diff --git a/civicrm.php b/civicrm.php index 4df8a16b0eb8272f852198559ae74839e1b602cd..bed16d7e846bacafcb852e8882fad89cad595f0d 100644 --- a/civicrm.php +++ b/civicrm.php @@ -2,7 +2,7 @@ /* Plugin Name: CiviCRM Description: CiviCRM - Growing and Sustaining Relationships -Version: 5.10.2 +Version: 5.10.3 Author: CiviCRM LLC Author URI: https://civicrm.org/ Plugin URI: https://wiki.civicrm.org/confluence/display/CRMDOC/Installing+CiviCRM+for+WordPress diff --git a/civicrm/CRM/Batch/BAO/Batch.php b/civicrm/CRM/Batch/BAO/Batch.php index 2e4775cb422df461211372e7ea218b2e71c0733c..21d61188a1826089604da2bfa96a147079798d26 100644 --- a/civicrm/CRM/Batch/BAO/Batch.php +++ b/civicrm/CRM/Batch/BAO/Batch.php @@ -333,7 +333,8 @@ class CRM_Batch_BAO_Batch extends CRM_Batch_DAO_Batch { $activityParams = array('source_record_id' => $values['id'], 'activity_type_id' => $aid); $exportActivity = CRM_Activity_BAO_Activity::retrieve($activityParams, $val); $fid = CRM_Core_DAO::getFieldValue('CRM_Core_DAO_EntityFile', $exportActivity->id, 'file_id', 'entity_id'); - $tokens = array_merge(array('eid' => $exportActivity->id, 'fid' => $fid), $tokens); + $fileHash = CRM_Core_BAO_File::generateFileHash($exportActivity->id, $fid); + $tokens = array_merge(array('eid' => $exportActivity->id, 'fid' => $fid, 'fcs' => $fileHash), $tokens); } $values['action'] = CRM_Core_Action::formLink( $newLinks, @@ -486,7 +487,7 @@ class CRM_Batch_BAO_Batch extends CRM_Batch_DAO_Batch { 'download' => array( 'name' => ts('Download'), 'url' => 'civicrm/file', - 'qs' => 'reset=1&id=%%fid%%&eid=%%eid%%', + 'qs' => 'reset=1&id=%%fid%%&eid=%%eid%%&fcs=%%fcs%%', 'title' => ts('Download Batch'), ), ); diff --git a/civicrm/CRM/Campaign/Selector/Search.php b/civicrm/CRM/Campaign/Selector/Search.php index 94a5cb5731267ee54df265817afea77465c9ac59..3332f86b1df97bd443dc9a1ea1e74fad850bee18 100644 --- a/civicrm/CRM/Campaign/Selector/Search.php +++ b/civicrm/CRM/Campaign/Selector/Search.php 
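Review bot: In `CRM/Batch/BAO/Batch.php` (hunk at line 333), `generateFileHash()` is now called for each row while the list is built. As defined later in this commit, it throws `CRM_Core_Exception` when `CIVICRM_SITE_KEY` is not set, so a missing site key fails the whole batch listing rather than only the download link. `$fid` comes straight from `getFieldValue()` and may be empty when no file is attached to the export activity, in which case a token is still issued for an empty file id. Consider generating the token only when `$fid` is non-empty, and decide explicitly whether the exception should be caught at this call site. The enclosing method starts and ends outside the hunk.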
@@ -282,12 +282,12 @@ class CRM_Campaign_Selector_Search extends CRM_Core_Selector_Base implements CRM ); list($select, $from) = explode(' FROM ', $sql); $selectSQL = " - SELECT '$cacheKey', contact_a.id, contact_a.display_name + SELECT %1, contact_a.id, contact_a.display_name FROM {$from} "; try { - Civi::service('prevnext')->fillWithSql($cacheKey, $selectSQL); + Civi::service('prevnext')->fillWithSql($cacheKey, $selectSQL, [1 => [$cacheKey, 'String']]); } catch (CRM_Core_Exception $e) { // Heavy handed, no? Seems like this merits an explanation. diff --git a/civicrm/CRM/Contact/BAO/Contact/Utils.php b/civicrm/CRM/Contact/BAO/Contact/Utils.php index 7a81cb029eb43c2228ae43e013be75ab61c3d663..db4114aa0d9630b928a5cb73d1592c6056a96879 100644 --- a/civicrm/CRM/Contact/BAO/Contact/Utils.php +++ b/civicrm/CRM/Contact/BAO/Contact/Utils.php @@ -229,7 +229,7 @@ WHERE id IN ( $idString ) $check = self::generateChecksum($contactID, $inputTS, $inputLF); - if ($check != $inputCheck) { + if (!hash_equals($check, $inputCheck)) { return FALSE; } diff --git a/civicrm/CRM/Contact/BAO/Query.php b/civicrm/CRM/Contact/BAO/Query.php index 92c47c34bff0c7352c8eeac0ddb31501b660b11a..a935ca96d2c6e1937f4416580822d6eff073520f 100644 --- a/civicrm/CRM/Contact/BAO/Query.php +++ b/civicrm/CRM/Contact/BAO/Query.php @@ -2972,7 +2972,7 @@ class CRM_Contact_BAO_Query { $smartGroupIDs[] = $id; } else { - $regularGroupIDs[] = $id; + $regularGroupIDs[] = trim($id); } } @@ -3011,7 +3011,10 @@ class CRM_Contact_BAO_Query { if (count($regularGroupIDs) > 1) { $op = strpos($op, 'IN') ? $op : ($op == '!=') ? 'NOT IN' : 'IN'; } - $groupIds = implode(',', (array) $regularGroupIDs); + $groupIds = CRM_Utils_Type::validate( + implode(',', (array) $regularGroupIDs), + 'CommaSeparatedIntegers' + ); $gcTable = "`civicrm_group_contact-" . uniqid() . "`"; $joinClause = array("contact_a.id = {$gcTable}.contact_id"); 
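Review bot: In `CRM/Campaign/Selector/Search.php`, the `%1` placeholder is bound against the whole of `$selectSQL`, which also embeds `{$from}` from a query built elsewhere. If that part can contain a literal `%` followed by a digit (a LIKE pattern from a search term, for instance), the parameter substitution may rewrite it too. How `CRM_Core_DAO::executeQuery` interpolates is not visible here, so this needs confirming. A narrower form composes only the prefix, `CRM_Core_DAO::composeQuery("SELECT %1, contact_a.id, contact_a.display_name", [1 => [$cacheKey, 'String']]) . " FROM {$from}"`, and passes no params to `fillWithSql()`. The same concern applies to the `CRM/Contact/Selector.php` hunk at line 1041, where `%1` is spliced into the full `$sql`.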
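Review bot: In `CRM/Contact/BAO/Contact/Utils.php` (hunk at line 229), `hash_equals()` requires both arguments to be strings, and `$inputCheck` is assigned outside the hunk, so its type cannot be confirmed from here. If it can be `NULL` or an array (for example when the checksum is missing or malformed), the call raises a warning or a `TypeError` depending on the PHP version, instead of returning `FALSE`. A guard keeps the failure path quiet: `if (!is_string($inputCheck) || !hash_equals($check, $inputCheck)) {`.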
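Review bot: In `CRM/Contact/BAO/Query.php` (hunks at lines 2972 and 3011), only `$regularGroupIDs` is trimmed and passed through `CRM_Utils_Type::validate(..., 'CommaSeparatedIntegers')`. The `$smartGroupIDs[] = $id;` branch just above is left as it was. How `$smartGroupIDs` is used lies outside these hunks, so confirm that those ids are validated as integers before they reach any SQL. A one-line comment above the new `validate()` call, such as `// group ids are interpolated into the IN (...) clause below`, would also explain why it is there.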
@@ -3173,12 +3176,13 @@ WHERE $smartGroupClause $op = "LIKE"; $value = "%{$value}%"; + $escapedValue = CRM_Utils_Type::escape("%{$value}%", 'String'); $useAllTagTypes = $this->getWhereValues('all_tag_types', $grouping); $tagTypesText = $this->getWhereValues('tag_types_text', $grouping); - $etTable = "`civicrm_entity_tag-" . $value . "`"; - $tTable = "`civicrm_tag-" . $value . "`"; + $etTable = "`civicrm_entity_tag-" . uniqid() . "`"; + $tTable = "`civicrm_tag-" . uniqid() . "`"; if ($useAllTagTypes[2]) { $this->_tables[$etTable] = $this->_whereTables[$etTable] @@ -3186,8 +3190,8 @@ WHERE $smartGroupClause LEFT JOIN civicrm_tag {$tTable} ON ( {$etTable}.tag_id = {$tTable}.id )"; // search tag in cases - $etCaseTable = "`civicrm_entity_case_tag-" . $value . "`"; - $tCaseTable = "`civicrm_case_tag-" . $value . "`"; + $etCaseTable = "`civicrm_entity_case_tag-" . uniqid() . "`"; + $tCaseTable = "`civicrm_case_tag-" . uniqid() . "`"; $this->_tables[$etCaseTable] = $this->_whereTables[$etCaseTable] = " LEFT JOIN civicrm_case_contact ON civicrm_case_contact.contact_id = contact_a.id LEFT JOIN civicrm_case @@ -3196,8 +3200,8 @@ WHERE $smartGroupClause LEFT JOIN civicrm_entity_tag {$etCaseTable} ON ( {$etCaseTable}.entity_table = 'civicrm_case' AND {$etCaseTable}.entity_id = civicrm_case.id ) LEFT JOIN civicrm_tag {$tCaseTable} ON ( {$etCaseTable}.tag_id = {$tCaseTable}.id )"; // search tag in activities - $etActTable = "`civicrm_entity_act_tag-" . $value . "`"; - $tActTable = "`civicrm_act_tag-" . $value . "`"; + $etActTable = "`civicrm_entity_act_tag-" . uniqid() . "`"; + $tActTable = "`civicrm_act_tag-" . uniqid() . "`"; $activityContacts = CRM_Activity_BAO_ActivityContact::buildOptions('record_type_id', 'validate'); $targetID = CRM_Utils_Array::key('Activity Targets', $activityContacts); 
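Review bot: In `CRM/Contact/BAO/Query.php` (hunk at line 3173), `$escapedValue` is built from `"%{$value}%"` after the preceding line has already wrapped `$value` in `%`, so the pattern becomes `%%term%%`. LIKE treats that the same as `%term%`, but it reads as a mistake; `$escapedValue = CRM_Utils_Type::escape($value, 'String');` is enough. The aliases in this hunk and the ones at 3186 and 3196 now come from `uniqid()` rather than `$value`, so a repeated filter registers fresh `_tables`/`_whereTables` keys on every call. A short comment such as `// alias must never contain user input` would record the reason for the change.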
@@ -3210,12 +3214,12 @@ WHERE $smartGroupClause LEFT JOIN civicrm_entity_tag as {$etActTable} ON ( {$etActTable}.entity_table = 'civicrm_activity' AND {$etActTable}.entity_id = civicrm_activity.id ) LEFT JOIN civicrm_tag {$tActTable} ON ( {$etActTable}.tag_id = {$tActTable}.id )"; - $this->_where[$grouping][] = "({$tTable}.name $op '" . $value . "' OR {$tCaseTable}.name $op '" . $value . "' OR {$tActTable}.name $op '" . $value . "')"; + $this->_where[$grouping][] = "({$tTable}.name $op '" . $escapedValue . "' OR {$tCaseTable}.name $op '" . $escapedValue . "' OR {$tActTable}.name $op '" . $escapedValue . "')"; $this->_qill[$grouping][] = ts('Tag %1 %2', array(1 => $tagTypesText[2], 2 => $op)) . ' ' . $value; } else { - $etTable = "`civicrm_entity_tag-" . $value . "`"; - $tTable = "`civicrm_tag-" . $value . "`"; + $etTable = "`civicrm_entity_tag-" . uniqid() . "`"; + $tTable = "`civicrm_tag-" . uniqid() . "`"; $this->_tables[$etTable] = $this->_whereTables[$etTable] = " LEFT JOIN civicrm_entity_tag {$etTable} ON ( {$etTable}.entity_id = contact_a.id AND {$etTable}.entity_table = 'civicrm_contact' ) LEFT JOIN civicrm_tag {$tTable} ON ( {$etTable}.tag_id = {$tTable}.id ) "; 
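Review bot: In `CRM/Contact/BAO/Query.php` (hunk at line 3210), the `else` branch ends before its WHERE clause, so it cannot be seen whether that clause uses `$escapedValue` or the raw `$value`. Confirm that it does not concatenate `$value` into SQL the way the removed line in the `if` branch did. In the visible `if` branch, `$op` is still interpolated directly into the clause; it is set to `"LIKE"` in the hunk above, so a comment stating that `$op` is a fixed literal here would help. The `_qill` line continues to append the raw `$value`; whether qill text is escaped on output is not visible.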
@@ -3243,20 +3247,25 @@ WHERE $smartGroupClause if (count($value) > 1) { $this->_useDistinct = TRUE; } - $value = implode(',', (array) $value); } + // implode array, then remove all spaces and validate CommaSeparatedIntegers + $value = CRM_Utils_Type::validate( + str_replace(' ', '', implode(',', (array) $value)), + 'CommaSeparatedIntegers' + ); + $useAllTagTypes = $this->getWhereValues('all_tag_types', $grouping); $tagTypesText = $this->getWhereValues('tag_types_text', $grouping); - $etTable = "`civicrm_entity_tag-" . $value . "`"; + $etTable = "`civicrm_entity_tag-" . uniqid() . "`"; if ($useAllTagTypes[2]) { $this->_tables[$etTable] = $this->_whereTables[$etTable] = " LEFT JOIN civicrm_entity_tag {$etTable} ON ( {$etTable}.entity_id = contact_a.id AND {$etTable}.entity_table = 'civicrm_contact') "; // search tag in cases - $etCaseTable = "`civicrm_entity_case_tag-" . $value . "`"; + $etCaseTable = "`civicrm_entity_case_tag-" . uniqid() . "`"; $activityContacts = CRM_Activity_BAO_ActivityContact::buildOptions('record_type_id', 'validate'); $targetID = CRM_Utils_Array::key('Activity Targets', $activityContacts); @@ -3267,7 +3276,7 @@ WHERE $smartGroupClause AND civicrm_case.is_deleted = 0 ) LEFT JOIN civicrm_entity_tag {$etCaseTable} ON ( {$etCaseTable}.entity_table = 'civicrm_case' AND {$etCaseTable}.entity_id = civicrm_case.id ) "; // search tag in activities - $etActTable = "`civicrm_entity_act_tag-" . $value . "`"; + $etActTable = "`civicrm_entity_act_tag-" . uniqid() . "`"; $this->_tables[$etActTable] = $this->_whereTables[$etActTable] = " LEFT JOIN civicrm_activity_contact ON ( civicrm_activity_contact.contact_id = contact_a.id AND civicrm_activity_contact.record_type_id = {$targetID} ) diff --git a/civicrm/CRM/Contact/Selector.php b/civicrm/CRM/Contact/Selector.php index 12f73b41d112f28ab0e993ea9c24fcec49740fa6..26e15333f773dcd7a0211855e948205655d3ce13 100644 --- a/civicrm/CRM/Contact/Selector.php +++ b/civicrm/CRM/Contact/Selector.php 
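Review bot: In `CRM/Contact/BAO/Query.php` (hunk at line 3243), the new `CRM_Utils_Type::validate(..., 'CommaSeparatedIntegers')` call sits after the closing brace of the array branch, so it runs for every operator and value shape. If this filter can be reached with an operator that carries no value, an empty string is passed to the validator; whether that is accepted or aborts the request is not visible here. Consider guarding with `if ($value !== '' && $value !== NULL)`, or add a comment stating that an empty value cannot occur. `str_replace(' ', '', ...)` strips only plain spaces, so tabs or newlines between ids will fail validation rather than be normalised; the comment above the call could say that this is intended. The group-id validation in the hunk at line 3011 has the same empty-list question.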
@@ -1041,11 +1041,11 @@ class CRM_Contact_Selector extends CRM_Core_Selector_Base implements CRM_Core_Se // the other alternative of running the FULL query will just be incredibly inefficient // and slow things down way too much on large data sets / complex queries - $selectSQL = "SELECT DISTINCT '$cacheKey', contact_a.id, contact_a.sort_name"; + $selectSQL = "SELECT DISTINCT %1, contact_a.id, contact_a.sort_name"; $sql = str_ireplace(array("SELECT contact_a.id as contact_id", "SELECT contact_a.id as id"), $selectSQL, $sql); try { - Civi::service('prevnext')->fillWithSql($cacheKey, $sql); + Civi::service('prevnext')->fillWithSql($cacheKey, $sql, [1 => [$cacheKey, 'String']]); } catch (CRM_Core_Exception $e) { if ($coreSearch) { diff --git a/civicrm/CRM/Contribute/Form/Task/Invoice.php b/civicrm/CRM/Contribute/Form/Task/Invoice.php index d6e4758d4b7efea07f5f9f3650e31ce783d1e426..865f91b5a1ef7e513daac8a74cd2c69b6fb737c4 100644 --- a/civicrm/CRM/Contribute/Form/Task/Invoice.php +++ b/civicrm/CRM/Contribute/Form/Task/Invoice.php @@ -298,7 +298,13 @@ class CRM_Contribute_Form_Task_Invoice extends CRM_Contribute_Form_Task { $invoiceDate = date("F j, Y"); $dueDate = date('F j, Y', strtotime($contributionReceiveDate . "+" . $prefixValue['due_date'] . "" . $prefixValue['due_date_period'])); - $lineItem = CRM_Price_BAO_LineItem::getLineItemsByContributionID($contribID); + if ($input['component'] == 'contribute') { + $lineItem = CRM_Price_BAO_LineItem::getLineItemsByContributionID($contribID); + } + else { + $eid = $contribution->_relatedObjects['participant']->id; + $lineItem = CRM_Price_BAO_LineItem::getLineItems($eid, 'participant', NULL, TRUE, FALSE, TRUE); + } $resultPayments = civicrm_api3('Payment', 'get', array( 'sequential' => 1, diff --git a/civicrm/CRM/Core/BAO/CustomField.php b/civicrm/CRM/Core/BAO/CustomField.php index 8e08547b326f7eda789fed26ce63adc2d9c1185d..f110870e632be12749c08f176ba6654f8ed82d46 100644 --- a/civicrm/CRM/Core/BAO/CustomField.php 
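Review bot: In `CRM/Contribute/Form/Task/Invoice.php` (hunk at line 298), every component other than `'contribute'` falls into the `else` branch, which dereferences `$contribution->_relatedObjects['participant']->id` without checking that the participant object exists. If the component is neither value, or the related object was not loaded, this is a property read on `NULL` and `getLineItems()` is called with an empty id. Consider `elseif (!empty($contribution->_relatedObjects['participant']))` with a fallback to `getLineItemsByContributionID($contribID)`, and use `===` for the component comparison.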
+++ b/civicrm/CRM/Core/BAO/CustomField.php @@ -1494,9 +1494,10 @@ class CRM_Core_BAO_CustomField extends CRM_Core_DAO_CustomField { 'entity_id', 'file_id' ); - list($path) = CRM_Core_BAO_File::path($fileID, $entityId, NULL, NULL); + list($path) = CRM_Core_BAO_File::path($fileID, $entityId); + $fileHash = CRM_Core_BAO_File::generateFileHash($entityId, $fileID); $url = CRM_Utils_System::url('civicrm/file', - "reset=1&id=$fileID&eid=$contactID", + "reset=1&id=$fileID&eid=$entityId&fcs=$fileHash", $absolute, NULL, TRUE, TRUE ); $result['file_url'] = CRM_Utils_File::getFileURL($path, $fileType, $url); @@ -1507,8 +1508,9 @@ class CRM_Core_BAO_CustomField extends CRM_Core_DAO_CustomField { $fileID, 'uri' ); + $fileHash = CRM_Core_BAO_File::generateFileHash($contactID, $fileID); $url = CRM_Utils_System::url('civicrm/file', - "reset=1&id=$fileID&eid=$contactID", + "reset=1&id=$fileID&eid=$contactID&fcs=$fileHash", $absolute, NULL, TRUE, TRUE ); $result['file_url'] = CRM_Utils_File::getFileURL($uri, $fileType, $url); diff --git a/civicrm/CRM/Core/BAO/CustomGroup.php b/civicrm/CRM/Core/BAO/CustomGroup.php index 84c46f02c68faef0b33cddf0c576b26b900aa726..df5d09adaf051f8bf34fc06cb281a4a4bc3a59f3 100644 --- a/civicrm/CRM/Core/BAO/CustomGroup.php +++ b/civicrm/CRM/Core/BAO/CustomGroup.php 
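Review bot: In `CRM/Core/BAO/CustomField.php`, the two branches now bind the token to different ids. The hunk at line 1494 switches the URL and the hash to `$entityId`, while the hunk at line 1507 still uses `$contactID` for both `eid` and `generateFileHash()`. If the custom field in the second branch can belong to a non-contact entity, the download page will validate the token but then look the file up under the wrong entity id. Where `$entityId` and `$contactID` come from is outside the hunks, so confirm which one the second branch needs. If they can differ, use `generateFileHash($entityId, $fileID)` and `eid=$entityId` there as well.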
@@ -875,17 +875,18 @@ ORDER BY civicrm_custom_group.weight, if ($fileDAO->find(TRUE)) { $entityIDName = "{$table}_entity_id"; + $fileHash = CRM_Core_BAO_File::generateFileHash($dao->$entityIDName, $fileDAO->id); $customValue['id'] = $dao->$idName; $customValue['data'] = $fileDAO->uri; $customValue['fid'] = $fileDAO->id; - $customValue['fileURL'] = CRM_Utils_System::url('civicrm/file', "reset=1&id={$fileDAO->id}&eid={$dao->$entityIDName}"); + $customValue['fileURL'] = CRM_Utils_System::url('civicrm/file', "reset=1&id={$fileDAO->id}&eid={$dao->$entityIDName}&fcs=$fileHash"); $customValue['displayURL'] = NULL; $deleteExtra = ts('Are you sure you want to delete attached file.'); $deleteURL = array( CRM_Core_Action::DELETE => array( 'name' => ts('Delete Attached File'), 'url' => 'civicrm/file', - 'qs' => 'reset=1&id=%%id%%&eid=%%eid%%&fid=%%fid%%&action=delete', + 'qs' => 'reset=1&id=%%id%%&eid=%%eid%%&fid=%%fid%%&action=delete&fcs=%%fcs%%', 'extra' => 'onclick = "if (confirm( \'' . $deleteExtra . '\' ) ) this.href+=\'&confirmed=1\'; else return false;"', ), @@ -896,6 +897,7 @@ ORDER BY civicrm_custom_group.weight, 'id' => $fileDAO->id, 'eid' => $dao->$entityIDName, 'fid' => $fieldID, + 'fcs' => $fileHash, ), ts('more'), FALSE, @@ -919,7 +921,7 @@ ORDER BY civicrm_custom_group.weight, ); $customValue['imageURL'] = str_replace('persist/contribute', 'custom', $config->imageUploadURL) . $fileDAO->uri; - list($path) = CRM_Core_BAO_File::path($fileDAO->id, $entityId, NULL, NULL); + list($path) = CRM_Core_BAO_File::path($fileDAO->id, $entityId); if ($path && file_exists($path)) { list($imageWidth, $imageHeight) = getimagesize($path); list($imageThumbWidth, $imageThumbHeight) = CRM_Contact_BAO_Contact::getThumbSize($imageWidth, $imageHeight); diff --git a/civicrm/CRM/Core/BAO/File.php b/civicrm/CRM/Core/BAO/File.php index ccbc7532729783f2c36f8d73e1bdd5b1c19b75f7..5e1a32def07ba55d2a1b3ae07758d6dbc1f6eb71 100644 --- a/civicrm/CRM/Core/BAO/File.php 
+++ b/civicrm/CRM/Core/BAO/File.php @@ -71,15 +71,11 @@ class CRM_Core_BAO_File extends CRM_Core_DAO_File { /** * @param int $fileID * @param int $entityID - * @param null $entityTable * * @return array */ - public static function path($fileID, $entityID, $entityTable = NULL) { + public static function path($fileID, $entityID) { $entityFileDAO = new CRM_Core_DAO_EntityFile(); - if ($entityTable) { - $entityFileDAO->entity_table = $entityTable; - } $entityFileDAO->entity_id = $entityID; $entityFileDAO->file_id = $fileID; @@ -337,6 +333,7 @@ class CRM_Core_BAO_File extends CRM_Core_DAO_File { $dao = CRM_Core_DAO::executeQuery($sql, $params); $results = array(); while ($dao->fetch()) { + $fileHash = self::generateFileHash($dao->entity_id, $dao->cfID); $result['fileID'] = $dao->cfID; $result['entityID'] = $dao->cefID; $result['mime_type'] = $dao->mime_type; @@ -344,7 +341,7 @@ class CRM_Core_BAO_File extends CRM_Core_DAO_File { $result['description'] = $dao->description; $result['cleanName'] = CRM_Utils_File::cleanFileName($dao->uri); $result['fullPath'] = $config->customFileUploadDir . DIRECTORY_SEPARATOR . $dao->uri; - $result['url'] = CRM_Utils_System::url('civicrm/file', "reset=1&id={$dao->cfID}&eid={$dao->entity_id}"); + $result['url'] = CRM_Utils_System::url('civicrm/file', "reset=1&id={$dao->cfID}&eid={$dao->entity_id}&fcs={$fileHash}"); $result['href'] = "<a href=\"{$result['url']}\">{$result['cleanName']}</a>"; $result['tag'] = CRM_Core_BAO_EntityTag::getTag($dao->cfID, 'civicrm_file'); $result['icon'] = CRM_Utils_File::getIconFromMimeType($dao->mime_type); 
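Review bot: In `CRM/Core/BAO/File.php` (hunk at line 71), removing `$entityTable` from `path()` does not break callers that still pass a third argument, because PHP silently ignores it. Such a caller now gets a lookup on `entity_id` and `file_id` alone, with no table filter, and two entity tables can share the same numeric id. Callers changed in this commit passed `NULL`, but code outside it may not. Either keep the parameter as deprecated and honoured, or state in the docblock that the lookup is no longer scoped to a table and that callers must not rely on `path()` to tell entity types apart.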
@@ -770,4 +767,56 @@ AND CEF.entity_id = %2"; return NULL; } + /** + * Generates an access-token for downloading a specific file. + * + * @param int $entityId entity id the file is attached to + * @param int $fileId file ID + * @return string + */ + public static function generateFileHash($entityId = NULL, $fileId = NULL, $genTs = NULL, $life = NULL) { + // Use multiple (but stable) inputs for hash information. + $siteKey = CRM_Utils_Constant::value('CIVICRM_SITE_KEY'); + if (!$siteKey) { + throw new \CRM_Core_Exception("Cannot generate file access token. Please set CIVICRM_SITE_KEY."); + } + + if (!$genTs) { + $genTs = time(); + } + if (!$life) { + $days = Civi::settings()->get('checksum_timeout'); + $life = 24 * $days; + } + // Trim 8 chars off the string, make it slightly easier to find + // but reveals less information from the hash. + $cs = hash_hmac('sha256', "entity={$entityId}&file={$fileId}&life={$life}", $siteKey); + return "{$cs}_{$genTs}_{$life}"; + } + + /** + * Validate a file access token. + * + * @param string $hash + * @param int $entityId Entity Id the file is attached to + * @param int $fileId File Id + * @return bool + */ + public static function validateFileHash($hash, $entityId, $fileId) { + $input = CRM_Utils_System::explode('_', $hash, 3); + $inputTs = CRM_Utils_Array::value(1, $input); + $inputLF = CRM_Utils_Array::value(2, $input); + $testHash = CRM_Core_BAO_File::generateFileHash($entityId, $fileId, $inputTs, $inputLF); + if (hash_equals($testHash, $hash)) { + $now = time(); + if ($inputTs + ($inputLF * 60 * 60) >= $now) { + return TRUE; + } + else { + return FALSE; + } + } + return FALSE; + } + } diff --git a/civicrm/CRM/Core/Form/Renderer.php b/civicrm/CRM/Core/Form/Renderer.php index 230cfa142fd4167d376762db1dbe9946304e70fa..82847220267918fede00c27adff8e6d09021bde6 100644 --- a/civicrm/CRM/Core/Form/Renderer.php +++ b/civicrm/CRM/Core/Form/Renderer.php 
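Review bot: In `generateFileHash()` (`CRM/Core/BAO/File.php`, hunk at line 770), the HMAC input is `entity`, `file` and `life`, but not `$genTs`, although `$genTs` is returned in the token and `validateFileHash()` uses it for the expiry check. The timestamp field is therefore not integrity-protected, and the expiry cannot be relied on. Include it in the MAC, e.g. `hash_hmac('sha256', "entity={$entityId}&file={$fileId}&ts={$genTs}&life={$life}", $siteKey)`. `validateFileHash()` should also return `FALSE` early when `$hash` is not a string or `$inputTs`/`$inputLF` are not numeric, because `hash_equals()` and the arithmetic both assume well-formed input. The comment "Trim 8 chars off the string" no longer matches the code, since nothing is trimmed, and the docblock omits `$genTs` and `$life`.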
@@ -248,6 +248,14 @@ class CRM_Core_Form_Renderer extends HTML_QuickForm_Renderer_ArraySmarty { $params = $field->getAttribute('data-api-params'); $params = $params ? json_decode($params, TRUE) : array(); $result = civicrm_api3($entity, 'getlist', array('id' => $val) + $params); + // Purify label output of entityreference fields + if (!empty($result['values'])) { + foreach ($result['values'] as &$res) { + if (!empty($res['label'])) { + $res['label'] = CRM_Utils_String::purifyHTML($res['label']); + } + } + } if ($field->isFrozen()) { // Prevent js from treating frozen entityRef as a "live" field $field->removeAttribute('class'); @@ -299,7 +307,7 @@ class CRM_Core_Form_Renderer extends HTML_QuickForm_Renderer_ArraySmarty { foreach (explode(',', $val) as $item) { $match = CRM_Utils_Array::findInTree($item, $params['data']); if (isset($match['text']) && strlen($match['text'])) { - $display[] = $match['text']; + $display[] = CRM_Utils_String::purifyHTML($match['text']); } } $el['html'] = implode('; ', $display) . '<input type="hidden" value="' . $field->getValue() . '" name="' . $field->getAttribute('name') . '">'; @@ -327,7 +335,7 @@ class CRM_Core_Form_Renderer extends HTML_QuickForm_Renderer_ArraySmarty { // Format contact as link if ($entity == 'contact' && CRM_Contact_BAO_Contact_Permission::allow($val['id'], CRM_Core_Permission::VIEW)) { $url = CRM_Utils_System::url("civicrm/contact/view", array('reset' => 1, 'cid' => $val['id'])); - $val['label'] = '<a class="view-' . $entity . ' no-popup" href="' . $url . '" title="' . ts('View Contact') . '">' . $val['label'] . '</a>'; + $val['label'] = '<a class="view-' . $entity . ' no-popup" href="' . $url . '" title="' . ts('View Contact') . '">' . CRM_Utils_String::purifyHTML($val['label']) . '</a>'; } $display[] = $val['label']; } diff --git a/civicrm/CRM/Core/Page/File.php b/civicrm/CRM/Core/Page/File.php index e2266039e77f896fa77fe0214d70c0159d90c3c5..76d65e0a2f4c28dcad1fa1ce499dea9f683df9f5 100644 
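Review bot: In `CRM/Core/Form/Renderer.php` (hunk at line 248), the new loop iterates with `foreach ($result['values'] as &$res)` and never releases the reference. `$res` stays bound to the last element, so any later loop or assignment that reuses the name will overwrite it. Add `unset($res);` directly after the loop, or iterate by key with `foreach ($result['values'] as $k => $res)` and write to `$result['values'][$k]['label']`. The enclosing method continues outside the hunk.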
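Review bot: In `CRM/Core/Form/Renderer.php` (hunk at line 299), `purifyHTML()` now covers `$match['text']`, but the same statement still concatenates `$field->getValue()` and `$field->getAttribute('name')` unescaped into the `value` and `name` attributes of the hidden input. HTML purification does not fit an attribute context; if either value can carry user-supplied data, it should go through `htmlspecialchars($field->getValue(), ENT_QUOTES)`. Whether these values are constrained upstream is not visible in the hunk.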
--- a/civicrm/CRM/Core/Page/File.php +++ b/civicrm/CRM/Core/Page/File.php @@ -38,23 +38,21 @@ class CRM_Core_Page_File extends CRM_Core_Page { * Run page. */ public function run() { - $fileName = CRM_Utils_Request::retrieve('filename', 'String', $this); - $path = CRM_Core_Config::singleton()->customFileUploadDir . $fileName; - $mimeType = CRM_Utils_Request::retrieve('mime-type', 'String', $this); $action = CRM_Utils_Request::retrieve('action', 'String', $this); $download = CRM_Utils_Request::retrieve('download', 'Integer', $this, FALSE, 1); $disposition = $download == 0 ? 'inline' : 'download'; - // if we are not providing essential parameter needed for file preview then - if (empty($fileName) && empty($mimeType)) { - $eid = CRM_Utils_Request::retrieve('eid', 'Positive', $this, TRUE); - $fid = CRM_Utils_Request::retrieve('fid', 'Positive', $this, FALSE); - $id = CRM_Utils_Request::retrieve('id', 'Positive', $this, TRUE); - $quest = CRM_Utils_Request::retrieve('quest', 'String', $this); - - list($path, $mimeType) = CRM_Core_BAO_File::path($id, $eid, NULL, $quest); + $entityId = CRM_Utils_Request::retrieve('eid', 'Positive', $this, TRUE); // Entity ID (e.g. Contact ID) + $fieldId = CRM_Utils_Request::retrieve('fid', 'Positive', $this, FALSE); // Field ID + $fileId = CRM_Utils_Request::retrieve('id', 'Positive', $this, TRUE); // File ID + $hash = CRM_Utils_Request::retrieve('fcs', 'Alphanumeric', $this); + if (!CRM_Core_BAO_File::validateFileHash($hash, $entityId, $fileId)) { + CRM_Core_Error::statusBounce('URL for file is not valid'); } + list($path, $mimeType) = CRM_Core_BAO_File::path($fileId, $entityId); + $mimeType = CRM_Utils_Request::retrieveValue('mime-type', 'String', $mimeType, FALSE); + if (!$path) { CRM_Core_Error::statusBounce('Could not retrieve the file'); } 
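Review bot: In `CRM/Core/Page/File.php` (hunk at line 38), the request can still override the stored MIME type through `retrieveValue('mime-type', 'String', $mimeType, FALSE)`. Combined with the `download=0` inline disposition above, that lets a link choose how the browser interprets an uploaded file. How `$mimeType` is emitted is outside the hunk, but the stored type from `path()` should win, or the override should be limited to a small allow-list. Separately, `fcs` is read as optional, so `$hash` can be `NULL` when it reaches `validateFileHash()`; pass `TRUE` as the abort argument as the `eid` and `id` lines do: `CRM_Utils_Request::retrieve('fcs', 'Alphanumeric', $this, TRUE)`.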
@@ -66,7 +64,7 @@ class CRM_Core_Page_File extends CRM_Core_Page { if ($action & CRM_Core_Action::DELETE) { if (CRM_Utils_Request::retrieve('confirmed', 'Boolean')) { - CRM_Core_BAO_File::deleteFileReferences($id, $eid, $fid); + CRM_Core_BAO_File::deleteFileReferences($fileId, $entityId, $fieldId); CRM_Core_Session::setStatus(ts('The attached file has been deleted.'), ts('Complete'), 'success'); $session = CRM_Core_Session::singleton(); diff --git a/civicrm/CRM/Core/PrevNextCache/Interface.php b/civicrm/CRM/Core/PrevNextCache/Interface.php index 33ce6dab7538595a1048b6168b6ba451a93b1c22..6c355050e7577fdb4c6c2e1cd67a4b4464eb5efa 100644 --- a/civicrm/CRM/Core/PrevNextCache/Interface.php +++ b/civicrm/CRM/Core/PrevNextCache/Interface.php @@ -40,9 +40,14 @@ interface CRM_Core_PrevNextCache_Interface { * @param string $sql * A SQL query. The query *MUST* be a SELECT statement which yields * the following columns (in order): cacheKey, entity_id1, data + * @param array $sqlParams + * An array of parameters to be used with $sql. + * Use the same interpolation format as CRM_Core_DAO (composeQuery/executeQuery). + * Ex: [1 => ['foo', 'String']] * @return bool + * @see CRM_Core_DAO::composeQuery */ - public function fillWithSql($cacheKey, $sql); + public function fillWithSql($cacheKey, $sql, $sqlParams = []); /** * Store the contents of an array in the cache. diff --git a/civicrm/CRM/Core/PrevNextCache/Redis.php b/civicrm/CRM/Core/PrevNextCache/Redis.php index ff4a0f3d6d686afce38a457036e48999946d1e43..99986f4d714423fdf6ebaa545833479697953bab 100644 --- a/civicrm/CRM/Core/PrevNextCache/Redis.php +++ b/civicrm/CRM/Core/PrevNextCache/Redis.php 
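Review bot: In `CRM/Core/Page/File.php` (hunk at line 66), the delete branch is gated by the same `fcs` token as a download, and the token built in `generateFileHash()` does not include the action. A link issued for viewing a file therefore also authorises deleting it, unless a permission check exists outside this hunk. Consider binding the action into the HMAC input, or requiring an explicit permission check before `deleteFileReferences()`. The deletion is also triggered by a GET request with `confirmed`, so it should not rely on the token alone.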
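Review bot: In `CRM/Core/PrevNextCache/Interface.php`, adding `$sqlParams = []` to `fillWithSql()` makes any implementation outside this commit that still declares `fillWithSql($cacheKey, $sql)` incompatible with the interface, which PHP reports as a fatal error when the class is loaded. The release notes in this commit answer "Alter the API?" with "no", so this is worth a line there for extension authors. The new docblock should also state that `$cacheKey` must be passed through `$sqlParams` and never quoted into `$sql`.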
@@ -61,8 +61,8 @@ class CRM_Core_PrevNextCache_Redis implements CRM_Core_PrevNextCache_Interface { $this->prefix .= \CRM_Utils_Cache::DELIMITER . 'prevnext' . \CRM_Utils_Cache::DELIMITER; } - public function fillWithSql($cacheKey, $sql) { - $dao = CRM_Core_DAO::executeQuery($sql, [], FALSE, NULL, FALSE, TRUE, TRUE); + public function fillWithSql($cacheKey, $sql, $sqlParams = []) { + $dao = CRM_Core_DAO::executeQuery($sql, $sqlParams, FALSE, NULL, FALSE, TRUE, TRUE); if (is_a($dao, 'DB_Error')) { throw new CRM_Core_Exception($dao->message); } diff --git a/civicrm/CRM/Core/PrevNextCache/Sql.php b/civicrm/CRM/Core/PrevNextCache/Sql.php index 953dee024303dfb4462795b2c6ea9d1dd842f225..efa1756a0219b7e932d01a79b453b676bca95ab4 100644 --- a/civicrm/CRM/Core/PrevNextCache/Sql.php +++ b/civicrm/CRM/Core/PrevNextCache/Sql.php @@ -38,14 +38,19 @@ class CRM_Core_PrevNextCache_Sql implements CRM_Core_PrevNextCache_Interface { * @param string $sql * A SQL query. The query *MUST* be a SELECT statement which yields * the following columns (in order): cacheKey, entity_id1, data + * @param array $sqlParams + * An array of parameters to be used with $sql. + * Use the same interpolation format as CRM_Core_DAO (composeQuery/executeQuery). + * Ex: [1 => ['foo', 'String']] * @return bool * @throws CRM_Core_Exception + * @see CRM_Core_DAO::composeQuery */ - public function fillWithSql($cacheKey, $sql) { + public function fillWithSql($cacheKey, $sql, $sqlParams = []) { $insertSQL = " INSERT INTO civicrm_prevnext_cache (cacheKey, entity_id1, data) "; - $result = CRM_Core_DAO::executeQuery($insertSQL . $sql, [], FALSE, NULL, FALSE, TRUE, TRUE); + $result = CRM_Core_DAO::executeQuery($insertSQL . $sql, $sqlParams, FALSE, NULL, FALSE, TRUE, TRUE); if (is_a($result, 'DB_Error')) { throw new CRM_Core_Exception($result->message); } 
diff --git a/civicrm/CRM/PCP/Page/PCPInfo.php b/civicrm/CRM/PCP/Page/PCPInfo.php index bd51d17df227f5e3200f9f8428cb7f6b388933f4..3a3c2b34bf91169341d663e5416ea08b4b869cd5 100644 --- a/civicrm/CRM/PCP/Page/PCPInfo.php +++ b/civicrm/CRM/PCP/Page/PCPInfo.php @@ -202,8 +202,9 @@ class CRM_PCP_Page_PCPInfo extends CRM_Core_Page { if (!empty($entityFile)) { $fileInfo = reset($entityFile); $fileId = $fileInfo['fileID']; + $fileHash = CRM_Core_BAO_File::generateFileHash($this->_id, $fileId); $image = '<img src="' . CRM_Utils_System::url('civicrm/file', - "reset=1&id=$fileId&eid={$this->_id}" + "reset=1&id=$fileId&eid={$this->_id}&fcs={$fileHash}" ) . '" />'; $this->assign('image', $image); } diff --git a/civicrm/CRM/Profile/Form.php b/civicrm/CRM/Profile/Form.php index 7dfdbdd10f40906cb709eddbf2ec98e5712140ca..330b50890a0d3232eb4d985aa93acf6925af920d 100644 --- a/civicrm/CRM/Profile/Form.php +++ b/civicrm/CRM/Profile/Form.php @@ -511,8 +511,9 @@ class CRM_Profile_Form extends CRM_Core_Form { $deleteExtra = ts("Are you sure you want to delete attached file?"); $fileId = $url['file_id']; + $fileHash = CRM_Core_BAO_File::generateFileHash($entityId, $fileId); $deleteURL = CRM_Utils_System::url('civicrm/file', - "reset=1&id={$fileId}&eid=$entityId&fid={$key}&action=delete" + "reset=1&id={$fileId}&eid=$entityId&fid={$key}&action=delete&fcs={$fileHash}" ); $text = ts("Delete Attached File"); $customFiles[$field['name']]['deleteURL'] = "<a href=\"{$deleteURL}\" onclick = \"if (confirm( ' $deleteExtra ' )) this.href+='&confirmed=1'; else return false;\">$text</a>"; 
@@ -551,8 +552,9 @@ class CRM_Profile_Form extends CRM_Core_Form { $deleteExtra = ts("Are you sure you want to delete attached file?"); $fileId = $url['file_id']; + $fileHash = CRM_Core_BAO_File::generateFileHash($entityId, $fileId); /* fieldId=$customFieldID */ $deleteURL = CRM_Utils_System::url('civicrm/file', - "reset=1&id={$fileId}&eid=$entityId&fid={$customFieldID}&action=delete" + "reset=1&id={$fileId}&eid=$entityId&fid={$customFieldID}&action=delete&fcs={$fileHash}" ); $text = ts("Delete Attached File"); $customFiles[$field['name']]['deleteURL'] = "<a href=\"{$deleteURL}\" onclick = \"if (confirm( ' $deleteExtra ' )) this.href+='&confirmed=1'; else return false;\">$text</a>"; diff --git a/civicrm/CRM/SMS/Form/Schedule.php b/civicrm/CRM/SMS/Form/Schedule.php index 1858e2a749ae3b03907c22382e40b8b8ef13aeaf..f4ddf7d868f1c2870561b3e4cdf12eeb02e0db27 100644 --- a/civicrm/CRM/SMS/Form/Schedule.php +++ b/civicrm/CRM/SMS/Form/Schedule.php @@ -152,7 +152,7 @@ class CRM_SMS_Form_Schedule extends CRM_Core_Form { CRM_Core_Error::fatal(ts('Could not find a mailing id')); } - $send_option = $this->controller->exportValue($this->_name, 'send_option'); + $params['send_option'] = $this->controller->exportValue($this->_name, 'send_option'); if (isset($params['send_option']) && $params['send_option'] == 'send_immediate') { $params['scheduled_date'] = date('YmdHis'); } diff --git a/civicrm/CRM/Upgrade/Incremental/sql/5.10.3.mysql.tpl b/civicrm/CRM/Upgrade/Incremental/sql/5.10.3.mysql.tpl new file mode 100644 index 0000000000000000000000000000000000000000..0a028ff53f23708da1a3a46dc50c576f922fc66d --- /dev/null +++ b/civicrm/CRM/Upgrade/Incremental/sql/5.10.3.mysql.tpl @@ -0,0 +1 @@ +{* file to handle db changes in 5.10.3 during upgrade *} diff --git a/civicrm/CRM/Utils/Money.php b/civicrm/CRM/Utils/Money.php index f8afa6cf5c9cde3b681c7fd8e4b3898a1913c9ad..6f95398353c35d77237f909bb1234016438b9fd4 100644 --- a/civicrm/CRM/Utils/Money.php +++ b/civicrm/CRM/Utils/Money.php 
@@ -95,6 +95,13 @@ class CRM_Utils_Money { if (!$currency) { $currency = $config->defaultCurrency; } + + // ensure $currency is a valid currency code + // for backwards-compatibility, also accept one space instead of a currency + if ($currency != ' ' && !array_key_exists($currency, self::$_currencySymbols)) { + throw new CRM_Core_Exception("Invalid currency \"{$currency}\""); + } + $amount = self::formatNumericByFormat($amount, $valueFormat); // If it contains tags, means that HTML was passed and the // amount is already converted properly, diff --git a/civicrm/CRM/Utils/System/WordPress.php b/civicrm/CRM/Utils/System/WordPress.php index bb0fa46b3de0137d243d3631d8b807343729db61..7dd040872e2ea92afec149003e37f2efde01f522 100644 --- a/civicrm/CRM/Utils/System/WordPress.php +++ b/civicrm/CRM/Utils/System/WordPress.php @@ -815,13 +815,11 @@ class CRM_Utils_System_WordPress extends CRM_Utils_System_Base { $contactCreated = 0; $contactMatching = 0; - // previously used $wpdb - which means WordPress *must* be bootstrapped - $wpUsers = get_users(array( - 'blog_id' => get_current_blog_id(), - 'number' => -1, - )); + global $wpdb; + $wpUserIds = $wpdb->get_col("SELECT $wpdb->users.ID FROM $wpdb->users"); - foreach ($wpUsers as $wpUserData) { + foreach ($wpUserIds as $wpUserId) { + $wpUserData = get_userdata($wpUserId); $contactCount++; if ($match = CRM_Core_BAO_UFMatch::synchronizeUFMatch($wpUserData, $wpUserData->$id, diff --git a/civicrm/api/v3/Attachment.php b/civicrm/api/v3/Attachment.php index e9bc6cad95e313a38d884a18997e3e4eebff2679..a96a35886dbb01f392df9f541924ce6a33b7cfc0 100644 --- a/civicrm/api/v3/Attachment.php +++ b/civicrm/api/v3/Attachment.php 
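Review bot: In `CRM/Utils/Money.php` (hunk at line 95), the exception message embeds the rejected `$currency` verbatim. If that message is shown in an HTML error page without escaping, the invalid input is reflected to the user. Prefer a fixed message such as `throw new CRM_Core_Exception('Invalid currency code');` and log the value separately. `array_key_exists()` also expects a string or integer key, so guard with `is_string($currency)` first, and use `!==` for the single-space comparison. Whether `self::$_currencySymbols` is populated before this check is outside the hunk.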
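Review bot: In `CRM/Utils/System/WordPress.php` (hunk at line 815), the new query selects every row of `$wpdb->users`, whereas the removed `get_users()` call was limited to `get_current_blog_id()`. On a multisite install this would synchronise users of all sites into the current site's CiviCRM; confirm that this is intended. `get_userdata()` returns `false` for an id it cannot load, and the result is passed straight to `synchronizeUFMatch()` and dereferenced as `$wpUserData->$id`. Add `if (!$wpUserData) { continue; }` before `$contactCount++`.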
@@ -435,8 +435,9 @@ function _civicrm_api3_attachment_format_result($fileDao, $entityFileDao, $retur 'icon' => CRM_Utils_File::getIconFromMimeType($fileDao->mime_type), 'created_id' => $fileDao->created_id, ); + $fileHash = CRM_Core_BAO_File::generateFileHash($result['entity_id'], $result['id']); $result['url'] = CRM_Utils_System::url( - 'civicrm/file', 'reset=1&id=' . $result['id'] . '&eid=' . $result['entity_id'], + 'civicrm/file', 'reset=1&id=' . $result['id'] . '&eid=' . $result['entity_id'] . '&fcs=' . $fileHash, TRUE, NULL, FALSE, diff --git a/civicrm/bower_components/jquery-ui/.bower.json b/civicrm/bower_components/jquery-ui/.bower.json index d28097dd886aa3254e1ae3f4b4c31a9a08723e8e..a37977e293dab1139234c1e11ff472e0011d1161 100644 --- a/civicrm/bower_components/jquery-ui/.bower.json +++ b/civicrm/bower_components/jquery-ui/.bower.json @@ -17,6 +17,6 @@ "commit": "44ecf3794cc56b65954cc19737234a3119d036cc" }, "_source": "https://github.com/components/jqueryui.git", - "_target": "~1.12", + "_target": ">=1.9", "_originalSource": "jquery-ui" } \ No newline at end of file diff --git a/civicrm/civicrm-version.php b/civicrm/civicrm-version.php index 189e1e947d0d27e4b32b5771f434456dfaac12c8..1dc0bd6c970d5ddb00d5e7193621bcc228ea7fe0 100644 --- a/civicrm/civicrm-version.php +++ b/civicrm/civicrm-version.php @@ -1,7 +1,7 @@ <?php /** @deprecated */ function civicrmVersion( ) { - return array( 'version' => '5.10.2', + return array( 'version' => '5.10.3', 'cms' => 'Wordpress', 'revision' => '' ); } diff --git a/civicrm/js/Common.js b/civicrm/js/Common.js index 985e7d616ccb76c2b00e8e7ece334ce64aa42167..ec037469e2097fd79e4fcd37e81ca7d14a4bbb5f 100644 --- a/civicrm/js/Common.js +++ b/civicrm/js/Common.js 
@@ -1545,4 +1545,11 @@ if (!CRM.vars) CRM.vars = {}; return (yiq >= 128) ? 'black' : 'white'; }; + // CVE-2015-9251 - Prevent auto-execution of scripts when no explicit dataType was provided + $.ajaxPrefilter(function(s) { + if (s.crossDomain) { + s.contents.script = false; + } + }); + })(jQuery, _); diff --git a/civicrm/release-notes/5.10.3.md b/civicrm/release-notes/5.10.3.md new file mode 100644 index 0000000000000000000000000000000000000000..175c792ff8194984c0b0ef38c59ee2d1de7f65c3 --- /dev/null +++ b/civicrm/release-notes/5.10.3.md 
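Review bot: In `civicrm/js/Common.js`, the prefilter is registered on the `$` passed into this closure, so it covers only requests made through that jQuery instance; any other jQuery copy loaded on the page by the CMS or another plugin is not affected. The comment could state that scope and that the workaround can be removed once the bundled jQuery handles this itself, for example `// Backport for CVE-2015-9251: applies to CiviCRM's jQuery instance only; drop when the bundled jQuery no longer auto-executes cross-domain script responses`. The closure begins outside the hunk.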
@@ -0,0 +1,64 @@ +# CiviCRM 5.10.3 + +Released February 20, 2019 + +- **[Synopsis](#synopsis)** +- **[Security advisories](#security)** +- **[Bugs resolved](#bugs)** +- **[Feedback](#feedback)** + +## <a name="synopsis"></a>Synopsis + +| *Does this version...?* | | +|:--------------------------------------------------------------- |:-------:| +| **Fix security vulnerabilities?** | **yes** | +| Change the database schema? | no | +| Alter the API? | no | +| Require attention to configuration options? | no | +| Fix problems installing or upgrading to a previous version? | no | +| Introduce features? | no | +| **Fix bugs?** | **yes** | + +## <a name="security"></a>Security advisories +- **[CIVI-SA-2019-01](https://civicrm.org/advisory/civi-sa-2019-01-weak-access-control-for-file-attachments)**: + Weak access-control for file attachments +- **[CIVI-SA-2019-02](https://civicrm.org/advisory/civi-sa-2019-02-sqli-in-prevnext-cache)**: + SQL Injection in "PrevNext" Cache +- **[CIVI-SA-2019-03](https://civicrm.org/advisory/civi-sa-2019-03-xss-in-logging-details-report)**: + Cross-Site Scripting in "Logging Details" Report +- **[CIVI-SA-2019-04](https://civicrm.org/advisory/civi-sa-2019-04-sqli-in-group-tag-filters)**: + SQL Injection in Group and Tag Filters +- **[CIVI-SA-2019-05](https://civicrm.org/advisory/civi-sa-2019-05-xss-in-new-pledge-form)**: + Cross-Site Scripting in "New Pledge" Form +- **[CIVI-SA-2019-06](https://civicrm.org/advisory/civi-sa-2019-06-xss-in-contact-entity-reference-fields)**: + Cross-Site Scripting in Contact Reference Fields +- **[CIVI-SA-2019-07](https://civicrm.org/advisory/civi-sa-2019-07-limit-cross-domain-execution-by-jquery)**: + Limit Cross-Domain Execution by jQuery + +## <a name="bugs"></a>Bugs resolved + +### Core CiviCRM + +- **[dev/core#695](https://lab.civicrm.org/dev/core/issues/695) Custom Search + results selection failure and + [dev/core#679](https://lab.civicrm.org/dev/core/issues/679) Groups and Tags + affect search results when 
using Search Builder + ([13533](https://github.com/civicrm/civicrm-core/pull/13533))** + + This resolves some search regressions introduced in 5.9.0 relating to caching + and custom searches. + +- **[dev/core#737](https://lab.civicrm.org/dev/core/issues/737) Mass SMS not + sent when send time is set to immediately + ([13641](https://github.com/civicrm/civicrm-core/pull/13641))** + + This resolves an issue where if you selected to send a Bulk SMS immediately + it would not be sent because the scheduled date was set to NULL rather than + the current date and time. + +## <a name="feedback"></a>Feedback + +Security release notes are edited by Seamus Lee and Tim Otten, and release +notes generally are edited by Andrew Hunt. If you'd like to provide +feedback on them, please login to https://chat.civicrm.org/civicrm and +contact `@agh1`. diff --git a/civicrm/sql/civicrm_data.mysql b/civicrm/sql/civicrm_data.mysql index 71ac9abc01f49f92f18ebc3f349e616fa3fbe8cf..127546d2c896a623adf4c63ad5f9c4112e9590f4 100644 --- a/civicrm/sql/civicrm_data.mysql +++ b/civicrm/sql/civicrm_data.mysql 
@@ -24043,4 +24043,4 @@ INSERT INTO `civicrm_report_instance` ( `domain_id`, `title`, `report_id`, `description`, `permission`, `form_values`) VALUES ( @domainID, 'Survey Details', 'survey/detail', 'Detailed report for canvassing, phone-banking, walk lists or other surveys.', 'access CiviReport', 'a:39:{s:6:"fields";a:2:{s:9:"sort_name";s:1:"1";s:6:"result";s:1:"1";}s:22:"assignee_contact_id_op";s:2:"eq";s:25:"assignee_contact_id_value";s:0:"";s:12:"sort_name_op";s:3:"has";s:15:"sort_name_value";s:0:"";s:17:"street_number_min";s:0:"";s:17:"street_number_max";s:0:"";s:16:"street_number_op";s:3:"lte";s:19:"street_number_value";s:0:"";s:14:"street_name_op";s:3:"has";s:17:"street_name_value";s:0:"";s:15:"postal_code_min";s:0:"";s:15:"postal_code_max";s:0:"";s:14:"postal_code_op";s:3:"lte";s:17:"postal_code_value";s:0:"";s:7:"city_op";s:3:"has";s:10:"city_value";s:0:"";s:20:"state_province_id_op";s:2:"in";s:23:"state_province_id_value";a:0:{}s:13:"country_id_op";s:2:"in";s:16:"country_id_value";a:0:{}s:12:"survey_id_op";s:2:"in";s:15:"survey_id_value";a:0:{}s:12:"status_id_op";s:2:"eq";s:15:"status_id_value";s:1:"1";s:11:"custom_1_op";s:2:"in";s:14:"custom_1_value";a:0:{}s:11:"custom_2_op";s:2:"in";s:14:"custom_2_value";a:0:{}s:17:"custom_3_relative";s:1:"0";s:13:"custom_3_from";s:0:"";s:11:"custom_3_to";s:0:"";s:11:"description";s:75:"Detailed report for canvassing, phone-banking, walk lists or other surveys.";s:13:"email_subject";s:0:"";s:8:"email_to";s:0:"";s:8:"email_cc";s:0:"";s:10:"permission";s:17:"access CiviReport";s:6:"groups";s:0:"";s:9:"domain_id";i:1;}'); -UPDATE civicrm_domain SET version = '5.10.2'; +UPDATE civicrm_domain SET version = '5.10.3'; diff --git a/civicrm/sql/civicrm_generated.mysql b/civicrm/sql/civicrm_generated.mysql index 48cbdc92a31d7fcd07a11699b287811c12517791..554f0fd6be29752bbf44f58bb9aea584859edf01 100644 --- a/civicrm/sql/civicrm_generated.mysql +++ b/civicrm/sql/civicrm_generated.mysql 
@@ -399,7 +399,7 @@ UNLOCK TABLES; LOCK TABLES `civicrm_domain` WRITE; /*!40000 ALTER TABLE `civicrm_domain` DISABLE KEYS */; -INSERT INTO `civicrm_domain` (`id`, `name`, `description`, `config_backend`, `version`, `contact_id`, `locales`, `locale_custom_strings`) VALUES (1,'Default Domain Name',NULL,NULL,'5.10.2',1,NULL,'a:1:{s:5:\"en_US\";a:0:{}}'); +INSERT INTO `civicrm_domain` (`id`, `name`, `description`, `config_backend`, `version`, `contact_id`, `locales`, `locale_custom_strings`) VALUES (1,'Default Domain Name',NULL,NULL,'5.10.3',1,NULL,'a:1:{s:5:\"en_US\";a:0:{}}'); /*!40000 ALTER TABLE `civicrm_domain` ENABLE KEYS */; UNLOCK TABLES; diff --git a/civicrm/templates/CRM/Logging/ReportDetail.tpl b/civicrm/templates/CRM/Logging/ReportDetail.tpl index 1cd5ed2a64ac3f2c6f8dbe1ccae5be23e8baac9d..0c23360c848e630c50645695b3db43359fdd68f0 100644 --- a/civicrm/templates/CRM/Logging/ReportDetail.tpl +++ b/civicrm/templates/CRM/Logging/ReportDetail.tpl @@ -35,7 +35,7 @@ </dl> </div> {/if} - <p>{ts 1=$whom_url 2=$whom_name 3=$who_url 4=$who_name 5=$log_date}Change to <a href='%1'>%2</a> made by <a href='%3'>%4</a> on %5:{/ts}</p> + <p>{ts 1=$whom_url 2=$whom_name|escape 3=$who_url 4=$who_name|escape 5=$log_date}Change to <a href='%1'>%2</a> made by <a href='%3'>%4</a> on %5:{/ts}</p> {if $layout eq 'overlay'} {include file="CRM/Report/Form/Layout/Overlay.tpl"} {else} diff --git a/civicrm/vendor/autoload.php b/civicrm/vendor/autoload.php index cd0eaf2ddcefd8decc053670f730892ad793466a..0a099a095ae431a24801d9b6e1c1531baa12515e 100644 --- a/civicrm/vendor/autoload.php +++ b/civicrm/vendor/autoload.php @@ -4,4 +4,4 @@ require_once __DIR__ . '/composer/autoload_real.php'; -return ComposerAutoloaderInit5e718c4122bc7ae544699b96c7638091::getLoader(); +return ComposerAutoloaderInitebbfd5c6742662296f73aa7fff5d3c56::getLoader(); 
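Review bot: In the ReportDetail.tpl hunk the `{ts}` line now escapes `$whom_name` and `$who_name`, but `$whom_url` and `$who_url` still go unescaped into the single-quoted `href='%1'` and `href='%3'` attributes, and `$log_date` into the text. If any part of those values can carry user-influenced data, the same injection remains open through the attribute; how they are built is not visible in this hunk. If they are plain URLs that are not already entity-encoded, `1=$whom_url|escape 3=$who_url|escape` would close it. If the URL helper already HTML-encodes them, a short `{* urls are pre-encoded by the report class *}` comment would record why they are left alone.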
diff --git a/civicrm/vendor/composer/autoload_real.php b/civicrm/vendor/composer/autoload_real.php index 410673afc8a689200c7f72f3ca292efa004b0acc..e8dd42fac15c891f43bb16ed87b53bb30ea9793d 100644 --- a/civicrm/vendor/composer/autoload_real.php +++ b/civicrm/vendor/composer/autoload_real.php @@ -2,7 +2,7 @@ // autoload_real.php @generated by Composer -class ComposerAutoloaderInit5e718c4122bc7ae544699b96c7638091 +class ComposerAutoloaderInitebbfd5c6742662296f73aa7fff5d3c56 { private static $loader; @@ -19,9 +19,9 @@ class ComposerAutoloaderInit5e718c4122bc7ae544699b96c7638091 return self::$loader; } - spl_autoload_register(array('ComposerAutoloaderInit5e718c4122bc7ae544699b96c7638091', 'loadClassLoader'), true, true); + spl_autoload_register(array('ComposerAutoloaderInitebbfd5c6742662296f73aa7fff5d3c56', 'loadClassLoader'), true, true); self::$loader = $loader = new \Composer\Autoload\ClassLoader(); - spl_autoload_unregister(array('ComposerAutoloaderInit5e718c4122bc7ae544699b96c7638091', 'loadClassLoader')); + spl_autoload_unregister(array('ComposerAutoloaderInitebbfd5c6742662296f73aa7fff5d3c56', 'loadClassLoader')); $includePaths = require __DIR__ . '/include_paths.php'; $includePaths[] = get_include_path(); @@ -31,7 +31,7 @@ class ComposerAutoloaderInit5e718c4122bc7ae544699b96c7638091 if ($useStaticLoader) { require_once __DIR__ . '/autoload_static.php'; - call_user_func(\Composer\Autoload\ComposerStaticInit5e718c4122bc7ae544699b96c7638091::getInitializer($loader)); + call_user_func(\Composer\Autoload\ComposerStaticInitebbfd5c6742662296f73aa7fff5d3c56::getInitializer($loader)); } else { $map = require __DIR__ . '/autoload_namespaces.php'; foreach ($map as $namespace => $path) { 
@@ -52,19 +52,19 @@ class ComposerAutoloaderInit5e718c4122bc7ae544699b96c7638091 $loader->register(true); if ($useStaticLoader) { - $includeFiles = Composer\Autoload\ComposerStaticInit5e718c4122bc7ae544699b96c7638091::$files; + $includeFiles = Composer\Autoload\ComposerStaticInitebbfd5c6742662296f73aa7fff5d3c56::$files; } else { $includeFiles = require __DIR__ . '/autoload_files.php'; } foreach ($includeFiles as $fileIdentifier => $file) { - composerRequire5e718c4122bc7ae544699b96c7638091($fileIdentifier, $file); + composerRequireebbfd5c6742662296f73aa7fff5d3c56($fileIdentifier, $file); } return $loader; } } -function composerRequire5e718c4122bc7ae544699b96c7638091($fileIdentifier, $file) +function composerRequireebbfd5c6742662296f73aa7fff5d3c56($fileIdentifier, $file) { if (empty($GLOBALS['__composer_autoload_files'][$fileIdentifier])) { require $file; diff --git a/civicrm/vendor/composer/autoload_static.php b/civicrm/vendor/composer/autoload_static.php index c492da9f5019a9babe52a80e0962fce3c6234382..04e9a27292d8d16a874ddc46c70f7bbbbc6951c9 100644 --- a/civicrm/vendor/composer/autoload_static.php +++ b/civicrm/vendor/composer/autoload_static.php @@ -4,7 +4,7 @@ namespace Composer\Autoload; -class ComposerStaticInit5e718c4122bc7ae544699b96c7638091 +class ComposerStaticInitebbfd5c6742662296f73aa7fff5d3c56 { public static $files = array ( '320cde22f66dd4f5d3fd621d3e88b98f' => __DIR__ . '/..' . '/symfony/polyfill-ctype/bootstrap.php', 
@@ -397,10 +397,10 @@ class ComposerStaticInit5e718c4122bc7ae544699b96c7638091 public static function getInitializer(ClassLoader $loader) { return \Closure::bind(function () use ($loader) { - $loader->prefixLengthsPsr4 = ComposerStaticInit5e718c4122bc7ae544699b96c7638091::$prefixLengthsPsr4; - $loader->prefixDirsPsr4 = ComposerStaticInit5e718c4122bc7ae544699b96c7638091::$prefixDirsPsr4; - $loader->prefixesPsr0 = ComposerStaticInit5e718c4122bc7ae544699b96c7638091::$prefixesPsr0; - $loader->classMap = ComposerStaticInit5e718c4122bc7ae544699b96c7638091::$classMap; + $loader->prefixLengthsPsr4 = ComposerStaticInitebbfd5c6742662296f73aa7fff5d3c56::$prefixLengthsPsr4; + $loader->prefixDirsPsr4 = ComposerStaticInitebbfd5c6742662296f73aa7fff5d3c56::$prefixDirsPsr4; + $loader->prefixesPsr0 = ComposerStaticInitebbfd5c6742662296f73aa7fff5d3c56::$prefixesPsr0; + $loader->classMap = ComposerStaticInitebbfd5c6742662296f73aa7fff5d3c56::$classMap; }, null, ClassLoader::class); } diff --git a/civicrm/xml/version.xml b/civicrm/xml/version.xml index f57a6e688e5f2e8920a5f562398fd3a83bcd479c..d3ad50fc923276f0a74f2f7dae30d6e8dac08514 100644 --- a/civicrm/xml/version.xml +++ b/civicrm/xml/version.xml @@ -1,4 +1,4 @@ <?xml version="1.0" encoding="iso-8859-1" ?> <version> - <version_no>5.10.2</version_no> + <version_no>5.10.3</version_no> </version>