Merge pull request #31611 from bembelimen/4.1-dev

Merge 4.0-dev into 4.1-dev

.appveyor.yml

@@ -70,8 +70,8 @@ install:
     - IF %PHP%==1 echo zend_extension=php_opcache.dll >> php.ini
     - IF %PHP%==1 echo opcache.enable_cli=1 >> php.ini
     - IF %PHP%==1 echo extension=php_ldap.dll >> php.ini
-    - IF %PHP%==1 echo @php %%~dp0composer.phar %%* > composer.bat
-    - IF %PHP%==1 php -r "readfile('https://getcomposer.org/composer-1.phar');" > composer.phar
+    - IF %PHP%==1 echo @php %%~dp0composer-1.phar %%* > composer.bat
+    - IF %PHP%==1 appveyor-retry appveyor DownloadFile https://getcomposer.org/composer-1.phar
     - cd C:\projects\joomla-cms
     - appveyor-retry composer install --no-progress --profile
 before_test:

.drone.yml

@@ -269,6 +269,6 @@ steps:
 
 ---
 kind: signature
-hmac: 5692462a9c53cd5937db302a216ba95f3367ff58c2269565a215587198352276
+hmac: 71729a12ae3556e03f924ac95c8a5cd14bb6a3c2d20ef6768fdd1e853397fd22
 
 ...

README.md

@@ -1,4 +1,4 @@
-Joomla! CMS™ [![Analytics](https://ga-beacon.appspot.com/UA-544070-3/joomla-cms/readme)](https://github.com/igrigorik/ga-beacon) [![Reviewed by Hound](https://img.shields.io/badge/Reviewed_by-Hound-8E64B0.svg)](https://houndci.com)
+Joomla! CMS™ [![Analytics](https://ga-beacon.appspot.com/UA-544070-3/joomla-cms/readme)](https://github.com/igrigorik/ga-beacon) 
 ====================
 
 Build Status

administrator/components/com_actionlogs/src/Helper/ActionlogsHelper.php

@@ -210,6 +210,9 @@ public static function getHumanReadableLogMessage($log, $generateLinks = true)
 
 		foreach ($messageData as $key => $value)
 		{
+			// Escape any markup in the values to prevent XSS attacks
+			$value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
+
 			// Convert relative url to absolute url so that it is clickable in action logs notification email
 			if ($generateLinks && StringHelper::strpos($value, 'index.php?') === 0)
 			{

administrator/components/com_admin/postinstall/htaccesssvg.php

@@ -0,0 +1,27 @@
+<?php
+/**
+ * @package     Joomla.Administrator
+ * @subpackage  com_admin
+ *
+ * @copyright   Copyright (C) 2005 - 2020 Open Source Matters, Inc. All rights reserved.
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ *
+ * This file contains post-installation message handling for notifying users of a change
+ * in the default .htaccess file regarding hardening against XSS in SVG's
+ */
+
+defined('_JEXEC') or die;
+
+/**
+ * Notifies users of a change in the default .htaccess file regarding hardening against XSS in SVG's
+ *
+ * This check returns true regardless of condition.
+ *
+ * @return  boolean
+ *
+ * @since   3.9.21
+ */
+function admin_postinstall_htaccesssvg_condition()
+{
+	return true;
+}

administrator/components/com_admin/script.php

@@ -102,10 +102,6 @@ public function update($installer)
 		$this->clearStatsCache();
 		$this->convertTablesToUtf8mb4(true);
 		$this->cleanJoomlaCache();
-
-		// VERY IMPORTANT! THIS METHOD SHOULD BE CALLED LAST, SINCE IT COULD
-		// LOGOUT ALL THE USERS
-		$this->flushSessions();
 	}
 
 	/**
@@ -476,9 +472,6 @@ protected function updateManifestCaches()
 	public function deleteUnexistingFiles()
 	{
 		$files = array(
-			// Joomla 3.10.0
-			'/libraries/joomla/base/adapter.php',
-			'/libraries/joomla/base/adapterinstance.php',
 			// Joomla 4.0 Beta 1
 			'/administrator/components/com_actionlogs/actionlogs.php',
 			'/administrator/components/com_actionlogs/controller.php',
@@ -6312,66 +6305,6 @@ public function updateAssets($installer)
 		return true;
 	}
 
-	/**
-	 * If we migrated the session from the previous system, flush all the active sessions.
-	 * Otherwise users will be logged in, but not able to do anything since they don't have
-	 * a valid session
-	 *
-	 * @return  boolean
-	 */
-	public function flushSessions()
-	{
-		/**
-		 * The session may have not been started yet (e.g. CLI-based Joomla! update scripts). Let's make sure we do
-		 * have a valid session.
-		 */
-		$session = Factory::getSession();
-
-		/**
-		 * Restarting the Session require a new login for the current user so lets check if we have an active session
-		 * and only restart it if not.
-		 * For B/C reasons we need to use getState as isActive is not available in 2.5
-		 */
-		if ($session->getState() !== 'active')
-		{
-			$session->restart();
-		}
-
-		// If $_SESSION['__default'] is no longer set we do not have a migrated session, therefore we can quit.
-		if (!isset($_SESSION['__default']))
-		{
-			return true;
-		}
-
-		$db = Factory::getDbo();
-
-		try
-		{
-			switch ($db->getServerType())
-			{
-				// MySQL database, use TRUNCATE (faster, more resilient)
-				case 'mysql':
-					$db->truncateTable('#__session');
-					break;
-
-				// Non-MySQL databases, use a simple DELETE FROM query
-				default:
-					$query = $db->getQuery(true)
-						->delete($db->quoteName('#__session'));
-					$db->setQuery($query)->execute();
-					break;
-			}
-		}
-		catch (Exception $e)
-		{
-			echo Text::sprintf('JLIB_DATABASE_ERROR_FUNCTION_FAILED', $e->getCode(), $e->getMessage()) . '<br>';
-
-			return false;
-		}
-
-		return true;
-	}
-
 	/**
 	 * Converts the site's database tables to support UTF-8 Multibyte.
 	 *

administrator/components/com_admin/sql/updates/mysql/3.9.21-2020-08-02.sql

@@ -0,0 +1,3 @@
+INSERT INTO `#__postinstall_messages` (`extension_id`, `title_key`, `description_key`, `action_key`, `language_extension`, `language_client_id`, `type`, `action_file`, `action`, `condition_file`, `condition_method`, `version_introduced`, `enabled`)
+VALUES
+(700, 'COM_CPANEL_MSG_HTACCESSSVG_TITLE', 'COM_CPANEL_MSG_HTACCESSSVG_BODY', '', 'com_cpanel', 1, 'message', '', '', 'admin://components/com_admin/postinstall/htaccesssvg.php', 'admin_postinstall_htaccesssvg_condition', '3.9.21', 1);

administrator/components/com_admin/sql/updates/postgresql/3.9.21-2020-08-02.sql

@@ -0,0 +1,3 @@
+INSERT INTO "#__postinstall_messages" ("extension_id", "title_key", "description_key", "action_key", "language_extension", "language_client_id", "type", "action_file", "action", "condition_file", "condition_method", "version_introduced", "enabled")
+VALUES
+(700, 'COM_CPANEL_MSG_HTACCESSSVG_TITLE', 'COM_CPANEL_MSG_HTACCESSSVG_BODY', '', 'com_cpanel', 1, 'message', '', '', 'admin://components/com_admin/postinstall/htaccesssvg.php', 'admin_postinstall_htaccesssvg_condition', '3.9.21', 1);

administrator/components/com_categories/forms/category.xml

@@ -279,10 +279,10 @@
 				validate="options"
 				>
 				<option value="">JGLOBAL_USE_GLOBAL</option>
-				<option value="index, follow">JGLOBAL_INDEX_FOLLOW</option>
-				<option value="noindex, follow">JGLOBAL_NOINDEX_FOLLOW</option>
-				<option value="index, nofollow">JGLOBAL_INDEX_NOFOLLOW</option>
-				<option value="noindex, nofollow">JGLOBAL_NOINDEX_NOFOLLOW</option>
+				<option value="index, follow"></option>
+				<option value="noindex, follow"></option>
+				<option value="index, nofollow"></option>
+				<option value="noindex, nofollow"></option>
 			</field>
 		</fieldset>
 	</fields>

administrator/components/com_config/forms/application.xml

@@ -639,10 +639,10 @@
 			default=""
 			validate="options"
 			>
-			<option value="">JGLOBAL_INDEX_FOLLOW</option>
-			<option value="noindex, follow">JGLOBAL_NOINDEX_FOLLOW</option>
-			<option value="index, nofollow">JGLOBAL_INDEX_NOFOLLOW</option>
-			<option value="noindex, nofollow">JGLOBAL_NOINDEX_NOFOLLOW</option>
+			<option value="">index, follow</option>
+			<option value="noindex, follow"></option>
+			<option value="index, nofollow"></option>
+			<option value="noindex, nofollow"></option>
 		</field>
 
 		<field

administrator/components/com_contact/forms/contact.xml

@@ -855,10 +855,10 @@
 				validate="options"
 				>
 				<option value="">JGLOBAL_USE_GLOBAL</option>
-				<option value="index, follow">JGLOBAL_INDEX_FOLLOW</option>
-				<option value="noindex, follow">JGLOBAL_NOINDEX_FOLLOW</option>
-				<option value="index, nofollow">JGLOBAL_INDEX_NOFOLLOW</option>
-				<option value="noindex, nofollow">JGLOBAL_NOINDEX_NOFOLLOW</option>
+				<option value="index, follow" />
+				<option value="noindex, follow" />
+				<option value="index, nofollow" />
+				<option value="noindex, nofollow" />
 			</field>
 
 			<field

administrator/components/com_contact/src/Model/ContactsModel.php

@@ -14,6 +14,7 @@
 use Joomla\CMS\Factory;
 use Joomla\CMS\Language\Associations;
 use Joomla\CMS\MVC\Model\ListModel;
+use Joomla\CMS\Table\Table;
 use Joomla\Database\ParameterType;
 use Joomla\Utilities\ArrayHelper;
 
@@ -256,19 +257,6 @@ protected function getListQuery()
 			$query->where('(' . $db->quoteName('a.published') . ' = 0 OR ' . $db->quoteName('a.published') . ' = 1)');
 		}
 
-		// Filter by a single or group of categories.
-		$categoryId = $this->getState('filter.category_id');
-
-		if (is_numeric($categoryId))
-		{
-			$query->where($db->quoteName('a.catid') . ' = :catid');
-			$query->bind(':catid', $categoryId, ParameterType::INTEGER);
-		}
-		elseif (is_array($categoryId))
-		{
-			$query->whereIn($db->quoteName('a.catid'), ArrayHelper::toInteger($categoryId));
-		}
-
 		// Filter by search in name.
 		$search = $this->getState('filter.search');
 
@@ -343,8 +331,37 @@ protected function getListQuery()
 				->bind(':tag', $tag, ParameterType::INTEGER);
 		}
 
-		// Filter on the level.
-		if ($level = $this->getState('filter.level'))
+		// Filter by categories and by level
+		$categoryId = $this->getState('filter.category_id', array());
+		$level = $this->getState('filter.level');
+
+		if (!is_array($categoryId))
+		{
+			$categoryId = $categoryId ? array($categoryId) : array();
+		}
+
+		// Case: Using both categories filter and by level filter
+		if (count($categoryId))
+		{
+			$categoryId = ArrayHelper::toInteger($categoryId);
+			$categoryTable = Table::getInstance('Category', 'JTable');
+			$subCatItemsWhere = array();
+
+			// TODO: Convert to prepared statement
+			foreach ($categoryId as $filter_catid)
+			{
+				$categoryTable->load($filter_catid);
+				$subCatItemsWhere[] = '(' .
+					($level ? 'c.level <= ' . ((int) $level + (int) $categoryTable->level - 1) . ' AND ' : '') .
+					'c.lft >= ' . (int) $categoryTable->lft . ' AND ' .
+					'c.rgt <= ' . (int) $categoryTable->rgt . ')';
+			}
+
+			$query->where('(' . implode(' OR ', $subCatItemsWhere) . ')');
+		}
+
+		// Case: Using only the by level filter
+		elseif ($level)
 		{
 			$query->where($db->quoteName('c.level') . ' <= :level');
 			$query->bind(':level', $level, ParameterType::INTEGER);

administrator/components/com_content/forms/article.xml

@@ -912,10 +912,10 @@
 				validate="options"
 				>
 				<option value="">JGLOBAL_USE_GLOBAL</option>
-				<option value="index, follow">JGLOBAL_INDEX_FOLLOW</option>
-				<option value="noindex, follow">JGLOBAL_NOINDEX_FOLLOW</option>
-				<option value="index, nofollow">JGLOBAL_INDEX_NOFOLLOW</option>
-				<option value="noindex, nofollow">JGLOBAL_NOINDEX_NOFOLLOW</option>
+				<option value="index, follow" />
+				<option value="noindex, follow" />
+				<option value="index, nofollow" />
+				<option value="noindex, nofollow" />
 			</field>
 
 			<field

administrator/components/com_content/src/Model/ArticleModel.php

@@ -298,7 +298,7 @@ protected function batchMove($value, $pks, $contexts)
 	 */
 	protected function canDelete($record)
 	{
-		if (empty($record->id) || ($record->state != -2 && !Factory::getApplication()->isClient('api')))
+		if (empty($record->id) || ($record->state != -2))
 		{
 			return false;
 		}

administrator/components/com_joomlaupdate/src/Model/UpdateModel.php

@@ -959,6 +959,9 @@ public function cleanUp()
 
 		// Unset the update filename from the session.
 		Factory::getApplication()->setUserState('com_joomlaupdate.file', null);
+
+		// Trigger event after joomla update.
+		Factory::getApplication()->triggerEvent('onJoomlaAfterUpdate');
 	}
 
 	/**

administrator/components/com_languages/src/Model/LanguageModel.php

@@ -217,6 +217,14 @@ public function save($data)
 		$data['sef'] = str_replace($spaces, '', $data['sef']);
 		$data['sef'] = ApplicationHelper::stringURLSafe($data['sef']);
 
+		// Prevent saving an empty url language code
+		if ($data['sef'] === '')
+		{
+			$this->setError(JText::_('COM_LANGUAGES_ERROR_SEF'));
+
+			return false;
+		}
+
 		// Bind the data.
 		if (!$table->bind($data))
 		{

administrator/components/com_media/config.xml

@@ -29,6 +29,7 @@
 			description="COM_MEDIA_FIELD_PATH_FILE_FOLDER_DESC"
 			size="50"
 			default="images"
+			validate="filePath"
 		/>
 
 		<field
@@ -38,6 +39,7 @@
 			description="COM_MEDIA_FIELD_PATH_IMAGE_FOLDER_DESC"
 			size="50"
 			default="images"
+			validate="filePath"
 		/>
 
 		<field

administrator/components/com_media/resources/scripts/components/toolbar/toolbar.vue

@@ -42,7 +42,7 @@
         v-if="isGridView"
         type="button"
         class="media-toolbar-icon media-toolbar-decrease-grid-size"
-        :class="{disabled: isGridSize('xs')}"
+        :class="{disabled: isGridSize('sm')}"
         :aria-label="translate('COM_MEDIA_DECREASE_GRID')"
         @click.stop.prevent="decreaseGridSize()"
       >
@@ -127,7 +127,7 @@ export default {
       }
     },
     decreaseGridSize() {
-      if (!this.isGridSize('xs')) {
+      if (!this.isGridSize('sm')) {
         this.$store.commit(types.DECREASE_GRID_SIZE);
       }
     },

administrator/components/com_media/resources/scripts/store/mutations.es6.js

@@ -8,7 +8,7 @@ const nodePath = require('path');
 // and it will receive the state as the first argument.
 
 // The grid item sizes
-const gridItemSizes = ['xs', 'sm', 'md', 'lg', 'xl'];
+const gridItemSizes = ['sm', 'md', 'lg', 'xl'];
 
 export default {