From 54f6fd784e4ca36ced842b81e9d8651a0b1de2a9 Mon Sep 17 00:00:00 2001
From: Seamus Lee <seamuslee001@gmail.com>
Date: Mon, 16 Nov 2020 19:06:16 +1100
Subject: [PATCH 01/10] security/core#100 Escape uploaded data to prevent
 Reflected Cross site scripting from uploaded CSVs

---
 templates/CRM/Activity/Import/Form/MapTable.tpl   | 2 +-
 templates/CRM/Contact/Import/Form/MapTable.tpl    | 2 +-
 templates/CRM/Contribute/Import/Form/MapTable.tpl | 2 +-
 templates/CRM/Event/Import/Form/MapTable.tpl      | 2 +-
 templates/CRM/Member/Import/Form/MapTable.tpl     | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/templates/CRM/Activity/Import/Form/MapTable.tpl b/templates/CRM/Activity/Import/Form/MapTable.tpl
index 626a37948fc0..6ecd9c181db0 100644
--- a/templates/CRM/Activity/Import/Form/MapTable.tpl
+++ b/templates/CRM/Activity/Import/Form/MapTable.tpl
@@ -39,7 +39,7 @@
 
                 {section name=rows loop=$rowDisplayCount}
                     {assign var="j" value=$smarty.section.rows.index}
-                    <td class="{if $skipColumnHeader AND $smarty.section.rows.iteration == 1}even-row labels{else}odd-row{/if}">{$dataValues[$j][$i]}</td>
+                    <td class="{if $skipColumnHeader AND $smarty.section.rows.iteration == 1}even-row labels{else}odd-row{/if}">{$dataValues[$j][$i]|escape}</td>
                 {/section}
 
                 {* Display mapper <select> field for 'Map Fields', and mapper value for 'Preview' *}
diff --git a/templates/CRM/Contact/Import/Form/MapTable.tpl b/templates/CRM/Contact/Import/Form/MapTable.tpl
index 21966b6aa5c7..6eb7c6534611 100644
--- a/templates/CRM/Contact/Import/Form/MapTable.tpl
+++ b/templates/CRM/Contact/Import/Form/MapTable.tpl
@@ -46,7 +46,7 @@
 
                 {section name=rows loop=$rowDisplayCount}
                     {assign var="j" value=$smarty.section.rows.index}
-                    <td class="odd-row">{$dataValues[$j][$i]}</td>
+                    <td class="odd-row">{$dataValues[$j][$i]|escape}</td>
                 {/section}
 
                 {* Display mapper <select> field for 'Map Fields', and mapper value for 'Preview' *}
diff --git a/templates/CRM/Contribute/Import/Form/MapTable.tpl b/templates/CRM/Contribute/Import/Form/MapTable.tpl
index ad14bd8ae12b..4c6909d271af 100644
--- a/templates/CRM/Contribute/Import/Form/MapTable.tpl
+++ b/templates/CRM/Contribute/Import/Form/MapTable.tpl
@@ -38,7 +38,7 @@
 
                 {section name=rows loop=$rowDisplayCount}
                     {assign var="j" value=$smarty.section.rows.index}
-                    <td class="{if $skipColumnHeader AND $smarty.section.rows.iteration == 1}even-row labels{else}odd-row{/if}">{$dataValues[$j][$i]}</td>
+                    <td class="{if $skipColumnHeader AND $smarty.section.rows.iteration == 1}even-row labels{else}odd-row{/if}">{$dataValues[$j][$i]|escape}</td>
                 {/section}
 
                 {* Display mapper <select> field for 'Map Fields', and mapper value for 'Preview' *}
diff --git a/templates/CRM/Event/Import/Form/MapTable.tpl b/templates/CRM/Event/Import/Form/MapTable.tpl
index 2f602b38b9d6..00d7072721c9 100644
--- a/templates/CRM/Event/Import/Form/MapTable.tpl
+++ b/templates/CRM/Event/Import/Form/MapTable.tpl
@@ -38,7 +38,7 @@
 
                 {section name=rows loop=$rowDisplayCount}
                     {assign var="j" value=$smarty.section.rows.index}
-                    <td class="{if $skipColumnHeader AND $smarty.section.rows.iteration == 1}even-row labels{else}odd-row{/if}">{$dataValues[$j][$i]}</td>
+                    <td class="{if $skipColumnHeader AND $smarty.section.rows.iteration == 1}even-row labels{else}odd-row{/if}">{$dataValues[$j][$i]|escape}</td>
                 {/section}
 
                 {* Display mapper <select> field for 'Map Fields', and mapper value for 'Preview' *}
diff --git a/templates/CRM/Member/Import/Form/MapTable.tpl b/templates/CRM/Member/Import/Form/MapTable.tpl
index 927ba7ceea89..0a3dfec5ae28 100644
--- a/templates/CRM/Member/Import/Form/MapTable.tpl
+++ b/templates/CRM/Member/Import/Form/MapTable.tpl
@@ -38,7 +38,7 @@
 
                 {section name=rows loop=$rowDisplayCount}
                     {assign var="j" value=$smarty.section.rows.index}
-                    <td class="{if $skipColumnHeader AND $smarty.section.rows.iteration == 1}even-row labels{else}odd-row{/if}">{$dataValues[$j][$i]}</td>
+                    <td class="{if $skipColumnHeader AND $smarty.section.rows.iteration == 1}even-row labels{else}odd-row{/if}">{$dataValues[$j][$i]|escape}</td>
                 {/section}
 
                 {* Display mapper <select> field for 'Map Fields', and mapper value for 'Preview' *}

From a9f3bf65152087cbdad229cb52ddcfb312814270 Mon Sep 17 00:00:00 2001
From: Seamus Lee <seamuslee001@gmail.com>
Date: Mon, 9 Nov 2020 20:11:24 +1100
Subject: [PATCH 02/10] security/core#97 Ensure that php scripts where
 applicable in sql and tools that should only be run in CLI can be run in CLI

Use more portable check for cli and add in 404 header as per Rich's comments
---
 sql/GenerateData.php                        | 4 ++++
 sql/GenerateGroups.php                      | 4 ++++
 sql/GenerateMailing.php                     | 5 +++++
 sql/GenerateReportData.php                  | 5 ++++-
 tools/bin/scripts/NormalizePhone.php        | 5 ++++-
 tools/bin/scripts/ckeditorConfigScraper.php | 4 ++++
 tools/bin/scripts/set-version.php           | 5 ++++-
 tools/bin/scripts/testProcess.php           | 4 ++++
 8 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/sql/GenerateData.php b/sql/GenerateData.php
index 63c2b30b23a8..fe7b5b511d7f 100644
--- a/sql/GenerateData.php
+++ b/sql/GenerateData.php
@@ -69,6 +69,10 @@
  *
  */
 
+if (php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0)) {
+  header("HTTP/1.0 404 Not Found");
+  return;
+}
 
 require_once '../civicrm.config.php';
 CRM_Core_Config::singleton();
diff --git a/sql/GenerateGroups.php b/sql/GenerateGroups.php
index 205b73d51895..704b924f8660 100644
--- a/sql/GenerateGroups.php
+++ b/sql/GenerateGroups.php
@@ -14,6 +14,10 @@
  * @package CRM
  * @copyright CiviCRM LLC https://civicrm.org/licensing
  */
+if (php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0)) {
+  header("HTTP/1.0 404 Not Found");
+  return;
+}
 
 require_once '../civicrm.config.php';
 
diff --git a/sql/GenerateMailing.php b/sql/GenerateMailing.php
index d9af5ca11271..c70e51772d62 100644
--- a/sql/GenerateMailing.php
+++ b/sql/GenerateMailing.php
@@ -14,6 +14,11 @@
  * @package CRM
  * @copyright CiviCRM LLC https://civicrm.org/licensing
  */
+if (php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0)) {
+  header("HTTP/1.0 404 Not Found");
+
+  return;
+}
 
 require_once '../civicrm.config.php';
 
diff --git a/sql/GenerateReportData.php b/sql/GenerateReportData.php
index f415959c6a00..dee5d43e4af3 100644
--- a/sql/GenerateReportData.php
+++ b/sql/GenerateReportData.php
@@ -76,7 +76,10 @@
  * php versions.
  * @todo look to remove this file completely.
  */
-
+if (php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0)) {
+  header("HTTP/1.0 404 Not Found");
+  return;
+}
 
 require_once '../civicrm.config.php';
 
diff --git a/tools/bin/scripts/NormalizePhone.php b/tools/bin/scripts/NormalizePhone.php
index 795f1296292d..35a6526f09ad 100644
--- a/tools/bin/scripts/NormalizePhone.php
+++ b/tools/bin/scripts/NormalizePhone.php
@@ -16,7 +16,10 @@
  * issues
  *
  */
-
+if (php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0)) {
+  header("HTTP/1.0 404 Not Found");
+  return;
+}
 define('THROTTLE_REQUESTS', 0);
 function run() {
   session_start();
diff --git a/tools/bin/scripts/ckeditorConfigScraper.php b/tools/bin/scripts/ckeditorConfigScraper.php
index ba95cfb4a152..d98366e9d71e 100644
--- a/tools/bin/scripts/ckeditorConfigScraper.php
+++ b/tools/bin/scripts/ckeditorConfigScraper.php
@@ -1,4 +1,8 @@
 <?php
+if (php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0)) {
+  header("HTTP/1.0 404 Not Found");
+  return;
+}
 /**
  * Scrape all config options from the CKEditor documentation site.
  */
diff --git a/tools/bin/scripts/set-version.php b/tools/bin/scripts/set-version.php
index 1918e4e4bb2f..c95606d01928 100755
--- a/tools/bin/scripts/set-version.php
+++ b/tools/bin/scripts/set-version.php
@@ -10,7 +10,10 @@
 
 /* *********************************************************************** */
 /* Boot */
-
+if (php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0)) {
+  header("HTTP/1.0 404 Not Found");
+  return;
+}
 $civicrm_root = dirname(dirname(dirname(__DIR__)));
 chdir($civicrm_root);
 
diff --git a/tools/bin/scripts/testProcess.php b/tools/bin/scripts/testProcess.php
index 8d2668c5260d..fc8e19a07e23 100644
--- a/tools/bin/scripts/testProcess.php
+++ b/tools/bin/scripts/testProcess.php
@@ -1,4 +1,8 @@
 <?php
+if (php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0)) {
+  header("HTTP/1.0 404 Not Found");
+  return;
+}
 require_once '../civicrm.config.php';
 require_once 'CRM/Core/Config.php';
 require_once 'CRM/Core/Error.php';

From 522936fab1249e719fd91ce4883bb9e4c88d5d36 Mon Sep 17 00:00:00 2001
From: Seamus Lee <seamuslee001@gmail.com>
Date: Wed, 23 Dec 2020 19:45:56 +1100
Subject: [PATCH 03/10] Escape information supplied by extensions to prevent
 XSS

---
 templates/CRM/Admin/Page/ExtensionDetails.tpl | 20 +++++++++----------
 templates/CRM/Admin/Page/Extensions/Main.tpl  | 10 +++++-----
 2 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/templates/CRM/Admin/Page/ExtensionDetails.tpl b/templates/CRM/Admin/Page/ExtensionDetails.tpl
index bab021bf1484..a769842de6a3 100644
--- a/templates/CRM/Admin/Page/ExtensionDetails.tpl
+++ b/templates/CRM/Admin/Page/ExtensionDetails.tpl
@@ -1,6 +1,6 @@
 <table class="crm-info-panel">
         {foreach from=$extension.urls key=label item=url}
-            <tr><td class="label">{$label}</td><td><a href="{$url}">{$url}</a></td></tr>
+            <tr><td class="label">{$label|escape}</td><td><a href="{$url|escape}">{$url|escape}</a></td></tr>
         {/foreach}
     <tr>
         <td class="label">{ts}Author{/ts}</td>
@@ -16,19 +16,19 @@
         </td>
     </tr>
     <tr>
-      <td class="label">{ts}Comments{/ts}</td><td>{$extension.comments}</td>
+      <td class="label">{ts}Comments{/ts}</td><td>{$extension.comments|escape}</td>
     </tr>
     <tr>
-        <td class="label">{ts}Version{/ts}</td><td>{$extension.version}</td>
+        <td class="label">{ts}Version{/ts}</td><td>{$extension.version|escape}</td>
     </tr>
     <tr>
-        <td class="label">{ts}Released on{/ts}</td><td>{$extension.releaseDate}</td>
+        <td class="label">{ts}Released on{/ts}</td><td>{$extension.releaseDate|escape}</td>
     </tr>
     <tr>
-        <td class="label">{ts}License{/ts}</td><td>{$extension.license}</td>
+        <td class="label">{ts}License{/ts}</td><td>{$extension.license|escape}</td>
     </tr>
     <tr>
-        <td class="label">{ts}Development stage{/ts}</td><td>{$extension.develStage}</td>
+        <td class="label">{ts}Development stage{/ts}</td><td>{$extension.develStage|escape}</td>
     </tr>
     <tr>
         <td class="label">{ts}Requires{/ts}</td>
@@ -49,17 +49,17 @@
         <td class="label">{ts}Compatible with{/ts}</td>
         <td>
             {foreach from=$extension.compatibility.ver item=ver}
-                {$ver} &nbsp;
+                {$ver|escape} &nbsp;
             {/foreach}
         </td>
     </tr>
     <tr>
-      <td class="label">{ts}Local path{/ts}</td><td>{$extension.path}</td>
+      <td class="label">{ts}Local path{/ts}</td><td>{$extension.path|escape}</td>
     </tr>
     <tr>
-      <td class="label">{ts}Download location{/ts}</td><td>{$extension.downloadUrl}</td>
+      <td class="label">{ts}Download location{/ts}</td><td>{$extension.downloadUrl|escape}</td>
     </tr>
     <tr>
-      <td class="label">{ts}Key{/ts}</td><td>{$extension.key}</td>
+      <td class="label">{ts}Key{/ts}</td><td>{$extension.key|escape}</td>
     </tr>
 </table>
diff --git a/templates/CRM/Admin/Page/Extensions/Main.tpl b/templates/CRM/Admin/Page/Extensions/Main.tpl
index 881d1a4d0ce9..e7598bab0442 100644
--- a/templates/CRM/Admin/Page/Extensions/Main.tpl
+++ b/templates/CRM/Admin/Page/Extensions/Main.tpl
@@ -19,19 +19,19 @@ Depends: CRM/common/enableDisableApi.tpl and CRM/common/jsortable.tpl
       </thead>
       <tbody>
         {foreach from=$localExtensionRows key=extKey item=row}
-        <tr id="extension-{$row.file}" class="crm-entity crm-extension-{$row.file}{if $row.status eq 'disabled'} disabled{/if}{if $row.status eq 'installed-missing' or $row.status eq 'disabled-missing'} extension-missing{/if}{if $row.upgradable} extension-upgradable{elseif $row.status eq 'installed'} extension-installed{/if}">
+        <tr id="extension-{$row.file|escape}" class="crm-entity crm-extension-{$row.file|escape}{if $row.status eq 'disabled'} disabled{/if}{if $row.status eq 'installed-missing' or $row.status eq 'disabled-missing'} extension-missing{/if}{if $row.upgradable} extension-upgradable{elseif $row.status eq 'installed'} extension-installed{/if}">
           <td class="crm-extensions-label">
-              <a class="collapsed" href="#"></a>&nbsp;<strong>{$row.label}</strong><br/>{$row.description}
+              <a class="collapsed" href="#"></a>&nbsp;<strong>{$row.label|escape}</strong><br/>{$row.description|escape}
               {if $extAddNewEnabled && $remoteExtensionRows[$extKey] && $remoteExtensionRows[$extKey].upgradelink}
                 <div class="crm-extensions-upgrade">{$remoteExtensionRows[$extKey].upgradelink}</div>
               {/if}
           </td>
           <td class="crm-extensions-label">{$row.statusLabel} {if $row.upgradable}<br/>({ts}Outdated{/ts}){/if}</td>
-          <td class="crm-extensions-label">{$row.version} {if $row.upgradable}<br/>({$row.upgradeVersion}){/if}</td>
-          <td class="crm-extensions-description">{$row.type|capitalize}</td>
+          <td class="crm-extensions-label">{$row.version|escape} {if $row.upgradable}<br/>({$row.upgradeVersion}){/if}</td>
+          <td class="crm-extensions-description">{$row.type|escape|capitalize}</td>
           <td>{$row.action|replace:'xx':$row.id}</td>
         </tr>
-        <tr class="hiddenElement" id="crm-extensions-details-{$row.file}">
+        <tr class="hiddenElement" id="crm-extensions-details-{$row.file|escape}">
             <td>
                 {include file="CRM/Admin/Page/ExtensionDetails.tpl" extension=$row localExtensionRows=$localExtensionRows remoteExtensionRows=$remoteExtensionRows}
             </td>

From 001810a149a8ce7d07b8150caa46fb5549f1bbb5 Mon Sep 17 00:00:00 2001
From: Seamus Lee <seamuslee001@gmail.com>
Date: Wed, 23 Dec 2020 20:04:18 +1100
Subject: [PATCH 04/10] Purify PCP introductory text field

---
 templates/CRM/PCP/Page/PCPInfo.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/CRM/PCP/Page/PCPInfo.tpl b/templates/CRM/PCP/Page/PCPInfo.tpl
index 866402fbfdb3..288572978275 100644
--- a/templates/CRM/PCP/Page/PCPInfo.tpl
+++ b/templates/CRM/PCP/Page/PCPInfo.tpl
@@ -38,7 +38,7 @@
 <div class="campaign">
 {crmRegion name="pcp-page-pcpinfo"}
     <div class="pcp-intro-text">
-      {$pcp.intro_text}
+      {$pcp.intro_text|purify}
   </div>
     {if $image}
     <div class="pcp-image">

From 4279d7d7f541da61e218985d6152743788901a2c Mon Sep 17 00:00:00 2001
From: Coleman Watts <coleman@civicrm.org>
Date: Fri, 29 Jan 2021 14:30:38 -0500
Subject: [PATCH 05/10] Escape api params in APIv4 Explorer

---
 ang/api4Explorer/Explorer.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ang/api4Explorer/Explorer.js b/ang/api4Explorer/Explorer.js
index 7def6e386f46..a0d03dd2f1a1 100644
--- a/ang/api4Explorer/Explorer.js
+++ b/ang/api4Explorer/Explorer.js
@@ -702,7 +702,7 @@
       }
       _.each($scope.code, function(vals) {
         _.each(vals, function(style) {
-          style.code = code[style.name] ? prettyPrintOne(code[style.name]) : '';
+          style.code = code[style.name] ? prettyPrintOne(_.escape(code[style.name])) : '';
         });
       });
     }

From 5c5ed6db491dfe88d18b2cbb278db46c849bb461 Mon Sep 17 00:00:00 2001
From: Tim Otten <totten@civicrm.org>
Date: Wed, 24 Feb 2021 21:01:26 -0800
Subject: [PATCH 06/10] (security/core#97) PHP CLI guard is the opposite of
 correct

---
 sql/GenerateData.php                        | 2 +-
 sql/GenerateGroups.php                      | 2 +-
 sql/GenerateMailing.php                     | 2 +-
 sql/GenerateReportData.php                  | 2 +-
 tools/bin/scripts/NormalizePhone.php        | 2 +-
 tools/bin/scripts/ckeditorConfigScraper.php | 2 +-
 tools/bin/scripts/set-version.php           | 2 +-
 tools/bin/scripts/testProcess.php           | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/sql/GenerateData.php b/sql/GenerateData.php
index fe7b5b511d7f..40dca615a15c 100644
--- a/sql/GenerateData.php
+++ b/sql/GenerateData.php
@@ -69,7 +69,7 @@
  *
  */
 
-if (php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0)) {
+if (!(php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0))) {
   header("HTTP/1.0 404 Not Found");
   return;
 }
diff --git a/sql/GenerateGroups.php b/sql/GenerateGroups.php
index 704b924f8660..18381428ea91 100644
--- a/sql/GenerateGroups.php
+++ b/sql/GenerateGroups.php
@@ -14,7 +14,7 @@
  * @package CRM
  * @copyright CiviCRM LLC https://civicrm.org/licensing
  */
-if (php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0)) {
+if (!(php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0))) {
   header("HTTP/1.0 404 Not Found");
   return;
 }
diff --git a/sql/GenerateMailing.php b/sql/GenerateMailing.php
index c70e51772d62..1ea8e744e8d0 100644
--- a/sql/GenerateMailing.php
+++ b/sql/GenerateMailing.php
@@ -14,7 +14,7 @@
  * @package CRM
  * @copyright CiviCRM LLC https://civicrm.org/licensing
  */
-if (php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0)) {
+if (!(php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0))) {
   header("HTTP/1.0 404 Not Found");
 
   return;
diff --git a/sql/GenerateReportData.php b/sql/GenerateReportData.php
index dee5d43e4af3..bfb77ad0b354 100644
--- a/sql/GenerateReportData.php
+++ b/sql/GenerateReportData.php
@@ -76,7 +76,7 @@
  * php versions.
  * @todo look to remove this file completely.
  */
-if (php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0)) {
+if (!(php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0))) {
   header("HTTP/1.0 404 Not Found");
   return;
 }
diff --git a/tools/bin/scripts/NormalizePhone.php b/tools/bin/scripts/NormalizePhone.php
index 35a6526f09ad..18e4e9d87292 100644
--- a/tools/bin/scripts/NormalizePhone.php
+++ b/tools/bin/scripts/NormalizePhone.php
@@ -16,7 +16,7 @@
  * issues
  *
  */
-if (php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0)) {
+if (!(php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0))) {
   header("HTTP/1.0 404 Not Found");
   return;
 }
diff --git a/tools/bin/scripts/ckeditorConfigScraper.php b/tools/bin/scripts/ckeditorConfigScraper.php
index d98366e9d71e..348620023887 100644
--- a/tools/bin/scripts/ckeditorConfigScraper.php
+++ b/tools/bin/scripts/ckeditorConfigScraper.php
@@ -1,5 +1,5 @@
 <?php
-if (php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0)) {
+if (!(php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0))) {
   header("HTTP/1.0 404 Not Found");
   return;
 }
diff --git a/tools/bin/scripts/set-version.php b/tools/bin/scripts/set-version.php
index c95606d01928..10220baf2a6d 100755
--- a/tools/bin/scripts/set-version.php
+++ b/tools/bin/scripts/set-version.php
@@ -10,7 +10,7 @@
 
 /* *********************************************************************** */
 /* Boot */
-if (php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0)) {
+if (!(php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0))) {
   header("HTTP/1.0 404 Not Found");
   return;
 }
diff --git a/tools/bin/scripts/testProcess.php b/tools/bin/scripts/testProcess.php
index fc8e19a07e23..a9238fc9a8a6 100644
--- a/tools/bin/scripts/testProcess.php
+++ b/tools/bin/scripts/testProcess.php
@@ -1,5 +1,5 @@
 <?php
-if (php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0)) {
+if (!(php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0))) {
   header("HTTP/1.0 404 Not Found");
   return;
 }

From a535ce3f0922467cf61bbb5c1b5350ef06a89e61 Mon Sep 17 00:00:00 2001
From: Tim Otten <totten@civicrm.org>
Date: Wed, 24 Feb 2021 17:54:42 -0800
Subject: [PATCH 07/10] (security/core#104) CRM_Utils_System::authenticateKey -
 Use secure equality test

---
 CRM/Utils/System.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CRM/Utils/System.php b/CRM/Utils/System.php
index 5c27f998d451..4be0a9588857 100644
--- a/CRM/Utils/System.php
+++ b/CRM/Utils/System.php
@@ -629,7 +629,7 @@ public static function authenticateKey($abort = TRUE) {
       );
     }
 
-    if ($key !== $siteKey) {
+    if (!hash_equals($siteKey, $key)) {
       return self::authenticateAbort(
         "ERROR: Invalid key value sent. " . $docAdd . "\n",
         $abort

From 185ef241721489ba179bd11567f57ec9e9d83999 Mon Sep 17 00:00:00 2001
From: Tim Otten <totten@civicrm.org>
Date: Tue, 16 Feb 2021 13:42:52 -0800
Subject: [PATCH 08/10] (security/core#105) Joomla::checkUserNameEmailExists -
 Fix mismatched escaping

This uses the escaping rule from CRM_Core_DAO to construct a query for JDatabaseDriver.
However, they use different connections and (therefore) could require different
escaping rules.
---
 CRM/Utils/System/Joomla.php | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/CRM/Utils/System/Joomla.php b/CRM/Utils/System/Joomla.php
index 7651aeb82392..14245c28a8fb 100644
--- a/CRM/Utils/System/Joomla.php
+++ b/CRM/Utils/System/Joomla.php
@@ -105,9 +105,8 @@ public function updateCMSName($ufID, $ufName) {
   public function checkUserNameEmailExists(&$params, &$errors, $emailName = 'email') {
     $config = CRM_Core_Config::singleton();
 
-    $dao = new CRM_Core_DAO();
-    $name = $dao->escape(CRM_Utils_Array::value('name', $params));
-    $email = $dao->escape(CRM_Utils_Array::value('mail', $params));
+    $name = CRM_Utils_Array::value('name', $params);
+    $email = CRM_Utils_Array::value('mail', $params);
     //don't allow the special characters and min. username length is two
     //regex \\ to match a single backslash would become '/\\\\/'
     $isNotValid = (bool) preg_match('/[\<|\>|\"|\'|\%|\;|\(|\)|\&|\\\\|\/]/im', $name);
@@ -123,7 +122,7 @@ public function checkUserNameEmailExists(&$params, &$errors, $emailName = 'email
     $query->from($JUserTable->getTableName());
 
     // LOWER in query below roughly translates to 'hurt my database without deriving any benefit' See CRM-19811.
-    $query->where('(LOWER(username) = LOWER(\'' . $name . '\')) OR (LOWER(email) = LOWER(\'' . $email . '\'))');
+    $query->where('(LOWER(username) = LOWER(' . $db->quote($name) . ')) OR (LOWER(email) = LOWER(' . $db->quote($email) . '))');
     $db->setQuery($query, 0, 10);
     $users = $db->loadAssocList();
 

From 4cb3f5126c41933427d69face23047543d86f7a8 Mon Sep 17 00:00:00 2001
From: Tim Otten <totten@civicrm.org>
Date: Tue, 16 Feb 2021 13:45:23 -0800
Subject: [PATCH 09/10] (security/core#105) Joomla::authenticate() - Fix
 escaping

---
 CRM/Utils/System/Joomla.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CRM/Utils/System/Joomla.php b/CRM/Utils/System/Joomla.php
index 14245c28a8fb..18637f3c1c41 100644
--- a/CRM/Utils/System/Joomla.php
+++ b/CRM/Utils/System/Joomla.php
@@ -342,7 +342,7 @@ public function authenticate($name, $password, $loadCMSBootstrap = FALSE, $realP
     $query = $db->getQuery(TRUE);
     $query->select('id, name, username, email, password');
     $query->from($JUserTable->getTableName());
-    $query->where('(LOWER(username) = LOWER(\'' . $name . '\')) AND (block = 0)');
+    $query->where('(LOWER(username) = LOWER(' . $db->quote($name) . ')) AND (block = 0)');
     $db->setQuery($query, 0, 0);
     $users = $db->loadObjectList();
 

From 6699cc13a510e46aff88fb5d57c47781f95471fd Mon Sep 17 00:00:00 2001
From: Tim Otten <totten@civicrm.org>
Date: Wed, 17 Mar 2021 19:00:27 -0700
Subject: [PATCH 10/10] Add release-notes/5.35.1

---
 release-notes.md        | 10 +++++++
 release-notes/5.35.1.md | 58 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+)
 create mode 100644 release-notes/5.35.1.md

diff --git a/release-notes.md b/release-notes.md
index 220e60bd81b2..9a38911cf9e9 100644
--- a/release-notes.md
+++ b/release-notes.md
@@ -15,6 +15,16 @@ Other resources for identifying changes are:
     * https://github.com/civicrm/civicrm-joomla
     * https://github.com/civicrm/civicrm-wordpress
 
+## CiviCRM 5.35.1
+
+Released March 17, 2021
+
+- **[Synopsis](release-notes/5.35.1.md#synopsis)**
+- **[Security advisories](release-notes/5.35.1.md#security)**
+- **[Bugs resolved](release-notes/5.35.1.md#bugs)**
+- **[Credits](release-notes/5.35.1.md#credits)**
+- **[Feedback](release-notes/5.35.1.md#feedback)**
+
 ## CiviCRM 5.35.0
 
 Released March 3, 2021
diff --git a/release-notes/5.35.1.md b/release-notes/5.35.1.md
new file mode 100644
index 000000000000..f539638e09e0
--- /dev/null
+++ b/release-notes/5.35.1.md
@@ -0,0 +1,58 @@
+# CiviCRM 5.35.1
+
+Released March 17, 2021
+
+- **[Synopsis](#synopsis)**
+- **[Bugs resolved](#bugs)**
+- **[Credits](#credits)**
+- **[Feedback](#feedback)**
+
+## <a name="synopsis"></a>Synopsis
+
+| *Does this version...?*                                         |          |
+| --------------------------------------------------------------- | -------- |
+| Change the database schema?                                     | no       |
+| Alter the API?                                                  | no       |
+| Require attention to configuration options?                     | no       |
+| **Fix problems installing or upgrading to a previous version?** | **yes**  |
+| Introduce features?                                             | no       |
+| **Fix bugs?**                                                   | **yes**  |
+
+## <a name="security"></a>Security advisories
+
+- **[CIVI-SA-2021-01](https://civicrm.org/advisory/civi-sa-2021-01-reflected-cross-site-scripting-uploaded-csvs)**: Reflected Cross Site Scripting via Uploaded CSVs
+- **[CIVI-SA-2021-02](https://civicrm.org/advisory/civi-sa-2021-02-web-executable-utility-scripts)**: Web Executable Utility Scripts
+- **[CIVI-SA-2021-03](https://civicrm.org/advisory/civi-sa-2021-03-cross-site-scripting-manage-extensions)**: Cross Site Scripting in "Manage Extensions"
+- **[CIVI-SA-2021-04](https://civicrm.org/advisory/civi-sa-2021-04-cross-site-scripting-apiv4-explorer)**: Cross Site Scripting in the APIv4 Explorer
+- **[CIVI-SA-2021-05](https://civicrm.org/advisory/civi-sa-2021-05-reflected-cross-site-scripting-personal-campaign-pages)**: Reflected Cross Site Scripting in Personal Campaign Pages
+- **[CIVI-SA-2021-06](https://civicrm.org/advisory/civi-sa-2021-06-timing-attacks-against-site-key)**: Timing Attacks Against the Site Key
+- **[CIVI-SA-2021-07](https://civicrm.org/advisory/civi-sa-2021-07-sql-injection-joomla-user-integration)**: SQL injection in Joomla user integration
+
+## <a name="bugs"></a>Bugs resolved
+
+* **_CiviCampaign_: Fix error when reserving respondents for a survey ([#19811](https://github.com/civicrm/civicrm-core/pull/19811))**
+* **_Upgrader_: Fix handling of "group_title" in certain upgrade-paths ([dev/translation#58](https://lab.civicrm.org/dev/translation/-/issues/58): [#19740](https://github.com/civicrm/civicrm-core/pull/19740))**
+* **_D8 / Asset Builder_: Fail gracefully when certain resources cannot be generted ([dev/core#2137](https://lab.civicrm.org/dev/core/-/issues/2137): [#18830](https://github.com/civicrm/civicrm-core/pull/18830))**
+
+  A common misconfiguration on Drupal 8+ is to omit `enable-patching`. This currently manifests as an error about `crm-menubar.css`. The change does not fix the misconfiguration, but it makes the error more manageable.
+
+## <a name="credits"></a>Credits
+
+Special support from Deutsche Gesellschaft für Internationale Zusammenarbeit
+GmbH contributed significantly to this release and other contemporaneous
+security improvements.
+
+This release was developed by the following authors and reviewers:
+
+Wikimedia Foundation - Eileen McNaughton; Stephen Palmstrom; Semper IT - Karin
+Gerritsen; Progressive Technology Project - Jamie McClelland; Megaphone Technology
+Consulting - Jon Goldberg; MJW Consulting - Matthew Wire; MJCO - Mikey O'Toole; JMA
+Consulting - Seamus Lee, Monish Deb; Fuzion - Luke Stewart; Dmitry Smirnov; Dave D;
+CiviCRM - Tim Otten, Coleman Watts; Circle Interactive - Pradeep Nayak; Blackfly
+Solutions - Alan Dixon; Artful Robot - Rich Lott; AGH Strategies - Andrew Hunt
+
+## <a name="feedback"></a>Feedback
+
+These release notes are edited by Tim Otten and Andrew Hunt.  If you'd like to
+provide feedback on them, please login to https://chat.civicrm.org/civicrm and
+contact `@agh1`.