core security update

2016-10-13 12:11:14 +02:00
parent 747127f643
commit 1a06561593
306 changed files with 7346 additions and 2431 deletions
--- a/modules/node/content_types.inc
+++ b/modules/node/content_types.inc
@@ -11,7 +11,7 @@
 function node_overview_types() {
  $types = node_type_get_types();
  $names = node_type_get_names();
-  $field_ui = module_exists('field_ui');
+  $field_ui = module_exists('field_ui') && user_access('administer fields');
  $header = array(t('Name'), array('data' => t('Operations'), 'colspan' => $field_ui ? '4' : '2'));
  $rows = array();

--- a/modules/node/node.admin.inc
+++ b/modules/node/node.admin.inc
@@ -329,6 +329,8 @@ function _node_mass_update_helper($nid, $updates) {
 }

 /**
+ * Implements callback_batch_operation().
+ *
 * Executes a batch operation for node_mass_update().
 *
 * @param array $nodes
@@ -367,7 +369,9 @@ function _node_mass_update_batch_process($nodes, $updates, &$context) {
 }

 /**
- * Menu callback: Reports the status of batch operation for node_mass_update().
+ * Implements callback_batch_finished().
+ *
+ * Reports the status of batch operation for node_mass_update().
 *
 * @param bool $success
 *   A boolean indicating whether the batch mass update operation successfully
@@ -504,14 +508,17 @@ function node_admin_nodes() {
  $options = array();
  foreach ($nodes as $node) {
    $langcode = entity_language('node', $node);
-    $l_options = $langcode != LANGUAGE_NONE && isset($languages[$langcode]) ? array('language' => $languages[$langcode]) : array();
+    $uri = entity_uri('node', $node);
+    if ($langcode != LANGUAGE_NONE && isset($languages[$langcode])) {
+      $uri['options']['language'] = $languages[$langcode];
+    }
    $options[$node->nid] = array(
      'title' => array(
        'data' => array(
          '#type' => 'link',
          '#title' => $node->title,
-          '#href' => 'node/' . $node->nid,
-          '#options' => $l_options,
+          '#href' => $uri['path'],
+          '#options' => $uri['options'],
          '#suffix' => ' ' . theme('mark', array('type' => node_mark($node->nid, $node->changed))),
        ),
      ),
--- a/modules/node/node.api.php
+++ b/modules/node/node.api.php
@@ -950,7 +950,7 @@ function hook_node_info() {
 *   'recent', or 'comments'. The values should be arrays themselves, with the
 *   following keys available:
 *   - title: (required) The human readable name of the ranking mechanism.
- *   - join: (optional) The part of a query string to join to any additional
+ *   - join: (optional) An array with information to join any additional
 *     necessary table. This is not necessary if the table required is already
 *     joined to by the base query, such as for the {node} table. Other tables
 *     should use the full table name as an alias to avoid naming collisions.
@@ -974,7 +974,12 @@ function hook_ranking() {
        'title' => t('Average vote'),
        // Note that we use i.sid, the search index's search item id, rather than
        // n.nid.
-        'join' => 'LEFT JOIN {vote_node_data} vote_node_data ON vote_node_data.nid = i.sid',
+        'join' => array(
+          'type' => 'LEFT',
+          'table' => 'vote_node_data',
+          'alias' => 'vote_node_data',
+          'on' => 'vote_node_data.nid = i.sid',
+        ),
        // The highest possible score should be 1, and the lowest possible score,
        // always 0, should be 0.
        'score' => 'vote_node_data.average / CAST(%f AS DECIMAL)',
@@ -1079,19 +1084,9 @@ function hook_delete($node) {
 * @ingroup node_api_hooks
 */
 function hook_prepare($node) {
-  $file = file_save_upload($field_name, _image_filename($file->filename, NULL, TRUE));
-  if ($file) {
-    if (!image_get_info($file->uri)) {
-      form_set_error($field_name, t('Uploaded file is not a valid image'));
-      return;
-    }
+  if (!isset($node->mymodule_value)) {
+    $node->mymodule_value = 'foo';
  }
-  else {
-    return;
-  }
-  $node->images['_original'] = $file->uri;
-  _image_build_derivatives($node, TRUE);
-  $node->new_file = TRUE;
 }

 /**
--- a/modules/node/node.info
+++ b/modules/node/node.info
@@ -9,8 +9,8 @@ required = TRUE
 configure = admin/structure/types
 stylesheets[all][] = node.css

-; Information added by Drupal.org packaging script on 2015-04-02
-version = "7.36"
+; Information added by Drupal.org packaging script on 2016-10-05
+version = "7.51"
 project = "drupal"
-datestamp = "1427943826"
+datestamp = "1475694174"

--- a/modules/node/node.install
+++ b/modules/node/node.install
@@ -410,6 +410,7 @@ function node_schema() {
      'nid' => array(
        'description' => 'The {node}.nid that was read.',
        'type' => 'int',
+        'unsigned' => TRUE,
        'not null' => TRUE,
        'default' => 0,
      ),
@@ -933,6 +934,33 @@ function node_update_7014() {
  db_add_index('node', 'language', array('language'));
 }

+/**
+ * Enable node types that may have been erroneously disabled in Drupal 7.36.
+ */
+function node_update_7015() {
+  db_update('node_type')
+    ->fields(array('disabled' => 0))
+    ->condition('base', 'node_content')
+    ->execute();
+}
+
+/**
+ * Change {history}.nid to an unsigned int in order to match {node}.nid.
+ */
+function node_update_7016() {
+  db_drop_primary_key('history');
+  db_drop_index('history', 'nid');
+  db_change_field('history', 'nid', 'nid', array(
+    'description' => 'The {node}.nid that was read.',
+    'type' => 'int',
+    'unsigned' => TRUE,
+    'not null' => TRUE,
+    'default' => 0,
+  ));
+  db_add_primary_key('history', array('uid', 'nid'));
+  db_add_index('history', 'nid', array('nid'));
+}
+
 /**
 * @} End of "addtogroup updates-7.x-extra".
 */
--- a/modules/node/node.module
+++ b/modules/node/node.module
@@ -740,9 +740,11 @@ function _node_types_build($rebuild = FALSE) {
    $type_db = $type_object->type;
    // Original disabled value.
    $disabled = $type_object->disabled;
-    // Check for node types either from disabled modules or otherwise not defined
-    // and mark as disabled.
-    if (empty($type_object->custom) && empty($_node_types->types[$type_db])) {
+    // Check for node types from disabled modules and mark their types for removal.
+    // Types defined by the node module in the database (rather than by a separate
+    // module using hook_node_info) have a base value of 'node_content'. The isset()
+    // check prevents errors on old (pre-Drupal 7) databases.
+    if (isset($type_object->base) && $type_object->base != 'node_content' && empty($_node_types->types[$type_db])) {
      $type_object->disabled = TRUE;
    }
    if (isset($_node_types->types[$type_db])) {
@@ -2951,7 +2953,10 @@ function node_search_validate($form, &$form_state) {
 * system. When adding a node listing to your module, be sure to use a dynamic
 * query created by db_select() and add a tag of "node_access". This will allow
 * modules dealing with node access to ensure only nodes to which the user has
- * access are retrieved, through the use of hook_query_TAG_alter().
+ * access are retrieved, through the use of hook_query_TAG_alter(). Tagging a
+ * query with "node_access" does not check the published/unpublished status of
+ * nodes, so the base query is responsible for ensuring that unpublished nodes
+ * are not displayed to inappropriate users.
 *
 * Note: Even a single module returning NODE_ACCESS_DENY from hook_node_access()
 * will block access to the node. Therefore, implementers should take care to
@@ -3667,6 +3672,8 @@ function node_access_rebuild($batch_mode = FALSE) {
 }

 /**
+ * Implements callback_batch_operation().
+ *
 * Performs batch operation for node_access_rebuild().
 *
 * This is a multistep operation: we go through all nodes by packs of 20. The
@@ -3681,7 +3688,7 @@ function _node_access_rebuild_batch_operation(&$context) {
    // Initiate multistep processing.
    $context['sandbox']['progress'] = 0;
    $context['sandbox']['current_node'] = 0;
-    $context['sandbox']['max'] = db_query('SELECT COUNT(DISTINCT nid) FROM {node}')->fetchField();
+    $context['sandbox']['max'] = db_query('SELECT COUNT(nid) FROM {node}')->fetchField();
  }

  // Process the next 20 nodes.
@@ -3705,6 +3712,8 @@ function _node_access_rebuild_batch_operation(&$context) {
 }

 /**
+ * Implements callback_batch_finished().
+ *
 * Performs post-processing for node_access_rebuild().
 *
 * @param bool $success
--- a/modules/node/node.pages.inc
+++ b/modules/node/node.pages.inc
@@ -396,7 +396,6 @@ function node_preview($node) {

    $cloned_node->changed = REQUEST_TIME;
    $nodes = array($cloned_node->nid => $cloned_node);
-    field_attach_prepare_view('node', $nodes, 'full');

    // Display a preview of the node.
    if (!form_get_errors()) {
--- a/modules/node/node.test
+++ b/modules/node/node.test
@@ -457,10 +457,70 @@ class PagePreviewTestCase extends DrupalWebTestCase {
  }

  function setUp() {
-    parent::setUp();
+    parent::setUp(array('taxonomy', 'node'));

    $web_user = $this->drupalCreateUser(array('edit own page content', 'create page content'));
    $this->drupalLogin($web_user);
+
+    // Add a vocabulary so we can test different view modes.
+    $vocabulary = (object) array(
+      'name' => $this->randomName(),
+      'description' => $this->randomName(),
+      'machine_name' => drupal_strtolower($this->randomName()),
+      'help' => '',
+      'nodes' => array('page' => 'page'),
+    );
+    taxonomy_vocabulary_save($vocabulary);
+
+    $this->vocabulary = $vocabulary;
+
+    // Add a term to the vocabulary.
+    $term = (object) array(
+      'name' => $this->randomName(),
+      'description' => $this->randomName(),
+      // Use the first available text format.
+      'format' => db_query_range('SELECT format FROM {filter_format}', 0, 1)->fetchField(),
+      'vid' => $this->vocabulary->vid,
+      'vocabulary_machine_name' => $vocabulary->machine_name,
+    );
+    taxonomy_term_save($term);
+
+    $this->term = $term;
+
+    // Set up a field and instance.
+    $this->field_name = drupal_strtolower($this->randomName());
+    $this->field = array(
+      'field_name' => $this->field_name,
+      'type' => 'taxonomy_term_reference',
+      'settings' => array(
+        'allowed_values' => array(
+          array(
+            'vocabulary' => $this->vocabulary->machine_name,
+            'parent' => '0',
+          ),
+        ),
+      )
+    );
+
+    field_create_field($this->field);
+    $this->instance = array(
+      'field_name' => $this->field_name,
+      'entity_type' => 'node',
+      'bundle' => 'page',
+      'widget' => array(
+        'type' => 'options_select',
+      ),
+      // Hide on full display but render on teaser.
+      'display' => array(
+        'default' => array(
+          'type' => 'hidden',
+        ),
+        'teaser' => array(
+          'type' => 'taxonomy_term_reference_link',
+        ),
+      ),
+    );
+    field_create_instance($this->instance);
  }

  /**
@@ -470,21 +530,26 @@ class PagePreviewTestCase extends DrupalWebTestCase {
    $langcode = LANGUAGE_NONE;
    $title_key = "title";
    $body_key = "body[$langcode][0][value]";
+    $term_key = "{$this->field_name}[$langcode]";

    // Fill in node creation form and preview node.
    $edit = array();
    $edit[$title_key] = $this->randomName(8);
    $edit[$body_key] = $this->randomName(16);
+    $edit[$term_key] = $this->term->tid;
    $this->drupalPost('node/add/page', $edit, t('Preview'));

-    // Check that the preview is displaying the title and body.
+    // Check that the preview is displaying the title, body, and term.
    $this->assertTitle(t('Preview | Drupal'), 'Basic page title is preview.');
    $this->assertText($edit[$title_key], 'Title displayed.');
    $this->assertText($edit[$body_key], 'Body displayed.');
+    $this->assertText($this->term->name, 'Term displayed.');

-    // Check that the title and body fields are displayed with the correct values.
+    // Check that the title, body, and term fields are displayed with the
+    // correct values.
    $this->assertFieldByName($title_key, $edit[$title_key], 'Title field displayed.');
    $this->assertFieldByName($body_key, $edit[$body_key], 'Body field displayed.');
+    $this->assertFieldByName($term_key, $edit[$term_key], 'Term field displayed.');
  }

  /**
@@ -494,6 +559,7 @@ class PagePreviewTestCase extends DrupalWebTestCase {
    $langcode = LANGUAGE_NONE;
    $title_key = "title";
    $body_key = "body[$langcode][0][value]";
+    $term_key = "{$this->field_name}[$langcode]";
    // Force revision on "Basic page" content.
    variable_set('node_options_page', array('status', 'revision'));

@@ -501,17 +567,21 @@ class PagePreviewTestCase extends DrupalWebTestCase {
    $edit = array();
    $edit[$title_key] = $this->randomName(8);
    $edit[$body_key] = $this->randomName(16);
+    $edit[$term_key] = $this->term->tid;
    $edit['log'] = $this->randomName(32);
    $this->drupalPost('node/add/page', $edit, t('Preview'));

-    // Check that the preview is displaying the title and body.
+    // Check that the preview is displaying the title, body, and term.
    $this->assertTitle(t('Preview | Drupal'), 'Basic page title is preview.');
    $this->assertText($edit[$title_key], 'Title displayed.');
    $this->assertText($edit[$body_key], 'Body displayed.');
+    $this->assertText($this->term->name, 'Term displayed.');

-    // Check that the title and body fields are displayed with the correct values.
+    // Check that the title, body, and term fields are displayed with the
+    // correct values.
    $this->assertFieldByName($title_key, $edit[$title_key], 'Title field displayed.');
    $this->assertFieldByName($body_key, $edit[$body_key], 'Body field displayed.');
+    $this->assertFieldByName($term_key, $edit[$term_key], 'Term field displayed.');

    // Check that the log field has the correct value.
    $this->assertFieldByName('log', $edit['log'], 'Log field displayed.');
@@ -1448,7 +1518,7 @@ class NodeTypeTestCase extends DrupalWebTestCase {
   * Tests editing a node type using the UI.
   */
  function testNodeTypeEditing() {
-    $web_user = $this->drupalCreateUser(array('bypass node access', 'administer content types'));
+    $web_user = $this->drupalCreateUser(array('bypass node access', 'administer content types', 'administer fields'));
    $this->drupalLogin($web_user);

    $instance = field_info_instance('node', 'body', 'page');
@@ -2698,8 +2768,8 @@ class NodeAccessFieldTestCase extends NodeWebTestCase {
    node_access_rebuild();

    // Create some users.
-    $this->admin_user = $this->drupalCreateUser(array('access content', 'bypass node access'));
-    $this->content_admin_user = $this->drupalCreateUser(array('access content', 'administer content types'));
+    $this->admin_user = $this->drupalCreateUser(array('access content', 'bypass node access', 'administer fields'));
+    $this->content_admin_user = $this->drupalCreateUser(array('access content', 'administer content types', 'administer fields'));

    // Add a custom field to the page content type.
    $this->field_name = drupal_strtolower($this->randomName() . '_field_name');
@@ -2916,3 +2986,36 @@ class NodePageCacheTest extends NodeWebTestCase {
    $this->assertResponse(404);
  }
 }
+
+/**
+ * Tests that multi-byte UTF-8 characters are stored and retrieved correctly.
+ */
+class NodeMultiByteUtf8Test extends NodeWebTestCase {
+
+  public static function getInfo() {
+    return array(
+      'name' => 'Multi-byte UTF-8',
+      'description' => 'Test that multi-byte UTF-8 characters are stored and retrieved correctly.',
+      'group' => 'Node',
+    );
+  }
+
+  /**
+   * Tests that multi-byte UTF-8 characters are stored and retrieved correctly.
+   */
+  public function testMultiByteUtf8() {
+    $connection = Database::getConnection();
+    // On MySQL, this test will only run if 'charset' is set to 'utf8mb4' in
+    // settings.php.
+    if (!($connection->utf8mb4IsSupported() && $connection->utf8mb4IsActive())) {
+      return;
+    }
+    $title = '🐙';
+    $this->assertTrue(drupal_strlen($title, 'utf-8') < strlen($title), 'Title has multi-byte characters.');
+    $node = $this->drupalCreateNode(array('title' => $title));
+    $this->drupalGet('node/' . $node->nid);
+    $result = $this->xpath('//h1[@id="page-title"]');
+    $this->assertEqual(trim((string) $result[0]), $title, 'The passed title was returned.');
+  }
+
+}
--- a/modules/node/tests/node_access_test.info
+++ b/modules/node/tests/node_access_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2015-04-02
-version = "7.36"
+; Information added by Drupal.org packaging script on 2016-10-05
+version = "7.51"
 project = "drupal"
-datestamp = "1427943826"
+datestamp = "1475694174"

--- a/modules/node/tests/node_test.info
+++ b/modules/node/tests/node_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2015-04-02
-version = "7.36"
+; Information added by Drupal.org packaging script on 2016-10-05
+version = "7.51"
 project = "drupal"
-datestamp = "1427943826"
+datestamp = "1475694174"

--- a/modules/node/tests/node_test_exception.info
+++ b/modules/node/tests/node_test_exception.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2015-04-02
-version = "7.36"
+; Information added by Drupal.org packaging script on 2016-10-05
+version = "7.51"
 project = "drupal"
-datestamp = "1427943826"
+datestamp = "1475694174"