Merge branch 'staging' into labelTag

.drone.yml

@@ -1,16 +1,30 @@
-pipeline:
-  clone:
-    image: plugins/git
-    depth: 1
+---
+kind: pipeline
+name: default
 
-  phpcs:
+clone:
+  depth: 42
+
+steps:
+  - name: phpcs
     image: joomlaprojects/docker-phpcs
     commands:
       - echo $(date)
       - /root/.composer/vendor/bin/phpcs --report=full --encoding=utf-8 --extensions=php -p --standard=build/phpcs/Joomla .
       - echo $(date)
 
-  javascript:
+  - name: restore-cache
+    image: drillster/drone-volume-cache
+    settings:
+      restore: true
+      mount:
+        - ./tests/javascript/node_modules
+      cache_key: [ DRONE_REPO_NAMESPACE, DRONE_REPO_NAME, DRONE_BRANCH, DRONE_STAGE_NUMBER ]
+    volumes:
+      - name: cache
+        path: /cache
+
+  - name: javascript
     image: joomlaprojects/docker-systemtests:latest
     commands:
       - echo $(date)
@@ -26,29 +40,40 @@ pipeline:
       - tests/javascript/node_modules/karma/bin/karma start karma.conf.js --single-run
       - echo $(date)
 
-  analysis3x:
+  - name: rebuild-cache
+    image: drillster/drone-volume-cache
+    settings:
+       rebuild: true
+       mount:
+        - ./tests/javascript/node_modules
+       cache_key: [ DRONE_REPO_NAMESPACE, DRONE_REPO_NAME, DRONE_BRANCH, DRONE_STAGE_NUMBER ]
+    volumes:
+      - name: cache
+        path: /cache
+
+  - name: analysis3x
     image: rips/rips-cli:1.2.1
-    secrets:  [rips_username, rips_password]
     when:
       branch: staging
     commands:
       - export RIPS_BASE_URI='https://api.rips.joomla.org'
-      - export RIPS_USERNAME=$RIPS_USERNAME
-      - export RIPS_PASSWORD=$RIPS_PASSWORD
-      - if [ $DRONE_REPO_OWNER != 'joomla' ]; then echo "The analysis check only run on the main repos"; exit 0; fi
-      - rips-cli rips:scan:start -a 1 -t 1 -p $(pwd) -t 1 -R -k -T $DRONE_REPO_OWNER-$DRONE_BRANCH ||  { echo "Please contact the security team at security@joomla.org"; exit 1; }
+      - if [ $DRONE_REPO_NAMESPACE != 'joomla' ]; then echo "The analysis check only run on the main repos"; exit 0; fi
+      - rips-cli rips:scan:start -a 1 -t 1 -p $(pwd) -t 1 -R -k -T $DRONE_REPO_NAMESPACE-$DRONE_BRANCH ||  { echo "Please contact the security team at security@joomla.org"; exit 1; }
+    environment:
+      RIPS_USERNAME:
+        from_secret: RIPS_USERNAME
+      RIPS_PASSWORD:
+        from_secret: RIPS_PASSWORD
 
-  analysis4x:
-    image: rips/rips-cli:1.2.1
-    secrets:  [rips_username, rips_password]
-    when:
-      branch: 4.0-dev
-    commands:
-      - export RIPS_BASE_URI='https://api.rips.joomla.org'
-      - export RIPS_USERNAME=$RIPS_USERNAME
-      - export RIPS_PASSWORD=$RIPS_PASSWORD
-      - if [ $DRONE_REPO_OWNER != 'joomla' ]; then echo "The analysis check only run on the main repos"; exit 0; fi
-      - rips-cli rips:scan:start -a 3 -t 1 -p $(pwd) -t 1 -R -k -T $DRONE_REPO_OWNER-$DRONE_BRANCH ||  { echo "Please contact the security team at security@joomla.org"; exit 1; }
+volumes:
+- name: cache
+  host:
+    path: /tmp/cache
 
 branches:
   exclude: [ l10n_* ]
+---
+kind: signature
+hmac: f8aa0f7552eb7c32c5585668552afffadd07a23cbbc9c1bb41bfad4df6679b3c
+
+...

.gitignore

@@ -184,6 +184,9 @@ Desktop.ini
 /libraries/vendor/symfony/polyfill-util/LegacyTestListener.php
 /libraries/vendor/symfony/polyfill-util/TestListener.php
 /libraries/vendor/symfony/polyfill-util/TestListenerTrait.php
+/libraries/vendor/symfony/polyfill-util/TestListenerForV5.php
+/libraries/vendor/symfony/polyfill-util/TestListenerForV6.php
+/libraries/vendor/symfony/polyfill-util/TestListenerForV7.php
 /libraries/vendor/symfony/yaml/Tests
 /libraries/vendor/symfony/yaml/.gitignore
 /libraries/vendor/symfony/yaml/CHANGELOG.md

administrator/components/com_banners/models/tracks.php

@@ -228,7 +228,7 @@ public function delete()
 				$query->where('track_date <= ' . $db->quote($end));
 			}
 
-			$where = '1';
+			$where = '1 = 1';
 
 			// Filter by client
 			$clientId = $this->getState('filter.client_id');

administrator/components/com_content/models/article.php

@@ -371,6 +371,7 @@ public function getItem($pk = null)
 	public function getForm($data = array(), $loadData = true)
 	{
 		$app = JFactory::getApplication();
+		$user = JFactory::getUser();
 
 		// Get the form.
 		$form = $this->loadForm('com_content.article', 'article', array('control' => 'jform', 'load_data' => $loadData));
@@ -402,10 +403,14 @@ public function getForm($data = array(), $loadData = true)
 				$form->setFieldAttribute('catid', 'action', 'core.edit.own');
 			}
 			else
-			// Existing record. We can't edit the category in frontend.
+			// Existing record. We can't edit the category in frontend if not edit.state.
 			{
-				$form->setFieldAttribute('catid', 'readonly', 'true');
-				$form->setFieldAttribute('catid', 'filter', 'unset');
+				if ($id != 0 && (!$user->authorise('core.edit.state', 'com_content.article.' . (int) $id))
+					|| ($id == 0 && !$user->authorise('core.edit.state', 'com_content')))
+				{
+					$form->setFieldAttribute('catid', 'readonly', 'true');
+					$form->setFieldAttribute('catid', 'filter', 'unset');
+				}
 			}
 		}
 		else
@@ -414,8 +419,6 @@ public function getForm($data = array(), $loadData = true)
 			$form->setFieldAttribute('catid', 'action', 'core.create');
 		}
 
-		$user = JFactory::getUser();
-
 		// Check for existing article.
 		// Modify the form based on Edit State access controls.
 		if ($id != 0 && (!$user->authorise('core.edit.state', 'com_content.article.' . (int) $id))

administrator/components/com_fields/models/field.php

@@ -343,34 +343,6 @@ public function getItem($pk = null)
 
 			$db->setQuery($query);
 			$result->assigned_cat_ids = $db->loadColumn() ?: array(0);
-
-			// Convert the created and modified dates to local user time for
-			// display in the form.
-			$tz = new DateTimeZone(JFactory::getApplication()->get('offset'));
-
-			if ((int) $result->created_time)
-			{
-				$date = new JDate($result->created_time);
-				$date->setTimezone($tz);
-
-				$result->created_time = $date->toSql(true);
-			}
-			else
-			{
-				$result->created_time = null;
-			}
-
-			if ((int) $result->modified_time)
-			{
-				$date = new JDate($result->modified_time);
-				$date->setTimezone($tz);
-
-				$result->modified_time = $date->toSql(true);
-			}
-			else
-			{
-				$result->modified_time = null;
-			}
 		}
 
 		return $result;

administrator/components/com_fields/models/group.php

@@ -325,31 +325,6 @@ public function getItem($pk = null)
 			{
 				$item->params = new Registry($item->params);
 			}
-
-			// Convert the created and modified dates to local user time for display in the form.
-			$tz = new DateTimeZone(JFactory::getApplication()->get('offset'));
-
-			if ((int) $item->created)
-			{
-				$date = new JDate($item->created);
-				$date->setTimezone($tz);
-				$item->created = $date->toSql(true);
-			}
-			else
-			{
-				$item->created = null;
-			}
-
-			if ((int) $item->modified)
-			{
-				$date = new JDate($item->modified);
-				$date->setTimezone($tz);
-				$item->modified = $date->toSql(true);
-			}
-			else
-			{
-				$item->modified = null;
-			}
 		}
 
 		return $item;

administrator/components/com_finder/models/maps.php

@@ -398,8 +398,7 @@ public function purge()
 		$db->execute();
 
 		$query->clear()
-			->delete($db->quoteName('#__finder_taxonomy_map'))
-			->where('1');
+			->delete($db->quoteName('#__finder_taxonomy_map'));
 		$db->setQuery($query);
 		$db->execute();
 

administrator/components/com_media/controllers/file.json.php

@@ -93,7 +93,8 @@ public function upload()
 
 			$filepath = JPath::clean($files['final']);
 
-			if (!$mediaHelper->canUpload($file, 'com_media'))
+			if (!$mediaHelper->canUpload($file, 'com_media')
+				|| strpos(realpath($fileparts['dirname']), JPath::clean(COM_MEDIA_BASE)) !== 0)
 			{
 				try
 				{

administrator/components/com_media/controllers/file.php

@@ -114,6 +114,13 @@ public function upload()
 			// We need a url safe name
 			$fileparts = pathinfo(COM_MEDIA_BASE . '/' . $this->folder . '/' . $file['name']);
 
+			if (strpos(realpath($fileparts['dirname']), JPath::clean(COM_MEDIA_BASE)) !== 0)
+			{
+				JError::raiseWarning(100, JText::_('COM_MEDIA_ERROR_WARNINVALID_FOLDER'));
+
+				return false;
+			}
+
 			// Transform filename to punycode, check extension and transform it to lowercase
 			$fileparts['filename'] = JStringPunycode::toPunycode($fileparts['filename']);
 			$tempExt = !empty($fileparts['extension']) ? strtolower($fileparts['extension']) : '';
@@ -274,6 +281,17 @@ public function delete()
 		$ret = true;
 
 		$safePaths = array_intersect($paths, array_map(array('JFile', 'makeSafe'), $paths));
+
+		foreach ($safePaths as $key => $path)
+		{
+			$fullPath = implode(DIRECTORY_SEPARATOR, array(COM_MEDIA_BASE, $folder, $path));
+
+			if (strpos(realpath($fullPath), JPath::clean(COM_MEDIA_BASE)) !== 0)
+			{
+				unset($safePaths[$key]);
+			}
+		}
+
 		$unsafePaths = array_diff($paths, $safePaths);
 
 		foreach ($unsafePaths as $path)

administrator/components/com_media/controllers/folder.php

@@ -87,6 +87,14 @@ public function delete()
 		foreach ($safePaths as $path)
 		{
 			$fullPath = JPath::clean(implode(DIRECTORY_SEPARATOR, array(COM_MEDIA_BASE, $folder, $path)));
+
+			if (strpos(realpath($fullPath), JPath::clean(COM_MEDIA_BASE)) !== 0)
+			{
+				JError::raiseWarning(100, JText::_('COM_MEDIA_ERROR_WARNINVALID_FOLDER'));
+
+				continue;
+			}
+
 			$object_file = new JObject(array('filepath' => $fullPath));
 
 			if (is_file($object_file->filepath))
@@ -190,6 +198,14 @@ public function create()
 
 			$path = JPath::clean(COM_MEDIA_BASE . '/' . $parent . '/' . $folder);
 
+			if (strpos(realpath(COM_MEDIA_BASE . '/' . $parent), JPath::clean(COM_MEDIA_BASE)) !== 0)
+			{
+				$app = JFactory::getApplication();
+				$app->enqueueMessage(JText::_('COM_MEDIA_ERROR_WARNINVALID_FOLDER'));
+
+				return false;
+			}
+
 			if (!is_dir($path) && !is_file($path))
 			{
 				// Trigger the onContentBeforeSave event.

administrator/components/com_media/models/list.php

@@ -113,6 +113,12 @@ public function getList()
 		$basePath  = COM_MEDIA_BASE . ((strlen($current) > 0) ? '/' . $current : '');
 		$mediaBase = str_replace(DIRECTORY_SEPARATOR, '/', COM_MEDIA_BASE . '/');
 
+		// Reset base path
+		if (strpos(realpath($basePath), JPath::clean(COM_MEDIA_BASE)) !== 0)
+		{
+			$basePath = COM_MEDIA_BASE;
+		}
+
 		$images  = array ();
 		$folders = array ();
 		$docs    = array ();

administrator/components/com_templates/models/template.php

@@ -330,8 +330,8 @@ protected function fixTemplateName()
 
 		foreach ($files as $file)
 		{
-			$newFile = str_replace($oldName, $newName, $file);
-			$result = JFile::move($file, $newFile) && $result;
+			$newFile = '/' . str_replace($oldName, $newName, basename($file));
+			$result  = JFile::move($file, dirname($file) . $newFile) && $result;
 		}
 
 		// Edit XML file

administrator/components/com_users/models/forms/note.xml

@@ -75,6 +75,7 @@
 			description="COM_USERS_FIELD_REVIEW_TIME_DESC"
 			default="NOW"
 			translateformat="true"
+			filter="user_utc"
 		/>
 
 		<field

administrator/components/com_users/views/debuggroup/view.html.php

@@ -92,7 +92,7 @@ protected function addToolbar()
 	{
 		$canDo = JHelperContent::getActions('com_users');
 
-		JToolbarHelper::title(JText::sprintf('COM_USERS_VIEW_DEBUG_GROUP_TITLE', $this->group->id, $this->group->title), 'users groups');
+		JToolbarHelper::title(JText::sprintf('COM_USERS_VIEW_DEBUG_GROUP_TITLE', $this->group->id, $this->escape($this->group->title)), 'users groups');
 		JToolbarHelper::cancel('group.cancel', 'JTOOLBAR_CLOSE');
 
 		if ($canDo->get('core.admin') || $canDo->get('core.options'))

administrator/components/com_users/views/debuguser/view.html.php

@@ -92,7 +92,7 @@ protected function addToolbar()
 	{
 		$canDo = JHelperContent::getActions('com_users');
 
-		JToolbarHelper::title(JText::sprintf('COM_USERS_VIEW_DEBUG_USER_TITLE', $this->user->id, $this->user->name), 'users user');
+		JToolbarHelper::title(JText::sprintf('COM_USERS_VIEW_DEBUG_USER_TITLE', $this->user->id, $this->escape($this->user->name)), 'users user');
 		JToolbarHelper::cancel('user.cancel', 'JTOOLBAR_CLOSE');
 
 		if ($canDo->get('core.admin') || $canDo->get('core.options'))

administrator/language/en-GB/en-GB.com_languages.ini

@@ -40,7 +40,7 @@ COM_LANGUAGES_OVERRIDE_FIELD_SEARCHTYPE_TEXT="Value"
 COM_LANGUAGES_OVERRIDE_FIRST_SELECT_MESSAGE="To create a new override, please first select a language and client."
 COM_LANGUAGES_OVERRIDE_SELECT_LANGUAGE="- Select Language & Client -"
 COM_LANGUAGES_FIELD_PUBLISHED_DESC="Whether this content language is published or not. If published, it will display as a choice in the Language Switcher module in Frontend."
-COM_LANGUAGES_FIELD_LANG_CODE_DESC="This Language Code will be appended to the site URL. When SEF is enabled, you will get http://example.com/en/. If SEF is disabled the suffix &amp;lang=en will be appended at the end of the URL. Note <em>the Language Code must be unique among all the languages</em>."
+COM_LANGUAGES_FIELD_LANG_CODE_DESC="This Language Code will be appended to the site URL. When SEF is enabled, you will get https://example.com/en/. If SEF is disabled the suffix &amp;lang=en will be appended at the end of the URL. Note <em>the Language Code must be unique among all the languages</em>."
 COM_LANGUAGES_FIELD_LANG_CODE_LABEL="URL Language Code"
 COM_LANGUAGES_FIELD_SITE_NAME_DESC="Enter a custom site name for this content language. If the site name is set to display, this custom site name will be used instead of the Global Configuration setting."
 COM_LANGUAGES_FIELD_SITE_NAME_LABEL="Custom Site Name"

administrator/language/en-GB/en-GB.com_media.ini

@@ -45,6 +45,7 @@ COM_MEDIA_ERROR_WARNFILETOOLARGE="This file is too large to upload."
 COM_MEDIA_ERROR_WARNFILETYPE="This file type is not supported."
 COM_MEDIA_ERROR_WARNIEXSS="Possible IE XSS Attack found."
 COM_MEDIA_ERROR_WARNINVALID_IMG="Not a valid image."
+COM_MEDIA_ERROR_WARNINVALID_FOLDER="Invalid folder provided."
 COM_MEDIA_ERROR_WARNINVALID_MIME="Illegal or invalid mime type detected."
 COM_MEDIA_ERROR_WARNNOTADMIN="Uploaded file is not an image file and you are not a manager or higher."
 COM_MEDIA_ERROR_WARNNOTEMPTY="Not empty!"

administrator/language/en-GB/en-GB.com_modules.ini

@@ -43,6 +43,7 @@ COM_MODULES_FIELD_CLIENT_ID_DESC="The location of the module, Frontend or Backen
 COM_MODULES_FIELD_CLIENT_ID_LABEL="Module Location"
 COM_MODULES_FIELD_CONTENT_DESC="Text"
 COM_MODULES_FIELD_CONTENT_LABEL="Text"
+COM_MODULES_FIELD_CONTENT_TOO_LARGE="The content exceeds allowed limits"
 COM_MODULES_FIELD_MODULE_DESC="Module type."
 COM_MODULES_FIELD_MODULE_LABEL="Module Type"
 COM_MODULES_FIELD_MODULECLASS_SFX_DESC="A suffix to be applied to the CSS class of the module. This allows for individual module styling."

administrator/language/en-GB/en-GB.plg_authentication_ldap.ini

@@ -12,8 +12,12 @@ PLG_LDAP_FIELD_EMAIL_DESC="LDAP attribute which has the User's email address."
 PLG_LDAP_FIELD_EMAIL_LABEL="Map: Email"
 PLG_LDAP_FIELD_FULLNAME_DESC="LDAP attribute which has the User's full name."
 PLG_LDAP_FIELD_FULLNAME_LABEL="Map: Full Name"
+PLG_LDAP_FIELD_IGNORE_REQCERT_TLS_DESC="When enabled ignore the server certificate, this is useful when running for example Samba 4 with a self-signed certificate."
+PLG_LDAP_FIELD_IGNORE_REQCERT_TLS_LABEL="Ignore Certificate"
 PLG_LDAP_FIELD_HOST_DESC="Eg: openldap.example.com."
 PLG_LDAP_FIELD_HOST_LABEL="Host"
+PLG_LDAP_FIELD_LDAPDEBUG_DESC="Enables debug hardcoded to level 7"
+PLG_LDAP_FIELD_LDAPDEBUG_LABEL="Debug"
 PLG_LDAP_FIELD_NEGOCIATE_DESC="Negotiate TLS encryption with the LDAP server. This requires all traffic to and from the LDAP server to be encrypted."
 PLG_LDAP_FIELD_NEGOCIATE_LABEL="Negotiate TLS"
 PLG_LDAP_FIELD_PASSWORD_DESC="The Connect Password is the password of an administrative account. This is used in Authenticate then Bind and Authenticated Compare authorisation methods."

administrator/language/en-GB/en-GB.xml

@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="utf-8"?>
 <metafile version="3.8" client="administrator">
 	<name>English (en-GB)</name>
-	<version>3.9.5</version>
-	<creationDate>April 2019</creationDate>
+	<version>3.9.7</version>
+	<creationDate>May 2019</creationDate>
 	<author>Joomla! Project</author>
 	<authorEmail>admin@joomla.org</authorEmail>
 	<authorUrl>www.joomla.org</authorUrl>