Merge branch 'staging' into content.edit.view.security

joomla · Aug 8, 2019 · ad148a7 · ad148a7
2 parents 7500347 + 8756a48
commit ad148a7
Show file tree

Hide file tree

Showing 4,949 changed files with 91,787 additions and 40,915 deletions.
diff --git a/.appveyor.yml b/.appveyor.yml
@@ -2,17 +2,37 @@ build: false
 platform:
   - x64
 clone_folder: C:\projects\joomla-cms
+
+branches:
+  except:
+    - /l10n_*/
+
 ## Build matrix for lowest and highest possible targets
 environment:
+  DLLVersion: "5.6.1"
+  PHPBuild: "x64"
+  VC: "vc15"
   matrix:
   - php_ver_target: 5.6
+    PHPBuild: "x86"
+    VC: "vc11"
+    WINCACHE: "1.3.7.12"
   - php_ver_target: 7.0
+    DLLVersion: "5.3.0"
+    VC: "vc14"
+    WINCACHE: "2.0.0.8"
   - php_ver_target: 7.1
+    DLLVersion: "5.3.0"
+    VC: "vc14"
+    WINCACHE: "2.0.0.8"
+  - php_ver_target: 7.2
+    DLLVersion: "5.3.0"
+  - php_ver_target: 7.3
 
 init:
   - SET PATH=C:\Program Files\OpenSSL;C:\tools\php;%PATH%
   - SET COMPOSER_NO_INTERACTION=1
-  - SET PHP=1 # This var relates to caching the php  install
+  - SET PHP=1 # This var relates to caching the php install
   - SET ANSICON=121x90 (121x90)
 services:
   - mssql2014
@@ -26,33 +46,39 @@ install:
     - ps: >-
         If ($env:php_ver_target -eq "5.6") {
           appveyor-retry cinst --params '""/InstallDir:C:\tools\php""' --ignore-checksums -y --forcex86 php --version ((choco search php --exact --all-versions -r | select-string -pattern $env:php_ver_target | sort { [version]($_ -split '\|' | select -last 1) } -Descending | Select-Object -first 1) -replace '[php|]','')
-          $VC = "vc11"
-          $PHPBuild = "x86"
         } Else {
           appveyor-retry cinst --params '""/InstallDir:C:\tools\php""' --ignore-checksums -y php --version ((choco search php --exact --all-versions -r | select-string -pattern $env:php_ver_target | sort { [version]($_ -split '\|' | select -last 1) } -Descending | Select-Object -first 1) -replace '[php|]','')
-          $VC = "vc14"
-          $PHPBuild = "x64"
         }
     - appveyor-retry cinst -y sqlite
     - cd C:\tools\php
     # Get the MSSQL DLL's
     - ps: >-
         If ($env:PHP -eq "1") {
           If ($env:php_ver_target -eq "5.6") {
-            appveyor-retry appveyor DownloadFile https://cdn.joomla.org/ci/php-sqlsrv.zip
+            $source = "https://cdn.joomla.org/ci/php-sqlsrv.zip"
+            $destination = "c:\tools\php\php-sqlsrv.zip"
+            Invoke-WebRequest $source -OutFile $destination
+            #appveyor-retry appveyor DownloadFile https://cdn.joomla.org/ci/php-sqlsrv.zip
             7z x -y php-sqlsrv.zip > $null
             copy SQLSRV\php_sqlsrv_56_nts.dll ext\php_sqlsrv_nts.dll
             copy SQLSRV\php_pdo_sqlsrv_56_nts.dll ext\php_pdo_sqlsrv_nts.dll
             Remove-Item C:\tools\php\* -include .zip
           } Else {
-            $DLLVersion = "4.1.6.1"
             cd c:\tools\php\ext
-            appveyor-retry appveyor DownloadFile http://windows.php.net/downloads/pecl/releases/sqlsrv/$($DLLVersion)/php_sqlsrv-$($DLLVersion)-$($env:php_ver_target)-nts-vc14-x64.zip
-            7z x -y php_sqlsrv-$($DLLVersion)-$($env:php_ver_target)-nts-vc14-x64.zip > $null
-            appveyor-retry appveyor DownloadFile http://windows.php.net/downloads/pecl/releases/pdo_sqlsrv/$($DLLVersion)/php_pdo_sqlsrv-$($DLLVersion)-$($env:php_ver_target)-nts-vc14-x64.zip
-            7z x -y php_pdo_sqlsrv-$($DLLVersion)-$($env:php_ver_target)-nts-vc14-x64.zip > $null
+            $source = "https://windows.php.net/downloads/pecl/releases/sqlsrv/$($env:DLLVersion)/php_sqlsrv-$($env:DLLVersion)-$($env:php_ver_target)-nts-$($env:VC)-$($env:PHPBuild).zip"
+            $destination = "c:\tools\php\ext\php_sqlsrv-$($env:DLLVersion)-$($env:php_ver_target)-nts-$($env:VC)-$($env:PHPBuild).zip"
+            Invoke-WebRequest $source -OutFile $destination
+            #appveyor-retry appveyor DownloadFile https://windows.php.net/downloads/pecl/releases/sqlsrv/$($env:DLLVersion)/php_sqlsrv-$($env:DLLVersion)-$($env:php_ver_target)-nts-$($env:VC)-$($env:PHPBuild).zip
+            7z x -y php_sqlsrv-$($env:DLLVersion)-$($env:php_ver_target)-nts-$($env:VC)-$($env:PHPBuild).zip > $null
+            $source = "https://windows.php.net/downloads/pecl/releases/pdo_sqlsrv/$($env:DLLVersion)/php_pdo_sqlsrv-$($env:DLLVersion)-$($env:php_ver_target)-nts-$($env:VC)-$($env:PHPBuild).zip"
+            $destination = "c:\tools\php\ext\php_pdo_sqlsrv-$($env:DLLVersion)-$($env:php_ver_target)-nts-$($env:VC)-$($env:PHPBuild).zip"
+            Invoke-WebRequest $source -OutFile $destination
+            #appveyor-retry appveyor DownloadFile https://windows.php.net/downloads/pecl/releases/pdo_sqlsrv/$($env:DLLVersion)/php_pdo_sqlsrv-$($env:DLLVersion)-$($env:php_ver_target)-nts-$($env:VC)-$($env:PHPBuild).zip
+            7z x -y php_pdo_sqlsrv-$($env:DLLVersion)-$($env:php_ver_target)-nts-$($env:VC)-$($env:PHPBuild).zip > $null
             Remove-Item c:\tools\php\ext* -include .zip
-            cd c:\tools\php}}
+            cd c:\tools\php
+          }
+        }
     - IF %PHP%==1 copy php.ini-production php.ini /Y
     - IF %PHP%==1 echo date.timezone="UTC" >> php.ini
     - IF %PHP%==1 echo extension_dir=ext >> php.ini
@@ -80,15 +106,19 @@ install:
     - IF %PHP%==1 echo extension=php_curl.dll >> php.ini
     # Get the Wincache DLLs
     - ps: >-
-        If ($env:PHP -eq "1") {
-          If ($env:php_ver_target -eq "5.6") {$wincache = "1.3.7.12"} Else {$wincache = "2.0.0.8"}
+        If ($env:PHP -eq "1" -and $env:WINCACHE) {
           cd c:\tools\php\ext
-          appveyor-retry appveyor DownloadFile http://windows.php.net/downloads/pecl/releases/wincache/$($wincache)/php_wincache-$($wincache)-$($env:php_ver_target)-nts-$($VC)-$($PHPBuild).zip
-          7z x -y php_wincache-$($wincache)-$($env:php_ver_target)-nts-$($VC)-$($PHPBuild).zip > $null
+          $source = "https://windows.php.net/downloads/pecl/releases/wincache/$($env:WINCACHE)/php_wincache-$($env:WINCACHE)-$($env:php_ver_target)-nts-$($env:VC)-$($env:PHPBuild).zip"
+          $destination = "c:\tools\php\ext\php_wincache-$($env:WINCACHE)-$($env:php_ver_target)-nts-$($env:VC)-$($env:PHPBuild).zip"
+          Invoke-WebRequest $source -OutFile $destination
+          #appveyor-retry appveyor DownloadFile https://windows.php.net/downloads/pecl/releases/wincache/$($env:WINCACHE)/php_wincache-$($env:WINCACHE)-$($env:php_ver_target)-nts-$($env:VC)-$($env:PHPBuild).zip
+          7z x -y php_wincache-$($env:WINCACHE)-$($env:php_ver_target)-nts-$($env:VC)-$($env:PHPBuild).zip > $null
           Remove-Item C:\tools\php\ext* -include .zip
-          cd c:\tools\php}
-    - IF %PHP%==1 echo extension=php_wincache.dll >> php.ini
-    - IF %PHP%==1 echo wincache.enablecli = 1 >> php.ini
+          cd c:\tools\php
+          Add-Content php.ini "`nextension=php_wincache.dll"
+          Add-Content php.ini "`wincache.enablecli = 1"
+          Add-Content php.ini "`n"
+        }
     - IF %PHP%==1 echo zend_extension=php_opcache.dll >> php.ini
     - IF %PHP%==1 echo opcache.enable_cli=1 >> php.ini
     - IF %PHP%==1 echo extension=php_ldap.dll >> php.ini
@@ -118,4 +148,4 @@ before_test:
 
 test_script:
   - cd C:\projects\joomla-cms
-  - libraries/vendor/bin/phpunit -c appveyor-phpunit.xml
+  - ps: If ($env:php_ver_target -eq "5.6") {libraries/vendor/bin/phpunit -c appveyor-phpunit.xml --exclude-group not-on-windows } Else {libraries/vendor/bin/phpunit -c appveyor-phpunit.xml}
diff --git a/.drone.yml b/.drone.yml
@@ -1,21 +1,33 @@
-pipeline:
-  clone:
-    image: plugins/git
-    depth: 1
+---
+kind: pipeline
+name: default
 
-  phpcs:
+clone:
+  depth: 42
+
+steps:
+  - name: phpcs
     image: joomlaprojects/docker-phpcs
     commands:
       - echo $(date)
-      - /root/.composer/vendor/bin/phpcs --report=full --extensions=php -p --standard=build/phpcs/Joomla .
+      - /root/.composer/vendor/bin/phpcs --report=full --encoding=utf-8 --extensions=php -p --standard=build/phpcs/Joomla .
       - echo $(date)
 
-  javascript:
+  - name: restore-cache
+    image: drillster/drone-volume-cache
+    settings:
+      restore: true
+      mount:
+        - ./tests/javascript/node_modules
+      cache_key: [ DRONE_REPO_NAMESPACE, DRONE_REPO_NAME, DRONE_BRANCH, DRONE_STAGE_NUMBER ]
+    volumes:
+      - name: cache
+        path: /cache
+
+  - name: javascript
     image: joomlaprojects/docker-systemtests:latest
     commands:
       - echo $(date)
-      - apt-get install nodejs npm
-      - ln -s /usr/bin/nodejs /usr/bin/node
       - export DISPLAY=:0
       - Xvfb -screen 0 1024x768x24 -ac +extension GLX +render -noreset > /dev/null 2>&1 &
       - sleep 3
@@ -26,3 +38,40 @@ pipeline:
       - tests/javascript/node_modules/karma/bin/karma start karma.conf.js --single-run
       - echo $(date)
 
+  - name: rebuild-cache
+    image: drillster/drone-volume-cache
+    settings:
+       rebuild: true
+       mount:
+        - ./tests/javascript/node_modules
+       cache_key: [ DRONE_REPO_NAMESPACE, DRONE_REPO_NAME, DRONE_BRANCH, DRONE_STAGE_NUMBER ]
+    volumes:
+      - name: cache
+        path: /cache
+
+  - name: analysis3x
+    image: rips/rips-cli:1.2.1
+    when:
+      branch: staging
+    commands:
+      - export RIPS_BASE_URI='https://api.rips.joomla.org'
+      - if [ $DRONE_REPO_NAMESPACE != 'joomla' ]; then echo "The analysis check only run on the main repos"; exit 0; fi
+      - rips-cli rips:scan:start -a 1 -t 1 -p $(pwd) -t 1 -R -k -T $DRONE_REPO_NAMESPACE-$DRONE_BRANCH ||  { echo "Please contact the security team at security@joomla.org"; exit 1; }
+    environment:
+      RIPS_USERNAME:
+        from_secret: RIPS_USERNAME
+      RIPS_PASSWORD:
+        from_secret: RIPS_PASSWORD
+
+volumes:
+- name: cache
+  host:
+    path: /tmp/cache
+
+branches:
+  exclude: [ l10n_* ]
+---
+kind: signature
+hmac: e3e6739c960a689e78ec07c0ea193818796cdcf3c3dab9781f7f07b7e3e6b674
+
+...
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,12 @@
+# EditorConfig is awesome: http://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+indent_style = tab
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,53 @@
+# Custom Fields
+administrator/components/com_fields/*  @laoneo
+components/com_fields/*  @laoneo
+plugins/content/fields/*  @laoneo
+plugins/editors-xtd/fields/*  @laoneo
+plugins/fields/*  @laoneo
+plugins/systems/fields/*  @laoneo
+
+# Smart Search
+#administrator/components/com_finder/*
+#components/com_finder/*
+#modules/mod_finder/*
+#plugins/content/finder/*
+#plugins/finder/*
+
+# CodeMirror
+media/editors/codemirror/*  @okonomiyaki3000
+plugins/editors/codemirror/*  @okonomiyaki3000
+
+# Statistics Server
+plugins/system/stats/*  @mbabker @wilsonge
+
+# Release Tools
+build.xml  @wilsonge
+build/build.php  @rdeutz @wilsonge
+build/bump.php  @rdeutz @wilsonge
+build/deleted_file_check.php  @rdeutz @wilsonge
+
+# Core/Extension Install/Update Tools
+administrator/components/com_joomlaupdate/*  @rdeutz @wilsonge @zero-24
+libraries/src/Installer/*  @rdeutz @wilsonge @zero-24
+libraries/src/Updater/*  @rdeutz @wilsonge @zero-24
+
+# Automated Testing
+build/jenkins/*  @rdeutz
+build/travis/*  @rdeutz
+tests/codeception/*  @rdeutz
+tests/javascript/*  @wilsonge @rdeutz
+tests/unit/*  @rdeutz
+.appveyor.yml  @rdeutz
+.drone.yml  @rdeutz
+.hound.yml  @wilsonge
+.travis.yml  @rdeutz
+appveyor-phpunit.xml  @rdeutz
+codeception.yml  @rdeutz
+karma.conf.js  @wilsonge @rdeutz
+phpunit.xml.dist  @rdeutz
+RoboFile.dist.ini  @rdeutz
+RoboFile.php  @rdeutz
+travis-phpunit.xml  @rdeutz
+
+# Core JS
+media/*/js/*  @wilsonge
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
@@ -19,6 +19,6 @@ There are other branches available which serve specific purposes.
 
 | Branch | Purpose |
 | ------ | ------- |
-| staging | Current codebase. Branch for the next minor Joomla version. New backward compatible features go into this branch. |
-| 3.9-dev | Branch for the next minor Joomla version. The 3.9.0 release will only include compatibility features for 4.0. Commits to staging will be applied to this branch as well. |
+| staging | Current codebase. Branch for the next minor Joomla version. New backward compatible features go into this branch. The 3.9.0 release will include the Privacy Tools Suite features. |
+| 3.10-dev | Branch for the next minor Joomla version. The 3.10.0 release will only include compatibility features for 4.0. Commits to staging will be applied to this branch as well. |
 | 4.0-dev | Branch for the next major Joomla version. New features go into this branch. Commits to staging will be applied to this branch as well. |
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
@@ -0,0 +1 @@
+custom: https://community.joomla.org/sponsorship-campaigns.html
diff --git a/.github/ISSUE_TEMPLATE/Bug_report.md b/.github/ISSUE_TEMPLATE/Bug_report.md
@@ -0,0 +1,23 @@
+---
+name: Bug report
+about: Create a report to help us improve
+
+---
+
+### Steps to reproduce the issue
+
+
+
+### Expected result
+
+
+
+### Actual result
+
+
+
+### System information (as much as possible)
+
+
+
+### Additional comments
diff --git a/.github/ISSUE_TEMPLATE/Custom.md b/.github/ISSUE_TEMPLATE/Custom.md
@@ -0,0 +1,16 @@
+---
+name: Fix this template
+about: Suggest a fix it
+
+---
+
+### What needs to be fixed
+
+
+### Why this should be fixed
+
+
+### How would you fix it
+
+
+### Side Effects expected
diff --git a/.github/ISSUE_TEMPLATE/Feature_request.md b/.github/ISSUE_TEMPLATE/Feature_request.md
@@ -0,0 +1,15 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+
+---
+
+### Is your feature request related to a problem? Please describe.
+
+
+
+### Describe the solution you'd like
+
+
+
+### Additional context
diff --git a/.github/ISSUE_TEMPLATE/Security.md b/.github/ISSUE_TEMPLATE/Security.md
@@ -0,0 +1,11 @@
+---
+name: Security
+about: Report a security issue
+
+---
+
+Security issues should **NOT** be reported on this repository.
+
+If you believe you have found a security issue, please contact the Joomla Security Strike Team via email at security@joomla.org or through the contact form at https://developer.joomla.org/security/contact-the-team.html.
+
+Please see https://developer.joomla.org/security.html for more information on how the Joomla project responds to security issues.
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -0,0 +1,37 @@
+# Security Policies and Procedures
+
+This document outlines security procedures and policies for the `Joomla! Project`.
+
+  * [Reporting a Bug](#reporting-a-bug)
+  * [Response Handling](#response-handling)
+  * [Security Announcement Policy](#security-announcement-policy)
+  * [Further Details on the Joomla! Security Policies](https://security.joomla.org)
+
+## Reporting a Bug
+
+The `Joomla` team and community take all security bugs in `Joomla` seriously. The Joomla! Security Strike Team (JSST) oversees the project's security issues and follows some specific procedures when dealing with these issues.
+
+If you find a possible vulnerability, please report it to the JSST using the [online form](https://developer.joomla.org/security/contact-the-team.html) or via email at security@joomla.org 
+
+We maintain a list of [GPG keys and addresses](https://developer.joomla.org/security/gpg-keys.html) for the security@joomla.org address and members of the JSST to allow signed and encrypted communications.
+
+To report an issue in a Joomla! extension, please submit it to the [Vulnerable Extensions List.](https://vel.joomla.org/submit-vel)
+
+For support with a site which has been attacked, please visit the [Joomla! Forum.](https://forum.joomla.org/viewforum.php?f=714)
+
+Thank you for improving the security of `Joomla`.
+
+## Response Handling
+
+The JSST aims to ensure all issues are handled in a timely manner and for clear communication between the team and issue reporters. We have established the following guidelines for responding to issue reports:
+
+* Within 24 hours every report gets acknowledged
+* Within 7 days every report gets a further response stating either
+    * the issue is closed (and why)
+    * the issue is still under investigation; if needed, additional information will be requested
+* Within 21 days every report must be resolved unless there are exceptional circumstances requiring additional time
+
+## Security Announcement Policy
+* Verified vulnerabilities will only be publicly announced AFTER a release is issued which fixes the vulnerability.
+* All announcements will contain as much information as possible, but will NOT contain step-by-step instructions for the vulnerability.
+* The `Joomla! Project` will properly credit individuals and/or organizations who responsibly disclose security issues to the JSST. You can indicate the way you would like to be referred to in the advisory about the vulnerability. Our preference is to use full names. If you do not specify then we will use the contact name associated with the email address the report was received from. You can also request a pseudonym or having your name withheld.