updated core to 7.80

2021-07-12 10:11:08 +02:00
parent 7b1e954f7f
commit 5656f5a68a
236 changed files with 4149 additions and 888 deletions


@@ -149,7 +149,7 @@ Drupal.ajax = function (base, element, element_settings) {
// The 'this' variable will not persist inside of the options object.
var ajax = this;
ajax.options = {
url: ajax.url,
url: Drupal.sanitizeAjaxUrl(ajax.url),
data: ajax.submit,
beforeSerialize: function (element_settings, options) {
return ajax.beforeSerialize(element_settings, options);
@@ -195,9 +195,29 @@ Drupal.ajax = function (base, element, element_settings) {
}
},
dataType: 'json',
jsonp: false,
type: 'POST'
};
// For multipart forms (e.g., file uploads), jQuery Form targets the form
// submission to an iframe instead of using an XHR object. The initial "src"
// of the iframe, prior to the form submission, is set to options.iframeSrc.
// "about:blank" is the semantically correct, standards-compliant, way to
// initialize a blank iframe; however, some old IE versions (possibly only 6)
// incorrectly report a mixed content warning when iframes with an
// "about:blank" src are added to a parent document with an https:// origin.
// jQuery Form works around this by defaulting to "javascript:false" instead,
// but that breaks on Chrome 83, so here we force the semantically correct
// behavior for all browsers except old IE.
// @see https://www.drupal.org/project/drupal/issues/3143016
// @see https://github.com/jquery-form/form/blob/df9cb101b9c9c085c8d75ad980c7ff1cf62063a1/jquery.form.js#L68
// @see https://bugs.chromium.org/p/chromium/issues/detail?id=1084874
// @see https://html.spec.whatwg.org/multipage/browsers.html#creating-browsing-contexts
// @see https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
if (navigator.userAgent.indexOf("MSIE") === -1) {
ajax.options.iframeSrc = 'about:blank';
}
// Bind the ajaxSubmit function to the element event.
$(ajax.element).bind(element_settings.event, function (event) {
if (!Drupal.settings.urlIsAjaxTrusted[ajax.url] && !Drupal.urlIsLocal(ajax.url)) {
@@ -388,7 +408,7 @@ Drupal.ajax.prototype.beforeSend = function (xmlhttprequest, options) {
// Insert progressbar or throbber.
if (this.progress.type == 'bar') {
var progressBar = new Drupal.progressBar('ajax-progress-' + this.element.id, eval(this.progress.update_callback), this.progress.method, eval(this.progress.error_callback));
var progressBar = new Drupal.progressBar('ajax-progress-' + this.element.id, $.noop, this.progress.method, $.noop);
if (this.progress.message) {
progressBar.setProgress(-1, this.progress.message);
}
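Review bot: The progress-bar line in `Drupal.ajax.prototype.beforeSend` now passes `$.noop` for both callbacks, but nothing at the call site says that `this.progress.update_callback` and `this.progress.error_callback` are deliberately ignored. Those values were previously handed to `eval()`, so a maintainer who notices the settings are still present could be tempted to wire them back in the same way. A comment above the line would record the intent, for example `// progress.update_callback and progress.error_callback are intentionally ignored: they are strings and were previously passed to eval().` The body of `beforeSend` continues outside the hunk.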


@@ -297,8 +297,9 @@ Drupal.ACDB.prototype.search = function (searchString) {
// encodeURIComponent to allow autocomplete search terms to contain slashes.
$.ajax({
type: 'GET',
url: db.uri + '/' + Drupal.encodePath(searchString),
url: Drupal.sanitizeAjaxUrl(db.uri + '/' + Drupal.encodePath(searchString)),
dataType: 'json',
jsonp: false,
success: function (matches) {
if (typeof matches.status == 'undefined' || matches.status != 0) {
db.cache[searchString] = matches;


@@ -424,6 +424,23 @@ Drupal.urlIsLocal = function (url) {
return absoluteUrl === baseUrl || absoluteUrl.indexOf(baseUrl + '/') === 0;
};
/**
* Sanitizes a URL for use with jQuery.ajax().
*
* @param url
* The URL string to be sanitized.
*
* @return
* The sanitized URL.
*/
Drupal.sanitizeAjaxUrl = function (url) {
var regex = /\=\?(&|$)/;
while (url.match(regex)) {
url = url.replace(regex, '');
}
return url;
}
/**
* Generate the themed representation of a Drupal object.
*
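Review bot: The docblock for `Drupal.sanitizeAjaxUrl` says only that the URL is "sanitized", without naming what is removed or why, so the security purpose is easy to lose in a later refactor. From the regex, the function strips every `=?` that is followed by `&` or the end of the string, which looks like the placeholder jQuery uses to switch a request to JSONP. The docblock could say `Removes "=?" JSONP callback placeholders so that jQuery.ajax() does not treat the request as JSONP.` and mention that the loop is there because one removal can expose a new match. The trailing `&` is removed together with `=?`, so `a=?&b=1` becomes `ab=1`; `url = url.replace(regex, '$1');` would keep the separator and avoid merging parameter names.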


@@ -0,0 +1,251 @@
/**
* For jQuery versions less than 3.5.0, this replaces the jQuery.htmlPrefilter()
* function with one that fixes these security vulnerabilities while also
* retaining the pre-3.5.0 behavior where it's safe to do so.
* - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
* - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
*
* Additionally, for jQuery versions that do not have a jQuery.htmlPrefilter()
* function (1.x prior to 1.12 and 2.x prior to 2.2), this adds it, and
* extends the functions that need to call it to do so.
*
* Drupal core's jQuery version is 1.4.4, but jQuery Update can provide a
* different version, so this covers all versions between 1.4.4 and 3.4.1.
* The GitHub links in the code comments below link to jQuery 1.5 code, because
* 1.4.4 isn't on GitHub, but the referenced code didn't change from 1.4.4 to
* 1.5.
*/
(function (jQuery) {
// Parts of this backport differ by jQuery version.
var versionParts = jQuery.fn.jquery.split('.');
var majorVersion = parseInt(versionParts[0]);
var minorVersion = parseInt(versionParts[1]);
// No backport is needed if we're already on jQuery 3.5 or higher.
if ( (majorVersion > 3) || (majorVersion === 3 && minorVersion >= 5) ) {
return;
}
// Prior to jQuery 3.5, jQuery converted XHTML-style self-closing tags to
// their XML equivalent: e.g., "<div />" to "<div></div>". This is
// problematic for several reasons, including that it's vulnerable to XSS
// attacks. However, since this was jQuery's behavior for many years, many
// Drupal modules and jQuery plugins may be relying on it. Therefore, we
// preserve that behavior, but for a limited set of tags only, that we believe
// to not be vulnerable. This is the set of HTML tags that satisfy all of the
// following conditions:
// - In DOMPurify's list of HTML tags. If an HTML tag isn't safe enough to
// appear in that list, then we don't want to mess with it here either.
// @see https://github.com/cure53/DOMPurify/blob/2.0.11/dist/purify.js#L128
// - A normal element (not a void, template, text, or foreign element).
// @see https://html.spec.whatwg.org/multipage/syntax.html#elements-2
// - An element that is still defined by the current HTML specification
// (not a deprecated element), because we do not want to rely on how
// browsers parse deprecated elements.
// @see https://developer.mozilla.org/en-US/docs/Web/HTML/Element
// - Not 'html', 'head', or 'body', because this pseudo-XHTML expansion is
// designed for fragments, not entire documents.
// - Not 'colgroup', because due to an idiosyncrasy of jQuery's original
// regular expression, it didn't match on colgroup, and we don't want to
// introduce a behavior change for that.
var selfClosingTagsToReplace = [
'a', 'abbr', 'address', 'article', 'aside', 'audio', 'b', 'bdi', 'bdo',
'blockquote', 'button', 'canvas', 'caption', 'cite', 'code', 'data',
'datalist', 'dd', 'del', 'details', 'dfn', 'div', 'dl', 'dt', 'em',
'fieldset', 'figcaption', 'figure', 'footer', 'form', 'h1', 'h2', 'h3',
'h4', 'h5', 'h6', 'header', 'hgroup', 'i', 'ins', 'kbd', 'label', 'legend',
'li', 'main', 'map', 'mark', 'menu', 'meter', 'nav', 'ol', 'optgroup',
'option', 'output', 'p', 'picture', 'pre', 'progress', 'q', 'rp', 'rt',
'ruby', 's', 'samp', 'section', 'select', 'small', 'source', 'span',
'strong', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th',
'thead', 'time', 'tr', 'u', 'ul', 'var', 'video'
];
// Define regular expressions for <TAG/> and <TAG ATTRIBUTES/>. Doing this as
// two expressions makes it easier to target <a/> without also targeting
// every tag that starts with "a".
var xhtmlRegExpGroup = '(' + selfClosingTagsToReplace.join('|') + ')';
var whitespace = '[\\x20\\t\\r\\n\\f]';
var rxhtmlTagWithoutSpaceOrAttributes = new RegExp('<' + xhtmlRegExpGroup + '\\/>', 'gi');
var rxhtmlTagWithSpaceAndMaybeAttributes = new RegExp('<' + xhtmlRegExpGroup + '(' + whitespace + '[^>]*)\\/>', 'gi');
// jQuery 3.5 also fixed a vulnerability for when </select> appears within
// an <option> or <optgroup>, but it did that in local code that we can't
// backport directly. Instead, we filter such cases out. To do so, we need to
// determine when jQuery would otherwise invoke the vulnerable code, which it
// uses this regular expression to determine. The regular expression changed
// for version 3.0.0 and changed again for 3.4.0.
// @see https://github.com/jquery/jquery/blob/1.5/jquery.js#L4958
// @see https://github.com/jquery/jquery/blob/3.0.0/dist/jquery.js#L4584
// @see https://github.com/jquery/jquery/blob/3.4.0/dist/jquery.js#L4712
var rtagName;
if (majorVersion < 3) {
rtagName = /<([\w:]+)/;
}
else if (minorVersion < 4) {
rtagName = /<([a-z][^\/\0>\x20\t\r\n\f]+)/i;
}
else {
rtagName = /<([a-z][^\/\0>\x20\t\r\n\f]*)/i;
}
// The regular expression that jQuery uses to determine which self-closing
// tags to expand to open and close tags. This is vulnerable, because it
// matches all tag names except the few excluded ones. We only use this
// expression for determining vulnerability. The expression changed for
// version 3, but we only need to check for vulnerability in versions 1 and 2,
// so we use the expression from those versions.
// @see https://github.com/jquery/jquery/blob/1.5/jquery.js#L4957
var rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/gi;
jQuery.extend({
htmlPrefilter: function (html) {
// This is how jQuery determines the first tag in the HTML.
// @see https://github.com/jquery/jquery/blob/1.5/jquery.js#L5521
var tag = ( rtagName.exec( html ) || [ "", "" ] )[ 1 ].toLowerCase();
// It is not valid HTML for <option> or <optgroup> to have <select> as
// either a descendant or sibling, and attempts to inject one can cause
// XSS on jQuery versions before 3.5. Since this is invalid HTML and a
// possible XSS attack, reject the entire string.
// @see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
if ((tag === 'option' || tag === 'optgroup') && html.match(/<\/?select/i)) {
html = '';
}
// Retain jQuery's prior to 3.5 conversion of pseudo-XHTML, but for only
// the tags in the `selfClosingTagsToReplace` list defined above.
// @see https://github.com/jquery/jquery/blob/1.5/jquery.js#L5518
// @see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
html = html.replace(rxhtmlTagWithoutSpaceOrAttributes, "<$1></$1>");
html = html.replace(rxhtmlTagWithSpaceAndMaybeAttributes, "<$1$2></$1>");
// Prior to jQuery 1.12 and 2.2, this function gets called (via code later
// in this file) in addition to, rather than instead of, the unsafe
// expansion of self-closing tags (including ones not in the list above).
// We can't prevent that unsafe expansion from running, so instead we
// check to make sure that it doesn't affect the DOM returned by the
// browser's parsing logic. If it does affect it, then it's vulnerable to
// XSS, so we reject the entire string.
if ( (majorVersion === 1 && minorVersion < 12) || (majorVersion === 2 && minorVersion < 2) ) {
var htmlRisky = html.replace(rxhtmlTag, "<$1></$2>");
if (htmlRisky !== html) {
// Even though htmlRisky and html are different strings, they might
// represent the same HTML structure once parsed, in which case,
// htmlRisky is actually safe. We can ask the browser to parse both
// to find out, but the browser can't parse table fragments (e.g., a
// root-level "<td>"), so we need to wrap them. We just need this
// technique to work on all supported browsers; we don't need to
// copy from the specific jQuery version we're using.
// @see https://github.com/jquery/jquery/blob/3.5.1/dist/jquery.js#L4939
var wrapMap = {
thead: [ 1, "<table>", "</table>" ],
col: [ 2, "<table><colgroup>", "</colgroup></table>" ],
tr: [ 2, "<table><tbody>", "</tbody></table>" ],
td: [ 3, "<table><tbody><tr>", "</tr></tbody></table>" ],
};
wrapMap.tbody = wrapMap.tfoot = wrapMap.colgroup = wrapMap.caption = wrapMap.thead;
wrapMap.th = wrapMap.td;
// Function to wrap HTML into something that a browser can parse.
// @see https://github.com/jquery/jquery/blob/3.5.1/dist/jquery.js#L5032
var getWrappedHtml = function (html) {
var wrap = wrapMap[tag];
if (wrap) {
html = wrap[1] + html + wrap[2];
}
return html;
};
// Function to return canonical HTML after parsing it. This parses
// only; it doesn't execute scripts.
// @see https://github.com/jquery/jquery-migrate/blob/3.3.0/src/jquery/manipulation.js#L5
var getParsedHtml = function (html) {
var doc = window.document.implementation.createHTMLDocument( "" );
doc.body.innerHTML = html;
return doc.body ? doc.body.innerHTML : '';
};
// If the browser couldn't parse either one successfully, or if
// htmlRisky parses differently than html, then html is vulnerable,
// so reject it.
var htmlParsed = getParsedHtml(getWrappedHtml(html));
var htmlRiskyParsed = getParsedHtml(getWrappedHtml(htmlRisky));
if (htmlRiskyParsed === '' || htmlParsed === '' || (htmlRiskyParsed !== htmlParsed)) {
html = '';
}
}
}
return html;
}
});
// Prior to jQuery 1.12 and 2.2, jQuery.clean(), jQuery.buildFragment(), and
// jQuery.fn.html() did not call jQuery.htmlPrefilter(), so we add that.
if ( (majorVersion === 1 && minorVersion < 12) || (majorVersion === 2 && minorVersion < 2) ) {
// Filter the HTML coming into jQuery.fn.html().
var fnOriginalHtml = jQuery.fn.html;
jQuery.fn.extend({
// @see https://github.com/jquery/jquery/blob/1.5/jquery.js#L5147
html: function (value) {
if (typeof value === "string") {
value = jQuery.htmlPrefilter(value);
}
// .html() can be called as a setter (with an argument) or as a getter
// (without an argument), so invoke fnOriginalHtml() the same way that
// we were invoked.
return fnOriginalHtml.apply(this, arguments.length ? [value] : []);
}
});
// The regular expression that jQuery uses to determine if a string is HTML.
// Used by both clean() and buildFragment().
// @see https://github.com/jquery/jquery/blob/1.5/jquery.js#L4960
var rhtml = /<|&#?\w+;/;
// Filter HTML coming into:
// - jQuery.clean() for versions prior to 1.9.
// - jQuery.buildFragment() for 1.9 and above.
//
// The looping constructs in the two functions might be essentially
// identical, but they're each expressed here in the way that most closely
// matches their original expression in jQuery, so that we filter all of
// the items and only the items that jQuery will treat as HTML strings.
if (majorVersion === 1 && minorVersion < 9) {
var originalClean = jQuery.clean;
jQuery.extend({
// @see https://github.com/jquery/jquery/blob/1.5/jquery.js#L5493
'clean': function (elems, context, fragment, scripts) {
for ( var i = 0, elem; (elem = elems[i]) != null; i++ ) {
if ( typeof elem === "string" && rhtml.test( elem ) ) {
elems[i] = elem = jQuery.htmlPrefilter(elem);
}
}
return originalClean.call(this, elems, context, fragment, scripts);
}
});
}
else {
var originalBuildFragment = jQuery.buildFragment;
jQuery.extend({
// @see https://github.com/jquery/jquery/blob/1.9.0/jquery.js#L6419
'buildFragment': function (elems, context, scripts, selection) {
var l = elems.length;
for ( var i = 0; i < l; i++ ) {
var elem = elems[i];
if (elem || elem === 0) {
if ( jQuery.type( elem ) !== "object" && rhtml.test( elem ) ) {
elems[i] = elem = jQuery.htmlPrefilter(elem);
}
}
}
return originalBuildFragment.call(this, elems, context, scripts, selection);
}
});
}
}
})(jQuery);
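Review bot: In `getParsedHtml`, `doc.body.innerHTML = html` dereferences `doc.body` one line before the `doc.body ? doc.body.innerHTML : ''` guard, so the guard cannot protect the assignment. A browser without `document.implementation.createHTMLDocument` would likewise throw inside `htmlPrefilter` instead of reaching the "couldn't parse, so reject it" branch described in the comment. If those cases are meant to fail closed with an empty string, wrap the two statements, e.g. `try { doc = window.document.implementation.createHTMLDocument(""); doc.body.innerHTML = html; } catch (e) { return ''; }`. As a style point, the version parsing at the top should pass a radix: `parseInt(versionParts[0], 10)` and `parseInt(versionParts[1], 10)`.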

1
misc/jquery.js vendored

@@ -1,4 +1,3 @@
/*!
* jQuery JavaScript Library v1.4.4
* http://jquery.com/


@@ -1,5 +1,6 @@
[![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/TYPO3/phar-stream-wrapper/badges/quality-score.png?b=v2)](https://scrutinizer-ci.com/g/TYPO3/phar-stream-wrapper/?branch=v2)
[![Travis CI Build Status](https://travis-ci.org/TYPO3/phar-stream-wrapper.svg?branch=v2)](https://travis-ci.org/TYPO3/phar-stream-wrapper)
[![AppVeyor Build status](https://ci.appveyor.com/api/projects/status/q4ls5tg4w1d6sf4i/branch/v2?svg=true)](https://ci.appveyor.com/project/ohader/phar-stream-wrapper)
# PHP Phar Stream Wrapper
@@ -21,9 +22,11 @@ and has been addressed concerning the specific attack vector and for this generi
`PharStreamWrapper` in TYPO3 versions 7.6.30 LTS, 8.7.17 LTS and 9.3.1 on 12th
July 2018.
* https://typo3.org/security/advisory/typo3-core-sa-2018-002/
* https://blog.secarma.co.uk/labs/near-phar-dangerous-unserialization-wherever-you-are
* https://youtu.be/GePBmsNJw6Y
* https://typo3.org/security/advisory/typo3-psa-2018-001/
* https://typo3.org/security/advisory/typo3-psa-2019-007/
* https://typo3.org/security/advisory/typo3-psa-2019-008/
## License


@@ -7,7 +7,6 @@
"keywords": ["php", "phar", "stream-wrapper", "security"],
"require": {
"php": "^5.3.3|^7.0",
"ext-fileinfo": "*",
"ext-json": "*",
"brumann/polyfill-unserialize": "^1.0"
},
@@ -15,6 +14,9 @@
"ext-xdebug": "*",
"phpunit/phpunit": "^4.8.36"
},
"suggest": {
"ext-fileinfo": "For PHP builtin file type guessing, otherwise uses internal processing"
},
"autoload": {
"psr-4": {
"TYPO3\\PharStreamWrapper\\": "src/"


@@ -52,7 +52,7 @@ class Helper
while (count($parts)) {
$currentPath = implode('/', $parts);
if (@is_file($currentPath)) {
if (@is_file($currentPath) && realpath($currentPath) !== false) {
return $currentPath;
}
array_pop($parts);
@@ -106,7 +106,7 @@ class Helper
* @param string $path File path to process
* @return string
*/
private static function normalizeWindowsPath($path)
public static function normalizeWindowsPath($path)
{
return str_replace('\\', '/', $path);
}


@@ -19,6 +19,11 @@ class Reader
private $fileName;
/**
* Mime-type in order to use zlib, bzip2 or no compression.
* In case ext-fileinfo is not present only the relevant types
* 'application/x-gzip' and 'application/x-bzip2' are assigned
* to this class property.
*
* @var string
*/
private $fileType;
@@ -139,7 +144,7 @@ class Reader
*/
private function resolveStream()
{
if ($this->fileType === 'application/x-gzip') {
if ($this->fileType === 'application/x-gzip' || $this->fileType === 'application/gzip') {
return 'compress.zlib://';
} elseif ($this->fileType === 'application/x-bzip2') {
return 'compress.bzip2://';
@@ -152,8 +157,37 @@ class Reader
*/
private function determineFileType()
{
$fileInfo = new \finfo();
return $fileInfo->file($this->fileName, FILEINFO_MIME_TYPE);
if (class_exists('\\finfo')) {
$fileInfo = new \finfo();
return $fileInfo->file($this->fileName, FILEINFO_MIME_TYPE);
}
return $this->determineFileTypeByHeader();
}
/**
* In case ext-fileinfo is not present only the relevant types
* 'application/x-gzip' and 'application/x-bzip2' are resolved.
*
* @return string
*/
private function determineFileTypeByHeader()
{
$resource = fopen($this->fileName, 'r');
if (!is_resource($resource)) {
throw new ReaderException(
sprintf('Resource %s could not be opened', $this->fileName),
1557753055
);
}
$header = fgets($resource, 4);
fclose($resource);
$mimeType = '';
if (strpos($header, "\x42\x5a\x68") === 0) {
$mimeType = 'application/x-bzip2';
} elseif (strpos($header, "\x1f\x8b") === 0) {
$mimeType = 'application/x-gzip';
}
return $mimeType;
}
/**
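Review bot: `determineFileTypeByHeader()` reads the magic bytes with `fgets($resource, 4)`, which is line-oriented and returns `false` on an empty file, so `$header` can reach `strpos()` as a non-string. A binary read with an explicit failure check fits header sniffing better: `$header = fread($resource, 3);` followed by `if ($header === false) { $header = ''; }`. The bare `fopen()` will also emit a PHP warning before the `ReaderException` is thrown when the file cannot be opened, whereas the `is_file()` check in the Helper class is silenced with `@`; it would be worth making the two consistent.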


@@ -476,7 +476,7 @@ class PharStreamWrapper
{
$arguments = func_get_args();
array_shift($arguments);
$silentExecution = $functionName{0} === '@';
$silentExecution = $functionName[0] === '@';
$functionName = ltrim($functionName, '@');
$this->restoreInternalSteamWrapper();


@@ -14,6 +14,7 @@ namespace TYPO3\PharStreamWrapper\Resolver;
use TYPO3\PharStreamWrapper\Helper;
use TYPO3\PharStreamWrapper\Manager;
use TYPO3\PharStreamWrapper\Phar\Reader;
use TYPO3\PharStreamWrapper\Phar\ReaderException;
use TYPO3\PharStreamWrapper\Resolvable;
class PharInvocationResolver implements Resolvable
@@ -59,7 +60,7 @@ class PharInvocationResolver implements Resolvable
{
$hasPharPrefix = Helper::hasPharPrefix($path);
if ($flags === null) {
$flags = static::RESOLVE_REALPATH | static::RESOLVE_ALIAS | static::ASSERT_INTERNAL_INVOCATION;
$flags = static::RESOLVE_REALPATH | static::RESOLVE_ALIAS;
}
if ($hasPharPrefix && $flags & static::RESOLVE_ALIAS) {
@@ -147,9 +148,14 @@ class PharInvocationResolver implements Resolvable
}
// ensure the possible alias name (how we have been called initially) matches
// the resolved alias name that was retrieved by the current possible base name
$reader = new Reader($currentBaseName);
$currentAlias = $reader->resolveContainer()->getAlias();
if ($currentAlias !== $possibleAlias) {
try {
$reader = new Reader($currentBaseName);
$currentAlias = $reader->resolveContainer()->getAlias();
} catch (ReaderException $exception) {
// most probably that was not a Phar file
continue;
}
if (empty($currentAlias) || $currentAlias !== $possibleAlias) {
continue;
}
$this->addBaseName($currentBaseName);
@@ -215,7 +221,9 @@ class PharInvocationResolver implements Resolvable
if (isset($this->baseNames[$baseName])) {
return;
}
$this->baseNames[$baseName] = realpath($baseName);
$this->baseNames[$baseName] = Helper::normalizeWindowsPath(
realpath($baseName)
);
}
/**