From 441c49c36856c9af1451463efb5c8bcdbf1f4a7f Mon Sep 17 00:00:00 2001
From: Dave Long
Date: Tue, 18 Feb 2025 22:40:55 +0000
Subject: [PATCH 1/4] SA-CORE-2025-001 by larsdesigns, bdanin, nuwans, dgroene, arkepp, juanramonperez, svendecabooter, wgunn_e, mcdruid, catch

---
 core/lib/Drupal/Core/DrupalKernel.php | 1 +
 .../DefaultExceptionHtmlSubscriber.php | 15 ++++-----------
 .../ExceptionLoggingSubscriberTest.php | 5 +----
 3 files changed, 6 insertions(+), 15 deletions(-)

diff --git a/core/lib/Drupal/Core/DrupalKernel.php b/core/lib/Drupal/Core/DrupalKernel.php
index 9978040a588..99b26c0e544 100644
--- a/core/lib/Drupal/Core/DrupalKernel.php
+++ b/core/lib/Drupal/Core/DrupalKernel.php
@@ -779,6 +779,7 @@ class DrupalKernel implements DrupalKernelInterface, TerminableInterface {
 if ($e instanceof HttpExceptionInterface) {
 $response = new Response($e->getMessage(), $e->getStatusCode());
 $response->headers->add($e->getHeaders());
+ $response->headers->set('Content-Type', 'text/plain');
 return $response;
 }
 
diff --git a/core/lib/Drupal/Core/EventSubscriber/DefaultExceptionHtmlSubscriber.php b/core/lib/Drupal/Core/EventSubscriber/DefaultExceptionHtmlSubscriber.php
index 4642d434fcf..67ab669bade 100644
--- a/core/lib/Drupal/Core/EventSubscriber/DefaultExceptionHtmlSubscriber.php
+++ b/core/lib/Drupal/Core/EventSubscriber/DefaultExceptionHtmlSubscriber.php
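Review bot: The added `Content-Type` line is placed after `$response->headers->add($e->getHeaders())` so that it wins over any Content-Type carried in the exception's own headers, but nothing records that the order matters, and a later tidy-up that moves it above the `add()` call would quietly undo the fix. Suggest a comment on the new line: `// Set after add(): the body is the raw exception message, so it must be served as text whatever headers the exception carries.` This response is returned straight from the kernel's own exception handling rather than through the HttpKernel response events, so, if I read the surrounding code right, headers that FinishResponseSubscriber normally adds (such as `X-Content-Type-Options: nosniff`) are absent on this path; adding `$response->headers->set('X-Content-Type-Options', 'nosniff');` next to the new line would keep the plain-text type from being second-guessed by the client. The enclosing method starts and ends outside the hunk.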
@@ -87,21 +87,14 @@ class DefaultExceptionHtmlSubscriber extends HttpExceptionSubscriberBase {
 * The event to process.
 */
 public function on4xx(ExceptionEvent $event) {
- if (($exception = $event->getThrowable()) && $exception instanceof HttpExceptionInterface) {
+ // Avoid making a subrequest for 400 errors because the same conditions that
+ // caused the 400 error could also happen in the subrequest. This allows 400
+ // exceptions to fall through to FinalExceptionSubscriber::on4xx.
+ if (($exception = $event->getThrowable()) && $exception instanceof HttpExceptionInterface && $exception->getStatusCode() > 400) {
 $this->makeSubrequest($event, '/system/4xx', $exception->getStatusCode());
 }
 }
 
- /**
- * Handles a 400 error for HTML.
- *
- * @param \Symfony\Component\HttpKernel\Event\ExceptionEvent $event
- * The event to process.
- */
- public function on400(ExceptionEvent $event): void {
- throw $event->getThrowable();
- }
-
 /**
 * Handles a 401 error for HTML.
 *
diff --git a/core/tests/Drupal/KernelTests/Core/EventSubscriber/ExceptionLoggingSubscriberTest.php b/core/tests/Drupal/KernelTests/Core/EventSubscriber/ExceptionLoggingSubscriberTest.php
index 77507fbf8c4..4b11967a333 100644
--- a/core/tests/Drupal/KernelTests/Core/EventSubscriber/ExceptionLoggingSubscriberTest.php
+++ b/core/tests/Drupal/KernelTests/Core/EventSubscriber/ExceptionLoggingSubscriberTest.php
@@ -9,7 +9,6 @@ use Drupal\Core\Logger\RfcLogLevel;
 use Drupal\KernelTests\KernelTestBase;
 use Symfony\Component\ErrorHandler\BufferingLogger;
 use Symfony\Component\HttpFoundation\Request;
-use Symfony\Component\HttpKernel\Exception\HttpException;
 
 /**
 * Tests that HTTP exceptions are logged correctly.
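Review bot: `on4xx` still carries no return type while the `on400` method deleted just below it declared `: void`; now that the 400 case is folded into `on4xx`, `public function on4xx(ExceptionEvent $event): void {` keeps the subscriber's methods consistent. The method's docblock, which starts above the hunk, still describes it as handling 4xx errors in general and should state the new exclusion, e.g. `Bad-request (400) responses are deliberately not handled here; they fall through to FinalExceptionSubscriber::on4xx.` The `> 400` comparison presumably relies on the base class routing only 4xx codes to this method, so the effective range (401–499) is only visible by reading elsewhere; naming it in the new comment would spare the next reader that detour.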
@@ -64,9 +63,7 @@ class ExceptionLoggingSubscriberTest extends KernelTestBase {
 
 public static function exceptionDataProvider(): array {
 return [
- // When a BadRequestException is thrown, DefaultHttpExceptionSubscriber
- // will rethrow the exception.
- [400, 'client error', RfcLogLevel::WARNING, HttpException::class],
+ [400, 'client error', RfcLogLevel::WARNING],
 [401, 'client error', RfcLogLevel::WARNING],
 [403, 'access denied', RfcLogLevel::WARNING],
 [404, 'page not found', RfcLogLevel::WARNING],
From 9ba2ef3b66d6b2ce99b507c752002c2a4d37e9f0 Mon Sep 17 00:00:00 2001
From: Dave Long
Date: Tue, 18 Feb 2025 22:40:55 +0000
Subject: [PATCH 2/4] SA-CORE-2025-002 by jeff cardwell, benjifisher, poker10, mingsong

---
 core/lib/Drupal/Core/Field/FieldUpdateActionBase.php | 2 +-
 .../src/FunctionalJavascript/ExposedFilterAJAXTest.php | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/core/lib/Drupal/Core/Field/FieldUpdateActionBase.php b/core/lib/Drupal/Core/Field/FieldUpdateActionBase.php
index ed184e9eb3f..a5a0f71b202 100644
--- a/core/lib/Drupal/Core/Field/FieldUpdateActionBase.php
+++ b/core/lib/Drupal/Core/Field/FieldUpdateActionBase.php
@@ -53,7 +53,7 @@ abstract class FieldUpdateActionBase extends ActionBase {
 $result = $object->access('update', $account, TRUE);
 
 foreach ($this->getFieldsToUpdate() as $field => $value) {
- $result->andIf($object->{$field}->access('edit', $account, TRUE));
+ $result = $result->andIf($object->{$field}->access('edit', $account, TRUE));
 }
 
 return $return_as_object ? $result : $result->isAllowed();
diff --git a/core/modules/views/tests/src/FunctionalJavascript/ExposedFilterAJAXTest.php b/core/modules/views/tests/src/FunctionalJavascript/ExposedFilterAJAXTest.php
index 6d61ecef80a..af7cad9e287 100644
--- a/core/modules/views/tests/src/FunctionalJavascript/ExposedFilterAJAXTest.php
+++ b/core/modules/views/tests/src/FunctionalJavascript/ExposedFilterAJAXTest.php
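Review bot: The corrected line in FieldUpdateActionBase depends on `andIf()` returning a new object rather than changing `$result` in place, which is exactly the property the old line overlooked, and nothing in the code says so; the same regression is easy to reintroduce in a refactor that "simplifies" the assignment away. Suggest a comment directly above the new line: `// andIf() returns a new result; without the reassignment the field-level access check is discarded.` The enclosing `access()` method starts and ends outside the hunk.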
@@ -78,6 +78,14 @@ class ExposedFilterAJAXTest extends WebDriverTestBase {
 * Tests if exposed filtering via AJAX works for the "Content" View.
 */
 public function testExposedFiltering(): void {
+ // Create an account that can update the sticky flag.
+ $user = $this->drupalCreateUser([
+ 'access content overview',
+ 'administer nodes',
+ 'edit any page content',
+ ]);
+ $this->drupalLogin($user);
+
 // Visit the View page.
 $this->drupalGet('admin/content');
 
From dd4e04c26b1de42a66287aefc8c1173b49f27ce7 Mon Sep 17 00:00:00 2001
From: Dave Long
Date: Tue, 18 Feb 2025 22:40:55 +0000
Subject: [PATCH 3/4] SA-CORE-2025-003 by shin24, anzuukino, mcdruid, nicxvan, ghost of drupal past, longwave

---
 core/modules/views/src/DisplayPluginCollection.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/core/modules/views/src/DisplayPluginCollection.php b/core/modules/views/src/DisplayPluginCollection.php
index 74b69103d66..41eb2dc76e6 100644
--- a/core/modules/views/src/DisplayPluginCollection.php
+++ b/core/modules/views/src/DisplayPluginCollection.php
@@ -5,6 +5,7 @@ namespace Drupal\views;
 use Drupal\Component\Plugin\Exception\PluginException;
 use Drupal\Component\Plugin\PluginManagerInterface;
 use Drupal\Core\Plugin\DefaultLazyPluginCollection;
+use Drupal\views\Plugin\views\display\DisplayPluginInterface;
 
 /**
 * A class which wraps the displays of a view so you can lazy-initialize them.
@@ -59,7 +60,9 @@ class DisplayPluginCollection extends DefaultLazyPluginCollection {
 */
 public function clear() {
 foreach (array_filter($this->pluginInstances) as $display) {
- $display->destroy();
+ if ($display instanceof DisplayPluginInterface) {
+ $display->destroy();
+ }
 }
 
 parent::clear();
From 1d937cf1b3dc72cc871440008434ec4f81ba0969 Mon Sep 17 00:00:00 2001
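Review bot: The new setup in ExposedFilterAJAXTest logs in an account that is allowed to update the sticky flag, so the rest of `testExposedFiltering` (which continues outside the hunk) now exercises only the permitted path; whether any test asserts the refused path — an account lacking the permissions granted here being denied the sticky update, which is the behaviour the FieldUpdateActionBase change in this series enforces — cannot be seen from the hunk. If no such assertion exists, a companion case with a less-privileged account that expects the update to be refused would pin the fix against regression. A short comment on the new block naming which of the three permissions the sticky update actually depends on would also let a reader link the setup to the core change.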
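Review bot: The new `instanceof` guard in `DisplayPluginCollection::clear()` silently skips anything in `$this->pluginInstances` that is not a `DisplayPluginInterface`, so a wrongly typed instance is neither destroyed nor reported and `parent::clear()` simply drops it; the reason for the check is not stated and a later reader may take it for dead code. Suggest a comment above the `if`: `// Only genuine display plugins get destroy(); anything else that ended up in the collection is not a display and must not have methods invoked on it.` It is also worth checking whether the same type check belongs at the point where instances enter the collection (presumably `initializePlugin()`, outside the hunk) so that every consumer, not only `clear()`, sees display plugins exclusively. `clear()` is fully within the hunk apart from its closing brace.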
From: Dave Long
Date: Tue, 18 Feb 2025 22:41:05 +0000
Subject: [PATCH 4/4] Drupal 10.4.3

---
 composer.lock | 6 +++---
 composer/Metapackage/CoreRecommended/composer.json | 2 +-
 composer/Metapackage/PinnedDevDependencies/composer.json | 2 +-
 core/lib/Drupal.php | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/composer.lock b/composer.lock
index f23c1050972..601bdce4cd1 100644
--- a/composer.lock
+++ b/composer.lock
@@ -492,7 +492,7 @@
 },
 {
 "name": "drupal/core",
- "version": "10.4.2",
+ "version": "10.4.3",
 "dist": {
 "type": "path",
 "url": "core",
@@ -653,7 +653,7 @@
 },
 {
 "name": "drupal/core-project-message",
- "version": "10.4.2",
+ "version": "10.4.3",
 "dist": {
 "type": "path",
 "url": "composer/Plugin/ProjectMessage",
@@ -686,7 +686,7 @@
 },
 {
 "name": "drupal/core-vendor-hardening",
- "version": "10.4.2",
+ "version": "10.4.3",
 "dist": {
 "type": "path",
 "url": "composer/Plugin/VendorHardening",
diff --git a/composer/Metapackage/CoreRecommended/composer.json b/composer/Metapackage/CoreRecommended/composer.json
index 7fed88a0830..7fd9e959417 100644
--- a/composer/Metapackage/CoreRecommended/composer.json
+++ b/composer/Metapackage/CoreRecommended/composer.json
@@ -7,7 +7,7 @@
 "webflo/drupal-core-strict": "*"
 },
 "require": {
- "drupal/core": "10.4.2",
+ "drupal/core": "10.4.3",
 "asm89/stack-cors": "~v2.2.0",
 "composer/semver": "~3.4.3",
 "doctrine/annotations": "~1.14.4",
diff --git a/composer/Metapackage/PinnedDevDependencies/composer.json b/composer/Metapackage/PinnedDevDependencies/composer.json
index 6b96f16e1c9..241b74687c0 100644
--- a/composer/Metapackage/PinnedDevDependencies/composer.json
+++ b/composer/Metapackage/PinnedDevDependencies/composer.json
@@ -7,7 +7,7 @@
 "webflo/drupal-core-require-dev": "*"
 },
 "require": {
- "drupal/core": "10.4.2",
+ "drupal/core": "10.4.3",
 "behat/mink": "v1.12.0",
 "behat/mink-browserkit-driver": "v2.2.0",
 "brick/math": "0.12.1",
diff --git a/core/lib/Drupal.php b/core/lib/Drupal.php
index 82ceba55eb6..3eea5787fb5 100644
--- a/core/lib/Drupal.php
+++ b/core/lib/Drupal.php
@@ -75,7 +75,7 @@ class Drupal {
 /**
 * The current system version.
 */
- const VERSION = '10.4.2';
+ const VERSION = '10.4.3';
 
 /**
 * Core API compatibility.