From 7187eca72b6e73b895d888a27265f6fb7c0a982e Mon Sep 17 00:00:00 2001
From: Andrew Engelbrecht
Date: Thu, 5 Jan 2023 18:36:55 -0500
Subject: [PATCH] updated bootstrap.inc from Drupal

---
 extlib/bootstrap.inc | 30 ++++++++++++++++++++++++------
 1 file changed, 24 insertions(+), 6 deletions(-)

diff --git a/extlib/bootstrap.inc b/extlib/bootstrap.inc
index ce2c617..48d471f 100644
--- a/extlib/bootstrap.inc
+++ b/extlib/bootstrap.inc
@@ -8,7 +8,7 @@
 /**
 * The current system version.
 */
-define('VERSION', '7.83');
+define('VERSION', '7.95-dev');
 
 /**
 * Core API compatibility.
@@ -18,7 +18,7 @@ define('DRUPAL_CORE_COMPATIBILITY', '7.x');
 /**
 * Minimum supported version of PHP.
 */
-define('DRUPAL_MINIMUM_PHP', '5.2.4');
+define('DRUPAL_MINIMUM_PHP', '5.3.3');
 
 /**
 * Minimum recommended value of PHP memory_limit.
@@ -809,6 +809,16 @@ function drupal_settings_initialize() {
 if (!empty($_SERVER['HTTP_HOST'])) {
 $cookie_domain = _drupal_get_cookie_domain($_SERVER['HTTP_HOST']);
 }
+
+ // Drupal 7.83 included a security improvement whereby www. is no longer
+ // stripped from the cookie domain. However, this can cause problems with
+ // existing session cookies where some users are left unable to login. In
+ // order to avoid that, prepend a leading dot to the session_name that was
+ // derived from the base_url when a www. subdomain is in use.
+ // @see https://www.drupal.org/project/drupal/issues/2522002
+ if (strpos($session_name, 'www.') === 0) {
+ $session_name = '.' . $session_name;
+ }
 }
 // Per RFC 2109, cookie domains must contain at least one dot other than the
 // first. For hosts such as 'localhost' or IP Addresses we don't set a cookie domain.
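Review bot: The prefix test `strpos($session_name, 'www.') === 0` in the drupal_settings_initialize() hunk is case-sensitive, while host names compare case-insensitively; whether `$session_name` can reach this line with an upper-case prefix depends on how `$base_url` is normalised, which is outside this hunk. If it is not lower-cased before this point, a request for `WWW.example.com` would derive a different session name than one for `www.example.com`, and `strncasecmp($session_name, 'www.', 4) === 0` would make the compatibility shim follow the host-name rule instead of the request's spelling. The comment explains the history well but could state the consequence of the branch in one line, e.g. `// Only affects the derived session name; the cookie domain itself is left as computed above.` — worth confirming against the code that consumes `$session_name` further down. The enclosing branch of drupal_settings_initialize() starts and the function continues outside the hunk.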
@@ -1592,7 +1602,7 @@ function drupal_page_header() {
 */
 function drupal_serve_page_from_cache(stdClass $cache) {
 // Negotiate whether to use compression.
- $page_compression = !empty($cache->data['page_compressed']);
+ $page_compression = !empty($cache->data['page_compressed']) && !empty($cache->data['body']);
 $return_compressed = $page_compression && isset($_SERVER['HTTP_ACCEPT_ENCODING']) && strpos($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip') !== FALSE;
 
 // Get headers set in hook_boot(). Keys are lower-case.
@@ -1895,7 +1905,7 @@ function format_string($string, array $args = array()) {
 * @ingroup sanitization
 */
 function check_plain($text) {
- return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
+ return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
 }
 
 /**
@@ -1923,7 +1933,7 @@ function check_plain($text) {
 * TRUE if the text is valid UTF-8, FALSE if not.
 */
 function drupal_validate_utf8($text) {
- if (strlen($text) == 0) {
+ if (strlen((string) $text) == 0) {
 return TRUE;
 }
 // With the PCRE_UTF8 modifier 'u', preg_match() fails silently on strings
@@ -2338,7 +2348,7 @@ function drupal_random_bytes($count) {
 // the microtime() - is prepended rather than appended. This is to avoid
 // directly leaking $random_state via the $output stream, which could
 // allow for trivial prediction of further "random" numbers.
- if (strlen($bytes) < $count) {
+ if (strlen((string) $bytes) < $count) {
 // Initialize on the first call. The contents of $_SERVER includes a mix of
 // user-specific and system information that varies a little with each page.
 if (!isset($random_state)) {
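Review bot: The new `&& !empty($cache->data['body'])` condition on `$page_compression` in drupal_serve_page_from_cache() is not reflected in the comment directly above it, which still reads `// Negotiate whether to use compression.`, so a reader cannot tell why an entry flagged as compressed must be served uncompressed when its body is missing. Suggest `// Negotiate whether to use compression. An entry flagged page_compressed but carrying no body is never sent gzip-encoded.` Note also that `empty()` treats a body of `'0'` the same as an absent one; that is presumably harmless for gzip payloads but is worth stating if it was intended. The function body continues outside the hunk.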
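Review bot: The `(string)` casts added in check_plain(), drupal_validate_utf8() and drupal_random_bytes() (the three hunks that follow on this line) are applied inside the first expression that reads the value rather than to the variable, so any later use of `$text` or `$bytes` in those functions — outside these hunks — still sees the original, possibly null or false, value. In drupal_validate_utf8() the early return covers null because `strlen('')` is 0, but whatever follows the guard receives an uncast `$text`; in drupal_random_bytes() only the length comparison is cast while `$bytes` itself is not. Normalising once at the top of each function, e.g. `$text = (string) $text;` before the check, keeps the rest of the body on one type and makes the intent visible, and check_plain()'s docblock (outside the hunk) could state that null is escaped to `''`. All three enclosing function bodies extend past their hunks.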
@@ -3939,6 +3949,14 @@ function drupal_setcookie($name, $value, $options) {
 setcookie($name, $value, $options);
 }
 else {
+ $defaults = array(
+ 'expires' => 0,
+ 'path' => '',
+ 'domain' => '',
+ 'secure' => FALSE,
+ 'httponly' => FALSE,
+ );
+ $options += $defaults;
 setcookie($name, $value, $options['expires'], $options['path'], $options['domain'], $options['secure'], $options['httponly']);
 }
 }
-- 
2.25.1
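Review bot: The `$defaults` array in the `else` branch of drupal_setcookie() fills the five positional setcookie() parameters, but a `samesite` key a caller passes is silently dropped here because the seven-argument form has no such parameter; callers relying on `samesite` for CSRF hardening get a cookie without it on whichever PHP versions take this branch (the branch condition is outside the hunk, presumably a version check). That limitation should be stated where the defaults are built, e.g. `// Legacy positional signature: 'samesite' cannot be forwarded and is dropped on this path.`, so the reduced protection is visible to anyone reading the fallback. Also worth noting in the same comment that `$options += $defaults` only fills absent keys, so an explicitly supplied null is passed through to setcookie() unchanged.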