Seamus Lee [Mon, 25 Feb 2019 20:35:58 +0000 (07:35 +1100)]
Merge pull request #13666 from eileenmcnaughton/case_fix
dev/core#739 Fix case detail report breaking when sorted by case type.
Eileen McNaughton [Mon, 25 Feb 2019 20:23:23 +0000 (09:23 +1300)]
Merge pull request #13658 from mfb/temp-force-utf8
Phase out CIVICRM_TEMP_FORCE_UTF8
Eileen McNaughton [Mon, 25 Feb 2019 20:20:49 +0000 (09:20 +1300)]
Merge pull request #13643 from eileenmcnaughton/recur
[REF] minor refactor around retrieving processor id for recur
Eileen McNaughton [Mon, 25 Feb 2019 20:02:23 +0000 (09:02 +1300)]
Merge pull request #13694 from eileenmcnaughton/extract_refund
Extract record refund function
eileen [Mon, 25 Feb 2019 05:03:33 +0000 (18:03 +1300)]
Extract record refund function
Eileen McNaughton [Mon, 25 Feb 2019 10:50:50 +0000 (23:50 +1300)]
Merge pull request #13582 from colemanw/kam
Migrate KAM smartmenus to core
Eileen McNaughton [Mon, 25 Feb 2019 05:55:35 +0000 (18:55 +1300)]
Merge pull request #13693 from civicrm/revert-13691-record_extract
Revert "[REF] Extract record refund function"
Eileen McNaughton [Mon, 25 Feb 2019 05:55:13 +0000 (18:55 +1300)]
Revert "[REF] Extract record refund function"
Monish Deb [Mon, 25 Feb 2019 05:13:35 +0000 (10:43 +0530)]
Merge pull request #13691 from eileenmcnaughton/record_extract
[REF] Extract record refund function
eileen [Mon, 25 Feb 2019 05:03:33 +0000 (18:03 +1300)]
Extract record refund function
Seamus Lee [Mon, 25 Feb 2019 03:06:44 +0000 (14:06 +1100)]
Merge pull request #13289 from mfb/pear-mail
Move pear/mail from packages to composer.json
Eileen McNaughton [Mon, 25 Feb 2019 02:51:52 +0000 (15:51 +1300)]
Merge pull request #13340 from mfb/street-number-max
Do not attempt to store out-of-range street number
colemanw [Mon, 25 Feb 2019 02:17:09 +0000 (21:17 -0500)]
Merge pull request #13668 from eileenmcnaughton/extract_order
[REF] Extract getSearchSQL from getSearchQuery.
mark burdett [Sun, 24 Feb 2019 23:56:20 +0000 (15:56 -0800)]
Add test case for parsing out-of-range street number.
Eileen McNaughton [Sun, 24 Feb 2019 23:54:18 +0000 (12:54 +1300)]
Merge pull request #13688 from mfb/export-temp-table
Use CRM_Utils_SQL_TempTable to drop and create table.
mark burdett [Sat, 22 Dec 2018 19:11:57 +0000 (11:11 -0800)]
Do not attempt to store out-of-range street number.
Eileen McNaughton [Sun, 24 Feb 2019 23:30:15 +0000 (12:30 +1300)]
Merge pull request #13276 from mfb/trash-change-log
Record change log entry when contact is moved to or restored from trash
Eileen McNaughton [Sun, 24 Feb 2019 23:05:51 +0000 (12:05 +1300)]
Merge pull request #13346 from mfb/geocode-job-db-error
geocode job: Do not return more messages than can fit in the log data column
mark burdett [Thu, 21 Feb 2019 21:56:23 +0000 (13:56 -0800)]
Deprecate CIVICRM_TEMP_FORCE_UTF8.
Eileen McNaughton [Sun, 24 Feb 2019 21:03:25 +0000 (10:03 +1300)]
Merge pull request #13578 from mattwire/entityform_view_towards
Towards supporting EntityForm for 'View Action'
Eileen McNaughton [Sun, 24 Feb 2019 20:29:31 +0000 (09:29 +1300)]
Merge pull request #13588 from jitendrapurohit/dev-631
dev/core#631 - Enable 'add new' by default on merge screen
Eileen McNaughton [Sun, 24 Feb 2019 20:26:49 +0000 (09:26 +1300)]
Merge pull request #13657 from MegaphoneJon/deprecateBasicContactFields
reporting#9: parity between getContactFields and getBasicContactFields
Eileen McNaughton [Sun, 24 Feb 2019 20:14:41 +0000 (09:14 +1300)]
Merge pull request #13654 from seamuslee001/lab_core_742
dev/core#742 Fix XML parasing by swapping & for ,
Eileen McNaughton [Sun, 24 Feb 2019 20:09:39 +0000 (09:09 +1300)]
Merge pull request #13042 from jackrabbithanna/dev-core-475
only set custom field to null if it is really null, not string 'null'
mark burdett [Sun, 24 Feb 2019 19:34:20 +0000 (11:34 -0800)]
Use CRM_Utils_SQL_TempTable to drop and create table.
Monish Deb [Sun, 24 Feb 2019 17:01:00 +0000 (22:31 +0530)]
Merge pull request #12641 from mfb/reply-forwarding
CiviMail: Fix reply forwarding for mailers with From: and Return-path: limitations
Eileen McNaughton [Sun, 24 Feb 2019 06:57:45 +0000 (19:57 +1300)]
Merge pull request #12337 from lcdservices/dev-core-190
dev/core#190 / CRM-21643 ensure custom data multi record profile returns correct …
Eileen McNaughton [Sun, 24 Feb 2019 05:20:17 +0000 (18:20 +1300)]
Merge pull request #13441 from greenpeace-cee/fix-schema-parsing
CRM/Logging - Fix various bugs in schema parsing
Eileen McNaughton [Sun, 24 Feb 2019 04:46:21 +0000 (17:46 +1300)]
Merge pull request #13682 from mfb/utf8mb4-check-exception
Force utf8mb4 query to throw exception as the check expects
Eileen McNaughton [Sun, 24 Feb 2019 04:42:24 +0000 (17:42 +1300)]
Merge pull request #13687 from eileenmcnaughton/activity_clean
Minor code cleanup
Seamus Lee [Sun, 24 Feb 2019 02:28:38 +0000 (13:28 +1100)]
Merge pull request #13634 from eileenmcnaughton/fin_type_speed
[NFC, test class] formatting, remove unused variables
Matthew Wire (MJW Consulting) [Sun, 24 Feb 2019 01:19:57 +0000 (14:19 +1300)]
Minor code cleanup
This is a reviewer's commit of https://github.com/civicrm/civicrm-core/pull/13672
I pulled out some lines I've checked & agree with to simplify that commit
Eileen McNaughton [Sun, 24 Feb 2019 00:56:01 +0000 (13:56 +1300)]
Merge pull request #13644 from mfb/temporary-tables
Refactor CRM_Utils_SQL_TempTable::build()->createWithQuery($sql) interface to support MEMORY tabls
Patrick Figel [Fri, 25 Jan 2019 18:57:49 +0000 (19:57 +0100)]
CRM/Logging - Improve enum handling in schema diff
Instead of storing permitted enum values in the LENGTH array key
when extracting column information, this adds a separate ENUM_VALUES
key. When schema differences are calculated for enum columns, this
value triggers a change when new permitted values are added.
Patrick Figel [Sun, 13 Jan 2019 18:11:41 +0000 (19:11 +0100)]
CRM/Logging - Fix various bugs in schema parsing
This fixes a couple of bugs in the schema parsing methods used by
Civi's extended logging feature:
- CRM_Logging_Schema::getIndexesForTable only queried for constraints,
not returning any indexes.
- CRM_Logging_Schema::getIndexesForTable returned an array in the form
[0 => ['constraint_name' => 'foo']] rather than the expected array
of index names (i.e. ['foo']).
- CRM_Logging_Schema::columnSpecsOf contained an off-by-one error and
a wrongly used substr parameter causing column lengths to include
surrounding parenthesis. This would result in a "varchar(42)"
column returning a length of "(42)" instead of "42".
Seamus Lee [Sat, 23 Feb 2019 07:23:37 +0000 (18:23 +1100)]
Merge pull request #13685 from seamuslee001/tests_746
dev/core#746 Add in unit tests to ensure that where clause is as is w…
Seamus Lee [Sat, 23 Feb 2019 06:08:28 +0000 (17:08 +1100)]
Merge pull request #13684 from civicrm/5.11
5.11
Seamus Lee [Sat, 23 Feb 2019 05:55:04 +0000 (16:55 +1100)]
dev/core#746 Add in unit tests to ensure that where clause is as is when multiple smart group where clauses are used in search builder
Add in a check of from clauses too
Seamus Lee [Sat, 23 Feb 2019 04:41:59 +0000 (15:41 +1100)]
Merge pull request #13683 from seamuslee001/5_11_5_10_4_Release_Notes
Add in 5.10.4 Release notes
Monish Deb [Sat, 23 Feb 2019 03:51:53 +0000 (09:21 +0530)]
Merge pull request #13669 from eileenmcnaughton/payment_format
Payment notification formatting, move greeting into table
Seamus Lee [Fri, 22 Feb 2019 23:02:29 +0000 (10:02 +1100)]
Add in 5.10.4 Release notes
Eileen McNaughton [Sat, 23 Feb 2019 01:10:55 +0000 (14:10 +1300)]
Merge pull request #13675 from greenpeace-cee/fix-logtable-exceptions
CRM/Logging - Fix log table exceptions
Eileen McNaughton [Sat, 23 Feb 2019 01:08:31 +0000 (14:08 +1300)]
Merge pull request #13673 from eileenmcnaughton/511geocode
Remove tests that no longer work due to dead service
Seamus Lee [Fri, 22 Feb 2019 23:37:33 +0000 (10:37 +1100)]
Merge pull request #13678 from MegaphoneJon/reporting-10-test
test for reporting#10
Seamus Lee [Fri, 22 Feb 2019 23:18:25 +0000 (10:18 +1100)]
Merge pull request #13663 from seamuslee001/lab_core_747
Hotfix for dev/core#747 To fix generation of contact image urls
mark burdett [Fri, 22 Feb 2019 23:05:07 +0000 (15:05 -0800)]
Force utf8mb4 query to throw exception as the check expects.
Fixes dev/core#749
Jon Goldberg [Fri, 22 Feb 2019 21:53:38 +0000 (16:53 -0500)]
test for reporting#10
Seamus Lee [Fri, 22 Feb 2019 21:00:43 +0000 (08:00 +1100)]
Extract checking of filename into own function and add tests
eileen [Fri, 22 Feb 2019 09:54:11 +0000 (22:54 +1300)]
Extract getSearchSQL from getSearchQuery.
Change one instance to call it directly. Next I'll deprecate it & change all instances hit by the tests
Eileen McNaughton [Fri, 22 Feb 2019 20:34:52 +0000 (09:34 +1300)]
Merge pull request #13671 from MegaphoneJon/reporting-11
reporting-11 - fix Soft Credit report with full group by
Eileen McNaughton [Fri, 22 Feb 2019 20:23:48 +0000 (09:23 +1300)]
Merge pull request #13676 from civicrm/5.11
5.11 to master
Eileen McNaughton [Fri, 22 Feb 2019 20:23:28 +0000 (09:23 +1300)]
Merge pull request #13670 from MegaphoneJon/reporting-10-rc
reporting#10 - fix pagination on Contribution Detail report
Eileen McNaughton [Fri, 22 Feb 2019 20:01:20 +0000 (09:01 +1300)]
Merge pull request #13364 from mattwire/activitytype_pseudoconstant
REF Convert deprecated functions to buildOptions for case
Patrick Figel [Fri, 22 Feb 2019 19:38:30 +0000 (20:38 +0100)]
CRM/Logging - Fix log table exceptions
This fixes a bug that caused columns that were excluded from being
considered "log-worthy" changes to be logged anyway. That happened
because columns were extracted with backticks but compared to strings
without backticks. To preserve compatibility with exceptions set by
alterLogTables which could contain backticks, the comparison is
performed against the column name with and without backticks.
eileen [Sun, 17 Feb 2019 01:42:47 +0000 (14:42 +1300)]
Remove tests that no longer work due to dead service
Jon Goldberg [Fri, 22 Feb 2019 17:59:15 +0000 (12:59 -0500)]
reporting-11 - fix Soft Credit report with full group by
Jon Goldberg [Fri, 22 Feb 2019 02:06:13 +0000 (21:06 -0500)]
reporting#10 - fix pagination on Contribution Detail report
Matthew Wire (MJW Consulting) [Fri, 28 Dec 2018 12:59:36 +0000 (12:59 +0000)]
Replace deprecated activityType/activityStatus functions with buildOptions for cases
Monish Deb [Fri, 22 Feb 2019 11:17:11 +0000 (16:47 +0530)]
Merge pull request #13649 from eileenmcnaughton/payment
Switch additional payment form to use Payment.sendconfirmation api
eileen [Fri, 22 Feb 2019 10:37:30 +0000 (23:37 +1300)]
Payment notification formatting, move greeting into table
Tim Otten [Fri, 22 Feb 2019 08:24:49 +0000 (00:24 -0800)]
CRM_Core_Page_File - Only delivers directly under the customFileUploadDir
Tim Otten [Fri, 22 Feb 2019 08:22:03 +0000 (00:22 -0800)]
CRM_Core_Page_File - Fix warning when using filename mode
The idea here is that `id+eid+fcs` and `filename` are two separate modes.
In `filename` mode, you don't need warnings about the missing `fcs`.
Tim Otten [Fri, 22 Feb 2019 06:45:45 +0000 (22:45 -0800)]
CRM_Core_Page_File - More consistent capitalization/prose
Seamus Lee [Fri, 22 Feb 2019 05:38:57 +0000 (16:38 +1100)]
Merge pull request #13662 from seamuslee001/hotfix_746
Deploy hotfix to fix dev/core#746 until tests can be written for fix
eileen [Fri, 22 Feb 2019 04:22:51 +0000 (17:22 +1300)]
Fix case detail report breaking when sorted by case type.
I removed the hacks to cope with poor metadata declaration & fixed the declaration - this should stop
breaking now. Test added
Seamus Lee [Fri, 22 Feb 2019 01:11:53 +0000 (12:11 +1100)]
Deploy hotfix to fix dev/core#746 until tests can be written for fix
Fix GroupContactCacheTest
eileen [Fri, 22 Feb 2019 04:03:45 +0000 (17:03 +1300)]
[NFC] code reformatting - use short array syntax
Seamus Lee [Fri, 22 Feb 2019 01:25:38 +0000 (12:25 +1100)]
Hotfix for dev/core#747 To fix generation of contact image urls
Eileen McNaughton [Fri, 22 Feb 2019 00:47:16 +0000 (13:47 +1300)]
Merge pull request #13661 from eileenmcnaughton/master
5.11 to master
eileen [Fri, 22 Feb 2019 00:46:16 +0000 (13:46 +1300)]
Merge branch '5.11' of https://github.com/civicrm/civicrm-core
Eileen McNaughton [Fri, 22 Feb 2019 00:42:32 +0000 (13:42 +1300)]
Merge pull request #13660 from seamuslee001/5.11
5.11 - merge in security
eileen [Wed, 20 Feb 2019 13:13:44 +0000 (02:13 +1300)]
Switch Additional Payment to call Payment.send_confirmation api, strip out text
eileen [Wed, 20 Feb 2019 12:38:46 +0000 (01:38 +1300)]
Switch to greeting for better, more consistent results in tpl, remove print statement
eileen [Wed, 20 Feb 2019 12:05:17 +0000 (01:05 +1300)]
Add test for receipt output (test written to pre-change output)
Tim Otten [Thu, 21 Feb 2019 06:38:50 +0000 (22:38 -0800)]
release-notes/5.10.3.md - Update "Feedback" to be... closer to reality wrt SA's
Tim Otten [Thu, 21 Feb 2019 06:27:09 +0000 (22:27 -0800)]
release-notes/5.10.3.md - TOC should match actual headings
Seamus Lee [Sat, 16 Feb 2019 03:59:52 +0000 (14:59 +1100)]
Add in 5.10.3 Security Release Notes
Seamus Lee [Tue, 19 Feb 2019 01:39:50 +0000 (12:39 +1100)]
Fix file e-notice by using the correct url variables
Seamus Lee [Wed, 13 Feb 2019 23:33:45 +0000 (10:33 +1100)]
Fix variables to match image file hash generation
Tim Otten [Wed, 13 Feb 2019 22:34:33 +0000 (14:34 -0800)]
CRM_Profile_Form - Add fcs for download link on custom field
Tim Otten [Wed, 13 Feb 2019 20:58:33 +0000 (12:58 -0800)]
(REF) Clearer docblocks and file names
Tim Otten [Wed, 13 Feb 2019 20:50:02 +0000 (12:50 -0800)]
Fix multiple issues with file URLs. Use clearer variables and docblocks to reduce confusion.
Seamus Lee [Wed, 13 Feb 2019 20:09:26 +0000 (07:09 +1100)]
Try and use the correct variable for file id in custom field uploads and use the standard checksum timout as well
Tim Otten [Tue, 12 Feb 2019 23:58:57 +0000 (15:58 -0800)]
generateFileHash() - If we can't generate a secure, then don't generate any token
Falling back to a constant negates any security benefit of using a hash.
IMHO, the edge-case where `CIVICRM_SITE_KEY` is missing should be
obscure/rare and signifies broader problems for the deployment. It needs to
be corrected. If you're worried that having an error-symptom here is too
obscure, then let's add a more prominent error-message via
`CRM_Utils_Check`.
NOTE: There is one pre-existing case in core where (in absence of a key) it
procedes with a constant in lieu of a `CIVICRM_SITE_KEY` . Specifically,
`CRM_Core_Error::generateLogFileHash()`. That is not a good example to
follow because it is qualitiatively different:
* In `generateLogFileHash`(), `CIVICRM_SITE_KEY` functions as one of
multiple redundant security mechanisms -- e.g. even if
`CIVICRM_SITE_KEY` is missing, the log file remains hard-to-access because
(1) the DSN is part of the hash and (2) the httpd protects `ConfigAndLog`.
(Contrast: The file-hash-code is not *redundant* in the same way.)
* In the context of logging, raising any error (even if it's real error
condition) can provoke a weird loop (because then that error needs to be
logged). The log needs to avoid such loops. (Contrast:
`generateFileHash()` is part of the normal post-boot application logic, so
it's free to register errors normally.)
Tim Otten [Tue, 12 Feb 2019 23:50:40 +0000 (15:50 -0800)]
generateFileHash() and validateFileHash() should be colocated
The two functions (`generateFileHash()` and `validateFileHash()`) are
tightly-coupled. Most changes to one would require a matching change in the
other. So they should be parallel.
It'd be OK to say "the hash formula is a general utility for any party using
file APIs" (so put `generateFileHash()` and `validateFileHash()` in `CRM_Core_BAO_File`).
It'd be OK to say "the hash formula is specific to the end-point/page which
serves files" (so put `generateFileHash()` and `validateFileHash()` in
`CRM_Core_Page_File`).
The former feels a bit more accurate, so I pushed it toward that.
Seamus Lee [Mon, 4 Feb 2019 21:48:25 +0000 (08:48 +1100)]
Switch to Sha256 and add in a ttl
Further WHIP fixing hmac implementation now need to get it generating consistant hashes
Remove debugging
Seamus Lee [Tue, 22 Jan 2019 19:11:45 +0000 (06:11 +1100)]
Block access if no Hash is supplied
Seamus Lee [Fri, 18 Jan 2019 22:01:17 +0000 (09:01 +1100)]
security/core#26 Add in a generated Hash to download files so that URLs can't just be tested by annon users
Seamus Lee [Fri, 8 Feb 2019 03:46:36 +0000 (14:46 +1100)]
prevent timing attacks on the contact checksum validation
eileen [Mon, 14 Jan 2019 04:03:28 +0000 (17:03 +1300)]
Remove support for passing a filename into civicrm/file.
I can find no evidence this is used & it feels like a security risk, albeit they still need
the path
eileen [Mon, 14 Jan 2019 01:25:29 +0000 (14:25 +1300)]
Remove unused file parameters
Coleman Watts [Wed, 23 Jan 2019 02:14:03 +0000 (21:14 -0500)]
security/core#33 - Patch jQuery for CVE-2015-9251
See https://github.com/jquery/jquery/issues/2432#issuecomment-
403761229
This will no longer be needed after upgrading to jQuery 3.x.
Tim Otten [Tue, 15 Jan 2019 00:01:26 +0000 (16:01 -0800)]
(NFC) Cleanup new docblocks
Tim Otten [Mon, 14 Jan 2019 23:58:53 +0000 (15:58 -0800)]
Follow-up security/core#25 - Consistently change interface
The previous commit
4c1e702f96403bdc84b6900027d1be61ea601321 expanded the
signature of `fillWithSql()` to accept a third argument, but it wasn't
consistent about whether the third argument was optional or required.
This makes it consistently optional (default `[]`).
Seamus Lee [Sat, 27 Oct 2018 21:44:08 +0000 (08:44 +1100)]
Resolve security/core#25 Escape use of cacheKey to prevent SQLI when populating the prevNextCache
Security #25 Update Redis implementation to match function sig of interface function
Patrick Figel [Sun, 6 Jan 2019 17:30:30 +0000 (18:30 +0100)]
security/core#16 - Smarty - Fix XSS in crmMoney plugin
This fixes an XSS in the crmMoney smarty plugin by checking the
currency against the currency list and adds some basic tests.
Fixes security/core#16
Patrick Figel [Sun, 6 Jan 2019 21:16:40 +0000 (22:16 +0100)]
security/core#28 - CRM_Contact - Use uniqid() for table alias
Patrick Figel [Sat, 27 Oct 2018 19:08:32 +0000 (21:08 +0200)]
security/core#28 - CRM_Contact - Fix SQL injection in group/tag search
This fixes various SQL injections in CRM_Contact_BAO_Query in the group
and tag search code. CRM_Contact_BAO_Query is used by the API and some
other core features such as the advanced contact search.
For CRM_Contact_BAO_Query::tag, the lack of input validation meant that
API syntax that would typically not work for other parameters works for
tag search, so the fix attempts to not break backwards-compatibility
for API calls like Contact.get tag="1, 2" (i.e. using a comma-separated
list with spaces).
Seamus Lee [Sun, 30 Dec 2018 01:09:45 +0000 (12:09 +1100)]
security/core#32 Fix Reflected XSS in Logging Detail report
Seamus Lee [Sat, 27 Oct 2018 04:08:25 +0000 (15:08 +1100)]
Also Purify the output of the frozen entity reference and that of a select2 output as well