Webspark 1.66 (Wisconsin)

Please review the changes to this release in your site's /profiles/openasu/CHANGELOG.txt file.

Author: ctestama

CHANGELOG.txt

@@ -1,6 +1,11 @@
 Drupal 7.xx, xxxx-xx-xx (development version)
 -----------------------
 
+Drupal 7.66, 2019-04-17
+-----------------------
+- Fixed security issues:
+   - SA-CORE-2019-006
+
 Drupal 7.65, 2019-03-20
 -----------------------
 - Fixed security issues:

includes/bootstrap.inc

@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.65');
+define('VERSION', '7.66');
 
 /**
  * Core API compatibility.

misc/jquery-extend-3.4.0.js

@@ -0,0 +1,112 @@
+/**
+ * For jQuery versions less than 3.4.0, this replaces the jQuery.extend
+ * function with the one from jQuery 3.4.0, slightly modified (documented
+ * below) to be compatible with older jQuery versions and browsers.
+ *
+ * This provides the Object.prototype pollution vulnerability fix to Drupal
+ * installations running older jQuery versions, including the versions shipped
+ * with Drupal core and https://www.drupal.org/project/jquery_update.
+ *
+ * @see https://github.com/jquery/jquery/pull/4333
+ */
+
+(function (jQuery) {
+
+// Do not override jQuery.extend() if the jQuery version is already >=3.4.0.
+var versionParts = jQuery.fn.jquery.split('.');
+var majorVersion = parseInt(versionParts[0]);
+var minorVersion = parseInt(versionParts[1]);
+var patchVersion = parseInt(versionParts[2]);
+var isPreReleaseVersion = (patchVersion.toString() !== versionParts[2]);
+if (
+  (majorVersion > 3) ||
+  (majorVersion === 3 && minorVersion > 4) ||
+  (majorVersion === 3 && minorVersion === 4 && patchVersion > 0) ||
+  (majorVersion === 3 && minorVersion === 4 && patchVersion === 0 && !isPreReleaseVersion)
+) {
+  return;
+}
+
+/**
+ * This is almost verbatim copied from jQuery 3.4.0.
+ *
+ * Only two minor changes have been made:
+ * - The call to isFunction() is changed to jQuery.isFunction().
+ * - The two calls to Array.isArray() is changed to jQuery.isArray().
+ *
+ * The above two changes ensure compatibility with all older jQuery versions
+ * (1.4.4 - 3.3.1) and older browser versions (e.g., IE8).
+ */
+jQuery.extend = jQuery.fn.extend = function() {
+  var options, name, src, copy, copyIsArray, clone,
+    target = arguments[ 0 ] || {},
+    i = 1,
+    length = arguments.length,
+    deep = false;
+
+  // Handle a deep copy situation
+  if ( typeof target === "boolean" ) {
+    deep = target;
+
+    // Skip the boolean and the target
+    target = arguments[ i ] || {};
+    i++;
+  }
+
+  // Handle case when target is a string or something (possible in deep copy)
+  if ( typeof target !== "object" && !jQuery.isFunction( target ) ) {
+    target = {};
+  }
+
+  // Extend jQuery itself if only one argument is passed
+  if ( i === length ) {
+    target = this;
+    i--;
+  }
+
+  for ( ; i < length; i++ ) {
+
+    // Only deal with non-null/undefined values
+    if ( ( options = arguments[ i ] ) != null ) {
+
+      // Extend the base object
+      for ( name in options ) {
+        copy = options[ name ];
+
+        // Prevent Object.prototype pollution
+        // Prevent never-ending loop
+        if ( name === "__proto__" || target === copy ) {
+          continue;
+        }
+
+        // Recurse if we're merging plain objects or arrays
+        if ( deep && copy && ( jQuery.isPlainObject( copy ) ||
+          ( copyIsArray = jQuery.isArray( copy ) ) ) ) {
+          src = target[ name ];
+
+          // Ensure proper type for the source value
+          if ( copyIsArray && !jQuery.isArray( src ) ) {
+            clone = [];
+          } else if ( !copyIsArray && !jQuery.isPlainObject( src ) ) {
+            clone = {};
+          } else {
+            clone = src;
+          }
+          copyIsArray = false;
+
+          // Never move original objects, clone them
+          target[ name ] = jQuery.extend( deep, clone, copy );
+
+          // Don't bring in undefined values
+        } else if ( copy !== undefined ) {
+          target[ name ] = copy;
+        }
+      }
+    }
+  }
+
+  // Return the modified object
+  return target;
+};
+
+})(jQuery);

modules/system/system.install

@@ -3300,6 +3300,13 @@ function system_update_7081() {
     ->execute();
 }
 
+/**
+ * Add 'jquery-extend-3.4.0.js' to the 'jquery' library.
+ */
+function system_update_7082() {
+  // Empty update to force a rebuild of hook_library() and JS aggregates.
+}
+
 /**
  * @} End of "defgroup updates-7.x-extra".
  * The next series of updates should start at 8000.

modules/system/system.module

@@ -1182,6 +1182,9 @@ function system_library() {
     'version' => '1.4.4',
     'js' => array(
       'misc/jquery.js' => array('group' => JS_LIBRARY, 'weight' => -20),
+      // This includes a security fix, so assign a weight that makes this load
+      // as soon after jquery.js is loaded as possible.
+      'misc/jquery-extend-3.4.0.js' => array('group' => JS_LIBRARY, 'weight' => -19),
     ),
   );
 

pantheon.upstream.yml

@@ -3,5 +3,5 @@
 # Override the defaults specified here in a site-specific `pantheon.yml` file.
 # For more information see: https://pantheon.io/docs/pantheon-upstream-yml
 api_version: 1
-php_version: 5.6
+php_version: 7.0
 drush_version: 8

profiles/openasu/CHANGELOG.txt

@@ -1,3 +1,19 @@
+Webspark 1.66 (Wisconsin), 2019-04-18
+-------------------------------------
+- Webspark core
+
+  * Drupal - v7.66
+    * This release fixes security vulnerabilities. See https://www.drupal.org/project/drupal/releases/7.66 for more details.
+  * Panopoly - v1.66
+    * Multiple Panopoly releases (1.65-1.66) rolled into one update; Includes updates to contrib modules. See https://www.drupal.org/project/panopoly/releases/7.x-1.66 for more info.
+
+- Contrib module updates
+
+  - Managed by Panopoly
+
+    * Module Filter (module_filter) - v2.2
+    * Tablefield (tablefield) - v3.4
+
 Webspark 1.64.1 (San Diego), 2019-04-05
 ---------------------------------------
 - Web standards components in Webspark

profiles/openasu/modules/contrib/module_filter/js/module_filter_tab.js

@@ -57,7 +57,7 @@ Drupal.behaviors.moduleFilterTabs = {
         // Build tabs from package title rows.
         var tabs = '<ul>';
         for (var i in Drupal.settings.moduleFilter.packageIDs) {
-          var id = Drupal.settings.moduleFilter.packageIDs[i];
+          var id = Drupal.checkPlain(Drupal.settings.moduleFilter.packageIDs[i]);
 
           var name = id;
           var tabClass = 'project-tab';
@@ -85,8 +85,8 @@ Drupal.behaviors.moduleFilterTabs = {
               }
               break;
             default:
-              var $row = $('#' + id + '-package');
-              name = $.trim($row.text());
+              var $row = $('#' + id + '-package', this);
+              name = Drupal.checkPlain($.trim($row.text()));
               $row.remove();
               break;
           }
@@ -233,8 +233,8 @@ Drupal.behaviors.moduleFilterTabs = {
         }
 
         if (Drupal.settings.moduleFilter.useSwitch) {
-          $('td.checkbox div.form-item').hide();
-          $('td.checkbox').each(function(i) {
+          $('td.checkbox div.form-item', table).hide();
+          $('td.checkbox', table).each(function(i) {
             var $cell = $(this);
             var $checkbox = $(':checkbox', $cell);
             var $switch = $('.toggle-enable', $cell);
@@ -517,7 +517,7 @@ Drupal.ModuleFilter.updateVisualAid = function(type, $row) {
   }
 
   var tab = Drupal.ModuleFilter.tabs[id];
-  var name = $('td:nth(1) strong', $row).text();
+  var name = Drupal.checkPlain($('td:nth(1) strong', $row).text());
   switch (type) {
     case 'enable':
       if (Drupal.ModuleFilter.disabling[id + name] != undefined) {

profiles/openasu/modules/contrib/module_filter/module_filter.info

@@ -16,9 +16,8 @@ files[] = js/module_filter_tab.js
 
 configure = admin/config/user-interface/modulefilter
 
-; Information added by Drupal.org packaging script on 2017-06-09
-version = "7.x-2.1"
+; Information added by Drupal.org packaging script on 2019-03-27
+version = "7.x-2.2"
 core = "7.x"
 project = "module_filter"
-datestamp = "1497029349"
-
+datestamp = "1553698385"

profiles/openasu/modules/contrib/tablefield/tablefield.info

@@ -7,8 +7,8 @@ package = Fields
 dependencies[] = field
 configure = admin/config/content/tablefield
 
-; Information added by Drupal.org packaging script on 2018-12-08
-version = "7.x-3.2"
+; Information added by Drupal.org packaging script on 2019-04-16
+version = "7.x-3.4"
 core = "7.x"
 project = "tablefield"
-datestamp = "1544293992"
+datestamp = "1555444847"