updated core to 7.73

CHANGELOG.txt

@@ -1,5 +1,23 @@
-Drupal 7.xx, xxxx-xx-xx (development version)
+Drupal 7.73, 2020-09-16
 -----------------------
+- Fixed security issues:
+   - SA-CORE-2020-007
+
+Drupal 7.72, 2020-06-17
+-----------------------
+- Fixed security issues:
+   - SA-CORE-2020-004
+
+Drupal 7.71, 2020-06-03
+-----------------------
+- Fix for jQuery Form bug in Chromium-based browsers
+- Full support for PHP 7.4
+
+Drupal 7.70, 2020-05-19
+-----------------------
+- Fixed security issues:
+   - SA-CORE-2020-002
+   - SA-CORE-2020-003
 
 Drupal 7.69, 2019-12-18
 -----------------------

includes/batch.inc

@@ -478,18 +478,17 @@ function _batch_finished() {
         $queue->deleteQueue();
       }
     }
+    // Clean-up the session. Not needed for CLI updates.
+    if (isset($_SESSION)) {
+      unset($_SESSION['batches'][$batch['id']]);
+      if (empty($_SESSION['batches'])) {
+        unset($_SESSION['batches']);
+      }
+    }
   }
   $_batch = $batch;
   $batch = NULL;
 
-  // Clean-up the session. Not needed for CLI updates.
-  if (isset($_SESSION)) {
-    unset($_SESSION['batches'][$batch['id']]);
-    if (empty($_SESSION['batches'])) {
-      unset($_SESSION['batches']);
-    }
-  }
-
   // Redirect if needed.
   if ($_batch['progressive']) {
     // Revert the 'destination' that was saved in batch_process().

includes/bootstrap.inc

@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.69');
+define('VERSION', '7.73');
 
 /**
  * Core API compatibility.

includes/common.inc

@@ -391,7 +391,7 @@ function drupal_add_feed($url = NULL, $title = '') {
  */
 function drupal_get_feeds($delimiter = "\n") {
   $feeds = drupal_add_feed();
-  return implode($feeds, $delimiter);
+  return implode($delimiter, $feeds);
 }
 
 /**
@@ -684,7 +684,10 @@ function drupal_goto($path = '', array $options = array(), $http_response_code =
   // We do not allow absolute URLs to be passed via $_GET, as this can be an attack vector.
   if (isset($_GET['destination']) && !url_is_external($_GET['destination'])) {
     $destination = drupal_parse_url($_GET['destination']);
-    $path = $destination['path'];
+    // Double check the path derived by drupal_parse_url() is not external.
+    if (!url_is_external($destination['path'])) {
+      $path = $destination['path'];
+    }
     $options['query'] = $destination['query'];
     $options['fragment'] = $destination['fragment'];
   }
@@ -3740,7 +3743,7 @@ function _drupal_build_css_path($matches, $base = NULL) {
   }
 
   // Prefix with base and remove '../' segments where possible.
-  $path = $_base . $matches[1];
+  $path = $_base . (isset($matches[1]) ? $matches[1] : '');
   $last = '';
   while ($path != $last) {
     $last = $path;
@@ -6653,7 +6656,7 @@ function element_children(&$elements, $sort = FALSE) {
   $children = array();
   $sortable = FALSE;
   foreach ($elements as $key => $value) {
-    if ($key === '' || $key[0] !== '#') {
+    if (is_int($key) || $key === '' || $key[0] !== '#') {
       $children[$key] = $value;
       if (is_array($value) && isset($value['#weight'])) {
         $sortable = TRUE;

includes/filetransfer/filetransfer.inc

@@ -301,7 +301,7 @@ abstract class FileTransfer {
     $parts = explode('/', $path);
     $chroot = '';
     while (count($parts)) {
-      $check = implode($parts, '/');
+      $check = implode('/', $parts);
       if ($this->isFile($check . '/' . drupal_basename(__FILE__))) {
         // Remove the trailing slash.
         return substr($chroot, 0, -1);

includes/form.inc

@@ -1135,12 +1135,8 @@ function drupal_prepare_form($form_id, &$form, &$form_state) {
  * Helper function to call form_set_error() if there is a token error.
  */
 function _drupal_invalid_token_set_form_error() {
-  $path = current_path();
-  $query = drupal_get_query_parameters();
-  $url = url($path, array('query' => $query));
-
   // Setting this error will cause the form to fail validation.
-  form_set_error('form_token', t('The form has become outdated. Copy any unsaved work in the form below and then <a href="@link">reload this page</a>.', array('@link' => $url)));
+  form_set_error('form_token', t('The form has become outdated. Press the back button, copy any unsaved work in the form, and then reload the page.'));
 }
 
 /**
@@ -1181,6 +1177,11 @@ function drupal_validate_form($form_id, &$form, &$form_state) {
   if (!empty($form['#token'])) {
     if (!drupal_valid_token($form_state['values']['form_token'], $form['#token']) || !empty($form_state['invalid_token'])) {
       _drupal_invalid_token_set_form_error();
+      // Ignore all submitted values.
+      $form_state['input'] = array();
+      $_POST = array();
+      // Make sure file uploads do not get processed.
+      $_FILES = array();
       // Stop here and don't run any further validation handlers, because they
       // could invoke non-safe operations which opens the door for CSRF
       // vulnerabilities.
@@ -1848,6 +1849,9 @@ function form_builder($form_id, &$element, &$form_state) {
           _drupal_invalid_token_set_form_error();
           // This value is checked in _form_builder_handle_input_element().
           $form_state['invalid_token'] = TRUE;
+          // Ignore all submitted values.
+          $form_state['input'] = array();
+          $_POST = array();
           // Make sure file uploads do not get processed.
           $_FILES = array();
         }

includes/menu.inc

@@ -2483,6 +2483,9 @@ function menu_link_get_preferred($path = NULL, $selected_menu = NULL) {
     // untranslated paths). Afterwards, the most relevant path is picked from
     // the menus, ordered by menu preference.
     $item = menu_get_item($path);
+    if ($item === FALSE) {
+      return FALSE;
+    }
     $path_candidates = array();
     // 1. The current item href.
     $path_candidates[$item['href']] = $item['href'];

includes/pager.inc

@@ -324,6 +324,16 @@ function theme_pager($variables) {
   $quantity = empty($variables['quantity']) ? 0 : $variables['quantity'];
   global $pager_page_array, $pager_total;
 
+  // Nothing to do if there is no pager.
+  if (!isset($pager_page_array[$element]) || !isset($pager_total[$element])) {
+    return;
+  }
+
+  // Nothing to do if there is only one page.
+  if ($pager_total[$element] <= 1) {
+    return;
+  }
+
   // Calculate various markers within this pager piece:
   // Middle is used to "center" pages around the current page.
   $pager_middle = ceil($quantity / 2);
@@ -455,6 +465,11 @@ function theme_pager_first($variables) {
   global $pager_page_array;
   $output = '';
 
+  // Nothing to do if there is no pager.
+  if (!isset($pager_page_array[$element])) {
+    return;
+  }
+
   // If we are anywhere but the first page
   if ($pager_page_array[$element] > 0) {
     $output = theme('pager_link', array('text' => $text, 'page_new' => pager_load_array(0, $element, $pager_page_array), 'element' => $element, 'parameters' => $parameters));
@@ -485,6 +500,11 @@ function theme_pager_previous($variables) {
   global $pager_page_array;
   $output = '';
 
+  // Nothing to do if there is no pager.
+  if (!isset($pager_page_array[$element])) {
+    return;
+  }
+
   // If we are anywhere but the first page
   if ($pager_page_array[$element] > 0) {
     $page_new = pager_load_array($pager_page_array[$element] - $interval, $element, $pager_page_array);
@@ -524,6 +544,11 @@ function theme_pager_next($variables) {
   global $pager_page_array, $pager_total;
   $output = '';
 
+  // Nothing to do if there is no pager.
+  if (!isset($pager_page_array[$element]) || !isset($pager_total[$element])) {
+    return;
+  }
+
   // If we are anywhere but the last page
   if ($pager_page_array[$element] < ($pager_total[$element] - 1)) {
     $page_new = pager_load_array($pager_page_array[$element] + $interval, $element, $pager_page_array);
@@ -560,6 +585,11 @@ function theme_pager_last($variables) {
   global $pager_page_array, $pager_total;
   $output = '';
 
+  // Nothing to do if there is no pager.
+  if (!isset($pager_page_array[$element]) || !isset($pager_total[$element])) {
+    return;
+  }
+
   // If we are anywhere but the last page
   if ($pager_page_array[$element] < ($pager_total[$element] - 1)) {
     $output = theme('pager_link', array('text' => $text, 'page_new' => pager_load_array($pager_total[$element] - 1, $element, $pager_page_array), 'element' => $element, 'parameters' => $parameters));

includes/path.inc

@@ -466,13 +466,15 @@ function path_delete($criteria) {
     $criteria = array('pid' => $criteria);
   }
   $path = path_load($criteria);
-  $query = db_delete('url_alias');
-  foreach ($criteria as $field => $value) {
-    $query->condition($field, $value);
+  if (isset($path['source'])) {
+    $query = db_delete('url_alias');
+    foreach ($criteria as $field => $value) {
+      $query->condition($field, $value);
+    }
+    $query->execute();
+    module_invoke_all('path_delete', $path);
+    drupal_clear_path_cache($path['source']);
   }
-  $query->execute();
-  module_invoke_all('path_delete', $path);
-  drupal_clear_path_cache($path['source']);
 }
 
 /**

includes/request-sanitizer.inc

@@ -99,7 +99,7 @@ class DrupalRequestSanitizer {
   protected static function stripDangerousValues($input, array $whitelist, array &$sanitized_keys) {
     if (is_array($input)) {
       foreach ($input as $key => $value) {
-        if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) {
+        if ($key !== '' && is_string($key) && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) {
           unset($input[$key]);
           $sanitized_keys[] = $key;
         }

misc/ajax.js

@@ -149,7 +149,7 @@ Drupal.ajax = function (base, element, element_settings) {
   // The 'this' variable will not persist inside of the options object.
   var ajax = this;
   ajax.options = {
-    url: ajax.url,
+    url: Drupal.sanitizeAjaxUrl(ajax.url),
     data: ajax.submit,
     beforeSerialize: function (element_settings, options) {
       return ajax.beforeSerialize(element_settings, options);
@@ -195,9 +195,29 @@ Drupal.ajax = function (base, element, element_settings) {
       }
     },
     dataType: 'json',
+    jsonp: false,
     type: 'POST'
   };
 
+  // For multipart forms (e.g., file uploads), jQuery Form targets the form
+  // submission to an iframe instead of using an XHR object. The initial "src"
+  // of the iframe, prior to the form submission, is set to options.iframeSrc.
+  // "about:blank" is the semantically correct, standards-compliant, way to
+  // initialize a blank iframe; however, some old IE versions (possibly only 6)
+  // incorrectly report a mixed content warning when iframes with an
+  // "about:blank" src are added to a parent document with an https:// origin.
+  // jQuery Form works around this by defaulting to "javascript:false" instead,
+  // but that breaks on Chrome 83, so here we force the semantically correct
+  // behavior for all browsers except old IE.
+  // @see https://www.drupal.org/project/drupal/issues/3143016
+  // @see https://github.com/jquery-form/form/blob/df9cb101b9c9c085c8d75ad980c7ff1cf62063a1/jquery.form.js#L68
+  // @see https://bugs.chromium.org/p/chromium/issues/detail?id=1084874
+  // @see https://html.spec.whatwg.org/multipage/browsers.html#creating-browsing-contexts
+  // @see https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
+  if (navigator.userAgent.indexOf("MSIE") === -1) {
+    ajax.options.iframeSrc = 'about:blank';
+  }
+
   // Bind the ajaxSubmit function to the element event.
   $(ajax.element).bind(element_settings.event, function (event) {
     if (!Drupal.settings.urlIsAjaxTrusted[ajax.url] && !Drupal.urlIsLocal(ajax.url)) {

misc/autocomplete.js

@@ -297,8 +297,9 @@ Drupal.ACDB.prototype.search = function (searchString) {
     // encodeURIComponent to allow autocomplete search terms to contain slashes.
     $.ajax({
       type: 'GET',
-      url: db.uri + '/' + Drupal.encodePath(searchString),
+      url: Drupal.sanitizeAjaxUrl(db.uri + '/' + Drupal.encodePath(searchString)),
       dataType: 'json',
+      jsonp: false,
       success: function (matches) {
         if (typeof matches.status == 'undefined' || matches.status != 0) {
           db.cache[searchString] = matches;

misc/drupal.js

@@ -424,6 +424,23 @@ Drupal.urlIsLocal = function (url) {
   return absoluteUrl === baseUrl || absoluteUrl.indexOf(baseUrl + '/') === 0;
 };
 
+/**
+ * Sanitizes a URL for use with jQuery.ajax().
+ *
+ * @param url
+ *   The URL string to be sanitized.
+ *
+ * @return
+ *   The sanitized URL.
+ */
+Drupal.sanitizeAjaxUrl = function (url) {
+  var regex = /\=\?(&|$)/;
+  while (url.match(regex)) {
+    url = url.replace(regex, '');
+  }
+  return url;
+}
+
 /**
  * Generate the themed representation of a Drupal object.
  *

misc/jquery-html-prefilter-3.5.0-backport.js

@@ -0,0 +1,251 @@
+/**
+ * For jQuery versions less than 3.5.0, this replaces the jQuery.htmlPrefilter()
+ * function with one that fixes these security vulnerabilities while also
+ * retaining the pre-3.5.0 behavior where it's safe to do so.
+ * - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
+ * - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
+ *
+ * Additionally, for jQuery versions that do not have a jQuery.htmlPrefilter()
+ * function (1.x prior to 1.12 and 2.x prior to 2.2), this adds it, and
+ * extends the functions that need to call it to do so.
+ *
+ * Drupal core's jQuery version is 1.4.4, but jQuery Update can provide a
+ * different version, so this covers all versions between 1.4.4 and 3.4.1.
+ * The GitHub links in the code comments below link to jQuery 1.5 code, because
+ * 1.4.4 isn't on GitHub, but the referenced code didn't change from 1.4.4 to
+ * 1.5.
+ */
+
+(function (jQuery) {
+
+  // Parts of this backport differ by jQuery version.
+  var versionParts = jQuery.fn.jquery.split('.');
+  var majorVersion = parseInt(versionParts[0]);
+  var minorVersion = parseInt(versionParts[1]);
+
+  // No backport is needed if we're already on jQuery 3.5 or higher.
+  if ( (majorVersion > 3) || (majorVersion === 3 && minorVersion >= 5) ) {
+    return;
+  }
+
+  // Prior to jQuery 3.5, jQuery converted XHTML-style self-closing tags to
+  // their XML equivalent: e.g., "<div />" to "<div></div>". This is
+  // problematic for several reasons, including that it's vulnerable to XSS
+  // attacks. However, since this was jQuery's behavior for many years, many
+  // Drupal modules and jQuery plugins may be relying on it. Therefore, we
+  // preserve that behavior, but for a limited set of tags only, that we believe
+  // to not be vulnerable. This is the set of HTML tags that satisfy all of the
+  // following conditions:
+  // - In DOMPurify's list of HTML tags. If an HTML tag isn't safe enough to
+  //   appear in that list, then we don't want to mess with it here either.
+  //   @see https://github.com/cure53/DOMPurify/blob/2.0.11/dist/purify.js#L128
+  // - A normal element (not a void, template, text, or foreign element).
+  //   @see https://html.spec.whatwg.org/multipage/syntax.html#elements-2
+  // - An element that is still defined by the current HTML specification
+  //   (not a deprecated element), because we do not want to rely on how
+  //   browsers parse deprecated elements.
+  //   @see https://developer.mozilla.org/en-US/docs/Web/HTML/Element
+  // - Not 'html', 'head', or 'body', because this pseudo-XHTML expansion is
+  //   designed for fragments, not entire documents.
+  // - Not 'colgroup', because due to an idiosyncrasy of jQuery's original
+  //   regular expression, it didn't match on colgroup, and we don't want to
+  //   introduce a behavior change for that.
+  var selfClosingTagsToReplace = [
+    'a', 'abbr', 'address', 'article', 'aside', 'audio', 'b', 'bdi', 'bdo',
+    'blockquote', 'button', 'canvas', 'caption', 'cite', 'code', 'data',
+    'datalist', 'dd', 'del', 'details', 'dfn', 'div', 'dl', 'dt', 'em',
+    'fieldset', 'figcaption', 'figure', 'footer', 'form', 'h1', 'h2', 'h3',
+    'h4', 'h5', 'h6', 'header', 'hgroup', 'i', 'ins', 'kbd', 'label', 'legend',
+    'li', 'main', 'map', 'mark', 'menu', 'meter', 'nav', 'ol', 'optgroup',
+    'option', 'output', 'p', 'picture', 'pre', 'progress', 'q', 'rp', 'rt',
+    'ruby', 's', 'samp', 'section', 'select', 'small', 'source', 'span',
+    'strong', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th',
+    'thead', 'time', 'tr', 'u', 'ul', 'var', 'video'
+  ];
+
+  // Define regular expressions for <TAG/> and <TAG ATTRIBUTES/>. Doing this as
+  // two expressions makes it easier to target <a/> without also targeting
+  // every tag that starts with "a".
+  var xhtmlRegExpGroup = '(' + selfClosingTagsToReplace.join('|') + ')';
+  var whitespace = '[\\x20\\t\\r\\n\\f]';
+  var rxhtmlTagWithoutSpaceOrAttributes = new RegExp('<' + xhtmlRegExpGroup + '\\/>', 'gi');
+  var rxhtmlTagWithSpaceAndMaybeAttributes = new RegExp('<' + xhtmlRegExpGroup + '(' + whitespace + '[^>]*)\\/>', 'gi');
+
+  // jQuery 3.5 also fixed a vulnerability for when </select> appears within
+  // an <option> or <optgroup>, but it did that in local code that we can't
+  // backport directly. Instead, we filter such cases out. To do so, we need to
+  // determine when jQuery would otherwise invoke the vulnerable code, which it
+  // uses this regular expression to determine. The regular expression changed
+  // for version 3.0.0 and changed again for 3.4.0.
+  // @see https://github.com/jquery/jquery/blob/1.5/jquery.js#L4958
+  // @see https://github.com/jquery/jquery/blob/3.0.0/dist/jquery.js#L4584
+  // @see https://github.com/jquery/jquery/blob/3.4.0/dist/jquery.js#L4712
+  var rtagName;
+  if (majorVersion < 3) {
+    rtagName = /<([\w:]+)/;
+  }
+  else if (minorVersion < 4) {
+    rtagName = /<([a-z][^\/\0>\x20\t\r\n\f]+)/i;
+  }
+  else {
+    rtagName = /<([a-z][^\/\0>\x20\t\r\n\f]*)/i;
+  }
+
+  // The regular expression that jQuery uses to determine which self-closing
+  // tags to expand to open and close tags. This is vulnerable, because it
+  // matches all tag names except the few excluded ones. We only use this
+  // expression for determining vulnerability. The expression changed for
+  // version 3, but we only need to check for vulnerability in versions 1 and 2,
+  // so we use the expression from those versions.
+  // @see https://github.com/jquery/jquery/blob/1.5/jquery.js#L4957
+  var rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/gi;
+
+  jQuery.extend({
+    htmlPrefilter: function (html) {
+      // This is how jQuery determines the first tag in the HTML.
+      // @see https://github.com/jquery/jquery/blob/1.5/jquery.js#L5521
+      var tag = ( rtagName.exec( html ) || [ "", "" ] )[ 1 ].toLowerCase();
+
+      // It is not valid HTML for <option> or <optgroup> to have <select> as
+      // either a descendant or sibling, and attempts to inject one can cause
+      // XSS on jQuery versions before 3.5. Since this is invalid HTML and a
+      // possible XSS attack, reject the entire string.
+      // @see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
+      if ((tag === 'option' || tag === 'optgroup') && html.match(/<\/?select/i)) {
+        html = '';
+      }
+
+      // Retain jQuery's prior to 3.5 conversion of pseudo-XHTML, but for only
+      // the tags in the `selfClosingTagsToReplace` list defined above.
+      // @see https://github.com/jquery/jquery/blob/1.5/jquery.js#L5518
+      // @see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
+      html = html.replace(rxhtmlTagWithoutSpaceOrAttributes, "<$1></$1>");
+      html = html.replace(rxhtmlTagWithSpaceAndMaybeAttributes, "<$1$2></$1>");
+
+      // Prior to jQuery 1.12 and 2.2, this function gets called (via code later
+      // in this file) in addition to, rather than instead of, the unsafe
+      // expansion of self-closing tags (including ones not in the list above).
+      // We can't prevent that unsafe expansion from running, so instead we
+      // check to make sure that it doesn't affect the DOM returned by the
+      // browser's parsing logic. If it does affect it, then it's vulnerable to
+      // XSS, so we reject the entire string.
+      if ( (majorVersion === 1 && minorVersion < 12) || (majorVersion === 2 && minorVersion < 2) ) {
+        var htmlRisky = html.replace(rxhtmlTag, "<$1></$2>");
+        if (htmlRisky !== html) {
+          // Even though htmlRisky and html are different strings, they might
+          // represent the same HTML structure once parsed, in which case,
+          // htmlRisky is actually safe. We can ask the browser to parse both
+          // to find out, but the browser can't parse table fragments (e.g., a
+          // root-level "<td>"), so we need to wrap them. We just need this
+          // technique to work on all supported browsers; we don't need to
+          // copy from the specific jQuery version we're using.
+          // @see https://github.com/jquery/jquery/blob/3.5.1/dist/jquery.js#L4939
+          var wrapMap = {
+            thead: [ 1, "<table>", "</table>" ],
+            col: [ 2, "<table><colgroup>", "</colgroup></table>" ],
+            tr: [ 2, "<table><tbody>", "</tbody></table>" ],
+            td: [ 3, "<table><tbody><tr>", "</tr></tbody></table>" ],
+          };
+          wrapMap.tbody = wrapMap.tfoot = wrapMap.colgroup = wrapMap.caption = wrapMap.thead;
+          wrapMap.th = wrapMap.td;
+
+          // Function to wrap HTML into something that a browser can parse.
+          // @see https://github.com/jquery/jquery/blob/3.5.1/dist/jquery.js#L5032
+          var getWrappedHtml = function (html) {
+            var wrap = wrapMap[tag];
+            if (wrap) {
+              html = wrap[1] + html + wrap[2];
+            }
+            return html;
+          };
+
+          // Function to return canonical HTML after parsing it. This parses
+          // only; it doesn't execute scripts.
+          // @see https://github.com/jquery/jquery-migrate/blob/3.3.0/src/jquery/manipulation.js#L5
+          var getParsedHtml = function (html) {
+            var doc = window.document.implementation.createHTMLDocument( "" );
+            doc.body.innerHTML = html;
+            return doc.body ? doc.body.innerHTML : '';
+          };
+
+          // If the browser couldn't parse either one successfully, or if
+          // htmlRisky parses differently than html, then html is vulnerable,
+          // so reject it.
+          var htmlParsed = getParsedHtml(getWrappedHtml(html));
+          var htmlRiskyParsed = getParsedHtml(getWrappedHtml(htmlRisky));
+          if (htmlRiskyParsed === '' || htmlParsed === '' || (htmlRiskyParsed !== htmlParsed)) {
+            html = '';
+          }
+        }
+      }
+
+      return html;
+    }
+  });
+
+  // Prior to jQuery 1.12 and 2.2, jQuery.clean(), jQuery.buildFragment(), and
+  // jQuery.fn.html() did not call jQuery.htmlPrefilter(), so we add that.
+  if ( (majorVersion === 1 && minorVersion < 12) || (majorVersion === 2 && minorVersion < 2) ) {
+    // Filter the HTML coming into jQuery.fn.html().
+    var fnOriginalHtml = jQuery.fn.html;
+    jQuery.fn.extend({
+      // @see https://github.com/jquery/jquery/blob/1.5/jquery.js#L5147
+      html: function (value) {
+        if (typeof value === "string") {
+          value = jQuery.htmlPrefilter(value);
+        }
+        // .html() can be called as a setter (with an argument) or as a getter
+        // (without an argument), so invoke fnOriginalHtml() the same way that
+        // we were invoked.
+        return fnOriginalHtml.apply(this, arguments.length ? [value] : []);
+      }
+    });
+
+    // The regular expression that jQuery uses to determine if a string is HTML.
+    // Used by both clean() and buildFragment().
+    // @see https://github.com/jquery/jquery/blob/1.5/jquery.js#L4960
+    var rhtml = /<|&#?\w+;/;
+
+    // Filter HTML coming into:
+    // - jQuery.clean() for versions prior to 1.9.
+    // - jQuery.buildFragment() for 1.9 and above.
+    //
+    // The looping constructs in the two functions might be essentially
+    // identical, but they're each expressed here in the way that most closely
+    // matches their original expression in jQuery, so that we filter all of
+    // the items and only the items that jQuery will treat as HTML strings.
+    if (majorVersion === 1 && minorVersion < 9) {
+      var originalClean = jQuery.clean;
+      jQuery.extend({
+        // @see https://github.com/jquery/jquery/blob/1.5/jquery.js#L5493
+        'clean': function (elems, context, fragment, scripts) {
+          for ( var i = 0, elem; (elem = elems[i]) != null; i++ ) {
+            if ( typeof elem === "string" && rhtml.test( elem ) ) {
+              elems[i] = elem = jQuery.htmlPrefilter(elem);
+            }
+          }
+          return originalClean.call(this, elems, context, fragment, scripts);
+        }
+      });
+    }
+    else {
+      var originalBuildFragment = jQuery.buildFragment;
+      jQuery.extend({
+        // @see https://github.com/jquery/jquery/blob/1.9.0/jquery.js#L6419
+        'buildFragment': function (elems, context, scripts, selection) {
+          var l = elems.length;
+          for ( var i = 0; i < l; i++ ) {
+            var elem = elems[i];
+            if (elem || elem === 0) {
+              if ( jQuery.type( elem ) !== "object" && rhtml.test( elem ) ) {
+                elems[i] = elem = jQuery.htmlPrefilter(elem);
+              }
+            }
+          }
+          return originalBuildFragment.call(this, elems, context, scripts, selection);
+        }
+      });
+    }
+  }
+
+})(jQuery);

misc/typo3/phar-stream-wrapper/README.md

@@ -1,5 +1,6 @@
 [![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/TYPO3/phar-stream-wrapper/badges/quality-score.png?b=v2)](https://scrutinizer-ci.com/g/TYPO3/phar-stream-wrapper/?branch=v2)
 [![Travis CI Build Status](https://travis-ci.org/TYPO3/phar-stream-wrapper.svg?branch=v2)](https://travis-ci.org/TYPO3/phar-stream-wrapper)
+[![AppVeyor Build status](https://ci.appveyor.com/api/projects/status/q4ls5tg4w1d6sf4i/branch/v2?svg=true)](https://ci.appveyor.com/project/ohader/phar-stream-wrapper)
 
 # PHP Phar Stream Wrapper
 
@@ -21,9 +22,11 @@ and has been addressed concerning the specific attack vector and for this generi
 `PharStreamWrapper` in TYPO3 versions 7.6.30 LTS, 8.7.17 LTS and 9.3.1 on 12th
 July 2018.
 
-* https://typo3.org/security/advisory/typo3-core-sa-2018-002/
 * https://blog.secarma.co.uk/labs/near-phar-dangerous-unserialization-wherever-you-are
 * https://youtu.be/GePBmsNJw6Y
+* https://typo3.org/security/advisory/typo3-psa-2018-001/
+* https://typo3.org/security/advisory/typo3-psa-2019-007/
+* https://typo3.org/security/advisory/typo3-psa-2019-008/
 
 ## License
 

misc/typo3/phar-stream-wrapper/composer.json

@@ -7,7 +7,6 @@
     "keywords": ["php", "phar", "stream-wrapper", "security"],
     "require": {
         "php": "^5.3.3|^7.0",
-        "ext-fileinfo": "*",
         "ext-json": "*",
         "brumann/polyfill-unserialize": "^1.0"
     },
@@ -15,6 +14,9 @@
         "ext-xdebug": "*",
         "phpunit/phpunit": "^4.8.36"
     },
+    "suggest": {
+        "ext-fileinfo": "For PHP builtin file type guessing, otherwise uses internal processing"
+    },
     "autoload": {
         "psr-4": {
             "TYPO3\\PharStreamWrapper\\": "src/"

misc/typo3/phar-stream-wrapper/src/Helper.php

@@ -52,7 +52,7 @@ class Helper
 
         while (count($parts)) {
             $currentPath = implode('/', $parts);
-            if (@is_file($currentPath)) {
+            if (@is_file($currentPath) && realpath($currentPath) !== false) {
                 return $currentPath;
             }
             array_pop($parts);
@@ -106,7 +106,7 @@ class Helper
      * @param string $path File path to process
      * @return string
      */
-    private static function normalizeWindowsPath($path)
+    public static function normalizeWindowsPath($path)
     {
         return str_replace('\\', '/', $path);
     }

misc/typo3/phar-stream-wrapper/src/Phar/Reader.php

@@ -19,6 +19,11 @@ class Reader
     private $fileName;
 
     /**
+     * Mime-type in order to use zlib, bzip2 or no compression.
+     * In case ext-fileinfo is not present only the relevant types
+     * 'application/x-gzip' and 'application/x-bzip2' are assigned
+     * to this class property.
+     *
      * @var string
      */
     private $fileType;
@@ -139,7 +144,7 @@ class Reader
      */
     private function resolveStream()
     {
-        if ($this->fileType === 'application/x-gzip') {
+        if ($this->fileType === 'application/x-gzip' || $this->fileType === 'application/gzip') {
             return 'compress.zlib://';
         } elseif ($this->fileType === 'application/x-bzip2') {
             return 'compress.bzip2://';
@@ -152,8 +157,37 @@ class Reader
      */
     private function determineFileType()
     {
-        $fileInfo = new \finfo();
-        return $fileInfo->file($this->fileName, FILEINFO_MIME_TYPE);
+        if (class_exists('\\finfo')) {
+            $fileInfo = new \finfo();
+            return $fileInfo->file($this->fileName, FILEINFO_MIME_TYPE);
+        }
+        return $this->determineFileTypeByHeader();
+    }
+
+    /**
+     * In case ext-fileinfo is not present only the relevant types
+     * 'application/x-gzip' and 'application/x-bzip2' are resolved.
+     *
+     * @return string
+     */
+    private function determineFileTypeByHeader()
+    {
+        $resource = fopen($this->fileName, 'r');
+        if (!is_resource($resource)) {
+            throw new ReaderException(
+                sprintf('Resource %s could not be opened', $this->fileName),
+                1557753055
+            );
+        }
+        $header = fgets($resource, 4);
+        fclose($resource);
+        $mimeType = '';
+        if (strpos($header, "\x42\x5a\x68") === 0) {
+            $mimeType = 'application/x-bzip2';
+        } elseif (strpos($header, "\x1f\x8b") === 0) {
+            $mimeType = 'application/x-gzip';
+        }
+        return $mimeType;
     }
 
     /**

misc/typo3/phar-stream-wrapper/src/PharStreamWrapper.php

@@ -476,7 +476,7 @@ class PharStreamWrapper
     {
         $arguments = func_get_args();
         array_shift($arguments);
-        $silentExecution = $functionName{0} === '@';
+        $silentExecution = $functionName[0] === '@';
         $functionName = ltrim($functionName, '@');
         $this->restoreInternalSteamWrapper();
 

misc/typo3/phar-stream-wrapper/src/Resolver/PharInvocationResolver.php

@@ -14,6 +14,7 @@ namespace TYPO3\PharStreamWrapper\Resolver;
 use TYPO3\PharStreamWrapper\Helper;
 use TYPO3\PharStreamWrapper\Manager;
 use TYPO3\PharStreamWrapper\Phar\Reader;
+use TYPO3\PharStreamWrapper\Phar\ReaderException;
 use TYPO3\PharStreamWrapper\Resolvable;
 
 class PharInvocationResolver implements Resolvable
@@ -59,7 +60,7 @@ class PharInvocationResolver implements Resolvable
     {
         $hasPharPrefix = Helper::hasPharPrefix($path);
         if ($flags === null) {
-            $flags = static::RESOLVE_REALPATH | static::RESOLVE_ALIAS | static::ASSERT_INTERNAL_INVOCATION;
+            $flags = static::RESOLVE_REALPATH | static::RESOLVE_ALIAS;
         }
 
         if ($hasPharPrefix && $flags & static::RESOLVE_ALIAS) {
@@ -147,9 +148,14 @@ class PharInvocationResolver implements Resolvable
             }
             // ensure the possible alias name (how we have been called initially) matches
             // the resolved alias name that was retrieved by the current possible base name
-            $reader = new Reader($currentBaseName);
-            $currentAlias = $reader->resolveContainer()->getAlias();
-            if ($currentAlias !== $possibleAlias) {
+            try {
+                $reader = new Reader($currentBaseName);
+                $currentAlias = $reader->resolveContainer()->getAlias();
+            } catch (ReaderException $exception) {
+                // most probably that was not a Phar file
+                continue;
+            }
+            if (empty($currentAlias) || $currentAlias !== $possibleAlias) {
                 continue;
             }
             $this->addBaseName($currentBaseName);
@@ -215,7 +221,9 @@ class PharInvocationResolver implements Resolvable
         if (isset($this->baseNames[$baseName])) {
             return;
         }
-        $this->baseNames[$baseName] = realpath($baseName);
+        $this->baseNames[$baseName] = Helper::normalizeWindowsPath(
+            realpath($baseName)
+        );
     }
 
     /**

modules/aggregator/aggregator.info

@@ -7,7 +7,7 @@ files[] = aggregator.test
 configure = admin/config/services/aggregator/settings
 stylesheets[all][] = aggregator.css
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/aggregator/tests/aggregator_test.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/block/block.info

@@ -6,7 +6,7 @@ core = 7.x
 files[] = block.test
 configure = admin/structure/block
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/block/block.module

@@ -263,7 +263,7 @@ function block_page_build(&$page) {
   $all_regions = system_region_list($theme);
 
   $item = menu_get_item();
-  if ($item['path'] != 'admin/structure/block/demo/' . $theme) {
+  if ($item === FALSE || $item['path'] != 'admin/structure/block/demo/' . $theme) {
     // Load all region content assigned via blocks.
     foreach (array_keys($all_regions) as $region) {
       // Assign blocks to region.
@@ -283,7 +283,6 @@ function block_page_build(&$page) {
   }
   else {
     // Append region description if we are rendering the regions demo page.
-    $item = menu_get_item();
     if ($item['path'] == 'admin/structure/block/demo/' . $theme) {
       foreach (system_region_list($theme, REGIONS_VISIBLE, FALSE) as $region) {
         $description = '<div class="block-region">' . $all_regions[$region] . '</div>';

modules/block/tests/block_test.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/block/tests/themes/block_test_theme/block_test_theme.info

@@ -13,7 +13,7 @@ regions[footer] = Footer
 regions[highlighted] = Highlighted
 regions[help] = Help
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/blog/blog.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 files[] = blog.test
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/book/book.info

@@ -7,7 +7,7 @@ files[] = book.test
 configure = admin/content/book/settings
 stylesheets[all][] = book.css
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/color/color.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 files[] = color.test
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/color/color.module

@@ -734,8 +734,9 @@ function _color_blend($img, $hex1, $hex2, $alpha) {
  * Converts a hex color into an RGB triplet.
  */
 function _color_unpack($hex, $normalize = FALSE) {
-  if (strlen($hex) == 4) {
-    $hex = $hex[1] . $hex[1] . $hex[2] . $hex[2] . $hex[3] . $hex[3];
+  $hex = substr($hex, 1);
+  if (strlen($hex) == 3) {
+    $hex = $hex[0] . $hex[0] . $hex[1] . $hex[1] . $hex[2] . $hex[2];
   }
   $c = hexdec($hex);
   for ($i = 16; $i >= 0; $i -= 8) {

modules/comment/comment.info

@@ -9,7 +9,7 @@ files[] = comment.test
 configure = admin/content/comment
 stylesheets[all][] = comment.css
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/comment/comment.install

@@ -9,9 +9,6 @@
  * Implements hook_uninstall().
  */
 function comment_uninstall() {
-  // Delete comment_body field.
-  field_delete_field('comment_body');
-
   // Remove variables.
   variable_del('comment_block_count');
   $node_types = array_keys(node_type_get_types());

modules/comment/comment.test

@@ -6,6 +6,7 @@
  */
 
 class CommentHelperCase extends DrupalWebTestCase {
+  protected $super_user;
   protected $admin_user;
   protected $web_user;
   protected $node;
@@ -19,6 +20,7 @@ class CommentHelperCase extends DrupalWebTestCase {
     parent::setUp($modules);
 
     // Create users and test node.
+    $this->super_user = $this->drupalCreateUser(array('access administration pages', 'administer modules'));
     $this->admin_user = $this->drupalCreateUser(array('administer content types', 'administer comments', 'administer blocks', 'administer actions', 'administer fields'));
     $this->web_user = $this->drupalCreateUser(array('access comments', 'post comments', 'create article content', 'edit own comments'));
     $this->node = $this->drupalCreateNode(array('type' => 'article', 'promote' => 1, 'uid' => $this->web_user->uid));
@@ -2264,3 +2266,56 @@ class CommentNodeChangesTestCase extends CommentHelperCase {
     $this->assertFalse(comment_load($comment->id), 'The comment could not be loaded after the node was deleted.');
   }
 }
+
+/**
+ * Tests uninstalling the comment module.
+ */
+class CommentUninstallTestCase extends CommentHelperCase {
+
+  public static function getInfo() {
+    return array(
+      'name' => 'Comment module uninstallation',
+      'description' => 'Tests that the comments module can be properly uninstalled.',
+      'group' => 'Comment',
+    );
+  }
+
+  function testCommentUninstall() {
+    $this->drupalLogin($this->super_user);
+
+    // Disable comment module.
+    $edit['modules[Core][comment][enable]'] = FALSE;
+    $this->drupalPost('admin/modules', $edit, t('Save configuration'));
+    $this->assertText(t('The configuration options have been saved.'), 'Comment module was disabled.');
+
+    // Uninstall comment module.
+    $edit = array('uninstall[comment]' => 'comment');
+    $this->drupalPost('admin/modules/uninstall', $edit, t('Uninstall'));
+    $this->drupalPost(NULL, NULL, t('Uninstall'));
+    $this->assertText(t('The selected modules have been uninstalled.'), 'Comment module was uninstalled.');
+
+    // Run cron and clear field cache so that comment fields and instances
+    // marked for deletion are actually removed.
+    $this->cronRun();
+    field_cache_clear();
+
+    // Verify that comment fields have been removed.
+    $all_fields = array_keys(field_info_field_map());
+    $this->assertFalse(in_array('comment_body', $all_fields), 'Comment fields were removed by uninstall.');
+
+    // Verify that comment field instances have been removed (or at least marked
+    // for deletion).
+    // N.B. field_read_instances does an INNER JOIN on field_config so if the
+    // comment_body row has been removed successfully from there no instances
+    // will be returned, but that does not guarantee that no rows are left over
+    // in the field_config_instance table.
+    $count = db_select('field_config_instance', 'fci')
+      ->condition('entity_type', 'comment')
+      ->condition('field_name', 'comment_body')
+      ->condition('deleted', 0)
+      ->countQuery()
+      ->execute()
+      ->fetchField();
+    $this->assertTrue($count == 0, 'Comment field instances were removed by uninstall.');
+  }
+}

modules/contact/contact.info

@@ -6,7 +6,7 @@ core = 7.x
 files[] = contact.test
 configure = admin/structure/contact
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/contextual/contextual.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 files[] = contextual.test
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/dashboard/dashboard.info

@@ -7,7 +7,7 @@ files[] = dashboard.test
 dependencies[] = block
 configure = admin/dashboard/customize
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/dblog/dblog.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 files[] = dblog.test
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/field/field.info

@@ -11,7 +11,7 @@ dependencies[] = field_sql_storage
 required = TRUE
 stylesheets[all][] = theme/field.css
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/field/modules/field_sql_storage/field_sql_storage.info

@@ -7,7 +7,7 @@ dependencies[] = field
 files[] = field_sql_storage.test
 required = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/field/modules/list/list.info

@@ -7,7 +7,7 @@ dependencies[] = field
 dependencies[] = options
 files[] = tests/list.test
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/field/modules/list/tests/list_test.info

@@ -5,7 +5,7 @@ package = Testing
 version = VERSION
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/field/modules/number/number.info

@@ -6,7 +6,7 @@ core = 7.x
 dependencies[] = field
 files[] = number.test
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/field/modules/number/number.test

@@ -174,7 +174,7 @@ class NumberFieldTestCase extends DrupalWebTestCase {
       ),
       'display' => array(
         'default' => array(
-          'type' => 'number_float',
+          'type' => 'number_decimal',
         ),
       ),
     );

modules/field/modules/options/options.info

@@ -6,7 +6,7 @@ core = 7.x
 dependencies[] = field
 files[] = options.test
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/field/modules/text/text.info

@@ -7,7 +7,7 @@ dependencies[] = field
 files[] = text.test
 required = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/field/tests/field_test.info

@@ -6,7 +6,7 @@ files[] = field_test.entity.inc
 version = VERSION
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/field/tests/field_test.storage.inc

@@ -455,13 +455,13 @@ function field_test_field_attach_rename_bundle($bundle_old, $bundle_new) {
 function field_test_field_attach_delete_bundle($entity_type, $bundle, $instances) {
   $data = _field_test_storage_data();
 
-  foreach ($instances as $field_name => $instance) {
-    $field = field_info_field($field_name);
+  foreach ($instances as $instance) {
+    $field = field_info_field_by_id($instance['field_id']);
     if ($field['storage']['type'] == 'field_test_storage') {
       $field_data = &$data[$field['id']];
       foreach (array('current', 'revisions') as $sub_table) {
         foreach ($field_data[$sub_table] as &$row) {
-          if ($row->bundle == $bundle_old) {
+          if ($row->bundle == $bundle) {
             $row->deleted = TRUE;
           }
         }

modules/field_ui/field_ui.admin.inc

@@ -1026,6 +1026,10 @@ function field_ui_display_overview_form($form, &$form_state, $entity_type, $bund
 
     $instance['display'][$view_mode]['type'] = $formatter_type;
     $formatter = field_info_formatter_types($formatter_type);
+    // For hidden fields, $formatter will be NULL, but we expect an array later.
+    // To maintain BC, but avoid PHP 7.4 Notices, ensure $formatter is an array
+    // with a 'module' element.
+    $formatter['module'] = isset($formatter['module']) ? $formatter['module'] : '';
     $instance['display'][$view_mode]['module'] = $formatter['module'];
     $instance['display'][$view_mode]['settings'] = $settings;
 

modules/field_ui/field_ui.info

@@ -6,7 +6,7 @@ core = 7.x
 dependencies[] = field
 files[] = field_ui.test
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/field_ui/field_ui.module

@@ -265,6 +265,12 @@ function field_ui_menu_title($instance) {
  * Menu access callback for the 'view mode display settings' pages.
  */
 function _field_ui_view_mode_menu_access($entity_type, $bundle, $view_mode, $access_callback) {
+  // It's good practice to call func_get_args() at the beginning of a function
+  // to avoid problems with function parameters being modified later. The
+  // behavior of func_get_args() changed in PHP7.
+  // @see https://www.php.net/manual/en/migration70.incompatible.php#migration70.incompatible.other.func-parameter-modified
+  $all_args = func_get_args();
+
   // First, determine visibility according to the 'use custom display'
   // setting for the view mode.
   $bundle = field_extract_bundle($entity_type, $bundle);
@@ -275,7 +281,6 @@ function _field_ui_view_mode_menu_access($entity_type, $bundle, $view_mode, $acc
   // part of _menu_check_access().
   if ($visibility) {
     // Grab the variable 'access arguments' part.
-    $all_args = func_get_args();
     $args = array_slice($all_args, 4);
     $callback = empty($access_callback) ? 0 : trim($access_callback);
     if (is_numeric($callback)) {

modules/file/file.info

@@ -6,7 +6,7 @@ core = 7.x
 dependencies[] = field
 files[] = tests/file.test
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/file/tests/file.test

@@ -409,7 +409,7 @@ class FileManagedFileElementTestCase extends FileFieldTestCase {
           'form_token' => 'invalid token',
         );
         $this->drupalPost($path, $edit, t('Save'));
-        $this->assertText('The form has become outdated. Copy any unsaved work in the form below');
+        $this->assertText('The form has become outdated.');
         $last_fid = $this->getLastFileId();
         $this->assertEqual($last_fid_prior, $last_fid, 'File was not saved when uploaded with an invalid form token.');
 

modules/file/tests/file_module_test.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/filter/filter.api.php

@@ -202,7 +202,7 @@ function callback_filter_settings($form, &$form_state, $filter, $format, $defaul
  */
 function callback_filter_prepare($text, $filter, $format, $langcode, $cache, $cache_id) {
   // Escape <code> and </code> tags.
-  $text = preg_replace('|<code>(.+?)</code>|se', "[codefilter_code]$1[/codefilter_code]", $text);
+  $text = preg_replace('|<code>(.+?)</code>|s', "[codefilter_code]$1[/codefilter_code]", $text);
   return $text;
 }
 
@@ -234,7 +234,7 @@ function callback_filter_prepare($text, $filter, $format, $langcode, $cache, $ca
  * @ingroup callbacks
  */
 function callback_filter_process($text, $filter, $format, $langcode, $cache, $cache_id) {
-  $text = preg_replace('|\[codefilter_code\](.+?)\[/codefilter_code\]|se', "<pre>$1</pre>", $text);
+  $text = preg_replace('|\[codefilter_code\](.+?)\[/codefilter_code\]|s', "<pre>$1</pre>", $text);
 
   return $text;
 }

modules/filter/filter.info

@@ -7,7 +7,7 @@ files[] = filter.test
 required = TRUE
 configure = admin/config/content/formats
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/forum/forum.info

@@ -9,7 +9,7 @@ files[] = forum.test
 configure = admin/structure/forum
 stylesheets[all][] = forum.css
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/forum/forum.module

@@ -922,7 +922,8 @@ function forum_get_topics($tid, $sortby, $forum_per_page) {
   );
 
   $order = _forum_get_topic_order($sortby);
-  for ($i = 0; $i < count($forum_topic_list_header); $i++) {
+  // Skip element with index 0 which is NULL.
+  for ($i = 1; $i < count($forum_topic_list_header); $i++) {
     if ($forum_topic_list_header[$i]['field'] == $order['field']) {
       $forum_topic_list_header[$i]['sort'] = $order['sort'];
     }

modules/help/help.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 files[] = help.test
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/image/image.info

@@ -7,7 +7,7 @@ dependencies[] = file
 files[] = image.test
 configure = admin/config/media/image-styles
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/image/tests/image_module_test.info

@@ -6,7 +6,7 @@ core = 7.x
 files[] = image_module_test.module
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/locale/locale.info

@@ -6,7 +6,7 @@ core = 7.x
 files[] = locale.test
 configure = admin/config/regional/language
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/locale/tests/locale_test.info

@@ -5,7 +5,7 @@ package = Testing
 version = VERSION
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/menu/menu.info

@@ -6,7 +6,7 @@ core = 7.x
 files[] = menu.test
 configure = admin/structure/menu
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/node/node.info

@@ -9,7 +9,7 @@ required = TRUE
 configure = admin/structure/types
 stylesheets[all][] = node.css
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/node/tests/node_access_test.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/node/tests/node_test.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/node/tests/node_test_exception.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/openid/openid.info

@@ -5,7 +5,7 @@ package = Core
 core = 7.x
 files[] = openid.test
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/openid/tests/openid_test.info

@@ -6,7 +6,7 @@ core = 7.x
 dependencies[] = openid
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/overlay/overlay.info

@@ -4,7 +4,7 @@ package = Core
 version = VERSION
 core = 7.x
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/path/path.info

@@ -6,7 +6,7 @@ core = 7.x
 files[] = path.test
 configure = admin/config/search/path
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/php/php.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 files[] = php.test
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/poll/poll.info

@@ -6,7 +6,7 @@ core = 7.x
 files[] = poll.test
 stylesheets[all][] = poll.css
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/profile/profile.info

@@ -11,7 +11,7 @@ configure = admin/config/people/profile
 ; See user_system_info_alter().
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/rdf/rdf.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 files[] = rdf.test
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/rdf/tests/rdf_test.info

@@ -6,7 +6,7 @@ core = 7.x
 hidden = TRUE
 dependencies[] = blog
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/search/search.extender.inc

@@ -219,7 +219,7 @@ class SearchQuery extends SelectQueryExtender {
       }
       $phrase = FALSE;
       // Strip off phrase quotes.
-      if ($match[2]{0} == '"') {
+      if ($match[2][0] == '"') {
         $match[2] = substr($match[2], 1, -1);
         $phrase = TRUE;
         $this->simple = FALSE;

modules/search/search.info

@@ -8,7 +8,7 @@ files[] = search.test
 configure = admin/config/search/settings
 stylesheets[all][] = search.css
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/search/search.module

@@ -1172,7 +1172,7 @@ function search_excerpt($keys, $text) {
       }
       else {
         $info = search_simplify_excerpt_match($key, $text, $included[$key], $boundary);
-        if ($info['where']) {
+        if (isset($info['where'])) {
           $p = $info['where'];
           if ($info['keyword']) {
             $foundkeys[] = $info['keyword'];

modules/search/tests/search_embedded_form.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/search/tests/search_extra_type.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/search/tests/search_node_tags.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/shortcut/shortcut.info

@@ -6,7 +6,7 @@ core = 7.x
 files[] = shortcut.test
 configure = admin/config/user-interface/shortcut
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/simpletest/simpletest.info

@@ -33,6 +33,7 @@ files[] = tests/pager.test
 files[] = tests/password.test
 files[] = tests/path.test
 files[] = tests/registry.test
+files[] = tests/request_sanitizer.test
 files[] = tests/schema.test
 files[] = tests/session.test
 files[] = tests/tablesort.test
@@ -57,7 +58,7 @@ files[] = tests/upgrade/update.trigger.test
 files[] = tests/upgrade/update.field.test
 files[] = tests/upgrade/update.user.test
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/simpletest/tests/actions_loop_test.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/simpletest/tests/ajax_forms_test.info

@@ -5,7 +5,7 @@ package = Testing
 version = VERSION
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/simpletest/tests/ajax_test.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/simpletest/tests/batch_test.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/simpletest/tests/boot_test_1.info

@@ -5,7 +5,7 @@ package = Testing
 version = VERSION
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/simpletest/tests/boot_test_2.info

@@ -5,7 +5,7 @@ package = Testing
 version = VERSION
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/simpletest/tests/common_test.info

@@ -7,7 +7,7 @@ stylesheets[all][] = common_test.css
 stylesheets[print][] = common_test.print.css
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/simpletest/tests/common_test_cron_helper.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/simpletest/tests/database_test.info

@@ -5,7 +5,7 @@ package = Testing
 version = VERSION
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/simpletest/tests/drupal_autoload_test/drupal_autoload_test.info

@@ -7,7 +7,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/simpletest/tests/drupal_system_listing_compatible_test/drupal_system_listing_compatible_test.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/simpletest/tests/drupal_system_listing_incompatible_test/drupal_system_listing_incompatible_test.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/simpletest/tests/entity_cache_test.info

@@ -6,7 +6,7 @@ core = 7.x
 dependencies[] = entity_cache_test_dependency
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/simpletest/tests/entity_cache_test_dependency.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/simpletest/tests/entity_crud_hook_test.info

@@ -5,7 +5,7 @@ package = Testing
 version = VERSION
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"

modules/simpletest/tests/entity_query_access_test.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2019-12-18
-version = "7.69"
+; Information added by Drupal.org packaging script on 2020-09-16
+version = "7.73"
 project = "drupal"
-datestamp = "1576696221"
+datestamp = "1600272641"