civicrm-core.git
4 years ago[NFC] [Test] minor code cleanup
eileen [Thu, 23 Apr 2020 03:33:45 +0000 (15:33 +1200)]
[NFC] [Test] minor code cleanup

4 years agoMerge pull request #17150 from civicrm/5.25
Seamus Lee [Thu, 23 Apr 2020 02:50:34 +0000 (12:50 +1000)]
Merge pull request #17150 from civicrm/5.25

5.25

4 years agoMerge pull request #17149 from seamuslee001/5.25
Seamus Lee [Thu, 23 Apr 2020 02:48:46 +0000 (12:48 +1000)]
Merge pull request #17149 from seamuslee001/5.25

Add release-notes/5.24.5.md

4 years agoAdd release-notes/5.24.5.md
Tim Otten [Thu, 23 Apr 2020 00:03:35 +0000 (17:03 -0700)]
Add release-notes/5.24.5.md

4 years agoMerge pull request #17141 from mlutfy/reportOutput
colemanw [Wed, 22 Apr 2020 15:57:36 +0000 (11:57 -0400)]
Merge pull request #17141 from mlutfy/reportOutput

[NFC] Cleanup CRM_Report_Form

4 years agoMerge pull request #17136 from demeritcowboy/portugal-provinces
Matthew Wire [Wed, 22 Apr 2020 12:33:42 +0000 (13:33 +0100)]
Merge pull request #17136 from demeritcowboy/portugal-provinces

Update more Portugal provinces

4 years agoMerge pull request #17139 from civicrm/5.25
Seamus Lee [Wed, 22 Apr 2020 06:32:08 +0000 (16:32 +1000)]
Merge pull request #17139 from civicrm/5.25

5.25

4 years agoMerge pull request #17134 from jitendrapurohit/core-1723-rc
Seamus Lee [Wed, 22 Apr 2020 03:54:42 +0000 (13:54 +1000)]
Merge pull request #17134 from jitendrapurohit/core-1723-rc

dev/core#1723 - Adv Search - Reciprocal relationship search with custom fields leads to error

4 years agoRC fix for #17132
Jitendra Purohit [Tue, 21 Apr 2020 11:31:34 +0000 (17:01 +0530)]
RC fix for #17132

unit test fix

4 years agoMerge pull request #17133 from eileenmcnaughton/dep
Tim Otten [Wed, 22 Apr 2020 02:07:27 +0000 (19:07 -0700)]
Merge pull request #17133 from eileenmcnaughton/dep

(NFC) Comment clarification in test class

4 years agoCleanup CRM_Report_Form
Mathieu Lutfy [Wed, 22 Apr 2020 02:03:37 +0000 (22:03 -0400)]
Cleanup CRM_Report_Form

4 years agoMerge pull request #17137 from seamuslee001/dev_core_1717
Seamus Lee [Wed, 22 Apr 2020 01:26:33 +0000 (11:26 +1000)]
Merge pull request #17137 from seamuslee001/dev_core_1717

dev/core#1717 - Fix SMTP failure involving `disconnect()` method

4 years agodev/core#1717 Fix SMTP failure on fail to disconnect due to new wrapper smtp mailer
Seamus Lee [Tue, 21 Apr 2020 21:11:29 +0000 (07:11 +1000)]
dev/core#1717 Fix SMTP failure on fail to disconnect due to new wrapper smtp mailer

Add in wrapper around to check if we can call it

4 years agoMerge pull request #17105 from colemanw/psr-4
Tim Otten [Tue, 21 Apr 2020 22:05:23 +0000 (15:05 -0700)]
Merge pull request #17105 from colemanw/psr-4

dev/core#1684 - Use PSR-4 autoloader instead of PSR-0 for "Civi" namespace

4 years agoMerge pull request #16716 from mattwire/cancelsubscriptionaddemail
colemanw [Tue, 21 Apr 2020 21:49:52 +0000 (17:49 -0400)]
Merge pull request #16716 from mattwire/cancelsubscriptionaddemail

Add contributor email address to cancelSubscription form so it is cle…

4 years agoupdate Portugal provinces
demeritcowboy [Tue, 21 Apr 2020 21:07:32 +0000 (17:07 -0400)]
update Portugal provinces

4 years agoMerge pull request #17135 from demeritcowboy/leftover-description
Eileen McNaughton [Tue, 21 Apr 2020 20:00:30 +0000 (08:00 +1200)]
Merge pull request #17135 from demeritcowboy/leftover-description

dev/user-interface#19 - Remove leftover description text on contribution form mistakenly left in

4 years agoleftover description text from net amount field removal years ago
demeritcowboy [Tue, 21 Apr 2020 18:31:50 +0000 (14:31 -0400)]
leftover description text from net amount field removal years ago

4 years agoAdd contributor email address to cancelSubscription form so it is clear where it...
Matthew Wire [Mon, 9 Mar 2020 12:35:28 +0000 (12:35 +0000)]
Add contributor email address to cancelSubscription form so it is clear where it will be sent

4 years agoComment clarification in test class
eileen [Tue, 21 Apr 2020 11:25:16 +0000 (23:25 +1200)]
Comment clarification in test class

I just updated the comments on this helper to clarify the limitations of the function & the
fact that it should not be our only way to test thousand separators.

I was noticing perfect was becoming the enemy of the good here. The function was marked as deprecated
because it doesn't cover all scenarios - but the upshot was that we stopped increasing out
thousand separator testing. In fact we need lots of form tests to do some testing of
the separators and a very small number to test more variants - this latter has been added
& the comments point to the need for more without going as far as deprecating

4 years agoMerge pull request #17123 from civicrm/5.25
Seamus Lee [Tue, 21 Apr 2020 04:19:13 +0000 (14:19 +1000)]
Merge pull request #17123 from civicrm/5.25

5.25

4 years agoMerge pull request #17099 from lcdservices/dev-core-1718
Yashodha Chaku [Tue, 21 Apr 2020 03:21:50 +0000 (08:51 +0530)]
Merge pull request #17099 from lcdservices/dev-core-1718

dev/core#1718 membership batch entry join date fix

4 years agoMerge pull request #17119 from agh1/5.25.0-releasenotes
Seamus Lee [Tue, 21 Apr 2020 02:27:10 +0000 (12:27 +1000)]
Merge pull request #17119 from agh1/5.25.0-releasenotes

5.25.0 release notes first run

4 years agoMerge pull request #17064 from eileenmcnaughton/email3
colemanw [Tue, 21 Apr 2020 00:14:29 +0000 (20:14 -0400)]
Merge pull request #17064 from eileenmcnaughton/email3

Convert bcc field to use an entity reference.

4 years agoMerge pull request #17121 from eileenmcnaughton/update
colemanw [Tue, 21 Apr 2020 00:10:03 +0000 (20:10 -0400)]
Merge pull request #17121 from eileenmcnaughton/update

[REF] Minor var simplification

4 years ago[REF] Minor var simplification
eileen [Mon, 20 Apr 2020 22:39:33 +0000 (10:39 +1200)]
[REF] Minor var simplification

4 years agoMerge pull request #17106 from pradpnayak/statepro1
Eileen McNaughton [Mon, 20 Apr 2020 22:11:35 +0000 (10:11 +1200)]
Merge pull request #17106 from pradpnayak/statepro1

Update Colmbra state/province to Coimbra

4 years agoMerge pull request #17109 from colemanw/noAlias
Eileen McNaughton [Mon, 20 Apr 2020 22:09:48 +0000 (10:09 +1200)]
Merge pull request #17109 from colemanw/noAlias

APIv4 - Prevent field alias conflicts.

4 years ago5.25.0 release notes: added boilerplate
Andrew Hunt [Mon, 20 Apr 2020 21:52:21 +0000 (17:52 -0400)]
5.25.0 release notes: added boilerplate

4 years ago5.25.0 release notes: raw from script
Andrew Hunt [Mon, 20 Apr 2020 21:47:41 +0000 (17:47 -0400)]
5.25.0 release notes: raw from script

4 years agoMerge pull request #17113 from colemanw/restoreApiSql
colemanw [Mon, 20 Apr 2020 17:29:33 +0000 (13:29 -0400)]
Merge pull request #17113 from colemanw/restoreApiSql

Restore #16947 - APIv4 support for sql functions and grouping

4 years agoRestore #16947 - APIv4 support for sql functions and grouping
Coleman Watts [Mon, 20 Apr 2020 15:43:18 +0000 (11:43 -0400)]
Restore #16947 - APIv4 support for sql functions and grouping

4 years agoMerge pull request #17111 from seamuslee001/master
Seamus Lee [Mon, 20 Apr 2020 09:17:44 +0000 (19:17 +1000)]
Merge pull request #17111 from seamuslee001/master

5.25

4 years agoMerge in 5.25
Seamus Lee [Mon, 20 Apr 2020 09:16:14 +0000 (19:16 +1000)]
Merge in 5.25

4 years agoMerge pull request #17093 from eileenmcnaughton/cont
Seamus Lee [Mon, 20 Apr 2020 09:11:39 +0000 (19:11 +1000)]
Merge pull request #17093 from eileenmcnaughton/cont

[NFC] Remove calculation of unused parameter

4 years agoMerge pull request #17108 from colemanw/revertSqlFn
Seamus Lee [Mon, 20 Apr 2020 08:54:32 +0000 (18:54 +1000)]
Merge pull request #17108 from colemanw/revertSqlFn

Revert #16947 from 5.25RC

4 years agoAPIv4 - Prevent field alias conflicts.
Coleman Watts [Mon, 20 Apr 2020 00:55:19 +0000 (20:55 -0400)]
APIv4 - Prevent field alias conflicts.

Do not allow regular fields to be aliased - only expressions.
Prevent an alias from using the same name as an existing field.

4 years agoMerge pull request #17069 from colemanw/removeUselessChecks
colemanw [Mon, 20 Apr 2020 00:50:55 +0000 (20:50 -0400)]
Merge pull request #17069 from colemanw/removeUselessChecks

[REF] Remove duplicate checks for an array key existing

4 years agoRevert "APIv4 - Add rudimentary support for groupBy"
Coleman Watts [Sun, 19 Apr 2020 23:56:26 +0000 (19:56 -0400)]
Revert "APIv4 - Add rudimentary support for groupBy"

This reverts commit fba513f62ec8815e08fa838e0d0501279bf34501.

4 years agoRevert "Api4SelectQuery - add more metadata to apiFieldSpec"
Coleman Watts [Sun, 19 Apr 2020 23:56:25 +0000 (19:56 -0400)]
Revert "Api4SelectQuery - add more metadata to apiFieldSpec"

This reverts commit 9b06167d3c8dc54bb51e22e3583b18799a46c930.

4 years agoRevert "APIv4 - Add SQL expression handling and aggregate functions"
Coleman Watts [Sun, 19 Apr 2020 23:56:20 +0000 (19:56 -0400)]
Revert "APIv4 - Add SQL expression handling and aggregate functions"

This reverts commit 3176b04cb62b0e8f94454e367736f50454f89de8.

4 years agoupdated civicrm_generated.mysql file
Pradeep Nayak [Sun, 19 Apr 2020 19:58:58 +0000 (20:58 +0100)]
updated civicrm_generated.mysql file

4 years agoUpdate Colmbra state/province to Coimbra
Pradeep Nayak [Sun, 19 Apr 2020 17:39:50 +0000 (18:39 +0100)]
Update Colmbra state/province to Coimbra

4 years agodev/core#1684 Use psr-4 autoloader instead of psr-0 for Civi directory
Coleman Watts [Sun, 19 Apr 2020 01:08:38 +0000 (21:08 -0400)]
dev/core#1684 Use psr-4 autoloader instead of psr-0 for Civi directory

This change is to allow underscores in class names, which were being misinterpreted as directory separators.

4 years agoMerge pull request #17080 from colemanw/importExtract
colemanw [Sun, 19 Apr 2020 01:33:06 +0000 (21:33 -0400)]
Merge pull request #17080 from colemanw/importExtract

[REF] Import - extract duplicate code to function

4 years agoMerge pull request #17101 from totten/master-gitlab-tpl
colemanw [Sat, 18 Apr 2020 15:50:56 +0000 (11:50 -0400)]
Merge pull request #17101 from totten/master-gitlab-tpl

(NFC) Gitlab Template - Request more detail about upgrade problems

4 years agoMerge pull request #17100 from artfulrobot/artfulrobot-lab-1917
colemanw [Sat, 18 Apr 2020 15:14:09 +0000 (11:14 -0400)]
Merge pull request #17100 from artfulrobot/artfulrobot-lab-1917

Replace CaseType's own XML encoding function

4 years agodev-core/1719: replace xml encoding function in CaseType
Rich Lott / Artful Robot [Sat, 18 Apr 2020 07:55:51 +0000 (08:55 +0100)]
dev-core/1719: replace xml encoding function in CaseType

4 years agoMerge pull request #17098 from mattwire/removeunusedparameterjob
colemanw [Fri, 17 Apr 2020 23:32:06 +0000 (19:32 -0400)]
Merge pull request #17098 from mattwire/removeunusedparameterjob

Remove unused parameter from function

4 years agoMerge pull request #17051 from eileenmcnaughton/ex
Seamus Lee [Fri, 17 Apr 2020 21:49:07 +0000 (07:49 +1000)]
Merge pull request #17051 from eileenmcnaughton/ex

Remove outputHeader as a param for writeCSVFile as it is always true

4 years agoMerge pull request #17102 from mattwire/removevar
Seamus Lee [Fri, 17 Apr 2020 21:48:22 +0000 (07:48 +1000)]
Merge pull request #17102 from mattwire/removevar

Remove var that is defined on parent

4 years agoRemove var that is defined on parent
Matthew Wire [Fri, 17 Apr 2020 19:47:51 +0000 (20:47 +0100)]
Remove var that is defined on parent

4 years ago(NFC) Gitlab Template - Request more detail about upgrades
Tim Otten [Fri, 17 Apr 2020 19:25:27 +0000 (12:25 -0700)]
(NFC) Gitlab Template - Request more detail about upgrades

4 years agodev/core#1718 membership batch entry join date fix
Brian Shaughnessy [Fri, 17 Apr 2020 15:34:04 +0000 (11:34 -0400)]
dev/core#1718 membership batch entry join date fix

4 years agoMerge pull request #17087 from eileenmcnaughton/ids
Matthew Wire [Fri, 17 Apr 2020 14:40:34 +0000 (15:40 +0100)]
Merge pull request #17087 from eileenmcnaughton/ids

[REF] Stop passing ids to membership::create from createRelatedMemberships

4 years agoMerge pull request #17086 from eileenmcnaughton/memview
Matthew Wire [Fri, 17 Apr 2020 14:39:46 +0000 (15:39 +0100)]
Merge pull request #17086 from eileenmcnaughton/memview

Don't pass empty ids parameter, fix fatal

4 years agoRemove unused parameter from function
Matthew Wire [Fri, 17 Jan 2020 19:02:32 +0000 (19:02 +0000)]
Remove unused parameter from function

4 years agoMerge pull request #17089 from eileenmcnaughton/memdate
colemanw [Fri, 17 Apr 2020 12:40:59 +0000 (08:40 -0400)]
Merge pull request #17089 from eileenmcnaughton/memdate

[REF] get rid of variable variable structure

4 years agoMerge pull request #16714 from christianwach/lab-1638
Matthew Wire [Fri, 17 Apr 2020 10:53:22 +0000 (11:53 +0100)]
Merge pull request #16714 from christianwach/lab-1638

Introduce "civi.dao.preUpdate" and "civi.dao.preInsert" events

4 years agoMerge pull request #17095 from civicrm/5.25
Seamus Lee [Fri, 17 Apr 2020 09:44:14 +0000 (19:44 +1000)]
Merge pull request #17095 from civicrm/5.25

5.25

4 years agoMerge pull request #17097 from seamuslee001/5.25
Seamus Lee [Fri, 17 Apr 2020 09:43:20 +0000 (19:43 +1000)]
Merge pull request #17097 from seamuslee001/5.25

Add release-notes/5.24.4.md

4 years agoAdd release-notes/5.24.4.md
Tim Otten [Fri, 17 Apr 2020 09:30:06 +0000 (02:30 -0700)]
Add release-notes/5.24.4.md

4 years agoMerge pull request #17085 from seamuslee001/typo3_drupal8
Tim Otten [Fri, 17 Apr 2020 03:56:19 +0000 (20:56 -0700)]
Merge pull request #17085 from seamuslee001/typo3_drupal8

Generalise typo3/phar-stream-wrapper so CiviCRM can be installed on d…

4 years ago[REF] get rid of variable variable structure
eileen [Thu, 16 Apr 2020 06:23:26 +0000 (18:23 +1200)]
[REF] get rid of variable variable structure

Readability improvement

4 years ago[NFC] Remove calculation of unused parameter
eileen [Fri, 17 Apr 2020 02:57:34 +0000 (14:57 +1200)]
[NFC] Remove calculation of unused parameter

4 years agoMerge pull request #17092 from civicrm/5.25
Eileen McNaughton [Fri, 17 Apr 2020 02:27:53 +0000 (14:27 +1200)]
Merge pull request #17092 from civicrm/5.25

5.25

4 years agoMerge pull request #17090 from colemanw/ssCleanup
Eileen McNaughton [Fri, 17 Apr 2020 02:22:49 +0000 (14:22 +1200)]
Merge pull request #17090 from colemanw/ssCleanup

[REF] SavedSearch - additional cleanup & bugfixes

4 years agoMerge pull request #17081 from eileenmcnaughton/session
Seamus Lee [Fri, 17 Apr 2020 02:04:38 +0000 (12:04 +1000)]
Merge pull request #17081 from eileenmcnaughton/session

Fix unsubscribe regression

4 years agoMerge pull request #17088 from eileenmcnaughton/ids2
Seamus Lee [Fri, 17 Apr 2020 02:01:36 +0000 (12:01 +1000)]
Merge pull request #17088 from eileenmcnaughton/ids2

[NFC] Remove all the places where tests unnecessarily pass  to Membership::create

4 years agoMerge pull request #17073 from eileenmcnaughton/msg_template
Seamus Lee [Fri, 17 Apr 2020 02:00:12 +0000 (12:00 +1000)]
Merge pull request #17073 from eileenmcnaughton/msg_template

Add MessageTemplate api to v4

4 years agoMerge pull request #17074 from joshgowans/patch-4
Eileen McNaughton [Fri, 17 Apr 2020 01:39:11 +0000 (13:39 +1200)]
Merge pull request #17074 from joshgowans/patch-4

Archive text

4 years agoSavedSearch - additional cleanup & bugfixes
Coleman Watts [Thu, 9 Apr 2020 15:31:23 +0000 (11:31 -0400)]
SavedSearch - additional cleanup & bugfixes

4 years agoMerge pull request #17062 from colemanw/apiExpPerf
colemanw [Thu, 16 Apr 2020 14:38:54 +0000 (10:38 -0400)]
Merge pull request #17062 from colemanw/apiExpPerf

[REF] APIv4 Explorer - improve performance

4 years agoCorrect spelling
joshgowans [Thu, 16 Apr 2020 12:45:30 +0000 (13:45 +0100)]
Correct spelling

Correct spelling of work 'recognition'.

4 years agoMerge pull request #17003 from colemanw/smartererGroups
colemanw [Thu, 16 Apr 2020 11:56:19 +0000 (07:56 -0400)]
Merge pull request #17003 from colemanw/smartererGroups

Allow other base tables for api4-based smart groups

4 years agoAllow other base tables for api4-based smart groups
Coleman Watts [Tue, 7 Apr 2020 00:56:43 +0000 (20:56 -0400)]
Allow other base tables for api4-based smart groups

4 years ago[NFC] Remove all the places where tests unnecessarily pass to Membership::create
eileen [Thu, 16 Apr 2020 06:04:27 +0000 (18:04 +1200)]
[NFC] Remove all the places where tests unnecessarily pass  to Membership::create

The param is deprecated - no reasonn to pass in the tests

4 years agoStop passing ids to membership::create from createRelatedMemberships
eileen [Thu, 16 Apr 2020 05:54:24 +0000 (17:54 +1200)]
Stop passing ids to membership::create from createRelatedMemberships

We are passing in an empty array. Per the code comments there was concern that the array might NOT be empty after calling
create & that needed to be checked out. However, I just went through it & concluded that values in the ids var would
only ever be set if ids['membership'] was passed in - so if it goes in empty it will come out empty

4 years agoDon't pass empty ids paramter, fix fatal
eileen [Thu, 16 Apr 2020 05:33:28 +0000 (17:33 +1200)]
Don't pass empty ids paramter, fix fatal

4 years agoGeneralise typo3/phar-stream-wrapper so CiviCRM can be installed on drupal8
Seamus Lee [Thu, 16 Apr 2020 04:45:16 +0000 (14:45 +1000)]
Generalise typo3/phar-stream-wrapper so CiviCRM can be installed on drupal8

4 years agoMerge pull request #17083 from seamuslee001/master
Seamus Lee [Thu, 16 Apr 2020 02:12:23 +0000 (12:12 +1000)]
Merge pull request #17083 from seamuslee001/master

5.25

4 years agoMerge 5.25
Seamus Lee [Thu, 16 Apr 2020 02:11:08 +0000 (12:11 +1000)]
Merge 5.25

4 years agoFix issue with form values not being available onn submit
eileen [Thu, 16 Apr 2020 01:37:00 +0000 (13:37 +1200)]
Fix issue with form values not being available onn submit

Possible fix for https://civicrm.stackexchange.com/questions/35323/missing-parameters-error-in-unsubscribe-confirmation

The theory is that not having committed the transaction is causing the session not to be saved

4 years agoSet version to 5.25.beta2
CiviCRM [Thu, 16 Apr 2020 02:04:24 +0000 (02:04 +0000)]
Set version to 5.25.beta2

4 years agorelease-notes - Small copy edits
Tim Otten [Thu, 16 Apr 2020 01:28:50 +0000 (18:28 -0700)]
release-notes - Small copy edits

4 years agoAdd in release notes for 5.24.3
Seamus Lee [Thu, 16 Apr 2020 01:02:23 +0000 (11:02 +1000)]
Add in release notes for 5.24.3

4 years agoUpdate composer.lock (`composer update --lock`)
Tim Otten [Fri, 3 Apr 2020 02:45:21 +0000 (19:45 -0700)]
Update composer.lock (`composer update --lock`)

4 years ago[MOSS] CIV-01-001 - Display sensible error if someone tries to use "qunit" when it...
Tim Otten [Fri, 3 Apr 2020 02:34:00 +0000 (19:34 -0700)]
[MOSS] CIV-01-001 - Display sensible error if someone tries to use "qunit" when it's missing

4 years ago[MOSS] CIV-01-001 - Remove more unnecessary files from google-code-prettifier
Tim Otten [Fri, 3 Apr 2020 02:23:03 +0000 (19:23 -0700)]
[MOSS] CIV-01-001 - Remove more unnecessary files from google-code-prettifier

4 years ago[MOSS] CIV-01-001 Remove Qunit and google-code-prettifier demo html file
Seamus Lee [Wed, 18 Mar 2020 01:25:01 +0000 (12:25 +1100)]
[MOSS] CIV-01-001 Remove Qunit and google-code-prettifier demo html file

4 years agoInclude the job name and job details on the popup notice and also on the form asking...
Seamus Lee [Thu, 12 Dec 2019 20:08:34 +0000 (07:08 +1100)]
Include the job name and job details on the popup notice and also on the form asking if your sure about executing it

Allow disabled jobs to be executed and fix copy

4 years agosecurity/core#10 Ensure there is CSRF Protection when running Scheduled Jobs from...
Seamus Lee [Tue, 10 Dec 2019 20:07:57 +0000 (07:07 +1100)]
security/core#10 Ensure there is CSRF Protection when running Scheduled Jobs from the Admin scheduled jobs UI

4 years agoRemove code handling for profile search listing
Seamus Lee [Sun, 29 Mar 2020 21:23:33 +0000 (08:23 +1100)]
Remove code handling for profile search listing

4 years agoAlso escape when value starts with a [ and validate the negative operation as well
Seamus Lee [Sun, 29 Mar 2020 20:55:14 +0000 (07:55 +1100)]
Also escape when value starts with a [ and validate the negative operation as well

4 years ago[MOSS] CIV-01-020 Validate value in the query building logic for privacy flag fields
Seamus Lee [Tue, 3 Mar 2020 20:48:35 +0000 (07:48 +1100)]
[MOSS] CIV-01-020 Validate value in the query building logic for privacy flag fields

4 years ago[MOSS] CIV-01-014 Validate status_id and campaign_type_id for camapginSummary functio...
Seamus Lee [Sat, 29 Feb 2020 22:32:21 +0000 (09:32 +1100)]
[MOSS] CIV-01-014 Validate status_id and campaign_type_id for camapginSummary function and the source_record_id and activity_type_id for Activity delete function

4 years agosecurity/core#40 Purify activity details when viewing case activities and case reports
Seamus Lee [Sun, 9 Feb 2020 08:32:48 +0000 (19:32 +1100)]
security/core#40 Purify activity details when viewing case activities and case reports

4 years agosecurity/core#60 - Fix PHP Object Injection via Phar Deserialization
Patrick Figel [Tue, 18 Feb 2020 19:44:11 +0000 (20:44 +0100)]
security/core#60 - Fix PHP Object Injection via Phar Deserialization

This mitigates Phar deserialization vulnerabilities by registering an
alternative Phar stream wrapper that filters out insecure Phar files.

PHP makes it possible to trigger Object Injection vulnerabilities by using
a side-effect of the phar:// stream wrapper that unserializes Phar
metadata. To mitigate this vulnerability, projects such as TYPO3 and Drupal
have implemented an alternative Phar stream wrapper that disallows
inclusion of phar files based on certain parameters. This change implements
a similar approach for Civi in environments where the vulnerability isn't
mitigated by the CMS.

Fixes security/core#60

4 years agoCIV-01-021 - Improve entity name sanitization
Tim Otten [Wed, 4 Mar 2020 02:54:50 +0000 (18:54 -0800)]
CIV-01-021 - Improve entity name sanitization

Before
------

* There exist two functions which purport to take an API entity name and sanitize it,
  producing a canonical API entity name. (`\Civi\API\Request::normalizeEntityName`
  and `_civicrm_api_get_camel_name`)
* The two functions are identical for typical inputs. Both call `convertStringToCamel()`.
* The difference relates to unusual/unspecified input characters like `/` or `.` or `+`.
   * `_civicrm_api_get_camel_name()` allows/returns unusual characters.
   * `normalizeEntityName()` filters them out via `\CRM_Utils_String::munge()`

After
-----

* `_civicrm_api_get_camel_name()` just calls `normalizeEntityName()`
* A unit-test provides some comparison/contrast between the old+new behaviors.

Comments
--------

I came into this because CIV-01-021 pointed out that `_civicrm_api_get_camel_name()` had
insufficient sanitization of wonky inputs and could potentially lead to unexpected file-reads.

You can potentially address those wonky inputs by filtering them out or by throwing an exception.
I initially started doing an exception... but it turned out that `normalizeEntityName()` was already
filtering out and didn't really need a change. Also, regardless of the policy, the functions should be
brought into alignment.

Anyway, it seemed like this was the simpler change - it keeps `normalizeEntityName()` working exactly
as before, and only changes `_civicrm_api_get_camel_name()` to match.

4 years agosecurity/core#73 - Fix Contact.getquick API key exposure
Patrick Figel [Tue, 18 Feb 2020 20:54:05 +0000 (21:54 +0100)]
security/core#73 - Fix Contact.getquick API key exposure

This fixes an issue where API keys can be exposed via the field_name
parameter of the Contact.getquick API. Since there is no valid use-case
for requesting API keys via getquick, the fix simply triggers an API
error if the API key is requested.