Merge branch 'develop'

.gitignore

@@ -4,8 +4,7 @@ sites/*/settings*.php
 # Ignore paths that contain user-generated content.
 # sites/*/files # Mukurtu patch -- we *want* sites/default/files in the rep so the end-user does not need to create it. Instead, we add the files dir into the rep, and add a .gitignore within there so that files within it are ignored but the directory is included.
 sites/*/private
-private:
-private:/*
-.ddev
+
 .ddev/*
+private:/*
 sites/default/drushrc.php

.htaccess

@@ -3,7 +3,7 @@
 #
 
 # Protect files and directories from prying eyes.
-<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
+<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
   <IfModule mod_authz_core.c>
     Require all denied
   </IfModule>

CHANGELOG.txt

@@ -1,3 +1,25 @@
+Drupal 7.95, 2023-03-15
+-----------------------
+- Fixed security issues:
+   - SA-CORE-2023-004
+
+Drupal 7.94, 2022-12-14
+-----------------------
+- Hotfix for book.module and Select query properties
+
+Drupal 7.93, 2022-12-07
+-----------------------
+- Improved support for PHP 8.2
+- Minimum PHP version changed to PHP 5.3
+- Various security hardenings
+- Various bug fixes, optimizations and improvements
+
+Drupal 7.92, 2022-09-07
+-----------------------
+- Improved support for PHP 8.1
+- Various security hardenings
+- Various bug fixes, optimizations and improvements
+
 Drupal 7.91, 2022-07-20
 -----------------------
 - Fixed security issues:

INSTALL.sqlite.txt

@@ -3,7 +3,7 @@ SQLITE REQUIREMENTS
 -------------------
 
 To use SQLite with your Drupal installation, the following requirements must be
-met: Server has PHP 5.2 or later with PDO, and the PDO SQLite driver must be
+met: Server has PHP 5.3 or later with PDO, and the PDO SQLite driver must be
 enabled.
 
 SQLITE DATABASE CREATION

INSTALL.txt

@@ -15,19 +15,20 @@ REQUIREMENTS AND NOTES
 Drupal requires:
 
 - A web server. Apache (version 2.0 or greater) is recommended.
-- PHP 5.2.4 (or greater) (http://www.php.net/).
+- PHP 5.3.3 (at least, PHP 7.x or greater recommended) (https://www.php.net/).
 - One of the following databases:
-  - MySQL 5.0.15 (or greater) (http://www.mysql.com/).
-  - MariaDB 5.1.44 (or greater) (http://mariadb.org/). MariaDB is a fully
-    compatible drop-in replacement for MySQL.
-  - Percona Server 5.1.70 (or greater) (http://www.percona.com/). Percona
-    Server is a backwards-compatible replacement for MySQL.
-  - PostgreSQL 8.3 (or greater) (http://www.postgresql.org/).
-  - SQLite 3.3.7 (or greater) (http://www.sqlite.org/).
-
-For more detailed information about Drupal requirements, including a list of
-PHP extensions and configurations that are required, see "System requirements"
-(http://drupal.org/requirements) in the Drupal.org online documentation.
+  - MySQL 5.5 (or greater) (https://www.mysql.com/) or equivalent versions of a
+    compatible database such as MariaDB or Percona.
+  - PostgreSQL 9.5 (or greater) (https://www.postgresql.org/).
+  - SQLite 3.27 (or greater) (https://www.sqlite.org/).
+
+Note that version numbers above represent the minimum versions that Drupal 7 is
+routinely tested with. For more detailed information about compatibility with
+newer versions (that benefit from support from their maintainers), and
+requirements including a list of PHP extensions and configurations that are
+required, see "System requirements"
+(https://www.drupal.org/docs/7/system-requirements) in the Drupal.org online
+documentation.
 
 For detailed information on how to configure a test server environment using a
 variety of operating systems and web servers, see "Local server setup"

MAINTAINERS.txt

@@ -13,6 +13,7 @@ The branch maintainers for Drupal 7 are:
 - Dries Buytaert 'dries' https://www.drupal.org/u/dries
 - Fabian Franz 'Fabianx' https://www.drupal.org/u/fabianx
 - Drew Webber 'mcdruid' https://www.drupal.org/u/mcdruid
+- (provisional) Juraj Nemec 'poker10' https://www.drupal.org/u/poker10
 
 
 Component maintainers

README.md

@@ -1,4 +1,4 @@
-# Mukurtu CMS 3.0.3
+# Mukurtu CMS 3.0.4
 ### [Release Notes](VERSION.md)
 
 ## Contents

VERSION.md

@@ -1,3 +1,12 @@
+## Mukurtu 3.0.4
+- Updated to Drupal 7.95
+- Contrib module security updates
+- Add support for PHP 8
+
+#### Manual Upgrade Steps
+This version requires a database update.
+- database update: `drush updb`
+
 ## Mukurtu 3.0.3
 - Updated to Drupal 7.91
 - Contrib module security updates

includes/batch.inc

@@ -466,6 +466,10 @@ function _batch_finished() {
     }
 
     // Use drupal_redirect_form() to handle the redirection logic.
+    if (isset($_batch['form_state']['redirect']['path'])) {
+      array_unshift($_batch['form_state']['redirect'], $_batch['form_state']['redirect']['path']);
+      unset($_batch['form_state']['redirect']['path']);
+    }
     drupal_redirect_form($_batch['form_state']);
 
     // If no redirection happened, redirect to the originating page. In case the

includes/bootstrap.inc

@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.91');
+define('VERSION', '7.95');
 
 /**
  * Core API compatibility.
@@ -18,7 +18,7 @@ define('DRUPAL_CORE_COMPATIBILITY', '7.x');
 /**
  * Minimum supported version of PHP.
  */
-define('DRUPAL_MINIMUM_PHP', '5.2.4');
+define('DRUPAL_MINIMUM_PHP', '5.3.3');
 
 /**
  * Minimum recommended value of PHP memory_limit.
@@ -2356,7 +2356,7 @@ function drupal_random_bytes($count)  {
     // the microtime() - is prepended rather than appended. This is to avoid
     // directly leaking $random_state via the $output stream, which could
     // allow for trivial prediction of further "random" numbers.
-    if (strlen($bytes) < $count) {
+    if (strlen((string) $bytes) < $count) {
       // Initialize on the first call. The contents of $_SERVER includes a mix of
       // user-specific and system information that varies a little with each page.
       if (!isset($random_state)) {
@@ -3957,6 +3957,14 @@ function drupal_setcookie($name, $value, $options) {
     setcookie($name, $value, $options);
   }
   else {
+    $defaults = array(
+      'expires' => 0,
+      'path' => '',
+      'domain' => '',
+      'secure' => FALSE,
+      'httponly' => FALSE,
+    );
+    $options += $defaults;
     setcookie($name, $value, $options['expires'], $options['path'], $options['domain'], $options['secure'], $options['httponly']);
   }
 }

includes/bootstrap.inc.orig

@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.91');
+define('VERSION', '7.95');
 
 /**
  * Core API compatibility.
@@ -18,7 +18,7 @@ define('DRUPAL_CORE_COMPATIBILITY', '7.x');
 /**
  * Minimum supported version of PHP.
  */
-define('DRUPAL_MINIMUM_PHP', '5.2.4');
+define('DRUPAL_MINIMUM_PHP', '5.3.3');
 
 /**
  * Minimum recommended value of PHP memory_limit.
@@ -2348,7 +2348,7 @@ function drupal_random_bytes($count)  {
     // the microtime() - is prepended rather than appended. This is to avoid
     // directly leaking $random_state via the $output stream, which could
     // allow for trivial prediction of further "random" numbers.
-    if (strlen($bytes) < $count) {
+    if (strlen((string) $bytes) < $count) {
       // Initialize on the first call. The contents of $_SERVER includes a mix of
       // user-specific and system information that varies a little with each page.
       if (!isset($random_state)) {
@@ -3949,6 +3949,14 @@ function drupal_setcookie($name, $value, $options) {
     setcookie($name, $value, $options);
   }
   else {
+    $defaults = array(
+      'expires' => 0,
+      'path' => '',
+      'domain' => '',
+      'secure' => FALSE,
+      'httponly' => FALSE,
+    );
+    $options += $defaults;
     setcookie($name, $value, $options['expires'], $options['path'], $options['domain'], $options['secure'], $options['httponly']);
   }
 }

includes/common.inc

@@ -1104,6 +1104,14 @@ function drupal_http_request($url, array $options = array()) {
         // Redirect to the new location.
         $options['max_redirects']--;
 
+        // Check if we need to remove any potentially sensitive headers before
+        // following the redirect.
+        // @see https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx
+        if (_drupal_should_strip_sensitive_headers_on_http_redirect($url, $location)) {
+          unset($options['headers']['Cookie']);
+          unset($options['headers']['Authorization']);
+        }
+
         // We need to unset the 'Host' header
         // as we are redirecting to a new location.
         unset($options['headers']['Host']);
@@ -1122,6 +1130,36 @@ function drupal_http_request($url, array $options = array()) {
   return $result;
 }
 
+/**
+ * Determine whether to strip sensitive headers from a request when redirected.
+ *
+ * @param string $url
+ *   The url from the original outbound http request.
+ *
+ * @param string $location
+ *   The location to which the request has been redirected.
+ *
+ * @return boolean
+ *   Whether sensitive headers should be stripped from the request before
+ *   following the redirect.
+ */
+function _drupal_should_strip_sensitive_headers_on_http_redirect($url, $location) {
+  $url_parsed = parse_url($url);
+  $location_parsed = parse_url($location);
+  if (!isset($location_parsed['host'])) {
+    return FALSE;
+  }
+  $strip_on_host_change = variable_get('drupal_http_request_strip_sensitive_headers_on_host_change', TRUE);
+  $strip_on_https_downgrade = variable_get('drupal_http_request_strip_sensitive_headers_on_https_downgrade', TRUE);
+  if ($strip_on_host_change && strcasecmp($url_parsed['host'], $location_parsed['host']) !== 0) {
+    return TRUE;
+  }
+  if ($strip_on_https_downgrade && $url_parsed['scheme'] !== $location_parsed['scheme'] && 'https' !== $location_parsed['scheme']) {
+    return TRUE;
+  }
+  return FALSE;
+}
+
 /**
  * Splits an HTTP response status line into components.
  *
@@ -1240,6 +1278,10 @@ function fix_gpc_magic() {
  *
  * This uses the
  * @link http://php.net/manual/filter.filters.validate.php PHP e-mail validation filter. @endlink
+ * However, a module may override this by implementing
+ * hook_valid_email_address_alter(&$valid, $mail).
+ *
+ * @see hook_valid_email_address_alter()
  *
  * @param $mail
  *   A string containing an e-mail address.
@@ -1248,7 +1290,9 @@ function fix_gpc_magic() {
  *   TRUE if the address is in a valid format.
  */
 function valid_email_address($mail) {
-  return (bool)filter_var($mail, FILTER_VALIDATE_EMAIL);
+  $valid = (bool) filter_var($mail, FILTER_VALIDATE_EMAIL);
+  drupal_alter('valid_email_address', $valid, $mail);
+  return $valid;
 }
 
 /**
@@ -2570,6 +2614,14 @@ function l($text, $path, array $options = array()) {
       $use_theme = FALSE;
     }
   }
+  $path = (string) $path;
+  // For backwards compatibility, do not strip a couple of specific javascript
+  // paths that are harmless.
+  // @see https://www.drupal.org/project/drupal/issues/3310081
+  $skip_js_paths = array('javascript:void()', 'javascript:void();', 'javascript:void(0)', 'javascript:void(0);');
+  if (!in_array(strtolower($path), $skip_js_paths)) {
+    $path = drupal_strip_dangerous_protocols($path);
+  }
   if ($use_theme) {
     return theme('link', array('text' => $text, 'path' => $path, 'options' => $options));
   }
@@ -2698,19 +2750,6 @@ function drupal_deliver_html_page($page_callback_result) {
   }
   drupal_add_http_header('X-Content-Type-Options', 'nosniff');
 
-  if (variable_get('block_interest_cohort', TRUE)) {
-    $permissions_policy = drupal_get_http_header('Permissions-Policy');
-    if (is_null($permissions_policy)) {
-      drupal_add_http_header('Permissions-Policy', 'interest-cohort=()');
-    }
-    else {
-      // Only add interest-cohort if the header does not contain it already.
-      if (strpos($permissions_policy, 'interest-cohort') === FALSE) {
-        drupal_add_http_header('Permissions-Policy', 'interest-cohort=()', TRUE);
-      }
-    }
-  }
-
   // Menu status constants are integers; page content is a string or array.
   if (is_int($page_callback_result)) {
     // @todo: Break these up into separate functions?
@@ -5493,7 +5532,8 @@ function drupal_cron_run() {
   drupal_alter('cron_queue_info', $queues);
 
   // Try to acquire cron lock.
-  if (!lock_acquire('cron', 240.0)) {
+  $cron_lock_expiration_timeout = variable_get('cron_lock_expiration_timeout', 900.0);
+  if (!lock_acquire('cron', $cron_lock_expiration_timeout)) {
     // Cron is still running normally.
     watchdog('cron', 'Attempting to re-run cron while it is already running.', array(), WATCHDOG_WARNING);
   }
@@ -6088,7 +6128,7 @@ function drupal_render_page($page) {
  */
 function drupal_render(&$elements) {
   // Early-return nothing if user does not have access.
-  if (empty($elements) || (isset($elements['#access']) && !$elements['#access'])) {
+  if (empty($elements) || !is_array($elements) || (isset($elements['#access']) && !$elements['#access'])) {
     return '';
   }