Merge branch 'develop'

www7/includes/bootstrap.inc

@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.42');
+define('VERSION', '7.43');
 
 /**
  * Core API compatibility.

www7/includes/common.inc

@@ -688,6 +688,13 @@ function drupal_goto($path = '', array $options = array(), $http_response_code =
     $options['fragment'] = $destination['fragment'];
   }
 
+  // In some cases modules call drupal_goto(current_path()). We need to ensure
+  // that such a redirect is not to an external URL.
+  if ($path === current_path() && empty($options['external']) && url_is_external($path)) {
+    // Force url() to generate a non-external URL.
+    $options['external'] = FALSE;
+  }
+
   drupal_alter('drupal_goto', $path, $options, $http_response_code);
 
   // The 'Location' HTTP header must be absolute.
@@ -2220,20 +2227,8 @@ function url($path = NULL, array $options = array()) {
     'prefix' => ''
   );
 
-  // A duplicate of the code from url_is_external() to avoid needing another
-  // function call, since performance inside url() is critical.
   if (!isset($options['external'])) {
-    // Return an external link if $path contains an allowed absolute URL. Avoid
-    // calling drupal_strip_dangerous_protocols() if there is any slash (/),
-    // hash (#) or question_mark (?) before the colon (:) occurrence - if any -
-    // as this would clearly mean it is not a URL. If the path starts with 2
-    // slashes then it is always considered an external URL without an explicit
-    // protocol part.
-    $colonpos = strpos($path, ':');
-    $options['external'] = (strpos($path, '//') === 0)
-      || ($colonpos !== FALSE
-        && !preg_match('![/?#]!', substr($path, 0, $colonpos))
-        && drupal_strip_dangerous_protocols($path) == $path);
+    $options['external'] = url_is_external($path);
   }
 
   // Preserve the original path before altering or aliasing.
@@ -2353,12 +2348,18 @@ function url($path = NULL, array $options = array()) {
  */
 function url_is_external($path) {
   $colonpos = strpos($path, ':');
-  // Avoid calling drupal_strip_dangerous_protocols() if there is any slash (/),
-  // hash (#) or question_mark (?) before the colon (:) occurrence - if any - as
-  // this would clearly mean it is not a URL. If the path starts with 2 slashes
-  // then it is always considered an external URL without an explicit protocol
-  // part.
+  // Some browsers treat \ as / so normalize to forward slashes.
+  $path = str_replace('\\', '/', $path);
+  // If the path starts with 2 slashes then it is always considered an external
+  // URL without an explicit protocol part.
   return (strpos($path, '//') === 0)
+    // Leading control characters may be ignored or mishandled by browsers, so
+    // assume such a path may lead to an external location. The \p{C} character
+    // class matches all UTF-8 control, unassigned, and private characters.
+    || (preg_match('/^\p{C}/u', $path) !== 0)
+    // Avoid calling drupal_strip_dangerous_protocols() if there is any slash
+    // (/), hash (#) or question_mark (?) before the colon (:) occurrence - if
+    // any - as this would clearly mean it is not a URL.
     || ($colonpos !== FALSE
       && !preg_match('![/?#]!', substr($path, 0, $colonpos))
       && drupal_strip_dangerous_protocols($path) == $path);

www7/includes/path.inc

@@ -347,7 +347,8 @@ function drupal_match_path($path, $patterns) {
  * drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL) makes this function available.
  *
  * @return
- *   The current Drupal URL path.
+ *   The current Drupal URL path. The path is untrusted user input and must be
+ *   treated as such.
  *
  * @see request_path()
  */

www7/includes/xmlrpcs.inc

@@ -264,6 +264,10 @@ function xmlrpc_server_call($xmlrpc_server, $methodname, $args) {
  */
 function xmlrpc_server_multicall($methodcalls) {
   // See http://www.xmlrpc.com/discuss/msgReader$1208
+  // To avoid multicall expansion attacks, limit the number of duplicate method
+  // calls allowed with a default of 1. Set to -1 for unlimited.
+  $duplicate_method_limit = variable_get('xmlrpc_multicall_duplicate_method_limit', 1);
+  $method_count = array();
   $return = array();
   $xmlrpc_server = xmlrpc_server_get();
   foreach ($methodcalls as $call) {
@@ -273,10 +277,14 @@ function xmlrpc_server_multicall($methodcalls) {
       $ok = FALSE;
     }
     $method = $call['methodName'];
+    $method_count[$method] = isset($method_count[$method]) ? $method_count[$method] + 1 : 1;
     $params = $call['params'];
     if ($method == 'system.multicall') {
       $result = xmlrpc_error(-32600, t('Recursive calls to system.multicall are forbidden.'));
     }
+    elseif ($duplicate_method_limit > 0 && $method_count[$method] > $duplicate_method_limit) {
+      $result = xmlrpc_error(-156579, t('Too many duplicate method calls in system.multicall.'));
+    }
     elseif ($ok) {
       $result = xmlrpc_server_call($xmlrpc_server, $method, $params);
     }

www7/modules/aggregator/aggregator.info

@@ -7,8 +7,8 @@ files[] = aggregator.test
 configure = admin/config/services/aggregator/settings
 stylesheets[all][] = aggregator.css
 
-; Information added by Drupal.org packaging script on 2016-02-03
-version = "7.42"
+; Information added by Drupal.org packaging script on 2016-02-24
+version = "7.43"
 project = "drupal"
-datestamp = "1454517955"
+datestamp = "1456343506"
 

www7/modules/aggregator/tests/aggregator_test.info

@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2016-02-03
-version = "7.42"
+; Information added by Drupal.org packaging script on 2016-02-24
+version = "7.43"
 project = "drupal"
-datestamp = "1454517955"
+datestamp = "1456343506"
 

www7/modules/block/block.info

@@ -6,8 +6,8 @@ core = 7.x
 files[] = block.test
 configure = admin/structure/block
 
-; Information added by Drupal.org packaging script on 2016-02-03
-version = "7.42"
+; Information added by Drupal.org packaging script on 2016-02-24
+version = "7.43"
 project = "drupal"
-datestamp = "1454517955"
+datestamp = "1456343506"
 

www7/modules/block/tests/block_test.info

@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2016-02-03
-version = "7.42"
+; Information added by Drupal.org packaging script on 2016-02-24
+version = "7.43"
 project = "drupal"
-datestamp = "1454517955"
+datestamp = "1456343506"
 

www7/modules/block/tests/themes/block_test_theme/block_test_theme.info

@@ -13,8 +13,8 @@ regions[footer] = Footer
 regions[highlighted] = Highlighted
 regions[help] = Help
 
-; Information added by Drupal.org packaging script on 2016-02-03
-version = "7.42"
+; Information added by Drupal.org packaging script on 2016-02-24
+version = "7.43"
 project = "drupal"
-datestamp = "1454517955"
+datestamp = "1456343506"
 

www7/modules/blog/blog.info

@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 files[] = blog.test
 
-; Information added by Drupal.org packaging script on 2016-02-03
-version = "7.42"
+; Information added by Drupal.org packaging script on 2016-02-24
+version = "7.43"
 project = "drupal"
-datestamp = "1454517955"
+datestamp = "1456343506"
 

www7/modules/book/book.info

@@ -7,8 +7,8 @@ files[] = book.test
 configure = admin/content/book/settings
 stylesheets[all][] = book.css
 
-; Information added by Drupal.org packaging script on 2016-02-03
-version = "7.42"
+; Information added by Drupal.org packaging script on 2016-02-24
+version = "7.43"
 project = "drupal"
-datestamp = "1454517955"
+datestamp = "1456343506"
 

www7/modules/color/color.info

@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 files[] = color.test
 
-; Information added by Drupal.org packaging script on 2016-02-03
-version = "7.42"
+; Information added by Drupal.org packaging script on 2016-02-24
+version = "7.43"
 project = "drupal"
-datestamp = "1454517955"
+datestamp = "1456343506"
 

www7/modules/comment/comment.info

@@ -9,8 +9,8 @@ files[] = comment.test
 configure = admin/content/comment
 stylesheets[all][] = comment.css
 
-; Information added by Drupal.org packaging script on 2016-02-03
-version = "7.42"
+; Information added by Drupal.org packaging script on 2016-02-24
+version = "7.43"
 project = "drupal"
-datestamp = "1454517955"
+datestamp = "1456343506"
 

www7/modules/contact/contact.info

@@ -6,8 +6,8 @@ core = 7.x
 files[] = contact.test
 configure = admin/structure/contact
 
-; Information added by Drupal.org packaging script on 2016-02-03
-version = "7.42"
+; Information added by Drupal.org packaging script on 2016-02-24
+version = "7.43"
 project = "drupal"
-datestamp = "1454517955"
+datestamp = "1456343506"
 

www7/modules/contextual/contextual.info

@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 files[] = contextual.test
 
-; Information added by Drupal.org packaging script on 2016-02-03
-version = "7.42"
+; Information added by Drupal.org packaging script on 2016-02-24
+version = "7.43"
 project = "drupal"
-datestamp = "1454517955"
+datestamp = "1456343506"
 

www7/modules/dashboard/dashboard.info

@@ -7,8 +7,8 @@ files[] = dashboard.test
 dependencies[] = block
 configure = admin/dashboard/customize
 
-; Information added by Drupal.org packaging script on 2016-02-03
-version = "7.42"
+; Information added by Drupal.org packaging script on 2016-02-24
+version = "7.43"
 project = "drupal"
-datestamp = "1454517955"
+datestamp = "1456343506"
 

www7/modules/dblog/dblog.info

@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 files[] = dblog.test
 
-; Information added by Drupal.org packaging script on 2016-02-03
-version = "7.42"
+; Information added by Drupal.org packaging script on 2016-02-24
+version = "7.43"
 project = "drupal"
-datestamp = "1454517955"
+datestamp = "1456343506"
 

www7/modules/field/field.info

@@ -11,8 +11,8 @@ dependencies[] = field_sql_storage
 required = TRUE
 stylesheets[all][] = theme/field.css
 
-; Information added by Drupal.org packaging script on 2016-02-03
-version = "7.42"
+; Information added by Drupal.org packaging script on 2016-02-24
+version = "7.43"
 project = "drupal"
-datestamp = "1454517955"
+datestamp = "1456343506"
 

www7/modules/field/modules/field_sql_storage/field_sql_storage.info

@@ -7,8 +7,8 @@ dependencies[] = field
 files[] = field_sql_storage.test
 required = TRUE
 
-; Information added by Drupal.org packaging script on 2016-02-03
-version = "7.42"
+; Information added by Drupal.org packaging script on 2016-02-24
+version = "7.43"
 project = "drupal"
-datestamp = "1454517955"
+datestamp = "1456343506"
 

www7/modules/field/modules/list/list.info

@@ -7,8 +7,8 @@ dependencies[] = field
 dependencies[] = options
 files[] = tests/list.test
 
-; Information added by Drupal.org packaging script on 2016-02-03
-version = "7.42"
+; Information added by Drupal.org packaging script on 2016-02-24
+version = "7.43"
 project = "drupal"
-datestamp = "1454517955"
+datestamp = "1456343506"
 

www7/modules/field/modules/list/tests/list_test.info

@@ -5,8 +5,8 @@ package = Testing
 version = VERSION
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2016-02-03
-version = "7.42"
+; Information added by Drupal.org packaging script on 2016-02-24
+version = "7.43"
 project = "drupal"
-datestamp = "1454517955"
+datestamp = "1456343506"
 

www7/modules/field/modules/number/number.info

@@ -6,8 +6,8 @@ core = 7.x
 dependencies[] = field
 files[] = number.test
 
-; Information added by Drupal.org packaging script on 2016-02-03
-version = "7.42"
+; Information added by Drupal.org packaging script on 2016-02-24
+version = "7.43"
 project = "drupal"
-datestamp = "1454517955"
+datestamp = "1456343506"
 

www7/modules/field/modules/options/options.info

@@ -6,8 +6,8 @@ core = 7.x
 dependencies[] = field
 files[] = options.test
 
-; Information added by Drupal.org packaging script on 2016-02-03
-version = "7.42"
+; Information added by Drupal.org packaging script on 2016-02-24
+version = "7.43"
 project = "drupal"
-datestamp = "1454517955"
+datestamp = "1456343506"
 

www7/modules/field/modules/text/text.info

@@ -7,8 +7,8 @@ dependencies[] = field
 files[] = text.test
 required = TRUE
 
-; Information added by Drupal.org packaging script on 2016-02-03
-version = "7.42"
+; Information added by Drupal.org packaging script on 2016-02-24
+version = "7.43"
 project = "drupal"
-datestamp = "1454517955"
+datestamp = "1456343506"
 

www7/modules/field/tests/field_test.info

@@ -6,8 +6,8 @@ files[] = field_test.entity.inc
 version = VERSION
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2016-02-03
-version = "7.42"
+; Information added by Drupal.org packaging script on 2016-02-24
+version = "7.43"
 project = "drupal"
-datestamp = "1454517955"
+datestamp = "1456343506"
 

www7/modules/field_ui/field_ui.info

@@ -6,8 +6,8 @@ core = 7.x
 dependencies[] = field
 files[] = field_ui.test
 
-; Information added by Drupal.org packaging script on 2016-02-03
-version = "7.42"
+; Information added by Drupal.org packaging script on 2016-02-24
+version = "7.43"
 project = "drupal"
-datestamp = "1454517955"
+datestamp = "1456343506"
 

www7/modules/file/file.info

@@ -6,8 +6,8 @@ core = 7.x
 dependencies[] = field
 files[] = tests/file.test
 
-; Information added by Drupal.org packaging script on 2016-02-03
-version = "7.42"
+; Information added by Drupal.org packaging script on 2016-02-24
+version = "7.43"
 project = "drupal"
-datestamp = "1454517955"
+datestamp = "1456343506"