release notes

NaturalHistoryMuseum · Nov 30, 2021 · 89cb02d · 89cb02d
2 parents 6332028 + 171cfc3
commit 89cb02d
Show file tree

Hide file tree

Showing 2,314 changed files with 71,974 additions and 176,750 deletions.
diff --git a/.htaccess b/.htaccess
@@ -2,11 +2,8 @@
 # Apache/PHP/Drupal settings:
 #
 
-# Turn off opcache.enable if developing
-# php_flag opcache.enable Off
-
 # Protect files and directories from prying eyes.
-<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
+<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
   <IfModule mod_authz_core.c>
     Require all denied
   </IfModule>
@@ -24,12 +21,6 @@ Options +FollowSymLinks
 # Make Drupal handle any 404 errors.
 ErrorDocument 404 /index.php
 
-# Force simple error message for requests for non-existent favicon.ico.
-<Files favicon.ico>
-  # There is no end quote below, for compatibility with Apache 1.3.
-  ErrorDocument 404 "The requested file favicon.ico was not found.
-</Files>
-
 # Set the default handler.
 DirectoryIndex index.php index.html index.htm
 
@@ -46,16 +37,15 @@ DirectoryIndex index.php index.html index.htm
   php_value mbstring.http_input             pass
   php_value mbstring.http_output            pass
   php_flag mbstring.encoding_translation    off
-  php_value memory_limit                    512M
 </IfModule>
 
 # Requires mod_expires to be enabled.
 <IfModule mod_expires.c>
   # Enable expirations.
   ExpiresActive On
 
-  # Cache all files for one month after access (A).
-  ExpiresDefault A2628000
+  # Cache all files for 2 weeks after access (A).
+  ExpiresDefault A1209600
 
   <FilesMatch \.php$>
     # Do not allow PHP scripts to be cached unless they explicitly send cache
@@ -144,9 +134,9 @@ DirectoryIndex index.php index.html index.htm
     RewriteCond %{REQUEST_FILENAME}\.gz -s
     RewriteRule ^(.*)\.js $1\.js\.gz [QSA]
 
-    # Serve correct content types, and prevent mod_deflate double gzip.
-    RewriteRule \.css\.gz$ - [T=text/css,E=no-gzip:1]
-    RewriteRule \.js\.gz$ - [T=application/javascript,E=no-gzip:1]
+    # Serve correct content types, and prevent double compression.
+    RewriteRule \.css\.gz$ - [T=text/css,E=no-gzip:1,E=no-brotli:1]
+    RewriteRule \.js\.gz$ - [T=text/javascript,E=no-gzip:1,E=no-brotli:1]
 
     <FilesMatch "(\.js\.gz|\.css\.gz)$">
       # Serve correct encoding type.
@@ -157,8 +147,10 @@ DirectoryIndex index.php index.html index.htm
   </IfModule>
 </IfModule>
 
-# Add headers to all responses.
+# Various header fixes.
 <IfModule mod_headers.c>
   # Disable content sniffing, since it's an attack vector.
   Header always set X-Content-Type-Options nosniff
+  # Disable Proxy header, since it's an attack vector.
+  RequestHeader unset Proxy
 </IfModule>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,11 +4,14 @@
 
 - working implementation for hide menu options for non species taxonomy. Solve access denied when accessing tabs in taxonomy
 [#6400](https://github.com/NaturalHistoryMuseum/scratchpads2/pull/6420)
-
 - Add Services module to provide scratchpad API for machine access to scratchpad public data already on the public site. Preparation for a 'Scratchpads Explorer' [#6426](https://github.com/NaturalHistoryMuseum/scratchpads2/pull/6429)
 
 - Add ddev tools defacto standard local personal developer environment for building scratchpads sites on developer's own setup.  [#6408](https://github.com/NaturalHistoryMuseum/scratchpads2/pull/6416)
 
+- Update openids to fix logins for HTTPS [#6430](https://github.com/NaturalHistoryMuseum/scratchpads2/pull/6430)
+
+- Add optional taxonomic scope for gbif dwc-a file [#6373](https://github.com/NaturalHistoryMuseum/scratchpads2/pull/6373)
+- Update Drupal to 7.82
 
 - Taxonomic scope field for gbif dwc-a file
 [#6373](https://github.com/NaturalHistoryMuseum/scratchpads2/pull/6410)

diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.78');
+define('VERSION', '7.82');
 
 /**
  * Core API compatibility.
@@ -2596,13 +2596,10 @@ function drupal_get_hash_salt() {
  *   The filename that the error was raised in.
  * @param $line
  *   The line number the error was raised at.
- * @param $context
- *   An array that points to the active symbol table at the point the error
- *   occurred.
  */
-function _drupal_error_handler($error_level, $message, $filename, $line, $context) {
+function _drupal_error_handler($error_level, $message, $filename, $line) {
   require_once DRUPAL_ROOT . '/includes/errors.inc';
-  _drupal_error_handler_real($error_level, $message, $filename, $line, $context);
+  _drupal_error_handler_real($error_level, $message, $filename, $line);
 }
 
 /**
@@ -3879,3 +3876,85 @@ function drupal_clear_opcode_cache($filepath) {
     @apc_delete_file($filepath);
   }
 }
+
+/**
+ * Drupal's wrapper around PHP's setcookie() function.
+ *
+ * This allows the cookie's $value and $options to be altered.
+ *
+ * @param $name
+ *   The name of the cookie.
+ * @param $value
+ *   The value of the cookie.
+ * @param $options
+ *   An associative array which may have any of the keys expires, path, domain,
+ *   secure, httponly, samesite.
+ *
+ * @see setcookie()
+ * @ingroup php_wrappers
+ */
+function drupal_setcookie($name, $value, $options) {
+  $options = _drupal_cookie_params($options);
+  if (\PHP_VERSION_ID >= 70300) {
+    setcookie($name, $value, $options);
+  }
+  else {
+    setcookie($name, $value, $options['expires'], $options['path'], $options['domain'], $options['secure'], $options['httponly']);
+  }
+}
+
+/**
+ * Process the params for cookies. This emulates support for the SameSite
+ * attribute in earlier versions of PHP, and allows the value of that attribute
+ * to be overridden.
+ *
+ * @param $options
+ *   An associative array which may have any of the keys expires, path, domain,
+ *   secure, httponly, samesite.
+ *
+ * @return
+ *   An associative array which may have any of the keys expires, path, domain,
+ *   secure, httponly, and samesite.
+ */
+function _drupal_cookie_params($options) {
+  $options['samesite'] = _drupal_samesite_cookie($options);
+  if (\PHP_VERSION_ID < 70300) {
+    // Emulate SameSite support in older PHP versions.
+    if (!empty($options['samesite'])) {
+      // Ensure the SameSite attribute is only added once.
+      if (!preg_match('/SameSite=/i', $options['path'])) {
+        $options['path'] .= '; SameSite=' . $options['samesite'];
+      }
+    }
+  }
+  return $options;
+}
+
+/**
+ * Determine the value for the samesite cookie attribute, in the following order
+ * of precedence:
+ *
+ * 1) A value explicitly passed to drupal_setcookie()
+ * 2) A value set in $conf['samesite_cookie_value']
+ * 3) The setting from php ini
+ * 4) The default of None, or FALSE (no attribute) if the cookie is not Secure
+ *
+ * @param $options
+ *   An associative array as passed to drupal_setcookie().
+ * @return
+ *   The value for the samesite cookie attribute.
+ */
+function _drupal_samesite_cookie($options) {
+  if (isset($options['samesite'])) {
+    return $options['samesite'];
+  }
+  $override = variable_get('samesite_cookie_value', NULL);
+  if ($override !== NULL) {
+    return $override;
+  }
+  $ini_options = session_get_cookie_params();
+  if (isset($ini_options['samesite'])) {
+    return $ini_options['samesite'];
+  }
+  return empty($options['secure']) ? FALSE : 'None';
+}
diff --git a/includes/common.inc b/includes/common.inc
@@ -1559,7 +1559,7 @@ function _filter_xss_split($m, $store = FALSE) {
     return '&lt;';
   }
 
-  if (!preg_match('%^<\s*(/\s*)?([a-zA-Z0-9\-]+)([^>]*)>?|(<!--.*?-->)$%', $string, $matches)) {
+  if (!preg_match('%^<\s*(/\s*)?([a-zA-Z0-9\-]+)\s*([^>]*)>?|(<!--.*?-->)$%', $string, $matches)) {
     // Seriously malformed.
     return '';
   }
@@ -1618,7 +1618,13 @@ function _filter_xss_attributes($attr) {
         // Attribute name, href for instance.
         if (preg_match('/^([-a-zA-Z]+)/', $attr, $match)) {
           $attrname = strtolower($match[1]);
-          $skip = ($attrname == 'style' || substr($attrname, 0, 2) == 'on');
+          $skip = (
+            $attrname == 'style' ||
+            substr($attrname, 0, 2) == 'on' ||
+            substr($attrname, 0, 1) == '-' ||
+            // Ignore long attributes to avoid unnecessary processing overhead.
+            strlen($attrname) > 96
+          );
           $working = $mode = 1;
           $attr = preg_replace('/^[-a-zA-Z]+/', '', $attr);
         }
@@ -2329,6 +2335,7 @@ function url($path = NULL, array $options = array()) {
   }
   elseif (!empty($path) && !$options['alias']) {
     $language = isset($options['language']) && isset($options['language']->language) ? $options['language']->language : '';
+    require_once DRUPAL_ROOT . '/' . variable_get('path_inc', 'includes/path.inc');
     $alias = drupal_get_path_alias($original_path, $language);
     if ($alias != $original_path) {
       // Strip leading slashes from internal path aliases to prevent them
@@ -2689,6 +2696,19 @@ function drupal_deliver_html_page($page_callback_result) {
     drupal_add_http_header('X-Frame-Options', $frame_options);
   }
 
+  if (variable_get('block_interest_cohort', TRUE)) {
+    $permissions_policy = drupal_get_http_header('Permissions-Policy');
+    if (is_null($permissions_policy)) {
+      drupal_add_http_header('Permissions-Policy', 'interest-cohort=()');
+    }
+    else {
+      // Only add interest-cohort if the header does not contain it already.
+      if (strpos($permissions_policy, 'interest-cohort') === FALSE) {
+        drupal_add_http_header('Permissions-Policy', 'interest-cohort=()', TRUE);
+      }
+    }
+  }
+
   // Menu status constants are integers; page content is a string or array.
   if (is_int($page_callback_result)) {
     // @todo: Break these up into separate functions?
@@ -3385,7 +3405,7 @@ function drupal_group_css($css) {
  * @see system_element_info()
  */
 function drupal_aggregate_css(&$css_groups) {
-  $preprocess_css = (variable_get('preprocess_css', FALSE) && (!defined('MAINTENANCE_MODE') || MAINTENANCE_MODE != 'update'));
+  $preprocess_css = (variable_get('preprocess_css', FALSE) && !defined('MAINTENANCE_MODE'));
 
   // For each group that needs aggregation, aggregate its items.
   foreach ($css_groups as $key => $group) {
@@ -3844,20 +3864,22 @@ function drupal_load_stylesheet_content($contents, $optimize = FALSE) {
     // whitespace.
     // @see http://php.net/manual/regexp.reference.subpatterns.php
     $contents = preg_replace('<
+      # Do not strip any space from within single or double quotes
+        (' . $double_quot . '|' . $single_quot . ')
       # Strip leading and trailing whitespace.
-        \s*([@{};,])\s*
+      | \s*([@{};,])\s*
       # Strip only leading whitespace from:
       # - Closing parenthesis: Retain "@media (bar) and foo".
       | \s+([\)])
       # Strip only trailing whitespace from:
       # - Opening parenthesis: Retain "@media (bar) and foo".
       # - Colon: Retain :pseudo-selectors.
       | ([\(:])\s+
-    >xS',
-      // Only one of the three capturing groups will match, so its reference
+    >xSs',
+      // Only one of the four capturing groups will match, so its reference
       // will contain the wanted value and the references for the
       // two non-matching groups will be replaced with empty strings.
-      '$1$2$3',
+      '$1$2$3$4',
       $contents
     );
     // End the file with a new line.
@@ -4498,7 +4520,7 @@ function drupal_get_js($scope = 'header', $javascript = NULL, $skip_alter = FALS
  * @see drupal_add_js()
  */
 function drupal_pre_render_scripts(array $elements) {
-  $preprocess_js = (variable_get('preprocess_js', FALSE) && (!defined('MAINTENANCE_MODE') || MAINTENANCE_MODE != 'update'));
+  $preprocess_js = (variable_get('preprocess_js', FALSE) && !defined('MAINTENANCE_MODE'));
 
   // A dummy query-string is added to filenames, to gain control over
   // browser-caching. The string changes on every update or full cache
@@ -5166,6 +5188,8 @@ function drupal_build_js_cache($files) {
         $contents .= file_get_contents($path) . ";\n";
       }
     }
+    // Remove JS source and source mapping urls or these may cause 404 errors.
+    $contents = preg_replace('/\/\/(#|@)\s(sourceURL|sourceMappingURL)=\s*(\S*?)\s*$/m', '', $contents);
     // Prefix filename to prevent blocking by firewalls which reject files
     // starting with "ad*".
     $filename = 'js_' . drupal_hash_base64($contents) . '.js';
@@ -6915,7 +6939,7 @@ function drupal_array_set_nested_value(array &$array, array $parents, $value, $f
 function &drupal_array_get_nested_value(array &$array, array $parents, &$key_exists = NULL) {
   $ref = &$array;
   foreach ($parents as $parent) {
-    if (is_array($ref) && array_key_exists($parent, $ref)) {
+    if (is_array($ref) && (isset($ref[$parent]) || array_key_exists($parent, $ref))) {
       $ref = &$ref[$parent];
     }
     else {