Drupal 7.98

docroot/CHANGELOG.txt

@@ -1,3 +1,12 @@
+Drupal 7.98, 2023-06-07
+-----------------------
+- Various security improvements
+- Various bug fixes, optimizations and improvements
+
+Drupal 7.97, 2023-04-21
+-----------------------
+- Fix PHP 5.x regression caused by SA-CORE-2023-005
+
 Drupal 7.96, 2023-04-19
 -----------------------
 - Fixed security issues:

docroot/cron.php

@@ -13,12 +13,12 @@
 include_once DRUPAL_ROOT . '/includes/bootstrap.inc';
 drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
 
-if (!isset($_GET['cron_key']) || variable_get('cron_key', 'drupal') != $_GET['cron_key']) {
-  watchdog('cron', 'Cron could not run because an invalid key was used.', array(), WATCHDOG_NOTICE);
-  drupal_access_denied();
-}
-elseif (variable_get('maintenance_mode', 0)) {
+if (variable_get('maintenance_mode', 0)) {
   watchdog('cron', 'Cron could not run because the site is in maintenance mode.', array(), WATCHDOG_NOTICE);
+  drupal_site_offline();
+}
+elseif (!isset($_GET['cron_key']) || variable_get('cron_key', 'drupal') != $_GET['cron_key']) {
+  watchdog('cron', 'Cron could not run because an invalid key was used.', array(), WATCHDOG_NOTICE);
   drupal_access_denied();
 }
 else {

docroot/includes/bootstrap.inc

@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.96');
+define('VERSION', '7.98');
 
 /**
  * Core API compatibility.
@@ -2303,15 +2303,30 @@ function drupal_base64_encode($string) {
 /**
  * Returns a string of highly randomized bytes (over the full 8-bit range).
  *
- * This function is better than simply calling mt_rand() or any other built-in
- * PHP function because it can return a long string of bytes (compared to < 4
- * bytes normally from mt_rand()) and uses the best available pseudo-random
- * source.
+ * On PHP 7 and later, this function is a wrapper around the built-in PHP
+ * function random_bytes(). If that function does not exist or cannot find an
+ * appropriate source of randomness, this function is better than simply calling
+ * mt_rand() or any other built-in PHP function because it can return a long
+ * string of bytes (compared to < 4 bytes normally from mt_rand()) and uses the
+ * best available pseudo-random source.
  *
- * @param $count
+ * @param int $count
  *   The number of characters (bytes) to return in the string.
+ *
+ * @return string
+ *   A randomly generated string.
  */
 function drupal_random_bytes($count)  {
+  if (function_exists('random_bytes')) {
+    try {
+      return random_bytes($count);
+    }
+    catch (Exception $e) {
+      // An appropriate source of randomness could not be found. Fall back to a
+      // less secure implementation.
+    }
+  }
+
   // $random_state does not use drupal_static as it stores random bytes.
   static $random_state, $bytes, $has_openssl;
 

docroot/includes/common.inc

@@ -7363,6 +7363,13 @@ function _drupal_schema_initialize(&$schema, $module, $remove_descriptions = TRU
         unset($field['description']);
       }
     }
+    // Set the type key for all fields where it is not set (mostly when using
+    // datatabase specific data types).
+    foreach ($table['fields'] as &$field) {
+      if (!isset($field['type'])) {
+        $field['type'] = NULL;
+      }
+    }
   }
 }
 

docroot/includes/file.inc

@@ -69,6 +69,13 @@ define('FILE_EXISTS_ERROR', 2);
  */
 define('FILE_STATUS_PERMANENT', 1);
 
+/**
+ * A pipe-separated list of insecure extensions.
+ *
+ * @see file_munge_filename(), file_save_upload()
+ */
+define('FILE_INSECURE_EXTENSIONS', 'php|phar|pl|py|cgi|asp|js|phtml');
+
 /**
  * Provides Drupal stream wrapper registry.
  *
@@ -1180,9 +1187,8 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
 
     $whitelist = array_unique(explode(' ', strtolower(trim($extensions))));
 
-    // Remove unsafe extensions from the list of allowed extensions. The list is
-    // copied from file_save_upload().
-    $whitelist = array_diff($whitelist, explode('|', 'php|phar|pl|py|cgi|asp|js'));
+    // Remove unsafe extensions from the list of allowed extensions.
+    $whitelist = array_diff($whitelist, explode('|', FILE_INSECURE_EXTENSIONS));
 
     // Split the filename up by periods. The first part becomes the basename
     // the last part the final extension.
@@ -1562,7 +1568,7 @@ function file_save_upload($form_field_name, $validators = array(), $destination
     // rename filename.php.foo and filename.php to filename.php_.foo_.txt and
     // filename.php_.txt, respectively). Don't rename if 'allow_insecure_uploads'
     // evaluates to TRUE.
-    if (preg_match('/\.(php|phar|pl|py|cgi|asp|js)(\.|$)/i', $file->filename)) {
+    if (preg_match('/\.(' . FILE_INSECURE_EXTENSIONS . ')(\.|$)/i', $file->filename)) {
       // If the file will be rejected anyway due to a disallowed extension, it
       // should not be renamed; rather, we'll let file_validate_extensions()
       // reject it below.
@@ -1754,7 +1760,7 @@ function file_validate(stdClass &$file, $validators = array()) {
   // malicious extension. Contributed and custom code that calls this method
   // needs to take similar steps if they need to permit files with malicious
   // extensions to be uploaded.
-  if (empty($errors) && !variable_get('allow_insecure_uploads', 0) && preg_match('/\.(php|phar|pl|py|cgi|asp|js)(\.|$)/i', $file->filename)) {
+  if (empty($errors) && !variable_get('allow_insecure_uploads', 0) && preg_match('/\.(' . FILE_INSECURE_EXTENSIONS . ')(\.|$)/i', $file->filename)) {
     $errors[] = t('For security reasons, your upload has been rejected.');
   }
 
@@ -2749,7 +2755,7 @@ function file_uri_normalize_dot_segments($uri) {
     if ($target !== FALSE) {
       if (!in_array($scheme, variable_get('file_sa_core_2023_005_schemes', array()))) {
         $class = file_stream_wrapper_get_class($scheme);
-        $is_local = is_subclass_of($class, DrupalLocalStreamWrapper::class);
+        $is_local = is_subclass_of($class, 'DrupalLocalStreamWrapper');
         if ($is_local) {
           $target = str_replace(DIRECTORY_SEPARATOR, '/', $target);
         }

docroot/includes/form.inc

@@ -1682,7 +1682,10 @@ function form_clear_error() {
 }
 
 /**
- * Returns an associative array of all errors.
+ * Returns an associative array of all errors if any.
+ *
+ * @return array|null
+ *   The form errors if any, NULL otherwise.
  */
 function form_get_errors() {
   $form = form_set_error();
@@ -2307,8 +2310,8 @@ function form_state_values_clean(&$form_state) {
  *   A keyed array containing the current state of the form.
  *
  * @return
- *   The data that will appear in the $form_state['values'] collection
- *   for this element. Return nothing to use the default.
+ *   The data that will appear in $form_state['values'] for this element, or
+ *   nothing to use the default.
  */
 function form_type_image_button_value($form, $input, $form_state) {
   if ($input !== FALSE) {
@@ -2353,8 +2356,8 @@ function form_type_image_button_value($form, $input, $form_state) {
  *   the element's default value should be returned.
  *
  * @return
- *   The data that will appear in the $element_state['values'] collection
- *   for this element. Return nothing to use the default.
+ *   The data that will appear in $form_state['values'] for this element, or
+ *   nothing to use the default.
  */
 function form_type_checkbox_value($element, $input = FALSE) {
   if ($input === FALSE) {
@@ -2394,8 +2397,8 @@ function form_type_checkbox_value($element, $input = FALSE) {
  *   the element's default value should be returned.
  *
  * @return
- *   The data that will appear in the $element_state['values'] collection
- *   for this element. Return nothing to use the default.
+ *   The data that will appear in $form_state['values'] for this element, or
+ *   nothing to use the default.
  */
 function form_type_checkboxes_value($element, $input = FALSE) {
   if ($input === FALSE) {
@@ -2435,8 +2438,8 @@ function form_type_checkboxes_value($element, $input = FALSE) {
  *   the element's default value should be returned.
  *
  * @return
- *   The data that will appear in the $element_state['values'] collection
- *   for this element. Return nothing to use the default.
+ *   The data that will appear in $form_state['values'] for this element, or
+ *   nothing to use the default.
  */
 function form_type_tableselect_value($element, $input = FALSE) {
   // If $element['#multiple'] == FALSE, then radio buttons are displayed and
@@ -2471,8 +2474,8 @@ function form_type_tableselect_value($element, $input = FALSE) {
  *   element's default value is returned. Defaults to FALSE.
  *
  * @return
- *   The data that will appear in the $element_state['values'] collection for
- *   this element.
+ *   The data that will appear in $form_state['values'] for this element, or
+ *   nothing to use the default.
  */
 function form_type_radios_value(&$element, $input = FALSE) {
   if ($input !== FALSE) {
@@ -2510,8 +2513,8 @@ function form_type_radios_value(&$element, $input = FALSE) {
  *   the element's default value should be returned.
  *
  * @return
- *   The data that will appear in the $element_state['values'] collection
- *   for this element. Return nothing to use the default.
+ *   The data that will appear in $form_state['values'] for this element, or
+ *   nothing to use the default.
  */
 function form_type_password_confirm_value($element, $input = FALSE) {
   if ($input === FALSE) {
@@ -2541,8 +2544,8 @@ function form_type_password_confirm_value($element, $input = FALSE) {
  *   the element's default value should be returned.
  *
  * @return
- *   The data that will appear in the $element_state['values'] collection
- *   for this element. Return nothing to use the default.
+ *   The data that will appear in $form_state['values'] for this element, or
+ *   nothing to use the default.
  */
 function form_type_select_value($element, $input = FALSE) {
   if ($input !== FALSE) {
@@ -2578,12 +2581,12 @@ function form_type_select_value($element, $input = FALSE) {
  * @param array $element
  *   The form element whose value is being populated.
  * @param mixed $input
- *   The incoming input to populate the form element. If this is FALSE,
- *   the element's default value should be returned.
+ *   The incoming input to populate the form element. If this is FALSE, the
+ *   element's default value should be returned.
  *
  * @return string
- *   The data that will appear in the $element_state['values'] collection
- *   for this element. Return nothing to use the default.
+ *   The data that will appear in $form_state['values'] for this element, or
+ *   nothing to use the default.
  */
 function form_type_textarea_value($element, $input = FALSE) {
   if ($input !== FALSE && $input !== NULL) {
@@ -2603,8 +2606,8 @@ function form_type_textarea_value($element, $input = FALSE) {
  *   the element's default value should be returned.
  *
  * @return
- *   The data that will appear in the $element_state['values'] collection
- *   for this element. Return nothing to use the default.
+ *   The data that will appear in $form_state['values'] for this element, or
+ *   nothing to use the default.
  */
 function form_type_textfield_value($element, $input = FALSE) {
   if ($input !== FALSE && $input !== NULL) {
@@ -2627,8 +2630,8 @@ function form_type_textfield_value($element, $input = FALSE) {
  *   the element's default value should be returned.
  *
  * @return
- *   The data that will appear in the $element_state['values'] collection
- *   for this element. Return nothing to use the default.
+ *   The data that will appear in $form_state['values'] for this element, or
+ *   nothing to use the default.
  */
 function form_type_token_value($element, $input = FALSE) {
   if ($input !== FALSE) {
@@ -3377,6 +3380,30 @@ function form_process_actions($element, &$form_state) {
   return $element;
 }
 
+/**
+ * Processes a form button element.
+ *
+ * @param $element
+ *   An associative array containing the properties and children of the
+ *   form button.
+ * @param $form_state
+ *   The $form_state array for the form this element belongs to.
+ *
+ * @return
+ *   The processed element.
+ */
+function form_process_button($element, &$form_state) {
+  // We normally want to add drupal.form-single-submit so that the double submit
+  // protection can be added to the site, however, with the addition of
+  // javascript_always_use_jquery, this would make most pages with a login
+  // block or a search form have jquery always added, changing what people who
+  // set the javascript_always_use_jquery variable to FALSE would have expected.
+  if (variable_get('javascript_always_use_jquery', TRUE) && variable_get('javascript_use_double_submit_protection', TRUE)) {
+    $element['#attached']['library'][] = array('system', 'drupal.form-single-submit');
+  }
+  return $element;
+}
+
 /**
  * Processes a container element.
  *

docroot/includes/locale.inc

@@ -1093,7 +1093,7 @@ function _locale_import_one_string($op, $value = NULL, $mode = NULL, $lang = NUL
  *
  * @param $report
  *   Report array summarizing the number of changes done in the form:
- *   array(inserts, updates, deletes).
+ *   array(additions, deletes, skips, updates).
  * @param $langcode
  *   Language code to import string into.
  * @param $context