type_select_value($element, $input = FALSE) {
if ($input !== FALSE) {
Expand Down Expand Up @@ -2578,12 +2581,12 @@ function form_type_select_value($element, $input = FALSE) {
* @param array $element
* The form element whose value is being populated.
* @param mixed $input
* The incoming input to populate the form element. If this is FALSE,
* the element's default value should be returned.
* The incoming input to populate the form element. If this is FALSE, the
* element's default value should be returned.
*
* @return string
* The data that will appear in the $element_state['values'] collection
* for this element. Return nothing to use the default.
* The data that will appear in $form_state['values'] for this element, or
* nothing to use the default.
*/
function form_type_textarea_value($element, $input = FALSE) {
if ($input !== FALSE && $input !== NULL) {
Expand All @@ -2603,8 +2606,8 @@ function form_type_textarea_value($element, $input = FALSE) {
* the element's default value should be returned.
*
* @return
* The data that will appear in the $element_state['values'] collection
* for this element. Return nothing to use the default.
* The data that will appear in $form_state['values'] for this element, or
* nothing to use the default.
*/
function form_type_textfield_value($element, $input = FALSE) {
if ($input !== FALSE && $input !== NULL) {
Expand All @@ -2627,8 +2630,8 @@ function form_type_textfield_value($element, $input = FALSE) {
* the element's default value should be returned.
*
* @return
* The data that will appear in the $element_state['values'] collection
* for this element. Return nothing to use the default.
* The data that will appear in $form_state['values'] for this element, or
* nothing to use the default.
*/
function form_type_token_value($element, $input = FALSE) {
if ($input !== FALSE) {
Expand Down Expand Up @@ -3377,6 +3380,30 @@ function form_process_actions($element, &$form_state) {
return $element;
}

/**
* Processes a form button element.
*
* @param $element
* An associative array containing the properties and children of the
* form button.
* @param $form_state
* The $form_state array for the form this element belongs to.
*
* @return
* The processed element.
*/
function form_process_button($element, &$form_state) {
// We normally want to add drupal.form-single-submit so that the double submit
// protection can be added to the site, however, with the addition of
// javascript_always_use_jquery, this would make most pages with a login
// block or a search form have jquery always added, changing what people who
// set the javascript_always_use_jquery variable to FALSE would have expected.
if (variable_get('javascript_always_use_jquery', TRUE) && variable_get('javascript_use_double_submit_protection', TRUE)) {
$element['#attached']['library'][] = array('system', 'drupal.form-single-submit');
}
return $element;
}

/**
* Processes a container element.
*
Expand Down
2 changes: 1 addition & 1 deletion docroot/includes/locale.inc
Original file line number Diff line number Diff line change
Expand Up @@ -1093,7 +1093,7 @@ function _locale_import_one_string($op, $value = NULL, $mode = NULL, $lang = NUL
*
* @param $report
* Report array summarizing the number of changes done in the form:
* array(inserts, updates, deletes).
* array(additions, deletes, skips, updates).
* @param $langcode
* Language code to import string into.
* @param $context
Expand Down
Loading

0 comments on commit 26bd176

Please sign in to comment.