...
 
Commits (316)
# Drupal editor configuration normalization
# @see http://editorconfig.org/
# This is the top-most .editorconfig file; do not search in parent directories.
root = true
# All files.
[*]
end_of_line = LF
indent_style = space
indent_size = 2
charset = utf-8
trim_trailing_whitespace = true
insert_final_newline = true
......@@ -3,7 +3,7 @@
#
# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
Order allow,deny
</FilesMatch>
......@@ -141,3 +141,9 @@ DirectoryIndex index.php index.html index.htm
</FilesMatch>
</IfModule>
</IfModule>
# Add headers to all responses.
<IfModule mod_headers.c>
# Disable content sniffing, since it's an attack vector.
Header always set X-Content-Type-Options nosniff
</IfModule>
This diff is collapsed.
......@@ -23,7 +23,7 @@ Drupal requires:
- Percona Server 5.1.70 (or greater) (http://www.percona.com/). Percona
Server is a backwards-compatible replacement for MySQL.
- PostgreSQL 8.3 (or greater) (http://www.postgresql.org/).
- SQLite 3.4.2 (or greater) (http://www.sqlite.org/).
- SQLite 3.3.7 (or greater) (http://www.sqlite.org/).
For more detailed information about Drupal requirements, including a list of
PHP extensions and configurations that are required, see "System requirements"
......
This diff is collapsed.
......@@ -64,6 +64,9 @@ following the instructions in the INTRODUCTION section at the top of this file:
Sometimes an update includes changes to default.settings.php (this will be
noted in the release notes). If that's the case, follow these steps:
- Locate your settings.php file in the /sites/* directory. (Typically
sites/default.)
- Make a backup copy of your settings.php file, with a different file name.
- Make a copy of the new default.settings.php file, and name the copy
......@@ -74,6 +77,13 @@ following the instructions in the INTRODUCTION section at the top of this file:
database information, and you will also want to copy in any other
customizations you have added.
You can find the release notes for your version at
https://www.drupal.org/project/drupal. At bottom of the project page under
"Downloads" use the link for your version of Drupal to view the release
notes. If your version is not listed, use the 'View all releases' link. From
this page you can scroll down or use the filter to find your version and its
release notes.
4. Download the latest Drupal 7.x release from http://drupal.org to a
directory outside of your web root. Extract the archive and copy the files
into your Drupal directory.
......
......@@ -211,7 +211,7 @@
*
* When returning an Ajax command array, it is often useful to have
* status messages rendered along with other tasks in the command array.
* In that case the the Ajax commands array may be constructed like this:
* In that case the Ajax commands array may be constructed like this:
* @code
* $commands = array();
* $commands[] = ajax_command_replace(NULL, $output);
......@@ -230,6 +230,10 @@
* functions.
*/
function ajax_render($commands = array()) {
// Although ajax_deliver() does this, some contributed and custom modules
// render Ajax responses without using that delivery callback.
ajax_set_verification_header();
// Ajax responses aren't rendered with html.tpl.php, so we have to call
// drupal_get_css() and drupal_get_js() here, in order to have new files added
// during this request to be loaded by the page. We only want to send back
......@@ -390,7 +394,7 @@ function ajax_form_callback() {
if (!empty($form_state['triggering_element'])) {
$callback = $form_state['triggering_element']['#ajax']['callback'];
}
if (!empty($callback) && function_exists($callback)) {
if (!empty($callback) && is_callable($callback)) {
$result = $callback($form, $form_state);
if (!(is_array($result) && isset($result['#type']) && $result['#type'] == 'ajax')) {
......@@ -487,6 +491,9 @@ function ajax_deliver($page_callback_result) {
}
}
// Let ajax.js know that this response is safe to process.
ajax_set_verification_header();
// Print the response.
$commands = ajax_prepare_response($page_callback_result);
$json = ajax_render($commands);
......@@ -576,6 +583,29 @@ function ajax_prepare_response($page_callback_result) {
return $commands;
}
/**
* Sets a response header for ajax.js to trust the response body.
*
* It is not safe to invoke Ajax commands within user-uploaded files, so this
* header protects against those being invoked.
*
* @see Drupal.ajax.options.success()
*/
function ajax_set_verification_header() {
$added = &drupal_static(__FUNCTION__);
// User-uploaded files cannot set any response headers, so a custom header is
// used to indicate to ajax.js that this response is safe. Note that most
// Ajax requests bound using the Form API will be protected by having the URL
// flagged as trusted in Drupal.settings, so this header is used only for
// things like custom markup that gets Ajax behaviors attached.
if (empty($added)) {
drupal_add_http_header('X-Drupal-Ajax-Token', '1');
// Avoid sending the header twice.
$added = TRUE;
}
}
/**
* Performs end-of-Ajax-request tasks.
*
......@@ -764,7 +794,12 @@ function ajax_pre_render_element($element) {
$element['#attached']['js'][] = array(
'type' => 'setting',
'data' => array('ajax' => array($element['#id'] => $settings)),
'data' => array(
'ajax' => array($element['#id'] => $settings),
'urlIsAjaxTrusted' => array(
$settings['url'] => TRUE,
),
),
);
// Indicate that Ajax processing was successful.
......
......@@ -460,10 +460,10 @@ function _batch_finished() {
if (isset($batch_set['file']) && is_file($batch_set['file'])) {
include_once DRUPAL_ROOT . '/' . $batch_set['file'];
}
if (function_exists($batch_set['finished'])) {
if (is_callable($batch_set['finished'])) {
$queue = _batch_queue($batch_set);
$operations = $queue->getAllItems();
$batch_set['finished']($batch_set['success'], $batch_set['results'], $operations, format_interval($batch_set['elapsed'] / 1000));
call_user_func($batch_set['finished'], $batch_set['success'], $batch_set['results'], $operations, format_interval($batch_set['elapsed'] / 1000));
}
}
}
......
This diff is collapsed.
......@@ -14,6 +14,7 @@
*
* @param $bin
* The cache bin for which the cache object should be returned.
*
* @return DrupalCacheInterface
* The cache object associated with the specified bin.
*
......
This diff is collapsed.
......@@ -296,6 +296,20 @@ abstract class DatabaseConnection extends PDO {
*/
protected $prefixReplace = array();
/**
* List of escaped database, table, and field names, keyed by unescaped names.
*
* @var array
*/
protected $escapedNames = array();
/**
* List of escaped aliases names, keyed by unescaped aliases.
*
* @var array
*/
protected $escapedAliases = array();
function __construct($dsn, $username, $password, $driver_options = array()) {
// Initialize and prepare the connection prefix.
$this->setPrefix(isset($this->connectionOptions['prefix']) ? $this->connectionOptions['prefix'] : '');
......@@ -626,7 +640,7 @@ public function makeComment($comments) {
* A sanitized version of the query comment string.
*/
protected function filterComment($comment = '') {
return preg_replace('/(\/\*\s*)|(\s*\*\/)/', '', $comment);
return strtr($comment, array('*' => ' * '));
}
/**
......@@ -656,7 +670,7 @@ protected function filterComment($comment = '') {
* @return DatabaseStatementInterface
* This method will return one of: the executed statement, the number of
* rows affected by the query (not the number matched), or the generated
* insert IT of the last query, depending on the value of
* insert ID of the last query, depending on the value of
* $options['return']. Typically that value will be set by default or a
* query builder and should not be set by a user. If there is an error,
* this method will return NULL and may throw an exception if
......@@ -919,11 +933,14 @@ public function schema() {
* For some database drivers, it may also wrap the table name in
* database-specific escape characters.
*
* @return
* @return string
* The sanitized table name string.
*/
public function escapeTable($table) {
return preg_replace('/[^A-Za-z0-9_.]+/', '', $table);
if (!isset($this->escapedNames[$table])) {
$this->escapedNames[$table] = preg_replace('/[^A-Za-z0-9_.]+/', '', $table);
}
return $this->escapedNames[$table];
}
/**
......@@ -933,11 +950,14 @@ public function escapeTable($table) {
* For some database drivers, it may also wrap the field name in
* database-specific escape characters.
*
* @return
* @return string
* The sanitized field name string.
*/
public function escapeField($field) {
return preg_replace('/[^A-Za-z0-9_.]+/', '', $field);
if (!isset($this->escapedNames[$field])) {
$this->escapedNames[$field] = preg_replace('/[^A-Za-z0-9_.]+/', '', $field);
}
return $this->escapedNames[$field];
}
/**
......@@ -948,11 +968,14 @@ public function escapeField($field) {
* DatabaseConnection::escapeTable(), this doesn't allow the period (".")
* because that is not allowed in aliases.
*
* @return
* @return string
* The sanitized field name string.
*/
public function escapeAlias($field) {
return preg_replace('/[^A-Za-z0-9_]+/', '', $field);
if (!isset($this->escapedAliases[$field])) {
$this->escapedAliases[$field] = preg_replace('/[^A-Za-z0-9_]+/', '', $field);
}
return $this->escapedAliases[$field];
}
/**
......@@ -1313,6 +1336,39 @@ public function commit() {
* also larger than the $existing_id if one was passed in.
*/
abstract public function nextId($existing_id = 0);
/**
* Checks whether utf8mb4 support is configurable in settings.php.
*
* @return bool
*/
public function utf8mb4IsConfigurable() {
// Since 4 byte UTF-8 is not supported by default, there is nothing to
// configure.
return FALSE;
}
/**
* Checks whether utf8mb4 support is currently active.
*
* @return bool
*/
public function utf8mb4IsActive() {
// Since 4 byte UTF-8 is not supported by default, there is nothing to
// activate.
return FALSE;
}
/**
* Checks whether utf8mb4 support is available on the current database system.
*
* @return bool
*/
public function utf8mb4IsSupported() {
// By default we assume that the database backend may not support 4 byte
// UTF-8.
return FALSE;
}
}
/**
......
......@@ -28,6 +28,12 @@ public function __construct(array $connection_options = array()) {
$this->connectionOptions = $connection_options;
$charset = 'utf8';
// Check if the charset is overridden to utf8mb4 in settings.php.
if ($this->utf8mb4IsActive()) {
$charset = 'utf8mb4';
}
// The DSN should use either a socket or a host/port.
if (isset($connection_options['unix_socket'])) {
$dsn = 'mysql:unix_socket=' . $connection_options['unix_socket'];
......@@ -36,6 +42,10 @@ public function __construct(array $connection_options = array()) {
// Default to TCP connection on port 3306.
$dsn = 'mysql:host=' . $connection_options['host'] . ';port=' . (empty($connection_options['port']) ? 3306 : $connection_options['port']);
}
// Character set is added to dsn to ensure PDO uses the proper character
// set when escaping. This has security implications. See
// https://www.drupal.org/node/1201452 for further discussion.
$dsn .= ';charset=' . $charset;
$dsn .= ';dbname=' . $connection_options['database'];
// Allow PDO options to be overridden.
$connection_options += array(
......@@ -47,6 +57,11 @@ public function __construct(array $connection_options = array()) {
// Because MySQL's prepared statements skip the query cache, because it's dumb.
PDO::ATTR_EMULATE_PREPARES => TRUE,
);
if (defined('PDO::MYSQL_ATTR_MULTI_STATEMENTS')) {
// An added connection option in PHP 5.5.21+ to optionally limit SQL to a
// single statement like mysqli.
$connection_options['pdo'] += array(PDO::MYSQL_ATTR_MULTI_STATEMENTS => FALSE);
}
parent::__construct($dsn, $connection_options['username'], $connection_options['password'], $connection_options['pdo']);
......@@ -54,10 +69,10 @@ public function __construct(array $connection_options = array()) {
// certain one has been set; otherwise, MySQL defaults to 'utf8_general_ci'
// for UTF-8.
if (!empty($connection_options['collation'])) {
$this->exec('SET NAMES utf8 COLLATE ' . $connection_options['collation']);
$this->exec('SET NAMES ' . $charset . ' COLLATE ' . $connection_options['collation']);
}
else {
$this->exec('SET NAMES utf8');
$this->exec('SET NAMES ' . $charset);
}
// Set MySQL init_commands if not already defined. Default Drupal's MySQL
......@@ -72,10 +87,12 @@ public function __construct(array $connection_options = array()) {
'init_commands' => array(),
);
$connection_options['init_commands'] += array(
'sql_mode' => "SET sql_mode = 'ANSI,STRICT_TRANS_TABLES,STRICT_ALL_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER'",
'sql_mode' => "SET sql_mode = 'REAL_AS_FLOAT,PIPES_AS_CONCAT,ANSI_QUOTES,IGNORE_SPACE,STRICT_TRANS_TABLES,STRICT_ALL_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER'",
);
// Set connection options.
$this->exec(implode('; ', $connection_options['init_commands']));
// Execute initial commands.
foreach ($connection_options['init_commands'] as $sql) {
$this->exec($sql);
}
}
public function __destruct() {
......@@ -195,6 +212,42 @@ protected function popCommittableTransactions() {
}
}
}
public function utf8mb4IsConfigurable() {
return TRUE;
}
public function utf8mb4IsActive() {
return isset($this->connectionOptions['charset']) && $this->connectionOptions['charset'] === 'utf8mb4';
}
public function utf8mb4IsSupported() {
// Ensure that the MySQL driver supports utf8mb4 encoding.
$version = $this->getAttribute(PDO::ATTR_CLIENT_VERSION);
if (strpos($version, 'mysqlnd') !== FALSE) {
// The mysqlnd driver supports utf8mb4 starting at version 5.0.9.
$version = preg_replace('/^\D+([\d.]+).*/', '$1', $version);
if (version_compare($version, '5.0.9', '<')) {
return FALSE;
}
}
else {
// The libmysqlclient driver supports utf8mb4 starting at version 5.5.3.
if (version_compare($version, '5.5.3', '<')) {
return FALSE;
}
}
// Ensure that the MySQL server supports large prefixes and utf8mb4.
try {
$this->query("CREATE TABLE {drupal_utf8mb4_test} (id VARCHAR(255), PRIMARY KEY(id(255))) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci ROW_FORMAT=DYNAMIC ENGINE=INNODB");
}
catch (Exception $e) {
return FALSE;
}
$this->query("DROP TABLE {drupal_utf8mb4_test}");
return TRUE;
}
}
......
......@@ -39,8 +39,8 @@ protected function getPrefixInfo($table = 'default', $add_prefix = TRUE) {
$info['table'] = substr($table, ++$pos);
}
else {
$db_info = Database::getConnectionInfo();
$info['database'] = $db_info[$this->connection->getTarget()]['database'];
$db_info = $this->connection->getConnectionOptions();
$info['database'] = $db_info['database'];
$info['table'] = $table;
}
return $info;
......@@ -81,7 +81,8 @@ protected function createTableSql($name, $table) {
// Provide defaults if needed.
$table += array(
'mysql_engine' => 'InnoDB',
'mysql_character_set' => 'utf8',
// Allow the default charset to be overridden in settings.php.
'mysql_character_set' => $this->connection->utf8mb4IsActive() ? 'utf8mb4' : 'utf8',
);
$sql = "CREATE TABLE {" . $name . "} (\n";
......@@ -109,6 +110,13 @@ protected function createTableSql($name, $table) {
$sql .= ' COLLATE ' . $info['collation'];
}
// The row format needs to be either DYNAMIC or COMPRESSED in order to allow
// for the innodb_large_prefix setting to take effect, see
// https://dev.mysql.com/doc/refman/5.6/en/create-table.html
if ($this->connection->utf8mb4IsActive()) {
$sql .= ' ROW_FORMAT=DYNAMIC';
}
// Add table comment.
if (!empty($table['description'])) {
$sql .= ' COMMENT ' . $this->prepareComment($table['description'], self::COMMENT_MAX_TABLE);
......
......@@ -216,6 +216,14 @@ public function nextId($existing = 0) {
return $id;
}
public function utf8mb4IsActive() {
return TRUE;
}
public function utf8mb4IsSupported() {
return TRUE;
}
}
/**
......
......@@ -1694,7 +1694,7 @@ public function __construct($conjunction) {
* Implements Countable::count().
*
* Returns the size of this conditional. The size of the conditional is the
* size of its conditional array minus one, because one element is the the
* size of its conditional array minus one, because one element is the
* conjunction.
*/
public function count() {
......
......@@ -92,7 +92,8 @@
* specification). Each specification is an array containing the name of
* the referenced table ('table'), and an array of column mappings
* ('columns'). Column mappings are defined by key pairs ('source_column' =>
* 'referenced_column').
* 'referenced_column'). This key is for documentation purposes only; foreign
* keys are not created in the database, nor are they enforced by Drupal.
* - 'indexes': An associative array of indexes ('indexname' =>
* specification). Each specification is an array of one or more
* key column specifiers (see below) that form an index on the
......@@ -144,6 +145,8 @@
* 'unique keys' => array(
* 'vid' => array('vid'),
* ),
* // For documentation purposes only; foreign keys are not created in the
* // database.
* 'foreign keys' => array(
* 'node_revision' => array(
* 'table' => 'node_revision',
......
......@@ -1231,6 +1231,21 @@ public function preExecute(SelectQueryInterface $query = NULL) {
// Modules may alter all queries or only those having a particular tag.
if (isset($this->alterTags)) {
// Many contrib modules assume that query tags used for access-checking
// purposes follow the pattern $entity_type . '_access'. But this is
// not the case for taxonomy terms, since core used to add term_access
// instead of taxonomy_term_access to its queries. Provide backwards
// compatibility by adding both tags here instead of attempting to fix
// all contrib modules in a coordinated effort.
// TODO:
// - Extract this mechanism into a hook as part of a public (non-security)
// issue.
// - Emit E_USER_DEPRECATED if term_access is used.
// https://www.drupal.org/node/2575081
$term_access_tags = array('term_access' => 1, 'taxonomy_term_access' => 1);
if (array_intersect_key($this->alterTags, $term_access_tags)) {
$this->alterTags += $term_access_tags;
}
$hooks = array('query');
foreach ($this->alterTags as $tag => $value) {
$hooks[] = 'query_' . $tag;
......
......@@ -378,6 +378,14 @@ public function popTransaction($name) {
}
}
public function utf8mb4IsActive() {
return TRUE;
}
public function utf8mb4IsSupported() {
return TRUE;
}
}
/**
......
......@@ -14,8 +14,6 @@ public function name() {
/**
* Minimum engine version.
*
* @todo: consider upping to 3.6.8 in Drupal 8 to get SAVEPOINT support.
*/
public function minimumVersion() {
return '3.3.7';
......
......@@ -28,7 +28,9 @@ public function resetCache(array $ids = NULL);
* @param $ids
* An array of entity IDs, or FALSE to load all entities.
* @param $conditions
* An array of conditions in the form 'field' => $value.
* An array of conditions. Keys are field names on the entity's base table.
* Values will be compared for equality. All the comparisons will be ANDed
* together. This parameter is deprecated; use an EntityFieldQuery instead.
*
* @return
* An array of entity objects indexed by their ids. When no results are
......@@ -181,6 +183,11 @@ public function load($ids = array(), $conditions = array()) {
}
}
// Ensure integer entity IDs are valid.
if (!empty($ids)) {
$this->cleanIds($ids);
}
// Load any remaining entities from the database. This is the case if $ids
// is set to FALSE (so we load all entities), if there are any ids left to
// load, if loading a revision, or if $conditions was passed without $ids.
......@@ -221,6 +228,35 @@ public function load($ids = array(), $conditions = array()) {
return $entities;
}
/**
* Ensures integer entity IDs are valid.
*
* The identifier sanitization provided by this method has been introduced
* as Drupal used to rely on the database to facilitate this, which worked
* correctly with MySQL but led to errors with other DBMS such as PostgreSQL.
*
* @param array $ids
* The entity IDs to verify. Non-integer IDs are removed from this array if
* the entity type requires IDs to be integers.
*/
protected function cleanIds(&$ids) {
$entity_info = entity_get_info($this->entityType);
if (isset($entity_info['base table field types'])) {
$id_type = $entity_info['base table field types'][$this->idKey];
if ($id_type == 'serial' || $id_type == 'int') {
$ids = array_filter($ids, array($this, 'filterId'));
$ids = array_map('intval', $ids);
}
}
}
/**
* Callback for array_filter that removes non-integer IDs.
*/
protected function filterId($id) {
return is_numeric($id) && $id == (int) $id;
}
/**
* Builds the query to load the entity.
*
......@@ -236,7 +272,9 @@ public function load($ids = array(), $conditions = array()) {
* @param $ids
* An array of entity IDs, or FALSE to load all entities.
* @param $conditions
* An array of conditions in the form 'field' => $value.
* An array of conditions. Keys are field names on the entity's base table.
* Values will be compared for equality. All the comparisons will be ANDed
* together. This parameter is deprecated; use an EntityFieldQuery instead.
* @param $revision_id
* The ID of the revision to load, or FALSE if this query is asking for the
* most current revision(s).
......@@ -408,7 +446,7 @@ class EntityFieldQueryException extends Exception {}
*
* This class allows finding entities based on entity properties (for example,
* node->changed), field values, and generic entity meta data (bundle,
* entity type, entity id, and revision ID). It is not possible to query across
* entity type, entity ID, and revision ID). It is not possible to query across
* multiple entity types. For example, there is no facility to find published
* nodes written by users created in the last hour, as this would require
* querying both node->status and user->created.
......@@ -650,14 +688,36 @@ public function entityCondition($name, $value, $operator = NULL) {
* @param $field
* Either a field name or a field array.
* @param $column
* The column that should hold the value to be matched.
* The column that should hold the value to be matched, defined in the
* hook_field_schema() of this field. If this is omitted then all of the
* other parameters are ignored, except $field, and this call will just be
* adding a condition that says that the field has a value, rather than
* testing the value itself.
* @param $value
* The value to test the column value against.
* The value to test the column value against. In most cases, this is a
* scalar. For more complex options, it is an array. The meaning of each
* element in the array is dependent on $operator.
* @param $operator
* The operator to be used to test the given value.
* The operator to be used to test the given value. The possible values are:
* - '=', '<>', '>', '>=', '<', '<=', 'STARTS_WITH', 'CONTAINS': These
* operators expect $value to be a literal of the same type as the
* column.
* - 'IN', 'NOT IN': These operators expect $value to be an array of
* literals of the same type as the column.
* - 'BETWEEN': This operator expects $value to be an array of two literals
* of the same type as the column.
* The operator can be omitted, and will default to 'IN' if the value is an
* array, or to '=' otherwise.
* @param $delta_group
* An arbitrary identifier: conditions in the same group must have the same
* $delta_group.
* $delta_group. For example, let's presume a multivalue field which has
* two columns, 'color' and 'shape', and for entity ID 1, there are two
* values: red/square and blue/circle. Entity ID 1 does not have values
* corresponding to 'red circle'; however if you pass 'red' and 'circle' as
* conditions, it will appear in the results -- by default queries will run
* against any combination of deltas. By passing the conditions with the
* same $delta_group it will ensure that only values attached to the same
* delta are matched, and entity 1 would then be excluded from the results.
* @param $language_group
* An arbitrary identifier: conditions in the same group must have the same
* $language_group.
......@@ -732,9 +792,11 @@ public function fieldDeltaCondition($field, $value = NULL, $operator = NULL, $de
* @param $field
* Either a field name or a field array.
* @param $column
* A column defined in the hook_field_schema() of this field. If this is
* omitted then the query will find only entities that have data in this
* field, using the entity and property conditions if there are any.
* The column that should hold the value to be matched, defined in the
* hook_field_schema() of this field. If this is omitted then all of the
* other parameters are ignored, except $field, and this call will just be
* adding a condition that says that the field has a value, rather than
* testing the value itself.
* @param $value
* The value to test the column value against. In most cases, this is a
* scalar. For more complex options, it is an array. The meaning of each
......@@ -753,10 +815,10 @@ public function fieldDeltaCondition($field, $value = NULL, $operator = NULL, $de
* @param $delta_group
* An arbitrary identifier: conditions in the same group must have the same
* $delta_group. For example, let's presume a multivalue field which has
* two columns, 'color' and 'shape', and for entity id 1, there are two
* two columns, 'color' and 'shape', and for entity ID 1, there are two
* values: red/square and blue/circle. Entity ID 1 does not have values
* corresponding to 'red circle', however if you pass 'red' and 'circle' as
* conditions, it will appear in the results - by default queries will run
* conditions, it will appear in the results -- by default queries will run
* against any combination of deltas. By passing the conditions with the
* same $delta_group it will ensure that only values attached to the same
* delta are matched, and entity 1 would then be excluded from the results.
......
......@@ -199,7 +199,16 @@ function _drupal_log_error($error, $fatal = FALSE) {
$number++;
}
watchdog('php', '%type: !message in %function (line %line of %file).', $error, $error['severity_level']);
// Log the error immediately, unless this is a non-fatal error which has been
// triggered via drupal_trigger_error_with_delayed_logging(); in that case
// trigger it in a shutdown function. Fatal errors are always triggered
// immediately since for a fatal error the page request will end here anyway.
if (!$fatal && drupal_static('_drupal_trigger_error_with_delayed_logging')) {
drupal_register_shutdown_function('watchdog', 'php', '%type: !message in %function (line %line of %file).', $error, $error['severity_level']);
}
else {
watchdog('php', '%type: !message in %function (line %line of %file).', $error, $error['severity_level']);
}
if ($fatal) {
drupal_add_http_header('Status', '500 Service unavailable (with message)');
......
......@@ -273,7 +273,9 @@ function file_default_scheme() {
* The normalized URI.
*/
function file_stream_wrapper_uri_normalize($uri) {
$scheme = file_uri_scheme($uri);
// Inline file_uri_scheme() function call for performance reasons.
$position = strpos($uri, '://');
$scheme = $position ? substr($uri, 0, $position) : FALSE;
if ($scheme && file_stream_wrapper_valid_scheme($scheme)) {
$target = file_uri_target($uri);
......@@ -1559,7 +1561,7 @@ function file_save_upload($form_field_name, $validators = array(), $destination
return FALSE;
}
// Add in our check of the the file name length.
// Add in our check of the file name length.
$validators['file_validate_name_length'] = array();
// Call the validation functions specified by this function's caller.
......@@ -1785,7 +1787,7 @@ function file_validate_is_image(stdClass $file) {
/**
* Verifies that image dimensions are within the specified maximum and minimum.
*
* Non-image files will be ignored. If a image toolkit is available the image
* Non-image files will be ignored. If an image toolkit is available the image
* will be scaled to fit within the desired maximum dimensions.
*
* @param $file
......@@ -2022,7 +2024,7 @@ function file_download() {
*
* @see file_transfer()
* @see file_download_access()
* @see hook_file_downlaod()
* @see hook_file_download()
*/
function file_download_headers($uri) {
// Let other modules provide headers and control access to the file.
......
This diff is collapsed.
......@@ -362,7 +362,8 @@ function install_run_tasks(&$install_state) {
* Runs an individual installation task.
*
* @param $task
* An array of information about the task to be run.
* An array of information about the task to be run as returned by
* hook_install_tasks().
* @param $install_state
* An array of information about the current installation state. This is
* passed in by reference so that it can be modified by the task.
......@@ -478,11 +479,15 @@ function install_run_task($task, &$install_state) {
* the page request evolves (for example, if an installation profile hasn't
* been selected yet, we don't yet know which profile tasks need to be run).
*
* You can override this using hook_install_tasks() or
* hook_install_tasks_alter().
*
* @param $install_state
* An array of information about the current installation state.
*
* @return
* A list of tasks to be performed, with associated metadata.
* A list of tasks to be performed, with associated metadata as returned by
* hook_install_tasks().
*/
function install_tasks_to_perform($install_state) {
// Start with a list of all currently available tasks.
......@@ -804,6 +809,13 @@ function install_system_module(&$install_state) {
variable_set('install_profile_modules', array_diff($modules, array('system')));
$install_state['database_tables_exist'] = TRUE;
// Prevent the hook_requirements() check from telling us to convert the
// database to utf8mb4.
$connection = Database::getConnection();
if ($connection->utf8mb4IsConfigurable() && $connection->utf8mb4IsActive()) {
variable_set('drupal_all_databases_are_utf8mb4', TRUE);
}
}
/**
......@@ -1585,7 +1597,9 @@ function install_finished(&$install_state) {
}
/**
* Batch callback for batch installation of modules.
* Implements callback_batch_operation().
*
* Performs batch installation of modules.
*/
function _install_module_batch($module, $module_name, &$context) {
// Install and enable the module right away, so that the module will be
......@@ -1598,6 +1612,8 @@ function _install_module_batch($module, $module_name, &$context) {
}
/**
* Implements callback_batch_finished().
*
* 'Finished' callback for module installation batch.
*/
function _install_profile_modules_finished($success, $results, $operations) {
......
......@@ -653,6 +653,13 @@ function drupal_rewrite_settings($settings = array(), $prefix = '') {
if ($fp && fwrite($fp, $buffer) === FALSE) {
throw new Exception(st('Failed to modify %settings. Verify the file permissions.', array('%settings' => $settings_file)));
}
else {
// The existing settings.php file might have been included already. In
// case an opcode cache is enabled, the rewritten contents of the file
// will not be reflected in this process. Ensure to invalidate the file
// in case an opcode cache is enabled.
drupal_clear_opcode_cache(DRUPAL_ROOT . '/' . $settings_file);
}
}
else {
throw new Exception(st('Failed to open %settings. Verify the file permissions.', array('%settings' => $default_settings)));
......@@ -743,7 +750,7 @@ function drupal_install_system() {
/**
* Uninstalls a given list of disabled modules.
*
* @param array $module_list
* @param string[] $module_list
* The modules to uninstall. It is the caller's responsibility to ensure that
* all modules in this list have already been disabled before this function
* is called.
......@@ -762,6 +769,7 @@ function drupal_install_system() {
* included in $module_list).
*
* @see module_disable()
* @see module_enable()
*/
function drupal_uninstall_modules($module_list = array(), $uninstall_dependents = TRUE) {
if ($uninstall_dependents) {
......
......@@ -297,7 +297,7 @@ function language_negotiation_get_switch_links($type, $path) {
// Add support for WCAG 2.0's Language of Parts to add language identifiers.
// http://www.w3.org/TR/UNDERSTANDING-WCAG20/meaning-other-lang-id.html
foreach ($result as $langcode => $link) {
$result[$langcode]['attributes']['lang'] = $langcode;
$result[$langcode]['attributes']['xml:lang'] = $langcode;
}
if (!empty($result)) {
......
......@@ -435,6 +435,13 @@ function locale_language_url_rewrite_url(&$path, &$options) {
switch (variable_get('locale_language_negotiation_url_part', LOCALE_LANGUAGE_NEGOTIATION_URL_PREFIX)) {
case LOCALE_LANGUAGE_NEGOTIATION_URL_DOMAIN:
if ($options['language']->domain) {
// Save the original base URL. If it contains a port, we need to
// retain it below.
if (!empty($options['base_url'])) {
// The colon in the URL scheme messes up the port checking below.
$normalized_base_url = str_replace(array('https://', 'http://'), '', $options['base_url']);
}
// Ask for an absolute URL with our modified base_url.
global $is_https;
$url_scheme = ($is_https) ? 'https://' : 'http://';
......@@ -449,6 +456,19 @@ function locale_language_url_rewrite_url(&$path, &$options) {
// Apply the appropriate protocol to the URL.
$options['base_url'] = $url_scheme . $host;
// In case either the original base URL or the HTTP host contains a
// port, retain it.
$http_host = $_SERVER['HTTP_HOST'];
if (isset($normalized_base_url) && strpos($normalized_base_url, ':') !== FALSE) {
list($host, $port) = explode(':', $normalized_base_url);
$options['base_url'] .= ':' . $port;
}
elseif (strpos($http_host, ':') !== FALSE) {
list($host, $port) = explode(':', $http_host);
$options['base_url'] .= ':' . $port;
}
if (isset($options['https']) && variable_get('https', FALSE)) {
if ($options['https'] === TRUE) {
$options['base_url'] = str_replace('http://', 'https://', $options['base_url']);
......@@ -523,6 +543,22 @@ function locale_language_url_rewrite_session(&$path, &$options) {
* possible attack vector (img).
*/
function locale_string_is_safe($string) {
// Some strings have tokens in them. For tokens in the first part of href or
// src HTML attributes, filter_xss() removes part of the token, the part
// before the first colon. filter_xss() assumes it could be an attempt to
// inject javascript. When filter_xss() removes part of tokens, it causes the
// string to not be translatable when it should be translatable. See
// LocaleStringIsSafeTest::testLocaleStringIsSafe().
//
// We can recognize tokens since they are wrapped with brackets and are only
// composed of alphanumeric characters, colon, underscore, and dashes. We can
// be sure these strings are safe to strip out before the string is checked in
// filter_xss() because no dangerous javascript will match that pattern.
//
// @todo Do not strip out the token. Fix filter_xss() to not incorrectly
// alter the string. https://www.drupal.org/node/2372127
$string = preg_replace('/\[[a-z0-9_-]+(:[a-z0-9_-]+)+\]/i', '', $string);
return decode_entities($string) == decode_entities(filter_xss($string, array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'ins', 'kbd', 'li', 'ol', 'p', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var')));
}
......@@ -631,9 +667,6 @@ function locale_add_language($langcode, $name = NULL, $native = NULL, $direction
* translations).
*/
function _locale_import_po($file, $langcode, $mode, $group = NULL) {
// Try to allocate enough time to parse and import the data.
drupal_set_time_limit(240);
// Check if we have the language already in the database.
if (!db_query("SELECT COUNT(language) FROM {languages} WHERE language = :language", array(':language' => $langcode))->fetchField()) {
drupal_set_message(t('The language selected for import is not supported.'), 'error');
......@@ -717,6 +750,12 @@ function _locale_import_read_po($op, $file, $mode = NULL, $lang = NULL, $group =
$lineno = 0;
while (!feof($fd)) {
// Refresh the time limit every 10 parsed rows to ensure there is always
// enough time to import the data for large PO files.
if (!($lineno % 10)) {
drupal_set_time_limit(30);
}
// A line should not be longer than 10 * 1024.
$line = fgets($fd, 10 * 1024);
......@@ -1931,7 +1970,7 @@ function _locale_translate_seek() {
$groups[$string['group']],
array('data' => check_plain(truncate_utf8($string['source'], 150, FALSE, TRUE)) . '<br /><small>' . $string['location'] . '</small>'),
$string['context'],
array('data' => _locale_translate_language_list($string['languages'], $limit_language), 'align' => 'center'),
array('data' => _locale_translate_language_list($string, $limit_language), 'align' => 'center'),
array('data' => l(t('edit'), "admin/config/regional/translate/edit/$lid", array('query' => drupal_get_destination())), 'class' => array('nowrap')),
array('data' => l(t('delete'), "admin/config/regional/translate/delete/$lid", array('query' => drupal_get_destination())), 'class' => array('nowrap')),
);
......@@ -2126,16 +2165,21 @@ function _locale_rebuild_js($langcode = NULL) {
/**
* List languages in search result table
*/
function _locale_translate_language_list($translation, $limit_language) {
function _locale_translate_language_list($string, $limit_language) {
// Add CSS.
drupal_add_css(drupal_get_path('module', 'locale') . '/locale.css');
// Include both translated and not yet translated target languages in the
// list. The source language is English for built-in strings and the default
// language for other strings.
$languages = language_list();
unset($languages['en']);
$default = language_default();
$omit = $string['group'] == 'default' ? 'en' : $default->language;
unset($languages[$omit]);
$output = '';
foreach ($languages as $langcode => $language) {
if (!$limit_language || $limit_language == $langcode) {
$output .= (!empty($translation[$langcode])) ? $langcode . ' ' : "<em class=\"locale-untranslated\">$langcode</em> ";
$output .= (!empty($string['languages'][$langcode])) ? $langcode . ' ' : "<em class=\"locale-untranslated\">$langcode</em> ";
}
}
......@@ -2301,6 +2345,8 @@ function _locale_batch_build($files, $finished = NULL, $components = array()) {
}
/**
* Implements callback_batch_operation().
*
* Perform interface translation import as a batch step.
*
* @param $filepath
......@@ -2319,6 +2365,8 @@ function _locale_batch_import($filepath, &$context) {
}
/**
* Implements callback_batch_finished().
*
* Finished callback of system page locale import batch.
* Inform the user of translation files imported.
*/
......@@ -2329,6 +2377,8 @@ function _locale_batch_system_finished($success, $results) {
}
/**
* Implements callback_batch_finished().
*
* Finished callback of language addition locale import batch.
* Inform the user of translation files imported.
*/
......
......@@ -566,7 +566,7 @@ function _drupal_wrap_mail_line(&$line, $key, $values) {
// Use soft-breaks only for purely quoted or unindented text.
$line = wordwrap($line, 77 - $values['length'], $values['soft'] ? " \n" : "\n");
// Break really long words at the maximum width allowed.
$line = wordwrap($line, 996 - $values['length'], $values['soft'] ? " \n" : "\n");
$line = wordwrap($line, 996 - $values['length'], $values['soft'] ? " \n" : "\n", TRUE);
}
/**
......
......@@ -229,12 +229,20 @@
define('MENU_FOUND', 1);
/**
* Internal menu status code -- Menu item was not found.
* Menu status code -- Not found.
*
* This can be used as the return value from a page callback, although it is
* preferable to use a load function to accomplish this; see the hook_menu()
* documentation for details.
*/
define('MENU_NOT_FOUND', 2);
/**
* Internal menu status code -- Menu item access is denied.
* Menu status code -- Access denied.
*
* This can be used as the return value from a page callback, although it is
* preferable to use an access callback to accomplish this; see the hook_menu()
* documentation for details.
*/
define('MENU_ACCESS_DENIED', 3);
......@@ -431,7 +439,7 @@ function menu_set_item($path, $router_item) {
*
* @param $path
* The path; for example, 'node/5'. The function will find the corresponding
* node/% item and return that.
* node/% item and return that. Defaults to the current path.
* @param $router_item
* Internal use only.
*
......@@ -456,7 +464,9 @@ function menu_get_item($path = NULL, $router_item = NULL) {
// Rebuild if we know it's needed, or if the menu masks are missing which
// occurs rarely, likely due to a race condition of multiple rebuilds.
if (variable_get('menu_rebuild_needed', FALSE) || !variable_get('menu_masks', array())) {
menu_rebuild();
if (_menu_check_rebuild()) {
menu_rebuild();
}
}
$original_map = arg(NULL, $path);
......@@ -1485,7 +1495,7 @@ function menu_tree_collect_node_links(&$tree, &$node_links) {
* menu_tree_collect_node_links().
*/
function menu_tree_check_access(&$tree, $node_links = array()) {
if ($node_links) {
if ($node_links && (user_access('access content') || user_access('bypass node access'))) {
$nids = array_keys($node_links);
$select = db_select('node', 'n');
$select->addField('n', 'nid');
......@@ -2409,7 +2419,7 @@ function menu_set_active_trail($new_trail = NULL) {
// argument placeholders (%). Such links are not contained in regular
// menu trees, and have only been loaded for the additional
// translation that happens here, so as to be able to display them in
// the breadcumb for the current page.
// the breadcrumb for the current page.
// @see _menu_tree_check_access()
// @see _menu_link_translate()
if (strpos($link['href'], '%') !== FALSE) {
......@@ -2611,10 +2621,30 @@ function menu_get_active_breadcrumb() {
*/
function menu_get_active_title() {
$active_trail = menu_get_active_trail();
$local_task_title = NULL;
foreach (array_reverse($active_trail) as $item) {
if (!(bool) ($item['type'] & MENU_IS_LOCAL_TASK)) {
return $item['title'];
// Local task titles are displayed as tabs and therefore should not be
// repeated as the page title. However, if the local task appears in a
// top-level menu, it is no longer a "local task" anymore (the front page
// of the site does not have tabs) so it is better to use the local task
// title in that case than to fall back on the front page link in the
// active trail (which is usually "Home" and would not make sense in this
// context).
if ((bool) ($item['type'] & MENU_IS_LOCAL_TASK)) {
// A local task title is being skipped; track it in case it needs to be
// used later.
$local_task_title = $item['title'];
}
else {
// This is not a local task, so use it for the page title (unless the
// conditions described above are met).
if (isset($local_task_title) && isset($item['href']) && $item['href'] == '<front>') {
return $local_task_title;
}
else {
return $item['title'];
}
}
}
}
......@@ -2693,6 +2723,21 @@ function menu_reset_static_cache() {
drupal_static_reset('menu_link_get_preferred');
}
/**
* Checks whether a menu_rebuild() is necessary.
*/
function _menu_check_rebuild() {
// To absolutely ensure that the menu rebuild is required, re-load the
// variables in case they were set by another process.
$variables = variable_initialize();
if (empty($variables['menu_rebuild_needed']) && !empty($variables['menu_masks'])) {
unset($GLOBALS['conf']['menu_rebuild_needed']);
$GLOBALS['conf']['menu_masks'] = $variables['menu_masks'];
return FALSE;
}
return TRUE;
}
/**
* Populates the database tables used by various menu functions.
*
......@@ -2713,6 +2758,14 @@ function menu_rebuild() {
// We choose to block here since otherwise the router item may not
// be available in menu_execute_active_handler() resulting in a 404.
lock_wait('menu_rebuild');
if (_menu_check_rebuild()) {
// If we get here and menu_masks was not set, then it is possible a menu
// is being reloaded, or that the process rebuilding the menu was unable
// to complete successfully. A missing menu_masks variable could result
// in a 404, so re-run the function.
return menu_rebuild();
}
return FALSE;
}
......@@ -2737,6 +2790,12 @@ function menu_rebuild() {
$transaction->rollback();
watchdog_exception('menu', $e);
}
// Explicitly commit the transaction now; this ensures that the database
// operations during the menu rebuild are committed before the lock is made
// available again, since locks may not always reside in the same database
// connection. The lock is acquired outside of the transaction so should also
// be released outside of it.
unset($transaction);
lock_release('menu_rebuild');
return TRUE;
......
......@@ -227,6 +227,10 @@ function system_list_reset() {
drupal_static_reset('list_themes');
cache_clear_all('bootstrap_modules', 'cache_bootstrap');
cache_clear_all('system_list', 'cache_bootstrap');
// Clean up the bootstrap file scan cache.
drupal_static_reset('_drupal_file_scan_cache');
cache_clear_all('_drupal_file_scan_cache', 'cache_bootstrap');
}
/**
......@@ -320,16 +324,27 @@ function module_load_install($module) {
* The name of the included file, if successful; FALSE otherwise.
*/
function module_load_include($type, $module, $name = NULL) {
static $files = array();
if (!isset($name)) {
$name = $module;
}
$key = $type . ':' . $module . ':' . $name;
if (isset($files[$key])) {
return $files[$key];
}
if (function_exists('drupal_get_path')) {
$file = DRUPAL_ROOT . '/' . drupal_get_path('module', $module) . "/$name.$type";
if (is_file($file)) {
require_once $file;
$files[$key] = $file;
return $file;
}
else {
$files[$key] = FALSE;
}
}
return FALSE;
}
......@@ -365,20 +380,22 @@ function module_load_all_includes($type, $name = NULL) {
* - Invoke hook_modules_installed().
* - Invoke hook_modules_enabled().
*
* @param $module_list
* @param string[] $module_list
* An array of module names.
* @param $enable_dependencies
* @param bool $enable_dependencies
* If TRUE, dependencies will automatically be added and enabled in the
* correct order. This incurs a significant performance cost, so use FALSE
* if you know $module_list is already complete and in the correct order.
*
* @return
* @return bool
* FALSE if one or more dependencies are missing, TRUE otherwise.
*
* @see hook_install()
* @see hook_enable()
* @see hook_modules_installed()
* @see hook_modules_enabled()
* @see module_disable()
* @see drupal_uninstall_modules()
*/
function module_enable($module_list, $enable_dependencies = TRUE) {
if ($enable_dependencies) {
......@@ -505,12 +522,15 @@ function module_enable($module_list, $enable_dependencies = TRUE) {
/**
* Disables a given set of modules.
*
* @param $module_list
* @param string[] $module_list
* An array of module names.
* @param $disable_dependents
* @param bool $disable_dependents
* If TRUE, dependent modules will automatically be added and disabled in the
* correct order. This incurs a significant performance cost, so use FALSE
* if you know $module_list is already complete and in the correct order.
*
* @see drupal_uninstall_modules()
* @see module_enable()
*/
function module_disable($module_list, $disable_dependents = TRUE) {
if ($disable_dependents) {
......@@ -676,12 +696,16 @@ function module_hook($module, $hook) {
/**
* Determines which modules are implementing a hook.
*
* @param $hook
* Lazy-loaded include files specified with "group" via hook_hook_info() or
* hook_module_implements_alter() will be automatically included by this
* function when necessary.
*