From 6c486e929672787f23621245f69cfeb35aefce2f Mon Sep 17 00:00:00 2001 From: Rob Davies Date: Thu, 20 Apr 2017 11:41:23 +0100 Subject: [PATCH] Core update 8.3.1 --- web/composer.lock | 10 +- web/core/CHANGELOG.txt | 4 + web/core/lib/Drupal.php | 2 +- .../Entity/EntityAccessControlHandler.php | 13 ++ web/vendor/composer/installed.json | 132 +++++++++--------- 5 files changed, 89 insertions(+), 72 deletions(-) diff --git a/web/composer.lock b/web/composer.lock index 91d15090b..fcc11480e 100644 --- a/web/composer.lock +++ b/web/composer.lock @@ -880,16 +880,16 @@ }, { "name": "drupal/core", - "version": "8.3.0", + "version": "8.3.1", "source": { "type": "git", "url": "https://github.com/drupal-composer/drupal-core.git", - "reference": "e503a252ec5c2811abed6af0c7b70afda8e93a3f" + "reference": "53326f9503e5e9e406fab22e4fbae6ddb706f7be" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/drupal-composer/drupal-core/zipball/e503a252ec5c2811abed6af0c7b70afda8e93a3f", - "reference": "e503a252ec5c2811abed6af0c7b70afda8e93a3f", + "url": "https://api.github.com/repos/drupal-composer/drupal-core/zipball/53326f9503e5e9e406fab22e4fbae6ddb706f7be", + "reference": "53326f9503e5e9e406fab22e4fbae6ddb706f7be", "shasum": "" }, "require": { @@ -1058,7 +1058,7 @@ "GPL-2.0+" ], "description": "Drupal is an open source content management platform powering millions of websites and applications.", - "time": "2017-04-06T00:12:44+00:00" + "time": "2017-04-19T16:07:22+00:00" }, { "name": "easyrdf/easyrdf", diff --git a/web/core/CHANGELOG.txt b/web/core/CHANGELOG.txt index 10e824f9e..0436c10b0 100644 --- a/web/core/CHANGELOG.txt +++ b/web/core/CHANGELOG.txt @@ -1,3 +1,7 @@ +Drupal 8.3.1, 2017-04-19 +------------------------ +- Fixed security issues. See SA-CORE-2017-002. + Drupal 8.3.0, 2017-04-05 ------------------------ - Added modules: diff --git a/web/core/lib/Drupal.php b/web/core/lib/Drupal.php index f15548071..defdbffb5 100644 --- a/web/core/lib/Drupal.php 
+++ b/web/core/lib/Drupal.php @@ -81,7 +81,7 @@ class Drupal { /** * The current system version. */ - const VERSION = '8.3.0'; + const VERSION = '8.3.1'; /** * Core API compatibility. diff --git a/web/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php b/web/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php index d1d43ee90..3b16d1cdd 100644 --- a/web/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php +++ b/web/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php @@ -303,6 +303,19 @@ class EntityAccessControlHandler extends EntityHandlerBase implements EntityAcce // Get the default access restriction that lives within this field. $default = $items ? $items->defaultAccess($operation, $account) : AccessResult::allowed(); + // Explicitly disallow changing the entity ID and entity UUID. + if ($operation === 'edit') { + if ($field_definition->getName() === $this->entityType->getKey('id')) { + return $return_as_object ? AccessResult::forbidden('The entity ID cannot be changed') : FALSE; + } + elseif ($field_definition->getName() === $this->entityType->getKey('uuid')) { + // UUIDs can be set when creating an entity. + if ($items && ($entity = $items->getEntity()) && !$entity->isNew()) { + return $return_as_object ? AccessResult::forbidden('The entity UUID cannot be changed')->addCacheableDependency($entity) : FALSE; + } + } + } + // Get the default access restriction as specified by the access control // handler. $entity_default = $this->checkFieldAccess($operation, $field_definition, $account, $items); diff --git a/web/vendor/composer/installed.json b/web/vendor/composer/installed.json index d9034186b..4e9422b53 100644 --- a/web/vendor/composer/installed.json +++ b/web/vendor/composer/installed.json 
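Review bot: In the EntityAccessControlHandler.php hunk, the `uuid` branch forbids `edit` only when `$items` is passed and the entity is not new, while the `id` branch forbids it unconditionally, even for an entity that is still being created. A field-access check made without `$items` therefore skips the UUID guard and falls through to the default access result. Worth a comment on that branch, e.g. `// Without $items the entity state is unknown, so this guard is skipped; callers relying on UUID immutability must pass $items.` If any entity type on this site accepts a caller-supplied ID at creation (not visible from this hunk), the unconditional `id` return will now deny it, so REST and other deserialization paths should be exercised after the update. The enclosing method begins and ends outside the hunk.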
@@ -4304,18 +4304,76 @@ ] }, { - "name": "drupal/core", - "version": "8.3.0", - "version_normalized": "8.3.0.0", + "name": "symfony/dom-crawler", + "version": "v3.0.9", + "version_normalized": "3.0.9.0", "source": { "type": "git", - "url": "https://github.com/drupal-composer/drupal-core.git", - "reference": "e503a252ec5c2811abed6af0c7b70afda8e93a3f" + "url": "https://github.com/symfony/dom-crawler.git", + "reference": "dff8fecf1f56990d88058e3a1885c2a5f1b8e970" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/drupal-composer/drupal-core/zipball/e503a252ec5c2811abed6af0c7b70afda8e93a3f", - "reference": "e503a252ec5c2811abed6af0c7b70afda8e93a3f", + "url": "https://api.github.com/repos/symfony/dom-crawler/zipball/dff8fecf1f56990d88058e3a1885c2a5f1b8e970", + "reference": "dff8fecf1f56990d88058e3a1885c2a5f1b8e970", + "shasum": "" + }, + "require": { + "php": ">=5.5.9", + "symfony/polyfill-mbstring": "~1.0" + }, + "require-dev": { + "symfony/css-selector": "~2.8|~3.0" + }, + "suggest": { + "symfony/css-selector": "" + }, + "time": "2016-07-30T07:22:48+00:00", + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "3.0-dev" + } + }, + "installation-source": "dist", + "autoload": { + "psr-4": { + "Symfony\\Component\\DomCrawler\\": "" + }, + "exclude-from-classmap": [ + "/Tests/" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Fabien Potencier", + "email": "fabien@symfony.com" + }, + { + "name": "Symfony Community", + "homepage": "https://symfony.com/contributors" + } + ], + "description": "Symfony DomCrawler Component", + "homepage": "https://symfony.com" + }, + { + "name": "drupal/core", + "version": "8.3.1", + "version_normalized": "8.3.1.0", + "source": { + "type": "git", + "url": "https://github.com/drupal-composer/drupal-core.git", + "reference": "53326f9503e5e9e406fab22e4fbae6ddb706f7be" + }, + "dist": { + "type": "zip", + "url": 
"https://api.github.com/repos/drupal-composer/drupal-core/zipball/53326f9503e5e9e406fab22e4fbae6ddb706f7be", + "reference": "53326f9503e5e9e406fab22e4fbae6ddb706f7be", "shasum": "" }, "require": { @@ -4462,7 +4520,7 @@ "symfony/browser-kit": ">=2.8.13 <3.0", "symfony/css-selector": "~2.8" }, - "time": "2017-04-06T00:12:44+00:00", + "time": "2017-04-19T16:07:22+00:00", "type": "drupal-core", "installation-source": "dist", "autoload": { @@ -4486,63 +4544,5 @@ "GPL-2.0+" ], "description": "Drupal is an open source content management platform powering millions of websites and applications." - }, - { - "name": "symfony/dom-crawler", - "version": "v3.0.9", - "version_normalized": "3.0.9.0", - "source": { - "type": "git", - "url": "https://github.com/symfony/dom-crawler.git", - "reference": "dff8fecf1f56990d88058e3a1885c2a5f1b8e970" - }, - "dist": { - "type": "zip", - "url": "https://api.github.com/repos/symfony/dom-crawler/zipball/dff8fecf1f56990d88058e3a1885c2a5f1b8e970", - "reference": "dff8fecf1f56990d88058e3a1885c2a5f1b8e970", - "shasum": "" - }, - "require": { - "php": ">=5.5.9", - "symfony/polyfill-mbstring": "~1.0" - }, - "require-dev": { - "symfony/css-selector": "~2.8|~3.0" - }, - "suggest": { - "symfony/css-selector": "" - }, - "time": "2016-07-30T07:22:48+00:00", - "type": "library", - "extra": { - "branch-alias": { - "dev-master": "3.0-dev" - } - }, - "installation-source": "dist", - "autoload": { - "psr-4": { - "Symfony\\Component\\DomCrawler\\": "" - }, - "exclude-from-classmap": [ - "/Tests/" - ] - }, - "notification-url": "https://packagist.org/downloads/", - "license": [ - "MIT" - ], - "authors": [ - { - "name": "Fabien Potencier", - "email": "fabien@symfony.com" - }, - { - "name": "Symfony Community", - "homepage": "https://symfony.com/contributors" - } - ], - "description": "Symfony DomCrawler Component", - "homepage": "https://symfony.com" } ]