Seamus Lee [Thu, 20 Aug 2020 06:30:48 +0000 (16:30 +1000)]
Merge pull request #18201 from seamuslee001/5.28
(dev/core#1846) Container, ClassLoader Caches - Separate caches by ve…
Tim Otten [Thu, 2 Jul 2020 21:03:34 +0000 (14:03 -0700)]
(dev/core#1846) Container, ClassLoader Caches - Separate caches by version number
Before
------
If you load a new version of the CiviCRM codebase, then a freshness check
should cause the container cache to reset automatically (based on the fact
that various files have new timestamps).
However, it's possible that some kind of bug or omission prevents this from working.
Many developers won't notice such a bug because they're obsessive-compulsive
about clearing caches anyway.
After
-----
If you load a new version of the CiviCRM codebase, then it should use a new
container cache - regardless of how well the freshness check works.
totten [Thu, 20 Aug 2020 00:45:49 +0000 (00:45 +0000)]
Merge branch '5_28_1_release_notes' into 'security-fixes'
5 28 1 release notes
See merge request security/core!127
Tim Otten [Thu, 20 Aug 2020 00:40:15 +0000 (17:40 -0700)]
Copy-edits for 5.28.1.md
Seamus Lee [Wed, 19 Aug 2020 07:41:16 +0000 (17:41 +1000)]
Add in release notes for 5.28.1
Seamus Lee [Wed, 19 Aug 2020 07:40:46 +0000 (17:40 +1000)]
Set version to 5.28.1
Seamus Lee [Wed, 5 Aug 2020 20:31:22 +0000 (06:31 +1000)]
security/core#95 Purify Summary and description fields for events on the event info and event cart screens
Seamus Lee [Wed, 5 Aug 2020 23:46:33 +0000 (09:46 +1000)]
security/core#96 Escape the profile description field
Seamus Lee [Wed, 5 Aug 2020 23:57:26 +0000 (09:57 +1000)]
Apply edit groups permission check to the button not the general permissionedForGroup check
Seamus Lee [Tue, 28 Jul 2020 03:48:39 +0000 (13:48 +1000)]
[REF] Only show button to edit smart group if user has permissions
Seamus Lee [Wed, 29 Apr 2020 07:53:46 +0000 (17:53 +1000)]
Security/core#61 Limit Access to update smart group task to only if the logged in user has edit groups permission.
Put a permission restriction on loading page without manage groups permission when saved search id is specified in the URL
Seamus Lee [Wed, 15 Jul 2020 03:00:33 +0000 (13:00 +1000)]
security/core#94 Escape subject content when loading the Activity list for a contact
Coleman Watts [Fri, 3 Jul 2020 02:37:03 +0000 (22:37 -0400)]
Fix auto-refresh of CKEditor configurator form
Coleman Watts [Thu, 28 May 2020 20:26:47 +0000 (16:26 -0400)]
Convert CK Config form to quickform
Coleman Watts [Thu, 28 May 2020 19:15:26 +0000 (15:15 -0400)]
CKEditor Config - Validate input before saving config file
Also removes support for 'customConfig' supplemental file.
Coleman Watts [Thu, 28 May 2020 19:08:43 +0000 (15:08 -0400)]
CRM_Utils_JS - Improve validation of strings
Runs strings through json_decode to ensure they are valid.
Optionally throws an exception on error.
Seamus Lee [Fri, 29 May 2020 07:17:04 +0000 (17:17 +1000)]
security/core#78 Purify HTML of activity details field when viewing the activity
Tim Otten [Mon, 6 Apr 2020 08:07:12 +0000 (01:07 -0700)]
CRM_Core_Key - Strengthen signature algorithm
This alters the qfKey signature algorithm, with a few aims:
1. If someone wants to perform a brute-force to figure the per-session
private-key, we want it to go slow. Therefore, use a slower hash (ie
HMAC-SHA256 instead of MD5).
2. If someone performs a timing attack aimed at figuring a passable qfKey,
the execution-time for `validate()` should not provide any hints.
3. If someone finds a way to manipulate one of the constituent parts
($sessionID, $name, $privateKey), we want it to be hard to create a
collision. So... (a) Use HMAC instead of a vanilla hash. (b) Use delimiters
between the data sections ($sessionID, $name).
Tim Otten [Mon, 6 Apr 2020 06:33:55 +0000 (23:33 -0700)]
CRM_Core_Key - Improve entropy of "privateKey"
In PHP 4/5, there was no good, universal source of entropy. The old code
mitigated this by aggregating mediocre sources. On my system, it appears
to be roughly:
* 2^31 for each `mt_rand()`
* 10^8 =~ 2^26 for each `uniqid(...TRUE)` (after discounting the non-random right half of the uniqid).
So that's ~114 bits (albeit low-quality bits).
In PHP 7, the docs describe `random_bytes()` as "generat[ing] cryptographically secure pseudo-random bytes."
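The two commits above describe the shape of the new qfKey scheme; the sketch below is an added illustration of that design, not CiviCRM's own `CRM_Core_Key` code. The class name, method names and the `"\x00"` delimiter are assumptions.

```php
<?php
// Added illustration of the qfKey design described in the commits above.
// Not CiviCRM's CRM_Core_Key; class/method names and the delimiter are assumptions.
final class QfKeySigner
{
    private string $privateKey;

    public function __construct(?string $privateKey = null)
    {
        // Per-session private key from the CSPRNG (random_bytes) instead of
        // aggregating mt_rand()/uniqid() output: 32 bytes = 256 bits of entropy.
        $this->privateKey = $privateKey ?? random_bytes(32);
    }

    public function sign(string $sessionId, string $name): string
    {
        // A delimiter between the data sections stops two different
        // ($sessionId, $name) pairs from concatenating to the same bytes,
        // e.g. ("sess-12", "3form") versus ("sess-123", "form").
        $data = $sessionId . "\x00" . $name;

        // Keyed HMAC-SHA256 rather than a vanilla (and faster) MD5 digest.
        return hash_hmac('sha256', $data, $this->privateKey);
    }

    public function validate(string $sessionId, string $name, string $key): bool
    {
        $expected = $this->sign($sessionId, $name);

        // hash_equals() compares in constant time, so the duration of
        // validate() does not reveal how many leading characters matched.
        return hash_equals($expected, $key);
    }
}

// Constructed demo values (not real session identifiers).
$signer = new QfKeySigner();
$key = $signer->sign('sess-123', 'form');

// The genuine (sessionId, name, key) triple.
var_dump($signer->validate('sess-123', 'form', $key));
// Same bytes split differently: the delimiter keeps this from validating.
var_dump($signer->validate('sess-12', '3form', $key));
// A guessed key of the right length and alphabet.
var_dump($signer->validate('sess-123', 'form', str_repeat('0', 64)));
```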
Seamus Lee [Thu, 28 May 2020 07:46:06 +0000 (17:46 +1000)]
Additional code from Drupal's implementation
Seamus Lee [Thu, 28 May 2020 07:43:19 +0000 (17:43 +1000)]
Update to use code from Drupal's patch
Seamus Lee [Thu, 28 May 2020 06:00:57 +0000 (16:00 +1000)]
Patch jQuery for CVE-2020-11022 and CVE-2020-11023
Coleman Watts [Tue, 12 May 2020 14:14:32 +0000 (10:14 -0400)]
security/core#81 Escape html in CRM_Core_LegacyErrorHandler messages
Seamus Lee [Tue, 12 May 2020 05:07:32 +0000 (15:07 +1000)]
security/core#74 Prevent CSRF in CKEditor Config screen by switching to using Quickform built form
Seamus Lee [Wed, 19 Aug 2020 06:13:00 +0000 (16:13 +1000)]
Merge pull request #18191 from seamuslee001/5.28
dev/core#1945 Fix recur access regression
eileen [Mon, 17 Aug 2020 09:17:09 +0000 (21:17 +1200)]
dev/core#1945 Fix recur access regression
Seamus Lee [Sun, 16 Aug 2020 21:00:31 +0000 (07:00 +1000)]
Merge pull request #18167 from seamuslee001/5.28
cvv required html attribute should depend on backoffice setting
demeritcowboy [Sun, 16 Aug 2020 01:43:21 +0000 (21:43 -0400)]
required
Seamus Lee [Sun, 16 Aug 2020 01:28:29 +0000 (11:28 +1000)]
Merge pull request #18164 from seamuslee001/5.28
[REF] Remove unnecessary comma
Seamus Lee [Sat, 15 Aug 2020 23:31:54 +0000 (09:31 +1000)]
[REF] Remove unnecessary comma
Seamus Lee [Sat, 15 Aug 2020 02:33:29 +0000 (12:33 +1000)]
Merge pull request #18152 from seamuslee001/dev_core_1952_528
dev/core#1952 Remove unnecessary component checking when exporting all …
Seamus Lee [Fri, 14 Aug 2020 23:22:08 +0000 (09:22 +1000)]
dev/core#1952 Remove unnecessary component checking when exporting all activities
Seamus Lee [Fri, 14 Aug 2020 23:04:57 +0000 (09:04 +1000)]
Merge pull request #18145 from seamuslee001/dev_core_1953_28
dev/core#1953 Ensure that Contribution pages do not fail validation o…
Seamus Lee [Fri, 14 Aug 2020 21:09:00 +0000 (07:09 +1000)]
dev/core#1953 Ensure that Contribution pages do not fail validation on credit cards when a zero dollar price is offered
Eileen McNaughton [Wed, 12 Aug 2020 01:18:17 +0000 (13:18 +1200)]
Merge pull request #18129 from seamuslee001/5.28
dev/core#1934 fix regression on merging contacts with settings using …
eileen [Tue, 11 Aug 2020 21:38:05 +0000 (09:38 +1200)]
dev/core#1934 fix regression on merging contacts with settings using contact_id
This is an interim fix to a reported regression. I'll look at it more carefully in master when time permits
Seamus Lee [Tue, 11 Aug 2020 23:03:16 +0000 (09:03 +1000)]
Merge pull request #18127 from seamuslee001/dev_core_1936_528
dev/core#1936 Make the label column on price_field_value table not re…
Seamus Lee [Tue, 11 Aug 2020 21:44:16 +0000 (07:44 +1000)]
dev/core#1936 Make the label column on price_field_value table not required
Eileen McNaughton [Sat, 8 Aug 2020 02:28:43 +0000 (14:28 +1200)]
Merge pull request #18099 from seamuslee001/5.28
[REF] Fix jquery validation for on behalf of fields when combined wit…
Seamus Lee [Fri, 7 Aug 2020 02:09:55 +0000 (12:09 +1000)]
[REF] Fix jquery validation for on behalf of fields when combined with a premium
CiviCRM [Thu, 6 Aug 2020 03:45:32 +0000 (03:45 +0000)]
Set version to 5.28.0
Tim Otten [Thu, 6 Aug 2020 03:23:56 +0000 (20:23 -0700)]
Merge pull request #18083 from totten/5.28-rn
(NFC) 5.28.0.md - Describe last minute PR. Random copyedits.
Tim Otten [Thu, 6 Aug 2020 02:47:27 +0000 (19:47 -0700)]
5.28.0.md - Describe last minute PR. Random copyedits.
Seamus Lee [Thu, 6 Aug 2020 02:35:59 +0000 (12:35 +1000)]
Merge pull request #18079 from eileenmcnaughton/528
dev/core#1930 fix for move-related checkbox being overridden to true …
eileen [Thu, 6 Aug 2020 00:50:43 +0000 (12:50 +1200)]
dev/core#1930 fix for move-related checkbox being overridden to true in form
Mathieu Lu [Wed, 5 Aug 2020 20:33:23 +0000 (16:33 -0400)]
Merge pull request #18074 from agh1/5.28.0-releasenotes-final
5.28.0 release notes final edits
Andrew Hunt [Wed, 5 Aug 2020 18:50:10 +0000 (14:50 -0400)]
5.28.0 release notes: added late changes
Andrew Hunt [Wed, 5 Aug 2020 16:04:32 +0000 (12:04 -0400)]
5.28.0 release notes: misc edits
Seamus Lee [Wed, 5 Aug 2020 00:48:44 +0000 (10:48 +1000)]
Merge pull request #18070 from seamuslee001/dev_core_1927
dev/core#1927 Ensure that the contents of the database table are fixe…
Seamus Lee [Tue, 4 Aug 2020 23:19:17 +0000 (09:19 +1000)]
dev/core#1927 Ensure that the contents of the database table are fixed up before changing the column type
Seamus Lee [Tue, 4 Aug 2020 22:34:17 +0000 (08:34 +1000)]
Merge pull request #18066 from seamuslee001/dev_drupal_131
dev/drupal#131 Ensure that the General class exists
Seamus Lee [Tue, 4 Aug 2020 20:48:47 +0000 (06:48 +1000)]
dev/drupal#131 Ensure that the General class exists
Seamus Lee [Tue, 4 Aug 2020 10:13:27 +0000 (20:13 +1000)]
Merge pull request #18061 from seamuslee001/5274_notes
[NFC] 5.27.4 Release Notes
Matthew Wire [Tue, 4 Aug 2020 10:05:44 +0000 (11:05 +0100)]
Merge pull request #18062 from eileenmcnaughton/error_juice
Improve error handling on IPN
eileen [Tue, 4 Aug 2020 07:44:33 +0000 (19:44 +1200)]
Improve error handling on IPN
https://civicrm.stackexchange.com/questions/37277/paypal-standard-payments-are-being-accepted-but-marked-as-incomplete-transaction/37279#37279
shows how unhelpful this error is - getting data from the exception should help.
Targeting 5.28 in case the gitlab relates to a regression & we need to solicit more debug info
Tim Otten [Tue, 4 Aug 2020 06:26:11 +0000 (23:26 -0700)]
release-notes.md - Small copy-edits
Tim Otten [Mon, 3 Aug 2020 10:04:07 +0000 (03:04 -0700)]
Add release-notes/5.27.4.md
Seamus Lee [Tue, 4 Aug 2020 04:11:44 +0000 (14:11 +1000)]
Merge pull request #18053 from seamuslee001/test_ports
[NFC] Port some recent test fixes from master to 5.28
Tim Otten [Tue, 14 Jul 2020 18:18:08 +0000 (11:18 -0700)]
(REF) WebsiteTest - Mitigate flaky failures
Overview
--------
In recent days, api_v3_WebsiteTest has emitted sporadic failures like this:
```
api_v3_WebsiteTest::testDeleteWebsite with data set #0 (3)
Failed asserting that 3 matches expected 0.
/home/jenkins/bknix-max/build/build-2/web/sites/all/modules/civicrm/tests/phpunit/api/v3/WebsiteTest.php:75
/home/jenkins/bknix-max/build/build-2/web/sites/all/modules/civicrm/tests/phpunit/CiviTest/CiviUnitTestCase.php:209
/home/jenkins/bknix-max/extern/phpunit7/phpunit7.phar:615
```
and
```
api_v3_WebsiteTest::testDeleteWebsiteInvalid with data set #0 (3)
Failed asserting that 4 matches expected 1.
/home/jenkins/bknix-max/build/build-2/web/sites/all/modules/civicrm/tests/phpunit/api/v3/WebsiteTest.php:88
/home/jenkins/bknix-max/build/build-2/web/sites/all/modules/civicrm/tests/phpunit/CiviTest/CiviUnitTestCase.php:209
/home/jenkins/bknix-max/extern/phpunit7/phpunit7.phar:615
```
These failures do not reproduce for me in isolation.
Before
------
Both the failing assertions make an implicit assumption that the baseline content of `civicrm_website` is empty.
After
-----
The failing assertions use an explicit baseline (`$beforeCount`).
Comments
--------
The test failures are sporadic and only seem to occur when run in the full suite.
My theory is that something else is leaking `civicrm_website` records;
however, it's hard to track that down amidst a full suite (when the full
suite takes so long to execute). Therefore, I cannot be certain that this
actually fixes the problem. However, this really just tightens up the
assumptions of the test - as long as it passes the PR tests, it should be
safe to merge and then watch in the `CiviCRM-Core-Matrix`.
eileen [Sun, 2 Aug 2020 04:41:16 +0000 (16:41 +1200)]
Fix for failing test
By ensuring join_date is in the past we get away from situations where there is no valid status
demeritcowboy [Fri, 31 Jul 2020 15:39:56 +0000 (11:39 -0400)]
re-re-fix test
eileen [Fri, 31 Jul 2020 04:27:55 +0000 (16:27 +1200)]
Re-fix test
The strtotime calculation adds 4 months before setting the day of month. However
July 31 + 4 months is 1 Dec - ie the month is 12 not 11 due to there being only 30 days. So to
get 27 Nov we need to get the July month (7) and add 4 and voila 11, not 12
demeritcowboy [Thu, 30 Jul 2020 03:28:56 +0000 (23:28 -0400)]
update failing test
demeritcowboy [Tue, 21 Jul 2020 03:14:46 +0000 (23:14 -0400)]
make test less time-sensitive
eileen [Thu, 16 Jul 2020 07:12:54 +0000 (19:12 +1200)]
api_v3_TaxContributionPageTest fix - remove hard coded processor id
Eileen McNaughton [Sat, 1 Aug 2020 03:47:11 +0000 (15:47 +1200)]
Merge pull request #18017 from seamuslee001/dev_mail_72
dev/mail#72 Remove call to custom fatal error handler from CRM_Core_E…
Seamus Lee [Fri, 31 Jul 2020 23:33:52 +0000 (09:33 +1000)]
dev/mail#72 Remove call to custom fatal error handler from CRM_Core_Error::debug_log_message
Tim Otten [Fri, 31 Jul 2020 21:55:23 +0000 (14:55 -0700)]
Merge pull request #18011 from totten/5.28-tbl
FiveTwentyEight - Provide concrete details about civicrm.files
Tim Otten [Fri, 31 Jul 2020 04:47:26 +0000 (21:47 -0700)]
FiveTwentyEight - Provide concrete details about civicrm.files
This hopefully makes it easier to decide what to do without needing a
scavenger hunt.
Seamus Lee [Thu, 30 Jul 2020 23:43:33 +0000 (09:43 +1000)]
Merge pull request #17983 from kcristiano/5.28-wp-notices
dev/wordpress/66 Add Upgrade Notice regarding legacy paths
Seamus Lee [Wed, 29 Jul 2020 21:26:58 +0000 (07:26 +1000)]
Merge pull request #17868 from seamuslee001/remove_civicrm_files_override
[REF] Remove civicrm.files override for WordPress to fix issues with…
Kevin Cristiano [Tue, 28 Jul 2020 21:00:47 +0000 (17:00 -0400)]
dev/wordpress/66 Add Upgrade Notice regarding legacy paths
Signed-off-by: Kevin Cristiano <kcristiano@kcristiano.com>
Eileen McNaughton [Mon, 27 Jul 2020 09:58:19 +0000 (21:58 +1200)]
Merge pull request #17973 from seamuslee001/ref_profile_date_fields
[REF] Fix regression where adding any date based field onto a profile…
Seamus Lee [Mon, 27 Jul 2020 03:39:06 +0000 (13:39 +1000)]
[REF] Fix regression where adding any date based field onto a profile triggers an error date preferences not configured when previewing the profile
Seamus Lee [Sun, 26 Jul 2020 21:18:38 +0000 (07:18 +1000)]
Merge pull request #17960 from demeritcowboy/contribution-default
dev/core#1911 - Default not being set for fixed contribution amounts or any price field that is not type text
demeritcowboy [Sun, 26 Jul 2020 14:12:15 +0000 (10:12 -0400)]
default not being set for price fields
Eileen McNaughton [Sat, 25 Jul 2020 00:40:20 +0000 (12:40 +1200)]
Merge pull request #17947 from agh1/dev-core-1899-5-28
dev/core#1899 specify display mode for action links with icons
Andrew Hunt [Fri, 24 Jul 2020 00:46:27 +0000 (20:46 -0400)]
dev/core#1899 specify display mode for action links with icons
Eileen McNaughton [Thu, 23 Jul 2020 22:42:12 +0000 (10:42 +1200)]
Merge pull request #17929 from demeritcowboy/required-not-5.28
dev/core#1903 - Avoid E_WARNING and remove code
demeritcowboy [Thu, 23 Jul 2020 20:26:11 +0000 (16:26 -0400)]
avoid E_WARNING and remove code
Seamus Lee [Thu, 23 Jul 2020 06:44:09 +0000 (16:44 +1000)]
Merge pull request #17925 from seamuslee001/5.28
Add release-notes/5.27.3
Tim Otten [Thu, 23 Jul 2020 04:53:40 +0000 (21:53 -0700)]
Add release-notes/5.27.3
Seamus Lee [Wed, 22 Jul 2020 00:13:27 +0000 (10:13 +1000)]
Merge pull request #17906 from seamuslee001/lab_core_1846
dev/core#1846 Make DAO upgrade safe
Coleman Watts [Fri, 3 Jul 2020 16:20:04 +0000 (12:20 -0400)]
Fix failing settingTest and mark setting.fill as deprecated
The settingTest class was being too aggressive about creating and deleting domains,
this teaches it to not delete pre-existing domains.
Also marks an old unused api function deprecated.
Coleman Watts [Wed, 1 Jul 2020 17:25:31 +0000 (13:25 -0400)]
Add upgrade-safe DAO::getSupportedFields method
Switches api v3 and v4 to use that method so they are upgrade-safe by default.
Seamus Lee [Sun, 19 Jul 2020 21:36:49 +0000 (07:36 +1000)]
Merge pull request #17890 from christianwach/lab-core-1889-3
Prevent session from starting during WordPress pseudo-cron procedures
Christian Wach [Sat, 18 Jul 2020 20:08:50 +0000 (21:08 +0100)]
Prevent session from starting during WordPress pseudo-cron procedures
Seamus Lee [Fri, 17 Jul 2020 21:55:29 +0000 (07:55 +1000)]
Merge pull request #17875 from colemanw/customFieldVersionCheck
Ensure serialize field exists before adding to query
Coleman Watts [Fri, 17 Jul 2020 16:16:35 +0000 (12:16 -0400)]
Ensure serialize field exists before adding to query
Seamus Lee [Thu, 16 Jul 2020 21:39:01 +0000 (07:39 +1000)]
[REF] Remove civicrm.files override for WordPress to fix issues with users struggling to find extensions
Monish Deb [Thu, 16 Jul 2020 06:51:35 +0000 (12:21 +0530)]
Merge pull request #17836 from seamuslee001/dev_core_1874
dev/core#1874 Fix fatal error by passing through the string formatTyp…
Seamus Lee [Thu, 16 Jul 2020 03:40:10 +0000 (13:40 +1000)]
Merge pull request #17851 from alifrumin/5.28rn
[NFC] 5.28 Release Notes First Pass
Seamus Lee [Thu, 16 Jul 2020 03:39:54 +0000 (13:39 +1000)]
Merge pull request #17857 from demeritcowboy/membershiptest-5.28
[Test framework] - Backport of membership test fix
Seamus Lee [Thu, 16 Jul 2020 01:25:41 +0000 (11:25 +1000)]
Merge pull request #17854 from demeritcowboy/missing-codeversion-5.28
dev/core#1882 - Missing version number in status check message about db version vs code version
demeritcowboy [Thu, 16 Jul 2020 01:21:52 +0000 (21:21 -0400)]
backport of membership test fix
Seamus Lee [Thu, 16 Jul 2020 00:42:15 +0000 (10:42 +1000)]
Merge pull request #17853 from seamuslee001/dev_wordpress_62
dev/wordpress#62 Update adrienrn/php-mimetyper gitignore file to ensu…
demeritcowboy [Wed, 15 Jul 2020 23:52:24 +0000 (19:52 -0400)]
missing version number in message
Alice Frumin [Tue, 14 Jul 2020 21:15:53 +0000 (17:15 -0400)]
5.28 release notes: first pass
Seamus Lee [Wed, 15 Jul 2020 21:44:41 +0000 (07:44 +1000)]
dev/wordpress#62 Update adrienrn/php-mimetyper gitignore file to ensure that sites that manage their systems using git can access the db.json file
Seamus Lee [Wed, 15 Jul 2020 00:41:00 +0000 (10:41 +1000)]
Merge pull request #17840 from seamuslee001/5272_rns
5.27.1 and 5.27.2 Release Notes