Commit 354a2618 authored by Jess's avatar Jess

Merged 9.0.1.

parents 12fb3d86 32d737c5
+7 −550


+7 −1
@@ -382,11 +382,17 @@ function drupal_valid_test_ua($new_prefix = NULL) {
    // Ensure that no information leaks on production sites.
    $test_db = new TestDatabase($prefix);
    $key_file = DRUPAL_ROOT . '/' . $test_db->getTestSitePath() . '/.htkey';
    if (!is_readable($key_file)) {
    if (!is_readable($key_file) || is_dir($key_file)) {
      header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
      exit;
    }
    $private_key = file_get_contents($key_file);
    // The string from drupal_generate_test_ua() is 74 bytes long. If we don't
    // have it, tests cannot be allowed.
    if (empty($private_key) || strlen($private_key) < 74) {
      header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
      exit;
    }
    // The file properties add more entropy not easily accessible to others.
    $key = $private_key . filectime(__FILE__) . fileinode(__FILE__);
    $time_diff = REQUEST_TIME - $time;
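Review bot: The new guard on the changed `if` line rejects directories but still lets `file_get_contents()` run on any other readable non-regular path (a FIFO or device node), where the read can block rather than fail; `is_file()` covers directories and those cases in one predicate: `if (!is_file($key_file) || !is_readable($key_file)) {`. The added length check hard-codes `74` as a copy of the `drupal_generate_test_ua()` output format with no shared constant, so a format change there would silently break this check; at minimum the comment should say `// Must match the length of the string built in drupal_generate_test_ua().`. drupal_valid_test_ua() starts and ends outside this hunk.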
+10 −1
@@ -19,6 +19,7 @@
use Drupal\Core\Theme\ThemeManagerInterface;
use Symfony\Component\EventDispatcher\EventDispatcherInterface;
use Symfony\Component\HttpFoundation\FileBag;
use Symfony\Component\HttpFoundation\ParameterBag;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\HttpFoundation\Response;

@@ -957,8 +958,16 @@ public function doBuildForm($form_id, &$element, FormStateInterface &$form_state
            // This value is checked in self::handleInputElement().
            $form_state->setInvalidToken(TRUE);

            // Ignore all submitted values.
            $form_state->setUserInput([]);

            $request = $this->requestStack->getCurrentRequest();
            // Do not trust any POST data.
            $request->request = new ParameterBag();
            // Make sure file uploads do not get processed.
            $this->requestStack->getCurrentRequest()->files = new FileBag();
            $request->files = new FileBag();
            // Ensure PHP globals reflect these changes.
            $request->overrideGlobals();
          }
        }
      }
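Review bot: The comment `// Ensure PHP globals reflect these changes.` above the new `overrideGlobals()` call overstates what that call does: Symfony's `Request::overrideGlobals()` rewrites `$_GET`, `$_POST`, `$_REQUEST`, `$_COOKIE` and `$_SERVER` but never `$_FILES`, so the emptied `FileBag` is not mirrored into the superglobal and code that reads `$_FILES` directly still sees the upload entries. Suggest `// Ensure PHP globals reflect these changes ($_FILES is not overridden by overrideGlobals()).` and, if any direct `$_FILES` readers exist in the upload path, clearing it here too. `getCurrentRequest()` is nullable, and the new `$request->request = new ParameterBag();` line assumes a request is present, as the removed line did. The first hunk only adds the `ParameterBag` import; doBuildForm() starts and ends outside this hunk.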
+1 −3
@@ -124,10 +124,8 @@ public function validateForm($form_id, &$form, FormStateInterface &$form_state)
   * {@inheritdoc}
   */
  public function setInvalidTokenError(FormStateInterface $form_state) {
    $url = $this->requestStack->getCurrentRequest()->getRequestUri();

    // Setting this error will cause the form to fail validation.
    $form_state->setErrorByName('form_token', $this->t('The form has become outdated. Copy any unsaved work in the form below and then <a href=":link">reload this page</a>.', [':link' => $url]));
    $form_state->setErrorByName('form_token', $this->t('The form has become outdated. Press the back button, copy any unsaved work in the form, and then reload the page.'));
  }

  /**
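Review bot: With the `$url = $this->requestStack->getCurrentRequest()->getRequestUri();` line removed, `$this->requestStack` may no longer be read anywhere in this class; if that is the case the injected property is dead and should either be dropped in the same change or kept with a short comment explaining why the constructor signature is preserved. The `{@inheritdoc}` docblock is unchanged, so the interface's description of this method should still match the new static, link-free message.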
+1 −1
@@ -50,7 +50,7 @@ public function testManagedFile() {
            $file_field_name => \Drupal::service('file_system')->realpath($test_file->getFileUri()),
          ];
          $this->drupalPostForm(NULL, $edit, t('Save'));
          $this->assertText('The form has become outdated. Copy any unsaved work in the form below');
          $this->assertText('The form has become outdated.');
          $last_fid = $this->getLastFileId();
          $this->assertEqual($last_fid_prior, $last_fid, 'File was not saved when uploaded with an invalid form token.');

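Review bot: Shortening the assertion on the changed `assertText` line to `'The form has become outdated.'` would also pass if the previous, URL-bearing message came back, so the test no longer pins the wording that motivated this change; asserting the full new text, `$this->assertText('The form has become outdated. Press the back button, copy any unsaved work in the form, and then reload the page.');`, or adding `$this->assertNoText('reload this page');` for the old link text, keeps it a regression test. testManagedFile() starts and ends outside this hunk.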