From 181e2dd50b270fc8abe110b204511bafe8892765 Mon Sep 17 00:00:00 2001 From: Tim Otten Date: Mon, 29 Aug 2016 20:32:12 -0700 Subject: [PATCH 1/9] CRM-15928 - Display warning if `remote_profile_submissions` is enabled --- CRM/Utils/Check/Component/Security.php | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/CRM/Utils/Check/Component/Security.php b/CRM/Utils/Check/Component/Security.php index 19e7f66183d6..b1e13148a42c 100644 --- a/CRM/Utils/Check/Component/Security.php +++ b/CRM/Utils/Check/Component/Security.php @@ -256,6 +256,28 @@ public function checkFilesAreNotPresent() { return $messages; } + /** + * Discourage use of remote profile forms. + */ + public function checkRemoteProfile() { + $messages = array(); + + if (Civi::settings()->get('remote_profile_submissions')) { + $messages[] = new CRM_Utils_Check_Message( + __FUNCTION__, + ts('Warning: External profile support (aka "HTML Snippet" support) is enabled in system settings. This setting may be prone to abuse. If you must retain it, consider HTTP throttling or other protections.', + array(1 => CRM_Utils_System::url('civicrm/admin/setting/misc', 'reset=1')) + ), + ts('Remote Profiles Enabled'), + \Psr\Log\LogLevel::WARNING, + 'fa-lock' + ); + } + + return $messages; + } + + /** * Check that the sysadmin has not modified the Cxn * security setup. From a742ee50f3e121bb89a6dfbe39f5312628f209c1 Mon Sep 17 00:00:00 2001 From: Tim Otten Date: Mon, 29 Aug 2016 20:34:42 -0700 Subject: [PATCH 2/9] CRM-15928 - CRM_Upgrade - Remove post-upgrade msg re: profiles We'll be switching the upgrade to enable this feature by default on existing sites. --- CRM/Upgrade/Incremental/php/FourSeven.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CRM/Upgrade/Incremental/php/FourSeven.php b/CRM/Upgrade/Incremental/php/FourSeven.php index 8d3f576b503f..76245a6eb5db 100644 --- a/CRM/Upgrade/Incremental/php/FourSeven.php +++ b/CRM/Upgrade/Incremental/php/FourSeven.php 
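Review bot: The `array(1 => CRM_Utils_System::url('civicrm/admin/setting/misc', 'reset=1'))` passed to `ts()` in checkRemoteProfile is never used, because the message text contains no `%1` placeholder, so the computed settings URL is discarded and the warning gives the admin no link to the page where the setting can be turned off. Either drop the argument array or reference it, e.g. `ts('Warning: External profile support (aka "HTML Snippet" support) is enabled in <a href="%1">system settings</a>. This setting may be prone to abuse. If you must retain it, consider HTTP throttling or other protections.',`. The docblock could also say what the check reads: `Warn when the remote_profile_submissions setting is enabled for this domain.`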
@@ -99,9 +99,9 @@ public function setPostUpgradeMessage(&$postUpgradeMessage, $rev) { $postUpgradeMessage .= '

' . ts('The custom fatal error template setting has been removed.') . '

'; } - if ($rev == '4.7.11') { - $postUpgradeMessage .= '

' . ts("WARNING: For increased security, profile submissions embedded in remote sites are no longer allowed to create or edit data by default. If you need to allow users to submit profiles from external sites, you can restore this at Administer > System Settings > Misc (Undelete, PDFs, Limits, Logging, Captcha, etc.) > 'Accept profile submissions from external sites'"); - } + //if ($rev == '4.7.11') { + // $postUpgradeMessage .= '

' . ts("WARNING: For increased security, profile submissions embedded in remote sites are no longer allowed to create or edit data by default. If you need to allow users to submit profiles from external sites, you can restore this at Administer > System Settings > Misc (Undelete, PDFs, Limits, Logging, Captcha, etc.) > 'Accept profile submissions from external sites'"); + //} } /** From 11769bd1aa1088fb8e38da07ee3380404a0eb8a5 Mon Sep 17 00:00:00 2001 From: Tim Otten Date: Mon, 29 Aug 2016 20:51:51 -0700 Subject: [PATCH 3/9] CRM-15925 - CRM/Upgrade - Add post-upgrade msg re: "import SQL datasource" --- CRM/Upgrade/Incremental/php/FourSeven.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CRM/Upgrade/Incremental/php/FourSeven.php b/CRM/Upgrade/Incremental/php/FourSeven.php index 76245a6eb5db..087f98394356 100644 --- a/CRM/Upgrade/Incremental/php/FourSeven.php +++ b/CRM/Upgrade/Incremental/php/FourSeven.php @@ -102,6 +102,9 @@ public function setPostUpgradeMessage(&$postUpgradeMessage, $rev) { //if ($rev == '4.7.11') { // $postUpgradeMessage .= '
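Review bot: The `4.7.11` notice is commented out rather than deleted (the four `//` lines at the end of the hunk), which leaves dead code in setPostUpgradeMessage, and patch 3 of this series then adds a live `if ($rev == '4.7.11')` block directly beneath the commented-out twin. Delete the lines outright; git history already preserves the old text, and the commit message explains why it was removed. setPostUpgradeMessage starts and ends outside this hunk.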

' . ts("WARNING: For increased security, profile submissions embedded in remote sites are no longer allowed to create or edit data by default. If you need to allow users to submit profiles from external sites, you can restore this at Administer > System Settings > Misc (Undelete, PDFs, Limits, Logging, Captcha, etc.) > 'Accept profile submissions from external sites'"); //} + if ($rev == '4.7.11') { + $postUpgradeMessage .= '

' . ts("By default, CiviCRM now disables the ability to import directly fro SQL. To use this feature, you must explicitly grant permission 'import SQL datasource'."); + } } /** From 9e42a50177c5bb2c8577de3b4004f55018a14390 Mon Sep 17 00:00:00 2001 From: Tim Otten Date: Mon, 29 Aug 2016 21:18:30 -0700 Subject: [PATCH 4/9] CRM-15928 - CRM/Upgrade - Enable remote_profile_submissions --- CRM/Upgrade/Incremental/php/FourSeven.php | 30 +++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/CRM/Upgrade/Incremental/php/FourSeven.php b/CRM/Upgrade/Incremental/php/FourSeven.php index 087f98394356..973c155d2168 100644 --- a/CRM/Upgrade/Incremental/php/FourSeven.php +++ b/CRM/Upgrade/Incremental/php/FourSeven.php @@ -235,6 +235,7 @@ public function upgrade_4_7_10($rev) { public function upgrade_4_7_11($rev) { $this->addTask(ts('Upgrade DB to %1: SQL', array(1 => $rev)), 'runSql', $rev); $this->addTask('Dashboard schema updates', 'dashboardSchemaUpdate'); + $this->addTask(ts('Fill in setting "remote_profile_submissions"'), 'migrateRemoteSubmissionsSetting'); } /* 
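Review bot: The new post-upgrade message contains a typo, "import directly fro SQL", and because the text is the argument to `ts()` it becomes the translation source string, so the typo would be frozen into every .po file until the msgid is changed again. Proposed line: `' . ts("By default, CiviCRM now disables the ability to import directly from SQL. To use this feature, you must explicitly grant permission 'import SQL datasource'.");`. setPostUpgradeMessage starts and ends outside this hunk.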
@@ -460,6 +461,35 @@ public static function migrateOnBehalfOfInfo(CRM_Queue_TaskContext $ctx) { return TRUE; } + /** + * v4.7.11 adds a new setting "remote_profile_submissions". This is + * long-standing feature that existing sites may be using; however, it's + * a bit prone to abuse. For new sites, the default is to disable it + * (since that is more secure). For existing sites, the default is to + * enable it (since that is more compatible). + * + * @param \CRM_Queue_TaskContext $ctx + * + * @return bool + */ + public function migrateRemoteSubmissionsSetting(CRM_Queue_TaskContext $ctx) { + $domains = CRM_Core_DAO::executeQuery("SELECT DISTINCT d.id FROM civicrm_domain d LEFT JOIN civicrm_setting s ON d.id=s.domain_id AND s.name = 'remote_profile_submissions' WHERE s.id IS NULL"); + while ($domains->fetch()) { + CRM_Core_DAO::executeQuery( + "INSERT INTO civicrm_setting (`name`, `value`, `domain_id`, `is_domain`, `contact_id`, `component_id`, `created_date`, `created_id`) + VALUES (%2, %3, %4, %5, NULL, NULL, %6, NULL)", + array( + 2 => array('remote_profile_submissions', 'String'), + 3 => array('s:1:"1";', 'String'), + 4 => array($domains->id, 'Integer'), + 5 => array(1, 'Integer'), + 6 => array(date('Y-m-d H:i:s'), 'String'), + ) + ); + } + return TRUE; + } + /** * CRM-11782 - Get rid of VALUE_SEPARATOR character in saved search form values * From 457238cdbd0126f34f4c63491da89edbeaca6401 Mon Sep 17 00:00:00 2001 From: Seamus Lee Date: Thu, 1 Sep 2016 20:05:32 +1000 Subject: [PATCH 5/9] CRM-19291 put Eileen's fix into upgrade script --- CRM/Upgrade/Incremental/sql/4.7.11.mysql.tpl | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CRM/Upgrade/Incremental/sql/4.7.11.mysql.tpl b/CRM/Upgrade/Incremental/sql/4.7.11.mysql.tpl index 64ff7ebd63d4..7337da12b06a 100644 --- a/CRM/Upgrade/Incremental/sql/4.7.11.mysql.tpl +++ b/CRM/Upgrade/Incremental/sql/4.7.11.mysql.tpl 
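Review bot: migrateRemoteSubmissionsSetting inserts `remote_profile_submissions = 1` for every domain that lacks the row, with no visible check of whether the site ever used remote profile submission, and patch 2 of this series drops the post-upgrade notice about it, so the only signal an administrator gets that this abuse-prone feature is now on is the status-check warning added in patch 1. If blanket enablement is the intended trade-off, state it in the docblock and add a one-line post-upgrade message naming the setting so admins can opt out deliberately. The sibling task in the hunk header, `migrateOnBehalfOfInfo`, is `static` while this one is an instance method; `public static function migrateRemoteSubmissionsSetting(CRM_Queue_TaskContext $ctx) {` keeps the task callbacks consistent. The literal `'s:1:"1";'` also deserves a comment such as `// settings rows store the PHP-serialized value; this is serialize('1')`, since a reader may otherwise take it for a typo.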
@@ -14,6 +14,9 @@ UPDATE civicrm_dashboard SET name = 'myCases' WHERE (name IS NULL OR name = '') UPDATE civicrm_dashboard SET name = 'allCases' WHERE (name IS NULL OR name = '') AND url LIKE "civicrm/dashlet/allCases?%"; UPDATE civicrm_dashboard SET name = 'casedashboard' WHERE (name IS NULL OR name = '') AND url LIKE "civicrm/dashlet/casedashboard?%"; +-- CRM-19291 Fix names on dashlets where name is an empty string +UPDATE civicrm_dashboard SET name = label WHERE name = ''; + -- CRM-18508 Display State/Province in event address in registration emails {include file='../CRM/Upgrade/4.7.11.msg_template/civicrm_msg_template.tpl'} From 87568e34ea5e3820aad245274836e59460c90673 Mon Sep 17 00:00:00 2001 From: Seamus Lee Date: Fri, 2 Sep 2016 18:17:32 +1000 Subject: [PATCH 6/9] CRM-19301 fix dashboard upgrade for multilingual sites --- CRM/Core/BAO/SchemaHandler.php | 11 +++++++++-- CRM/Upgrade/Incremental/php/FourSeven.php | 6 ++++++ 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/CRM/Core/BAO/SchemaHandler.php b/CRM/Core/BAO/SchemaHandler.php index e68007d18af9..5bb971ef05fb 100644 --- a/CRM/Core/BAO/SchemaHandler.php +++ b/CRM/Core/BAO/SchemaHandler.php @@ -370,11 +370,18 @@ public static function dropTable($tableName) { /** * @param string $tableName * @param string $columnName + * @param bool $l10n + * */ - public static function dropColumn($tableName, $columnName) { + public static function dropColumn($tableName, $columnName, $l10n = FALSE) { if (self::checkIfFieldExists($tableName, $columnName)) { $sql = "ALTER TABLE $tableName DROP COLUMN $columnName"; - CRM_Core_DAO::executeQuery($sql); + if ($l10n) { + CRM_Core_DAO::executeQuery($sql); + } + else { + CRM_Core_DAO::executeQuery($sql, array(), TRUE, NULL, FALSE, FALSE); + } } } diff --git a/CRM/Upgrade/Incremental/php/FourSeven.php b/CRM/Upgrade/Incremental/php/FourSeven.php index 973c155d2168..ef1ffa03c37e 100644 --- a/CRM/Upgrade/Incremental/php/FourSeven.php 
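Review bot: The new `UPDATE civicrm_dashboard SET name = label WHERE name = '';` only fills empty-string names, whereas the three preceding statements in this file treat `name IS NULL` and `name = ''` alike, so dashlets with a NULL name stay unnamed. If NULL is possible here, as those lines imply, use `UPDATE civicrm_dashboard SET name = label WHERE name IS NULL OR name = '';`. The same `WHERE name = ''` condition is kept in both branches of the multilingual rewrite of this statement in patch 9.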
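Review bot: The new `$l10n = FALSE` default changes what every existing `dropColumn($table, $column)` call does: it now passes `FALSE` as the last argument to executeQuery, which appears to be the i18n-rewrite switch, so callers that previously got the multilingual rewrite silently lose it. If that is intended, the docblock should say so instead of leaving `@param bool $l10n` without a description, e.g. `@param bool $l10n TRUE to run the ALTER through the multilingual query rewrite; FALSE to alter the base table directly.`; if not, default to TRUE and opt out only at the dashboard call sites. The two branches differ only in their trailing arguments; if executeQuery's sixth parameter defaults to TRUE, the if/else collapses to `CRM_Core_DAO::executeQuery($sql, array(), TRUE, NULL, FALSE, $l10n);`.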
+++ b/CRM/Upgrade/Incremental/php/FourSeven.php @@ -786,6 +786,8 @@ public function dashboardSchemaUpdate(CRM_Queue_TaskContext $ctx) { CRM_Core_DAO::executeQuery('DELETE c1 FROM civicrm_dashboard_contact c1, civicrm_dashboard_contact c2 WHERE c1.contact_id = c2.contact_id AND c1.dashboard_id = c2.dashboard_id AND c1.id > c2.id'); CRM_Core_DAO::executeQuery('ALTER TABLE civicrm_dashboard_contact ADD UNIQUE INDEX index_dashboard_id_contact_id (dashboard_id, contact_id);'); } + $domain = new CRM_Core_DAO_Domain(); + $domain->find(TRUE); CRM_Core_BAO_SchemaHandler::dropColumn('civicrm_dashboard_contact', 'content'); CRM_Core_BAO_SchemaHandler::dropColumn('civicrm_dashboard_contact', 'is_minimized'); CRM_Core_BAO_SchemaHandler::dropColumn('civicrm_dashboard_contact', 'is_fullscreen'); @@ -794,6 +796,10 @@ public function dashboardSchemaUpdate(CRM_Queue_TaskContext $ctx) { CRM_Core_BAO_SchemaHandler::dropColumn('civicrm_dashboard', 'is_minimized'); CRM_Core_BAO_SchemaHandler::dropColumn('civicrm_dashboard', 'column_no'); CRM_Core_BAO_SchemaHandler::dropColumn('civicrm_dashboard', 'weight'); + if ($domain->locales) { + $locales = explode(CRM_Core_DAO::VALUE_SEPARATOR, $domain->locales); + CRM_Core_I18n_Schema::rebuildMultilingualSchema($locales, NULL); + } CRM_Core_DAO::executeQuery('UPDATE civicrm_dashboard SET url = REPLACE(url, "&snippet=5", ""), fullscreen_url = REPLACE(fullscreen_url, "&snippet=5", "")'); From 1285e4880e21fdc3a6363bca6dae11cba5b9d18d Mon Sep 17 00:00:00 2001 From: Seamus Lee Date: Sat, 3 Sep 2016 08:06:19 +1000 Subject: [PATCH 7/9] Rebuild localisation schema after dropping column --- CRM/Core/BAO/SchemaHandler.php | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CRM/Core/BAO/SchemaHandler.php b/CRM/Core/BAO/SchemaHandler.php index 5bb971ef05fb..5b664f7b9da1 100644 --- a/CRM/Core/BAO/SchemaHandler.php +++ b/CRM/Core/BAO/SchemaHandler.php 
@@ -382,6 +382,12 @@ public static function dropColumn($tableName, $columnName, $l10n = FALSE) { else { CRM_Core_DAO::executeQuery($sql, array(), TRUE, NULL, FALSE, FALSE); } + $domain = new CRM_Core_DAO_Domain(); + $domain->find(TRUE); + if ($domain->locales) { + $locales = explode(CRM_Core_DAO::VALUE_SEPARATOR, $domain->locales); + CRM_Core_I18n_Schema::rebuildMultilingualSchema($locales, NULL); + } } } From 8c3f9072fdd947043a0fc2c827b1375d66da7662 Mon Sep 17 00:00:00 2001 From: Seamus Lee Date: Sat, 3 Sep 2016 08:14:31 +1000 Subject: [PATCH 8/9] Ensure new column is added to base table when fixing up dashboard and rebuild multilingual structure afterwads --- CRM/Upgrade/Incremental/php/FourSeven.php | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/CRM/Upgrade/Incremental/php/FourSeven.php b/CRM/Upgrade/Incremental/php/FourSeven.php index ef1ffa03c37e..1bfbe1068d1b 100644 --- a/CRM/Upgrade/Incremental/php/FourSeven.php +++ b/CRM/Upgrade/Incremental/php/FourSeven.php 
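Review bot: rebuildMultilingualSchema now runs inside dropColumn for every column that exists, and dashboardSchemaUpdate in patch 6 calls dropColumn eight times in a row, so a multilingual site rebuilds the whole multilingual schema eight times within one upgrade task. Consider rebuilding once in the caller after the batch, or adding a parameter that lets callers skip the rebuild. The domain lookup and rebuild also run in the `$l10n` TRUE branch, where the rewritten query presumably already maintained the localised columns; if so, the rebuild belongs in the `else` branch only. dropColumn's signature is outside this hunk.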
@@ -804,7 +804,12 @@ public function dashboardSchemaUpdate(CRM_Queue_TaskContext $ctx) { CRM_Core_DAO::executeQuery('UPDATE civicrm_dashboard SET url = REPLACE(url, "&snippet=5", ""), fullscreen_url = REPLACE(fullscreen_url, "&snippet=5", "")'); if (!CRM_Core_BAO_SchemaHandler::checkIfFieldExists('civicrm_dashboard', 'cache_minutes')) { - CRM_Core_DAO::executeQuery('ALTER TABLE civicrm_dashboard ADD COLUMN cache_minutes int unsigned NOT NULL DEFAULT 60 COMMENT "Number of minutes to cache dashlet content in browser localStorage."'); + CRM_Core_DAO::executeQuery('ALTER TABLE civicrm_dashboard ADD COLUMN cache_minutes int unsigned NOT NULL DEFAULT 60 COMMENT "Number of minutes to cache dashlet content in browser localStorage."', + array(), TRUE, NULL, FALSE, FALSE); + } + if ($domain->locales) { + $locales = explode(CRM_Core_DAO::VALUE_SEPARATOR, $domain->locales); + CRM_Core_I18n_Schema::rebuildMultilingualSchema($locales, NULL); } CRM_Core_DAO::executeQuery('UPDATE civicrm_dashboard SET cache_minutes = 1440 WHERE name = "blog"'); From 3abab0f817e676a6eb352bd5cf33aeb9e2a66170 Mon Sep 17 00:00:00 2001 From: Seamus Lee Date: Sat, 3 Sep 2016 09:46:15 +1000 Subject: [PATCH 9/9] CRM-19291 Fix up eileen's fix for multilingual use practice from 4.6.0 to use first locale for name --- CRM/Core/BAO/SchemaHandler.php | 6 +++--- CRM/Upgrade/Incremental/php/FourSeven.php | 4 ---- CRM/Upgrade/Incremental/sql/4.7.11.mysql.tpl | 4 ++++ 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/CRM/Core/BAO/SchemaHandler.php b/CRM/Core/BAO/SchemaHandler.php index 5b664f7b9da1..3cc3e3e4826f 100644 --- a/CRM/Core/BAO/SchemaHandler.php +++ b/CRM/Core/BAO/SchemaHandler.php 
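Review bot: The four-line `if ($domain->locales) { explode(...); rebuildMultilingualSchema(...); }` idiom now appears three times in this series (here, earlier in dashboardSchemaUpdate from patch 6, and in dropColumn from patch 7), each re-deriving `$locales` from the domain. Extracting a small static helper (for instance a constructed `CRM_Core_I18n_Schema::rebuildMultilingualSchemaIfNeeded()` that reads the first domain and returns early when `locales` is empty) would give one place to change the lookup. `$domain` is assigned at the top of dashboardSchemaUpdate, outside this hunk, so a reader of the hunk cannot see that it is the first domain row from `find(TRUE)`; a comment such as `// $domain was fetched above; locales is non-empty only on multilingual sites` would help.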
@@ -370,13 +370,13 @@ public static function dropTable($tableName) { /** * @param string $tableName * @param string $columnName - * @param bool $l10n + * @param bool $l18n * */ - public static function dropColumn($tableName, $columnName, $l10n = FALSE) { + public static function dropColumn($tableName, $columnName, $l18n = FALSE) { if (self::checkIfFieldExists($tableName, $columnName)) { $sql = "ALTER TABLE $tableName DROP COLUMN $columnName"; - if ($l10n) { + if ($l18n) { CRM_Core_DAO::executeQuery($sql); } else { diff --git a/CRM/Upgrade/Incremental/php/FourSeven.php b/CRM/Upgrade/Incremental/php/FourSeven.php index 1bfbe1068d1b..9d820e8a0b02 100644 --- a/CRM/Upgrade/Incremental/php/FourSeven.php +++ b/CRM/Upgrade/Incremental/php/FourSeven.php @@ -796,10 +796,6 @@ public function dashboardSchemaUpdate(CRM_Queue_TaskContext $ctx) { CRM_Core_BAO_SchemaHandler::dropColumn('civicrm_dashboard', 'is_minimized'); CRM_Core_BAO_SchemaHandler::dropColumn('civicrm_dashboard', 'column_no'); CRM_Core_BAO_SchemaHandler::dropColumn('civicrm_dashboard', 'weight'); - if ($domain->locales) { - $locales = explode(CRM_Core_DAO::VALUE_SEPARATOR, $domain->locales); - CRM_Core_I18n_Schema::rebuildMultilingualSchema($locales, NULL); - } CRM_Core_DAO::executeQuery('UPDATE civicrm_dashboard SET url = REPLACE(url, "&snippet=5", ""), fullscreen_url = REPLACE(fullscreen_url, "&snippet=5", "")'); diff --git a/CRM/Upgrade/Incremental/sql/4.7.11.mysql.tpl b/CRM/Upgrade/Incremental/sql/4.7.11.mysql.tpl index 7337da12b06a..d0eeed5ce4ee 100644 --- a/CRM/Upgrade/Incremental/sql/4.7.11.mysql.tpl +++ b/CRM/Upgrade/Incremental/sql/4.7.11.mysql.tpl 
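Review bot: Renaming `$l10n` to `$l18n` does not make the parameter clearer: "l18n" is not a recognised abbreviation (i18n is internationalisation, l10n is localisation), and the `@param bool $l18n` line still carries no description. Name it after what it controls, for instance `$i18nRewrite` to match the executeQuery flag it is forwarded as, and document it: `@param bool $i18nRewrite TRUE to route the ALTER through the multilingual query rewrite; FALSE to alter the base table directly.`. The function body continues outside this hunk.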
@@ -15,7 +15,11 @@ UPDATE civicrm_dashboard SET name = 'allCases' WHERE (name IS NULL OR name = '') UPDATE civicrm_dashboard SET name = 'casedashboard' WHERE (name IS NULL OR name = '') AND url LIKE "civicrm/dashlet/casedashboard?%"; -- CRM-19291 Fix names on dashlets where name is an empty string +{if $multilingual} +UPDATE civicrm_dashboard SET name = label_{$locales.0} WHERE name = ''; +{else} UPDATE civicrm_dashboard SET name = label WHERE name = ''; +{/if} -- CRM-18508 Display State/Province in event address in registration emails {include file='../CRM/Upgrade/4.7.11.msg_template/civicrm_msg_template.tpl'}
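Review bot: The multilingual branch copies `label_{$locales.0}` into `name`, which ties the fallback machine name to whichever locale happens to be first in the domain's list, while the surrounding statements set fixed identifiers such as `'myCases'`; a reader of this file cannot tell why locale 0 was chosen. A comment in the template would record the decision, e.g. `-- On multilingual sites label is per-locale; the first configured locale is used so the fallback name is deterministic`. Both branches still use `WHERE name = ''` and so, like the earlier version of this statement, leave NULL names untouched if the column allows them.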