security upadtes

2017-09-25 15:16:35 +02:00
parent 650c6448e4
commit 8d8a60b615
240 changed files with 3022 additions and 1300 deletions
--- a/sites/all/modules/views/tests/styles/views_plugin_style.test
+++ b/sites/all/modules/views/tests/styles/views_plugin_style.test
@@ -252,11 +252,11 @@ class ViewsPluginStyleTestCase extends ViewsPluginStyleTestBase {
    foreach ($rows as $row) {
      $attributes = $row->attributes();
      $class = (string) $attributes['class'][0];
-      $this->assertTrue(strpos($class, $random_name) !== FALSE, 'Take sure that a custom css class is added to the output.');
+      $this->assertTrue(strpos($class, $random_name) !== FALSE, 'Make sure that a custom css class is added to the output.');

      // Check token replacement.
-      $name = drupal_html_class($view->field['name']->get_value($view->result[$count]));
-      $this->assertTrue(strpos($class, "test-token-$name") !== FALSE, 'Take sure that a token in custom css class is replaced.');
+      $name = drupal_clean_css_identifier($view->field['name']->get_value($view->result[$count]));
+      $this->assertTrue(strpos($class, "test-token-$name") !== FALSE, 'Make sure that a token in custom css class is replaced.');

      $count++;
    }
--- a/sites/all/modules/views/tests/views_ajax.test
+++ b/sites/all/modules/views/tests/views_ajax.test
@@ -0,0 +1,109 @@
+<?php
+
+/**
+ * @file
+ * Definition of ViewsAjaxTest.
+ */
+
+/**
+ * Tests views ajax display.
+ */
+class ViewsAjaxTest extends ViewsSqlTest {
+  public static function getInfo() {
+    return array(
+      'name' => 'Ajax',
+      'description' => 'Test views with and without ajax enabled.',
+      'group' => 'Views Handlers',
+    );
+  }
+
+  public function setUp() {
+    parent::setUp('views', 'views_test');
+    // Create a second node.
+    $this->drupalCreateNode(array('type' => 'article', 'status' => NODE_PUBLISHED));
+  }
+
+  /**
+   * Perform a simple AJAX POST HTTP request.
+   *
+   * @param string $path
+   *   Drupal path where the request should be POSTed.
+   * @param string $accept
+   *   The value for the "Accept" header. Usually either 'application/json' or
+   *   'application/vnd.drupal-ajax'.
+   * @param array $post
+   *   The POST data. When making a 'application/vnd.drupal-ajax' request, the
+   *   Ajax page state data should be included. Use getAjaxPageStatePostData()
+   *   for that.
+   *
+   * @return
+   *   The content returned from the call to curl_exec().
+   */
+  public function simpleAjaxPost($path, $accept, $post = array()) {
+    $options['absolute'] = TRUE;
+    foreach ($post as $key => $value) {
+      // Encode according to application/x-www-form-urlencoded
+      // Both names and values needs to be urlencoded, according to
+      // http://www.w3.org/TR/html4/interact/forms.html#h-17.13.4.1
+      $post[$key] = urlencode($key) . '=' . urlencode($value);
+    }
+    $postfields = implode('&', $post);
+    $headers = array(
+      'Accept: ' . $accept,
+      'Content-Type: application/x-www-form-urlencoded',
+    );
+    return $this->curlExec(array(
+      CURLOPT_URL => url($path, $options),
+      CURLOPT_POST => TRUE,
+      CURLOPT_POSTFIELDS => $postfields,
+      CURLOPT_HTTPHEADER => $headers,
+    ));
+  }
+
+  /**
+   * Tests an ajax and non-ajax view.
+   */
+  public function testAjaxView() {
+    $this->drupalCreateNode();
+    $this->drupalGet('test_ajax_view');
+    $drupal_settings = $this->drupalGetSettings();
+    $this->assertTrue(isset($drupal_settings['views']['ajax_path']), 'The Ajax callback path is set in drupalSettings.');
+    $this->assertEqual(count($drupal_settings['views']['ajaxViews']), 1);
+    $view_entry = current(array_keys($drupal_settings['views']['ajaxViews']));
+    $this->assertEqual($drupal_settings['views']['ajaxViews'][$view_entry]['view_name'], 'test_ajax_view', 'The view\'s ajaxViews array entry has the correct \'view_name\' key.');
+    $this->assertEqual($drupal_settings['views']['ajaxViews'][$view_entry]['view_display_id'], 'page_1', 'The view\'s ajaxViews array entry has the correct \'view_display_id\' key.');
+
+    $post = array(
+      'view_name' => 'test_ajax_view',
+      'view_display_id' => 'page_1',
+    );
+
+    $response = $this->simpleAjaxPost('views/ajax', 'application/json', $post);
+    $data = drupal_json_decode($response);
+
+    $this->assertTrue(isset($data[0]['settings']['views']['ajaxViews']));
+
+    // Ensure that the view insert command is part of the result.
+    $this->assertEqual($data[1]['command'], 'insert');
+    $this->assertTrue(strpos($data[1]['selector'], '.view-dom-id-') === 0);
+
+    $this->drupalSetContent($data[1]['data']);
+    $result = $this->xpath('//div[contains(@class, "views-row")]');
+    $this->assertEqual(count($result), 2, 'Ensure that two items are rendered in the HTML.');
+
+    $post = array(
+      'view_name' => 'test_noajax_view',
+      'view_display_id' => 'default',
+    );
+
+    $response = $this->simpleAjaxPost('views/ajax', 'application/json', $post);
+    $data = drupal_json_decode($response);
+    // In Drupal 7 we get an ajax response with no commands instead of a 403 if
+    // the view cannot be accessed.
+    foreach ($data as $item) {
+      $this->assertIdentical('settings', $item['command']);
+      $this->assertTrue(empty($item['data']));
+    }
+  }
+
+}
--- a/sites/all/modules/views/tests/views_exposed_form.test
+++ b/sites/all/modules/views/tests/views_exposed_form.test
@@ -56,6 +56,38 @@ class ViewsExposedFormTest extends ViewsSqlTest {
    $this->helperButtonHasLabel('edit-reset', $expected_label);
  }

+  /**
+   * Tests that exposed values are correctly stored.
+   */
+  public function testRemember() {
+    $account = $this->drupalCreateUser();
+    $this->drupalLogin($account);
+    // Create some random nodes.
+    for ($i = 0; $i < 5; $i++) {
+      $this->drupalCreateNode();
+    }
+
+    // Set the exposed filter.
+    $this->drupalGet('test_exposed_remember', array('query' => array('type' => 'page')));
+    $this->assertFieldByName('type', 'page');
+
+    // Request the page again, should still be set.
+    $this->drupalGet('test_exposed_remember');
+    $this->assertFieldByName('type', 'page');
+
+    // Request the page with an unrelated GET argument, filter should still be set.
+    $this->drupalGet('test_exposed_remember', array('query' => array('argument' => 'value')));
+    $this->assertFieldByName('type', 'page');
+
+    // Change the remembered exposed value.
+    $this->drupalGet('test_exposed_remember', array('query' => array('type' => 'article')));
+    $this->assertFieldByName('type', 'article');
+
+    // Request the page again, should have remembered the new value.
+    $this->drupalGet('test_exposed_remember');
+    $this->assertFieldByName('type', 'article');
+  }
+
  /**
   * Tests the admin interface of exposed filter and sort items.
   */
--- a/sites/all/modules/views/tests/views_test.info
+++ b/sites/all/modules/views/tests/views_test.info
@@ -5,9 +5,9 @@ core = 7.x
 dependencies[] = views
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2016-06-15
-version = "7.x-3.14"
+; Information added by Drupal.org packaging script on 2017-08-23
+version = "7.x-3.18"
 core = "7.x"
 project = "views"
-datestamp = "1466019588"
+datestamp = "1503495103"

--- a/sites/all/modules/views/tests/views_test.views_default.inc
+++ b/sites/all/modules/views/tests/views_test.views_default.inc
@@ -218,5 +218,113 @@ function views_test_views_default_views() {

  $views[$view->name] = $view;

+  $view = new view();
+  $view->name = 'test_exposed_remember';
+  $view->description = '';
+  $view->tag = '';
+  $view->base_table = 'node';
+  $view->human_name = 'test_exposed_remember';
+  $view->core = 0;
+  $view->api_version = '3.0';
+  $view->disabled = FALSE; /* Edit this to true to make a default view disabled initially */
+
+  /* Display: Master */
+  $handler = $view->new_display('default', 'Master', 'default');
+  $handler->display->display_options['use_more_always'] = FALSE;
+  $handler->display->display_options['access']['type'] = 'none';
+  $handler->display->display_options['cache']['type'] = 'none';
+  $handler->display->display_options['query']['type'] = 'views_query';
+  $handler->display->display_options['exposed_form']['type'] = 'basic';
+  $handler->display->display_options['exposed_form']['options']['reset_button'] = TRUE;
+  $handler->display->display_options['pager']['type'] = 'none';
+  $handler->display->display_options['style_plugin'] = 'default';
+  $handler->display->display_options['row_plugin'] = 'node';
+  /* Sort criterion: Content: Post date */
+  $handler->display->display_options['sorts']['created']['id'] = 'created';
+  $handler->display->display_options['sorts']['created']['table'] = 'node';
+  $handler->display->display_options['sorts']['created']['field'] = 'created';
+  /* Filter criterion: Content: Type */
+  $handler->display->display_options['filters']['type']['id'] = 'type';
+  $handler->display->display_options['filters']['type']['table'] = 'node';
+  $handler->display->display_options['filters']['type']['field'] = 'type';
+  $handler->display->display_options['filters']['type']['exposed'] = TRUE;
+  $handler->display->display_options['filters']['type']['expose']['operator_id'] = 'type_op';
+  $handler->display->display_options['filters']['type']['expose']['label'] = 'Type';
+  $handler->display->display_options['filters']['type']['expose']['operator'] = 'type_op';
+  $handler->display->display_options['filters']['type']['expose']['identifier'] = 'type';
+  $handler->display->display_options['filters']['type']['expose']['remember'] = TRUE;
+  $handler->display->display_options['filters']['type']['expose']['remember_roles'] = array(
+    2 => '2',
+  );
+
+  /* Display: Page */
+  $handler = $view->new_display('page', 'Page', 'page_1');
+  $handler->display->display_options['path'] = 'test_exposed_remember';
+  $translatables['test_exposed_remember'] = array(
+    t('Master'),
+    t('more'),
+    t('Apply'),
+    t('Reset'),
+    t('Sort by'),
+    t('Asc'),
+    t('Desc'),
+    t('Type'),
+    t('Page'),
+  );
+
+  $views[$view->name] = $view;
+
+  $view = new view();
+  $view->name = 'test_ajax_view';
+  $view->description = '';
+  $view->tag = '';
+  $view->base_table = 'node';
+  $view->human_name = '';
+  $view->core = 0;
+  $view->api_version = '3.0';
+  $view->disabled = FALSE; /* Edit this to true to make a default view disabled initially */
+
+  /* Display: Master */
+  $handler = $view->new_display('default', 'Master', 'default');
+  $handler->display->display_options['use_ajax'] = TRUE;
+  $handler->display->display_options['use_more_always'] = FALSE;
+  $handler->display->display_options['access']['type'] = 'none';
+  $handler->display->display_options['cache']['type'] = 'none';
+  $handler->display->display_options['query']['type'] = 'views_query';
+  $handler->display->display_options['exposed_form']['type'] = 'basic';
+  $handler->display->display_options['pager']['type'] = 'none';
+  $handler->display->display_options['style_plugin'] = 'default';
+  $handler->display->display_options['row_plugin'] = 'node';
+
+  /* Display: Page */
+  $handler = $view->new_display('page', 'Page', 'page_1');
+  $handler->display->display_options['path'] = 'test_ajax_view';
+
+  $views[$view->name] = $view;
+
+  $view = new view();
+  $view->name = 'test_noajax_view';
+  $view->description = '';
+  $view->tag = '';
+  $view->base_table = 'node';
+  $view->human_name = '';
+  $view->core = 0;
+  $view->api_version = '3.0';
+  $view->disabled = FALSE; /* Edit this to true to make a default view disabled initially */
+
+  /* Display: Master */
+  $handler = $view->new_display('default', 'Master', 'default');
+  $handler->display->display_options['use_ajax'] = FALSE;
+  $handler->display->display_options['use_more_always'] = FALSE;
+  $handler->display->display_options['access']['type'] = 'none';
+  $handler->display->display_options['cache']['type'] = 'none';
+  $handler->display->display_options['query']['type'] = 'views_query';
+  $handler->display->display_options['exposed_form']['type'] = 'basic';
+  $handler->display->display_options['pager']['type'] = 'none';
+  $handler->display->display_options['style_plugin'] = 'default';
+  $handler->display->display_options['row_plugin'] = 'node';
+
+  $views[$view->name] = $view;
+
  return $views;
 }
--- a/sites/all/modules/views/tests/views_view.test
+++ b/sites/all/modules/views/tests/views_view.test
@@ -7,8 +7,11 @@

 /**
 * Views class tests.
+ *
+ * @codingStandardsIgnoreStart
 */
 class ViewsViewTest extends ViewsSqlTest {
+  // @codingStandardsIgnoreEnd
  public static function getInfo() {
    return array(
      'name' => 'Test the view class',
@@ -227,6 +230,8 @@ class ViewsViewTest extends ViewsSqlTest {
      'default' => 'default',
      'page_1' => 'page_1',
    );
+
+    // @codingStandardsIgnoreLine
    $translatables['test_destroy'] = array(
      t('Master'),
      t('more'),
@@ -272,6 +277,8 @@ class ViewsViewTest extends ViewsSqlTest {
    $handler->display->display_options['pager']['type'] = 'full';
    $handler->display->display_options['style_plugin'] = 'default';
    $handler->display->display_options['row_plugin'] = 'fields';
+
+    // @codingStandardsIgnoreLine
    $translatables['test_view_delete'] = array(
      t('Defaults'),
      t('more'),