Merge pull request #19827 from civicrm/5.36

5.36

CRM/Utils/System.php

@@ -629,7 +629,7 @@ public static function authenticateKey($abort = TRUE) {
       );
     }
 
-    if ($key !== $siteKey) {
+    if (!hash_equals($siteKey, $key)) {
       return self::authenticateAbort(
         "ERROR: Invalid key value sent. " . $docAdd . "\n",
         $abort

CRM/Utils/System/Joomla.php

@@ -105,9 +105,8 @@ public function updateCMSName($ufID, $ufName) {
   public function checkUserNameEmailExists(&$params, &$errors, $emailName = 'email') {
     $config = CRM_Core_Config::singleton();
 
-    $dao = new CRM_Core_DAO();
-    $name = $dao->escape(CRM_Utils_Array::value('name', $params));
-    $email = $dao->escape(CRM_Utils_Array::value('mail', $params));
+    $name = CRM_Utils_Array::value('name', $params);
+    $email = CRM_Utils_Array::value('mail', $params);
     //don't allow the special characters and min. username length is two
     //regex \\ to match a single backslash would become '/\\\\/'
     $isNotValid = (bool) preg_match('/[\<|\>|\"|\'|\%|\;|\(|\)|\&|\\\\|\/]/im', $name);
@@ -123,7 +122,7 @@ public function checkUserNameEmailExists(&$params, &$errors, $emailName = 'email
     $query->from($JUserTable->getTableName());
 
     // LOWER in query below roughly translates to 'hurt my database without deriving any benefit' See CRM-19811.
-    $query->where('(LOWER(username) = LOWER(\'' . $name . '\')) OR (LOWER(email) = LOWER(\'' . $email . '\'))');
+    $query->where('(LOWER(username) = LOWER(' . $db->quote($name) . ')) OR (LOWER(email) = LOWER(' . $db->quote($email) . '))');
     $db->setQuery($query, 0, 10);
     $users = $db->loadAssocList();
 
@@ -343,7 +342,7 @@ public function authenticate($name, $password, $loadCMSBootstrap = FALSE, $realP
     $query = $db->getQuery(TRUE);
     $query->select('id, name, username, email, password');
     $query->from($JUserTable->getTableName());
-    $query->where('(LOWER(username) = LOWER(\'' . $name . '\')) AND (block = 0)');
+    $query->where('(LOWER(username) = LOWER(' . $db->quote($name) . ')) AND (block = 0)');
     $db->setQuery($query, 0, 0);
     $users = $db->loadObjectList();
 

ang/api4Explorer/Explorer.js

@@ -706,7 +706,7 @@
       }
       _.each($scope.code, function(vals) {
         _.each(vals, function(style) {
-          style.code = code[style.name] ? prettyPrintOne(code[style.name]) : '';
+          style.code = code[style.name] ? prettyPrintOne(_.escape(code[style.name])) : '';
         });
       });
     }

release-notes.md

@@ -15,6 +15,16 @@ Other resources for identifying changes are:
     * https://github.com/civicrm/civicrm-joomla
     * https://github.com/civicrm/civicrm-wordpress
 
+## CiviCRM 5.35.1
+
+Released March 17, 2021
+
+- **[Synopsis](release-notes/5.35.1.md#synopsis)**
+- **[Security advisories](release-notes/5.35.1.md#security)**
+- **[Bugs resolved](release-notes/5.35.1.md#bugs)**
+- **[Credits](release-notes/5.35.1.md#credits)**
+- **[Feedback](release-notes/5.35.1.md#feedback)**
+
 ## CiviCRM 5.35.0
 
 Released March 3, 2021

release-notes/5.35.1.md

@@ -0,0 +1,58 @@
+# CiviCRM 5.35.1
+
+Released March 17, 2021
+
+- **[Synopsis](#synopsis)**
+- **[Bugs resolved](#bugs)**
+- **[Credits](#credits)**
+- **[Feedback](#feedback)**
+
+## <a name="synopsis"></a>Synopsis
+
+| *Does this version...?*                                         |          |
+| --------------------------------------------------------------- | -------- |
+| Change the database schema?                                     | no       |
+| Alter the API?                                                  | no       |
+| Require attention to configuration options?                     | no       |
+| **Fix problems installing or upgrading to a previous version?** | **yes**  |
+| Introduce features?                                             | no       |
+| **Fix bugs?**                                                   | **yes**  |
+
+## <a name="security"></a>Security advisories
+
+- **[CIVI-SA-2021-01](https://civicrm.org/advisory/civi-sa-2021-01-reflected-cross-site-scripting-uploaded-csvs)**: Reflected Cross Site Scripting via Uploaded CSVs
+- **[CIVI-SA-2021-02](https://civicrm.org/advisory/civi-sa-2021-02-web-executable-utility-scripts)**: Web Executable Utility Scripts
+- **[CIVI-SA-2021-03](https://civicrm.org/advisory/civi-sa-2021-03-cross-site-scripting-manage-extensions)**: Cross Site Scripting in "Manage Extensions"
+- **[CIVI-SA-2021-04](https://civicrm.org/advisory/civi-sa-2021-04-cross-site-scripting-apiv4-explorer)**: Cross Site Scripting in the APIv4 Explorer
+- **[CIVI-SA-2021-05](https://civicrm.org/advisory/civi-sa-2021-05-reflected-cross-site-scripting-personal-campaign-pages)**: Reflected Cross Site Scripting in Personal Campaign Pages
+- **[CIVI-SA-2021-06](https://civicrm.org/advisory/civi-sa-2021-06-timing-attacks-against-site-key)**: Timing Attacks Against the Site Key
+- **[CIVI-SA-2021-07](https://civicrm.org/advisory/civi-sa-2021-07-sql-injection-joomla-user-integration)**: SQL injection in Joomla user integration
+
+## <a name="bugs"></a>Bugs resolved
+
+* **_CiviCampaign_: Fix error when reserving respondents for a survey ([#19811](https://github.com/civicrm/civicrm-core/pull/19811))**
+* **_Upgrader_: Fix handling of "group_title" in certain upgrade-paths ([dev/translation#58](https://lab.civicrm.org/dev/translation/-/issues/58): [#19740](https://github.com/civicrm/civicrm-core/pull/19740))**
+* **_D8 / Asset Builder_: Fail gracefully when certain resources cannot be generted ([dev/core#2137](https://lab.civicrm.org/dev/core/-/issues/2137): [#18830](https://github.com/civicrm/civicrm-core/pull/18830))**
+
+  A common misconfiguration on Drupal 8+ is to omit `enable-patching`. This currently manifests as an error about `crm-menubar.css`. The change does not fix the misconfiguration, but it makes the error more manageable.
+
+## <a name="credits"></a>Credits
+
+Special support from Deutsche Gesellschaft für Internationale Zusammenarbeit
+GmbH contributed significantly to this release and other contemporaneous
+security improvements.
+
+This release was developed by the following authors and reviewers:
+
+Wikimedia Foundation - Eileen McNaughton; Stephen Palmstrom; Semper IT - Karin
+Gerritsen; Progressive Technology Project - Jamie McClelland; Megaphone Technology
+Consulting - Jon Goldberg; MJW Consulting - Matthew Wire; MJCO - Mikey O'Toole; JMA
+Consulting - Seamus Lee, Monish Deb; Fuzion - Luke Stewart; Dmitry Smirnov; Dave D;
+CiviCRM - Tim Otten, Coleman Watts; Circle Interactive - Pradeep Nayak; Blackfly
+Solutions - Alan Dixon; Artful Robot - Rich Lott; AGH Strategies - Andrew Hunt
+
+## <a name="feedback"></a>Feedback
+
+These release notes are edited by Tim Otten and Andrew Hunt.  If you'd like to
+provide feedback on them, please login to https://chat.civicrm.org/civicrm and
+contact `@agh1`.

sql/GenerateData.php

@@ -69,6 +69,10 @@
  *
  */
 
+if (!(php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0))) {
+  header("HTTP/1.0 404 Not Found");
+  return;
+}
 
 require_once '../civicrm.config.php';
 CRM_Core_Config::singleton();

sql/GenerateGroups.php

@@ -14,6 +14,10 @@
  * @package CRM
  * @copyright CiviCRM LLC https://civicrm.org/licensing
  */
+if (!(php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0))) {
+  header("HTTP/1.0 404 Not Found");
+  return;
+}
 
 require_once '../civicrm.config.php';
 

sql/GenerateMailing.php

@@ -14,6 +14,11 @@
  * @package CRM
  * @copyright CiviCRM LLC https://civicrm.org/licensing
  */
+if (!(php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0))) {
+  header("HTTP/1.0 404 Not Found");
+
+  return;
+}
 
 require_once '../civicrm.config.php';
 

sql/GenerateReportData.php

@@ -76,7 +76,10 @@
  * php versions.
  * @todo look to remove this file completely.
  */
-
+if (!(php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0))) {
+  header("HTTP/1.0 404 Not Found");
+  return;
+}
 
 require_once '../civicrm.config.php';
 

templates/CRM/Activity/Import/Form/MapTable.tpl

@@ -39,7 +39,7 @@
 
                 {section name=rows loop=$rowDisplayCount}
                     {assign var="j" value=$smarty.section.rows.index}
-                    <td class="{if $skipColumnHeader AND $smarty.section.rows.iteration == 1}even-row labels{else}odd-row{/if}">{$dataValues[$j][$i]}</td>
+                    <td class="{if $skipColumnHeader AND $smarty.section.rows.iteration == 1}even-row labels{else}odd-row{/if}">{$dataValues[$j][$i]|escape}</td>
                 {/section}
 
                 {* Display mapper <select> field for 'Map Fields', and mapper value for 'Preview' *}

templates/CRM/Admin/Page/ExtensionDetails.tpl

@@ -1,6 +1,6 @@
 <table class="crm-info-panel">
         {foreach from=$extension.urls key=label item=url}
-            <tr><td class="label">{$label}</td><td><a href="{$url}">{$url}</a></td></tr>
+            <tr><td class="label">{$label|escape}</td><td><a href="{$url|escape}">{$url|escape}</a></td></tr>
         {/foreach}
     <tr>
         <td class="label">{ts}Author{/ts}</td>
@@ -16,19 +16,19 @@
         </td>
     </tr>
     <tr>
-      <td class="label">{ts}Comments{/ts}</td><td>{$extension.comments}</td>
+      <td class="label">{ts}Comments{/ts}</td><td>{$extension.comments|escape}</td>
     </tr>
     <tr>
-        <td class="label">{ts}Version{/ts}</td><td>{$extension.version}</td>
+        <td class="label">{ts}Version{/ts}</td><td>{$extension.version|escape}</td>
     </tr>
     <tr>
-        <td class="label">{ts}Released on{/ts}</td><td>{$extension.releaseDate}</td>
+        <td class="label">{ts}Released on{/ts}</td><td>{$extension.releaseDate|escape}</td>
     </tr>
     <tr>
-        <td class="label">{ts}License{/ts}</td><td>{$extension.license}</td>
+        <td class="label">{ts}License{/ts}</td><td>{$extension.license|escape}</td>
     </tr>
     <tr>
-        <td class="label">{ts}Development stage{/ts}</td><td>{$extension.develStage}</td>
+        <td class="label">{ts}Development stage{/ts}</td><td>{$extension.develStage|escape}</td>
     </tr>
     <tr>
         <td class="label">{ts}Requires{/ts}</td>
@@ -49,17 +49,17 @@
         <td class="label">{ts}Compatible with{/ts}</td>
         <td>
             {foreach from=$extension.compatibility.ver item=ver}
-                {$ver} &nbsp;
+                {$ver|escape} &nbsp;
             {/foreach}
         </td>
     </tr>
     <tr>
-      <td class="label">{ts}Local path{/ts}</td><td>{$extension.path}</td>
+      <td class="label">{ts}Local path{/ts}</td><td>{$extension.path|escape}</td>
     </tr>
     <tr>
-      <td class="label">{ts}Download location{/ts}</td><td>{$extension.downloadUrl}</td>
+      <td class="label">{ts}Download location{/ts}</td><td>{$extension.downloadUrl|escape}</td>
     </tr>
     <tr>
-      <td class="label">{ts}Key{/ts}</td><td>{$extension.key}</td>
+      <td class="label">{ts}Key{/ts}</td><td>{$extension.key|escape}</td>
     </tr>
 </table>

templates/CRM/Admin/Page/Extensions/Main.tpl

@@ -19,19 +19,19 @@ Depends: CRM/common/enableDisableApi.tpl and CRM/common/jsortable.tpl
       </thead>
       <tbody>
         {foreach from=$localExtensionRows key=extKey item=row}
-        <tr id="extension-{$row.file}" class="crm-entity crm-extension-{$row.file}{if $row.status eq 'disabled'} disabled{/if}{if $row.status eq 'installed-missing' or $row.status eq 'disabled-missing'} extension-missing{/if}{if $row.upgradable} extension-upgradable{elseif $row.status eq 'installed'} extension-installed{/if}">
+        <tr id="extension-{$row.file|escape}" class="crm-entity crm-extension-{$row.file|escape}{if $row.status eq 'disabled'} disabled{/if}{if $row.status eq 'installed-missing' or $row.status eq 'disabled-missing'} extension-missing{/if}{if $row.upgradable} extension-upgradable{elseif $row.status eq 'installed'} extension-installed{/if}">
           <td class="crm-extensions-label">
-              <a class="collapsed" href="#"></a>&nbsp;<strong>{$row.label}</strong><br/>{$row.description}
+              <a class="collapsed" href="#"></a>&nbsp;<strong>{$row.label|escape}</strong><br/>{$row.description|escape}
               {if $extAddNewEnabled && $remoteExtensionRows[$extKey] && $remoteExtensionRows[$extKey].upgradelink}
                 <div class="crm-extensions-upgrade">{$remoteExtensionRows[$extKey].upgradelink}</div>
               {/if}
           </td>
           <td class="crm-extensions-label">{$row.statusLabel} {if $row.upgradable}<br/>({ts}Outdated{/ts}){/if}</td>
-          <td class="crm-extensions-label">{$row.version} {if $row.upgradable}<br/>({$row.upgradeVersion}){/if}</td>
-          <td class="crm-extensions-description">{$row.type|capitalize}</td>
+          <td class="crm-extensions-label">{$row.version|escape} {if $row.upgradable}<br/>({$row.upgradeVersion}){/if}</td>
+          <td class="crm-extensions-description">{$row.type|escape|capitalize}</td>
           <td>{$row.action|replace:'xx':$row.id}</td>
         </tr>
-        <tr class="hiddenElement" id="crm-extensions-details-{$row.file}">
+        <tr class="hiddenElement" id="crm-extensions-details-{$row.file|escape}">
             <td>
                 {include file="CRM/Admin/Page/ExtensionDetails.tpl" extension=$row localExtensionRows=$localExtensionRows remoteExtensionRows=$remoteExtensionRows}
             </td>

templates/CRM/Contact/Import/Form/MapTable.tpl

@@ -46,7 +46,7 @@
 
                 {section name=rows loop=$rowDisplayCount}
                     {assign var="j" value=$smarty.section.rows.index}
-                    <td class="odd-row">{$dataValues[$j][$i]}</td>
+                    <td class="odd-row">{$dataValues[$j][$i]|escape}</td>
                 {/section}
 
                 {* Display mapper <select> field for 'Map Fields', and mapper value for 'Preview' *}

templates/CRM/Contribute/Import/Form/MapTable.tpl

@@ -38,7 +38,7 @@
 
                 {section name=rows loop=$rowDisplayCount}
                     {assign var="j" value=$smarty.section.rows.index}
-                    <td class="{if $skipColumnHeader AND $smarty.section.rows.iteration == 1}even-row labels{else}odd-row{/if}">{$dataValues[$j][$i]}</td>
+                    <td class="{if $skipColumnHeader AND $smarty.section.rows.iteration == 1}even-row labels{else}odd-row{/if}">{$dataValues[$j][$i]|escape}</td>
                 {/section}
 
                 {* Display mapper <select> field for 'Map Fields', and mapper value for 'Preview' *}

templates/CRM/Event/Import/Form/MapTable.tpl

@@ -38,7 +38,7 @@
 
                 {section name=rows loop=$rowDisplayCount}
                     {assign var="j" value=$smarty.section.rows.index}
-                    <td class="{if $skipColumnHeader AND $smarty.section.rows.iteration == 1}even-row labels{else}odd-row{/if}">{$dataValues[$j][$i]}</td>
+                    <td class="{if $skipColumnHeader AND $smarty.section.rows.iteration == 1}even-row labels{else}odd-row{/if}">{$dataValues[$j][$i]|escape}</td>
                 {/section}
 
                 {* Display mapper <select> field for 'Map Fields', and mapper value for 'Preview' *}

templates/CRM/Member/Import/Form/MapTable.tpl

@@ -38,7 +38,7 @@
 
                 {section name=rows loop=$rowDisplayCount}
                     {assign var="j" value=$smarty.section.rows.index}
-                    <td class="{if $skipColumnHeader AND $smarty.section.rows.iteration == 1}even-row labels{else}odd-row{/if}">{$dataValues[$j][$i]}</td>
+                    <td class="{if $skipColumnHeader AND $smarty.section.rows.iteration == 1}even-row labels{else}odd-row{/if}">{$dataValues[$j][$i]|escape}</td>
                 {/section}
 
                 {* Display mapper <select> field for 'Map Fields', and mapper value for 'Preview' *}

templates/CRM/PCP/Page/PCPInfo.tpl

@@ -38,7 +38,7 @@
 <div class="campaign">
 {crmRegion name="pcp-page-pcpinfo"}
     <div class="pcp-intro-text">
-      {$pcp.intro_text}
+      {$pcp.intro_text|purify}
   </div>
     {if $image}
     <div class="pcp-image">

tools/bin/scripts/NormalizePhone.php

@@ -16,7 +16,10 @@
  * issues
  *
  */
-
+if (!(php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0))) {
+  header("HTTP/1.0 404 Not Found");
+  return;
+}
 define('THROTTLE_REQUESTS', 0);
 function run() {
   session_start();

tools/bin/scripts/ckeditorConfigScraper.php

@@ -1,4 +1,8 @@
 <?php
+if (!(php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0))) {
+  header("HTTP/1.0 404 Not Found");
+  return;
+}
 /**
  * Scrape all config options from the CKEditor documentation site.
  */

tools/bin/scripts/set-version.php

@@ -10,7 +10,10 @@
 
 /* *********************************************************************** */
 /* Boot */
-
+if (!(php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0))) {
+  header("HTTP/1.0 404 Not Found");
+  return;
+}
 $civicrm_root = dirname(dirname(dirname(__DIR__)));
 chdir($civicrm_root);
 

tools/bin/scripts/testProcess.php

@@ -1,4 +1,8 @@
 <?php
+if (!(php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0))) {
+  header("HTTP/1.0 404 Not Found");
+  return;
+}
 require_once '../civicrm.config.php';
 require_once 'CRM/Core/Config.php';
 require_once 'CRM/Core/Error.php';