Update Drupal core to 8.2.7

web/core/CHANGELOG.txt

@@ -1,3 +1,7 @@
+Drupal 8.2.7, 2017-03-15
+------------------------
+- Fixed security issues. See SA-CORE-2017-001.
+
 Drupal 8.2.3, 2016-11-16
 ------------------------
 - Fixed security issues. See SA-CORE-2016-005.

web/core/composer.json

@@ -40,7 +40,7 @@
         "jcalderonzumba/gastonjs": "~1.0.2",
         "jcalderonzumba/mink-phantomjs-driver": "~0.3.1",
         "mikey179/vfsStream": "~1.2",
-        "phpunit/phpunit": "~4.8",
+        "phpunit/phpunit": ">=4.8.28 <5",
         "symfony/css-selector": "~2.8"
     },
     "replace": {

web/core/lib/Drupal.php

@@ -81,7 +81,7 @@ class Drupal {
   /**
    * The current system version.
    */
-  const VERSION = '8.2.6';
+  const VERSION = '8.2.7';
 
   /**
    * Core API compatibility.

web/core/modules/editor/editor.module

@@ -519,8 +519,8 @@ function editor_file_download($uri) {
   if ($file->isPermanent()) {
     $referencing_entity_is_accessible = FALSE;
     $references = empty($usage_list['editor']) ? [] : $usage_list['editor'];
-    foreach ($references as $entity_type => $entity_ids) {
-      $referencing_entities = entity_load_multiple($entity_type, $entity_ids);
+    foreach ($references as $entity_type => $entity_ids_usage_count) {
+      $referencing_entities = entity_load_multiple($entity_type, array_keys($entity_ids_usage_count));
       /** @var \Drupal\Core\Entity\EntityInterface $referencing_entity */
       foreach ($referencing_entities as $referencing_entity) {
         if ($referencing_entity->access('view', NULL, TRUE)->isAllowed()) {

web/core/modules/editor/src/Tests/EditorPrivateFileReferenceFilterTest.php

@@ -68,9 +68,18 @@ class EditorPrivateFileReferenceFilterTest extends BrowserTestBase {
     $file->setPermanent();
     $file->save();
 
+    // Create some nodes to ensure file usage count does not match the ID's
+    // of the nodes we are going to check.
+    for ($i = 0; $i < 5; $i++) {
+      $this->drupalCreateNode([
+        'type' => 'page',
+        'uid' => $author->id(),
+      ]);
+    }
+
     // Create a node with its body field properly pointing to the just-created
     // file.
-    $node = $this->drupalCreateNode([
+    $published_node = $this->drupalCreateNode([
       'type' => 'page',
       'body' => [
         'value' => '<img alt="alt" data-entity-type="file" data-entity-uuid="' . $file->uuid() . '" src="' . $src . '" />',
@@ -79,19 +88,44 @@ class EditorPrivateFileReferenceFilterTest extends BrowserTestBase {
       'uid' => $author->id(),
     ]);
 
+    // Create an unpublished node with its body field properly pointing to the
+    // just-created file.
+    $unpublished_node = $this->drupalCreateNode([
+      'type' => 'page',
+      'status' => NODE_NOT_PUBLISHED,
+      'body' => [
+        'value' => '<img alt="alt" data-entity-type="file" data-entity-uuid="' . $file->uuid() . '" src="' . $src . '" />',
+        'format' => 'private_images',
+      ],
+      'uid' => $author->id(),
+    ]);
+
     // Do the actual test. The image should be visible for anonymous users,
-    // because they can view the referencing entity.
-    $this->drupalGet($node->toUrl());
+    // because they can view the published node. Even though they can't view
+    // the unpublished node.
+    $this->drupalGet($published_node->toUrl());
     $this->assertSession()->statusCodeEquals(200);
+    $this->drupalGet($unpublished_node->toUrl());
+    $this->assertSession()->statusCodeEquals(403);
     $this->drupalGet($src);
     $this->assertSession()->statusCodeEquals(200);
 
+    // When the published node is also unpublished, the image should also
+    // become inaccessible to anonymous users.
+    $published_node->setPublished(FALSE)->save();
+
+    $this->drupalGet($published_node->toUrl());
+    $this->assertSession()->statusCodeEquals(403);
+    $this->drupalGet($src);
+    $this->assertSession()->statusCodeEquals(403);
+
     // Disallow anonymous users to view the entity, which then should also
     // disallow them to view the image.
+    $published_node->setPublished(TRUE)->save();
     Role::load(RoleInterface::ANONYMOUS_ID)
       ->revokePermission('access content')
       ->save();
-    $this->drupalGet($node->toUrl());
+    $this->drupalGet($published_node->toUrl());
     $this->assertSession()->statusCodeEquals(403);
     $this->drupalGet($src);
     $this->assertSession()->statusCodeEquals(403);

web/core/modules/search/search.routing.yml

@@ -37,6 +37,7 @@ entity.search_page.enable:
     op: 'enable'
   requirements:
     _entity_access: 'search_page.update'
+    _csrf_token: 'TRUE'
 
 entity.search_page.disable:
   path: '/admin/config/search/pages/manage/{search_page}/disable'
@@ -45,6 +46,7 @@ entity.search_page.disable:
     op: 'disable'
   requirements:
     _entity_access: 'search_page.disable'
+    _csrf_token: 'TRUE'
 
 entity.search_page.set_default:
   path: '/admin/config/search/pages/manage/{search_page}/set-default'
@@ -52,6 +54,7 @@ entity.search_page.set_default:
     _controller: '\Drupal\search\Controller\SearchController::setAsDefault'
   requirements:
     _entity_access: 'search_page.update'
+    _csrf_token: 'TRUE'
 
 entity.search_page.delete_form:
   path: '/admin/config/search/pages/manage/{search_page}/delete'

web/core/modules/search/src/Form/SearchBlockForm.php

@@ -75,6 +75,16 @@ class SearchBlockForm extends FormBase {
   public function buildForm(array $form, FormStateInterface $form_state) {
     // Set up the form to submit using GET to the correct search page.
     $entity_id = $this->searchPageRepository->getDefaultSearchPage();
+
+    $form = [];
+
+    // SearchPageRepository::getDefaultSearchPage() depends on search.settings.
+    // The dependency needs to be added before the conditional return, otherwise
+    // the block would get cached without the necessary cacheablity metadata in
+    // case there is no default search page and would not be invalidated if that
+    // changes.
+    $this->renderer->addCacheableDependency($form, $this->configFactory->get('search.settings'));
+
     if (!$entity_id) {
       $form['message'] = array(
         '#markup' => $this->t('Search is currently disabled'),
@@ -103,9 +113,6 @@ class SearchBlockForm extends FormBase {
       '#name' => '',
     );
 
-    // SearchPageRepository::getDefaultSearchPage() depends on search.settings.
-    $this->renderer->addCacheableDependency($form, $this->configFactory->get('search.settings'));
-
     return $form;
   }
 

web/core/modules/search/src/Tests/SearchConfigSettingsFormTest.php

@@ -154,8 +154,7 @@ class SearchConfigSettingsFormTest extends SearchTestBase {
 
     // Test each plugin if it's enabled as the only search plugin.
     foreach ($entities as $entity_id => $entity) {
-      // Set this as default.
-      $this->drupalGet("admin/config/search/pages/manage/$entity_id/set-default");
+      $this->setDefaultThroughUi($entity_id);
 
       // Run a search from the correct search URL.
       $info = $plugin_info[$entity_id];
@@ -187,13 +186,16 @@ class SearchConfigSettingsFormTest extends SearchTestBase {
       $entity->disable()->save();
     }
 
+    // Set the node search as default.
+    $this->setDefaultThroughUi('node_search');
+
     // Test with all search plugins enabled. When you go to the search
     // page or run search, all plugins should be shown.
     foreach ($entities as $entity) {
       $entity->enable()->save();
     }
-    // Set the node search as default.
-    $this->drupalGet('admin/config/search/pages/manage/node_search/set-default');
+
+    \Drupal::service('router.builder')->rebuild();
 
     $paths = array(
       array('path' => 'search/node', 'options' => array('query' => array('keys' => 'pizza'))),
@@ -316,6 +318,19 @@ class SearchConfigSettingsFormTest extends SearchTestBase {
     $this->verifySearchPageOperations($first_id, FALSE, FALSE, FALSE, FALSE);
   }
 
+  /**
+   * Tests that the enable/disable/default routes are protected from CSRF.
+   */
+  public function testRouteProtection() {
+    // Ensure that the enable and disable routes are protected.
+    $this->drupalGet('admin/config/search/pages/manage/node_search/enable');
+    $this->assertResponse(403);
+    $this->drupalGet('admin/config/search/pages/manage/node_search/disable');
+    $this->assertResponse(403);
+    $this->drupalGet('admin/config/search/pages/manage/node_search/set-default');
+    $this->assertResponse(403);
+  }
+
   /**
    * Checks that the search page operations match expectations.
    *
@@ -373,4 +388,17 @@ class SearchConfigSettingsFormTest extends SearchTestBase {
     $this->assertIdentical($search_page_repository->getDefaultSearchPage(), $expected, $message, $group);
   }
 
+  /**
+   * Sets a search page as the default in the UI.
+   *
+   * @param string $entity_id
+   *   The search page entity ID to enable.
+   */
+  protected function setDefaultThroughUi($entity_id) {
+    $this->drupalGet('admin/config/search/pages');
+    preg_match('|href="([^"]+' . $entity_id . '/set-default[^"]+)"|', $this->getRawContent(), $matches);
+
+    $this->drupalGet($this->getAbsoluteUrl($matches[1]));
+  }
+
 }

web/core/modules/simpletest/src/WebTestBase.php

@@ -1301,7 +1301,7 @@ abstract class WebTestBase extends TestBase {
     }
 
     if ($path instanceof Url) {
-      $path = $path->toString();
+      $path = $path->setAbsolute()->toString(TRUE)->getGeneratedUrl();
     }
 
     $verbose = 'GET request to: ' . $path .
@@ -2588,7 +2588,7 @@ abstract class WebTestBase extends TestBase {
       $url_options = $path->getOptions();
       $options = $url_options + $options;
       $path->setOptions($options);
-      return $path->setAbsolute()->toString();
+      return $path->setAbsolute()->toString(TRUE)->getGeneratedUrl();
     }
     // The URL generator service is not necessarily available yet; e.g., in
     // interactive installer tests.