Update Drupal to 7.94

docroot/CHANGELOG.txt

@@ -1,3 +1,14 @@
+Drupal 7.94, 2022-12-14
+-----------------------
+- Hotfix for book.module and Select query properties
+
+Drupal 7.93, 2022-12-07
+-----------------------
+- Improved support for PHP 8.2
+- Minimum PHP version changed to PHP 5.3
+- Various security hardenings
+- Various bug fixes, optimizations and improvements
+
 Drupal 7.92, 2022-09-07
 -----------------------
 - Improved support for PHP 8.1

docroot/INSTALL.sqlite.txt

@@ -3,7 +3,7 @@ SQLITE REQUIREMENTS
 -------------------
 
 To use SQLite with your Drupal installation, the following requirements must be
-met: Server has PHP 5.2 or later with PDO, and the PDO SQLite driver must be
+met: Server has PHP 5.3 or later with PDO, and the PDO SQLite driver must be
 enabled.
 
 SQLITE DATABASE CREATION

docroot/INSTALL.txt

@@ -15,19 +15,20 @@ REQUIREMENTS AND NOTES
 Drupal requires:
 
 - A web server. Apache (version 2.0 or greater) is recommended.
-- PHP 5.2.4 (or greater) (http://www.php.net/).
+- PHP 5.3.3 (at least, PHP 7.x or greater recommended) (https://www.php.net/).
 - One of the following databases:
-  - MySQL 5.0.15 (or greater) (http://www.mysql.com/).
-  - MariaDB 5.1.44 (or greater) (http://mariadb.org/). MariaDB is a fully
-    compatible drop-in replacement for MySQL.
-  - Percona Server 5.1.70 (or greater) (http://www.percona.com/). Percona
-    Server is a backwards-compatible replacement for MySQL.
-  - PostgreSQL 8.3 (or greater) (http://www.postgresql.org/).
-  - SQLite 3.3.7 (or greater) (http://www.sqlite.org/).
-
-For more detailed information about Drupal requirements, including a list of
-PHP extensions and configurations that are required, see "System requirements"
-(http://drupal.org/requirements) in the Drupal.org online documentation.
+  - MySQL 5.5 (or greater) (https://www.mysql.com/) or equivalent versions of a
+    compatible database such as MariaDB or Percona.
+  - PostgreSQL 9.5 (or greater) (https://www.postgresql.org/).
+  - SQLite 3.27 (or greater) (https://www.sqlite.org/).
+
+Note that version numbers above represent the minimum versions that Drupal 7 is
+routinely tested with. For more detailed information about compatibility with
+newer versions (that benefit from support from their maintainers), and
+requirements including a list of PHP extensions and configurations that are
+required, see "System requirements"
+(https://www.drupal.org/docs/7/system-requirements) in the Drupal.org online
+documentation.
 
 For detailed information on how to configure a test server environment using a
 variety of operating systems and web servers, see "Local server setup"

docroot/includes/bootstrap.inc

@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.92');
+define('VERSION', '7.94');
 
 /**
  * Core API compatibility.
@@ -18,7 +18,7 @@ define('DRUPAL_CORE_COMPATIBILITY', '7.x');
 /**
  * Minimum supported version of PHP.
  */
-define('DRUPAL_MINIMUM_PHP', '5.2.4');
+define('DRUPAL_MINIMUM_PHP', '5.3.3');
 
 /**
  * Minimum recommended value of PHP memory_limit.
@@ -3949,6 +3949,14 @@ function drupal_setcookie($name, $value, $options) {
     setcookie($name, $value, $options);
   }
   else {
+    $defaults = array(
+      'expires' => 0,
+      'path' => '',
+      'domain' => '',
+      'secure' => FALSE,
+      'httponly' => FALSE,
+    );
+    $options += $defaults;
     setcookie($name, $value, $options['expires'], $options['path'], $options['domain'], $options['secure'], $options['httponly']);
   }
 }

docroot/includes/common.inc

@@ -1278,6 +1278,10 @@ function fix_gpc_magic() {
  *
  * This uses the
  * @link http://php.net/manual/filter.filters.validate.php PHP e-mail validation filter. @endlink
+ * However, a module may override this by implementing
+ * hook_valid_email_address_alter(&$valid, $mail).
+ *
+ * @see hook_valid_email_address_alter()
  *
  * @param $mail
  *   A string containing an e-mail address.
@@ -1286,7 +1290,9 @@ function fix_gpc_magic() {
  *   TRUE if the address is in a valid format.
  */
 function valid_email_address($mail) {
-  return (bool)filter_var($mail, FILTER_VALIDATE_EMAIL);
+  $valid = (bool) filter_var($mail, FILTER_VALIDATE_EMAIL);
+  drupal_alter('valid_email_address', $valid, $mail);
+  return $valid;
 }
 
 /**
@@ -2608,7 +2614,14 @@ function l($text, $path, array $options = array()) {
       $use_theme = FALSE;
     }
   }
-  $path = drupal_strip_dangerous_protocols((string) $path);
+  $path = (string) $path;
+  // For backwards compatibility, do not strip a couple of specific javascript
+  // paths that are harmless.
+  // @see https://www.drupal.org/project/drupal/issues/3310081
+  $skip_js_paths = array('javascript:void()', 'javascript:void();', 'javascript:void(0)', 'javascript:void(0);');
+  if (!in_array(strtolower($path), $skip_js_paths)) {
+    $path = drupal_strip_dangerous_protocols($path);
+  }
   if ($use_theme) {
     return theme('link', array('text' => $text, 'path' => $path, 'options' => $options));
   }
@@ -2737,19 +2750,6 @@ function drupal_deliver_html_page($page_callback_result) {
   }
   drupal_add_http_header('X-Content-Type-Options', 'nosniff');
 
-  if (variable_get('block_interest_cohort', TRUE)) {
-    $permissions_policy = drupal_get_http_header('Permissions-Policy');
-    if (is_null($permissions_policy)) {
-      drupal_add_http_header('Permissions-Policy', 'interest-cohort=()');
-    }
-    else {
-      // Only add interest-cohort if the header does not contain it already.
-      if (strpos($permissions_policy, 'interest-cohort') === FALSE) {
-        drupal_add_http_header('Permissions-Policy', 'interest-cohort=()', TRUE);
-      }
-    }
-  }
-
   // Menu status constants are integers; page content is a string or array.
   if (is_int($page_callback_result)) {
     // @todo: Break these up into separate functions?
@@ -5532,7 +5532,8 @@ function drupal_cron_run() {
   drupal_alter('cron_queue_info', $queues);
 
   // Try to acquire cron lock.
-  if (!lock_acquire('cron', 240.0)) {
+  $cron_lock_expiration_timeout = variable_get('cron_lock_expiration_timeout', 900.0);
+  if (!lock_acquire('cron', $cron_lock_expiration_timeout)) {
     // Cron is still running normally.
     watchdog('cron', 'Attempting to re-run cron while it is already running.', array(), WATCHDOG_WARNING);
   }

docroot/includes/database/database.inc

@@ -764,12 +764,12 @@ abstract class DatabaseConnection {
       if ($options['throw_exception']) {
         // Add additional debug information.
         if ($query instanceof DatabaseStatementInterface) {
-          $e->query_string = $stmt->getQueryString();
+          $e->errorInfo['query_string'] = $stmt->getQueryString();
         }
         else {
-          $e->query_string = $query;
+          $e->errorInfo['query_string'] = $query;
         }
-        $e->args = $args;
+        $e->errorInfo['args'] = $args;
         throw $e;
       }
       return NULL;

docroot/includes/database/pgsql/database.inc

@@ -129,12 +129,12 @@ class DatabaseConnection_pgsql extends DatabaseConnection {
       if ($options['throw_exception']) {
         // Add additional debug information.
         if ($query instanceof DatabaseStatementInterface) {
-          $e->query_string = $stmt->getQueryString();
+          $e->errorInfo['query_string'] = $stmt->getQueryString();
         }
         else {
-          $e->query_string = $query;
+          $e->errorInfo['query_string'] = $query;
         }
-        $e->args = $args;
+        $e->errorInfo['args'] = $args;
         throw $e;
       }
       return NULL;

docroot/includes/database/query.inc

@@ -1287,6 +1287,15 @@ class MergeQuery extends Query implements QueryConditionInterface {
    */
   protected $conditionTable;
 
+  /**
+   * The condition object for this query.
+   *
+   * Condition handling is handled via composition.
+   *
+   * @var DatabaseCondition
+   */
+  protected $condition;
+
   /**
    * An array of fields on which to insert.
    *
@@ -1693,6 +1702,13 @@ class DatabaseCondition implements QueryConditionInterface, Countable {
    */
   protected $queryPlaceholderIdentifier;
 
+  /**
+   * Contains the string version of the Condition.
+   *
+   * @var string
+   */
+  protected $stringVersion;
+
   /**
    * Constructs a DataBaseCondition object.
    *

docroot/includes/database/select.inc

@@ -944,6 +944,20 @@ class SelectQuery extends Query implements SelectQueryInterface {
    */
   protected $range;
 
+  /**
+   * The query metadata for alter purposes.
+   *
+   * @var array
+   */
+  public $alterMetaData;
+
+  /**
+   * The query tags.
+   *
+   * @var array
+   */
+  public $alterTags;
+
   /**
    * An array whose elements specify a query to UNION, and the UNION type. The
    * 'type' key may be '', 'ALL', or 'DISTINCT' to represent a 'UNION',

docroot/includes/entity.inc

@@ -621,7 +621,7 @@ class EntityFieldQuery {
    *
    * @see EntityFieldQuery::execute().
    */
-  public $orderedResults = array();
+  public $ordered_results = array();
 
   /**
    * The method executing the query, if it is overriding the default.
@@ -1179,7 +1179,7 @@ class EntityFieldQuery {
   /**
    * Executes the query.
    *
-   * After executing the query, $this->orderedResults will contain a list of
+   * After executing the query, $this->ordered_results will contain a list of
    * the same stub entities in the order returned by the query. This is only
    * relevant if there are multiple entity types in the returned value and
    * a field ordering was requested. In every other case, the returned value

docroot/includes/errors.inc

@@ -103,8 +103,8 @@ function _drupal_decode_exception($exception) {
       // We remove that call.
       array_shift($backtrace);
     }
-    if (isset($exception->query_string, $exception->args)) {
-      $message .= ": " . $exception->query_string . "; " . print_r($exception->args, TRUE);
+    if (isset($exception->errorInfo['query_string'], $exception->errorInfo['args'])) {
+      $message .= ": " . $exception->errorInfo['query_string'] . "; " . print_r($exception->errorInfo['args'], TRUE);
     }
   }
   $caller = _drupal_get_last_caller($backtrace);

docroot/includes/filetransfer/filetransfer.inc

@@ -9,11 +9,13 @@
  * the password should always be asked from the user and never stored. For
  * safety, all methods operate only inside a "jail", by default the Drupal root.
  */
+#[AllowDynamicProperties]
 abstract class FileTransfer {
   protected $username;
   protected $password;
   protected $hostname = 'localhost';
   protected $port;
+  protected $jail;
 
   /**
    * The constructor for the UpdateConnection class. This method is also called

docroot/includes/updater.inc

@@ -74,6 +74,16 @@ class Updater {
    */
   public $source;
 
+  /**
+   * @var string $name The name of the project.
+   */
+  protected $name;
+
+  /**
+   * @var string $title The title of the project.
+   */
+  protected $title;
+
   public function __construct($source) {
     $this->source = $source;
     $this->name = self::getProjectName($source);

docroot/install.php

@@ -16,8 +16,8 @@
 define('MAINTENANCE_MODE', 'install');
 
 // Exit early if running an incompatible PHP version to avoid fatal errors.
-if (version_compare(PHP_VERSION, '5.2.4') < 0) {
-  print 'Your PHP installation is too old. Drupal requires at least PHP 5.2.4. See the <a href="http://drupal.org/requirements">system requirements</a> page for more information.';
+if (version_compare(PHP_VERSION, '5.3.3') < 0) {
+  print 'Your PHP installation is too old. Drupal requires at least PHP 5.3.3. See the <a href="https://www.drupal.org/docs/7/system-requirements">system requirements</a> page for more information.';
   exit;
 }
 

docroot/misc/tabledrag.js

@@ -165,7 +165,8 @@ Drupal.tableDrag.prototype.initColumns = function () {
   // Set a cookie if it is not already present.
   if ($.cookie('Drupal.tableDrag.showWeight') === null) {
     $.cookie('Drupal.tableDrag.showWeight', 0, {
-      path: Drupal.settings.basePath,
+      // Workaround lack of support for the SameSite attribute in jQuery Cookie.
+      path: Drupal.settings.basePath + '; SameSite=Lax',
       // The cookie expires in one year.
       expires: 365
     });
@@ -197,9 +198,9 @@ Drupal.tableDrag.prototype.hideColumns = function () {
   });
   // Change link text.
   $('.tabledrag-toggle-weight').text(Drupal.t('Show row weights'));
-  // Change cookie.
+  // Change cookie (including workaround for SameSite attribute).
   $.cookie('Drupal.tableDrag.showWeight', 0, {
-    path: Drupal.settings.basePath,
+    path: Drupal.settings.basePath + '; SameSite=Lax',
     // The cookie expires in one year.
     expires: 365
   });
@@ -222,9 +223,9 @@ Drupal.tableDrag.prototype.showColumns = function () {
   });
   // Change link text.
   $('.tabledrag-toggle-weight').text(Drupal.t('Hide row weights'));
-  // Change cookie.
+  // Change cookie (including workaround for SameSite attribute).
   $.cookie('Drupal.tableDrag.showWeight', 1, {
-    path: Drupal.settings.basePath,
+    path: Drupal.settings.basePath + '; SameSite=Lax',
     // The cookie expires in one year.
     expires: 365
   });

docroot/misc/tableheader.js

@@ -69,6 +69,29 @@ Drupal.tableHeader = function (table) {
   this.stickyHeader.show();
 };
 
+/**
+ * Call the header offset function to prevent use of eval().
+ *
+ * @param accessor
+ *   The callback function name.
+ * @return
+ *   The callback result.
+ */
+Drupal.tableHeader.callHeaderOffsetFunction = function(accessor) {
+  accessor = accessor.split('.');
+  var callback = window;
+  for (var i = 0, len = accessor.length - 1; i < len; i++) {
+    if (typeof callback[accessor[i]] !== 'function' && typeof callback[accessor[i]] != 'object') {
+      return 0;
+    }
+    callback = callback[accessor[i]];
+  }
+  if (typeof callback[accessor[accessor.length - 1]] === 'function') {
+    return callback[accessor[accessor.length - 1]]();
+  }
+  return 0;
+};
+
 /**
  * Event handler: recalculates position of the sticky table header.
  *
@@ -80,7 +103,7 @@ Drupal.tableHeader.prototype.eventhandlerRecalculateStickyHeader = function (eve
   var calculateWidth = event.data && event.data.calculateWidth;
 
   // Reset top position of sticky table headers to the current top offset.
-  this.stickyOffsetTop = Drupal.settings.tableHeaderOffset ? eval(Drupal.settings.tableHeaderOffset + '()') : 0;
+  this.stickyOffsetTop = Drupal.settings.tableHeaderOffset ? Drupal.tableHeader.callHeaderOffsetFunction(Drupal.settings.tableHeaderOffset) : 0;
   this.stickyTable.css('top', this.stickyOffsetTop + 'px');
 
   // Save positioning data.

docroot/modules/aggregator/aggregator.info

@@ -7,7 +7,7 @@ files[] = aggregator.test
 configure = admin/config/services/aggregator/settings
 stylesheets[all][] = aggregator.css
 
-; Information added by Drupal.org packaging script on 2022-09-07
-version = "7.92"
+; Information added by Drupal.org packaging script on 2022-12-14
+version = "7.94"
 project = "drupal"
-datestamp = "1662554078"
+datestamp = "1671034612"