Eileen McNaughton [Sat, 2 Mar 2019 01:07:50 +0000 (14:07 +1300)]
Merge pull request #13743 from greenpeace-cee/fix-tag-search
CRM/Contact - Fix fatal error on tag search
Patrick Figel [Fri, 1 Mar 2019 18:28:27 +0000 (19:28 +0100)]
CRM/Contact - Fix fatal error on tag search
This fixes a fatal error caused by the CommaSeparatedIntegers not
accepting empty strings. This can be triggered by performing a
search with "Tag(s) IS NULL" using the search builder.
Eileen McNaughton [Fri, 1 Mar 2019 06:50:26 +0000 (19:50 +1300)]
Merge pull request #13734 from eileenmcnaughton/mem
dev/membership#10 fix incorrect validation error saying Start date must be the same or later than Member since
Seamus Lee [Fri, 1 Mar 2019 04:03:01 +0000 (15:03 +1100)]
Merge pull request #13738 from jitendrapurohit/core-768-rc
dev/core#768 - Fix fatal error on group search
Eileen McNaughton [Fri, 1 Mar 2019 03:43:21 +0000 (16:43 +1300)]
Merge pull request #13737 from seamuslee001/pdf_receipts_fix_enotice
Fix up e-notice error when using a user from email address same issue…
Jitendra Purohit [Fri, 1 Mar 2019 02:39:31 +0000 (08:09 +0530)]
dev/core#768 - Fix fatal error on group search
Seamus Lee [Fri, 1 Mar 2019 00:28:00 +0000 (11:28 +1100)]
Fix up e-notice error when using a user from email address same issue as dev/core#644
eileen [Thu, 28 Feb 2019 22:33:13 +0000 (11:33 +1300)]
dev/membership#10 fix incorrect validation error saying Start date must be the same or later than Member since
This problem is because both dates exclude time but the default setting includes it - leading to a
comparison of a datetime with a date+midnight time
Eileen McNaughton [Thu, 28 Feb 2019 20:59:46 +0000 (09:59 +1300)]
Merge pull request #13723 from eileenmcnaughton/5.11
financial#46 - clean money format at form layer - Fix mistreatment of event fees > 1000 when saving
Eileen McNaughton [Thu, 28 Feb 2019 19:47:11 +0000 (08:47 +1300)]
Merge pull request #13725 from JMAConsulting/CRM-21754-rc
Don't break loop if address fields not found while formatting rows in Reports
Monish Deb [Thu, 28 Feb 2019 09:49:29 +0000 (15:19 +0530)]
Don't break loop if address fields not found while formatting rows in Reports
eileen [Thu, 28 Feb 2019 06:01:39 +0000 (19:01 +1300)]
Fix mistreatment of event fees > 1000 when saving
Eileen McNaughton [Thu, 28 Feb 2019 05:33:35 +0000 (18:33 +1300)]
Merge pull request #13721 from MegaphoneJon/5.11
financial#46 - clean money format at form layer
Eileen McNaughton [Thu, 28 Feb 2019 05:23:20 +0000 (18:23 +1300)]
Merge pull request #13711 from greenpeace-cee/fix-multi-currency-soft-credit
dev/core#756 - CRM/Contribute - Fix multi-currency soft credit summary
Jon Goldberg [Thu, 28 Feb 2019 03:24:40 +0000 (22:24 -0500)]
financial#46 - clean money format at form layer
Patrick Figel [Tue, 26 Feb 2019 20:06:13 +0000 (21:06 +0100)]
dev/core#756 - CRM/Contribute - Fix multi-currency soft credit summary
This fixes an exception caused by multiple currencies being passed to
CRM_Utils_Money::format. It also resolves some inconsistencies in how
the summary table is rendered for soft credits.
colemanw [Tue, 26 Feb 2019 17:44:48 +0000 (12:44 -0500)]
Merge pull request #13709 from JMAConsulting/dev-core#757-rc
Viewing Contact Note comments is broken in 5.10.4.
Ken West [Tue, 26 Feb 2019 11:33:52 +0000 (22:33 +1100)]
Viewing Contact Note comments is broken in 5.10.4.
Update Javascript to use Note-NNNNN rather than cnote_NNNN as the ID of Note rows.
Completes change started in commit 57abcbbf5cf85b1266377e0ad9af4fb5865d5bc0.
Seamus Lee [Sat, 23 Feb 2019 04:41:59 +0000 (15:41 +1100)]
Merge pull request #13683 from seamuslee001/5_11_5_10_4_Release_Notes
Add in 5.10.4 Release notes
Seamus Lee [Fri, 22 Feb 2019 23:02:29 +0000 (10:02 +1100)]
Add in 5.10.4 Release notes
Eileen McNaughton [Sat, 23 Feb 2019 01:08:31 +0000 (14:08 +1300)]
Merge pull request #13673 from eileenmcnaughton/511geocode
Remove tests that no longer work due to dead service
Seamus Lee [Fri, 22 Feb 2019 23:18:25 +0000 (10:18 +1100)]
Merge pull request #13663 from seamuslee001/lab_core_747
Hotfix for dev/core#747 To fix generation of contact image urls
Seamus Lee [Fri, 22 Feb 2019 21:00:43 +0000 (08:00 +1100)]
Extract checking of filename into own function and add tests
Eileen McNaughton [Fri, 22 Feb 2019 20:23:28 +0000 (09:23 +1300)]
Merge pull request #13670 from MegaphoneJon/reporting-10-rc
reporting#10 - fix pagination on Contribution Detail report
eileen [Sun, 17 Feb 2019 01:42:47 +0000 (14:42 +1300)]
Remove tests that no longer work due to dead service
Jon Goldberg [Fri, 22 Feb 2019 02:06:13 +0000 (21:06 -0500)]
reporting#10 - fix pagination on Contribution Detail report
Tim Otten [Fri, 22 Feb 2019 08:24:49 +0000 (00:24 -0800)]
CRM_Core_Page_File - Only delivers directly under the customFileUploadDir
Tim Otten [Fri, 22 Feb 2019 08:22:03 +0000 (00:22 -0800)]
CRM_Core_Page_File - Fix warning when using filename mode
The idea here is that `id+eid+fcs` and `filename` are two separate modes.
In `filename` mode, you don't need warnings about the missing `fcs`.
Tim Otten [Fri, 22 Feb 2019 06:45:45 +0000 (22:45 -0800)]
CRM_Core_Page_File - More consistent capitalization/prose
Seamus Lee [Fri, 22 Feb 2019 05:38:57 +0000 (16:38 +1100)]
Merge pull request #13662 from seamuslee001/hotfix_746
Deploy hotfix to fix dev/core#746 until tests can be written for fix
Seamus Lee [Fri, 22 Feb 2019 01:11:53 +0000 (12:11 +1100)]
Deploy hotfix to fix dev/core#746 until tests can be written for fix
Fix GroupContactCacheTest
Seamus Lee [Fri, 22 Feb 2019 01:25:38 +0000 (12:25 +1100)]
Hotfix for dev/core#747 To fix generation of contact image urls
Eileen McNaughton [Fri, 22 Feb 2019 00:42:32 +0000 (13:42 +1300)]
Merge pull request #13660 from seamuslee001/5.11
5.11 - merge in security
Tim Otten [Thu, 21 Feb 2019 06:38:50 +0000 (22:38 -0800)]
release-notes/5.10.3.md - Update "Feedback" to be... closer to reality wrt SA's
Tim Otten [Thu, 21 Feb 2019 06:27:09 +0000 (22:27 -0800)]
release-notes/5.10.3.md - TOC should match actual headings
Seamus Lee [Sat, 16 Feb 2019 03:59:52 +0000 (14:59 +1100)]
Add in 5.10.3 Security Release Notes
Seamus Lee [Tue, 19 Feb 2019 01:39:50 +0000 (12:39 +1100)]
Fix file e-notice by using the correct url variables
Seamus Lee [Wed, 13 Feb 2019 23:33:45 +0000 (10:33 +1100)]
Fix variables to match image file hash generation
Tim Otten [Wed, 13 Feb 2019 22:34:33 +0000 (14:34 -0800)]
CRM_Profile_Form - Add fcs for download link on custom field
Tim Otten [Wed, 13 Feb 2019 20:58:33 +0000 (12:58 -0800)]
(REF) Clearer docblocks and file names
Tim Otten [Wed, 13 Feb 2019 20:50:02 +0000 (12:50 -0800)]
Fix multiple issues with file URLs. Use clearer variables and docblocks to reduce confusion.
Seamus Lee [Wed, 13 Feb 2019 20:09:26 +0000 (07:09 +1100)]
Try and use the correct variable for file id in custom field uploads and use the standard checksum timeout as well
Tim Otten [Tue, 12 Feb 2019 23:58:57 +0000 (15:58 -0800)]
generateFileHash() - If we can't generate a secure one, then don't generate any token
Falling back to a constant negates any security benefit of using a hash.
IMHO, the edge-case where `CIVICRM_SITE_KEY` is missing should be
obscure/rare and signifies broader problems for the deployment. It needs to
be corrected. If you're worried that having an error-symptom here is too
obscure, then let's add a more prominent error-message via
`CRM_Utils_Check`.
NOTE: There is one pre-existing case in core where (in absence of a key) it
proceeds with a constant in lieu of a `CIVICRM_SITE_KEY`. Specifically,
`CRM_Core_Error::generateLogFileHash()`. That is not a good example to
follow because it is qualitatively different:
* In `generateLogFileHash()`, `CIVICRM_SITE_KEY` functions as one of
multiple redundant security mechanisms -- e.g. even if
`CIVICRM_SITE_KEY` is missing, the log file remains hard-to-access because
(1) the DSN is part of the hash and (2) the httpd protects `ConfigAndLog`.
(Contrast: The file-hash-code is not *redundant* in the same way.)
* In the context of logging, raising any error (even if it's a real error
condition) can provoke a weird loop (because then that error needs to be
logged). The log needs to avoid such loops. (Contrast:
`generateFileHash()` is part of the normal post-boot application logic, so
it's free to register errors normally.)
Tim Otten [Tue, 12 Feb 2019 23:50:40 +0000 (15:50 -0800)]
generateFileHash() and validateFileHash() should be colocated
The two functions (`generateFileHash()` and `validateFileHash()`) are
tightly-coupled. Most changes to one would require a matching change in the
other. So they should be parallel.
It'd be OK to say "the hash formula is a general utility for any party using
file APIs" (so put `generateFileHash()` and `validateFileHash()` in `CRM_Core_BAO_File`).
It'd be OK to say "the hash formula is specific to the end-point/page which
serves files" (so put `generateFileHash()` and `validateFileHash()` in
`CRM_Core_Page_File`).
The former feels a bit more accurate, so I pushed it toward that.
Seamus Lee [Mon, 4 Feb 2019 21:48:25 +0000 (08:48 +1100)]
Switch to Sha256 and add in a ttl
Further WHIP fixing hmac implementation now need to get it generating consistent hashes
Remove debugging
Seamus Lee [Tue, 22 Jan 2019 19:11:45 +0000 (06:11 +1100)]
Block access if no Hash is supplied
Seamus Lee [Fri, 18 Jan 2019 22:01:17 +0000 (09:01 +1100)]
security/core#26 Add in a generated Hash to download files so that URLs can't just be tested by anon users
Seamus Lee [Fri, 8 Feb 2019 03:46:36 +0000 (14:46 +1100)]
prevent timing attacks on the contact checksum validation
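The download-token scheme described in the commits above (an HMAC over the file identifiers, SHA-256, a TTL, no token issued or accepted when `CIVICRM_SITE_KEY` is missing, and a constant-time comparison to avoid timing attacks), as an added PHP example. This is not CiviCRM's own code: the function names, the `<expires>.<hmac>` token layout and the one-week TTL are assumptions made for the illustration.

```php
<?php
// Added example, not CiviCRM's own code. Function names, the token layout
// ("<expires>.<hmac>") and the TTL are assumptions made for this illustration.

const FILE_TOKEN_TTL = 7 * 86400; // assumption: tokens are valid for one week

/**
 * Issue a download token bound to a file id and an entity id.
 * Returns NULL (no token at all) when the site key is missing: falling back
 * to a constant would let anyone compute a "valid" token.
 */
function generateFileToken(int $fileId, int $entityId, string $siteKey, ?int $now = NULL): ?string {
  if ($siteKey === '') {
    return NULL;
  }
  $expires = ($now ?? time()) + FILE_TOKEN_TTL;
  // The expiry is part of the signed data, so it cannot be extended by the client.
  $mac = hash_hmac('sha256', "{$fileId}.{$entityId}.{$expires}", $siteKey);
  return "{$expires}.{$mac}";
}

/**
 * Validate a token for a file request. Fails closed when no token is
 * supplied, when the key is missing, when the token has expired, or when
 * the MAC does not match (compared in constant time with hash_equals()).
 */
function validateFileToken(int $fileId, int $entityId, ?string $token, string $siteKey, ?int $now = NULL): bool {
  if ($siteKey === '' || $token === NULL || $token === '') {
    return FALSE;
  }
  $parts = explode('.', $token, 2);
  if (count($parts) !== 2 || !preg_match('/^\d+$/', $parts[0])) {
    return FALSE;
  }
  [$expires, $mac] = $parts;
  if ((int) $expires < ($now ?? time())) {
    return FALSE;
  }
  // Recompute over the same inputs and compare without short-circuiting on
  // the first differing byte.
  $expected = hash_hmac('sha256', "{$fileId}.{$entityId}.{$expires}", $siteKey);
  return hash_equals($expected, $mac);
}

// Constructed demo values (not real site data).
$siteKey = 'constructed-demo-site-key';
$token = generateFileToken(12, 34, $siteKey);
var_dump(validateFileToken(12, 34, $token, $siteKey));                       // matching ids
var_dump(validateFileToken(12, 35, $token, $siteKey));                       // different entity id
var_dump(validateFileToken(12, 34, NULL, $siteKey));                         // no token supplied
var_dump(validateFileToken(12, 34, $token, $siteKey, time() + 8 * 86400));   // past the TTL
var_dump(generateFileToken(12, 34, ''));                                     // no site key configured
```

Because the expiry is covered by the MAC, a client cannot lengthen a token's lifetime by editing the first field, and because validation returns FALSE rather than falling back when the key is absent, a misconfigured deployment surfaces as a visible failure instead of silently serving files.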
eileen [Mon, 14 Jan 2019 04:03:28 +0000 (17:03 +1300)]
Remove support for passing a filename into civicrm/file.
I can find no evidence this is used & it feels like a security risk, albeit they still need
the path
eileen [Mon, 14 Jan 2019 01:25:29 +0000 (14:25 +1300)]
Remove unused file parameters
Coleman Watts [Wed, 23 Jan 2019 02:14:03 +0000 (21:14 -0500)]
security/core#33 - Patch jQuery for CVE-2015-9251
See https://github.com/jquery/jquery/issues/2432#issuecomment-403761229
This will no longer be needed after upgrading to jQuery 3.x.
Tim Otten [Tue, 15 Jan 2019 00:01:26 +0000 (16:01 -0800)]
(NFC) Cleanup new docblocks
Tim Otten [Mon, 14 Jan 2019 23:58:53 +0000 (15:58 -0800)]
Follow-up security/core#25 - Consistently change interface
The previous commit 4c1e702f96403bdc84b6900027d1be61ea601321 expanded the
signature of `fillWithSql()` to accept a third argument, but it wasn't
consistent about whether the third argument was optional or required.
This makes it consistently optional (default `[]`).
Seamus Lee [Sat, 27 Oct 2018 21:44:08 +0000 (08:44 +1100)]
Resolve security/core#25 Escape use of cacheKey to prevent SQLI when populating the prevNextCache
Security #25 Update Redis implementation to match function sig of interface function
Patrick Figel [Sun, 6 Jan 2019 17:30:30 +0000 (18:30 +0100)]
security/core#16 - Smarty - Fix XSS in crmMoney plugin
This fixes an XSS in the crmMoney smarty plugin by checking the
currency against the currency list and adds some basic tests.
Fixes security/core#16
Patrick Figel [Sun, 6 Jan 2019 21:16:40 +0000 (22:16 +0100)]
security/core#28 - CRM_Contact - Use uniqid() for table alias
Patrick Figel [Sat, 27 Oct 2018 19:08:32 +0000 (21:08 +0200)]
security/core#28 - CRM_Contact - Fix SQL injection in group/tag search
This fixes various SQL injections in CRM_Contact_BAO_Query in the group
and tag search code. CRM_Contact_BAO_Query is used by the API and some
other core features such as the advanced contact search.
For CRM_Contact_BAO_Query::tag, the lack of input validation meant that
API syntax that would typically not work for other parameters works for
tag search, so the fix attempts to not break backwards-compatibility
for API calls like Contact.get tag="1, 2" (i.e. using a comma-separated
list with spaces).
Seamus Lee [Sun, 30 Dec 2018 01:09:45 +0000 (12:09 +1100)]
security/core#32 Fix Reflected XSS in Logging Detail report
Seamus Lee [Sat, 27 Oct 2018 04:08:25 +0000 (15:08 +1100)]
Also Purify the output of the frozen entity reference and that of a select2 output as well
Seamus Lee [Tue, 3 Jul 2018 23:49:35 +0000 (09:49 +1000)]
Resolve #9 by purifying label of entity reference values
Seamus Lee [Tue, 19 Feb 2019 05:44:08 +0000 (16:44 +1100)]
Merge pull request #13637 from jitendrapurohit/core737
dev/core#737 - SMS not sent if 'Send Immediately' option is chosen on…
Jitendra Purohit [Tue, 19 Feb 2019 04:02:20 +0000 (09:32 +0530)]
dev/core#737 - SMS not sent if 'Send Immediately' option is chosen on the last screen
Eileen McNaughton [Sat, 16 Feb 2019 23:33:06 +0000 (12:33 +1300)]
Merge pull request #13613 from colemanw/openCampaignWidget
Auto-open campaign widget and sort by start date
Coleman Watts [Sat, 16 Feb 2019 21:25:18 +0000 (16:25 -0500)]
Auto-open campaign widget and sort by start date
Seamus Lee [Thu, 14 Feb 2019 22:26:45 +0000 (09:26 +1100)]
Merge pull request #13599 from seamuslee001/5.11
Add in release notes for 5.10.2
Tim Otten [Thu, 14 Feb 2019 22:14:38 +0000 (14:14 -0800)]
Update 5.10.2.md
Tim Otten [Thu, 14 Feb 2019 22:14:19 +0000 (14:14 -0800)]
Update 5.10.2.md
Minor copy-edits:
* Punctuation to match other point-release docs
* Use consistent reverse-alpha in credits
* Add some more authors+reviewers from Github
Seamus Lee [Thu, 14 Feb 2019 21:45:19 +0000 (08:45 +1100)]
Merge pull request #13593 from eileenmcnaughton/acl_regression
dev/core#721 Fix regression on refreshing group_contact cache before checking acls
Seamus Lee [Thu, 14 Feb 2019 20:34:43 +0000 (07:34 +1100)]
Add in release notes for 5.10.2
Update release notes as per Eileen's comment
Add in notes on merge of dev/core#715 fix
eileen [Thu, 14 Feb 2019 05:37:14 +0000 (18:37 +1300)]
Fix regression on refreshing group_contact cache before checking acls
We seem to be checking if the cache needs a rebuild and IF SO doing 2 actions
1) rebuilding it
2) permitting access to contacts related to it
When really it should do only 1) above - this patch changes as such
This seems to be whackamole off https://github.com/civicrm/civicrm-core/pull/12344
going too far one way & https://github.com/civicrm/civicrm-core/pull/13448
fixing but adding this new variant
Eileen McNaughton [Wed, 13 Feb 2019 01:46:07 +0000 (14:46 +1300)]
Merge pull request #13581 from colemanw/dev/core#715
dev/core#715 - Fix delete action on RelationshipType form
Coleman Watts [Tue, 12 Feb 2019 17:08:48 +0000 (12:08 -0500)]
dev/core#715 - Fix delete action on RelationshipType form
Eileen McNaughton [Tue, 12 Feb 2019 02:23:03 +0000 (15:23 +1300)]
Merge pull request #13575 from seamuslee001/5_10_1_release_notes_11
Release notes for 5.10.1 release
Seamus Lee [Mon, 11 Feb 2019 22:46:38 +0000 (09:46 +1100)]
Merge pull request #13572 from eileenmcnaughton/cc_511
Fix regression whereby making receive_date required breaks back offic…
Seamus Lee [Mon, 11 Feb 2019 21:09:03 +0000 (08:09 +1100)]
Release notes for 5.10.1 release
eileen [Mon, 11 Feb 2019 20:16:22 +0000 (09:16 +1300)]
Fix regression whereby making receive_date required breaks back office cc
Regression from https://lab.civicrm.org/dev/core/issues/680
led to https://civicrm.stackexchange.com/questions/28410/unable-to-take-credit-card-payment-after-civi-update
CiviCRM [Thu, 7 Feb 2019 01:44:56 +0000 (01:44 +0000)]
Set version to 5.11.beta1
Tim Otten [Thu, 7 Feb 2019 01:40:32 +0000 (20:40 -0500)]
Merge pull request #13552 from seamuslee001/master
Update 5.10.0.md
Tim Otten [Thu, 7 Feb 2019 00:30:09 +0000 (19:30 -0500)]
Update 5.10.0.md
Seamus Lee [Wed, 6 Feb 2019 22:10:40 +0000 (09:10 +1100)]
Merge pull request #13550 from civicrm/5.10
5.10
Seamus Lee [Wed, 6 Feb 2019 20:47:11 +0000 (12:47 -0800)]
Merge pull request #13494 from agh1/5.10.0-releasenotes
5.10.0 release notes
colemanw [Wed, 6 Feb 2019 18:01:47 +0000 (13:01 -0500)]
Merge pull request #13544 from pradpnayak/ContactImage
core/issues/698, send correct MIME type for .jpg files
Andrew Hunt [Wed, 6 Feb 2019 14:49:40 +0000 (09:49 -0500)]
5.10.0 release notes: late changes, credits, and last-minute fixes
Tim Otten [Wed, 16 Jan 2019 22:12:16 +0000 (14:12 -0800)]
Add release-notes/5.9.1.md
Alice Frumin [Wed, 6 Feb 2019 14:29:08 +0000 (09:29 -0500)]
5.10.0 release notes: bulk of edits
* pulling out misc and organizing lines with gitlab issue numbers
* linking to gitlab issues
* update lines with gitlab issues to have the gitlab titles
* progress
* second pass
* finished first pass of notes
* deleting rows related to merge
* reorganizing sections
Andrew Hunt [Tue, 22 Jan 2019 19:05:14 +0000 (14:05 -0500)]
5.10.0 release notes: added boilerplate
Andrew Hunt [Tue, 22 Jan 2019 19:01:53 +0000 (14:01 -0500)]
5.10.0 release notes: raw from script
Eileen McNaughton [Wed, 6 Feb 2019 04:19:03 +0000 (17:19 +1300)]
Merge pull request #13548 from civicrm/5.10
5.10 to master
Monish Deb [Wed, 6 Feb 2019 04:16:32 +0000 (09:46 +0530)]
Merge pull request #13536 from eileenmcnaughton/export_sc
dev/core#651 Fix group by on export soft credits (possible recent regression, clearly wrong).
Eileen McNaughton [Wed, 6 Feb 2019 02:19:44 +0000 (15:19 +1300)]
Merge pull request #13547 from eileenmcnaughton/master
Re-run gencode for fix on PriceField DAO
eileen [Tue, 5 Feb 2019 22:22:03 +0000 (11:22 +1300)]
Re-run gencode for fix on PriceField DAO
Eileen McNaughton [Tue, 5 Feb 2019 21:42:08 +0000 (10:42 +1300)]
Merge pull request #13546 from civicrm/5.10
5.10 to master
Pradeep Nayak [Tue, 5 Feb 2019 19:40:36 +0000 (19:40 +0000)]
Added a few more MIME types that need an override
Eileen McNaughton [Tue, 5 Feb 2019 20:27:39 +0000 (09:27 +1300)]
Merge pull request #13403 from pradpnayak/FieldLength
Do not allow entering more than the max length of the field
eileen [Tue, 5 Feb 2019 06:04:21 +0000 (19:04 +1300)]
dev/core#651 Fix group by on export soft credits (possible recent regression, clearly wrong).
As pointed out by the reporter, the group by is being calculated as if it were a string, but it's an array; this fixes that.
This code has been touched recently so it might be a recent regression. 5.10 is the first release in a long time where
export is working in some mysql / output configs after a big refactor to get rid of wide temp tables
Pradeep Nayak [Tue, 5 Feb 2019 18:06:44 +0000 (18:06 +0000)]
core/issues/698, send correct MIME type for .jpg files
Pradeep Nayak [Tue, 5 Feb 2019 16:14:33 +0000 (16:14 +0000)]
Use addField to generate form fields on Note form
Monish Deb [Tue, 5 Feb 2019 13:51:09 +0000 (19:21 +0530)]
Merge pull request #13537 from eileenmcnaughton/cont_comp
dev/core#680 make receive_date required on backoffice contribution form
Monish Deb [Tue, 5 Feb 2019 13:50:19 +0000 (19:20 +0530)]
Merge pull request #13390 from MegaphoneJon/core-609
fixes core#609 - view 'Advanced Search' links without 'view all conta…
eileen [Tue, 5 Feb 2019 08:07:16 +0000 (21:07 +1300)]
dev/core#680 make receive_date required on backoffice contribution form
and api
Discussion on https://lab.civicrm.org/dev/core/issues/680#note_13205