bachir/materio-base-legacy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

updated core to 7.56, secutity update

Browse Source
This commit is contained in:
Bachir Soussi Chiadmi
2017-07-25 19:10:33 +02:00
parent 58161d2b57
commit 5c7f02554f
158 changed files with 821 additions and 559 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
includes/bootstrap.inc
View File

@@ -8,7 +8,7 @@
/**
* The current system version.
*/
define('VERSION', '7.54');
define('VERSION', '7.56');
/**
* Core API compatibility.
@@ -254,8 +254,13 @@ define('DRUPAL_PHP_FUNCTION_PATTERN', '[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*'
* http://tools.ietf.org/html/rfc7231#section-7.1.1.1
*
* Example: Sun, 06 Nov 1994 08:49:37 GMT
*
* This constant was introduced in PHP 7.0.19 and PHP 7.1.5 but needs to be
* defined by Drupal for earlier PHP versions.
*/
define('DATE_RFC7231', 'D, d M Y H:i:s \G\M\T');
if (!defined('DATE_RFC7231')) {
define('DATE_RFC7231', 'D, d M Y H:i:s \G\M\T');
}
/**
* Provides a caching wrapper to be used in place of large array structures.

2
includes/common.inc
View File

@@ -487,7 +487,7 @@ function drupal_http_build_query(array $query, $parent = '') {
$params = array();
foreach ($query as $key => $value) {
$key = ($parent ? $parent . '[' . rawurlencode($key) . ']' : rawurlencode($key));
$key = $parent ? $parent . rawurlencode('[' . $key . ']') : rawurlencode($key);
// Recurse into children.
if (is_array($value)) {

12
includes/database/pgsql/database.inc
View File

@@ -11,7 +11,7 @@
*/
/**
* The name by which to obtain a lock for retrive the next insert id.
* The name by which to obtain a lock for retrieving the next insert id.
*/
define('POSTGRESQL_NEXTID_LOCK', 1000);
@@ -55,7 +55,7 @@ class DatabaseConnection_pgsql extends DatabaseConnection {
$connection_options['pdo'] += array(
// Prepared statements are most effective for performance when queries
// are recycled (used several times). However, if they are not re-used,
// prepared statements become ineffecient. Since most of Drupal's
// prepared statements become inefficient. Since most of Drupal's
// prepared queries are not re-used, it should be faster to emulate
// the preparation than to actually ready statements for re-use. If in
// doubt, reset to FALSE and measure performance.
@@ -175,14 +175,14 @@ class DatabaseConnection_pgsql extends DatabaseConnection {
}
/**
* Retrive a the next id in a sequence.
* Retrieve the next id in a sequence.
*
* PostgreSQL has built in sequences. We'll use these instead of inserting
* and updating a sequences table.
*/
public function nextId($existing = 0) {
// Retrive the name of the sequence. This information cannot be cached
// Retrieve the name of the sequence. This information cannot be cached
// because the prefix may change, for example, like it does in simpletests.
$sequence_name = $this->makeSequenceName('sequences', 'value');
@@ -194,7 +194,7 @@ class DatabaseConnection_pgsql extends DatabaseConnection {
}
// PostgreSQL advisory locks are simply locks to be used by an
// application such as Drupal. This will prevent other Drupal proccesses
// application such as Drupal. This will prevent other Drupal processes
// from altering the sequence while we are.
$this->query("SELECT pg_advisory_lock(" . POSTGRESQL_NEXTID_LOCK . ")");
@@ -209,7 +209,7 @@ class DatabaseConnection_pgsql extends DatabaseConnection {
// Reset the sequence to a higher value than the existing id.
$this->query("ALTER SEQUENCE " . $sequence_name . " RESTART WITH " . ($existing + 1));
// Retrive the next id. We know this will be as high as we want it.
// Retrieve the next id. We know this will be as high as we want it.
$id = $this->query("SELECT nextval('" . $sequence_name . "')")->fetchField();
$this->query("SELECT pg_advisory_unlock(" . POSTGRESQL_NEXTID_LOCK . ")");

2
includes/database/pgsql/install.inc
View File

@@ -165,7 +165,7 @@ class DatabaseTasks_pgsql extends DatabaseTasks {
LANGUAGE \'sql\''
);
// Using || to concatenate in Drupal is not recommeneded because there are
// Using || to concatenate in Drupal is not recommended because there are
// database drivers for Drupal that do not support the syntax, however
// they do support CONCAT(item1, item2) which we can replicate in
// PostgreSQL. PostgreSQL requires the function to be defined for each

4
includes/database/pgsql/select.inc
View File

@@ -80,7 +80,7 @@ class SelectQuery_pgsql extends SelectQuery {
}
// If a table loads all fields, it can not be added again. It would
// result in an ambigious alias error because that field would be loaded
// result in an ambiguous alias error because that field would be loaded
// twice: Once through table_alias.* and once directly. If the field
// actually belongs to a different table, it must be added manually.
foreach ($this->tables as $table) {
@@ -90,7 +90,7 @@ class SelectQuery_pgsql extends SelectQuery {
}
// If $field contains an characters which are not allowed in a field name
// it is considered an expression, these can't be handeld automatically
// it is considered an expression, these can't be handled automatically
// either.
if ($this->connection->escapeField($field) != $field) {
return $return;

6
includes/database/query.inc
View File

@@ -845,8 +845,8 @@ class DeleteQuery extends Query implements QueryConditionInterface {
/**
* Executes the DELETE query.
*
* @return
* The return value is dependent on the database connection.
* @return int
* The number of rows affected by the delete query.
*/
public function execute() {
$values = array();
@@ -1242,7 +1242,7 @@ class UpdateQuery extends Query implements QueryConditionInterface {
* MergeQuery::updateFields() and MergeQuery::insertFields() needs to be called
* instead. MergeQuery::fields() can also be called which calls both of these
* methods as the common case is to use the same column-value pairs for both
* INSERT and UPDATE. However, this is not mandatory. Another convinient
* INSERT and UPDATE. However, this is not mandatory. Another convenient
* wrapper is MergeQuery::key() which adds the same column-value pairs to the
* condition and the INSERT query part.
*

5
includes/database/schema.inc
View File

@@ -164,6 +164,9 @@ require_once dirname(__FILE__) . '/query.inc';
* @see drupal_install_schema()
*/
/**
* Base class for database schema definitions.
*/
abstract class DatabaseSchema implements QueryPlaceholderInterface {
protected $connection;
@@ -291,7 +294,7 @@ abstract class DatabaseSchema implements QueryPlaceholderInterface {
protected function buildTableNameCondition($table_name, $operator = '=', $add_prefix = TRUE) {
$info = $this->connection->getConnectionOptions();
// Retrive the table name and schema
// Retrieve the table name and schema
$table_info = $this->getPrefixInfo($table_name, $add_prefix);
$condition = new DatabaseCondition('AND');

13
includes/database/sqlite/query.inc
View File

@@ -99,16 +99,15 @@ class UpdateQuery_sqlite extends UpdateQuery {
/**
* SQLite specific implementation of DeleteQuery.
*
* When the WHERE is omitted from a DELETE statement and the table being deleted
* has no triggers, SQLite uses an optimization to erase the entire table content
* without having to visit each row of the table individually.
*
* Prior to SQLite 3.6.5, SQLite does not return the actual number of rows deleted
* by that optimized "truncate" optimization.
*/
class DeleteQuery_sqlite extends DeleteQuery {
public function execute() {
// When the WHERE is omitted from a DELETE statement and the table being
// deleted has no triggers, SQLite uses an optimization to erase the entire
// table content without having to visit each row of the table individually.
// Prior to SQLite 3.6.5, SQLite does not return the actual number of rows
// deleted by that optimized "truncate" optimization. But we want to return
// the number of rows affected, so we calculate it directly.
if (!count($this->condition)) {
$total_rows = $this->connection->query('SELECT COUNT(*) FROM {' . $this->connection->escapeTable($this->table) . '}')->fetchField();
parent::execute();

2
includes/database/sqlite/schema.inc
View File

@@ -244,7 +244,7 @@ class DatabaseSchema_sqlite extends DatabaseSchema {
// database. So the syntax '...RENAME TO database.table' would fail.
// So we must determine the full table name here rather than surrounding
// the table with curly braces incase the db_prefix contains a reference
// to a database outside of our existsing database.
// to a database outside of our existing database.
$info = $this->getPrefixInfo($new_name);
$this->connection->query('ALTER TABLE {' . $table . '} RENAME TO ' . $info['table']);

6
includes/errors.inc
View File

@@ -66,7 +66,7 @@ function _drupal_error_handler_real($error_level, $message, $filename, $line, $c
_drupal_log_error(array(
'%type' => isset($types[$error_level]) ? $severity_msg : 'Unknown error',
// The standard PHP error handler considers that the error messages
// are HTML. We mimick this behavior here.
// are HTML. We mimic this behavior here.
'!message' => filter_xss_admin($message),
'%function' => $caller['function'],
'%file' => $caller['file'],
@@ -114,7 +114,7 @@ function _drupal_decode_exception($exception) {
return array(
'%type' => get_class($exception),
// The standard PHP exception handler considers that the exception message
// is plain-text. We mimick this behavior here.
// is plain-text. We mimic this behavior here.
'!message' => check_plain($message),
'%function' => $caller['function'],
'%file' => $caller['file'],
@@ -233,7 +233,7 @@ function _drupal_log_error($error, $fatal = FALSE) {
}
else {
// Display the message if the current error reporting level allows this type
// of message to be displayed, and unconditionnaly in update.php.
// of message to be displayed, and unconditionally in update.php.
if (error_displayable($error)) {
$class = 'error';

29
includes/file.inc
View File

@@ -535,7 +535,18 @@ SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
EOF;
if ($private) {
$lines = "Deny from all\n\n" . $lines;
$lines = <<<EOF
# Deny all requests from Apache 2.4+.
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Deny all requests from Apache 2.0-2.2.
<IfModule !mod_authz_core.c>
Deny from all
</IfModule>
EOF
. "\n\n" . $lines;
}
return $lines;
@@ -889,7 +900,6 @@ function file_valid_uri($uri) {
*/
function file_unmanaged_copy($source, $destination = NULL, $replace = FILE_EXISTS_RENAME) {
$original_source = $source;
$original_destination = $destination;
// Assert that the source file actually exists.
if (!file_exists($source)) {
@@ -1604,6 +1614,20 @@ function file_save_upload($form_field_name, $validators = array(), $destination
// If we made it this far it's safe to record this file in the database.
if ($file = file_save($file)) {
// Track non-public files in the session if they were uploaded by an
// anonymous user. This allows modules such as the File module to only
// grant view access to the specific anonymous user who uploaded the file.
// See file_file_download().
// The 'file_public_schema' variable is used to allow other publicly
// accessible file schemes to be treated the same as the public:// scheme
// provided by Drupal core and to avoid adding unnecessary data to the
// session (and the resulting bypass of the page cache) in those cases. For
// security reasons, only schemes that are completely publicly accessible,
// with no download restrictions, should be added to this variable. See
// file_managed_file_value().
if (!$user->uid && !in_array($destination_scheme, variable_get('file_public_schema', array('public')))) {
$_SESSION['anonymous_allowed_file_ids'][$file->fid] = $file->fid;
}
// Add file to the cache.
$upload_cache[$form_field_name] = $file;
return $file;
@@ -2553,7 +2577,6 @@ function file_directory_temp() {
* An associative array of headers, as expected by file_transfer().
*/
function file_get_content_headers($file) {
$name = mime_header_encode($file->filename);
$type = mime_header_encode($file->filemime);
return array(