security upadtes

This commit is contained in:
Bachir Soussi Chiadmi
2017-09-25 15:16:35 +02:00
parent 650c6448e4
commit 8d8a60b615
240 changed files with 3022 additions and 1300 deletions


@@ -994,7 +994,7 @@ function views_ui_edit_form($form, &$form_state, $view, $display_id = NULL) {
// @todo When more functionality is added to this form, cloning here may be
// too soon. But some of what we do with $view later in this function
// results in making it unserializable due to PDO limitations.
$form_state['view'] = clone($view);
$form_state['view'] = clone $view;
$form['#attached']['library'][] = array('system', 'ui.tabs');
$form['#attached']['library'][] = array('system', 'ui.dialog');


@@ -40,15 +40,18 @@ function views_ajax() {
// Load the view.
$view = views_get_view($name);
if ($view && $view->access($display_id)) {
if ($view && $view->access($display_id) && $view->set_display($display_id) && $view->display_handler->use_ajax()) {
// Fix 'q' for paging.
if (!empty($path)) {
$_GET['q'] = $path;
}
// Add all $_POST data, because AJAX is always a post and many things,
// If page parameter is in the $_POST exclude it from $_GET,
// otherwise support views_ajax requests using $_GET.
$exclude = isset($_POST['page']) ? array('page') : array();
// Add all $_POST data to $_GET as many things,
// such as tablesorts, exposed filters and paging assume $_GET.
$_GET = $_POST + drupal_get_query_parameters($_GET, array('page'));
$_GET = $_POST + drupal_get_query_parameters($_GET, $exclude);
// Overwrite the destination.
// @see drupal_get_destination()
@@ -343,7 +346,7 @@ function views_ajax_autocomplete_taxonomy($vid, $tags_typed = '') {
$query = db_select('taxonomy_term_data', 't');
$query->addTag('translatable');
$query->addTag('term_access');
$query->addTag('taxonomy_term_access');
// Do not select already entered terms.
if (!empty($tags_typed)) {
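Review bot: The rewritten `if` in views_ajax() now folds four distinct requirements — the view loads, the caller passes `access()`, `set_display()` succeeds, and the display has AJAX enabled — into one expression, and nothing in the hunk records which of them is the access-control requirement versus a plain "not applicable" check; a later edit that reorders or drops one term would not look suspicious. A short comment above the condition would preserve the intent, e.g. `// Serve only displays that exist and have AJAX enabled; access() is checked before the display is switched so the access decision is made against the requested display.` Note also that `set_display()` has the side effect of changing the view's current display even when the later `use_ajax()` test fails, which may matter if the view object is reused on the fall-through path (not visible here). The body of views_ajax() starts and continues outside this hunk.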


@@ -1544,9 +1544,16 @@ class views_join {
// Tack on the extra.
if (isset($this->extra)) {
if (is_array($this->extra)) {
$extras = array();
foreach ($this->extra as $info) {
// If extra has been provided as string instead of an array, convert it
// to an array.
if (!is_array($this->extra)) {
$this->extra = array($this->extra);
}
$extras = array();
foreach ($this->extra as $info) {
if (is_array($info)) {
$extra = '';
// Figure out the table name. Remember, only use aliases provided
// if at all possible.
$join_table = '';
@@ -1564,76 +1571,49 @@ class views_join {
}
}
// If left_field is set use it for a field-to-field condition.
if (!empty($info['left_field'])) {
$operator = !empty($info['operator']) ? $info['operator'] : '=';
$left_table = (isset($info['left_table'])) ? $info['left_table'] : $left['alias'];
$extras[] = "$join_table$info[field] $operator $left_table.$info[left_field]";
}
// Else if formula is set, us it for a flexible on clause.
elseif (!empty($info['formula'])) {
// If a field is given, we build a "$field $op $formula".
// Without it would only be "$formula".
$extra = '';
if (isset($info['field'])) {
// With a single value, the '=' operator is implicit.
$operator = !empty($info['operator']) ? $info['operator'] : '=';
$extra .= "$join_table$info[field] $operator ";
}
$extra .= $info['formula'];
// Add placeholder arguments.
if (isset($info['formula_arguments']) && is_array($info['formula_arguments'])) {
$arguments = array_merge($arguments, $info['formula_arguments']);
}
$extras[] = $extra;
}
// Otherwise - and if we have a value - use it for a field-to-value condition.
elseif (!empty($info['value'])) {
// Convert a single-valued array of values to the single-value case,
// and transform from IN() notation to = notation
if (is_array($info['value']) && count($info['value']) == 1) {
if (empty($info['operator'])) {
$operator = '=';
}
else {
$operator = $info['operator'] == 'NOT IN' ? '!=' : '=';
}
$info['value'] = array_shift($info['value']);
}
if (is_array($info['value'])) {
// With an array of values, we need multiple placeholders and the
// 'IN' operator is implicit.
foreach ($info['value'] as $value) {
$placeholder_i = ':views_join_condition_' . $select_query->nextPlaceholder();
$arguments[$placeholder_i] = $value;
}
$operator = !empty($info['operator']) ? $info['operator'] : 'IN';
$placeholder = '( ' . implode(', ', array_keys($arguments)) . ' )';
// Convert a single-valued array of values to the single-value case,
// and transform from IN() notation to = notation
if (is_array($info['value']) && count($info['value']) == 1) {
if (empty($info['operator'])) {
$operator = '=';
}
else {
// With a single value, the '=' operator is implicit.
$operator = !empty($info['operator']) ? $info['operator'] : '=';
$placeholder = ':views_join_condition_' . $select_query->nextPlaceholder();
$arguments[$placeholder] = $info['value'];
$operator = $info['operator'] == 'NOT IN' ? '!=' : '=';
}
$info['value'] = array_shift($info['value']);
}
if (is_array($info['value'])) {
// With an array of values, we need multiple placeholders and the
// 'IN' operator is implicit.
foreach ($info['value'] as $value) {
$placeholder_i = $view_query->placeholder('views_join_condition_');
$arguments[$placeholder_i] = $value;
}
$extras[] = "$join_table$info[field] $operator $placeholder";
}
}
if ($extras) {
if (count($extras) == 1) {
$condition .= ' AND ' . array_shift($extras);
$operator = !empty($info['operator']) ? $info['operator'] : 'IN';
$placeholder = '( ' . implode(', ', array_keys($arguments)) . ' )';
}
else {
$condition .= ' AND (' . implode(' ' . $this->extra_type . ' ', $extras) . ')';
// With a single value, the '=' operator is implicit.
$operator = !empty($info['operator']) ? $info['operator'] : '=';
$placeholder = $view_query->placeholder('views_join_condition_');
$arguments[$placeholder] = $info['value'];
}
$extras[] = "$join_table$info[field] $operator $placeholder";
}
elseif (is_string($info)) {
$extras[] = $info;
}
}
elseif ($this->extra && is_string($this->extra)) {
$condition .= " AND ($this->extra)";
if ($extras) {
if (count($extras) == 1) {
$condition .= ' AND ' . array_shift($extras);
}
else {
$condition .= ' AND (' . implode(' ' . $this->extra_type . ' ', $extras) . ')';
}
}
}
@@ -1681,11 +1661,19 @@ class views_join_subquery extends views_join {
$arguments = array();
// Tack on the extra.
// This is just copied verbatim from the parent class, which itself has a bug: http://drupal.org/node/1118100
// This is just copied verbatim from the parent class, which itself has a
// bug: http://drupal.org/node/1118100
if (isset($this->extra)) {
if (is_array($this->extra)) {
$extras = array();
foreach ($this->extra as $info) {
// If extra has been provided as string instead of an array, convert it
// to an array.
if (!is_array($this->extra)) {
$this->extra = array($this->extra);
}
$extras = array();
foreach ($this->extra as $info) {
if (is_array($info)) {
$extra = '';
// Figure out the table name. Remember, only use aliases provided
// if at all possible.
$join_table = '';
@@ -1713,18 +1701,18 @@ class views_join_subquery extends views_join {
$extras[] = "$join_table$info[field] $operator $placeholder";
$arguments[$placeholder] = $info['value'];
}
if ($extras) {
if (count($extras) == 1) {
$condition .= ' AND ' . array_shift($extras);
}
else {
$condition .= ' AND (' . implode(' ' . $this->extra_type . ' ', $extras) . ')';
}
elseif (is_string($info)) {
$extras[] = $info;
}
}
elseif ($this->extra && is_string($this->extra)) {
$condition .= " AND ($this->extra)";
if ($extras) {
if (count($extras) == 1) {
$condition .= ' AND ' . array_shift($extras);
}
else {
$condition .= ' AND (' . implode(' ' . $this->extra_type . ' ', $extras) . ')';
}
}
}
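Review bot: A string `extra` is no longer parenthesised when it is the only extra: the removed branch appended `" AND ($this->extra)"`, while the new code pushes the bare string with `$extras[] = $info;` and, when `count($extras) == 1`, emits `' AND ' . array_shift($extras)`, so a string such as `a = 1 OR b = 2` now binds differently inside the ON clause. Wrapping the string where it is collected restores the old grouping: `$extras[] = "($info)";`. The same pattern is duplicated in the views_join_subquery hunk below (the `elseif (is_string($info))` branch there), and the comment on that copy already admits it is pasted verbatim from the parent, so both copies need the same fix — or, better, the parent's extra-handling could be factored into a protected helper that both `build_join()` implementations call. The methods containing these hunks start and end outside the visible lines.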


@@ -411,18 +411,8 @@ class view extends views_db_object {
* Figure out what the exposed input for this view is.
*/
function get_exposed_input() {
// Fill our input either from $_GET or from something previously set on the
// view.
if (empty($this->exposed_input)) {
$this->exposed_input = $_GET;
// unset items that are definitely not our input:
foreach (array('page', 'q') as $key) {
if (isset($this->exposed_input[$key])) {
unset($this->exposed_input[$key]);
}
}
// If we have no input at all, check for remembered input via session.
$this->exposed_input = array();
// If filters are not overridden, store the 'remember' settings on the
// default display. If they are, store them on this display. This way,
@@ -430,9 +420,17 @@ class view extends views_db_object {
// remember settings.
$display_id = ($this->display_handler->is_defaulted('filters')) ? 'default' : $this->current_display;
if (empty($this->exposed_input) && !empty($_SESSION['views'][$this->name][$display_id])) {
// Start with remembered input via session.
if (!empty($_SESSION['views'][$this->name][$display_id])) {
$this->exposed_input = $_SESSION['views'][$this->name][$display_id];
}
// Fetch exposed input values from $_GET. Overwrite if clashing.
foreach ($_GET as $key => $value) {
if (!in_array($key, array('page', 'q'))) {
$this->exposed_input[$key] = $value;
}
}
}
return $this->exposed_input;
@@ -685,6 +683,10 @@ class view extends views_db_object {
*/
function init_pager() {
if (empty($this->query->pager)) {
// If the query doesn't exist, initialize it.
if (empty($this->query)) {
$this->init_query();
}
$this->query->pager = $this->display_handler->get_plugin('pager');
if ($this->query->pager->use_pager()) {
@@ -1282,7 +1284,7 @@ class view extends views_db_object {
foreach ($GLOBALS['base_theme_info'] as $base) {
$function = $base->name . '_views_post_render';
if (function_exists($function)) {
$function($this);
$function($this, $this->display_handler->output, $cache);
}
}
$function = $GLOBALS['theme'] . '_views_post_render';
@@ -1478,7 +1480,7 @@ class view extends views_db_object {
* this sets the display handler if it hasn't been.
*/
function access($displays = NULL, $account = NULL) {
// Noone should have access to disabled views.
// No one should have access to disabled views.
if (!empty($this->disabled)) {
return FALSE;
}
@@ -1960,12 +1962,12 @@ class view extends views_db_object {
* The cloned view.
*/
function clone_view() {
$clone = version_compare(phpversion(), '5.0') < 0 ? $this : clone($this);
$clone = clone $this;
$keys = array('current_display', 'display_handler', 'build_info', 'built', 'executed', 'attachment_before', 'attachment_after', 'field', 'argument', 'filter', 'sort', 'relationship', 'header', 'footer', 'empty', 'query', 'inited', 'style_plugin', 'plugin_name', 'exposed_data', 'exposed_input', 'exposed_widgets', 'many_to_one_tables', 'feed_icon');
foreach ($keys as $key) {
if (isset($clone->$key)) {
unset($clone->$key);
if (isset($clone->{$key})) {
unset($clone->{$key});
}
}
$clone->built = $clone->executed = FALSE;
@@ -1994,7 +1996,7 @@ class view extends views_db_object {
*/
function destroy() {
foreach (array_keys($this->display) as $display_id) {
if (isset($this->display[$display_id]->handler)) {
if (isset($this->display[$display_id]->handler) && is_object($this->display[$display_id]->handler)) {
$this->display[$display_id]->handler->destroy();
unset($this->display[$display_id]->handler);
}
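Review bot: In the new `$_GET` loop of get_exposed_input(), `in_array($key, array('page', 'q'))` compares loosely, and on the PHP versions this Drupal 7 code targets an integer key `0` (a query string like `?0=x`) satisfies `0 == 'page'`, so that parameter is silently dropped from the exposed input while any other key is copied; pass the third argument: `if (!in_array($key, array('page', 'q'), TRUE)) {`. The same loose comparison existed in the removed `foreach (array('page', 'q') as $key)` form only via `isset`, which was exact, so this is a regression introduced by the rewrite. The closing brace of get_exposed_input() lies outside the hunk.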