Update to Drupal 8.6.15. For more information, see https://www.drupal…

….org/project/drupal/releases/8.6.15

core/assets/vendor/jquery/jquery-extend-3.4.0.js

@@ -0,0 +1,111 @@
+/**
+ * For jQuery versions less than 3.4.0, this replaces the jQuery.extend
+ * function with the one from jQuery 3.4.0, slightly modified (documented
+ * below) to be compatible with older jQuery versions.
+ *
+ * This provides the Object.prototype pollution vulnerability fix to Drupal
+ * installations running older jQuery versions, including the version (3.2.1)
+ * shipped with Drupal core.
+ *
+ * @see https://github.com/jquery/jquery/pull/4333
+ */
+
+(function (jQuery) {
+
+// Do not override jQuery.extend() if the jQuery version is already >=3.4.0.
+var versionParts = jQuery.fn.jquery.split('.');
+var majorVersion = parseInt(versionParts[0]);
+var minorVersion = parseInt(versionParts[1]);
+var patchVersion = parseInt(versionParts[2]);
+var isPreReleaseVersion = (patchVersion.toString() !== versionParts[2]);
+if (
+  (majorVersion > 3) ||
+  (majorVersion === 3 && minorVersion > 4) ||
+  (majorVersion === 3 && minorVersion === 4 && patchVersion > 0) ||
+  (majorVersion === 3 && minorVersion === 4 && patchVersion === 0 && !isPreReleaseVersion)
+) {
+  return;
+}
+
+/**
+ * This is almost verbatim copied from jQuery 3.4.0.
+ *
+ * Only one minor change has been made:
+ * - The call to isFunction() is changed to jQuery.isFunction().
+ *
+ * The above change ensures compatibility with older jQuery versions,
+ * including 3.2.1 which is shipped with Drupal core.
+ */
+jQuery.extend = jQuery.fn.extend = function() {
+  var options, name, src, copy, copyIsArray, clone,
+    target = arguments[ 0 ] || {},
+    i = 1,
+    length = arguments.length,
+    deep = false;
+
+  // Handle a deep copy situation
+  if ( typeof target === "boolean" ) {
+    deep = target;
+
+    // Skip the boolean and the target
+    target = arguments[ i ] || {};
+    i++;
+  }
+
+  // Handle case when target is a string or something (possible in deep copy)
+  if ( typeof target !== "object" && !jQuery.isFunction( target ) ) {
+    target = {};
+  }
+
+  // Extend jQuery itself if only one argument is passed
+  if ( i === length ) {
+    target = this;
+    i--;
+  }
+
+  for ( ; i < length; i++ ) {
+
+    // Only deal with non-null/undefined values
+    if ( ( options = arguments[ i ] ) != null ) {
+
+      // Extend the base object
+      for ( name in options ) {
+        copy = options[ name ];
+
+        // Prevent Object.prototype pollution
+        // Prevent never-ending loop
+        if ( name === "__proto__" || target === copy ) {
+          continue;
+        }
+
+        // Recurse if we're merging plain objects or arrays
+        if ( deep && copy && ( jQuery.isPlainObject( copy ) ||
+          ( copyIsArray = Array.isArray( copy ) ) ) ) {
+          src = target[ name ];
+
+          // Ensure proper type for the source value
+          if ( copyIsArray && !Array.isArray( src ) ) {
+            clone = [];
+          } else if ( !copyIsArray && !jQuery.isPlainObject( src ) ) {
+            clone = {};
+          } else {
+            clone = src;
+          }
+          copyIsArray = false;
+
+          // Never move original objects, clone them
+          target[ name ] = jQuery.extend( deep, clone, copy );
+
+          // Don't bring in undefined values
+        } else if ( copy !== undefined ) {
+          target[ name ] = copy;
+        }
+      }
+    }
+  }
+
+  // Return the modified object
+  return target;
+};
+
+})(jQuery);

core/composer.json

@@ -20,9 +20,9 @@
         "php": "^5.5.9|>=7.0.8",
         "symfony/class-loader": "~3.4.0",
         "symfony/console": "~3.4.0",
-        "symfony/dependency-injection": "~3.4.0",
+        "symfony/dependency-injection": "~3.4.26",
         "symfony/event-dispatcher": "~3.4.0",
-        "symfony/http-foundation": "~3.4.14",
+        "symfony/http-foundation": "~3.4.26",
         "symfony/http-kernel": "~3.4.14",
         "symfony/routing": "~3.4.0",
         "symfony/serializer": "~3.4.0",

core/core.libraries.yml

@@ -348,6 +348,9 @@ jquery:
     gpl-compatible: true
   js:
     assets/vendor/jquery/jquery.min.js: { minified: true, weight: -20 }
+    # This includes a security fix, so assign a weight that makes this load as
+    # soon after jquery.min.js is loaded as possible.
+    assets/vendor/jquery/jquery-extend-3.4.0.js: { weight: -19 }
 
 jquery.cookie:
   remote: https://github.com/carhartl/jquery-cookie

core/lib/Drupal.php

@@ -82,7 +82,7 @@ class Drupal {
   /**
    * The current system version.
    */
-  const VERSION = '8.6.14';
+  const VERSION = '8.6.15';
 
   /**
    * Core API compatibility.

core/modules/system/system.post_update.php

@@ -90,6 +90,13 @@ function system_post_update_field_formatter_entity_schema() {
   // Empty post-update hook.
 }
 
+/**
+ * Clear the library cache and ensure aggregate files are regenerated.
+ */
+function system_post_update_fix_jquery_extend() {
+  // Empty post-update hook.
+}
+
 /**
  * Change plugin IDs of actions.
  */

vendor/composer/installed.json

@@ -1525,17 +1525,17 @@
     },
     {
         "name": "symfony/dependency-injection",
-        "version": "v3.4.15",
-        "version_normalized": "3.4.15.0",
+        "version": "v3.4.26",
+        "version_normalized": "3.4.26.0",
         "source": {
             "type": "git",
             "url": "https://github.com/symfony/dependency-injection.git",
-            "reference": "09d7df7bf06c1393b6afc85875993cbdbdf897a0"
+            "reference": "dee85a9148399cdb2731603802842bcfd8afe5ab"
         },
         "dist": {
             "type": "zip",
-            "url": "https://api.github.com/repos/symfony/dependency-injection/zipball/09d7df7bf06c1393b6afc85875993cbdbdf897a0",
-            "reference": "09d7df7bf06c1393b6afc85875993cbdbdf897a0",
+            "url": "https://api.github.com/repos/symfony/dependency-injection/zipball/dee85a9148399cdb2731603802842bcfd8afe5ab",
+            "reference": "dee85a9148399cdb2731603802842bcfd8afe5ab",
             "shasum": ""
         },
         "require": {
@@ -1563,7 +1563,7 @@
             "symfony/proxy-manager-bridge": "Generate service proxies to lazy load them",
             "symfony/yaml": ""
         },
-        "time": "2018-08-08T11:42:34+00:00",
+        "time": "2019-04-16T11:13:42+00:00",
         "type": "library",
         "extra": {
             "branch-alias": {
@@ -1663,17 +1663,17 @@
     },
     {
         "name": "symfony/http-foundation",
-        "version": "v3.4.15",
-        "version_normalized": "3.4.15.0",
+        "version": "v3.4.26",
+        "version_normalized": "3.4.26.0",
         "source": {
             "type": "git",
             "url": "https://github.com/symfony/http-foundation.git",
-            "reference": "2fb33cb6eefe6e790e4023f7c534a9e4214252fc"
+            "reference": "90454ad44c95d75faf3507d56388056001b74baf"
         },
         "dist": {
             "type": "zip",
-            "url": "https://api.github.com/repos/symfony/http-foundation/zipball/2fb33cb6eefe6e790e4023f7c534a9e4214252fc",
-            "reference": "2fb33cb6eefe6e790e4023f7c534a9e4214252fc",
+            "url": "https://api.github.com/repos/symfony/http-foundation/zipball/90454ad44c95d75faf3507d56388056001b74baf",
+            "reference": "90454ad44c95d75faf3507d56388056001b74baf",
             "shasum": ""
         },
         "require": {
@@ -1684,7 +1684,7 @@
         "require-dev": {
             "symfony/expression-language": "~2.8|~3.0|~4.0"
         },
-        "time": "2018-08-27T17:45:33+00:00",
+        "time": "2019-04-17T14:51:18+00:00",
         "type": "library",
         "extra": {
             "branch-alias": {

vendor/symfony/dependency-injection/Argument/BoundArgument.php

@@ -33,7 +33,7 @@ public function __construct($value)
      */
     public function getValues()
     {
-        return array($this->value, $this->identifier, $this->used);
+        return [$this->value, $this->identifier, $this->used];
     }
 
     /**

vendor/symfony/dependency-injection/Argument/ServiceClosureArgument.php

@@ -25,7 +25,7 @@ class ServiceClosureArgument implements ArgumentInterface
 
     public function __construct(Reference $reference)
     {
-        $this->values = array($reference);
+        $this->values = [$reference];
     }
 
     /**
@@ -41,7 +41,7 @@ public function getValues()
      */
     public function setValues(array $values)
     {
-        if (array(0) !== array_keys($values) || !($values[0] instanceof Reference || null === $values[0])) {
+        if ([0] !== array_keys($values) || !($values[0] instanceof Reference || null === $values[0])) {
             throw new InvalidArgumentException('A ServiceClosureArgument must hold one and only one Reference.');
         }
 

vendor/symfony/dependency-injection/Argument/TaggedIteratorArgument.php

@@ -25,7 +25,7 @@ class TaggedIteratorArgument extends IteratorArgument
      */
     public function __construct($tag)
     {
-        parent::__construct(array());
+        parent::__construct([]);
 
         $this->tag = (string) $tag;
     }

vendor/symfony/dependency-injection/ChildDefinition.php

@@ -71,7 +71,7 @@ public function setParent($parent)
      */
     public function getArgument($index)
     {
-        if (array_key_exists('index_'.$index, $this->arguments)) {
+        if (\array_key_exists('index_'.$index, $this->arguments)) {
             return $this->arguments['index_'.$index];
         }
 

vendor/symfony/dependency-injection/Compiler/AnalyzeServiceReferencesPass.php

@@ -37,6 +37,7 @@ class AnalyzeServiceReferencesPass extends AbstractRecursivePass implements Repe
     private $hasProxyDumper;
     private $lazy;
     private $expressionLanguage;
+    private $byConstructor;
 
     /**
      * @param bool $onlyConstructorArguments Sets this Service Reference pass to ignore method calls
@@ -64,6 +65,7 @@ public function process(ContainerBuilder $container)
         $this->graph = $container->getCompiler()->getServiceReferenceGraph();
         $this->graph->clear();
         $this->lazy = false;
+        $this->byConstructor = false;
 
         foreach ($container->getAliases() as $id => $alias) {
             $targetId = $this->getDefinitionId((string) $alias);
@@ -85,7 +87,7 @@ protected function processValue($value, $isRoot = false)
             return $value;
         }
         if ($value instanceof Expression) {
-            $this->getExpressionLanguage()->compile((string) $value, array('this' => 'container'));
+            $this->getExpressionLanguage()->compile((string) $value, ['this' => 'container']);
 
             return $value;
         }
@@ -100,7 +102,8 @@ protected function processValue($value, $isRoot = false)
                 $targetDefinition,
                 $value,
                 $this->lazy || ($this->hasProxyDumper && $targetDefinition && $targetDefinition->isLazy()),
-                ContainerInterface::IGNORE_ON_UNINITIALIZED_REFERENCE === $value->getInvalidBehavior()
+                ContainerInterface::IGNORE_ON_UNINITIALIZED_REFERENCE === $value->getInvalidBehavior(),
+                $this->byConstructor
             );
 
             return $value;
@@ -113,11 +116,16 @@ protected function processValue($value, $isRoot = false)
                 return $value;
             }
             $this->currentDefinition = $value;
+        } elseif ($this->currentDefinition === $value) {
+            return $value;
         }
         $this->lazy = false;
 
+        $byConstructor = $this->byConstructor;
+        $this->byConstructor = true;
         $this->processValue($value->getFactory());
         $this->processValue($value->getArguments());
+        $this->byConstructor = $byConstructor;
 
         if (!$this->onlyConstructorArguments) {
             $this->processValue($value->getProperties());