Merge branch 'backdrop:1.x' into 1.x

Author: herbdool

README.md

@@ -9,7 +9,7 @@ Backdrop aims to provide:
 
 Requirements
 ------------
-- PHP 5.6.0 or higher. Even if Backdrop can run on older versions of PHP, we
+- PHP 7.1.0 or higher. Even if Backdrop can run on older versions of PHP, we
   strongly recommend that you use a
   [supported version of PHP](https://secure.php.net/supported-versions.php).
 - MySQL 5.5.0 or higher with PDO enabled

core/includes/bootstrap.inc

@@ -7,7 +7,7 @@
 /**
  * The current system version.
  */
-define('BACKDROP_VERSION', '1.32.x-dev');
+define('BACKDROP_VERSION', '1.33.x-dev');
 
 /**
  * Core API compatibility.
@@ -1016,8 +1016,8 @@ function backdrop_settings_initialize() {
     // Otherwise use $base_url as session name, without the protocol
     // to use the same session identifiers across HTTP and HTTPS.
     list( , $session_name) = explode('://', $base_url, 2);
-    // HTTP_HOST can be modified by a visitor, but we already sanitized it
-    // in backdrop_settings_initialize().
+    // HTTP_HOST can be modified by a visitor, but we already sanitized it in
+    // backdrop_environment_initialize().
     if (!empty($_SERVER['HTTP_HOST'])) {
       $cookie_domain = $_SERVER['HTTP_HOST'];
       // Strip leading periods, www., and port numbers from cookie domain.
@@ -3123,9 +3123,13 @@ function _backdrop_bootstrap_configuration() {
     install_goto('core/install.php');
   }
 
-  // Untrusted host names, throw an exception for the end-user.
+  // Untrusted host names, return 400 Bad Request to the end-user.
   if (!defined('MAINTENANCE_MODE') && !backdrop_check_trusted_hosts($_SERVER['HTTP_HOST'])) {
-    throw new Exception(format_string('The HTTP Host "@hostname" is not white-listed for this site. Check the trusted_host_patterns setting in settings.php.', array('@hostname' => $_SERVER['HTTP_HOST'])));
+    http_response_code(400);
+    print format_string('HTTP Host "@hostname" is not included in the "trusted_host_patterns" setting of this site.', array(
+      '@hostname' => $_SERVER['HTTP_HOST'],
+    ));
+    exit;
   }
 
   // Bootstrap the database if it is needed but not yet available.

core/includes/config.inc

@@ -288,28 +288,57 @@ function config_install_default_config($project, $config_name = NULL) {
     }
   }
   $project_config_dir = $project_path . '/config';
+  $storage = new ConfigFileStorage($project_config_dir);
+
+  $default_config_names = config_get_default_config_names($project);
+  foreach ($default_config_names as $default_config_name) {
+    // Load config data into the active store and write it out to the
+    // file system in the Backdrop config directory. Note the config name
+    // needs to be the same as the file name WITHOUT the extension.
+    if (is_null($config_name) || $default_config_name === $config_name) {
+      $data = $storage->read($default_config_name);
+      $config = config($default_config_name);
+      // We only create new configs, and do not overwrite existing ones.
+      if ($config->isNew()) {
+        $config->setData($data);
+        module_invoke_all('config_create', $config);
+        $config->save();
+      }
+    }
+  }
+}
+
+/**
+ * Gets the name of config files provided by a module or theme.
+ *
+ * @param $project
+ *   The name of the project for which config names should be returned.
+ *
+ * @return string[]
+ *   An unindexed array of config names, without the .json extension.
+ *
+ * @since 1.31.0 Function added.
+ */
+function config_get_default_config_names($project) {
+  $project_path = NULL;
+  foreach (array('module', 'theme') as $project_type) {
+    if ($project_path = backdrop_get_path($project_type, $project)) {
+      break;
+    }
+  }
+
+  $config_names = array();
+  $project_config_dir = $project_path . '/config';
   if (is_dir($project_config_dir)) {
-    $storage = new ConfigFileStorage($project_config_dir);
     $files = glob($project_config_dir . '/*.json');
     foreach ($files as $file) {
-      // Load config data into the active store and write it out to the
-      // file system in the Backdrop config directory. Note the config name
-      // needs to be the same as the file name WITHOUT the extension.
       $parts = explode('/', $file);
       $file = array_pop($parts);
-      $file_config_name = str_replace('.json', '', $file);
-      if (is_null($config_name) || $file_config_name === $config_name) {
-        $data = $storage->read($file_config_name);
-        $config = config($file_config_name);
-        // We only create new configs, and do not overwrite existing ones.
-        if ($config->isNew()) {
-          $config->setData($data);
-          module_invoke_all('config_create', $config);
-          $config->save();
-        }
-      }
+      $config_names[] = str_replace('.json', '', $file);
     }
   }
+
+  return $config_names;
 }
 
 /**
@@ -583,7 +612,12 @@ class Config {
    */
   public function validateData() {
     if (!$this->validated) {
+      // Get config info if available. This may not be present if the providing
+      // module is being enabled at the same time.
       $config_info = config_get_info($this->getName());
+      if (!$config_info) {
+        $config_info = NULL;
+      }
       module_invoke_all('config_data_validate', $this, $config_info);
       $this->validated = TRUE;
     }

core/includes/file.inc

@@ -1561,7 +1561,8 @@ function file_save_upload($form_field_name, $validators = array(), $destination
     'filesize' => $_FILES['files']['size'][$form_field_name],
   );
   $values['filemime'] = file_get_mimetype($values['filename']);
-  $file = new File($values);
+  /** @var File $file */
+  $file = entity_create('file', $values);
 
   $extensions = '';
   if (isset($validators['file_validate_extensions'])) {
@@ -2123,7 +2124,8 @@ function file_save_data($data, $destination = NULL, $replace = FILE_EXISTS_RENAM
 
   if ($uri = file_unmanaged_save_data($data, $destination, $replace)) {
     // Create a file entity.
-    $file = new File(array(
+    /** @var File $file */
+    $file = entity_create('file', array(
       'uri' => $uri,
       'uid' => $user->uid,
       'status' => FILE_STATUS_PERMANENT,

core/includes/install.inc

@@ -1082,17 +1082,24 @@ function backdrop_uninstall_modules($module_list = array(), $uninstall_dependent
     $module_list = array_keys($module_list);
   }
 
+  $system_extensions_config = config('system.extensions');
   foreach ($module_list as $module) {
     // Uninstall the module.
     module_load_install($module);
     module_invoke($module, 'uninstall');
     config_uninstall_config($module);
     backdrop_uninstall_schema($module);
 
+    // Remove the module from the system.extensions config.
+    $system_extensions_config->clear('modules.' . $module);
+
     watchdog('system', '%module module uninstalled.', array('%module' => $module), WATCHDOG_INFO);
     backdrop_set_installed_schema_version($module, SCHEMA_UNINSTALLED);
   }
 
+  // Save the new list of extensions with the modules removed.
+  $system_extensions_config->save();
+
   if (!empty($module_list)) {
     // Let other modules react.
     module_invoke_all('modules_uninstalled', $module_list);

core/includes/locale.inc

@@ -486,7 +486,12 @@ function locale_language_url_rewrite_url(&$path, &$options) {
       case LANGUAGE_NEGOTIATION_URL_PREFIX:
         $prefixes = locale_language_negotiation_url_prefixes();
         if (!empty($prefixes[$options['language']->langcode])) {
-          $options['prefix'] = $prefixes[$options['language']->langcode] . '/';
+          $path = ltrim((string) $path, '/');
+          $prefix = $prefixes[$options['language']->langcode] . '/';
+          $options['prefix'] = $prefix;
+          if (substr($path, 0, strlen($prefix)) == $prefix) {
+            $path = substr($path, strlen($prefix));
+          }
         }
         break;
     }

core/includes/module.inc

@@ -523,6 +523,14 @@ function module_enable($module_list, $enable_dependencies = TRUE) {
 
       // Record the fact that it was enabled.
       $modules_enabled[] = $module;
+
+      // Update the status of the module in the system.extensions config.
+      $config = config('system.extensions');
+      $modules_in_config = $config->get('modules') != NULL ? $config->get('modules') : array();
+      $modules_in_config[$module] = TRUE;
+      $config->set('modules', $modules_in_config);
+      $config->save();
+
       watchdog('system', '%module module enabled.', array('%module' => $module), WATCHDOG_INFO);
     }
   }
@@ -608,6 +616,14 @@ function module_disable($module_list, $disable_dependents = TRUE) {
         ->condition('name', $module)
         ->execute();
       $invoke_modules[] = $module;
+
+      // Update the status of the module in the system.extensions config.
+      $config = config('system.extensions');
+      $modules_in_config = $config->get('modules') != NULL ? $config->get('modules') : array();
+      $modules_in_config[$module] = FALSE;
+      $config->set('modules', $modules_in_config);
+      $config->save();
+
       watchdog('system', '%module module disabled.', array('%module' => $module), WATCHDOG_INFO);
     }
   }
@@ -1010,6 +1026,7 @@ function backdrop_merged_modules() {
     'field_formatter_settings', // Backdrop 1.13.0.
     'imagecache_token', // Backdrop 1.17.0.
     'fast_token_browser', // Backdrop 1.30.0.
+    'book_cache', // Backdrop 1.32.0.
   );
 }
 

core/includes/password.inc

@@ -232,6 +232,9 @@ function user_hash_password($password, $count_log2 = 0) {
  */
 function user_check_password($password, $account) {
   if (substr($account->pass, 0, 2) == 'U$') {
+    // This may be an updated password from user_update_7000(). Such hashes
+    // have 'U' added as the first character and need an extra md5() (see the
+    // Drupal 7 documentation).
     $stored_hash = substr($account->pass, 1);
     $password = md5($password);
   }
@@ -243,19 +246,21 @@ function user_check_password($password, $account) {
   switch ($type) {
     case '$S$':
       // A normal Backdrop password using sha512.
-      $hash = _password_crypt('sha512', $password, $stored_hash);
+      $computed_hash = _password_crypt('sha512', $password, $stored_hash);
       break;
     case '$H$':
       // phpBB3 uses "$H$" for the same thing as "$P$".
     case '$P$':
-      // A phpass password generated using md5.  This is an
-      // imported password or from an earlier Backdrop version.
-      $hash = _password_crypt('md5', $password, $stored_hash);
+      // A phpass password generated using md5. This is an imported password or
+      // from an earlier Backdrop version.
+      $computed_hash = _password_crypt('md5', $password, $stored_hash);
       break;
     default:
       return FALSE;
   }
-  return ($hash && $stored_hash == $hash);
+
+  // To mitigate timing attacks, compare using hash_equals() instead of ===.
+  return $computed_hash && hash_equals($stored_hash, $computed_hash);
 }
 
 /**

core/includes/theme.inc

@@ -1662,15 +1662,28 @@ function _theme_render_template_debug($template_function, $template_file, $varia
 function theme_enable($theme_list) {
   backdrop_clear_css_cache();
 
-  foreach ($theme_list as $key) {
+  foreach ($theme_list as $theme) {
     db_update('system')
       ->fields(array('status' => 1))
       ->condition('type', 'theme')
-      ->condition('name', $key)
+      ->condition('name', $theme)
       ->execute();
 
     // Copy any default configuration data to the system config directory.
-    config_install_default_config($key);
+    config_install_default_config($theme);
+
+    // Update the theme status in the system.extensions config.
+    $config = config('system.extensions');
+    $themes_in_config = $config->get('themes') != NULL ? $config->get('themes') : array();
+    $themes_in_config[$theme] = TRUE;
+
+    watchdog('system', '%theme theme enabled.', array('%theme' => $theme), WATCHDOG_INFO);
+  }
+
+  // Save the updated config.
+  if (isset($config) && isset($themes_in_config)) {
+    $config->set('themes', $themes_in_config);
+    $config->save();
   }
 
   list_themes(TRUE);
@@ -1698,14 +1711,19 @@ function theme_disable($theme_list) {
 
   backdrop_clear_css_cache();
 
-  foreach ($theme_list as $key) {
+  foreach ($theme_list as $theme) {
     db_update('system')
       ->fields(array('status' => 0))
       ->condition('type', 'theme')
-      ->condition('name', $key)
+      ->condition('name', $theme)
       ->execute();
 
-    config_uninstall_config($key);
+    config_uninstall_config($theme);
+
+    // Remove the theme from the system.extensions config.
+    config_clear('system.extensions', 'themes.' . $theme);
+
+    watchdog('system', '%theme theme disabled.', array('%theme' => $theme), WATCHDOG_INFO);
   }
 
   list_themes(TRUE);

core/modules/admin_bar/css/admin_bar.css

@@ -326,6 +326,10 @@
   padding: 0.5em 2em 0.5em 1em; /* LTR */
   width: 100%;
   box-sizing: border-box;
+  /* Reinforce the admin bar font so the search input is unaffected by the
+  theme. */
+  font: inherit;
+  line-height: 1.15;
 }
 [dir="rtl"] #admin-bar .admin-bar-search input {
   background-position: left 0.5em center;