From 0a95b8440ece777e8b0c18914358bcc0d23fd6f9 Mon Sep 17 00:00:00 2001 From: Pantheon Automation Date: Wed, 16 Nov 2016 12:26:40 -0800 Subject: [PATCH] Update to Drupal 8.2.3. For more information, see https://www.drupal.org/project/drupal/releases/8.2.3 --- core/CHANGELOG.txt | 4 + core/lib/Drupal.php | 2 +- .../lib/Drupal/Core/Database/Query/Select.php | 17 ++- .../Core/Render/Element/MachineName.php | 6 + core/misc/machine-name.js | 3 + .../system/src/MachineNameController.php | 26 +++- core/modules/system/system.install | 16 +++ .../MachineNameControllerTest.php | 48 ++++++- .../Plugin/views/filter/TaxonomyIndexTid.php | 2 +- .../views/relationship/NodeTermData.php | 2 +- core/modules/taxonomy/src/TermStorage.php | 8 +- core/modules/taxonomy/src/TermViewsData.php | 2 +- .../src/Tests/TaxonomyQueryAlterTest.php | 119 ++++++++++++++++++ core/modules/taxonomy/taxonomy.module | 2 +- .../taxonomy_test/taxonomy_test.info.yml | 8 ++ .../taxonomy_test/taxonomy_test.module | 38 ++++++ .../user/src/Form/UserPasswordForm.php | 1 + .../user/src/Tests/UserPasswordResetTest.php | 3 + .../Core/Render/Element/MachineNameTest.php | 8 +- 19 files changed, 300 insertions(+), 15 deletions(-) create mode 100644 core/modules/taxonomy/src/Tests/TaxonomyQueryAlterTest.php create mode 100644 core/modules/taxonomy/tests/modules/taxonomy_test/taxonomy_test.info.yml create mode 100644 core/modules/taxonomy/tests/modules/taxonomy_test/taxonomy_test.module diff --git a/core/CHANGELOG.txt b/core/CHANGELOG.txt index 56b804d3c..2b424d27c 100644 --- a/core/CHANGELOG.txt +++ b/core/CHANGELOG.txt @@ -1,3 +1,7 @@ +Drupal 8.2.3, 2016-11-16 +------------------------ +- Fixed security issues. See SA-CORE-2016-005. + Drupal 8.2.0, 2016-10-05 ------------------------ - Updated the git repository configuration to not normalize line endings for diff --git a/core/lib/Drupal.php b/core/lib/Drupal.php index 092266182..0d961c12f 100644 --- a/core/lib/Drupal.php +++ b/core/lib/Drupal.php @@ -81,7 +81,7 @@ class Drupal { /** * The current system version. */ - const VERSION = '8.2.2'; + const VERSION = '8.2.3'; /** * Core API compatibility. diff --git a/core/lib/Drupal/Core/Database/Query/Select.php b/core/lib/Drupal/Core/Database/Query/Select.php index b7db60579..04efcf4ea 100644 --- a/core/lib/Drupal/Core/Database/Query/Select.php +++ b/core/lib/Drupal/Core/Database/Query/Select.php @@ -5,7 +5,6 @@ namespace Drupal\Core\Database\Query; use Drupal\Core\Database\Database; use Drupal\Core\Database\Connection; - /** * Query builder for SELECT statements. * @@ -456,6 +455,22 @@ class Select extends Query implements SelectInterface { // Modules may alter all queries or only those having a particular tag. if (isset($this->alterTags)) { + // Many contrib modules as well as Entity Reference in core assume that + // query tags used for access-checking purposes follow the pattern + // $entity_type . '_access'. But this is not the case for taxonomy terms, + // since the core Taxonomy module used to add term_access instead of + // taxonomy_term_access to its queries. Provide backwards compatibility + // by adding both tags here instead of attempting to fix all contrib + // modules in a coordinated effort. + // TODO: + // - Extract this mechanism into a hook as part of a public (non-security) + // issue. + // - Emit E_USER_DEPRECATED if term_access is used. + // https://www.drupal.org/node/2575081 + $term_access_tags = array('term_access' => 1, 'taxonomy_term_access' => 1); + if (array_intersect_key($this->alterTags, $term_access_tags)) { + $this->alterTags += $term_access_tags; + } $hooks = array('query'); foreach ($this->alterTags as $tag => $value) { $hooks[] = 'query_' . $tag; diff --git a/core/lib/Drupal/Core/Render/Element/MachineName.php b/core/lib/Drupal/Core/Render/Element/MachineName.php index c92d0e081..6cf455942 100644 --- a/core/lib/Drupal/Core/Render/Element/MachineName.php +++ b/core/lib/Drupal/Core/Render/Element/MachineName.php @@ -190,6 +190,7 @@ class MachineName extends Textfield { $element['#attached']['library'][] = 'core/drupal.machine-name'; $options = [ 'replace_pattern', + 'replace_token', 'replace', 'maxlength', 'target', @@ -198,6 +199,11 @@ class MachineName extends Textfield { 'field_suffix', 'suffix', ]; + + /** @var \Drupal\Core\Access\CsrfTokenGenerator $token_generator */ + $token_generator = \Drupal::service('csrf_token'); + $element['#machine_name']['replace_token'] = $token_generator->get($element['#machine_name']['replace_pattern']); + $element['#attached']['drupalSettings']['machineName']['#' . $source['#id']] = array_intersect_key($element['#machine_name'], array_flip($options)); $element['#attached']['drupalSettings']['langcode'] = $language->getId(); diff --git a/core/misc/machine-name.js b/core/misc/machine-name.js index bbad2e39d..7f3c59d69 100644 --- a/core/misc/machine-name.js +++ b/core/misc/machine-name.js @@ -186,6 +186,8 @@ * @param {string} settings.replace_pattern * A regular expression (without modifiers) matching disallowed characters * in the machine name; e.g., '[^a-z0-9]+'. + * @param {string} settings.replace_token + * A token to validate the regular expression. * @param {string} settings.replace * A character to replace disallowed characters with; e.g., '_' or '-'. * @param {number} settings.maxlength @@ -199,6 +201,7 @@ text: source, langcode: drupalSettings.langcode, replace_pattern: settings.replace_pattern, + replace_token: settings.replace_token, replace: settings.replace, lowercase: true }); diff --git a/core/modules/system/src/MachineNameController.php b/core/modules/system/src/MachineNameController.php index 7331eb39d..239e5b3ec 100644 --- a/core/modules/system/src/MachineNameController.php +++ b/core/modules/system/src/MachineNameController.php @@ -4,7 +4,9 @@ namespace Drupal\system; use Drupal\Component\Transliteration\TransliterationInterface; use Drupal\Component\Utility\Unicode; +use Drupal\Core\Access\CsrfTokenGenerator; use Drupal\Core\DependencyInjection\ContainerInjectionInterface; +use Symfony\Component\HttpFoundation\File\Exception\AccessDeniedException; use Symfony\Component\HttpFoundation\JsonResponse; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\DependencyInjection\ContainerInterface; @@ -21,14 +23,24 @@ class MachineNameController implements ContainerInjectionInterface { */ protected $transliteration; + /** + * The token generator. + * + * @var \Drupal\Core\Access\CsrfTokenGenerator + */ + protected $tokenGenerator; + /** * Constructs a MachineNameController object. * * @param \Drupal\Component\Transliteration\TransliterationInterface $transliteration * The transliteration helper. + * @param \Drupal\Core\Access\CsrfTokenGenerator $token_generator + * The token generator. */ - public function __construct(TransliterationInterface $transliteration) { + public function __construct(TransliterationInterface $transliteration, CsrfTokenGenerator $token_generator) { $this->transliteration = $transliteration; + $this->tokenGenerator = $token_generator; } /** @@ -36,7 +48,8 @@ class MachineNameController implements ContainerInjectionInterface { */ public static function create(ContainerInterface $container) { return new static( - $container->get('transliteration') + $container->get('transliteration'), + $container->get('csrf_token') ); } @@ -54,6 +67,7 @@ class MachineNameController implements ContainerInjectionInterface { $text = $request->query->get('text'); $langcode = $request->query->get('langcode'); $replace_pattern = $request->query->get('replace_pattern'); + $replace_token = $request->query->get('replace_token'); $replace = $request->query->get('replace'); $lowercase = $request->query->get('lowercase'); @@ -61,7 +75,15 @@ class MachineNameController implements ContainerInjectionInterface { if ($lowercase) { $transliterated = Unicode::strtolower($transliterated); } + if (isset($replace_pattern) && isset($replace)) { + if (!isset($replace_token)) { + throw new AccessDeniedException("Missing 'replace_token' query parameter."); + } + elseif (!$this->tokenGenerator->validate($replace_token, $replace_pattern)) { + throw new AccessDeniedException("Invalid 'replace_token' query parameter."); + } + // Quote the pattern delimiter and remove null characters to avoid the e // or other modifiers being injected. $transliterated = preg_replace('@' . strtr($replace_pattern, ['@' => '\@', chr(0) => '']) . '@', $replace, $transliterated); diff --git a/core/modules/system/system.install b/core/modules/system/system.install index cbdafbc9f..7db1eaeb0 100644 --- a/core/modules/system/system.install +++ b/core/modules/system/system.install @@ -1730,3 +1730,19 @@ function system_update_8201() { /** * @} End of "addtogroup updates-8.2.0". */ + +/** + * @addtogroup updates-8.2.3 + * @{ + */ + +/** + * Clear caches due to behavior change in MachineName element. + */ +function system_update_8202() { + // Empty update to cause a cache rebuild. +} + +/** + * @} End of "addtogroup updates-8.2.3". + */ diff --git a/core/modules/system/tests/src/Unit/Transliteration/MachineNameControllerTest.php b/core/modules/system/tests/src/Unit/Transliteration/MachineNameControllerTest.php index 73f4ef3de..dbd1f1a3b 100644 --- a/core/modules/system/tests/src/Unit/Transliteration/MachineNameControllerTest.php +++ b/core/modules/system/tests/src/Unit/Transliteration/MachineNameControllerTest.php @@ -2,9 +2,12 @@ namespace Drupal\Tests\system\Unit\Transliteration; +use Drupal\Core\Access\CsrfTokenGenerator; use Drupal\Tests\UnitTestCase; use Drupal\Component\Transliteration\PhpTransliteration; use Drupal\system\MachineNameController; +use Prophecy\Argument; +use Symfony\Component\HttpFoundation\File\Exception\AccessDeniedException; use Symfony\Component\HttpFoundation\Request; /** @@ -21,10 +24,22 @@ class MachineNameControllerTest extends UnitTestCase { */ protected $machineNameController; + /** + * The CSRF token generator. + * + * @var \Drupal\Core\Access\CsrfTokenGenerator + */ + protected $tokenGenerator; + protected function setUp() { parent::setUp(); // Create the machine name controller. - $this->machineNameController = new MachineNameController(new PhpTransliteration()); + $this->tokenGenerator = $this->prophesize(CsrfTokenGenerator::class); + $this->tokenGenerator->validate(Argument::cetera())->will(function ($args) { + return $args[0] === 'token-' . $args[1]; + }); + + $this->machineNameController = new MachineNameController(new PhpTransliteration(), $this->tokenGenerator->reveal()); } /** @@ -38,7 +53,7 @@ class MachineNameControllerTest extends UnitTestCase { * - The expected content of the JSONresponse. */ public function providerTestMachineNameController() { - return array( + $valid_data = array( array(array('text' => 'Bob', 'langcode' => 'en'), '"Bob"'), array(array('text' => 'Bob', 'langcode' => 'en', 'lowercase' => TRUE), '"bob"'), array(array('text' => 'Bob', 'langcode' => 'en', 'replace' => 'Alice', 'replace_pattern' => 'Bob'), '"Alice"'), @@ -53,6 +68,15 @@ class MachineNameControllerTest extends UnitTestCase { array(array('text' => 'Bob', 'langcode' => 'en', 'lowercase' => TRUE, 'replace' => 'fail()', 'replace_pattern' => ".*@e\0"), '"bob"'), array(array('text' => 'Bob@e', 'langcode' => 'en', 'lowercase' => TRUE, 'replace' => 'fail()', 'replace_pattern' => ".*@e\0"), '"fail()"'), ); + + $valid_data = array_map(function ($data) { + if (isset($data[0]['replace_pattern'])) { + $data[0]['replace_token'] = 'token-' . $data[0]['replace_pattern']; + } + return $data; + }, $valid_data); + + return $valid_data; } /** @@ -73,4 +97,24 @@ class MachineNameControllerTest extends UnitTestCase { $this->assertEquals($expected_content, $json->getContent()); } + /** + * Tests the pattern validation. + */ + public function testMachineNameControllerWithInvalidReplacePattern() { + $request = Request::create('', 'GET', ['text' => 'Bob', 'langcode' => 'en', 'replace' => 'Alice', 'replace_pattern' => 'Bob', 'replace_token' => 'invalid']); + + $this->setExpectedException(AccessDeniedException::class, "Invalid 'replace_token' query parameter."); + $this->machineNameController->transliterate($request); + } + + /** + * Tests the pattern validation with a missing token. + */ + public function testMachineNameControllerWithMissingToken() { + $request = Request::create('', 'GET', ['text' => 'Bob', 'langcode' => 'en', 'replace' => 'Alice', 'replace_pattern' => 'Bob']); + + $this->setExpectedException(AccessDeniedException::class, "Missing 'replace_token' query parameter."); + $this->machineNameController->transliterate($request); + } + } diff --git a/core/modules/taxonomy/src/Plugin/views/filter/TaxonomyIndexTid.php b/core/modules/taxonomy/src/Plugin/views/filter/TaxonomyIndexTid.php index 0158881f5..d769bb04d 100644 --- a/core/modules/taxonomy/src/Plugin/views/filter/TaxonomyIndexTid.php +++ b/core/modules/taxonomy/src/Plugin/views/filter/TaxonomyIndexTid.php @@ -192,7 +192,7 @@ class TaxonomyIndexTid extends ManyToOne { // https://www.drupal.org/node/1821274. ->sort('weight') ->sort('name') - ->addTag('term_access'); + ->addTag('taxonomy_term_access'); if ($this->options['limit']) { $query->condition('vid', $vocabulary->id()); } diff --git a/core/modules/taxonomy/src/Plugin/views/relationship/NodeTermData.php b/core/modules/taxonomy/src/Plugin/views/relationship/NodeTermData.php index 40c8fc73a..b1c72e4bd 100644 --- a/core/modules/taxonomy/src/Plugin/views/relationship/NodeTermData.php +++ b/core/modules/taxonomy/src/Plugin/views/relationship/NodeTermData.php @@ -132,7 +132,7 @@ class NodeTermData extends RelationshipPluginBase { $query = db_select('taxonomy_term_field_data', 'td'); $query->addJoin($def['type'], 'taxonomy_index', 'tn', 'tn.tid = td.tid'); $query->condition('td.vid', array_filter($this->options['vids']), 'IN'); - $query->addTag('term_access'); + $query->addTag('taxonomy_term_access'); $query->fields('td'); $query->fields('tn', array('nid')); $def['table formula'] = $query; diff --git a/core/modules/taxonomy/src/TermStorage.php b/core/modules/taxonomy/src/TermStorage.php index ffbf1da86..bc44c226f 100644 --- a/core/modules/taxonomy/src/TermStorage.php +++ b/core/modules/taxonomy/src/TermStorage.php @@ -126,7 +126,7 @@ class TermStorage extends SqlContentEntityStorage implements TermStorageInterfac $query->addField('t', 'tid'); $query->condition('h.tid', $tid); $query->condition('t.default_langcode', 1); - $query->addTag('term_access'); + $query->addTag('taxonomy_term_access'); $query->orderBy('t.weight'); $query->orderBy('t.name'); if ($ids = $query->execute()->fetchCol()) { @@ -178,7 +178,7 @@ class TermStorage extends SqlContentEntityStorage implements TermStorageInterfac $query->condition('t.vid', $vid); } $query->condition('t.default_langcode', 1); - $query->addTag('term_access'); + $query->addTag('taxonomy_term_access'); $query->orderBy('t.weight'); $query->orderBy('t.name'); if ($ids = $query->execute()->fetchCol()) { @@ -204,7 +204,7 @@ class TermStorage extends SqlContentEntityStorage implements TermStorageInterfac $query = $this->database->select('taxonomy_term_field_data', 't'); $query->join('taxonomy_term_hierarchy', 'h', 'h.tid = t.tid'); $result = $query - ->addTag('term_access') + ->addTag('taxonomy_term_access') ->fields('t') ->fields('h', array('parent')) ->condition('t.vid', $vid) @@ -320,7 +320,7 @@ class TermStorage extends SqlContentEntityStorage implements TermStorageInterfac $query->orderby('td.weight'); $query->orderby('td.name'); $query->condition('tn.nid', $nids, 'IN'); - $query->addTag('term_access'); + $query->addTag('taxonomy_term_access'); if (!empty($vocabs)) { $query->condition('td.vid', $vocabs, 'IN'); } diff --git a/core/modules/taxonomy/src/TermViewsData.php b/core/modules/taxonomy/src/TermViewsData.php index 00bc5899b..89b2b55ef 100644 --- a/core/modules/taxonomy/src/TermViewsData.php +++ b/core/modules/taxonomy/src/TermViewsData.php @@ -16,7 +16,7 @@ class TermViewsData extends EntityViewsData { $data = parent::getViewsData(); $data['taxonomy_term_field_data']['table']['base']['help'] = $this->t('Taxonomy terms are attached to nodes.'); - $data['taxonomy_term_field_data']['table']['base']['access query tag'] = 'term_access'; + $data['taxonomy_term_field_data']['table']['base']['access query tag'] = 'taxonomy_term_access'; $data['taxonomy_term_field_data']['table']['wizard_id'] = 'taxonomy_term'; $data['taxonomy_term_field_data']['table']['join'] = array( diff --git a/core/modules/taxonomy/src/Tests/TaxonomyQueryAlterTest.php b/core/modules/taxonomy/src/Tests/TaxonomyQueryAlterTest.php new file mode 100644 index 000000000..543910b0b --- /dev/null +++ b/core/modules/taxonomy/src/Tests/TaxonomyQueryAlterTest.php @@ -0,0 +1,119 @@ +createVocabulary(); + $terms = array(); + for ($i = 0; $i < 5; $i++) { + $terms[$i] = $this->createTerm($vocabulary); + } + + // Set up hierarchy. Term 2 is a child of 1. + $terms[2]->parent = $terms[1]->id(); + $terms[2]->save(); + + $term_storage = \Drupal::entityManager()->getStorage('taxonomy_term'); + + $this->setupQueryTagTestHooks(); + $loaded_term = $term_storage->load($terms[0]->id()); + $this->assertEqual($loaded_term->id(), $terms[0]->id(), 'First term was loaded'); + $this->assertQueryTagTestResult(1, 0, 'TermStorage::load()'); + + $this->setupQueryTagTestHooks(); + $loaded_terms = $term_storage->loadTree($vocabulary->id()); + $this->assertEqual(count($loaded_terms), count($terms), 'All terms were loaded'); + $this->assertQueryTagTestResult(1, 1, 'TermStorage::loadTree()'); + + $this->setupQueryTagTestHooks(); + $loaded_terms = $term_storage->loadParents($terms[2]->id()); + $this->assertEqual(count($loaded_terms), 1, 'All parent terms were loaded'); + $this->assertQueryTagTestResult(2, 1, 'TermStorage::loadParents()'); + + $this->setupQueryTagTestHooks(); + $loaded_terms = $term_storage->loadChildren($terms[1]->id()); + $this->assertEqual(count($loaded_terms), 1, 'All child terms were loaded'); + $this->assertQueryTagTestResult(2, 1, 'TermStorage::loadChildren()'); + + $this->setupQueryTagTestHooks(); + $query = db_select('taxonomy_term_data', 't'); + $query->addField('t', 'tid'); + $query->addTag('taxonomy_term_access'); + $tids = $query->execute()->fetchCol(); + $this->assertEqual(count($tids), count($terms), 'All term IDs were retrieved'); + $this->assertQueryTagTestResult(1, 1, 'custom db_select() with taxonomy_term_access tag (preferred)'); + + $this->setupQueryTagTestHooks(); + $query = db_select('taxonomy_term_data', 't'); + $query->addField('t', 'tid'); + $query->addTag('term_access'); + $tids = $query->execute()->fetchCol(); + $this->assertEqual(count($tids), count($terms), 'All term IDs were retrieved'); + $this->assertQueryTagTestResult(1, 1, 'custom db_select() with term_access tag (deprecated)'); + + $this->setupQueryTagTestHooks(); + $query = \Drupal::entityQuery('taxonomy_term'); + $query->addTag('taxonomy_term_access'); + $result = $query->execute(); + $this->assertEqual(count($result), count($terms), 'All term IDs were retrieved'); + $this->assertQueryTagTestResult(1, 1, 'custom EntityFieldQuery with taxonomy_term_access tag (preferred)'); + + $this->setupQueryTagTestHooks(); + $query = \Drupal::entityQuery('taxonomy_term'); + $query->addTag('term_access'); + $result = $query->execute(); + $this->assertEqual(count($result), count($terms), 'All term IDs were retrieved'); + $this->assertQueryTagTestResult(1, 1, 'custom EntityFieldQuery with term_access tag (deprecated)'); + } + + /** + * Sets up the hooks in the test module. + */ + protected function setupQueryTagTestHooks() { + taxonomy_terms_static_reset(); + \Drupal::state()->set('taxonomy_test_query_alter', 0); + \Drupal::state()->set('taxonomy_test_query_term_access_alter', 0); + \Drupal::state()->set('taxonomy_test_query_taxonomy_term_access_alter', 0); + } + + /** + * Verifies invocation of the hooks in the test module. + * + * @param int $expected_generic_invocations + * The number of times the generic query_alter hook is expected to have + * been invoked. + * @param int $expected_specific_invocations + * The number of times the tag-specific query_alter hooks are expected to + * have been invoked. + * @param string $method + * A string describing the invoked function which generated the query. + */ + protected function assertQueryTagTestResult($expected_generic_invocations, $expected_specific_invocations, $method) { + $this->assertIdentical($expected_generic_invocations, \Drupal::state()->get('taxonomy_test_query_alter'), 'hook_query_alter() invoked when executing ' . $method); + $this->assertIdentical($expected_specific_invocations, \Drupal::state()->get('taxonomy_test_query_term_access_alter'), 'Deprecated hook_query_term_access_alter() invoked when executing ' . $method); + $this->assertIdentical($expected_specific_invocations, \Drupal::state()->get('taxonomy_test_query_taxonomy_term_access_alter'), 'Preferred hook_query_taxonomy_term_access_alter() invoked when executing ' . $method); + } + +} diff --git a/core/modules/taxonomy/taxonomy.module b/core/modules/taxonomy/taxonomy.module index 7a1ca6521..80884329b 100644 --- a/core/modules/taxonomy/taxonomy.module +++ b/core/modules/taxonomy/taxonomy.module @@ -7,8 +7,8 @@ use Drupal\Component\Utility\Tags; use Drupal\Component\Utility\Unicode; -use Drupal\Core\Entity\Sql\SqlContentEntityStorage; use Drupal\Core\Entity\EntityInterface; +use Drupal\Core\Entity\Sql\SqlContentEntityStorage; use Drupal\Core\Render\Element; use Drupal\Core\Routing\RouteMatchInterface; use Drupal\Core\Url; diff --git a/core/modules/taxonomy/tests/modules/taxonomy_test/taxonomy_test.info.yml b/core/modules/taxonomy/tests/modules/taxonomy_test/taxonomy_test.info.yml new file mode 100644 index 000000000..5bc019776 --- /dev/null +++ b/core/modules/taxonomy/tests/modules/taxonomy_test/taxonomy_test.info.yml @@ -0,0 +1,8 @@ +name: 'Taxonomy test' +type: module +description: 'Provides test hook implementations for taxonomy tests' +package: Testing +version: VERSION +core: 8.x +dependencies: + - taxonomy diff --git a/core/modules/taxonomy/tests/modules/taxonomy_test/taxonomy_test.module b/core/modules/taxonomy/tests/modules/taxonomy_test/taxonomy_test.module new file mode 100644 index 000000000..8e08c130a --- /dev/null +++ b/core/modules/taxonomy/tests/modules/taxonomy_test/taxonomy_test.module @@ -0,0 +1,38 @@ +get(__FUNCTION__); + if (isset($value)) { + \Drupal::state()->set(__FUNCTION__, ++$value); + } +} + +/** + * Implements hook_query_TAG_alter(). + */ +function taxonomy_test_query_term_access_alter(AlterableInterface $query) { + $value = \Drupal::state()->get(__FUNCTION__); + if (isset($value)) { + \Drupal::state()->set(__FUNCTION__, ++$value); + } +} + +/** + * Implements hook_query_TAG_alter(). + */ +function taxonomy_test_query_taxonomy_term_access_alter(AlterableInterface $query) { + $value = \Drupal::state()->get(__FUNCTION__); + if (isset($value)) { + \Drupal::state()->set(__FUNCTION__, ++$value); + } +} diff --git a/core/modules/user/src/Form/UserPasswordForm.php b/core/modules/user/src/Form/UserPasswordForm.php index 83d8e0af4..a89549a0e 100644 --- a/core/modules/user/src/Form/UserPasswordForm.php +++ b/core/modules/user/src/Form/UserPasswordForm.php @@ -99,6 +99,7 @@ class UserPasswordForm extends FormBase { } $form['actions'] = array('#type' => 'actions'); $form['actions']['submit'] = array('#type' => 'submit', '#value' => $this->t('Submit')); + $form['#cache']['contexts'][] = 'url.query_args'; return $form; } diff --git a/core/modules/user/src/Tests/UserPasswordResetTest.php b/core/modules/user/src/Tests/UserPasswordResetTest.php index c012e9f8d..f3463bf1d 100644 --- a/core/modules/user/src/Tests/UserPasswordResetTest.php +++ b/core/modules/user/src/Tests/UserPasswordResetTest.php @@ -292,6 +292,9 @@ class UserPasswordResetTest extends PageCacheTagsTestBase { unset($edit['pass']); $this->drupalGet('user/password', array('query' => array('name' => $edit['name']))); $this->assertFieldByName('name', $edit['name'], 'User name found.'); + // Ensure the name field value is not cached. + $this->drupalGet('user/password'); + $this->assertNoFieldByName('name', $edit['name'], 'User name not found.'); } /** diff --git a/core/tests/Drupal/Tests/Core/Render/Element/MachineNameTest.php b/core/tests/Drupal/Tests/Core/Render/Element/MachineNameTest.php index d5340cb26..0dcdc5829 100644 --- a/core/tests/Drupal/Tests/Core/Render/Element/MachineNameTest.php +++ b/core/tests/Drupal/Tests/Core/Render/Element/MachineNameTest.php @@ -2,6 +2,7 @@ namespace Drupal\Tests\Core\Render\Element; +use Drupal\Core\Access\CsrfTokenGenerator; use Drupal\Core\Form\FormState; use Drupal\Core\Form\FormStateInterface; use Drupal\Core\Language\LanguageInterface; @@ -78,8 +79,12 @@ class MachineNameTest extends UnitTestCase { $language_manager = $this->prophesize(LanguageManagerInterface::class); $language_manager->getCurrentLanguage()->willReturn($language); + $csrf_token = $this->prophesize(CsrfTokenGenerator::class); + $csrf_token->get('[^a-z0-9_]+')->willReturn('tis-a-fine-token'); + $container = $this->prophesize(ContainerInterface::class); $container->get('language_manager')->willReturn($language_manager->reveal()); + $container->get('csrf_token')->willReturn($csrf_token->reveal()); \Drupal::setContainer($container->reveal()); $element = MachineName::processMachineName($element, $form_state, $complete_form); @@ -93,7 +98,8 @@ class MachineNameTest extends UnitTestCase { 'label', 'field_prefix', 'field_suffix', - 'suffix' + 'suffix', + 'replace_token', ]; $this->assertEmpty(array_diff_key($settings, array_flip($allowed_options))); foreach ($allowed_options as $key) {