security update core+modules

modules/simpletest/tests/system_test.module

@@ -78,6 +78,13 @@ function system_test_menu() {
     'type' => MENU_CALLBACK,
   );
 
+  $items['system-test/drupal-set-message'] = array(
+    'title' => 'Set messages with drupal_set_message()',
+    'page callback' => 'system_test_drupal_set_message',
+    'access callback' => TRUE,
+    'type' => MENU_CALLBACK,
+  );
+
   $items['system-test/main-content-handling'] = array(
     'title' => 'Test main content handling',
     'page callback' => 'system_test_main_content_fallback',
@@ -106,6 +113,20 @@ function system_test_menu() {
     'type' => MENU_CALLBACK,
   );
 
+  $items['system-test/get-destination'] = array(
+    'title' => 'Test $_GET[\'destination\']',
+    'page callback' => 'system_test_get_destination',
+    'access callback' => TRUE,
+    'type' => MENU_CALLBACK,
+  );
+
+  $items['system-test/request-destination'] = array(
+    'title' => 'Test $_REQUEST[\'destination\']',
+    'page callback' => 'system_test_request_destination',
+    'access callback' => TRUE,
+    'type' => MENU_CALLBACK,
+  );
+
   return $items;
 }
 
@@ -114,8 +135,23 @@ function system_test_sleep($seconds) {
 }
 
 function system_test_basic_auth_page() {
-  $output = t('$_SERVER[\'PHP_AUTH_USER\'] is @username.', array('@username' => $_SERVER['PHP_AUTH_USER']));
-  $output .= t('$_SERVER[\'PHP_AUTH_PW\'] is @password.', array('@password' => $_SERVER['PHP_AUTH_PW']));
+  // The Authorization HTTP header is forwarded via Drupal's .htaccess file even
+  // for PHP CGI SAPIs.
+  if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
+    $authorization_header = $_SERVER['HTTP_AUTHORIZATION'];
+  }
+  // If using CGI on Apache with mod_rewrite, the forwarded HTTP header appears
+  // in the redirected HTTP headers. See
+  // https://github.com/symfony/symfony/blob/master/src/Symfony/Component/HttpFoundation/ServerBag.php#L61
+  elseif (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
+    $authorization_header = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
+  }
+  // Resemble PHP_AUTH_USER and PHP_AUTH_PW for a Basic authentication from
+  // the HTTP_AUTHORIZATION header. See
+  // http://www.php.net/manual/features.http-auth.php
+  list($user, $pw) = explode(':', base64_decode(substr($authorization_header, 6)));
+  $output = t('Username is @username.', array('@username' => $user));
+  $output .= t('Password is @password.', array('@password' => $pw));
   return $output;
 }
 
@@ -405,3 +441,41 @@ function system_test_authorize_init_page($page_title) {
   system_authorized_init('system_test_authorize_run', drupal_get_path('module', 'system_test') . '/system_test.module', array(), $page_title);
   drupal_goto($authorize_url);
 }
+
+/**
+ * Sets two messages and removes the first one before the messages are displayed.
+ */
+function system_test_drupal_set_message() {
+  // Set two messages.
+  drupal_set_message('First message (removed).');
+  drupal_set_message('Second message (not removed).');
+
+  // Remove the first.
+  unset($_SESSION['messages']['status'][0]);
+
+  return '';
+}
+
+/**
+ * Page callback to print out $_GET['destination'] for testing.
+ */
+function system_test_get_destination() {
+  if (isset($_GET['destination'])) {
+    print $_GET['destination'];
+  }
+  // No need to render the whole page, we are just interested in this bit of
+  // information.
+  exit;
+}
+
+/**
+ * Page callback to print out $_REQUEST['destination'] for testing.
+ */
+function system_test_request_destination() {
+  if (isset($_REQUEST['destination'])) {
+    print $_REQUEST['destination'];
+  }
+  // No need to render the whole page, we are just interested in this bit of
+  // information.
+  exit;
+}