updated core to 7.63

This commit is contained in:
2019-01-27 14:26:06 +01:00
parent ccab226e12
commit 31cfa90501
172 changed files with 2256 additions and 624 deletions

View File

@@ -8,7 +8,7 @@
/**
* The current system version.
*/
define('VERSION', '7.59');
define('VERSION', '7.63');
/**
* Core API compatibility.
@@ -704,6 +704,19 @@ function drupal_environment_initialize() {
// Set sane locale settings, to ensure consistent string, dates, times and
// numbers handling.
setlocale(LC_ALL, 'C');
// PHP's built-in phar:// stream wrapper is not sufficiently secure. Override
// it with a more secure one, which requires PHP 5.3.3. For lower versions,
// unregister the built-in one without replacing it. Sites needing phar
// support for lower PHP versions must implement hook_stream_wrappers() to
// register their desired implementation.
if (in_array('phar', stream_get_wrappers(), TRUE)) {
stream_wrapper_unregister('phar');
if (version_compare(PHP_VERSION, '5.3.3', '>=')) {
include_once DRUPAL_ROOT . '/includes/file.phar.inc';
file_register_phar_wrapper();
}
}
}
/**
@@ -3785,8 +3798,12 @@ function _drupal_shutdown_function() {
chdir(DRUPAL_ROOT);
try {
while (list($key, $callback) = each($callbacks)) {
// Manually iterate over the array instead of using a foreach loop.
// A foreach operates on a copy of the array, so any shutdown functions that
// were added from other shutdown functions would never be called.
while ($callback = current($callbacks)) {
call_user_func_array($callback['callback'], $callback['arguments']);
next($callbacks);
}
}
catch (Exception $exception) {

View File

@@ -867,8 +867,10 @@ function drupal_http_request($url, array $options = array()) {
// Make the socket connection to a proxy server.
$socket = 'tcp://' . $proxy_server . ':' . variable_get('proxy_port', 8080);
// The Host header still needs to match the real request.
$options['headers']['Host'] = $uri['host'];
$options['headers']['Host'] .= isset($uri['port']) && $uri['port'] != 80 ? ':' . $uri['port'] : '';
if (!isset($options['headers']['Host'])) {
$options['headers']['Host'] = $uri['host'];
$options['headers']['Host'] .= isset($uri['port']) && $uri['port'] != 80 ? ':' . $uri['port'] : '';
}
break;
case 'http':
@@ -878,14 +880,18 @@ function drupal_http_request($url, array $options = array()) {
// RFC 2616: "non-standard ports MUST, default ports MAY be included".
// We don't add the standard port to prevent from breaking rewrite rules
// checking the host that do not take into account the port number.
$options['headers']['Host'] = $uri['host'] . ($port != 80 ? ':' . $port : '');
if (!isset($options['headers']['Host'])) {
$options['headers']['Host'] = $uri['host'] . ($port != 80 ? ':' . $port : '');
}
break;
case 'https':
// Note: Only works when PHP is compiled with OpenSSL support.
$port = isset($uri['port']) ? $uri['port'] : 443;
$socket = 'ssl://' . $uri['host'] . ':' . $port;
$options['headers']['Host'] = $uri['host'] . ($port != 443 ? ':' . $port : '');
if (!isset($options['headers']['Host'])) {
$options['headers']['Host'] = $uri['host'] . ($port != 443 ? ':' . $port : '');
}
break;
default:
@@ -2311,7 +2317,10 @@ function url($path = NULL, array $options = array()) {
$language = isset($options['language']) && isset($options['language']->language) ? $options['language']->language : '';
$alias = drupal_get_path_alias($original_path, $language);
if ($alias != $original_path) {
$path = $alias;
// Strip leading slashes from internal path aliases to prevent them
// becoming external URLs without protocol. /example.com should not be
// turned into //example.com.
$path = ltrim($alias, '/');
}
}

View File

@@ -1534,9 +1534,9 @@ function file_save_upload($form_field_name, $validators = array(), $destination
// rename filename.php.foo and filename.php to filename.php.foo.txt and
// filename.php.txt, respectively). Don't rename if 'allow_insecure_uploads'
// evaluates to TRUE.
if (!variable_get('allow_insecure_uploads', 0) && preg_match('/\.(php|pl|py|cgi|asp|js)(\.|$)/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
if (!variable_get('allow_insecure_uploads', 0) && preg_match('/\.(php|phar|pl|py|cgi|asp|js)(\.|$)/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
$file->filemime = 'text/plain';
$file->uri .= '.txt';
// The destination filename will also later be used to create the URI.
$file->filename .= '.txt';
// The .txt extension may not be in the allowed list of extensions. We have
// to add it here or else the file upload will fail.

41
includes/file.phar.inc Normal file
View File

@@ -0,0 +1,41 @@
<?php
use Drupal\Core\Security\PharExtensionInterceptor;
use TYPO3\PharStreamWrapper\Manager as PharStreamWrapperManager;
use TYPO3\PharStreamWrapper\Behavior as PharStreamWrapperBehavior;
use TYPO3\PharStreamWrapper\PharStreamWrapper;
/**
* Registers a phar stream wrapper that is more secure than PHP's built-in one.
*
* @see file_get_stream_wrappers()
*/
function file_register_phar_wrapper() {
$directory = DRUPAL_ROOT . '/misc/typo3/phar-stream-wrapper/src';
include_once $directory . '/Assertable.php';
include_once $directory . '/Behavior.php';
include_once $directory . '/Exception.php';
include_once $directory . '/Helper.php';
include_once $directory . '/Manager.php';
include_once $directory . '/PharStreamWrapper.php';
include_once DRUPAL_ROOT . '/misc/typo3/drupal-security/PharExtensionInterceptor.php';
// Set up a stream wrapper to handle insecurities due to PHP's built-in
// phar stream wrapper.
try {
$behavior = new PharStreamWrapperBehavior();
PharStreamWrapperManager::initialize(
$behavior->withAssertion(new PharExtensionInterceptor())
);
}
catch (\LogicException $e) {
// Continue if the PharStreamWrapperManager is already initialized.
// For example, this occurs following a drupal_static_reset(), such
// as during tests.
};
// To prevent file_stream_wrapper_valid_scheme() treating "phar" as a valid
// scheme, this is registered with PHP only, not with hook_stream_wrappers()
// or the internal storage of file_get_stream_wrappers().
stream_wrapper_register('phar', '\\TYPO3\\PharStreamWrapper\\PharStreamWrapper');
}

View File

@@ -555,8 +555,10 @@ function form_get_cache($form_build_id, &$form_state) {
* Stores a form in the cache.
*/
function form_set_cache($form_build_id, $form, $form_state) {
// 6 hours cache life time for forms should be plenty.
$expire = 21600;
// The default cache_form expiration is 6 hours. On busy sites, the cache_form
// table can become very large. A shorter cache lifetime can help to keep the
// table's size under control.
$expire = variable_get('form_cache_expiration', 21600);
// Ensure that the form build_id embedded in the form structure is the same as
// the one passed in as a parameter. This is an additional safety measure to
@@ -1438,10 +1440,12 @@ function _form_validate(&$elements, &$form_state, $form_id = NULL) {
// length if it's a string, and the item count if it's an array.
// An unchecked checkbox has a #value of integer 0, different than string
// '0', which could be a valid value.
$is_empty_multiple = (!count($elements['#value']));
$is_countable = is_array($elements['#value']) || $elements['#value'] instanceof Countable;
$is_empty_multiple = $is_countable && count($elements['#value']) == 0;
$is_empty_string = (is_string($elements['#value']) && drupal_strlen(trim($elements['#value'])) == 0);
$is_empty_value = ($elements['#value'] === 0);
if ($is_empty_multiple || $is_empty_string || $is_empty_value) {
$is_empty_null = is_null($elements['#value']);
if ($is_empty_multiple || $is_empty_string || $is_empty_value || $is_empty_null) {
// Although discouraged, a #title is not mandatory for form elements. In
// case there is no #title, we cannot set a form error message.
// Instead of setting no #title, form constructors are encouraged to set

View File

@@ -779,7 +779,7 @@ function drupal_uninstall_modules($module_list = array(), $uninstall_dependents
$module_list = array_flip(array_values($module_list));
$profile = drupal_get_profile();
while (list($module) = each($module_list)) {
foreach (array_keys($module_list) as $module) {
if (!isset($module_data[$module]) || drupal_get_installed_schema_version($module) == SCHEMA_UNINSTALLED) {
// This module doesn't exist or is already uninstalled. Skip it.
unset($module_list[$module]);

View File

@@ -576,7 +576,8 @@ function _menu_load_objects(&$item, &$map) {
// 'load arguments' in the hook_menu() entry, but they need
// some processing. In this case the $function is the key to the
// load_function array, and the value is the list of arguments.
list($function, $args) = each($function);
$args = current($function);
$function = key($function);
$load_functions[$index] = $function;
// Some arguments are placeholders for dynamic items to process.
@@ -2402,7 +2403,8 @@ function menu_set_active_trail($new_trail = NULL) {
// a stripped down menu tree containing the active trail only, in case
// the given menu has not been built in this request yet.
$tree = menu_tree_page_data($preferred_link['menu_name'], NULL, TRUE);
list($key, $curr) = each($tree);
$curr = current($tree);
next($tree);
}
// There is no link for the current path.
else {
@@ -2432,7 +2434,8 @@ function menu_set_active_trail($new_trail = NULL) {
}
$tree = $curr['below'] ? $curr['below'] : array();
}
list($key, $curr) = each($tree);
$curr = current($tree);
next($tree);
}
// Make sure the current page is in the trail to build the page title, by
// appending either the preferred link or the menu router item for the

View File

@@ -404,7 +404,11 @@ function module_enable($module_list, $enable_dependencies = TRUE) {
// Create an associative array with weights as values.
$module_list = array_flip(array_values($module_list));
while (list($module) = each($module_list)) {
// The array is iterated over manually (instead of using a foreach) because
// modules may be added to the list within the loop and we need to process
// them.
while ($module = key($module_list)) {
next($module_list);
if (!isset($module_data[$module])) {
// This module is not found in the filesystem, abort.
return FALSE;
@@ -540,7 +544,11 @@ function module_disable($module_list, $disable_dependents = TRUE) {
$module_list = array_flip(array_values($module_list));
$profile = drupal_get_profile();
while (list($module) = each($module_list)) {
// The array is iterated over manually (instead of using a foreach) because
// modules may be added to the list within the loop and we need to process
// them.
while ($module = key($module_list)) {
next($module_list);
if (!isset($module_data[$module]) || !$module_data[$module]->status) {
// This module doesn't exist or is already disabled, skip it.
unset($module_list[$module]);

View File

@@ -1776,13 +1776,13 @@ function theme_link($variables) {
* http://www.w3.org/TR/WCAG-TECHS/H42.html for more information.
*/
function theme_links($variables) {
$links = $variables['links'];
$attributes = $variables['attributes'];
$links = (array) $variables['links'];
$attributes = (array) $variables['attributes'];
$heading = $variables['heading'];
global $language_url;
$output = '';
if (count($links) > 0) {
if (!empty($links)) {
// Treat the heading first if it is present to prepend it to the
// list of links.
if (!empty($heading)) {
@@ -1995,7 +1995,7 @@ function theme_table($variables) {
$empty = $variables['empty'];
// Add sticky headers, if applicable.
if (count($header) && $sticky) {
if (!empty($header) && $sticky) {
drupal_add_js('misc/tableheader.js');
// Add 'sticky-enabled' class to the table to identify it for JS.
// This is needed to target tables constructed by this function.
@@ -2009,7 +2009,7 @@ function theme_table($variables) {
}
// Format the table columns:
if (count($colgroups)) {
if (!empty($colgroups)) {
foreach ($colgroups as $number => $colgroup) {
$attributes = array();
@@ -2044,38 +2044,40 @@ function theme_table($variables) {
}
// Add the 'empty' row message if available.
if (!count($rows) && $empty) {
if (empty($rows) && $empty) {
$header_count = 0;
foreach ($header as $header_cell) {
if (is_array($header_cell)) {
$header_count += isset($header_cell['colspan']) ? $header_cell['colspan'] : 1;
}
else {
$header_count++;
if (!empty($header)) {
foreach ($header as $header_cell) {
if (is_array($header_cell)) {
$header_count += isset($header_cell['colspan']) ? $header_cell['colspan'] : 1;
}
else {
$header_count++;
}
}
}
$rows[] = array(array('data' => $empty, 'colspan' => $header_count, 'class' => array('empty', 'message')));
}
// Format the table header:
if (count($header)) {
if (!empty($header)) {
$ts = tablesort_init($header);
// HTML requires that the thead tag has tr tags in it followed by tbody
// tags. Using ternary operator to check and see if we have any rows.
$output .= (count($rows) ? ' <thead><tr>' : ' <tr>');
$output .= (!empty($rows) ? ' <thead><tr>' : ' <tr>');
foreach ($header as $cell) {
$cell = tablesort_header($cell, $header, $ts);
$output .= _theme_table_cell($cell, TRUE);
}
// Using ternary operator to close the tags based on whether or not there are rows
$output .= (count($rows) ? " </tr></thead>\n" : "</tr>\n");
$output .= (!empty($rows) ? " </tr></thead>\n" : "</tr>\n");
}
else {
$ts = array();
}
// Format the table rows:
if (count($rows)) {
if (!empty($rows)) {
$output .= "<tbody>\n";
$flip = array('even' => 'odd', 'odd' => 'even');
$class = 'even';
@@ -2095,7 +2097,7 @@ function theme_table($variables) {
$attributes = array();
$no_striping = FALSE;
}
if (count($cells)) {
if (!empty($cells)) {
// Add odd/even class
if (!$no_striping) {
$class = $flip[$class];