Update to 1.21.0

Author: herbdool

.github/misc/settings.local.php

@@ -0,0 +1,8 @@
+<?php
+/**
+ * @file
+ * Disable sending of telemetry data from GitHub Action runners.
+ * @see .github/workflows/functional-tests.yml
+ */
+
+$settings['telemetry_enabled'] = FALSE;

.github/workflows/functional-tests.yml

@@ -60,7 +60,9 @@ jobs:
           curl -sI 'http://localhost/'
 
       - name: Install Backdrop
-        run: core/scripts/install.sh --db-url=mysql://root:[email protected]/backdrop
+        run: |
+          cp ./.github/misc/settings.local.php .
+          core/scripts/install.sh --db-url=mysql://root:[email protected]/backdrop
 
       - name: Run tests
         run: |

.tugboat/settings.local.php

@@ -10,4 +10,7 @@
 // Trusted hosts.
 $settings['trusted_host_patterns'] = array('^.+\.tugboat\.qa$');
 
+// Disable sending Telemetry data on cron runs.
+$settings['telemetry_enabled'] = FALSE;
+
 // Miscellaneous.

README.md

@@ -80,15 +80,14 @@ project:
 
 User Guide
 ----------
-Please see the the [Backdrop Handbook](https://docs.backdropcms.org/documentation/getting-started).
+Please see the [Backdrop Handbook](https://docs.backdropcms.org/documentation/getting-started).
 
 Developer Documentation
 -----------------------
-Please see the the [Backdrop API Documentation](https://docs.backdropcms.org/api/backdrop/groups).
+Please see the [Backdrop API Documentation](https://docs.backdropcms.org/api/backdrop/groups).
 
 Code of Conduct
 ---------------
-
 A primary goal of the Backdrop CMS community is to be inclusive to the largest
 number of contributors, with the most varied and diverse backgrounds possible.
 As such, we are committed to providing a friendly, safe and welcoming
@@ -110,7 +109,7 @@ Backdrop is [GPL v2](http://www.gnu.org/licenses/gpl-2.0.html) (or higher)
 software. See the LICENSE.txt file for complete text. Distributions of this
 software may relicense it as any later version of the GPL.
 
-All Backdrop code is Copyright 2001 - 2021 by the original authors.
+All Backdrop code is Copyright 2001 - 2022 by the original authors.
 
 Backdrop also includes works under different copyright notices that are
 distributed according to the terms of the GNU General Public License or a

core/includes/ajax.inc

@@ -428,8 +428,8 @@ function ajax_form_callback() {
  * administration theme. Depending on whether the "Use the administration theme
  * when editing or creating content" checkbox is checked, the node edit form may
  * be displayed in either theme, but the Ajax response to the Field module's
- * "Add another item" button should be rendered using the same theme as the rest
- * of the page. Therefore, system_menu() sets the 'theme callback' for
+ * "Add another" button should be rendered using the same theme as the rest of
+ * the page. Therefore, system_menu() sets the 'theme callback' for
  * 'system/ajax' to this function, and it is recommended that modules
  * implementing other generic Ajax paths do the same.
  *

core/includes/bootstrap.inc

@@ -7,7 +7,7 @@
 /**
  * The current system version.
  */
-define('BACKDROP_VERSION', '1.20.3');
+define('BACKDROP_VERSION', '1.21.0');
 
 /**
  * Core API compatibility.
@@ -3224,26 +3224,30 @@ function _backdrop_bootstrap_page_header() {
  */
 function _backdrop_bootstrap_sanitize_request() {
   // Remove dangerous keys from input data.
-  $whitelist = settings_get('sanitize_input_whitelist', array());
+  $allowlist = settings_get('sanitize_input_allowlist', array());
+  if (empty($allowlist)) {
+    // Backwards compatible setting support. @todo Remove in 2.x.
+    $allowlist = settings_get('sanitize_input_whitelist', array());
+  }
   $log_sanitized_keys = settings_get('sanitize_input_logging');
 
   // Process query string parameters.
-  $sanitized_keys = _backdrop_bootstrap_sanitize_input($_GET, $whitelist);
+  $sanitized_keys = _backdrop_bootstrap_sanitize_input($_GET, $allowlist);
   if ($sanitized_keys && $log_sanitized_keys) {
     trigger_error(format_string('Potentially unsafe keys removed from query string parameters (GET): @keys', array('@keys' => implode(', ', $sanitized_keys))), E_USER_WARNING);
   }
   // Process request body parameters.
-  $sanitized_keys = _backdrop_bootstrap_sanitize_input($_POST, $whitelist);
+  $sanitized_keys = _backdrop_bootstrap_sanitize_input($_POST, $allowlist);
   if ($sanitized_keys && $log_sanitized_keys) {
     trigger_error(format_string('Potentially unsafe keys removed from request body parameters (POST): @keys', array('@keys' => implode(', ', $sanitized_keys))), E_USER_WARNING);
   }
   // Process cookie parameters.
-  $sanitized_keys = _backdrop_bootstrap_sanitize_input($_COOKIE, $whitelist);
+  $sanitized_keys = _backdrop_bootstrap_sanitize_input($_COOKIE, $allowlist);
   if ($sanitized_keys && $log_sanitized_keys) {
     trigger_error(format_string('Potentially unsafe keys removed from cookie parameters (COOKIE): @keys', array('@keys' => implode(', ', $sanitized_keys))), E_USER_WARNING);
   }
   // Process request global. No need to log; already logged in $_GET and $_POST.
-  _backdrop_bootstrap_sanitize_input($_REQUEST, $whitelist);
+  _backdrop_bootstrap_sanitize_input($_REQUEST, $allowlist);
 
   // Sanitize the destination parameter (which is often used for redirects) to
   // prevent open redirect attacks leading to other domains. Sanitize both
@@ -3269,7 +3273,7 @@ function _backdrop_bootstrap_sanitize_request() {
     }
 
     if (!empty($destination_parts['query'])) {
-      $sanitized_keys = _backdrop_bootstrap_sanitize_input($destination_parts['query'], $whitelist);
+      $sanitized_keys = _backdrop_bootstrap_sanitize_input($destination_parts['query'], $allowlist);
     }
 
     if ($sanitized_keys) {
@@ -3287,23 +3291,23 @@ function _backdrop_bootstrap_sanitize_request() {
  *
  * @param mixed $input
  *   The input data array from a request to be sanitized.
- * @param string[] $whitelist
- *   Whitelist of input keys that are considered acceptable.
+ * @param string[] $allowlist
+ *   Allowed list of input keys that are considered acceptable.
  *
  * @return string[]
  *   The list of any input keys have been filtered out, if any.
  */
-function _backdrop_bootstrap_sanitize_input(&$input, $whitelist = array()) {
+function _backdrop_bootstrap_sanitize_input(&$input, $allowlist = array()) {
   $sanitized_keys = array();
 
   if (is_array($input)) {
     foreach ($input as $key => $value) {
-      if ($key !== '' && substr($key, 0, 1) === '#' && !in_array($key, $whitelist, TRUE)) {
+      if ($key !== '' && substr($key, 0, 1) === '#' && !in_array($key, $allowlist, TRUE)) {
         unset($input[$key]);
         $sanitized_keys[] = $key;
       }
       elseif (is_array($input[$key])) {
-        $sanitized_keys = array_merge($sanitized_keys, _backdrop_bootstrap_sanitize_input($input[$key], $whitelist));
+        $sanitized_keys = array_merge($sanitized_keys, _backdrop_bootstrap_sanitize_input($input[$key], $allowlist));
       }
     }
   }
@@ -3702,7 +3706,7 @@ function language_default() {
  * - http://example.com/node/306 returns "node/306".
  * - http://example.com/backdropfolder/node/306 returns "node/306" while
  *   base_path() returns "/backdropfolder/".
- * - http://example.com/path/alias (which is a path alias for node/306) returns
+ * - http://example.com/url-alias (which is a URL alias for node/306) returns
  *   "path/alias" as opposed to the internal path.
  * - http://example.com/index.php returns an empty string (meaning: home page).
  * - http://example.com/index.php?page=1 returns an empty string.

core/includes/common.inc

@@ -1834,7 +1834,7 @@ function filter_xss($string, $allowed_tags = NULL) {
 
   // Defuse all HTML entities.
   $string = str_replace('&', '&', $string);
-  // Change back only well-formed entities in our whitelist:
+  // Change back only well-formed entities in our allowlist:
   // Decimal numeric entities.
   $string = preg_replace('/&#([0-9]+;)/', '&#\1', $string);
   // Hexadecimal numeric entities.
@@ -2544,7 +2544,7 @@ function _format_date_callback(array $matches = NULL, $new_langcode = NULL) {
  *     arguments for internal paths must be supplied in $options['query'], not
  *     included in $path.
  *   - If you provide an internal path and $options['alias'] is set to TRUE, the
- *     path is assumed already to be the correct path alias, and the alias is
+ *     path is assumed already to be the correct URL alias, and the alias is
  *     not looked up.
  *   - The special string '<front>' generates a link to the site's base URL.
  *   - If your external URL contains a query (e.g. http://example.com/foo?a=b),
@@ -2678,7 +2678,7 @@ function url($path = NULL, array $options = array()) {
     $langcode = isset($options['language']) && isset($options['language']->langcode) ? $options['language']->langcode : '';
     $alias = backdrop_get_path_alias($original_path, $langcode);
     if ($alias != $original_path) {
-      // Strip leading slashes from internal path aliases to prevent them
+      // Strip leading slashes from internal URL aliases to prevent them
       // becoming external URLs without protocol. /example.com should not be
       // turned into //example.com.
       $path = ltrim($alias, '/');
@@ -2814,7 +2814,7 @@ function backdrop_http_header_attributes(array $attributes = array()) {
  *   // will return an onmouseout attribute with JavaScript code that, when used
  *   // as attribute in a tag, will cause users to be redirected to another site.
  *   //
- *   // In this case, the 'onmouseout' attribute should not be whitelisted --
+ *   // In this case, the 'onmouseout' attribute should not be allowed --
  *   // you don't want users to have the ability to add this attribute or others
  *   // that take JavaScript commands.
  *   backdrop_attributes(array('onmouseout' => 'window.location="http://malicious.com/";')));
@@ -7814,7 +7814,7 @@ function backdrop_common_theme() {
       'variables' => array('type' => MARK_NEW),
     ),
     'item_list' => array(
-      'variables' => array('items' => array(), 'title' => '', 'type' => 'ul', 'attributes' => array()),
+      'variables' => array('items' => array(), 'title' => '', 'type' => 'ul', 'attributes' => array(), 'empty' => NULL),
     ),
     'more_help_link' => array(
       'variables' => array('url' => NULL),
@@ -8665,12 +8665,13 @@ function backdrop_parse_dependency($dependency) {
   $p_major = '(?P<major>\d+)';
   // By setting the minor version to x, branches can be matched.
   $p_minor = '(?P<minor>(?:\d+|x)(?:-[A-Za-z]+\d+)?)';
+  $p_patch = '(?P<patch>(?:\d+|x)(?:-[A-Za-z]+\d+)?)?';
   $parts = explode('(', $dependency, 2);
   $value['name'] = trim($parts[0]);
   if (isset($parts[1])) {
     $value['original_version'] = '(' . $parts[1];
     foreach (explode(',', $parts[1]) as $version) {
-      if (preg_match("/^\s*$p_op\s*$p_core$p_major\.$p_minor/", $version, $matches)) {
+      if (preg_match("/^\s*$p_op\s*$p_core$p_major\.$p_minor\.?$p_patch/", $version, $matches)) {
         $op = !empty($matches['operation']) ? $matches['operation'] : '=';
         if ($matches['minor'] == 'x') {
           // Backdrop considers "2.x" to mean any version that begins with
@@ -8688,7 +8689,23 @@ function backdrop_parse_dependency($dependency) {
             $op = '>=';
           }
         }
-        $value['versions'][] = array('op' => $op, 'version' => $matches['major'] . '.' . $matches['minor']);
+
+        if (isset($matches['patch']) && ($matches['patch'] === '0' || $matches['patch'])) {
+          if ($matches['patch'] == 'x' && $matches['minor'] !== 'x') {
+            // See comments above about "x" in minor. 
+            // Same principle applies to patch in relation to minor.
+            if ($op == '>' || $op == '<=') {
+              $matches['minor']++;
+            }
+            if ($op == '=' || $op == '==') {
+              $value['versions'][] = array('op' => '<', 'version' => $matches['major'] . '.' . ($matches['minor'] + 1) . '.x');
+              $op = '>=';
+            }
+          }
+        }
+        $version = $matches['major'] . '.' . $matches['minor'];
+        $version .= (isset($matches['patch']) && ($matches['patch'] === '0' || $matches['patch'])) ? '.' . $matches['patch'] : '';
+        $value['versions'][] = array('op' => $op, 'version' => $version);
       }
     }
   }
@@ -8726,12 +8743,18 @@ function backdrop_check_incompatibility(array $dependency_info, $current_version
  * Converts a Backdrop version string into numeric-only version string.
  *
  * @param string $version_string
- *   A version string such as 1.10.0-beta4 or 1.4.x-dev.
+ *   A version string such as 1.x-1.2.3, 1.10.0-beta4, or 1.4.x-dev.
  * @return string
  *   A converted string only containing numbers, for use in PHP's
  *   version_compare() function.
  */
 function _backdrop_version_compare_convert($version_string) {
+  // Remove the "1.x-" prefix (indicating Backdrop core version compatibility).
+  $core_prefix = BACKDROP_CORE_COMPATIBILITY . '-';
+  if (strpos($version_string, $core_prefix) === 0) {
+    $version_string = substr($version_string, strlen($core_prefix));
+  }
+
   // Convert "dev" releases to be the highest possible version number. For
   // example 1.5.x-dev should be considered higher than any other 1.5 release,
   // so we replace .x with 99999.

core/includes/drupal.inc

@@ -2175,7 +2175,7 @@ function drupal_get_path_alias($path = NULL, $langcode = NULL) {
 }
 
 /**
- * Given a path alias, return the internal path it represents.
+ * Given a URL alias, return the internal path it represents.
  *
  * @deprecated since 1.0.0
  * @see backdrop_get_normal_path()
@@ -2208,7 +2208,7 @@ function drupal_match_path($path, $patterns) {
 }
 
 /**
- * Rebuild the path alias white list.
+ * Rebuild the URL alias allowlist.
  *
  * @deprecated since 1.0.0
  */
@@ -2217,6 +2217,16 @@ function drupal_path_alias_whitelist_rebuild($source = NULL) {
   return array();
 }
 
+/**
+ * Rebuild the path alias allowlist.
+ *
+ * @deprecated since 1.21.0
+ */
+function drupal_path_alias_allowlist_rebuild($source = NULL) {
+  watchdog_deprecated_function('drupal', __FUNCTION__);
+  return drupal_path_alias_whitelist_rebuild();
+}
+
 /**
  * Checks a path exists and the current user has access to it.
  *

core/includes/errors.inc

@@ -270,10 +270,10 @@ function _backdrop_log_error($error, $fatal = FALSE) {
  */
 function _backdrop_get_last_caller($backtrace) {
   // Errors that occur inside PHP internal functions do not generate
-  // information about file and line. Ignore black listed functions.
-  $blacklist = array('debug', '_backdrop_error_handler', '_backdrop_exception_handler');
+  // information about file and line. Ignore disallowed functions.
+  $denylist = array('debug', '_backdrop_error_handler', '_backdrop_exception_handler');
   while (($backtrace && !isset($backtrace[0]['line'])) ||
-         (isset($backtrace[1]['function']) && in_array($backtrace[1]['function'], $blacklist))) {
+         (isset($backtrace[1]['function']) && in_array($backtrace[1]['function'], $denylist))) {
     array_shift($backtrace);
   }
 

core/includes/file.inc

@@ -1228,11 +1228,11 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
     // Remove any null bytes. See http://php.net/manual/security.filesystem.nullbytes.php
     $filename = str_replace(chr(0), '', $filename);
 
-    $whitelist = array_unique(explode(' ', strtolower(trim($extensions))));
+    $allowlist = array_unique(explode(' ', strtolower(trim($extensions))));
 
     // Remove unsafe extensions from the list of allowed extensions. The list is
     // copied from file_save_upload().
-    $whitelist = array_diff($whitelist, explode('|', 'php|phar|pl|py|cgi|asp|js'));
+    $allowlist = array_diff($allowlist, explode('|', 'php|phar|pl|py|cgi|asp|js'));
 
     // Split the filename up by periods. The first part becomes the basename
     // the last part the final extension.
@@ -1245,7 +1245,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
     // of allowed extensions.
     foreach ($filename_parts as $filename_part) {
       $new_filename .= '.' . $filename_part;
-      if (!in_array(strtolower($filename_part), $whitelist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
+      if (!in_array(strtolower($filename_part), $allowlist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
         $new_filename .= '_';
       }
     }