Channel: Issues for Drupal core
Log completely unusable when an entry has corrupt serialized data (D7)

If an entry in the dblog has corrupt serialized data, the dblog page (/admin/reports/dblog) will throw an exception and will not load.

If unserialize fails, then a boolean is sent to t() leading to a fatal exception.
$output = t($event->message, unserialize($event->variables));
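
One way to keep the log page rendering when a row is corrupt, as an added example (not Drupal core code and not a patch from this issue). It assumes PHP 7.2 or later; `example_format()` is a hypothetical stand-in for t(), and the sample rows are constructed:

```php
<?php
// Added illustration, not Drupal core code. All example_* names are hypothetical.

/** Stand-in for t(): plain placeholder substitution; requires an array. */
function example_format(string $message, array $variables): string {
  // Keep scalar values only so a nested array or object cannot break strtr().
  return strtr($message, array_map('strval', array_filter($variables, 'is_scalar')));
}

/** Renders one log row; a corrupt 'variables' column must not abort the page. */
function example_render_log_message(object $event): string {
  // allowed_classes => false: stored log variables never need objects
  // instantiated, which also closes off object injection (PHP 7.0+).
  $variables = @unserialize($event->variables, ['allowed_classes' => false]);
  if ($variables === null) {
    // Serialized NULL ('N;'): the message has no placeholders.
    return $event->message;
  }
  if (!is_array($variables)) {
    // FALSE (corrupt or truncated data) or any other non-array value.
    return $event->message . ' [log variables unreadable]';
  }
  return example_format($event->message, $variables);
}

// Constructed sample rows: intact, truncated, and placeholder-free.
$intact = serialize(['%type' => 'php', '@count' => 3]);
$rows = [
  (object) ['message' => '%type: @count errors', 'variables' => $intact],
  (object) ['message' => '%type: @count errors', 'variables' => substr($intact, 0, 20)],
  (object) ['message' => 'Cron run completed.', 'variables' => 'N;'],
];
foreach ($rows as $row) {
  echo example_render_log_message($row), "\n";
}
```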


Warning: gzinflate(): data error in drupal_serve_page_from_cache() (line 1617 of /includes/bootstrap.inc).

Problem/Motivation

For Drupal web services returning an empty page body with HTTP headers, a PHP warning is triggered on every request: Warning: gzinflate(): data error in drupal_serve_page_from_cache() (line 1637 of includes/bootstrap.inc).

Proposed resolution

The body is only gzipped in drupal_page_set_cache() if it is not empty, so do not attempt to gunzip the cache body when the body is empty.

Remaining tasks

The patch needs review(s).

User interface changes

No UI change.

API changes

No API change; this is only a bug fix.

Data model changes

No data model changes.

Url class generates duplicate query arguments in some situations

Generating a URL with query string parameters that are numeric results in duplicated items in the query string.

Add the following code to a THEMENAME_preprocess_node() function:

  $query['foo'][] = 'bar';
  $query['foo'][] = 'baz';
  $url = Url::fromUri('https://google.com', ['query' => $query]);
  $variables['test'] = [
      '#type' => 'link',
      '#title' => 'foo',
    ] + $url->toRenderArray();

And the following to your theme's node.html.twig file:

Test link is {{ test }}.

The result is:

https://google.com/?foo[0]=bar&foo[1]=baz&foo[2]=bar&foo[3]=baz

PHP 7.4 notice for /modules/system/system.admin.inc

Problem/Motivation

Notice: Trying to access array offset on value of type bool in system_modules() (line 889 of /modules/system/system.admin.inc).

Drupal 7.73
Nginx 1.19.4
PHP 7.4.11

Available Twig tokens in Header, Footer, No results behavior not displayed

When Use replacement tokens from the first row is selected in Configure Header: Global: Text area (or in Configure Footer or in Configure No results behavior since they appear to use the same code), the only available replacement tokens displayed are for the contextual filter defined for the view.

The replacement tokens from the fields defined in that view are not displayed as available tokens, although if you copy a token shown from the rewrite results of the last field, it does appear to work. So the issue is with the list of available tokens displayed in the Configure Header modal.

As an aside, is there a reason why global tokens are enclosed in square brackets, like [view:title], while field replacement tokens are displayed using Twig syntax, like {{ title }}?

Hide the "Only For Testing" package by default on the modules admin page

Problem/Motivation

There are a couple of test modules in D7 that cannot be hidden.

Some were added in #3255068: [D7 PHP 8.1] system_modules(): Deprecated function: str_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated and another will probably be added in #3182785: PHP 7.4 notice for /modules/system/system.admin.inc.

These test modules show up in the modules admin UI but normal sites will never need to enable them.

Steps to reproduce

Look at the modules admin page at /admin/modules and note the Testing fieldset.

Proposed resolution

Collapse the Testing package fieldset by default to hide the test modules.

Remaining tasks

Patch etc..

User interface changes

The Testing package fieldset will be collapsed by default on the modules admin page.

API changes

None.

Data model changes

None.

Release notes snippet

This probably doesn't need a CR?

Backport Make core aware of Nginx and PHP-FPM to D7

D7 backport: Fix htaccess files for PHP 8


Change the method Drupal\Core\DrupalKernel::handle() to make it work for the Swoole module

Problem/Motivation

The method Drupal\Core\DrupalKernel::handle() does more than only handle the user request. When Drupal is run with Apache or Nginx this is not a problem. The Swoole module boots Drupal core, keeps it in memory and then feeds it requests at supersonic speeds. The more that is preloaded, the less that has to be done when the user request is to be executed. The Swoole module requires that the site_path is set in advance. The Swoole module wants to skip calling: static::bootEnvironment();, $this->initializeSettings($request); and $this->boot(); on every user request. It is just not needed and slows down the handling of a user request. The problem is that the Swoole module now needs to call the method Drupal\Core\DrupalKernel::handleException() directly and the method is protected.

Proposed resolution

Change the method Drupal\Core\DrupalKernel::handle() to make it work with the Swoole module.

Remaining tasks

TBD

User interface changes

None

API changes

See proposed solution.

Data model changes

None

Release notes snippet

TBD

Cron CSRF vulnerability

Note: this issue has been reviewed by the Drupal security team and it was decided that this can be handled as public security improvement.

Problem/Motivation

In Drupal 7 and 8, cron is vulnerable to CSRF attacks. Cron doesn't have CSRF protection, so sites can be affected via GET requests and no tokens are checked.

Mitigation

The vulnerability may be mitigated because running cron is a task generally considered safe. Protecting cron runs was considered more of a hardening issue than an actual security fix.
However, depending on the type of the CSRF attack (and the site) this could lead to a Denial of Service attack.

Proposed resolution

Use CSRF token protection or add a confirmation form to cron.

Beta phase evaluation

Reference: https://www.drupal.org/core/beta-changes
Issue category: Bug because it exposes cron to CSRF vulnerability.
Issue priority: Major because, although it is a security improvement, protecting cron runs was considered more of a hardening issue than an actual security fix.
Prioritized changes: The main goal of this issue is security improvement, and therefore a prioritized change.
Disruption: None.
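
The token option from the proposed resolution, as an added example (not Drupal core code and not the patch for this issue). It assumes PHP 7.1 or later; every function name, the `run-cron` action string and the sample key and session values are hypothetical or constructed:

```php
<?php
// Added illustration, not Drupal core code. All names here are hypothetical.

/** Derives a token bound to the user's session and to one action. */
function example_csrf_token(string $private_key, string $session_id, string $action): string {
  // The HMAC cannot be forged without the site's private key.
  $mac = hash_hmac('sha256', $action, $session_id . $private_key, true);
  return rtrim(strtr(base64_encode($mac), '+/', '-_'), '=');
}

/**
 * Decides whether a manual cron request may run.
 *
 * @return int HTTP status: 200 to run cron, 403 to reject.
 */
function example_run_cron_request(array $query, string $private_key, string $session_id): int {
  $supplied = $query['token'] ?? '';
  if (!is_string($supplied) || $supplied === '') {
    // A bare GET, which is all a cross-site request can send, stops here.
    return 403;
  }
  $expected = example_csrf_token($private_key, $session_id, 'run-cron');
  // hash_equals() compares in constant time.
  if (!hash_equals($expected, $supplied)) {
    return 403;
  }
  // The real cron run would be triggered here.
  return 200;
}

// Constructed sample values.
$key = 'constructed-site-private-key';
$admin_session = 'constructed-admin-session-id';
$other_session = 'constructed-other-session-id';

$cases = [
  'request without token' => [],
  'request with guessed token' => ['token' => 'AAAA'],
  'token minted for another session' => ['token' => example_csrf_token($key, $other_session, 'run-cron')],
  'link rendered for this admin' => ['token' => example_csrf_token($key, $admin_session, 'run-cron')],
];
foreach ($cases as $label => $query) {
  printf("%-34s -> %d\n", $label, example_run_cron_request($query, $key, $admin_session));
}
```

Only the last case returns 200, because the token is derived from the session the request arrives on.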

Backport DatabaseSchema_pgsql::queryTableInformation() improvements

Problem/Motivation

Improve pgsql driver performance with optimizations from #1079762: DatabaseSchema_pgsql::queryTableInformation() is slow. See the parent issue for more details.

Proposed resolution

Bring in the improvements and changes from Drupal 8 which include:

  • Temporary table fix
  • Change from information_schema to custom query

Remaining tasks

  • Write patch - DONE
  • Review patch

User interface changes

None

API changes

A protected method is added, but this is backwards-compatible with the driver class.

Data model changes

None.

Editing a comment still changes creation date

Whenever a comment is edited, the "created" timestamp still gets changed in two ways:

a) admin edit
While #1005004: Editing a comment destroys its creation date makes sure it isn't completely overwritten, it still gets rounded down to the full minute.
This is because the "Authored on" field in the Admin section only takes H:i (hh:mm), and this value gets saved to the record, whether it has been changed or not. This won't be a big thing in most cases, but we never know - it's simply not correct.
Probably the "Authored on" field should take H:i:s (hh:mm:ss), which seems the cleanest way and is consistent with the node edit form.

b) user edit
The second part of #714958: Comment timestamp lost when edited by administrator wasn't fixed either:

When a non-admin edits a comment, the "created" date is always set to now.

For non-admins the "Administration" section stays hidden. However, the "Authored on" field is fed with an empty string, which upon saving is automatically replaced by now().
Instead, the created date should be given, if existing (it obviously doesn't exist for new, unsaved comments).

EDIT (@diqidoq): fixed for D8, but not for D7, please read comments #97/#98 why this issue isn't fixed yet. Any thoughts on this are much appreciated.

Replace REQUEST_TIME in plugins and classes with direct container access

Problem/Motivation

core/modules/aggregator/src/Controller/AggregatorController.php
core/modules/content_translation/src/Controller/ContentTranslationController.php
core/modules/toolbar/src/Controller/ToolbarController.php
core/modules/user/src/Controller/UserController.php
core/modules/comment/src/CommentForm.php
core/modules/migrate_drupal_ui/src/Form/ReviewForm.php
core/modules/locale/src/Form/TranslationStatusForm.php
core/modules/system/src/Form/DateFormatDeleteForm.php
core/modules/system/src/Form/DateFormatEditForm.php
core/modules/views/src/Plugin/views/argument/Date.php
core/modules/views/src/Plugin/views/cache/Time.php
core/modules/views/src/Plugin/views/field/Date.php
core/modules/history/src/Plugin/views/filter/HistoryUserTimestamp.php
core/modules/aggregator/src/Plugin/aggregator/processor/DefaultProcessor.php
core/modules/aggregator/src/FeedStorage.php
core/modules/content_translation/src/ContentTranslationHandler.php
core/modules/system/src/DateFormatListBuilder.php

Proposed resolution

Basic recipe

- add use
- add protected variable
- update constructor w/ BC
- update create
- replaces usages w/ $this->time->getRequestTime()

Eg,

diff --git a/core/modules/aggregator/src/Controller/AggregatorController.php b/core/modules/aggregator/src/Controller/AggregatorController.php
index 5beb15441c..44b05f2748 100644
--- a/core/modules/aggregator/src/Controller/AggregatorController.php
+++ b/core/modules/aggregator/src/Controller/AggregatorController.php
@@ -2,6 +2,7 @@
 
 namespace Drupal\aggregator\Controller;
 
+use Drupal\Component\Datetime\TimeInterface;
 use Drupal\Component\Utility\Xss;
 use Drupal\Core\Controller\ControllerBase;
 use Drupal\Core\Datetime\DateFormatterInterface;
@@ -21,14 +22,24 @@ class AggregatorController extends ControllerBase {
    */
   protected $dateFormatter;
 
+  /**
+   * The time service.
+   *
+   * @var \Drupal\Component\Datetime\TimeInterface
+   */
+  protected $time;
+
   /**
    * Constructs a \Drupal\aggregator\Controller\AggregatorController object.
    *
    * @param \Drupal\Core\Datetime\DateFormatterInterface $date_formatter
    *   The date formatter service.
+   * @param \Drupal\Component\Datetime\TimeInterface $time
+   *   The time service.
    */
-  public function __construct(DateFormatterInterface $date_formatter) {
+  public function __construct(DateFormatterInterface $date_formatter, TimeInterface $time = NULL) {
     $this->dateFormatter = $date_formatter;
+    $this->time = $time ?: \Drupal::service('datetime.time');
   }
 
   /**
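Review bot: In the constructor, `TimeInterface $time = NULL` falls back to \Drupal::service('datetime.time') silently, so subclasses and callers that still pass a single argument never learn that they need updating. Consider triggering a deprecation notice when $time is NULL, and document the parameter as \Drupal\Component\Datetime\TimeInterface|null since NULL is accepted.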
@@ -36,7 +47,8 @@ public function __construct(DateFormatterInterface $date_formatter) {
    */
   public static function create(ContainerInterface $container) {
     return new static(
-      $container->get('date.formatter')
+      $container->get('date.formatter'),
+      $container->get('datetime.time')
     );
   }
 
@@ -120,12 +132,12 @@ public function adminOverview() {
       $last_checked = $feed->getLastCheckedTime();
       $refresh_rate = $feed->getRefreshRate();
 
-      $row[] = ($last_checked ? $this->t('@time ago', ['@time' => $this->dateFormatter->formatInterval(REQUEST_TIME - $last_checked)]) : $this->t('never'));
+      $row[] = ($last_checked ? $this->t('@time ago', ['@time' => $this->dateFormatter->formatInterval($this->time->getRequestTime() - $last_checked)]) : $this->t('never'));
       if (!$last_checked && $refresh_rate) {
         $next_update = $this->t('imminently');
       }
       elseif ($last_checked && $refresh_rate) {
-        $next_update = $next = $this->t('%time left', ['%time' => $this->dateFormatter->formatInterval($last_checked + $refresh_rate - REQUEST_TIME)]);
+        $next_update = $next = $this->t('%time left', ['%time' => $this->dateFormatter->formatInterval($last_checked + $refresh_rate - $this->time->getRequestTime())]);
       }
       else {
         $next_update = $this->t('never');
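Review bot: In adminOverview(), the two changed lines each call $this->time->getRequestTime() separately; reading it once into a local variable and using that for both the '@time ago' and '%time left' intervals would keep the two calculations on one value and shorten these already long lines. The `$next_update = $next = ...` double assignment carried over on the second changed line also looks unintended; if $next is not used elsewhere, drop it while touching this line.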

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Move views-element-container to twig template

Problem/Motivation

Views module is adding an extra <div> element for no apparent reason when rendering a view block or EVA attachment. As if having the wrapper from both the block and views-view templates wasn't enough, there is a third coming through via the Views element pre-render callback, which sets #theme_wrappers container.

<?php
  if (empty($view->display_handler->getPluginDefinition()['returns_response'])) {
    $element['#attributes']['class'][] = 'views-element-container';
    $element['#theme_wrappers'] = array('container');
  }

<div class="block block-blah-blah">
  <div class="views-element-container">
    <div class="view view-name blah-blah">
      ...
    </div>
  </div>
</div>

Proposed resolution

Remove it:

<div class="block block-blah-blah">
  <div class="view view-name blah-blah">
    ...
  </div> 
</div>

Remaining tasks

TBD

User interface changes

None.

API changes

None.

Data model changes

None.

Database::tableExists optimization for PostgreSQL

Database::tableExists appears to be called repeatedly during normal use of a Drupal site. In PostgreSQL, this is implemented by querying the information_schema.tables view, which in our PostgreSQL 9.2 environment completes in the low-single-digit milliseconds; e.g.:

LOG:  duration: 5.150 ms  statement: SELECT 1 FROM information_schema.tables WHERE (table_catalog = 'drupal') AND  (table_schema = 'public') AND (table_name = 'node');

An equivalent query using the pg_tables view (see attached schema.inc.patch) is typically several times faster, however:

LOG:  duration: 0.966 ms  statement: SELECT 1 FROM pg_tables WHERE  (schemaname = 'public') AND (tablename = 'node');

(Note that in PostgreSQL, the information_schema.tables view essentially defines table_catalog as current_database(), so it should be unnecessary to specify it.)

While several milliseconds would normally be unnoticeable to a user, I recently encountered a case where the performance of Database::tableExists significantly impacted the performance of the Tripal module during an operation where Drupal nodes are created for records in an external Chado schema. During this operation, which can take hours depending on the number of records in the Chado schema, roughly a third of the total run time was spent in Database::tableExists.

There is precedent for this optimization: the MySQL version of Database::tableExists has been overridden as well to bypass MySQL's relatively-slow information_schema.


fopen() error in stream_wrappers.inc on PHP 8

Problem/Motivation

Upon updating to PHP 8, the site started throwing an error on line 408. I'm sure this is related to PHP 8 not being very happy about potential null values. The following change stopped the error.

diff --git a/docroot/includes/stream_wrappers.inc b/docroot/includes/stream_wrappers.inc
index 31101674..f67ab42e 100644
--- a/docroot/includes/stream_wrappers.inc
+++ b/docroot/includes/stream_wrappers.inc
@@ -405,7 +405,11 @@ abstract class DrupalLocalStreamWrapper implements DrupalStreamWrapperInterface
   public function stream_open($uri, $mode, $options, &$opened_path) {
     $this->uri = $uri;
     $path = $this->getLocalPath();
-    $this->handle = ($options & STREAM_REPORT_ERRORS) ? fopen($path, $mode) : @fopen($path, $mode);
+    if ($path){
+      $this->handle = ($options & STREAM_REPORT_ERRORS) ? fopen($path, $mode) : @fopen($path, $mode);
+    } else {
+      return FALSE;
+    }
 
     if ((bool) $this->handle && $options & STREAM_USE_PATH) {
       $opened_path = $path;
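Review bot: The new `if ($path){ ... } else { return FALSE; }` block in stream_open() fails silently even when STREAM_REPORT_ERRORS is set in $options, so a caller that asked for errors gets none when getLocalPath() returns an empty value. An early `if (!$path) { return FALSE; }` guard, optionally raising an error under STREAM_REPORT_ERRORS, would read more simply and remove the else branch. Note also that the truthiness test treats a path of '0' as missing, and `if ($path){` needs a space before the brace.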

Move QuickEditImageController from image to quickedit

Problem/Motivation

#3227033: [PP-3] Remove quickedit from core is trying to remove quickedit from core. Before we can do that, we need all of its parts moved under the quickedit module, instead of having integrations sprinkled throughout the rest of core. \Drupal\image\Controller\QuickEditImageController needs to move from image to quickedit and be refactored.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

image/quickedit.inPlaceEditor.image is deprecated and all usages have been removed. Any references to image/quickedit.inPlaceEditor.image need to be updated to reference quickedit/quickedit.inPlaceEditor.image.

[META] Make Drupal 7 core compatible with PHP 8.1

Disable Big Pipe cause 500 error

Hello,
On a D9.3.13 website, I can't disable the Big Pipe module without getting a 500 error on pages, and only when I'm connected. Anonymous users don't seem to be affected.

Are you aware of this?
What is the way to disable Big Pipe without getting this error? (Clearing the cache doesn't change anything.) The purpose is to verify whether Big Pipe plays well with lazy loading on Chrome.

Thanks

Query string duplications

Problem/Motivation

Checking D7 Link #2333119: Output broken when using array parameters in query on D8, there are some issues with array query parameters.

- '?a[]=0&b[]=0&b[]=1'
- '?a[0]=0&b[0]=0&b[1]=1',

When viewed, their links are rendered (URL encoding removed for readability) with duplicated content.

a[0]=0&a[1]=0&b[0]=0&b[1]=1&b[2]=0&b[3]=1

The title rendering is unreadable including for other tests (which is probably a different issue?)

- '?filter[a][b]=c',
- '?a[b[c]]=d',

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes
