Seamus Lee [Sun, 24 Feb 2019 02:28:38 +0000 (13:28 +1100)]
Merge pull request #13634 from eileenmcnaughton/fin_type_speed
[NFC, test class] formatting, remove unused variables
Eileen McNaughton [Sun, 24 Feb 2019 00:56:01 +0000 (13:56 +1300)]
Merge pull request #13644 from mfb/temporary-tables
Refactor CRM_Utils_SQL_TempTable::build()->createWithQuery($sql) interface to support MEMORY tabls
Seamus Lee [Sat, 23 Feb 2019 07:23:37 +0000 (18:23 +1100)]
Merge pull request #13685 from seamuslee001/tests_746
dev/core#746 Add in unit tests to ensure that where clause is as is w…
Seamus Lee [Sat, 23 Feb 2019 06:08:28 +0000 (17:08 +1100)]
Merge pull request #13684 from civicrm/5.11
5.11
Seamus Lee [Sat, 23 Feb 2019 05:55:04 +0000 (16:55 +1100)]
dev/core#746 Add in unit tests to ensure that where clause is as is when multiple smart group where clauses are used in search builder
Add in a check of from clauses too
Seamus Lee [Sat, 23 Feb 2019 04:41:59 +0000 (15:41 +1100)]
Merge pull request #13683 from seamuslee001/5_11_5_10_4_Release_Notes
Add in 5.10.4 Release notes
Monish Deb [Sat, 23 Feb 2019 03:51:53 +0000 (09:21 +0530)]
Merge pull request #13669 from eileenmcnaughton/payment_format
Payment notification formatting, move greeting into table
Seamus Lee [Fri, 22 Feb 2019 23:02:29 +0000 (10:02 +1100)]
Add in 5.10.4 Release notes
Eileen McNaughton [Sat, 23 Feb 2019 01:10:55 +0000 (14:10 +1300)]
Merge pull request #13675 from greenpeace-cee/fix-logtable-exceptions
CRM/Logging - Fix log table exceptions
Eileen McNaughton [Sat, 23 Feb 2019 01:08:31 +0000 (14:08 +1300)]
Merge pull request #13673 from eileenmcnaughton/511geocode
Remove tests that no longer work due to dead service
Seamus Lee [Fri, 22 Feb 2019 23:37:33 +0000 (10:37 +1100)]
Merge pull request #13678 from MegaphoneJon/reporting-10-test
test for reporting#10
Seamus Lee [Fri, 22 Feb 2019 23:18:25 +0000 (10:18 +1100)]
Merge pull request #13663 from seamuslee001/lab_core_747
Hotfix for dev/core#747 To fix generation of contact image urls
Jon Goldberg [Fri, 22 Feb 2019 21:53:38 +0000 (16:53 -0500)]
test for reporting#10
Seamus Lee [Fri, 22 Feb 2019 21:00:43 +0000 (08:00 +1100)]
Extract checking of filename into own function and add tests
Eileen McNaughton [Fri, 22 Feb 2019 20:34:52 +0000 (09:34 +1300)]
Merge pull request #13671 from MegaphoneJon/reporting-11
reporting-11 - fix Soft Credit report with full group by
Eileen McNaughton [Fri, 22 Feb 2019 20:23:48 +0000 (09:23 +1300)]
Merge pull request #13676 from civicrm/5.11
5.11 to master
Eileen McNaughton [Fri, 22 Feb 2019 20:23:28 +0000 (09:23 +1300)]
Merge pull request #13670 from MegaphoneJon/reporting-10-rc
reporting#10 - fix pagination on Contribution Detail report
Eileen McNaughton [Fri, 22 Feb 2019 20:01:20 +0000 (09:01 +1300)]
Merge pull request #13364 from mattwire/activitytype_pseudoconstant
REF Convert deprecated functions to buildOptions for case
Patrick Figel [Fri, 22 Feb 2019 19:38:30 +0000 (20:38 +0100)]
CRM/Logging - Fix log table exceptions
This fixes a bug that caused columns that were excluded from being
considered "log-worthy" changes to be logged anyway. That happened
because columns were extracted with backticks but compared to strings
without backticks. To preserve compatibility with exceptions set by
alterLogTables which could contain backticks, the comparison is
performed against the column name with and without backticks.
eileen [Sun, 17 Feb 2019 01:42:47 +0000 (14:42 +1300)]
Remove tests that no longer work due to dead service
Jon Goldberg [Fri, 22 Feb 2019 17:59:15 +0000 (12:59 -0500)]
reporting-11 - fix Soft Credit report with full group by
Jon Goldberg [Fri, 22 Feb 2019 02:06:13 +0000 (21:06 -0500)]
reporting#10 - fix pagination on Contribution Detail report
Matthew Wire (MJW Consulting) [Fri, 28 Dec 2018 12:59:36 +0000 (12:59 +0000)]
Replace deprecated activityType/activityStatus functions with buildOptions for cases
Monish Deb [Fri, 22 Feb 2019 11:17:11 +0000 (16:47 +0530)]
Merge pull request #13649 from eileenmcnaughton/payment
Switch additional payment form to use Payment.sendconfirmation api
eileen [Fri, 22 Feb 2019 10:37:30 +0000 (23:37 +1300)]
Payment notification formatting, move greeting into table
Tim Otten [Fri, 22 Feb 2019 08:24:49 +0000 (00:24 -0800)]
CRM_Core_Page_File - Only delivers directly under the customFileUploadDir
Tim Otten [Fri, 22 Feb 2019 08:22:03 +0000 (00:22 -0800)]
CRM_Core_Page_File - Fix warning when using filename mode
The idea here is that `id+eid+fcs` and `filename` are two separate modes.
In `filename` mode, you don't need warnings about the missing `fcs`.
Tim Otten [Fri, 22 Feb 2019 06:45:45 +0000 (22:45 -0800)]
CRM_Core_Page_File - More consistent capitalization/prose
Seamus Lee [Fri, 22 Feb 2019 05:38:57 +0000 (16:38 +1100)]
Merge pull request #13662 from seamuslee001/hotfix_746
Deploy hotfix to fix dev/core#746 until tests can be written for fix
Seamus Lee [Fri, 22 Feb 2019 01:11:53 +0000 (12:11 +1100)]
Deploy hotfix to fix dev/core#746 until tests can be written for fix
Fix GroupContactCacheTest
Seamus Lee [Fri, 22 Feb 2019 01:25:38 +0000 (12:25 +1100)]
Hotfix for dev/core#747 To fix generation of contact image urls
Eileen McNaughton [Fri, 22 Feb 2019 00:47:16 +0000 (13:47 +1300)]
Merge pull request #13661 from eileenmcnaughton/master
5.11 to master
eileen [Fri, 22 Feb 2019 00:46:16 +0000 (13:46 +1300)]
Merge branch '5.11' of https://github.com/civicrm/civicrm-core
Eileen McNaughton [Fri, 22 Feb 2019 00:42:32 +0000 (13:42 +1300)]
Merge pull request #13660 from seamuslee001/5.11
5.11 - merge in security
eileen [Wed, 20 Feb 2019 13:13:44 +0000 (02:13 +1300)]
Switch Additional Payment to call Payment.send_confirmation api, strip out text
eileen [Wed, 20 Feb 2019 12:38:46 +0000 (01:38 +1300)]
Switch to greeting for better, more consistent results in tpl, remove print statement
eileen [Wed, 20 Feb 2019 12:05:17 +0000 (01:05 +1300)]
Add test for receipt output (test written to pre-change output)
Tim Otten [Thu, 21 Feb 2019 06:38:50 +0000 (22:38 -0800)]
release-notes/5.10.3.md - Update "Feedback" to be... closer to reality wrt SA's
Tim Otten [Thu, 21 Feb 2019 06:27:09 +0000 (22:27 -0800)]
release-notes/5.10.3.md - TOC should match actual headings
Seamus Lee [Sat, 16 Feb 2019 03:59:52 +0000 (14:59 +1100)]
Add in 5.10.3 Security Release Notes
Seamus Lee [Tue, 19 Feb 2019 01:39:50 +0000 (12:39 +1100)]
Fix file e-notice by using the correct url variables
Seamus Lee [Wed, 13 Feb 2019 23:33:45 +0000 (10:33 +1100)]
Fix variables to match image file hash generation
Tim Otten [Wed, 13 Feb 2019 22:34:33 +0000 (14:34 -0800)]
CRM_Profile_Form - Add fcs for download link on custom field
Tim Otten [Wed, 13 Feb 2019 20:58:33 +0000 (12:58 -0800)]
(REF) Clearer docblocks and file names
Tim Otten [Wed, 13 Feb 2019 20:50:02 +0000 (12:50 -0800)]
Fix multiple issues with file URLs. Use clearer variables and docblocks to reduce confusion.
Seamus Lee [Wed, 13 Feb 2019 20:09:26 +0000 (07:09 +1100)]
Try and use the correct variable for file id in custom field uploads and use the standard checksum timout as well
Tim Otten [Tue, 12 Feb 2019 23:58:57 +0000 (15:58 -0800)]
generateFileHash() - If we can't generate a secure, then don't generate any token
Falling back to a constant negates any security benefit of using a hash.
IMHO, the edge-case where `CIVICRM_SITE_KEY` is missing should be
obscure/rare and signifies broader problems for the deployment. It needs to
be corrected. If you're worried that having an error-symptom here is too
obscure, then let's add a more prominent error-message via
`CRM_Utils_Check`.
NOTE: There is one pre-existing case in core where (in absence of a key) it
procedes with a constant in lieu of a `CIVICRM_SITE_KEY` . Specifically,
`CRM_Core_Error::generateLogFileHash()`. That is not a good example to
follow because it is qualitiatively different:
* In `generateLogFileHash`(), `CIVICRM_SITE_KEY` functions as one of
multiple redundant security mechanisms -- e.g. even if
`CIVICRM_SITE_KEY` is missing, the log file remains hard-to-access because
(1) the DSN is part of the hash and (2) the httpd protects `ConfigAndLog`.
(Contrast: The file-hash-code is not *redundant* in the same way.)
* In the context of logging, raising any error (even if it's real error
condition) can provoke a weird loop (because then that error needs to be
logged). The log needs to avoid such loops. (Contrast:
`generateFileHash()` is part of the normal post-boot application logic, so
it's free to register errors normally.)
Tim Otten [Tue, 12 Feb 2019 23:50:40 +0000 (15:50 -0800)]
generateFileHash() and validateFileHash() should be colocated
The two functions (`generateFileHash()` and `validateFileHash()`) are
tightly-coupled. Most changes to one would require a matching change in the
other. So they should be parallel.
It'd be OK to say "the hash formula is a general utility for any party using
file APIs" (so put `generateFileHash()` and `validateFileHash()` in `CRM_Core_BAO_File`).
It'd be OK to say "the hash formula is specific to the end-point/page which
serves files" (so put `generateFileHash()` and `validateFileHash()` in
`CRM_Core_Page_File`).
The former feels a bit more accurate, so I pushed it toward that.
Seamus Lee [Mon, 4 Feb 2019 21:48:25 +0000 (08:48 +1100)]
Switch to Sha256 and add in a ttl
Further WHIP fixing hmac implementation now need to get it generating consistant hashes
Remove debugging
Seamus Lee [Tue, 22 Jan 2019 19:11:45 +0000 (06:11 +1100)]
Block access if no Hash is supplied
Seamus Lee [Fri, 18 Jan 2019 22:01:17 +0000 (09:01 +1100)]
security/core#26 Add in a generated Hash to download files so that URLs can't just be tested by annon users
Seamus Lee [Fri, 8 Feb 2019 03:46:36 +0000 (14:46 +1100)]
prevent timing attacks on the contact checksum validation
eileen [Mon, 14 Jan 2019 04:03:28 +0000 (17:03 +1300)]
Remove support for passing a filename into civicrm/file.
I can find no evidence this is used & it feels like a security risk, albeit they still need
the path
eileen [Mon, 14 Jan 2019 01:25:29 +0000 (14:25 +1300)]
Remove unused file parameters
Coleman Watts [Wed, 23 Jan 2019 02:14:03 +0000 (21:14 -0500)]
security/core#33 - Patch jQuery for CVE-2015-9251
See https://github.com/jquery/jquery/issues/2432#issuecomment-
403761229
This will no longer be needed after upgrading to jQuery 3.x.
Tim Otten [Tue, 15 Jan 2019 00:01:26 +0000 (16:01 -0800)]
(NFC) Cleanup new docblocks
Tim Otten [Mon, 14 Jan 2019 23:58:53 +0000 (15:58 -0800)]
Follow-up security/core#25 - Consistently change interface
The previous commit
4c1e702f96403bdc84b6900027d1be61ea601321 expanded the
signature of `fillWithSql()` to accept a third argument, but it wasn't
consistent about whether the third argument was optional or required.
This makes it consistently optional (default `[]`).
Seamus Lee [Sat, 27 Oct 2018 21:44:08 +0000 (08:44 +1100)]
Resolve security/core#25 Escape use of cacheKey to prevent SQLI when populating the prevNextCache
Security #25 Update Redis implementation to match function sig of interface function
Patrick Figel [Sun, 6 Jan 2019 17:30:30 +0000 (18:30 +0100)]
security/core#16 - Smarty - Fix XSS in crmMoney plugin
This fixes an XSS in the crmMoney smarty plugin by checking the
currency against the currency list and adds some basic tests.
Fixes security/core#16
Patrick Figel [Sun, 6 Jan 2019 21:16:40 +0000 (22:16 +0100)]
security/core#28 - CRM_Contact - Use uniqid() for table alias
Patrick Figel [Sat, 27 Oct 2018 19:08:32 +0000 (21:08 +0200)]
security/core#28 - CRM_Contact - Fix SQL injection in group/tag search
This fixes various SQL injections in CRM_Contact_BAO_Query in the group
and tag search code. CRM_Contact_BAO_Query is used by the API and some
other core features such as the advanced contact search.
For CRM_Contact_BAO_Query::tag, the lack of input validation meant that
API syntax that would typically not work for other parameters works for
tag search, so the fix attempts to not break backwards-compatibility
for API calls like Contact.get tag="1, 2" (i.e. using a comma-separated
list with spaces).
Seamus Lee [Sun, 30 Dec 2018 01:09:45 +0000 (12:09 +1100)]
security/core#32 Fix Reflected XSS in Logging Detail report
Seamus Lee [Sat, 27 Oct 2018 04:08:25 +0000 (15:08 +1100)]
Also Purify the output of the frozen entity reference and that of a select2 output as well
Seamus Lee [Tue, 3 Jul 2018 23:49:35 +0000 (09:49 +1000)]
Resolve #9 by purifying label of entity reference values
Seamus Lee [Thu, 21 Feb 2019 23:55:17 +0000 (10:55 +1100)]
Merge pull request #13659 from francescbassas/patch-16
/dev/core#716 - Add decimals in Contribution Amount on Repeat Contrib…
Seamus Lee [Thu, 21 Feb 2019 23:50:21 +0000 (10:50 +1100)]
Merge pull request #13650 from eileenmcnaughton/order_by
[REF] minor code cleanup - do not build order var just to hurt brains
francescbassas [Thu, 21 Feb 2019 22:33:32 +0000 (23:33 +0100)]
/dev/core#716 - Add decimals in Contribution Amount on Repeat Contributions Report
mark burdett [Wed, 20 Feb 2019 00:46:46 +0000 (16:46 -0800)]
Provide API for creating TEMPORARY MEMORY tables.
colemanw [Thu, 21 Feb 2019 14:26:14 +0000 (09:26 -0500)]
Merge pull request #13656 from eileenmcnaughton/search_query
[REF] minor cleanup of groupBy definition.
eileen [Thu, 21 Feb 2019 09:33:59 +0000 (22:33 +1300)]
[REF] minor cleanup of groupBy definition.
If you read the code the groupBy statement creation can go with 'its friends'
and the groupBy in the removed line is overwritten. I'll extract this next ....
Monish Deb [Thu, 21 Feb 2019 08:34:46 +0000 (14:04 +0530)]
Merge pull request #13655 from eileenmcnaughton/payment_receipt
Update Payment Notification to use greeting, remove text to 'Please print this confirmation for your records.
eileen [Thu, 21 Feb 2019 01:56:56 +0000 (14:56 +1300)]
Update Payment Notification to use greeting, to not encourage printing
These changes are consistent with other changes. I also switched the parameters for when to include
extra detail to deprecate contributeMode
eileen [Wed, 20 Feb 2019 13:33:13 +0000 (02:33 +1300)]
[REF] minor code cleanup - do not build order var just to hurt brains
The order var is basically orderBy prepended by Order by - which is then stripped.
Just don't
Monish Deb [Wed, 20 Feb 2019 11:54:59 +0000 (17:24 +0530)]
Merge pull request #13610 from eileenmcnaughton/payment_conf2
Payment.sendconfirmation api - add further tpl variables.
Seamus Lee [Wed, 20 Feb 2019 00:48:15 +0000 (11:48 +1100)]
Merge pull request #13642 from eileenmcnaughton/atest
Authorizenet test - reduce chance of intermittent fails
eileen [Mon, 18 Feb 2019 23:20:59 +0000 (12:20 +1300)]
[NFC, test class] formatting, remove unused variables
eileen [Tue, 19 Feb 2019 23:07:26 +0000 (12:07 +1300)]
Authorizenet test - reduce chance of intermittent fails
I just saw this fail https://developer.authorize.net/api/reference/responseCodes.html?code=E00012
It seems we've already added uniqueness but we still hit a fail. Hopefully the timestamp
nature of uniqid + adding an extra degree of randomness will eliminate.
Also removed some deprecated params
eileen [Fri, 15 Feb 2019 20:57:44 +0000 (09:57 +1300)]
Update status comments
eileen [Fri, 15 Feb 2019 20:51:51 +0000 (09:51 +1300)]
Payment.sendconfirmation - add tpl var for fully paid
eileen [Fri, 15 Feb 2019 20:40:54 +0000 (09:40 +1300)]
Add thousandseparator variant to test
eileen [Fri, 15 Feb 2019 20:35:50 +0000 (09:35 +1300)]
Add refund relevant fields & tests to payment.sendconfirmation
Seamus Lee [Tue, 19 Feb 2019 19:42:21 +0000 (06:42 +1100)]
Merge pull request #13620 from eileenmcnaughton/signuptype
[unused code cleanup] Remove unused 'signupType' url support
Monish Deb [Tue, 19 Feb 2019 08:45:55 +0000 (14:15 +0530)]
Merge pull request #13609 from eileenmcnaughton/payment_conf
Payment.sendconfirmation api - add further tpl variables.
Eileen McNaughton [Tue, 19 Feb 2019 06:57:28 +0000 (19:57 +1300)]
Merge pull request #13534 from yashodha/dev-696
(dev/core#696) Changes to copied event phone and email reflects in or…
Eileen McNaughton [Tue, 19 Feb 2019 06:54:27 +0000 (19:54 +1300)]
Merge pull request #13639 from civicrm/5.11
5.11
Seamus Lee [Tue, 19 Feb 2019 05:46:05 +0000 (16:46 +1100)]
Merge pull request #13636 from eileenmcnaughton/strtolower
Remove another instance of 'lower'
Seamus Lee [Tue, 19 Feb 2019 05:44:08 +0000 (16:44 +1100)]
Merge pull request #13637 from jitendrapurohit/core737
dev/core#737 - SMS not sent if 'Send Immediately' option is chosen on…
Jitendra Purohit [Tue, 19 Feb 2019 04:02:20 +0000 (09:32 +0530)]
dev/core#737 - SMS not sent if 'Send Immediately' option is chosen on the last screen
eileen [Tue, 19 Feb 2019 03:38:41 +0000 (16:38 +1300)]
Remove another instance of 'lower'
We have removed almost all of these from the code base due to the performance cost
combined with the lack of any upside. Just found another
colemanw [Tue, 19 Feb 2019 01:36:17 +0000 (20:36 -0500)]
Merge pull request #13630 from eileenmcnaughton/goodbye_mode_and_median_hello_speed
dev/core#720 Remove median & mode stats from contribution summary in order to improve performance
colemanw [Mon, 18 Feb 2019 17:40:03 +0000 (12:40 -0500)]
Merge pull request #13629 from eileenmcnaughton/mailing_job_test_use
[Test changes] Mailing job test use
colemanw [Mon, 18 Feb 2019 17:27:28 +0000 (12:27 -0500)]
Merge pull request #13543 from mlutfy/fixDefaultPDFFormat
Fix html2pdf default PDF format when multiple pdf_format are available.
Eileen McNaughton [Mon, 18 Feb 2019 07:18:43 +0000 (20:18 +1300)]
Merge pull request #13631 from colemanw/entityRefs3
EntityRef - standardize on PascalCase for entity name and fix minor bug
Eileen McNaughton [Mon, 18 Feb 2019 07:18:30 +0000 (20:18 +1300)]
Merge pull request #13632 from colemanw/CRM_Report_Form_Event
[REF] Remove useless class CRM_Report_Form_Event
eileen [Mon, 18 Feb 2019 01:17:37 +0000 (14:17 +1300)]
Remove multiple currency handling as it seems to make it format worse
eileen [Mon, 18 Feb 2019 00:36:39 +0000 (13:36 +1300)]
Deprecate computeStats off to the one place that still uses it.
We MIGHT have reports calling it so to avoid a fatal we will not remove the function just yet
eileen [Mon, 18 Feb 2019 00:31:00 +0000 (13:31 +1300)]
Remove median & mode stats from contribution summary in order to improve performance
Eileen McNaughton [Mon, 18 Feb 2019 04:31:18 +0000 (17:31 +1300)]
Merge pull request #13579 from mattwire/contributionrecur_metadata
Contribution/ContributionRecur metadata updates for EntityForm
Coleman Watts [Mon, 18 Feb 2019 04:16:36 +0000 (23:16 -0500)]
Remove useless class CRM_Report_Form_Event
Coleman Watts [Mon, 18 Feb 2019 03:55:21 +0000 (22:55 -0500)]
Use PascalCase with CRM_Core_Form::addEntityRef
Although entityRef fields accept either snake_case or CamelCase, let's be consistent.