updated core to 7.56, secutity update
This commit is contained in:
@@ -8,7 +8,7 @@
|
||||
/**
|
||||
* The current system version.
|
||||
*/
|
||||
define('VERSION', '7.54');
|
||||
define('VERSION', '7.56');
|
||||
|
||||
/**
|
||||
* Core API compatibility.
|
||||
@@ -254,8 +254,13 @@ define('DRUPAL_PHP_FUNCTION_PATTERN', '[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*'
|
||||
* http://tools.ietf.org/html/rfc7231#section-7.1.1.1
|
||||
*
|
||||
* Example: Sun, 06 Nov 1994 08:49:37 GMT
|
||||
*
|
||||
* This constant was introduced in PHP 7.0.19 and PHP 7.1.5 but needs to be
|
||||
* defined by Drupal for earlier PHP versions.
|
||||
*/
|
||||
define('DATE_RFC7231', 'D, d M Y H:i:s \G\M\T');
|
||||
if (!defined('DATE_RFC7231')) {
|
||||
define('DATE_RFC7231', 'D, d M Y H:i:s \G\M\T');
|
||||
}
|
||||
|
||||
/**
|
||||
* Provides a caching wrapper to be used in place of large array structures.
|
||||
|
@@ -487,7 +487,7 @@ function drupal_http_build_query(array $query, $parent = '') {
|
||||
$params = array();
|
||||
|
||||
foreach ($query as $key => $value) {
|
||||
$key = ($parent ? $parent . '[' . rawurlencode($key) . ']' : rawurlencode($key));
|
||||
$key = $parent ? $parent . rawurlencode('[' . $key . ']') : rawurlencode($key);
|
||||
|
||||
// Recurse into children.
|
||||
if (is_array($value)) {
|
||||
|
@@ -11,7 +11,7 @@
|
||||
*/
|
||||
|
||||
/**
|
||||
* The name by which to obtain a lock for retrive the next insert id.
|
||||
* The name by which to obtain a lock for retrieving the next insert id.
|
||||
*/
|
||||
define('POSTGRESQL_NEXTID_LOCK', 1000);
|
||||
|
||||
@@ -55,7 +55,7 @@ class DatabaseConnection_pgsql extends DatabaseConnection {
|
||||
$connection_options['pdo'] += array(
|
||||
// Prepared statements are most effective for performance when queries
|
||||
// are recycled (used several times). However, if they are not re-used,
|
||||
// prepared statements become ineffecient. Since most of Drupal's
|
||||
// prepared statements become inefficient. Since most of Drupal's
|
||||
// prepared queries are not re-used, it should be faster to emulate
|
||||
// the preparation than to actually ready statements for re-use. If in
|
||||
// doubt, reset to FALSE and measure performance.
|
||||
@@ -175,14 +175,14 @@ class DatabaseConnection_pgsql extends DatabaseConnection {
|
||||
}
|
||||
|
||||
/**
|
||||
* Retrive a the next id in a sequence.
|
||||
* Retrieve the next id in a sequence.
|
||||
*
|
||||
* PostgreSQL has built in sequences. We'll use these instead of inserting
|
||||
* and updating a sequences table.
|
||||
*/
|
||||
public function nextId($existing = 0) {
|
||||
|
||||
// Retrive the name of the sequence. This information cannot be cached
|
||||
// Retrieve the name of the sequence. This information cannot be cached
|
||||
// because the prefix may change, for example, like it does in simpletests.
|
||||
$sequence_name = $this->makeSequenceName('sequences', 'value');
|
||||
|
||||
@@ -194,7 +194,7 @@ class DatabaseConnection_pgsql extends DatabaseConnection {
|
||||
}
|
||||
|
||||
// PostgreSQL advisory locks are simply locks to be used by an
|
||||
// application such as Drupal. This will prevent other Drupal proccesses
|
||||
// application such as Drupal. This will prevent other Drupal processes
|
||||
// from altering the sequence while we are.
|
||||
$this->query("SELECT pg_advisory_lock(" . POSTGRESQL_NEXTID_LOCK . ")");
|
||||
|
||||
@@ -209,7 +209,7 @@ class DatabaseConnection_pgsql extends DatabaseConnection {
|
||||
// Reset the sequence to a higher value than the existing id.
|
||||
$this->query("ALTER SEQUENCE " . $sequence_name . " RESTART WITH " . ($existing + 1));
|
||||
|
||||
// Retrive the next id. We know this will be as high as we want it.
|
||||
// Retrieve the next id. We know this will be as high as we want it.
|
||||
$id = $this->query("SELECT nextval('" . $sequence_name . "')")->fetchField();
|
||||
|
||||
$this->query("SELECT pg_advisory_unlock(" . POSTGRESQL_NEXTID_LOCK . ")");
|
||||
|
@@ -165,7 +165,7 @@ class DatabaseTasks_pgsql extends DatabaseTasks {
|
||||
LANGUAGE \'sql\''
|
||||
);
|
||||
|
||||
// Using || to concatenate in Drupal is not recommeneded because there are
|
||||
// Using || to concatenate in Drupal is not recommended because there are
|
||||
// database drivers for Drupal that do not support the syntax, however
|
||||
// they do support CONCAT(item1, item2) which we can replicate in
|
||||
// PostgreSQL. PostgreSQL requires the function to be defined for each
|
||||
|
@@ -80,7 +80,7 @@ class SelectQuery_pgsql extends SelectQuery {
|
||||
}
|
||||
|
||||
// If a table loads all fields, it can not be added again. It would
|
||||
// result in an ambigious alias error because that field would be loaded
|
||||
// result in an ambiguous alias error because that field would be loaded
|
||||
// twice: Once through table_alias.* and once directly. If the field
|
||||
// actually belongs to a different table, it must be added manually.
|
||||
foreach ($this->tables as $table) {
|
||||
@@ -90,7 +90,7 @@ class SelectQuery_pgsql extends SelectQuery {
|
||||
}
|
||||
|
||||
// If $field contains an characters which are not allowed in a field name
|
||||
// it is considered an expression, these can't be handeld automatically
|
||||
// it is considered an expression, these can't be handled automatically
|
||||
// either.
|
||||
if ($this->connection->escapeField($field) != $field) {
|
||||
return $return;
|
||||
|
@@ -845,8 +845,8 @@ class DeleteQuery extends Query implements QueryConditionInterface {
|
||||
/**
|
||||
* Executes the DELETE query.
|
||||
*
|
||||
* @return
|
||||
* The return value is dependent on the database connection.
|
||||
* @return int
|
||||
* The number of rows affected by the delete query.
|
||||
*/
|
||||
public function execute() {
|
||||
$values = array();
|
||||
@@ -1242,7 +1242,7 @@ class UpdateQuery extends Query implements QueryConditionInterface {
|
||||
* MergeQuery::updateFields() and MergeQuery::insertFields() needs to be called
|
||||
* instead. MergeQuery::fields() can also be called which calls both of these
|
||||
* methods as the common case is to use the same column-value pairs for both
|
||||
* INSERT and UPDATE. However, this is not mandatory. Another convinient
|
||||
* INSERT and UPDATE. However, this is not mandatory. Another convenient
|
||||
* wrapper is MergeQuery::key() which adds the same column-value pairs to the
|
||||
* condition and the INSERT query part.
|
||||
*
|
||||
|
@@ -164,6 +164,9 @@ require_once dirname(__FILE__) . '/query.inc';
|
||||
* @see drupal_install_schema()
|
||||
*/
|
||||
|
||||
/**
|
||||
* Base class for database schema definitions.
|
||||
*/
|
||||
abstract class DatabaseSchema implements QueryPlaceholderInterface {
|
||||
|
||||
protected $connection;
|
||||
@@ -291,7 +294,7 @@ abstract class DatabaseSchema implements QueryPlaceholderInterface {
|
||||
protected function buildTableNameCondition($table_name, $operator = '=', $add_prefix = TRUE) {
|
||||
$info = $this->connection->getConnectionOptions();
|
||||
|
||||
// Retrive the table name and schema
|
||||
// Retrieve the table name and schema
|
||||
$table_info = $this->getPrefixInfo($table_name, $add_prefix);
|
||||
|
||||
$condition = new DatabaseCondition('AND');
|
||||
|
@@ -99,16 +99,15 @@ class UpdateQuery_sqlite extends UpdateQuery {
|
||||
|
||||
/**
|
||||
* SQLite specific implementation of DeleteQuery.
|
||||
*
|
||||
* When the WHERE is omitted from a DELETE statement and the table being deleted
|
||||
* has no triggers, SQLite uses an optimization to erase the entire table content
|
||||
* without having to visit each row of the table individually.
|
||||
*
|
||||
* Prior to SQLite 3.6.5, SQLite does not return the actual number of rows deleted
|
||||
* by that optimized "truncate" optimization.
|
||||
*/
|
||||
class DeleteQuery_sqlite extends DeleteQuery {
|
||||
public function execute() {
|
||||
// When the WHERE is omitted from a DELETE statement and the table being
|
||||
// deleted has no triggers, SQLite uses an optimization to erase the entire
|
||||
// table content without having to visit each row of the table individually.
|
||||
// Prior to SQLite 3.6.5, SQLite does not return the actual number of rows
|
||||
// deleted by that optimized "truncate" optimization. But we want to return
|
||||
// the number of rows affected, so we calculate it directly.
|
||||
if (!count($this->condition)) {
|
||||
$total_rows = $this->connection->query('SELECT COUNT(*) FROM {' . $this->connection->escapeTable($this->table) . '}')->fetchField();
|
||||
parent::execute();
|
||||
|
@@ -244,7 +244,7 @@ class DatabaseSchema_sqlite extends DatabaseSchema {
|
||||
// database. So the syntax '...RENAME TO database.table' would fail.
|
||||
// So we must determine the full table name here rather than surrounding
|
||||
// the table with curly braces incase the db_prefix contains a reference
|
||||
// to a database outside of our existsing database.
|
||||
// to a database outside of our existing database.
|
||||
$info = $this->getPrefixInfo($new_name);
|
||||
$this->connection->query('ALTER TABLE {' . $table . '} RENAME TO ' . $info['table']);
|
||||
|
||||
|
@@ -66,7 +66,7 @@ function _drupal_error_handler_real($error_level, $message, $filename, $line, $c
|
||||
_drupal_log_error(array(
|
||||
'%type' => isset($types[$error_level]) ? $severity_msg : 'Unknown error',
|
||||
// The standard PHP error handler considers that the error messages
|
||||
// are HTML. We mimick this behavior here.
|
||||
// are HTML. We mimic this behavior here.
|
||||
'!message' => filter_xss_admin($message),
|
||||
'%function' => $caller['function'],
|
||||
'%file' => $caller['file'],
|
||||
@@ -114,7 +114,7 @@ function _drupal_decode_exception($exception) {
|
||||
return array(
|
||||
'%type' => get_class($exception),
|
||||
// The standard PHP exception handler considers that the exception message
|
||||
// is plain-text. We mimick this behavior here.
|
||||
// is plain-text. We mimic this behavior here.
|
||||
'!message' => check_plain($message),
|
||||
'%function' => $caller['function'],
|
||||
'%file' => $caller['file'],
|
||||
@@ -233,7 +233,7 @@ function _drupal_log_error($error, $fatal = FALSE) {
|
||||
}
|
||||
else {
|
||||
// Display the message if the current error reporting level allows this type
|
||||
// of message to be displayed, and unconditionnaly in update.php.
|
||||
// of message to be displayed, and unconditionally in update.php.
|
||||
if (error_displayable($error)) {
|
||||
$class = 'error';
|
||||
|
||||
|
@@ -535,7 +535,18 @@ SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
|
||||
EOF;
|
||||
|
||||
if ($private) {
|
||||
$lines = "Deny from all\n\n" . $lines;
|
||||
$lines = <<<EOF
|
||||
# Deny all requests from Apache 2.4+.
|
||||
<IfModule mod_authz_core.c>
|
||||
Require all denied
|
||||
</IfModule>
|
||||
|
||||
# Deny all requests from Apache 2.0-2.2.
|
||||
<IfModule !mod_authz_core.c>
|
||||
Deny from all
|
||||
</IfModule>
|
||||
EOF
|
||||
. "\n\n" . $lines;
|
||||
}
|
||||
|
||||
return $lines;
|
||||
@@ -889,7 +900,6 @@ function file_valid_uri($uri) {
|
||||
*/
|
||||
function file_unmanaged_copy($source, $destination = NULL, $replace = FILE_EXISTS_RENAME) {
|
||||
$original_source = $source;
|
||||
$original_destination = $destination;
|
||||
|
||||
// Assert that the source file actually exists.
|
||||
if (!file_exists($source)) {
|
||||
@@ -1604,6 +1614,20 @@ function file_save_upload($form_field_name, $validators = array(), $destination
|
||||
|
||||
// If we made it this far it's safe to record this file in the database.
|
||||
if ($file = file_save($file)) {
|
||||
// Track non-public files in the session if they were uploaded by an
|
||||
// anonymous user. This allows modules such as the File module to only
|
||||
// grant view access to the specific anonymous user who uploaded the file.
|
||||
// See file_file_download().
|
||||
// The 'file_public_schema' variable is used to allow other publicly
|
||||
// accessible file schemes to be treated the same as the public:// scheme
|
||||
// provided by Drupal core and to avoid adding unnecessary data to the
|
||||
// session (and the resulting bypass of the page cache) in those cases. For
|
||||
// security reasons, only schemes that are completely publicly accessible,
|
||||
// with no download restrictions, should be added to this variable. See
|
||||
// file_managed_file_value().
|
||||
if (!$user->uid && !in_array($destination_scheme, variable_get('file_public_schema', array('public')))) {
|
||||
$_SESSION['anonymous_allowed_file_ids'][$file->fid] = $file->fid;
|
||||
}
|
||||
// Add file to the cache.
|
||||
$upload_cache[$form_field_name] = $file;
|
||||
return $file;
|
||||
@@ -2553,7 +2577,6 @@ function file_directory_temp() {
|
||||
* An associative array of headers, as expected by file_transfer().
|
||||
*/
|
||||
function file_get_content_headers($file) {
|
||||
$name = mime_header_encode($file->filename);
|
||||
$type = mime_header_encode($file->filemime);
|
||||
|
||||
return array(
|
||||
|
Reference in New Issue
Block a user