Skip to content
Commits on Source (38)
This diff is collapsed.
Drupal 8.2.8, 2017-04-19
------------------------
- Fixed security issues. See SA-CORE-2017-002.
Drupal 8.2.7, 2017-03-15
------------------------
- Fixed security issues. See SA-CORE-2017-001.
Drupal 8.2.3, 2016-11-16
------------------------
- Fixed security issues. See SA-CORE-2016-005.
......
......@@ -40,7 +40,7 @@
"jcalderonzumba/gastonjs": "~1.0.2",
"jcalderonzumba/mink-phantomjs-driver": "~0.3.1",
"mikey179/vfsStream": "~1.2",
"phpunit/phpunit": "~4.8",
"phpunit/phpunit": ">=4.8.28 <5",
"symfony/css-selector": "~2.8"
},
"replace": {
......
......@@ -20,6 +20,7 @@
use Drupal\Core\Site\Settings;
use Drupal\Core\StringTranslation\Translator\FileTranslation;
use Drupal\Core\StackMiddleware\ReverseProxyMiddleware;
use Drupal\Core\StreamWrapper\PublicStream;
use Drupal\Core\Extension\ExtensionDiscovery;
use Drupal\Core\DependencyInjection\ContainerBuilder;
use Drupal\Core\Url;
......@@ -1036,6 +1037,21 @@ function install_base_system(&$install_state) {
// Install system.module.
drupal_install_system($install_state);
// Prevent the installer from using the system temporary directory after the
// system module has been installed.
if (drupal_valid_test_ua()) {
// While the temporary directory could be preset/enforced in settings.php
// like the public files directory, some tests expect it to be configurable
// in the UI. If declared in settings.php, they would no longer be
// configurable. The temporary directory needs to match what is set in each
// test types ::prepareEnvironment() step.
$temporary_directory = dirname(PublicStream::basePath()) . '/temp';
file_prepare_directory($temporary_directory, FILE_MODIFY_PERMISSIONS | FILE_CREATE_DIRECTORY);
\Drupal::configFactory()->getEditable('system.file')
->set('path.temporary', $temporary_directory)
->save();
}
// Call file_ensure_htaccess() to ensure that all of Drupal's standard
// directories (e.g., the public files directory and config directory) have
// appropriate .htaccess files. These directories will have already been
......
......@@ -81,7 +81,7 @@ class Drupal {
/**
* The current system version.
*/
const VERSION = '8.2.6-dev';
const VERSION = '8.2.8-dev';
/**
* Core API compatibility.
......
......@@ -297,7 +297,7 @@ public function getConfigEntitiesToChangeOnDependencyRemoval($type, array $names
$dependency_manager = $this->getConfigDependencyManager();
$dependents = $this->findConfigEntityDependentsAsEntities($type, $names, $dependency_manager);
$original_dependencies = $dependents;
$delete_uuids = $update_uuids = [];
$delete_uuids = [];
$return = [
'update' => [],
......@@ -305,6 +305,13 @@ public function getConfigEntitiesToChangeOnDependencyRemoval($type, array $names
'unchanged' => [],
];
// Create a map of UUIDs to $original_dependencies key so that we can remove
// fixed dependencies.
$uuid_map = [];
foreach ($original_dependencies as $key => $entity) {
$uuid_map[$entity->uuid()] = $key;
}
// Try to fix any dependencies and find out what will happen to the
// dependency graph. Entities are processed in the order of most dependent
// first. For example, this ensures that Menu UI third party dependencies on
......@@ -340,8 +347,9 @@ public function getConfigEntitiesToChangeOnDependencyRemoval($type, array $names
}
}
if ($fixed) {
// Remove the fixed dependency from the list of original dependencies.
unset($original_dependencies[$uuid_map[$dependent->uuid()]]);
$return['update'][] = $dependent;
$update_uuids[] = $dependent->uuid();
}
}
// If the entity cannot be fixed then it has to be deleted.
......@@ -354,8 +362,8 @@ public function getConfigEntitiesToChangeOnDependencyRemoval($type, array $names
}
// Use the lists of UUIDs to filter the original list to work out which
// configuration entities are unchanged.
$return['unchanged'] = array_filter($original_dependencies, function ($dependent) use ($delete_uuids, $update_uuids) {
return !(in_array($dependent->uuid(), $delete_uuids) || in_array($dependent->uuid(), $update_uuids));
$return['unchanged'] = array_filter($original_dependencies, function ($dependent) use ($delete_uuids) {
return !(in_array($dependent->uuid(), $delete_uuids));
});
return $return;
......
......@@ -1031,15 +1031,17 @@ protected function initializeSettings(Request $request) {
$prefix = Settings::getApcuPrefix('class_loader', $this->root);
$apc_loader = new ApcClassLoader($prefix, $this->classLoader);
$this->classLoader->unregister();
$apc_loader->register();
$old_loader = $this->classLoader;
$this->classLoader = $apc_loader;
// The optimized classloader might be persistent and store cache misses.
// For example, once a cache miss is stored in APCu clearing it on a
// specific web-head will not clear any other web-heads. Therefore
// fallback to the composer class loader that only statically caches
// misses.
$old_loader->register();
$old_loader = $this->classLoader;
$this->classLoader = $apc_loader;
// Our class loaders are preprended to ensure they come first like the
// class loader they are replacing.
$old_loader->register(TRUE);
$apc_loader->register(TRUE);
}
}
......
......@@ -303,6 +303,19 @@ public function fieldAccess($operation, FieldDefinitionInterface $field_definiti
// Get the default access restriction that lives within this field.
$default = $items ? $items->defaultAccess($operation, $account) : AccessResult::allowed();
// Explicitly disallow changing the entity ID and entity UUID.
if ($operation === 'edit') {
if ($field_definition->getName() === $this->entityType->getKey('id')) {
return $return_as_object ? AccessResult::forbidden('The entity ID cannot be changed') : FALSE;
}
elseif ($field_definition->getName() === $this->entityType->getKey('uuid')) {
// UUIDs can be set when creating an entity.
if ($items && ($entity = $items->getEntity()) && !$entity->isNew()) {
return $return_as_object ? AccessResult::forbidden('The entity UUID cannot be changed')->addCacheableDependency($entity) : FALSE;
}
}
}
// Get the default access restriction as specified by the access control
// handler.
$entity_default = $this->checkFieldAccess($operation, $field_definition, $account, $items);
......
......@@ -52,21 +52,8 @@ public function __construct($text, Url $url) {
* @param array $route_parameters
* (optional) An associative array of parameter names and values.
* @param array $options
* (optional) An associative array of additional options, with the following
* elements:
* - 'query': An array of query key/value-pairs (without any URL-encoding)
* to append to the URL. Merged with the parameters array.
* - 'fragment': A fragment identifier (named anchor) to append to the URL.
* Do not include the leading '#' character.
* - 'absolute': Defaults to FALSE. Whether to force the output to be an
* absolute link (beginning with http:). Useful for links that will be
* displayed outside the site, such as in an RSS feed.
* - 'language': An optional language object used to look up the alias
* for the URL. If $options['language'] is omitted, it defaults to the
* current language for the language type LanguageInterface::TYPE_URL.
* - 'https': Whether this URL should point to a secure location. If not
* defined, the current scheme is used, so the user stays on HTTP or HTTPS
* respectively. TRUE enforces HTTPS and FALSE enforces HTTP.
* The options parameter takes exactly the same structure.
* See \Drupal\Core\Url::fromUri() for details.
*
* @return static
*/
......
......@@ -157,4 +157,11 @@ protected function getPluralIndex() {
return -1;
}
/**
* {@inheritdoc}
*/
public function __sleep() {
return array_merge(parent::__sleep(), array('count'));
}
}
......@@ -100,11 +100,12 @@
$(window)
.on('resize.dialogResize scroll.dialogResize', eventData, autoResize)
.trigger('resize.dialogResize');
$(document).on('drupalViewportOffsetChange', eventData, autoResize);
$(document).on('drupalViewportOffsetChange.dialogResize', eventData, autoResize);
}
},
'dialog:beforeclose': function (event, dialog, $element) {
$(window).off('.dialogResize');
$(document).off('.dialogResize');
}
});
......
......@@ -37,3 +37,24 @@ function aggregator_update_8001() {
/**
* @} End of "addtogroup updates-8.0.0-rc".
*/
/**
* @addtogroup updates-8.2.x
* @{
*/
/**
* Make the 'Source feed' field for aggregator items required.
*/
function aggregator_update_8200() {
// aggregator_update_8001() did not update the last installed field storage
// definition for the aggregator item's 'Source feed' field.
$definition_update_manager = \Drupal::entityDefinitionUpdateManager();
$field_definition = $definition_update_manager->getFieldStorageDefinition('fid', 'aggregator_item');
$field_definition->setRequired(TRUE);
$definition_update_manager->updateFieldStorageDefinition($field_definition);
}
/**
* @} End of "addtogroup updates-8.2.x".
*/
<?php
namespace Drupal\aggregator\Tests\Update;
use Drupal\system\Tests\Update\UpdatePathTestBase;
/**
* Tests that node settings are properly updated during database updates.
*
* @group aggregator
*/
class AggregatorUpdateTest extends UpdatePathTestBase {
/**
* {@inheritdoc}
*/
protected function setDatabaseDumpFiles() {
$this->databaseDumpFiles = [
__DIR__ . '/../../../../system/tests/fixtures/update/drupal-8.filled.standard.php.gz',
];
}
/**
* Tests that the 'Source feed' field is required.
*
* @see aggregator_update_8200()
*/
public function testSourceFeedRequired() {
// Check that the 'fid' field is not required prior to the update.
$field_definition = \Drupal::entityDefinitionUpdateManager()->getFieldStorageDefinition('fid', 'aggregator_item');
$this->assertFalse($field_definition->isRequired());
// Run updates.
$this->runUpdates();
// Check that the 'fid' field is now required.
$field_definition = \Drupal::entityDefinitionUpdateManager()->getFieldStorageDefinition('fid', 'aggregator_item');
$this->assertTrue($field_definition->isRequired());
}
}
......@@ -22,7 +22,7 @@ class BasicAuthTest extends WebTestBase {
*
* @var array
*/
public static $modules = array('basic_auth', 'router_test', 'locale');
public static $modules = array('basic_auth', 'router_test', 'locale', 'basic_auth_test');
/**
* Test http basic authentication.
......@@ -175,4 +175,25 @@ function testUnauthorizedErrorMessage() {
$this->assertText('Access denied', "A user friendly access denied message is displayed");
}
/**
* Tests if the controller is called before authentication.
*
* @see https://www.drupal.org/node/2817727
*/
public function testControllerNotCalledBeforeAuth() {
$this->drupalGet('/basic_auth_test/state/modify');
$this->assertResponse(401);
$this->drupalGet('/basic_auth_test/state/read');
$this->assertResponse(200);
$this->assertRaw('nope');
$account = $this->drupalCreateUser();
$this->basicAuthGet('/basic_auth_test/state/modify', $account->getUsername(), $account->pass_raw);
$this->assertResponse(200);
$this->assertRaw('Done');
$this->drupalGet('/basic_auth_test/state/read');
$this->assertResponse(200);
$this->assertRaw('yep');
}
}
name: 'HTTP Basic Authentication test'
type: module
description: 'Support module for HTTP Basic Authentication testing.'
package: Testing
version: VERSION
core: 8.x
basic_auth_test.state.modify:
path: '/basic_auth_test/state/modify'
defaults:
_controller: '\Drupal\basic_auth_test\BasicAuthTestController::modifyState'
options:
_auth:
- basic_auth
requirements:
_user_is_logged_in: 'TRUE'
basic_auth_test.state.read:
path: '/basic_auth_test/state/read'
defaults:
_controller: '\Drupal\basic_auth_test\BasicAuthTestController::readState'
requirements:
_access: 'TRUE'
<?php
namespace Drupal\basic_auth_test;
class BasicAuthTestController {
/**
* @see \Drupal\basic_auth\Tests\Authentication\BasicAuthTest::testControllerNotCalledBeforeAuth()
*/
public function modifyState() {
\Drupal::state()->set('basic_auth_test.state.controller_executed', TRUE);
return ['#markup' => 'Done'];
}
/**
* @see \Drupal\basic_auth\Tests\Authentication\BasicAuthTest::testControllerNotCalledBeforeAuth()
*/
public function readState() {
// Mark this page as being uncacheable.
\Drupal::service('page_cache_kill_switch')->trigger();
return [
'#markup' => \Drupal::state()->get('basic_auth_test.state.controller_executed') ? 'yep' : 'nope',
'#cache' => [
'max-age' => 0,
],
];
}
}
......@@ -33,6 +33,12 @@ config_test.dynamic.*.*:
type: config_test_dynamic
label: 'Config test dynamic settings'
config_test.dynamic.*.third_party.node:
type: mapping
mapping:
foo:
type: string
config_test.query.*:
type: config_entity
mapping:
......
......@@ -136,6 +136,10 @@ public function onDependencyRemoval(array $dependencies) {
}
}
}
// If any of the dependencies removed still exists, return FALSE.
if (array_intersect_key(array_flip($this->dependencies['enforced']['config']), $dependencies['config'])) {
return FALSE;
}
return $changed;
}
......
......@@ -12,3 +12,4 @@ process:
destination:
plugin: config
config_name: system.maintenance
translations: true