diff --git a/CRM/Utils/System.php b/CRM/Utils/System.php
index 5c27f998d451..4be0a9588857 100644
--- a/CRM/Utils/System.php
+++ b/CRM/Utils/System.php
@@ -629,7 +629,7 @@ public static function authenticateKey($abort = TRUE) {
 );
 }
- if ($key !== $siteKey) {
+ if (!hash_equals($siteKey, $key)) {
 return self::authenticateAbort(
 "ERROR: Invalid key value sent. " . $docAdd . "\n",
 $abort
diff --git a/CRM/Utils/System/Joomla.php b/CRM/Utils/System/Joomla.php
index 7651aeb82392..18637f3c1c41 100644
--- a/CRM/Utils/System/Joomla.php
+++ b/CRM/Utils/System/Joomla.php
@@ -105,9 +105,8 @@ public function updateCMSName($ufID, $ufName) {
 public function checkUserNameEmailExists(&$params, &$errors, $emailName = 'email') {
 $config = CRM_Core_Config::singleton();
- $dao = new CRM_Core_DAO();
- $name = $dao->escape(CRM_Utils_Array::value('name', $params));
- $email = $dao->escape(CRM_Utils_Array::value('mail', $params));
+ $name = CRM_Utils_Array::value('name', $params);
+ $email = CRM_Utils_Array::value('mail', $params);
 //don't allow the special characters and min. username length is two
 //regex \\ to match a single backslash would become '/\\\\/'
 $isNotValid = (bool) preg_match('/[\<|\>|\"|\'|\%|\;|\(|\)|\&|\\\\|\/]/im', $name);
@@ -123,7 +122,7 @@ public function checkUserNameEmailExists(&$params, &$errors, $emailName = 'email
 $query->from($JUserTable->getTableName());
 // LOWER in query below roughly translates to 'hurt my database without deriving any benefit' See CRM-19811.
- $query->where('(LOWER(username) = LOWER(\'' . $name . '\')) OR (LOWER(email) = LOWER(\'' . $email . '\'))');
+ $query->where('(LOWER(username) = LOWER(' . $db->quote($name) . ')) OR (LOWER(email) = LOWER(' . $db->quote($email) . '))');
 $db->setQuery($query, 0, 10);
 $users = $db->loadAssocList();
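Review bot: The new `hash_equals($siteKey, $key)` on the changed line requires both arguments to be strings — on PHP 8 a null or non-string argument throws a TypeError, and on PHP 7 it warns and returns false — so the comparison now depends on how `$key` and `$siteKey` were obtained above the hunk, which is outside what is visible here. If `$key` can still be null at this point (for example when no key was sent and the earlier check lets that through), guard it first: `if (!is_string($key) || !hash_equals((string) $siteKey, $key)) {`. The argument order, known site key first and user-supplied key second, is the correct one for `hash_equals()`. authenticateKey() starts and ends outside the hunk.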
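Review bot: With the `$dao->escape()` wrappers removed, `$name` and `$email` are now whatever `CRM_Utils_Array::value()` returns, which is null when the key is absent; that null reaches `preg_match()` on the last context line of this hunk and `$db->quote()` in the following hunk (`@@ -123,7 +122,7 @@`). Passing an explicit default keeps both sites string-typed: `$name = CRM_Utils_Array::value('name', $params, '');` and `$email = CRM_Utils_Array::value('mail', $params, '');`. Moving the escaping to `$db->quote()` at the query site is the right direction, since it is presumably the same Joomla connection that executes the query, whereas the removed DAO escape belonged to a different driver. checkUserNameEmailExists() continues past the hunk.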
@@ -343,7 +342,7 @@ public function authenticate($name, $password, $loadCMSBootstrap = FALSE, $realP
 $query = $db->getQuery(TRUE);
 $query->select('id, name, username, email, password');
 $query->from($JUserTable->getTableName());
- $query->where('(LOWER(username) = LOWER(\'' . $name . '\')) AND (block = 0)');
+ $query->where('(LOWER(username) = LOWER(' . $db->quote($name) . ')) AND (block = 0)');
 $db->setQuery($query, 0, 0);
 $users = $db->loadObjectList();
diff --git a/ang/api4Explorer/Explorer.js b/ang/api4Explorer/Explorer.js
index aa37c7e9575a..87ad2fe32f2b 100644
--- a/ang/api4Explorer/Explorer.js
+++ b/ang/api4Explorer/Explorer.js
@@ -706,7 +706,7 @@
 }
 _.each($scope.code, function(vals) {
 _.each(vals, function(style) {
- style.code = code[style.name] ? prettyPrintOne(code[style.name]) : '';
+ style.code = code[style.name] ? prettyPrintOne(_.escape(code[style.name])) : '';
 });
 });
 }
diff --git a/release-notes.md b/release-notes.md
index 220e60bd81b2..9a38911cf9e9 100644
--- a/release-notes.md
+++ b/release-notes.md
@@ -15,6 +15,16 @@ Other resources for identifying changes are:
 * https://github.com/civicrm/civicrm-joomla
 * https://github.com/civicrm/civicrm-wordpress
+## CiviCRM 5.35.1
+
+Released March 17, 2021
+
+- **[Synopsis](release-notes/5.35.1.md#synopsis)**
+- **[Security advisories](release-notes/5.35.1.md#security)**
+- **[Bugs resolved](release-notes/5.35.1.md#bugs)**
+- **[Credits](release-notes/5.35.1.md#credits)**
+- **[Feedback](release-notes/5.35.1.md#feedback)**
+
 ## CiviCRM 5.35.0
 Released March 3, 2021
diff --git a/release-notes/5.35.1.md b/release-notes/5.35.1.md
new file mode 100644
index 000000000000..f539638e09e0
--- /dev/null
+++ b/release-notes/5.35.1.md
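Review bot: The reason for the `_.escape()` on the changed line is not recorded, and escaping added this way tends to be removed again the first time someone sees double-escaped output in a refactor; prettyPrintOne() takes HTML rather than plain text, so the generated code has to be escaped before it is handed over. Suggest `// prettyPrintOne() takes HTML; escape first so values echoed into the generated code cannot inject markup` above the assignment. Whether `style.code` is later bound as trusted HTML happens outside the hunk and is not checked here.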
@@ -0,0 +1,58 @@
+# CiviCRM 5.35.1
+
+Released March 17, 2021
+
+- **[Synopsis](#synopsis)**
+- **[Bugs resolved](#bugs)**
+- **[Credits](#credits)**
+- **[Feedback](#feedback)**
+
+## Synopsis
+
+| *Does this version...?* | |
+| --------------------------------------------------------------- | -------- |
+| Change the database schema? | no |
+| Alter the API? | no |
+| Require attention to configuration options? | no |
+| **Fix problems installing or upgrading to a previous version?** | **yes** |
+| Introduce features? | no |
+| **Fix bugs?** | **yes** |
+
+## Security advisories
+
+- **[CIVI-SA-2021-01](https://civicrm.org/advisory/civi-sa-2021-01-reflected-cross-site-scripting-uploaded-csvs)**: Reflected Cross Site Scripting via Uploaded CSVs
+- **[CIVI-SA-2021-02](https://civicrm.org/advisory/civi-sa-2021-02-web-executable-utility-scripts)**: Web Executable Utility Scripts
+- **[CIVI-SA-2021-03](https://civicrm.org/advisory/civi-sa-2021-03-cross-site-scripting-manage-extensions)**: Cross Site Scripting in "Manage Extensions"
+- **[CIVI-SA-2021-04](https://civicrm.org/advisory/civi-sa-2021-04-cross-site-scripting-apiv4-explorer)**: Cross Site Scripting in the APIv4 Explorer
+- **[CIVI-SA-2021-05](https://civicrm.org/advisory/civi-sa-2021-05-reflected-cross-site-scripting-personal-campaign-pages)**: Reflected Cross Site Scripting in Personal Campaign Pages
+- **[CIVI-SA-2021-06](https://civicrm.org/advisory/civi-sa-2021-06-timing-attacks-against-site-key)**: Timing Attacks Against the Site Key
+- **[CIVI-SA-2021-07](https://civicrm.org/advisory/civi-sa-2021-07-sql-injection-joomla-user-integration)**: SQL injection in Joomla user integration
+
+## Bugs resolved
+
+* **_CiviCampaign_: Fix error when reserving respondents for a survey ([#19811](https://github.com/civicrm/civicrm-core/pull/19811))**
+* **_Upgrader_: Fix handling of "group_title" in certain upgrade-paths ([dev/translation#58](https://lab.civicrm.org/dev/translation/-/issues/58): 
[#19740](https://github.com/civicrm/civicrm-core/pull/19740))**
+* **_D8 / Asset Builder_: Fail gracefully when certain resources cannot be generted ([dev/core#2137](https://lab.civicrm.org/dev/core/-/issues/2137): [#18830](https://github.com/civicrm/civicrm-core/pull/18830))**
+
+ A common misconfiguration on Drupal 8+ is to omit `enable-patching`. This currently manifests as an error about `crm-menubar.css`. The change does not fix the misconfiguration, but it makes the error more manageable.
+
+## Credits
+
+Special support from Deutsche Gesellschaft für Internationale Zusammenarbeit
+GmbH contributed significantly to this release and other contemporaneous
+security improvements.
+
+This release was developed by the following authors and reviewers:
+
+Wikimedia Foundation - Eileen McNaughton; Stephen Palmstrom; Semper IT - Karin
+Gerritsen; Progressive Technology Project - Jamie McClelland; Megaphone Technology
+Consulting - Jon Goldberg; MJW Consulting - Matthew Wire; MJCO - Mikey O'Toole; JMA
+Consulting - Seamus Lee, Monish Deb; Fuzion - Luke Stewart; Dmitry Smirnov; Dave D;
+CiviCRM - Tim Otten, Coleman Watts; Circle Interactive - Pradeep Nayak; Blackfly
+Solutions - Alan Dixon; Artful Robot - Rich Lott; AGH Strategies - Andrew Hunt
+
+## Feedback
+
+These release notes are edited by Tim Otten and Andrew Hunt. If you'd like to
+provide feedback on them, please login to https://chat.civicrm.org/civicrm and
+contact `@agh1`.
diff --git a/sql/GenerateData.php b/sql/GenerateData.php
index 63c2b30b23a8..40dca615a15c 100644
--- a/sql/GenerateData.php
+++ b/sql/GenerateData.php
@@ -69,6 +69,10 @@
 *
 */
+if (!(php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0))) {
+ header("HTTP/1.0 404 Not Found");
+ return;
+}
 require_once '../civicrm.config.php';
 CRM_Core_Config::singleton();
diff --git a/sql/GenerateGroups.php b/sql/GenerateGroups.php
index 205b73d51895..18381428ea91 100644
--- a/sql/GenerateGroups.php
+++ b/sql/GenerateGroups.php
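Review bot: The `argc` branch of the new guard is not a reliable CLI signal: when `register_argc_argv` is enabled PHP may also populate `$_SERVER['argc']` for web requests, so the `|| (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0)` clause can let a web request past the 404, and when the key is absent the read raises an undefined-index notice before the check decides. Keying the guard on the SAPI alone is both simpler and tighter: `if (PHP_SAPI !== 'cli') {`; if non-CLI SAPIs launched from a terminal must keep working, that heuristic and its limits deserve a comment rather than an unexplained `argc` test. The same guard, with the same weakness, is added in the GenerateGroups.php, GenerateMailing.php and GenerateReportData.php hunks. A file-scope `return` only stops this script, which is fine provided nothing includes it, something the hunk cannot show.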
@@ -14,6 +14,10 @@
 * @package CRM
 * @copyright CiviCRM LLC https://civicrm.org/licensing
 */
+if (!(php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0))) {
+ header("HTTP/1.0 404 Not Found");
+ return;
+}
 require_once '../civicrm.config.php';
diff --git a/sql/GenerateMailing.php b/sql/GenerateMailing.php
index d9af5ca11271..1ea8e744e8d0 100644
--- a/sql/GenerateMailing.php
+++ b/sql/GenerateMailing.php
@@ -14,6 +14,11 @@
 * @package CRM
 * @copyright CiviCRM LLC https://civicrm.org/licensing
 */
+if (!(php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0))) {
+ header("HTTP/1.0 404 Not Found");
+
+ return;
+}
 require_once '../civicrm.config.php';
diff --git a/sql/GenerateReportData.php b/sql/GenerateReportData.php
index f415959c6a00..bfb77ad0b354 100644
--- a/sql/GenerateReportData.php
+++ b/sql/GenerateReportData.php
@@ -76,7 +76,10 @@
 * php versions.
 * @todo look to remove this file completely.
 */
-
+if (!(php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0))) {
+ header("HTTP/1.0 404 Not Found");
+ return;
+}
 require_once '../civicrm.config.php';
diff --git a/templates/CRM/Activity/Import/Form/MapTable.tpl b/templates/CRM/Activity/Import/Form/MapTable.tpl
index 626a37948fc0..6ecd9c181db0 100644
--- a/templates/CRM/Activity/Import/Form/MapTable.tpl
+++ b/templates/CRM/Activity/Import/Form/MapTable.tpl
@@ -39,7 +39,7 @@
 {section name=rows loop=$rowDisplayCount}
 {assign var="j" value=$smarty.section.rows.index}
- {$dataValues[$j][$i]}
+ {$dataValues[$j][$i]|escape}
 {/section}
 {* Display mapper field for 'Map Fields', and mapper value for 'Preview' *}
diff --git a/templates/CRM/Contribute/Import/Form/MapTable.tpl b/templates/CRM/Contribute/Import/Form/MapTable.tpl
index ad14bd8ae12b..4c6909d271af 100644
--- a/templates/CRM/Contribute/Import/Form/MapTable.tpl
+++ b/templates/CRM/Contribute/Import/Form/MapTable.tpl
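Review bot: `|escape` with no argument applies Smarty's default HTML escaping (unless the project overrides the modifier), which is the right context for a table cell, but the change carries no explanation and the unescaped form it replaces is easy to reintroduce; suggest `{* imported cell values are user-supplied; escape them for the HTML context *}` above the changed line. The same modifier is added in the Contribute and Member MapTable.tpl hunks, and any other template that prints `$dataValues` without it would have the same exposure, which this diff cannot show. The loop that supplies `$i` begins before the hunk.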
@@ -38,7 +38,7 @@
 {section name=rows loop=$rowDisplayCount}
 {assign var="j" value=$smarty.section.rows.index}
- {$dataValues[$j][$i]}
+ {$dataValues[$j][$i]|escape}
 {/section}
 {* Display mapper field for 'Map Fields', and mapper value for 'Preview' *}
diff --git a/templates/CRM/Member/Import/Form/MapTable.tpl b/templates/CRM/Member/Import/Form/MapTable.tpl
index 927ba7ceea89..0a3dfec5ae28 100644
--- a/templates/CRM/Member/Import/Form/MapTable.tpl
+++ b/templates/CRM/Member/Import/Form/MapTable.tpl
@@ -38,7 +38,7 @@
 {section name=rows loop=$rowDisplayCount}
 {assign var="j" value=$smarty.section.rows.index}
- {$dataValues[$j][$i]}
+ {$dataValues[$j][$i]|escape}
 {/section}
 {* Display mapper