Prepare 3.9.3 release

.gitignore

@@ -193,6 +193,9 @@ Desktop.ini
 /libraries/vendor/simplepie/simplepie/build
 /libraries/vendor/simplepie/simplepie/idn/ReadMe.txt
 /libraries/vendor/simplepie/simplepie/composer.json
+/libraries/vendor/typo3/phar-stream-wrapper/README.md
+/libraries/vendor/typo3/phar-stream-wrapper/LICENSE
+/libraries/vendor/typo3/phar-stream-wrapper/.gitignore
 
 # System Test related files
 tests/codeception/acceptance.suite.yml

administrator/components/com_admin/postinstall/addnosniff.php

@@ -0,0 +1,27 @@
+<?php
+/**
+ * @package     Joomla.Administrator
+ * @subpackage  com_admin
+ *
+ * @copyright   Copyright (C) 2005 - 2019 Open Source Matters, Inc. All rights reserved.
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ *
+ * This file contains post-installation message handling for notifying users of a change
+ * in the default .htaccess and web.config files.
+ */
+
+defined('_JEXEC') or die;
+
+/**
+ * Notifies users of the add the nosniff headers by applying the changes from the default .htaccess or web.config file
+ *
+ * This check returns true regardless of condition.
+ *
+ * @return  boolean
+ *
+ * @since   3.4
+ */
+function admin_postinstall_addnosniff_condition()
+{
+	return true;
+}

administrator/components/com_admin/sql/updates/mysql/3.9.3-2019-02-07.sql

@@ -0,0 +1,3 @@
+INSERT INTO `#__postinstall_messages` (`extension_id`, `title_key`, `description_key`, `action_key`, `language_extension`, `language_client_id`, `type`, `action_file`, `action`, `condition_file`, `condition_method`, `version_introduced`, `enabled`)
+VALUES
+(700, 'COM_CPANEL_MSG_ADDNOSNIFF_TITLE', 'COM_CPANEL_MSG_ADDNOSNIFF_BODY', '', 'com_cpanel', 1, 'message', '', '', 'admin://components/com_admin/postinstall/addnosniff.php', 'admin_postinstall_addnosniff_condition', '3.9.3', 1);

administrator/components/com_admin/sql/updates/postgresql/3.9.3-2019-02-07.sql

@@ -0,0 +1,3 @@
+INSERT INTO "#__postinstall_messages" ("extension_id", "title_key", "description_key", "action_key", "language_extension", "language_client_id", "type", "action_file", "action", "condition_file", "condition_method", "version_introduced", "enabled")
+VALUES
+(700, 'COM_CPANEL_MSG_ADDNOSNIFF_TITLE', 'COM_CPANEL_MSG_ADDNOSNIFF_BODY', '', 'com_cpanel', 1, 'message', '', '', 'admin://components/com_admin/postinstall/addnosniff.php', 'admin_postinstall_addnosniff_condition', '3.9.3', 1);

administrator/components/com_admin/sql/updates/sqlazure/3.9.3-2019-02-07.sql

@@ -0,0 +1,2 @@
+INSERT INTO [#__postinstall_messages] ([extension_id], [title_key], [description_key], [action_key], [language_extension], [language_client_id], [type], [action_file], [action], [condition_file], [condition_method], [version_introduced], [enabled])
+SELECT 700, 'COM_CPANEL_MSG_ADDNOSNIFF_TITLE', 'COM_CPANEL_MSG_ADDNOSNIFF_BODY', '', 'com_cpanel', 1, 'message', '', '', 'admin://components/com_admin/postinstall/addnosniff.php', 'admin_postinstall_addnosniff_condition', '3.9.3', 1;

administrator/components/com_banners/models/forms/banner.xml

@@ -122,6 +122,7 @@
 			label="COM_BANNERS_FIELD_CLICKURL_LABEL"
 			description="COM_BANNERS_FIELD_CLICKURL_DESC"
 			filter="url"
+			validate="url"
 		/>
 	</fieldset>
 

administrator/components/com_config/model/field/filters.php

@@ -35,6 +35,48 @@ class JFormFieldFilters extends JFormField
 	 */
 	protected function getInput()
 	{
+		// Load Framework
+		JHtml::_('jquery.framework');
+
+		// Add translation string for notification
+		JText::script('COM_CONFIG_TEXT_FILTERS_NOTE');
+
+		// Add Javascript
+		$doc = JFactory::getDocument();
+		$doc->addScriptDeclaration('
+			jQuery( document ).ready(function( $ ) {
+				$("#filter-config select").change(function() {
+					var currentFilter = $(this).children("option:selected").val();
+
+					if($(this).children("option:selected").val() === "NONE") {
+						var child = $("#filter-config select[data-parent=" + $(this).attr("data-id") + "]");
+					
+						while(child.length !== 0) {
+							if(child.children("option:selected").val() !== "NONE") {
+								alert(Joomla.JText._("COM_CONFIG_TEXT_FILTERS_NOTE"));
+								break;
+							}
+							
+							child = $("#filter-config select[data-parent=" + child.attr("data-id") + "]");
+						}
+						
+						return;
+					}
+
+					var parent = $("#filter-config select[data-id=" + $(this).attr("data-parent") + "]");
+
+					while(parent.length !== 0) {
+						if(parent.children("option:selected").val() === "NONE") {
+							alert(Joomla.JText._("COM_CONFIG_TEXT_FILTERS_NOTE"));
+							break;
+						}
+						
+						parent = $("#filter-config select[data-id=" + parent.attr("data-parent") + "]")
+					}
+				});
+			});
+		');
+
 		// Get the available user groups.
 		$groups = $this->getUserGroups();
 
@@ -85,6 +127,8 @@ protected function getInput()
 			$html[] = '				<select'
 				. ' name="' . $this->name . '[' . $group->value . '][filter_type]"'
 				. ' id="' . $this->id . $group->value . '_filter_type"'
+				. ' data-parent="' . ($group->parent) . '" '
+				. ' data-id="' . ($group->value) . '" '
 				. ' class="novalidate"'
 				. '>';
 			$html[] = '					<option value="BL"' . ($group_filter['filter_type'] == 'BL' ? ' selected="selected"' : '') . '>'
@@ -147,7 +191,7 @@ protected function getUserGroups()
 
 		// Get the user groups from the database.
 		$query = $db->getQuery(true);
-		$query->select('a.id AS value, a.title AS text, COUNT(DISTINCT b.id) AS level');
+		$query->select('a.id AS value, a.title AS text, COUNT(DISTINCT b.id) AS level, a.parent_id as parent');
 		$query->from('#__usergroups AS a');
 		$query->join('LEFT', '#__usergroups AS b on a.lft > b.lft AND a.rgt < b.rgt');
 		$query->group('a.id, a.title, a.lft');

administrator/components/com_config/model/form/application.xml

@@ -1200,6 +1200,7 @@
 			label="COM_CONFIG_FIELD_HELP_SERVER_LABEL"
 			description="COM_CONFIG_FIELD_HELP_SERVER_DESC"
 			showDefault="false"
+			validate="options"
 		/>
 
 	</fieldset>

administrator/components/com_contact/models/forms/contact.xml

@@ -401,6 +401,7 @@
 			description="COM_CONTACT_FIELD_INFORMATION_WEBPAGE_DESC"
 			size="30"
 			filter="url"
+			validate="url"
 		/>
 
 		<field
@@ -786,6 +787,7 @@
 				description="COM_CONTACT_FIELD_LINKA_DESC"
 				size="30"
 				filter="url"
+				validate="url"
 			/>
 
 			<field
@@ -803,6 +805,7 @@
 				description="COM_CONTACT_FIELD_LINKB_DESC"
 				size="30"
 				filter="url"
+				validate="url"
 			/>
 
 			<field
@@ -820,6 +823,7 @@
 				description="COM_CONTACT_FIELD_LINKC_DESC"
 				size="30"
 				filter="url"
+				validate="url"
 			/>
 
 			<field
@@ -837,6 +841,7 @@
 				description="COM_CONTACT_FIELD_LINKD_DESC"
 				size="30"
 				filter="url"
+				validate="url"
 			/>
 
 			<field
@@ -854,6 +859,7 @@
 				description="COM_CONTACT_FIELD_LINKE_DESC"
 				size="30"
 				filter="url"
+				validate="url"
 			/>
 
 			<field

administrator/components/com_newsfeeds/models/forms/newsfeed.xml

@@ -105,6 +105,7 @@
 			size="60"
 			required="true"
 			filter="url"
+			validate="url"
 		/>
 
 		<field

administrator/language/en-GB/en-GB.com_config.ini

@@ -266,5 +266,6 @@ COM_CONFIG_SYSTEM_SETTINGS="System Settings"
 COM_CONFIG_TEXT_FILTER_SETTINGS="Text Filter Settings"
 COM_CONFIG_TEXT_FILTERS="Text Filters"
 COM_CONFIG_TEXT_FILTERS_DESC="These text filter settings will be applied to all text editor fields in the selected groups.<br />These filtering options give more control over the HTML your content providers submit. You can be as strict or as liberal as you require to suit your site's needs. The filtering is opt-in and the default settings provide good protection against markup commonly associated with website attacks."
+COM_CONFIG_TEXT_FILTERS_NOTE="WARNING: You have configured a parent group with the setting 'No Filtering' - this setting can't be overriden in child groups and any other configured filter will not be applied."
 COM_CONFIG_XML_DESCRIPTION="Configuration Manager"
 JLIB_RULES_SETTING_NOTES="If you change the setting, it will apply to this and all child groups, components and content. Note that:<br /><em><strong>Inherited</strong></em> means that the permissions from the parent group will be used.<br /><em><strong>Denied</strong></em> means that no matter what the parent group's setting is, the group being edited can't take this action.<br /><em><strong>Allowed</strong></em> means that the group being edited will be able to take this action (but if this is in conflict with the parent group it will have no impact; a conflict will be indicated by <em><strong>Not Allowed (Locked)</strong></em> under Calculated Settings).<br /><em><strong>Not Set</strong></em> is used only for the Public group in global configuration. The Public group is the parent of all other groups. If a permission is not set, it is treated as deny but can be changed for child groups, components, categories and items."

administrator/language/en-GB/en-GB.com_cpanel.ini

@@ -34,6 +34,8 @@ COM_CPANEL_MSG_STATS_COLLECTION_BODY="<p>Since Joomla! 3.5 a statistics plugin w
 COM_CPANEL_MSG_STATS_COLLECTION_TITLE="Stats Collection in Joomla"
 COM_CPANEL_MSG_UPDATEDEFAULTSETTINGS_BODY="<p>As part of our security team's review, we have made some changes to the default settings in a new Joomla installation. As these changes are only applied to new installations, we strongly recommend that you review these changes and update your site.</p><p>The changed settings are:</p><ul><li>Global Configuration > Text Filters: The default \"Administrator\" user group has changed from \"No Filtering\" to \"Default Blacklist\"</li><li>Users > Send Password: The option to send a user their password in plain text when an account is created is now disabled by default</li><li>Media Manager: Flash files (\"swf\" file extension and \"application/x-shockwave-flash\" MIME Type) are not allowed to be uploaded</li><li>Articles > Show Email: The option to show an email icon with articles is disabled by default</li></ul><p>We have created a <a href=\"https://docs.joomla.org/Special:MyLanguage/J3.x:Joomla_3.8.8_notes_about_the_changed_default_settings\">dedicated documentation page</a> explaining these changes.</p>"
 COM_CPANEL_MSG_UPDATEDEFAULTSETTINGS_TITLE="Updated site security recommendations"
+COM_CPANEL_MSG_ADDNOSNIFF_BODY="<p>Since Joomla 3.9.3, Joomla is shipped with additional security hardenings in the default htaccess.txt and web.config.txt files. These hardenings disable the so called MIME-type sniffing feature in webbrowsers. The sniffing leads to specific attack vectors, where scripts in normally harmless file formats (i.e. images) will be executed, leading to Cross-Site-Scripting vulnerabilities.</p><p>The security teams recommends to manually apply the necessary changes to existing .htaccess or web.config files, as those files can not be updated automatically.</p><p><strong>Changes for .htaccess</strong><br />Add the following lines before "_QQ_"## Mod_rewrite in use."_QQ_":</p><pre>&lt;IfModule mod_headers.c&gt;\nHeader always set X-Content-Type-Options "_QQ_"nosniff"_QQ_"\n&lt;/IfModule&gt;</pre><p><strong>Changes for web.config</strong><br />Add the following lines right after "_QQ_"&lt;/rewrite&gt;"_QQ_":</p><pre>&lt;httpProtocol&gt;\n  &lt;customHeaders&gt;\n    &lt;add name="_QQ_"X-Content-Type-Options"_QQ_" value="_QQ_"nosniff"_QQ_" /&gt;\n  &lt;/customHeaders&gt\n&lt;/httpProtocol&gt;</pre>"
+COM_CPANEL_MSG_ADDNOSNIFF_TITLE=".htaccess & web.config security Update"
 COM_CPANEL_WELCOME_BEGINNERS_MESSAGE="<p>Community resources are available for new users.</p><ul><li><a href="_QQ_"https://docs.joomla.org/Special:MyLanguage/Portal:Beginners"_QQ_">Joomla! Beginners Guide</a></li><li><a href="_QQ_"https://forum.joomla.org/viewforum.php?f=706"_QQ_">New to Joomla! Forum</a></li></ul>"
 COM_CPANEL_WELCOME_BEGINNERS_TITLE="Welcome to Joomla!"
 COM_CPANEL_XML_DESCRIPTION="Control Panel component"

administrator/manifests/files/joomla.xml

@@ -6,7 +6,7 @@
 	<authorUrl>www.joomla.org</authorUrl>
 	<copyright>(C) 2005 - 2019 Open Source Matters. All rights reserved</copyright>
 	<license>GNU General Public License version 2 or later; see LICENSE.txt</license>
-	<version>3.9.3-dev</version>
+	<version>3.9.3</version>
 	<creationDate>February 2019</creationDate>
 	<description>FILES_JOOMLA_XML_DESCRIPTION</description>
 

administrator/modules/mod_menu/mod_menu.xml

@@ -94,6 +94,7 @@
 					size="30"
 					default=""
 					showon="menutype:*"
+					validate="url"
 				/>
 			</fieldset>
 

composer.json

@@ -45,7 +45,8 @@
         "symfony/polyfill-php73": "~1.9",
         "symfony/yaml": "2.*",
         "simplepie/simplepie": "1.3.1",
-        "google/recaptcha": "^1.1"
+        "google/recaptcha": "^1.1",
+        "typo3/phar-stream-wrapper": "^2.0"
     },
     "require-dev": {
         "phpunit/phpunit": "^4.8.35",

htaccess.txt

@@ -21,6 +21,11 @@
   IndexIgnore *
 </IfModule>
 
+## Suppress mime type detection in browsers for unknown types
+<IfModule mod_headers.c>
+Header always set X-Content-Type-Options "nosniff"
+</IfModule>
+
 ## Can be commented out if causes errors, see notes above.
 Options +FollowSymlinks
 Options -Indexes

libraries/cms.php

@@ -42,6 +42,18 @@
 // Register the class aliases for Framework classes that have replaced their Platform equivilents
 require_once JPATH_LIBRARIES . '/classmap.php';
 
+// Suppress phar stream wrapper for non .phar files
+$behavior = new \TYPO3\PharStreamWrapper\Behavior;
+\TYPO3\PharStreamWrapper\Manager::initialize(
+	$behavior->withAssertion(new \TYPO3\PharStreamWrapper\Interceptor\PharExtensionInterceptor)
+);
+
+if (in_array('phar', stream_get_wrappers()))
+{
+	stream_wrapper_unregister('phar');
+	stream_wrapper_register('phar', 'TYPO3\\PharStreamWrapper\\PharStreamWrapper');
+}
+
 // Define the Joomla version if not already defined.
 if (!defined('JVERSION'))
 {

libraries/src/Help/Help.php

@@ -187,7 +187,7 @@ public static function createSiteList($pathToXml)
 			$option['text']  = 'English (GB) help.joomla.org';
 			$option['value'] = 'http://help.joomla.org';
 
-			$list[] = $option;
+			$list[] = (object) $option;
 		}
 		else
 		{
@@ -198,7 +198,7 @@ public static function createSiteList($pathToXml)
 				$option['text']  = (string) $site;
 				$option['value'] = (string) $site->attributes()->url;
 
-				$list[] = $option;
+				$list[] = (object) $option;
 			}
 		}
 

libraries/src/Toolbar/Button/HelpButton.php

@@ -82,7 +82,7 @@ protected function _getCommand($ref, $com, $override, $component)
 	{
 		// Get Help URL
 		$url = Help::createUrl($ref, $com, $override, $component);
-		$url = json_encode(htmlspecialchars($url, ENT_QUOTES));
+		$url = json_encode(htmlspecialchars($url, ENT_QUOTES), JSON_HEX_APOS);
 		$url = substr($url, 1, -1);
 		$cmd = "Joomla.popupWindow('$url', '" . \JText::_('JHELP', true) . "', 700, 500, 1)";