Merge branch 'release/2.6.2984' into master-v2

CHANGELOG.md

@@ -1,14 +1,36 @@
 Craft CMS Changelog
 ===================
 
+## 2.6.2984 - 2017-06-26
+
+### Added
+- Added the [sanitizeSvgUploads](https://craftcms.com/docs/config-settings#sanitizeSvgUploads) config setting, which determines whether SVG files should be sanitized on uploads (`true` by default).
+
+### Changed
+- The `assets.onReplaceFile` event is now fired whenever a file is replaced, not only if it happens using the `Replace file` Asset action.
+- Updated HTML Purifier to 4.9.3.
+- Updated Redactor II to 2.7.
+
+### Fixed
+- Fixed a bug where changing a user acocunt’s email address to one that is already taken would silently fail.
+- Fixed a bug where a validation error would occur when saving two routes with the same URL Pattern in different locales.
+- Fixed a JavaScript error that would occur after sending in a support request from the Craft Support widget.
+- Fixed a bug where Rackspace Asset Sources would corrupt files with trailing whitespaces when downloading them.
+- Fixed a SQL error that would occur when saving a Dropdown or Radio Buttons field if the default option’s value contained quotation marks.
+- Fixed a bug where asset upload prompts would not always reset between uploads.
+
+### Security
+- Fixed several XSS vulnerabilities in the Control Panel.
+
+
 ## 2.6.2983 - 2017-06-09
 
 ### Changed
 - Date pickers’ “Previous” and “Next” buttons are now represented as arrows. ([#1538](https://github.com/craftcms/cms/issues/1538))
 - Updated Yii to 1.1.19.
 
 ### Fixed
-- Fixed a bug where doctype and XML declarations were getting stripped out of SVG files on upload.
+- Fixed a bug where doctype and XML declarations were getting stripped out of SVG files on upload. ([#1767](https://github.com/craftcms/cms/issues/1767))
 
 ## 2.6.2982 - 2017-06-07 [CRITICAL]
 
@@ -71,7 +93,7 @@ Craft CMS Changelog
 ## 2.6.2976 - 2017-04-27
 
 ### Changed
-- The `_layouts/cp.html` Control Panel now defines the `#container` element attributes within a `containerAttributes` block, so they can be overridden or added to from sub-templates. ([#1665](https://github.com/craftcms/cms/issues/1665))
+- The `_layouts/cp.html` Control Panel template now defines the `#container` element attributes within a `containerAttributes` block, so they can be overridden or added to from sub-templates. ([#1665](https://github.com/craftcms/cms/issues/1665))
 
 ### Fixed
 - Fixed a bug where `HttpRequestService::getSegments()` and `getActionSegments()` could return an array that started at a non-0 number allowing for a bypass of the XSS vulnerability fix in 2.6.2974.

composer.json

@@ -20,10 +20,6 @@
         {
             "type": "vcs",
             "url": "https://github.com/pixelandtonic/yii"
-        },
-        {
-            "type": "vcs",
-            "url": "https://github.com/pixelandtonic/svg-sanitizer"
         }
     ],
     "require": {
@@ -34,8 +30,8 @@
         "pixelandtonic/imagine": "v0.7.1.1",
         "lsolesen/pel": "0.9.4.2",
         "pclzip/pclzip": "2.8.2",
-        "yiisoft/yii": "1.1.19.1",
-        "enshrined/svg-sanitize": "0.5.3.1"
+        "yiisoft/yii": "1.1.19.2",
+        "enshrined/svg-sanitize": "0.6.0"
     },
     "require-dev": {
         "phpunit/phpunit": "4.8.16",

src/Info.php

@@ -1,6 +1,6 @@
 <?php
 namespace Craft;
 
-define('CRAFT_VERSION', '2.6.2983');
-define('CRAFT_SCHEMA_VERSION', '2.6.9');
+define('CRAFT_VERSION', '2.6.2984');
+define('CRAFT_SCHEMA_VERSION', '2.6.10');
 define('CRAFT_MIN_VERSION_REQUIRED', '2.6.2922');

src/assetsourcetypes/RackspaceAssetSourceType.php

@@ -798,7 +798,8 @@ private static function _extractHeader($response, $header)
 	 */
 	private static function _extractRequestResponse($response)
 	{
-		return rtrim(mb_substr($response, mb_strpos($response, "\r\n\r\n") + 4));
+	    $length = static::_extractHeader($response, 'Content-Length');
+		return mb_substr($response, mb_strpos($response, "\r\n\r\n") + 4, $length);
 	}
 
 	/**

src/controllers/UpdateController.php

@@ -77,110 +77,6 @@ public function actionGetAvailableUpdates()
 		}
 	}
 
-	/**
-	 * Returns the update info JSON.
-	 *
-	 * @return null
-	 */
-	public function actionGetUpdates()
-	{
-		craft()->userSession->requirePermission('performUpdates');
-
-		$this->requireAjaxRequest();
-
-		$handle = craft()->request->getRequiredPost('handle');
-
-		$return = array();
-		$updateInfo = craft()->updates->getUpdates();
-
-		if (!$updateInfo)
-		{
-			$this->returnErrorJson(Craft::t('There was a problem getting the latest update information.'));
-		}
-
-		try
-		{
-			switch ($handle)
-			{
-				case 'all':
-				{
-					// Craft first.
-					$return[] = array(
-						'handle' => 'Craft',
-						'name' => 'Craft',
-						'version' => $updateInfo->app->latestVersion,
-						'critical' => $updateInfo->app->criticalUpdateAvailable,
-						'releaseDate' => $updateInfo->app->latestDate->getTimestamp(),
-					);
-
-					// Plugins
-					if ($updateInfo->plugins !== null)
-					{
-						foreach ($updateInfo->plugins as $plugin)
-						{
-							if ($plugin->status == PluginUpdateStatus::UpdateAvailable && count($plugin->releases) > 0)
-							{
-								$return[] = array(
-									'handle' => $plugin->class,
-									'name' => $plugin->displayName,
-									'version' => $plugin->latestVersion,
-									'critical' => $plugin->criticalUpdateAvailable,
-									'releaseDate' => $plugin->latestDate->getTimestamp(),
-								);
-							}
-						}
-					}
-
-					break;
-				}
-
-				case 'craft':
-				{
-					$return[] = array(
-						'handle' => 'Craft',
-						'name' => 'Craft',
-						'version' => $updateInfo->app->latestVersion,
-						'critical' => $updateInfo->app->criticalUpdateAvailable,
-						'releaseDate' => $updateInfo->app->latestDate->getTimestamp(),
-					);
-					break;
-				}
-
-				// We assume it's a plugin handle.
-				default:
-				{
-					if (!empty($updateInfo->plugins))
-					{
-						if (isset($updateInfo->plugins[$handle]) && $updateInfo->plugins[$handle]->status == PluginUpdateStatus::UpdateAvailable && count($updateInfo->plugins[$handle]->releases) > 0)
-						{
-							$return[] = array(
-								'handle' => $updateInfo->plugins[$handle]->handle,
-								'name' => $updateInfo->plugins[$handle]->displayName,
-								'version' => $updateInfo->plugins[$handle]->latestVersion,
-								'critical' => $updateInfo->plugins[$handle]->criticalUpdateAvailable,
-								'releaseDate' => $updateInfo->plugins[$handle]->latestDate->getTimestamp(),
-							);
-						}
-						else
-						{
-							$this->returnErrorJson(Craft::t("Could not find any update information for the plugin with handle “{handle}”.", array('handle' => $handle)));
-						}
-					}
-					else
-					{
-						$this->returnErrorJson(Craft::t("Could not find any update information for the plugin with handle “{handle}”.", array('handle' => $handle)));
-					}
-				}
-			}
-
-			$this->returnJson(array('success' => true, 'updateInfo' => $return));
-		}
-		catch (\Exception $e)
-		{
-			$this->returnErrorJson($e->getMessage());
-		}
-	}
-
 	/**
 	 * Called during both a manual and auto-update.
 	 *

src/controllers/UsersController.php

@@ -420,17 +420,21 @@ public function actionVerifyEmail()
 			$userToProcess = $info['userToProcess'];
 			$userIsPending = $userToProcess->status == UserStatus::Pending;
 
-			craft()->users->verifyEmailForUser($userToProcess);
-
-			if ($userIsPending)
+			if (craft()->users->verifyEmailForUser($userToProcess))
 			{
-				// They were just activated, so treat this as an activation request
-				$this->_onAfterActivateUser($userToProcess);
+
+				if ($userIsPending)
+				{
+					// They were just activated, so treat this as an activation request
+					$this->_onAfterActivateUser($userToProcess);
+				}
+
+				// Redirect to the site/CP root
+				$url = UrlHelper::getUrl('');
+				$this->redirect($url);
 			}
 
-			// Redirect to the site/CP root
-			$url = UrlHelper::getUrl('');
-			$this->redirect($url);
+			$this->renderTemplate('_special/emailtaken', array('email' => $userToProcess->unverifiedEmail));
 		}
 	}
 

src/elementtypes/AssetElementType.php

@@ -631,7 +631,7 @@ private function _assembleSourceList($folders, $includeNestedFolders = true)
 	private function _assembleSourceInfoForFolder(AssetFolderModel $folder, $includeNestedFolders = true)
 	{
 		$source = array(
-			'label'     => ($folder->parentId ? $folder->name : Craft::t($folder->name)),
+			'label'     => HtmlHelper::encode($folder->parentId ? $folder->name : Craft::t($folder->name)),
 			'hasThumbs' => true,
 			'criteria'  => array('folderId' => $folder->id),
 			'data'      => array('upload' => is_null($folder->sourceId) ? true : craft()->assets->canUserPerformAction($folder->id, 'uploadToAssetSource'))

src/elementtypes/BaseElementType.php

@@ -310,7 +310,7 @@ public function getTableAttributeHtml(BaseElementModel $element, $attribute)
 		{
 			case 'link':
 			{
-				$url = $element->getUrl();
+				$url = HtmlHelper::encode($element->getUrl());
 
 				if ($url)
 				{
@@ -320,11 +320,13 @@ public function getTableAttributeHtml(BaseElementModel $element, $attribute)
 				{
 					return '';
 				}
+
+				break;
 			}
 
 			case 'uri':
 			{
-				$url = $element->getUrl();
+				$url = HtmlHelper::encode($element->getUrl());
 
 				if ($url)
 				{

src/elementtypes/CategoryElementType.php

@@ -92,7 +92,7 @@ public function getSources($context = null)
 			$key = 'group:'.$group->id;
 
 			$sources[$key] = array(
-				'label'             => Craft::t($group->name),
+				'label'             => HtmlHelper::encode(Craft::t($group->name)),
 				'data'              => array('handle' => $group->handle),
 				'criteria'          => array('groupId' => $group->id),
 				'structureId'       => $group->structureId,

src/elementtypes/EntryElementType.php

@@ -152,7 +152,7 @@ public function getSources($context = null)
 					$key = 'section:'.$section->id;
 
 					$sources[$key] = array(
-						'label'    => Craft::t($section->name),
+						'label'    => HtmlHelper::encode(Craft::t($section->name)),
 						'data'     => array('type' => $type, 'handle' => $section->handle),
 						'criteria' => array('sectionId' => $section->id, 'editable' => $editable)
 					);

src/elementtypes/TagElementType.php

@@ -72,7 +72,7 @@ public function getSources($context = null)
 			$key = 'taggroup:'.$tagGroup->id;
 
 			$sources[$key] = array(
-				'label'    => Craft::t($tagGroup->name),
+				'label'    => HtmlHelper::encode(Craft::t($tagGroup->name)),
 				'criteria' => array('groupId' => $tagGroup->id)
 			);
 		}

src/elementtypes/UserElementType.php

@@ -98,7 +98,7 @@ public function getSources($context = null)
 					$key = 'group:'.$group->id;
 
 					$sources[$key] = array(
-						'label'     => Craft::t($group->name),
+						'label'     => HtmlHelper::encode(Craft::t($group->name)),
 						'criteria'  => array('groupId' => $group->id),
 						'hasThumbs' => true
 					);

src/etc/config/defaults/general.php

@@ -536,6 +536,12 @@
 	 */
 	'runTasksAutomatically' => true,
 
+	/**
+	 * Whether Craft should sanitize uploaded SVG files and strip out potential malicious looking content.
+	 * Should definitely be enabled if you are accepting SVG uploads from untrusted sources.
+	 */
+	'sanitizeSvgUploads' => true,
+
 	/**
 	 * Whether the X-Powered-By header should be sent on each request, helping clients identify that the site is powered by Craft.
 	 */