Merge branch '4.0-dev' into j4/prepared/Form/1

.appveyor.yml

@@ -15,12 +15,14 @@ environment:
   matrix:
   - php_ver_target: 7.2
     DLLVersion: "5.3.0"
+    WINCACHE: "2.0.0.8"
   - php_ver_target: 7.3
+    WINCACHE: "2.0.0.8"
 
 init:
   - SET PATH=C:\Program Files\OpenSSL;C:\tools\php;%PATH%
   - SET COMPOSER_NO_INTERACTION=1
-  - SET PHP=1 # This var relates to caching the php  install
+  - SET PHP=1 # This var relates to caching the php install
   - SET ANSICON=121x90 (121x90)
 services:
   - mssql2014
@@ -52,10 +54,11 @@ install:
             $source = "https://windows.php.net/downloads/pecl/releases/pdo_sqlsrv/$($env:DLLVersion)/php_pdo_sqlsrv-$($env:DLLVersion)-$($env:php_ver_target)-nts-$($env:VC)-$($env:PHPBuild).zip"
             $destination = "c:\tools\php\ext\php_pdo_sqlsrv-$($env:DLLVersion)-$($env:php_ver_target)-nts-$($env:VC)-$($env:PHPBuild).zip"
             Invoke-WebRequest $source -OutFile $destination
-            #appveyor-retry appveyor DownloadFile http://windows.php.net/downloads/pecl/releases/pdo_sqlsrv/$($env:DLLVersion)/php_pdo_sqlsrv-$($env:DLLVersion)-$($env:php_ver_target)-nts-$($env:VC)-$($env:PHPBuild).zip
+            #appveyor-retry appveyor DownloadFile https://windows.php.net/downloads/pecl/releases/pdo_sqlsrv/$($env:DLLVersion)/php_pdo_sqlsrv-$($env:DLLVersion)-$($env:php_ver_target)-nts-$($env:VC)-$($env:PHPBuild).zip
             7z x -y php_pdo_sqlsrv-$($env:DLLVersion)-$($env:php_ver_target)-nts-$($env:VC)-$($env:PHPBuild).zip > $null
             Remove-Item c:\tools\php\ext* -include .zip
-            cd c:\tools\php}
+            cd c:\tools\php
+        }
     - IF %PHP%==1 copy php.ini-production php.ini /Y
     - IF %PHP%==1 echo date.timezone="UTC" >> php.ini
     - IF %PHP%==1 echo extension_dir=ext >> php.ini
@@ -80,18 +83,19 @@ install:
     - IF %PHP%==1 echo extension=php_curl.dll >> php.ini
     # Get the Wincache DLLs
     - ps: >-
-        If ($env:PHP -eq "1") {
-          $wincache = "2.0.0.8"
+        If ($env:PHP -eq "1" -and $env:WINCACHE) {
           cd c:\tools\php\ext
-          $source = "http://windows.php.net/downloads/pecl/releases/wincache/$($wincache)/php_wincache-$($wincache)-$($env:php_ver_target)-nts-$($env:VC)-$($env:PHPBuild).zip"
-          $destination = "c:\tools\php\ext\php_wincache-$($wincache)-$($env:php_ver_target)-nts-$($env:VC)-$($env:PHPBuild).zip"
+          $source = "https://windows.php.net/downloads/pecl/releases/wincache/$($env:WINCACHE)/php_wincache-$($env:WINCACHE)-$($env:php_ver_target)-nts-$($env:VC)-$($env:PHPBuild).zip"
+          $destination = "c:\tools\php\ext\php_wincache-$($env:WINCACHE)-$($env:php_ver_target)-nts-$($env:VC)-$($env:PHPBuild).zip"
           Invoke-WebRequest $source -OutFile $destination
-          #appveyor-retry appveyor DownloadFile http://windows.php.net/downloads/pecl/releases/wincache/$($wincache)/php_wincache-$($wincache)-$($env:php_ver_target)-nts-$($env:VC)-$($env:PHPBuild).zip
-          7z x -y php_wincache-$($wincache)-$($env:php_ver_target)-nts-$($env:VC)-$($env:PHPBuild).zip > $null
+          #appveyor-retry appveyor DownloadFile https://windows.php.net/downloads/pecl/releases/wincache/$($env:WINCACHE)/php_wincache-$($env:WINCACHE)-$($env:php_ver_target)-nts-$($env:VC)-$($env:PHPBuild).zip
+          7z x -y php_wincache-$($env:WINCACHE)-$($env:php_ver_target)-nts-$($env:VC)-$($env:PHPBuild).zip > $null
           Remove-Item C:\tools\php\ext* -include .zip
-          cd c:\tools\php}
-    - IF %PHP%==1 echo extension=php_wincache.dll >> php.ini
-    - IF %PHP%==1 echo wincache.enablecli = 1 >> php.ini
+          cd c:\tools\php
+          Add-Content php.ini "`nextension=php_wincache.dll"
+          Add-Content php.ini "`wincache.enablecli = 1"
+          Add-Content php.ini "`n"
+        }
     - IF %PHP%==1 echo zend_extension=php_opcache.dll >> php.ini
     - IF %PHP%==1 echo opcache.enable_cli=1 >> php.ini
     - IF %PHP%==1 echo extension=php_ldap.dll >> php.ini

.drone.yml

@@ -40,6 +40,34 @@ steps:
     commands:
       - npm ci --unsafe-perm
 
+  - name: publish-diff
+    image: joomlaprojects/docker-images:patchtester
+    depends_on: [ npm ]
+    environment:
+      CMP_ARCHIVE_NAME: "build"
+      CMP_MASTER_FOLDER: "/reference"
+      CMP_SLAVE_FOLDER: "." # The directory the current repo is in
+      FTP_USERNAME:
+        from_secret: ftpusername
+      FTP_PASSWORD:
+        from_secret: ftppassword
+      FTP_HOSTNAME: ci.joomla.org
+      FTP_PORT: "21"
+      FTP_DEST_DIR: /artifacts
+      FTP_VERIFY: "false"
+      FTP_SECURE: "true"
+      BRANCH_NAME: "4.0-dev" # Current branch to check against (from repo joomla/joomla-cms)
+      DRONE_PULL_REQUEST: DRONE_PULL_REQUEST
+    commands:
+      - export PULL_ID=$DRONE_PULL_REQUEST
+      - /bin/compare.sh
+    volumes:
+      - name: reference
+        path: /reference
+    when:
+      branch:
+      - 4.0-dev
+
   - name: rebuild-cache
     image: drillster/drone-volume-cache
     depends_on: [ npm ]
@@ -197,7 +225,7 @@ steps:
       PLUGIN_SECURE: false
       PLUGIN_EXCLUDE: ^\.git/$
     commands:
-      - export PLUGIN_DEST_DIR=$PLUGIN_DEST_DIR/$DRONE_REPO/$DRONE_BRANCH/$DRONE_PULL_REQUEST_$DRONE_BUILD_NUMBER/system-tests
+      - export PLUGIN_DEST_DIR=$PLUGIN_DEST_DIR/$DRONE_REPO/$DRONE_BRANCH/$DRONE_PULL_REQUEST/system-tests/$DRONE_BUILD_NUMBER
       - echo https://ci.joomla.org:444$PLUGIN_DEST_DIR
       - /bin/upload.sh
     when:
@@ -234,6 +262,9 @@ volumes:
 - name: cache
   host:
     path: /tmp/cache
+- name: reference
+  host:
+    path: /tmp/reference
 
 services:
   - name: mysql
@@ -270,6 +301,6 @@ services:
 
 ---
 kind: signature
-hmac: 9462caf361ab517c63d66d10ba0c934ead624ecf116828ab71ddc889f1b0a137
+hmac: f17f253b02d7a16535d706a31f99d678dcdc595d5bc2ca1e8c2889c3eae2a51b
 
 ...

.github/FUNDING.yml

@@ -0,0 +1 @@
+custom: https://community.joomla.org/sponsorship-campaigns.html

SECURITY.md → .github/SECURITY.md

@@ -9,9 +9,7 @@ This document outlines security procedures and policies for the `Joomla! Project
 
 ## Reporting a Bug
 
-The `Joomla` team and community take all security bugs in `Joomla` seriously.
-
-The Joomla! Project takes security vulnerabilities very seriously. As such, the Joomla! Security Strike Team (JSST) oversees the project's security issues and follows some specific procedures when dealing with these issues.
+The `Joomla` team and community take all security bugs in `Joomla` seriously. The Joomla! Security Strike Team (JSST) oversees the project's security issues and follows some specific procedures when dealing with these issues.
 
 If you find a possible vulnerability, please report it to the JSST using the [online form](https://developer.joomla.org/security/contact-the-team.html) or via email at security@joomla.org 
 
@@ -25,7 +23,7 @@ Thank you for improving the security of `Joomla`.
 
 ## Response Handling
 
-The JSST aims to ensure all issues are handled in a timely manner and for clear communication between the team and issue reporters. As such, we have established the following guidelines for responding to issue reports:
+The JSST aims to ensure all issues are handled in a timely manner and for clear communication between the team and issue reporters. We have established the following guidelines for responding to issue reports:
 
 * Within 24 hours every report gets acknowledged
 * Within 7 days every report gets a further response stating either

administrator/components/com_actionlogs/Field/LogcreatorField.php

@@ -58,12 +58,12 @@ protected function getOptions()
 			// Construct the query
 			$query = $db->getQuery(true)
 				->select($db->quoteName('u.id', 'value'))
-				->select($db->quoteName('u.name', 'text'))
+				->select($db->quoteName('u.username', 'text'))
 				->from($db->quoteName('#__users', 'u'))
 				->join('INNER', $db->quoteName('#__action_logs', 'c') . ' ON ' . $db->quoteName('c.user_id') . ' = ' . $db->quoteName('u.id'))
 				->group($db->quoteName('u.id'))
-				->group($db->quoteName('u.name'))
-				->order($db->quoteName('u.name'));
+				->group($db->quoteName('u.username'))
+				->order($db->quoteName('u.username'));
 
 			// Setup the query
 			$db->setQuery($query);

administrator/components/com_actionlogs/Helper/ActionlogsHelper.php

@@ -26,6 +26,14 @@
  */
 class ActionlogsHelper
 {
+	/**
+	 * Array of characters starting a formula
+	 *
+	 * @var    array
+	 * @since  3.9.7
+	 */
+	private static $characters = array('=', '+', '-', '@');
+
 	/**
 	 * Method to convert logs objects array to an iterable type for use with a CSV export
 	 *
@@ -49,6 +57,8 @@ public static function getCsvData($data): Generator
 			);
 		}
 
+		$disabledText = Text::_('COM_ACTIONLOGS_DISABLED');
+
 		// Header row
 		yield ['Id', 'Message', 'Date', 'Extension', 'User', 'Ip'];
 
@@ -58,14 +68,14 @@ public static function getCsvData($data): Generator
 
 			static::loadTranslationFiles($extension);
 
-			yield [
+			yield array(
 				'id'         => $log->id,
-				'message'    => strip_tags(static::getHumanReadableLogMessage($log, false)),
+				'message'    => self::escapeCsvFormula(strip_tags(static::getHumanReadableLogMessage($log, false))),
 				'date'       => (new Date($log->log_date, new \DateTimeZone('UTC')))->format('Y-m-d H:i:s T'),
-				'extension'  => Text::_($extension),
-				'name'       => $log->name,
-				'ip_address' => Text::_($log->ip_address),
-			];
+				'extension'  => self::escapeCsvFormula(Text::_($extension)),
+				'name'       => self::escapeCsvFormula($log->name),
+				'ip_address' => self::escapeCsvFormula($log->ip_address === 'COM_ACTIONLOGS_DISABLED' ? $disabledText : $log->ip_address)
+			);
 		}
 	}
 
@@ -196,7 +206,7 @@ public static function getHumanReadableLogMessage($log, $generateLinks = true)
 			$messageData['type'] = Text::_($messageData['type']);
 		}
 
-		$linkMode = Factory::getApplication()->get('force_ssl', 0) >= 1 ? 1 : -1;
+		$linkMode = Factory::getApplication()->get('force_ssl', 0) >= 1 ? Route::TLS_FORCE : Route::TLS_IGNORE;
 
 		foreach ($messageData as $key => $value)
 		{
@@ -330,4 +340,28 @@ public static function loadActionLogPluginsLanguage()
 		// Load com_privacy too.
 		$lang->load('com_privacy', JPATH_ADMINISTRATOR, null, false, true);
 	}
+
+	/**
+	 * Escapes potential characters that start a formula in a CSV value to prevent injection attacks
+	 *
+	 * @param   mixed  $value  csv field value
+	 *
+	 * @return  mixed
+	 *
+	 * @since   3.9.7
+	 */
+	protected static function escapeCsvFormula($value)
+	{
+		if ($value == '')
+		{
+			return $value;
+		}
+
+		if (in_array($value[0], self::$characters, true))
+		{
+			$value = ' ' . $value;
+		}
+
+		return $value;
+	}
 }

administrator/components/com_actionlogs/View/Actionlogs/HtmlView.php

@@ -101,7 +101,7 @@ public function display($tpl = null)
 		$params              = ComponentHelper::getParams('com_actionlogs');
 		$this->showIpColumn  = (bool) $params->get('ip_logging', 0);
 
-		if (count($errors = $this->get('Errors')))
+		if (count($errors = $model->getErrors()))
 		{
 			throw new GenericDataException(implode("\n", $errors), 500);
 		}

administrator/components/com_actionlogs/tmpl/actionlogs/default.php

@@ -9,7 +9,6 @@
 
 defined('_JEXEC') or die;
 
-use Joomla\CMS\Factory;
 use Joomla\CMS\HTML\HTMLHelper;
 use Joomla\CMS\Language\Text;
 use Joomla\CMS\Layout\LayoutHelper;
@@ -22,13 +21,13 @@
 $listOrder  = $this->escape($this->state->get('list.ordering'));
 $listDirn   = $this->escape($this->state->get('list.direction'));
 
-Factory::getDocument()->addScriptDeclaration('
+$this->document->addScriptDeclaration('
 	Joomla.submitbutton = function(task)
 	{
 		if (task == "actionlogs.exportLogs")
 		{
 			Joomla.submitform(task, document.getElementById("exportForm"));
-			
+
 			return;
 		}
 

administrator/components/com_admin/Model/SysinfoModel.php

@@ -530,7 +530,7 @@ public function getDirectory($public = false)
 
 		foreach ($admin_langs as $folder)
 		{
-			if (!$folder->isDir() || $folder->isDot())
+			if ($folder->isDot() || !$folder->isDir())
 			{
 				continue;
 			}
@@ -546,7 +546,7 @@ public function getDirectory($public = false)
 
 		foreach ($manifests as $folder)
 		{
-			if (!$folder->isDir() || $folder->isDot())
+			if ($folder->isDot() || !$folder->isDir())
 			{
 				continue;
 			}
@@ -569,7 +569,7 @@ public function getDirectory($public = false)
 
 		foreach ($image_folders as $folder)
 		{
-			if (!$folder->isDir() || $folder->isDot())
+			if ($folder->isDot() || !$folder->isDir())
 			{
 				continue;
 			}
@@ -587,7 +587,7 @@ public function getDirectory($public = false)
 
 		foreach ($site_langs as $folder)
 		{
-			if (!$folder->isDir() || $folder->isDot())
+			if ($folder->isDot() || !$folder->isDir())
 			{
 				continue;
 			}
@@ -605,7 +605,7 @@ public function getDirectory($public = false)
 
 		foreach ($plugin_groups as $folder)
 		{
-			if (!$folder->isDir() || $folder->isDot())
+			if ($folder->isDot() || !$folder->isDir())
 			{
 				continue;
 			}

administrator/components/com_admin/script.php

@@ -784,6 +784,7 @@ public function deleteUnexistingFiles()
 			'/administrator/components/com_contact/models/forms/fields/mail.xml',
 			'/administrator/components/com_contact/models/forms/filter_contacts.xml',
 			'/administrator/components/com_contact/tables/contact.php',
+			'/administrator/components/com_contact/tmpl/contacts/default_batch.php',
 			'/administrator/components/com_contact/views/contact/tmpl/edit.php',
 			'/administrator/components/com_contact/views/contact/tmpl/edit_associations.php',
 			'/administrator/components/com_contact/views/contact/tmpl/edit_metadata.php',

administrator/components/com_admin/sql/updates/mysql/3.9.10-2019-07-09.sql

@@ -0,0 +1 @@
+ALTER TABLE `#__template_styles` MODIFY `home` char(7) NOT NULL DEFAULT '0';

administrator/components/com_admin/sql/updates/mysql/3.9.7-2019-04-23.sql

@@ -0,0 +1 @@
+ALTER TABLE `#__session` ADD INDEX `client_id_guest` (`client_id`, `guest`);

administrator/components/com_admin/sql/updates/mysql/3.9.7-2019-04-26.sql

@@ -0,0 +1 @@
+UPDATE `#__content_types` SET `content_history_options` = REPLACE(`content_history_options`, '\"ignoreChanges\":[\"modified_by\", \"modified\", \"checked_out\", \"checked_out_time\", \"version\", \"hits\"]', '\"ignoreChanges\":[\"modified_by\", \"modified\", \"checked_out\", \"checked_out_time\", \"version\", \"hits\", \"ordering\"]');

administrator/components/com_admin/sql/updates/mysql/3.9.7-2019-05-16.sql

@@ -0,0 +1 @@
+# Query removed, see https://github.com/joomla/joomla-cms/pull/25177

administrator/components/com_admin/sql/updates/mysql/3.9.8-2019-06-11.sql

@@ -0,0 +1 @@
+UPDATE #__users SET params = REPLACE(params, '",,"', '","');

administrator/components/com_admin/sql/updates/mysql/3.9.8-2019-06-15.sql

@@ -0,0 +1,4 @@
+ALTER TABLE `#__template_styles` DROP INDEX `idx_home`;
+# Query removed, see https://github.com/joomla/joomla-cms/pull/25484
+ALTER TABLE `#__template_styles` ADD INDEX `idx_client_id` (`client_id`);
+ALTER TABLE `#__template_styles` ADD INDEX `idx_client_id_home` (`client_id`, `home`);