Backdrop 1.28.0 #52

Merged
merged 1 commit into from
May 20, 2024
4 changes: 2 additions & 2 deletions docroot/core/authorize.php
Expand Up @@ -10,7 +10,7 @@
* user interface which knows how to redirect the user to this script as part of
* a multistep process. This script actually performs the selected operations
* without loading all of Backdrop, to be able to more gracefully recover from
* errors. Access to the script is controlled by a global killswitch in
* errors. Access to the script is controlled by a global kill switch in
* settings.php ('allow_authorize_operations') and via the 'administer software
* updates' permission.
*
Expand Down Expand Up @@ -54,7 +54,7 @@ function authorize_access_denied_page() {
/**
* Determines if the current user is allowed to run authorize.php.
*
* The killswitch in settings.php overrides all else, otherwise, the user must
* The kill switch in settings.php overrides all else, otherwise, the user must
* have access to the 'administer software updates' permission.
*
* @return
26 changes: 20 additions & 6 deletions docroot/core/includes/bootstrap.inc
Expand Up @@ -7,7 +7,7 @@
/**
* The current system version.
*/
define('BACKDROP_VERSION', '1.27.1');
define('BACKDROP_VERSION', '1.28.0');

/**
* Core API compatibility.
Expand Down Expand Up @@ -421,7 +421,7 @@ abstract class BackdropCacheArray implements ArrayAccess {
* @param $persist
* Optional boolean to specify whether the offset should be persisted or
* not, defaults to TRUE. When called with $persist = FALSE the offset will
* be unflagged so that it will not be written at the end of the request.
* be un-flagged so that it will not be written at the end of the request.
*/
protected function persist($offset, $persist = TRUE) {
$this->keysToPersist[$offset] = $persist;
Expand Down Expand Up @@ -806,6 +806,12 @@ function backdrop_is_https() {
* @since 1.9.2
*/
function backdrop_is_apache() {
// Test runs always emulate Apache.
$test_info = &$GLOBALS['backdrop_test_info'];
if (!empty($test_info['in_child_site'])) {
return TRUE;
}

$server_software = $_SERVER['SERVER_SOFTWARE'];
return (bool) preg_match("/apache/i", $server_software);
}
Expand Down Expand Up @@ -845,7 +851,6 @@ function backdrop_settings_initialize() {
// Export these settings.php variables to the global namespace.
global $databases, $cookie_domain, $conf, $settings, $installed_profile, $is_https, $base_secure_url, $base_insecure_url, $config_directories, $config;
$conf = array();
$settings = array();

$conf_path = conf_path();
if (file_exists($conf_path . '/settings.php')) {
Expand Down Expand Up @@ -3043,11 +3048,20 @@ function _backdrop_bootstrap_configuration() {
throw new Exception(format_string('The HTTP Host "@hostname" is not white-listed for this site. Check the trusted_host_patterns setting in settings.php.', array('@hostname' => $_SERVER['HTTP_HOST'])));
}

// Bootstrap the database if it is needed but not yet available.
$config_storage = config_get_config_storage('active');

// Check that the config directory is not empty.
if (!defined('MAINTENANCE_MODE') && ($config_storage = config_get_config_storage('active'))) {
if (!defined('MAINTENANCE_MODE') && (!empty($config_storage))) {
if (!($config_storage->exists('system.core') || $config_storage->exists('system.performance'))) {
$directory = config_get_config_directory('active');
throw new Exception("The configuration directory in settings.php is specified as '$directory', but this directory is either empty or missing crucial files. Check that the \$config_directories variable is correct in settings.php.");
if (is_a($config_storage, 'ConfigFileStorage')) {
$directory = config_get_config_directory('active');
$exception_message = "The configuration directory in settings.php is specified as '$directory', but this directory is either empty or missing crucial files. Check that the \$config_directories variable is correct in settings.php.";
}
else {
$exception_message = "The active configuration location is either empty or missing crucial information. Check that the \$settings['config_active_class'] variable is correct in settings.php.";
}
throw new Exception($exception_message);
}
}
}
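Review bot: In `backdrop_is_apache()` the added `$test_info = &$GLOBALS['backdrop_test_info'];` takes a reference, which creates `$GLOBALS['backdrop_test_info']` as NULL whenever it was not already set, so a read-only check now has a write side effect on a global; `if (!empty($GLOBALS['backdrop_test_info']['in_child_site'])) { return TRUE; }` tests the same condition without it. The context line that follows, `$server_software = $_SERVER['SERVER_SOFTWARE'];`, still raises an undefined-index notice in CLI runs where that key is absent, and the commit touches the function without guarding it; `$server_software = isset($_SERVER['SERVER_SOFTWARE']) ? $_SERVER['SERVER_SOFTWARE'] : '';` keeps the FALSE result in that case. Because the test-site check short-circuits on a global rather than on the request, a comment stating where `backdrop_test_info` is populated (presumably only by the test runner; confirm) would help the next reader judge whether it can be influenced from outside. The comment `// Bootstrap the database if it is needed but not yet available.` placed above `$config_storage = config_get_config_storage('active');` in `_backdrop_bootstrap_configuration()` reads as if it belonged to a different statement; if the storage lookup is what triggers the database bootstrap for database-backed storage, saying so explicitly would be clearer.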
121 changes: 111 additions & 10 deletions docroot/core/includes/common.inc
Expand Up @@ -953,6 +953,9 @@ function backdrop_access_denied() {
* @see backdrop_http_build_query()
*
* @since 1.18.4 The $options['data'] key may now be passed as an array.
* @since 1.27.2 Now removes any potentially sensitive headers before following
* a redirect. See the 'strip_sensitive_headers_on_host_change' setting in
* settings.php for details.
*/
function backdrop_http_request($url, array $options = array()) {
// Allow an alternate HTTP client library to replace Backdrop's default
Expand Down Expand Up @@ -1226,6 +1229,7 @@ function backdrop_http_request($url, array $options = array()) {
415 => 'Unsupported Media Type',
416 => 'Requested range not satisfiable',
417 => 'Expectation Failed',
429 => 'Too Many Requests',
500 => 'Internal Server Error',
501 => 'Not Implemented',
502 => 'Bad Gateway',
Expand Down Expand Up @@ -1262,6 +1266,15 @@ function backdrop_http_request($url, array $options = array()) {
elseif ($options['max_redirects']) {
// Redirect to the new location.
$options['max_redirects']--;

// Check if we need to remove any potentially sensitive headers before
// following the redirect.
// @see https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx
if (_backdrop_should_strip_sensitive_headers_on_http_redirect($url, $location)) {
unset($options['headers']['Cookie']);
unset($options['headers']['Authorization']);
}

// Remove the automatically added Host header, as the redirect may
// be on a different domain name.
if (isset($options['headers']['Host'])) {
Expand All @@ -1281,6 +1294,36 @@ function backdrop_http_request($url, array $options = array()) {
return $result;
}

/**
* Determine whether to strip sensitive headers from a request when redirected.
*
* @param string $url
* The url from the original outbound http request.
*
* @param string $location
* The location to which the request has been redirected.
*
* @return boolean
* Whether sensitive headers should be stripped from the request before
* following the redirect.
*/
function _backdrop_should_strip_sensitive_headers_on_http_redirect($url, $location) {
$url_parsed = parse_url($url);
$location_parsed = parse_url($location);
if (!isset($location_parsed['host'])) {
return FALSE;
}
$strip_on_host_change = config_get('system.core', 'backdrop_http_request.strip_sensitive_headers_on_host_change');
$strip_on_https_downgrade = config_get('system.core', 'backdrop_http_request.strip_sensitive_headers_on_https_downgrade');
if ($strip_on_host_change && strcasecmp($url_parsed['host'], $location_parsed['host']) !== 0) {
return TRUE;
}
if ($strip_on_https_downgrade && $url_parsed['scheme'] !== $location_parsed['scheme'] && $location_parsed['scheme'] !== 'https') {
return TRUE;
}
return FALSE;
}

/**
* Split an HTTP response status line into components.
*
Expand Down Expand Up @@ -2166,9 +2209,9 @@ function format_rss_item($title, $link, $description, $args = array()) {
* @since 1.12.7 Added $indentation_level parameter.
*
* @return string
* A string of XML representing the elements passed in.
* A string of XML representing the elements passed in.
*/
function format_xml_elements($array, $indentation_level = 0) {
function format_xml_elements(array $array, $indentation_level = 0) {
$output = '';

// Indent two spaces per level.
Expand Down Expand Up @@ -2484,7 +2527,7 @@ function format_date($timestamp, $date_format_name = 'medium', $pattern = '', $t
*
* Callback for preg_replace_callback() within format_date().
*
* @param $matches
* @param array $matches
* The array of matches as found by preg_replace_callback().
* @param string $new_langcode
* Sets the internal langcode to be used. Set the langcode prior to calling
Expand Down Expand Up @@ -2757,8 +2800,8 @@ function url_is_external($path) {
$colon_position = strpos($path, ':');
// Some browsers treat \ as / so normalize to forward slashes.
$path = str_replace('\\', '/', $path);
// Avoid calling backdrop_strip_dangerous_protocols(). If the path starts with 2
// slashes then it is always considered an external URL without an explicit
// Avoid calling backdrop_strip_dangerous_protocols(). If the path starts with
// 2 slashes then it is always considered an external URL without an explicit
// protocol part.
return (strpos($path, '//') === 0)
// Leading control characters may be ignored or mishandled by browsers, so
Expand Down Expand Up @@ -2803,7 +2846,7 @@ function backdrop_http_header_attributes(array $attributes = array()) {
*
* Attribute values are sanitized by running them through check_plain().
* Attribute names are not automatically sanitized. When using user-supplied
* attribute names, it is strongly recommended to allow only white-listed names,
* attribute names, it is strongly recommended to ensure that they are allowed,
* since certain attributes carry security risks and can be abused.
*
* Examples of security aspects when using backdrop_attributes:
Expand Down Expand Up @@ -4702,7 +4745,6 @@ function backdrop_add_js($data = NULL, $options = NULL) {
// Register all required libraries.
backdrop_add_library('system', 'jquery', TRUE);
backdrop_add_library('system', 'jquery.once', TRUE);
backdrop_add_library('system', 'html5shiv', TRUE);
}

switch ($options['type']) {
Expand Down Expand Up @@ -5076,6 +5118,7 @@ function backdrop_aggregate_js(&$js_groups) {
* to elements using the #attached property. The #attached property is an
* associative array, where the keys are the the attachment types and the values
* are the attached data. For example:
*
* @code
* $build['#attached'] = array(
* 'js' => array(backdrop_get_path('module', 'taxonomy') . '/js/taxonomy.admin.js'),
Expand Down Expand Up @@ -5123,6 +5166,7 @@ function backdrop_aggregate_js(&$js_groups) {
* @see backdrop_add_library()
* @see backdrop_add_js()
* @see backdrop_add_css()
* @see backdrop_add_icon()
* @see backdrop_render()
*/
function backdrop_process_attached($elements, $group = JS_DEFAULT, $dependency_check = FALSE, $every_page = NULL) {
Expand All @@ -5131,6 +5175,7 @@ function backdrop_process_attached($elements, $group = JS_DEFAULT, $dependency_c
'library' => array(),
'js' => array(),
'css' => array(),
'icons' => array(),
);

// Add the libraries first.
Expand Down Expand Up @@ -5176,6 +5221,10 @@ function backdrop_process_attached($elements, $group = JS_DEFAULT, $dependency_c
unset($elements['#attached'][$type]);
}

// Icons are added all at once, no need to apply separate options.
backdrop_add_icons($elements['#attached']['icons']);
unset($elements['#attached']['icons']);

// Add additional types of attachments specified in the render() structure.
// Libraries, JavaScript and CSS have been added already, as they require
// special handling.
Expand Down Expand Up @@ -5397,6 +5446,7 @@ function backdrop_add_library($module, $name, $every_page = NULL) {
'library' => $library['dependencies'],
'js' => $library['js'],
'css' => $library['css'],
'icons' => $library['icons'],
);
$added[$module][$name] = backdrop_process_attached($elements, JS_LIBRARY, TRUE, $every_page);
}
Expand Down Expand Up @@ -5455,7 +5505,12 @@ function backdrop_get_library($module, $name = NULL) {
foreach ($module_libraries as $key => $data) {
if (is_array($data)) {
// Add default elements to allow for easier processing.
$module_libraries[$key] += array('dependencies' => array(), 'js' => array(), 'css' => array());
$module_libraries[$key] += array(
'dependencies' => array(),
'js' => array(),
'css' => array(),
'icons' => array(),
);
foreach ($module_libraries[$key]['js'] as $file => $options) {
$module_libraries[$key]['js'][$file]['version'] = $module_libraries[$key]['version'];
}
Expand All @@ -5472,6 +5527,42 @@ function backdrop_get_library($module, $name = NULL) {
return $libraries[$module];
}

/**
* Adds icons to the page to make them available in JS and CSS files.
*
* The icon name is resolved to a file path and then added to the page as both
* a JavaScript variable (Backdrop.icons['icon-name']) and as a CSS variable
* (--icon-[icon-name]). Note that use of this function is not necessary if
* embedding an icon directly onto the page using the icon() function. This is
* only needed if using icons in JS and CSS files.
*
* @param array $icon_names
* An array of unique icon names be added, without the extensions. Most icon
* names can be found by browsing the core/misc/icons directory. The icon
* list can either be a plain list of names in an unindexed array, or the
* icon name can be the key, with an array of options as the value. The
* available options for each icon include:
* - immutable: Whether to use the original icon instead of any overrides.
*
* @see icon()
*
* @since 1.28.0 Function added.
*/
function backdrop_add_icons(array $icon_names) {
$icon_paths = array();
foreach ($icon_names as $icon_key => $icon_options) {
$icon_name = is_array($icon_options) ? $icon_key : $icon_options;
$immutable = is_array($icon_options) && !empty($icon_options['immutable']);
if ($icon_path = icon_get_path($icon_name, $immutable)) {
$icon_paths[$icon_name] = base_path() . $icon_path;
}
}
if ($icon_paths) {
backdrop_add_js(array('icons' => $icon_paths), 'setting');
backdrop_add_library('system', 'backdrop.icons');
}
}

/**
* Assists in adding the tableDrag JavaScript behavior to a themed table.
*
Expand Down Expand Up @@ -5702,8 +5793,8 @@ function backdrop_clear_js_cache() {
* readable by humans, or emulates this functionality if running an older
* version of PHP.
*
* @return string
* The given $var encoded as a JSON string.
* @return string|FALSE
* The given $var encoded as a JSON string or FALSE on failure.
*
* @see backdrop_json_decode()
* @ingroup php_wrappers
Expand Down Expand Up @@ -5986,6 +6077,7 @@ function _backdrop_bootstrap_full() {
require_once BACKDROP_ROOT . '/core/includes/tablesort.inc';
require_once BACKDROP_ROOT . '/core/includes/file.inc';
require_once BACKDROP_ROOT . '/core/includes/unicode.inc';
require_once BACKDROP_ROOT . '/core/includes/icon.inc';
require_once BACKDROP_ROOT . '/core/includes/image.inc';
require_once BACKDROP_ROOT . '/core/includes/form.inc';
require_once BACKDROP_ROOT . '/core/includes/mail.inc';
Expand Down Expand Up @@ -8050,6 +8142,15 @@ function backdrop_common_theme() {
'details' => array(
'render element' => 'element',
),
// From icon.inc.
'icon' => array(
'variables' => array(
'name' => NULL,
'path' => NULL,
'attributes' => array('class' => array()),
'wrapper_attributes' => array('class' => array()),
),
),
);
}

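Review bot: The new helper `_backdrop_should_strip_sensitive_headers_on_http_redirect()` reads `$location_parsed['scheme']` and `$url_parsed['host']` without `isset`, so a scheme-relative `Location: //host/path` (which `parse_url()` returns with a host but no scheme) or an original URL without a host raises an undefined-index notice before the comparison, and the scheme comparison is case-sensitive while the host comparison uses `strcasecmp`. The `unset($options['headers']['Cookie']);` and `unset($options['headers']['Authorization']);` lines in the redirect hunk match only those exact key spellings, so a caller that passed `'authorization'` or `'cookie'` keeps its credential across the host change unless backdrop_http_request normalizes header names earlier (outside this hunk); iterating `$options['headers']` and comparing keys with `strcasecmp` closes that gap. The port is not compared either, so a redirect to the same host on a different port still carries the Authorization header; whether that should count as a host change is a policy call that deserves a sentence in the docblock. The rewrite below keeps the configured behaviour and only guards the missing keys and normalizes scheme case.
```php
function _backdrop_should_strip_sensitive_headers_on_http_redirect($url, $location) {
  $url_parsed = parse_url($url);
  $location_parsed = parse_url($location);
  if (!isset($location_parsed['host'])) {
    return FALSE;
  }
  // … unchanged: config_get() lookups for the two strip settings …
  $url_host = isset($url_parsed['host']) ? $url_parsed['host'] : '';
  if ($strip_on_host_change && strcasecmp($url_host, $location_parsed['host']) !== 0) {
    return TRUE;
  }
  // A scheme-relative Location has no scheme; treat it as inheriting the
  // original scheme instead of reading an undefined index.
  $url_scheme = isset($url_parsed['scheme']) ? strtolower($url_parsed['scheme']) : '';
  $location_scheme = isset($location_parsed['scheme']) ? strtolower($location_parsed['scheme']) : $url_scheme;
  if ($strip_on_https_downgrade && $url_scheme !== $location_scheme && $location_scheme !== 'https') {
    return TRUE;
  }
  return FALSE;
}
```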