1522269622: Proposed release for 7.x-1.14.5 (#65)
* SA-CORE-2018-002 by Jasu_M, samuel.mortenson, David_Rothstein, xjm, mlhess, larowlan, pwolanin, alexpott, dsnopek, Pere Orga, cashwilliams, dawehner, tim.plunkett, drumm

* Drupal 7.58

* 7.x-1.14.5 release
dafeder authored and janette committed Mar 29, 2018
1 parent a84394c commit cce3e9b
Showing 27 changed files with 230 additions and 42 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.txt
@@ -1,4 +1,8 @@

Drupal 7.58, 2018-03-28
-----------------------
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2018-002.

Drupal 7.57, 2018-02-21
-----------------------
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2018-001.
6 changes: 5 additions & 1 deletion includes/bootstrap.inc
Expand Up @@ -8,7 +8,7 @@
/**
* The current system version.
*/
define('VERSION', '7.57');
define('VERSION', '7.58');

/**
* Core API compatibility.
Expand Down Expand Up @@ -2657,6 +2657,10 @@ function _drupal_bootstrap_configuration() {
timer_start('page');
// Initialize the configuration, including variables from settings.php.
drupal_settings_initialize();

// Sanitize unsafe keys from the request.
require_once DRUPAL_ROOT . '/includes/request-sanitizer.inc';
DrupalRequestSanitizer::sanitize();
}
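Review bot: The added `DrupalRequestSanitizer::sanitize()` call sits in `_drupal_bootstrap_configuration()`, which as far as I can tell runs before the variables bootstrap phase, so the `variable_get()` lookups for `sanitize_input_whitelist` and `sanitize_input_logging` inside it only see `$conf` overrides from settings.php, never values saved to the database; the added comment should say so, e.g. `// Sanitize unsafe keys from the request. Runs before variables are loaded, so the whitelist/logging settings must be set via $conf in settings.php.` Because the superglobals are replaced only after `drupal_settings_initialize()` has already executed settings.php, anything that copied `$_GET`/`$_POST`/`$_COOKIE` during settings.php still holds the unsanitized arrays — worth a sentence in the same comment for sites with custom settings.php logic. `_drupal_bootstrap_configuration()` starts outside the hunk.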

/**
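--- a/includes/request-sanitizer.inc
+++ b/includes/request-sanitizer.inc
@@ -0,0 +1,82 @@
+<?php
+
+/**
+* @file
+* Contains code for sanitizing user input from the request.
+*/
+
+/**
+* Sanitizes user input from the request.
+*/
+class DrupalRequestSanitizer {
+
+/**
+* Tracks whether the request was already sanitized.
+*/
+protected static $sanitized = FALSE;
+
+/**
+* Modifies the request to strip dangerous keys from user input.
+*/
+public static function sanitize() {
+if (!self::$sanitized) {
+$whitelist = variable_get('sanitize_input_whitelist', array());
+$log_sanitized_keys = variable_get('sanitize_input_logging', FALSE);
+
+// Process query string parameters.
+$get_sanitized_keys = array();
+$_GET = self::stripDangerousValues($_GET, $whitelist, $get_sanitized_keys);
+if ($log_sanitized_keys && $get_sanitized_keys) {
+_drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from query string parameters (GET): @keys', array('@keys' => implode(', ', $get_sanitized_keys))), E_USER_NOTICE);
+}
+
+// Process request body parameters.
+$post_sanitized_keys = array();
+$_POST = self::stripDangerousValues($_POST, $whitelist, $post_sanitized_keys);
+if ($log_sanitized_keys && $post_sanitized_keys) {
+_drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from request body parameters (POST): @keys', array('@keys' => implode(', ', $post_sanitized_keys))), E_USER_NOTICE);
+}
+
+// Process cookie parameters.
+$cookie_sanitized_keys = array();
+$_COOKIE = self::stripDangerousValues($_COOKIE, $whitelist, $cookie_sanitized_keys);
+if ($log_sanitized_keys && $cookie_sanitized_keys) {
+_drupal_trigger_error_with_delayed_logging(format_string('Potentially unsafe keys removed from cookie parameters (COOKIE): @keys', array('@keys' => implode(', ', $cookie_sanitized_keys))), E_USER_NOTICE);
+}
+
+$request_sanitized_keys = array();
+$_REQUEST = self::stripDangerousValues($_REQUEST, $whitelist, $request_sanitized_keys);
+
+self::$sanitized = TRUE;
+}
+}
+
+/**
+* Strips dangerous keys from the provided input.
+*
+* @param mixed $input
+* The input to sanitize.
+* @param string[] $whitelist
+* An array of keys to whitelist as safe.
+* @param string[] $sanitized_keys
+* An array of keys that have been removed.
+*
+* @return mixed
+* The sanitized input.
+*/
+protected static function stripDangerousValues($input, array $whitelist, array &$sanitized_keys) {
+if (is_array($input)) {
+foreach ($input as $key => $value) {
+if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) {
+unset($input[$key]);
+$sanitized_keys[] = $key;
+}
+else {
+$input[$key] = self::stripDangerousValues($input[$key], $whitelist, $sanitized_keys);
+}
+}
+}
+return $input;
+}
+
+}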
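Review bot: `stripDangerousValues()` evaluates `$key[0]` for every non-empty key, including integer keys (a request parameter like `items[0]` yields key `0`), and indexing an int returns NULL rather than a string — the comparison still fails safely, but on PHP 7.4+ every numeric key in the request raises a "Trying to access array offset on value of type int" notice; check the type first: `if (is_string($key) && $key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) {`. `$sanitized_keys` records only the bare key name, so a nested `#foo` stripped from `a[b][#foo]` is logged identically to a top-level one; if the log is meant for triage, record the key path instead. The class docblock should state the scope explicitly — `$_GET`, `$_POST`, `$_COOKIE` and `$_REQUEST` are sanitized, `$_SERVER` and `$_FILES` are not, and `sanitize_input_whitelist` / `sanitize_input_logging` control the behaviour — since a reader of `sanitize()` otherwise has to infer it. Keys stripped from `$_REQUEST` on the last pass are never logged, which is presumably deliberate to avoid duplicate notices; a one-line comment there would make that intent clear.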
5 changes: 5 additions & 0 deletions profiles/dkan/CHANGELOG.txt
@@ -1,3 +1,8 @@
7.x-1.14.5
----------
- #2435 Update Drupal core to 7.58
- #2412 Update installation instructions

7.x-1.14.4
----------
- #2404 Avoid undefined offset on nuboot_radix/includes/panel.inc line 45
1 change: 1 addition & 0 deletions profiles/dkan/dkan.info
Expand Up @@ -125,3 +125,4 @@ dependencies[] = dkan_datastore
dependencies[] = dkan_datastore_api
dependencies[] = open_data_schema_map_dkan
dependencies[] = visualization_entity_charts_dkan
version = 7.x-1.14.5
1 change: 1 addition & 0 deletions profiles/dkan/docs/index.rst
Expand Up @@ -7,6 +7,7 @@ This is the central site for technical/developer documentation of DKAN. DKAN is
:maxdepth: 1

introduction/index
installation/index
components/index
community/index
admin/index
@@ -1,24 +1,17 @@
Installation
============

This document contains instructions for installing the DKAN open data
publishing software on your webserver. If you’re not comfortable
installing and maintaining server software, you may wish to Deploy a
Ready-to-Run DKAN Instance instead.
Installation Basics
===================

Please note that we are in the process of revamping our installation and
upgrade guide. The instructions here will work, but please bear with us
as we develop better documentation and processes.
.. note:: This page is essentially legacy documentation, but still provides some useful information for alternative methods of downloading and working with DKAN. For a more robust local development for working on DKAN core, see :doc:`local-dev`. For the most up-to-date documentation on managing website projects with DKAN, see `DKAN Starter documentation <https://dkan-starter.readthedocs.io>`_.

Before getting started, it's recommended that you familiarize yourself
with:

- `Drush, the command line tool <http://docs.drush.org/en/master/>`__
- `Drush, the command line tool <http://docs.drush.org/en/master/>`_
- `Drupal's installation
process <https://www.drupal.org/documentation/install>`__
- `Drupal's upgrade process <https://www.drupal.org/upgrade>`__
process <https://www.drupal.org/documentation/install>`_
- `Drupal's upgrade process <https://www.drupal.org/upgrade>`_
- `Drupal profiles and
distributions <https://www.drupal.org/node/1089736#distributions-vs-installation-profiles>`__
distributions <https://www.drupal.org/node/1089736#distributions-vs-installation-profiles>`_

What you will find in the main `DKAN
Repository <https://github.com/GetDKAN/dkan>`__ is a Drupal
Expand Down Expand Up @@ -87,7 +80,7 @@ if you want to do this with git instead:

::

$ git clone --branch master https://github.com/nuams/dkan-drops-7.git dkan
$ git clone --branch master https://github.com/GetDKAN/dkan-drops-7.git dkan

Build your own
~~~~~~~~~~~~~~
Expand Down Expand Up @@ -213,7 +206,7 @@ Grab Development version

::

$ git clone --branch 7.x-1.x https://github.com/nuams/dkan.git
$ git clone --branch 7.x-1.x https://github.com/GetDKAN/dkan.git
$ cd dkan

Build dkan
18 changes: 18 additions & 0 deletions profiles/dkan/docs/installation/index.rst
@@ -0,0 +1,18 @@
Installation
===============

This document contains instructions for installing the DKAN open data
publishing software on your webserver. If you’re not comfortable
installing and maintaining server software, you may wish to
:doc:`use web-based tools to deploy to Pantheon <../introduction/get-dkan>`
instead.

Please note that we are in the process of revamping our installation and
upgrade guide. The instructions here will work, but please bear with us
as we develop better documentation and processes.

.. toctree::
:maxdepth: 1

basic
local-dev
69 changes: 69 additions & 0 deletions profiles/dkan/docs/installation/local-dev.rst
@@ -0,0 +1,69 @@
Local Development Environment
=============================

For testing out DKAN locally and doing feature work directly on the software (as opposed to working on a particular, customized website), using a standardized, `docker <https://www.docker.com/>`_-based local environment is recommended. This will ensure you have the same setup as DKAN's core developers, and that your environment is very close to that of our continuous integration tools.

These instructions are geared toward people who want to contribute improvements or fixes to DKAN core. Once you have a working local copy, please make contributions using the `standard fork and pull-request workflow in Gitihub <https://help.github.com/categories/collaborating-with-issues-and-pull-requests/>`_.

We use a `Docker Compose <https://docs.docker.com/compose/>`_ stack very similar to the model used by `Docksal <https://docksal.io/>`_, but leveraging the power of the `Ahoy <http://www.ahoycli.com/>`_ CLI automation tool.

Requirements
------------

To get started working on DKAN core with our toolset you will need the following:

* A Linux or Mac computer (Windows support coming soon)
* `Git <https://git-scm.com/downloads>`_
* `Docker CE <https://www.docker.com/community-edition#/download>`_ (reccomended version: 17.12.1-ce)
* `Docker Compose <https://docs.docker.com/compose/install/>`_ (reccomended version: 1.19.0)
* `Ruby <https://www.ruby-lang.org/en/documentation/installation/>`_ (recommended version: 2.3.3p222)
* `Ahoy <http://www.ahoycli.com/en/latest/#installation>`_ (current scripts *require* Ahoy 1.1 and are incompatible with Ahoy 2.x)

Installing DKAN
---------------

First we need to clone the DKAN repo. If you plan to make and contribute changes, using your own fork in place of the main DKAN URL in the example below is recommended.

.. code-block:: bash
git clone https://github.com/GetDKAN/dkan.git
cd dkan
bash dkan-init.sh dkan
The last line in this sequence runs a script that moves the DKAN profile files into a subdirectory of your project root, and adds an Ahoy configuration file to the root.

.. code-block:: bash
export AHOY_CMD_PROXY=DOCKER
This line can either be executed directly in your command prompt (in which case it will need to be re-entered every time you open a new shell) or added to your shell configuration file (usually ``$HOME/.bashrc`` or ``$HOME/.bash_profile``). What this does is tell Ahoy to execute all commands in the CLI container in Docker, rather than in your local Mac or Linux environment. (Ahoy can be run without docker, but this is not recommended for this project and usually only done in the context of a CI tool like `ProboCI <https://probo.ci>`_.)

.. tip:: If you add the ``AHOY_CMD_PROXY`` environment variable to your ``.bashrc`` or similar file, don't forget to either close and re-open your terminal, or run ``source ~/.bashrc`` before proceeding.

.. code-block:: bash
ahoy docker up
ahoy dkan drupal-rebuild
These two commands will fire up your project's Docker containers and run a basic Drupal installation. If this completes without errors you are probably clear to proceed, but you can check your installation by running `ahoy docker url` and testing the URL this produces in your browser. You will notice that your project root now contains a ``/docroot`` folder, where the full Drupal codebase lives.

.. code-block:: bash
ahoy dkan remake
ahoy dkan reinstall
Finally, these two commands will build DKAN from your drupal-org.make file, create symlinks so that your `/dkan` folder is available to drupal under `/docroot/profiles/dkan`, and re-run the full Drupal installation process using the DKAN profile. Each of these commands will take several minutes to complete.

Once they do, you can find the URL for your site by typing ``ahoy docker url`` (or ``ahoy docker surl`` for an HTTPS version). Your initial login will be "admin"/"admin".

Basic Usage
-----------

We are in the process of both overhauling and better-documenting many of these tools. More details on these tools are available in the `DKAN Starter documentation <https://dkan-starter.readthedocs.io>`_. Some basic tips:

* Typing ``ahoy`` anywhere within your project will give you a list of available commands.
* To route Drush commands through the docker container, add ``ahoy`` before any command. For instance, to clear the cache, type ``ahoy drush cc all``.
* Use ``ahoy docker up`` and ``ahoy docker stop`` to start and stop the project's Docker containers. Use ``ahoy docker ps`` to see their current state.
* If you want to restore your database to a "clean" state, typing ``ahoy dkan reinstall`` and chosing "y" at the prompt will restore a backup made at the moment the reinstall command was last completed.
* Run ``ahoy dkan remake`` to apply any changes made to the DKAN make files (`drupal-org.make <https://github.com/GetDKAN/dkan/blob/7.x-1.x/drupal-org.make>`_ and `drupal-org-core.make <https://github.com/GetDKAN/dkan/blob/7.x-1.x/drupal-org-core.make>`_).
* If you need direct command-line access to the CLI container, type ``ahoy docker exec bash`` (or replace ``bash`` with any other command as needed).
41 changes: 19 additions & 22 deletions profiles/dkan/docs/introduction/get-dkan.md
@@ -1,33 +1,13 @@
# Get DKAN

DKAN is open source and flexible: You can download it for free and run it on your own server or choose from one of our hosting partners below. Visit getdkan.org for more information.
DKAN is open source and flexible: you can download it for free and run it on your own server or choose from one of our hosting partners below. Visit getdkan.org for more information.

## Download and run DKAN on your server

DKAN is based on the open source </a><a href="http://drupal.org">Drupal</a> content and application framework and runs almost anywhere Drupal is supported. Users unfamiliar with Drupal may be more comfortable trying one of the hosted options listed below, or contacting us to obtain a private demonstration instance. There is extensive information on how to install DKAN on your own in the [the developers/installation](/dkan-documentation/dkan-developers/installation) section of this site.
DKAN is based on the open source </a><a href="https://drupal.org">Drupal</a> content and application framework and runs almost anywhere Drupal is supported. Users unfamiliar with Drupal may be more comfortable trying one of the hosted options listed below, or contacting us to obtain a private demonstration instance. There is extensive information on how to install DKAN on your own in the [installation](../installation/index.rst) section of this site.

## Hosting Partners

DKAN is open source and flexible: you can download it for free and run it on your own server (see [installation instructions](installation.rst)) or choose from one of our hosting partners below.

### Acquia

**[Click here](https://insight.acquia.com/free?distro=dkantestdrive)** to install DKAN on Acquia for free.

[Acquia](http://acquia.com) offers a number of [hosting tools](http://www.acquia.com/products-services/acquia-cloud#Overview) built specifically for best maintaining Drupal sites. These include integrations with 3rd party systems like New Relic and Blaze Meter as well as reports on module updates, performance, and security reviews. Most importantly, Acquia offers a dashboard that makes it easy to move code (hosted by git), media files, and the database between development, testing, and production environments:

![Acquia Dashboard screenshot](../images/acquia-dashboard.png)

These tools allow a single site builder or team of developers to follow best practices, scale up if needed, and follow a rigorous QA process all without ever touching a server.

#### Single-click Installation

Acquia offers a "single-click" installation of DKAN. While this is labelled as a "Test drive," the environment offers the same dashboard tools as a full, paid account. [Visit Acquia's website for complete instructions](https://docs.acquia.com/cloud/free/aws-testdrive/dkan).

#### Maintaining a DKAN Site on Acquia

Updates to DKAN are released frequently. Acquia will not push these updates to your instance automatically, but you can keep your codebase up-to-date using your own workflow, or following our general [Upgrade Instructions](../development/maintaining.md).

### Pantheon

**[Click here](https://dashboard.getpantheon.com/products/dkan/spinup)** to install DKAN on Pantheon for free.
Expand Down Expand Up @@ -70,3 +50,20 @@ An error like the following is often seen at the end of the install process on P

This will hopefully be fixed on future releases. However, the resulting site should still be fully installed and functional.

### Acquia

**[Click here](https://insight.acquia.com/free?distro=dkantestdrive)** to install DKAN on Acquia for free.

[Acquia](https://acquia.com) offers a number of [hosting tools](https://www.acquia.com/products-services/acquia-cloud#Overview) built specifically for best maintaining Drupal sites. These include integrations with 3rd party systems like New Relic and Blaze Meter as well as reports on module updates, performance, and security reviews. Most importantly, Acquia offers a dashboard that makes it easy to move code (hosted by git), media files, and the database between development, testing, and production environments:

![Acquia Dashboard screenshot](../images/acquia-dashboard.png)

These tools allow a single site builder or team of developers to follow best practices, scale up if needed, and follow a rigorous QA process all without ever touching a server.

#### Single-click Installation

Acquia offers a "single-click" installation of DKAN. While this is labelled as a "Test drive," the environment offers the same dashboard tools as a full, paid account. [Visit Acquia's website for complete instructions](https://docs.acquia.com/cloud/free/aws-testdrive/dkan).

#### Maintaining a DKAN Site on Acquia

Updates to DKAN are released frequently. Acquia will not push these updates to your instance automatically, but you can keep your codebase up-to-date using your own workflow, or following our general [Upgrade Instructions](../development/maintaining.md).
1 change: 0 additions & 1 deletion profiles/dkan/docs/introduction/index.rst
Expand Up @@ -13,6 +13,5 @@ DKAN is a Drupal-based open data portal based on CKAN, the first widely adopted
catalog-features
dkan-ckan
get-dkan
installation
maintaining
dkan-sites
2 changes: 1 addition & 1 deletion profiles/dkan/drupal-org-core.make
Expand Up @@ -3,7 +3,7 @@ core: 7.x
projects:
drupal:
type: core
version: '7.57'
version: '7.58'
# Use vocabulary machine name for permissions, see http://drupal.org/node/995156
patch:
995156: 'http://drupal.org/files/issues/995156-5_portable_taxonomy_permissions.patch'
Expand Up @@ -30,3 +30,4 @@ features[variable][] = panelizer_node:data_dashboard_default
features[views_view][] = data_dashboards
features[views_view][] = front_page_dashboards_list
features_exclude[dependencies][dkan_topics] = dkan_topics
version = 7.x-1.14.5
Expand Up @@ -55,3 +55,4 @@ features_exclude[dependencies][image] = image
features_exclude[dependencies][strongarm] = strongarm
features_exclude[dependencies][taxonomy] = taxonomy
no autodetect = 1
version = 7.x-1.14.5
1 change: 1 addition & 0 deletions profiles/dkan/modules/dkan/dkan_dataset/dkan_dataset.info
Expand Up @@ -33,3 +33,4 @@ features[ctools][] = views:views_default:3.0
features[features_api][] = api:2
features[variable][] = pathauto_node_dataset_pattern
features[variable][] = pathauto_node_resource_pattern
version = 7.x-1.14.5
Expand Up @@ -22,3 +22,4 @@ features[views_view][] = datasets
files[] = includes/Datastore.inc
files[] = includes/DkanDatastore.inc
files[] = includes/DkanDatastoreFastImport.inc
version = 7.x-1.14.5
3 changes: 2 additions & 1 deletion profiles/dkan/modules/dkan/dkan_fixtures/dkan_fixtures.info
@@ -1,4 +1,4 @@
name = DKAN Fixtures
name = DKAN Fixtures
description = Saves DKAN API endpoints to local files to be used as fixtures
core = 7.x
package = DKAN
Expand All @@ -14,3 +14,4 @@ files[] = includes/page.inc
files[] = includes/panelized_node.inc
files[] = includes/resource.inc
files[] = includes/visualization_entity.inc
version = 7.x-1.14.5
1 change: 1 addition & 0 deletions profiles/dkan/modules/dkan/dkan_harvest/dkan_harvest.info
Expand Up @@ -72,3 +72,4 @@ files[] = includes/HarvestItem.php
files[] = includes/HarvestCache.php
files[] = includes/HarvestMigrateSQLMap.php
files[] = includes/HarvestMigrateSourceList.php
version = 7.x-1.14.5
1 change: 1 addition & 0 deletions profiles/dkan/modules/dkan/dkan_ipe/dkan_ipe.info
Expand Up @@ -8,3 +8,4 @@ dependencies[] = panels
dependencies[] = strongarm
features[features_api][] = api:2
project path = profiles/dkan/modules/dkan
version = 7.x-1.14.5
Expand Up @@ -11,3 +11,4 @@ files[] = dkan_migrate_base_group.inc
files[] = dkan_migrate_base_dataset.inc
files[] = dkan_migrate_base_resource.inc
files[] = dkan_migrate_base_data_json.inc
version = 7.x-1.14.5
Expand Up @@ -11,3 +11,4 @@ features[roles_permissions][] = editor
features[roles_permissions][] = site manager
features_exclude[dependencies][features] = features
project path = profiles/dkan/modules/dkan
version = 7.x-1.14.5