Verified Commit c6b4d6c3 authored by Dave Long's avatar Dave Long
Browse files

SA-CORE-2024-004 by zengenuity, cilefen, kristiaanvandeneynde, mcdruid, larowlan

parent 7f99ea2f

core/lib/Drupal/Core/Validation/Plugin/Validation/Constraint/UniqueFieldConstraint.php

+10 −0
Original line number Diff line number Diff line
@@ -17,6 +17,16 @@ class UniqueFieldConstraint extends SymfonyConstraint { 


  public $message = 'A @entity_type with @field_name %value already exists.';



  /**

   * This constraint is case-insensitive by default.

   *

   * For example "FOO" and "foo" would be considered as equivalent, and

   * validation of the constraint would fail.

   *

   * @var bool

   */

  public $caseSensitive = FALSE;



  /**

   * Returns the name of the class that validates this constraint.

   *

core/lib/Drupal/Core/Validation/Plugin/Validation/Constraint/UniqueFieldValueValidator.php

+12 −1
Original line number Diff line number Diff line
@@ -64,12 +64,23 @@ public function validate($items, Constraint $constraint) { 
      ->getStorage($entity_type_id)

      ->getAggregateQuery()

      ->accessCheck(FALSE)

      ->condition($field_name, $item_values, 'IN')

      ->groupBy("$field_name.$property_name");

    if (!$is_new) {

      $entity_id = $entity->id();

      $query->condition($id_key, $entity_id, '<>');

    }



    if ($constraint->caseSensitive) {

      $query->condition($field_name, $item_values, 'IN');

    }

    else {

      $or_group = $query->orConditionGroup();

      foreach ($item_values as $item_value) {

        $or_group->condition($field_name, \Drupal::database()->escapeLike($item_value), 'LIKE');

      }

      $query->condition($or_group);

    }



    $results = $query->execute();



    if (!empty($results)) {

core/modules/file/src/Plugin/Validation/Constraint/FileUriUnique.php

+15 −4
Original line number Diff line number Diff line
@@ -4,7 +4,8 @@ 


use Drupal\Core\StringTranslation\TranslatableMarkup;

use Drupal\Core\Validation\Attribute\Constraint;

use Symfony\Component\Validator\Constraint as SymfonyConstraint;

use Drupal\Core\Validation\Plugin\Validation\Constraint\UniqueFieldConstraint;

use Drupal\Core\Validation\Plugin\Validation\Constraint\UniqueFieldValueValidator;



/**

 * Supports validating file URIs.
@@ -13,15 +14,25 @@ 
  id: 'FileUriUnique',

  label: new TranslatableMarkup('File URI', [], ['context' => 'Validation'])

)]

class FileUriUnique extends SymfonyConstraint {

class FileUriUnique extends UniqueFieldConstraint {



  public $message = 'The file %value already exists. Enter a unique file URI.';



  /**

   * This constraint is case-sensitive.

   *

   * For example "public://foo.txt" and "public://FOO.txt" are treated as

   * different values, and can co-exist.

   *

   * @var bool

   */

  public $caseSensitive = TRUE;



  /**

   * {@inheritdoc}

   */

  public function validatedBy() {

    return '\Drupal\Core\Validation\Plugin\Validation\Constraint\UniqueFieldValueValidator';

  public function validatedBy(): string {

    return UniqueFieldValueValidator::class;

  }



}

core/modules/user/user.install

+25 −9
Original line number Diff line number Diff line
@@ -100,6 +100,7 @@ function user_requirements($phase): array { 
  if ($phase !== 'runtime') {

    return [];

  }

  $return = [];



  $result = (bool) \Drupal::entityQuery('user')

    ->accessCheck(FALSE)
@@ -108,17 +109,32 @@ function user_requirements($phase): array { 
    ->execute();



  if ($result === FALSE) {

    return [

      'anonymous user' => [

    $return['anonymous user'] = [

      'title' => t('Anonymous user'),

      'description' => t('The anonymous user does not exist. See the <a href=":url">restore the anonymous (user ID 0) user record</a> for more information', [

        ':url' => 'https://www.drupal.org/node/1029506',

      ]),

      'severity' => REQUIREMENT_WARNING,

      ],

    ];

  }

  return [];



  $query = \Drupal::database()->select('users_field_data');

  $query->addExpression('LOWER(mail)', 'lower_mail');

  $query->groupBy('lower_mail');

  $query->having('COUNT(uid) > :matches', [':matches' => 1]);

  $conflicts = $query->countQuery()->execute()->fetchField();



  if ($conflicts > 0) {

    $return['conflicting emails'] = [

      'title' => t('Conflicting user emails'),

      'description' => t('Some user accounts have email addresses that differ only by case. For example, one account might have alice@example.com and another might have Alice@Example.com. See <a href=":url">Conflicting User Emails</a> for more information.', [

        ':url' => 'https://www.drupal.org/node/3486109',

      ]),

      'severity' => REQUIREMENT_WARNING,

    ];

  }



  return $return;

}



/**