civicrm release-5.57.1

f0c754fd · Kevin Cristiano · 5a06868a · f0c754fd · f0c754fd · f0c754fd
Verified Commit f0c754fd authored 2 years ago by Kevin Cristiano
--- a/civicrm.php
+++ b/civicrm.php
@@ -2,7 +2,7 @@
 /**
 * Plugin Name: CiviCRM
 * Description: CiviCRM - Growing and Sustaining Relationships
- * Version: 5.57.0
+ * Version: 5.57.1
 * Requires at least: 4.9
 * Requires PHP:      7.2
 * Author: CiviCRM LLC
@@ -36,7 +36,7 @@ if (!defined('ABSPATH')) {
 }
 // Set version here: changing it forces Javascript and CSS to reload.
-define('CIVICRM_PLUGIN_VERSION', '5.57.0');
+define('CIVICRM_PLUGIN_VERSION', '5.57.1');
 // Store reference to this file.
 if (!defined('CIVICRM_PLUGIN_FILE')) {

--- a/civicrm/CRM/Financial/BAO/Order.php
+++ b/civicrm/CRM/Financial/BAO/Order.php
@@ -1246,7 +1246,7 @@ class CRM_Financial_BAO_Order {
        $lineItemTitle .= ' ' . CRM_Utils_String::ellipsify($description, 30);
      }
    }
-    return $lineItemTitle;
+    return $lineItemTitle ?? '';
  }
 }
--- a/civicrm/CRM/Utils/Check/Component/Security.php
+++ b/civicrm/CRM/Utils/Check/Component/Security.php
@@ -210,11 +210,11 @@ class CRM_Utils_Check_Component_Security extends CRM_Utils_Check_Component {
    if (!$found) {
      $messages[] = new CRM_Utils_Check_Message(
        __FUNCTION__,
-        ts('Some components and extensions may need to generate cryptographic signatures. Please configure <a %1>CIVICRM_SIGN_KEYS</a>. ',
+        ts('The system requires a cryptographic signing key. Please configure <a %1>CIVICRM_SIGN_KEYS</a>. ',
          [1 => 'href="https://docs.civicrm.org/sysadmin/en/latest/setup/secret-keys/" target="_blank"']
        ),
-        ts('Signing Key Recommended'),
+        ts('Signing Key Required'),
-        \Psr\Log\LogLevel::NOTICE,
+        \Psr\Log\LogLevel::ERROR,
        'fa-lock'
      );
    }

--- a/civicrm/CRM/Utils/Hook/Joomla.php
+++ b/civicrm/CRM/Utils/Hook/Joomla.php
@@ -73,6 +73,9 @@ class CRM_Utils_Hook_Joomla extends CRM_Utils_Hook {
        if (version_compare(JVERSION, '3.0', 'lt')) {
          $app = JCli::getInstance();
        }
+        elseif (version_compare(JVERSION, '4.0', 'lt')) {
+          $app = JApplicationCli::getInstance();
+        }
        else {
          $app = \Joomla\CMS\Factory::getApplication();
        }

--- a/civicrm/Civi/Core/AssetBuilder.php
+++ b/civicrm/Civi/Core/AssetBuilder.php
@@ -138,9 +138,14 @@ class AssetBuilder extends \Civi\Core\Service\AutoService {
    }
    else {
      return \CRM_Utils_System::url('civicrm/asset/builder', [
+        // The 'an' and 'ad' provide hints for cache lifespan and debugging/inspection.
        'an' => $name,
-        'ap' => $this->encode($params),
        'ad' => $this->digest($name, $params),
+        'aj' => \Civi::service('crypto.jwt')->encode([
+          'asset' => [$name, $params],
+          'exp' => 86400 * (floor(\CRM_Utils_Time::time() / 86400) + 2),
+          // Caching-friendly TTL -- We want the URL to be stable for a decent amount of time.
+        ], ['SIGN', 'WEAK_SIGN']),
      ], TRUE, NULL, FALSE);
    }
  }
@@ -281,7 +286,6 @@ class AssetBuilder extends \Civi\Core\Service\AutoService {
   * @return string
   */
  protected function digest($name, $params) {
-    // WISHLIST: For secure digest, generate+persist privatekey & call hash_hmac.
    ksort($params);
    $digest = md5(
      $name .
@@ -292,40 +296,6 @@ class AssetBuilder extends \Civi\Core\Service\AutoService {
    return $digest;
  }
-  /**
-   * Encode $params in a format that's optimized for shorter URLs.
-   *
-   * @param array $params
-   * @return string
-   */
-  protected function encode($params) {
-    if (empty($params)) {
-      return '';
-    }
-    $str = json_encode($params);
-    if (function_exists('gzdeflate')) {
-      $str = gzdeflate($str);
-    }
-    return base64_encode($str);
-  }
-  /**
-   * @param string $str
-   * @return array
-   */
-  protected function decode($str) {
-    if ($str === NULL || $str === FALSE || $str === '') {
-      return [];
-    }
-    $str = base64_decode($str);
-    if (function_exists('gzdeflate')) {
-      $str = gzinflate($str);
-    }
-    return json_decode($str, TRUE);
-  }
  /**
   * @return bool
   */
@@ -372,16 +342,9 @@ class AssetBuilder extends \Civi\Core\Service\AutoService {
      /** @var Assetbuilder $assets */
      $assets = \Civi::service('asset_builder');
-      $expectDigest = $assets->digest($get['an'], $assets->decode($get['ap']));
+      $obj = \Civi::service('crypto.jwt')->decode($get['aj'], ['SIGN', 'WEAK_SIGN']);
-      if ($expectDigest !== $get['ad']) {
+      $arr = json_decode(json_encode($obj), TRUE);
-        return [
+      return $assets->render($arr['asset'][0], $arr['asset'][1]);
-          'statusCode' => 500,
-          'mimeType' => 'text/plain',
-          'content' => 'Invalid digest',
-        ];
-      }
-      return $assets->render($get['an'], $assets->decode($get['ap']));
    }
    catch (UnknownAssetException $e) {
      return [

--- a/civicrm/Civi/Crypto/CryptoRegistry.php
+++ b/civicrm/Civi/Crypto/CryptoRegistry.php
@@ -84,6 +84,31 @@ class CryptoRegistry {
        $registry->addSymmetricKey($registry->parseKey($keyExpr) + $key);
      }
    }
+    else {
+      // If you are upgrading an old site that does not have a signing key, then there is a status-check advising you to fix it.
+      // But apparently the current site hasn't fixed it yet. The UI+AssetBuilder need to work long enough for sysadmin to discover/resolve.
+      // This fallback is sufficient for short-term usage in limited scenarios (AssetBuilder=>OK; AuthX=>No).
+      // In a properly configured system, the WEAK_SIGN key is strictly unavailable - s.t. a normal site never uses WEAK_SIGN.
+      $registry->addSymmetricKey([
+        'tags' => ['WEAK_SIGN'],
+        'suite' => 'jwt-hs256',
+        'key' => hash_hkdf('sha256',
+          json_encode([
+            // DSN's and site-keys should usually be sufficient, but it's not strongly guaranteed,
+            // so we'll toss in more spaghetti. (At a minimum, this should mitigate bots/crawlers.)
+            \CRM_Utils_Constant::value('CIVICRM_DSN'),
+            \CRM_Utils_Constant::value('CIVICRM_UF_DSN'),
+            \CRM_Utils_Constant::value('CIVICRM_SITE_KEY') ?: $GLOBALS['civicrm_root'],
+            \CRM_Utils_Constant::value('CIVICRM_UF_BASEURL'),
+            \CRM_Utils_Constant::value('CIVICRM_DB_CACHE_PASSWORD'),
+            \CRM_Utils_System::getSiteID(),
+            \CRM_Utils_System::version(),
+            \CRM_Core_Config::singleton()->userSystem->getVersion(),
+            $_SERVER['HTTP_HOST'] ?? '',
+          ])
+        ),
+      ]);
+    }
    //if (isset($_COOKIE['CIVICRM_FORM_KEY'])) {
    //  $crypto->addSymmetricKey([
@@ -243,14 +268,15 @@ class CryptoRegistry {
  /**
   * Find all the keys that apply to a tag.
   *
-   * @param string $keyTag
+   * @param string|string[] $keyTag
   *
   * @return array
   *   List of keys, indexed by id, ordered by weight.
   */
  public function findKeysByTag($keyTag) {
+    $keyTag = (array) $keyTag;
    $keys = array_filter($this->keys, function ($key) use ($keyTag) {
-      return in_array($keyTag, $key['tags'] ?? []);
+      return !empty(array_intersect($keyTag, $key['tags'] ?? []));
    });
    uasort($keys, function($a, $b) {
      return ($a['weight'] ?? 0) - ($b['weight'] ?? 0);

--- a/civicrm/civicrm-version.php
+++ b/civicrm/civicrm-version.php
 <?php
 /** @deprecated */
 function civicrmVersion( ) {
-  return array( 'version'  => '5.57.0',
+  return array( 'version'  => '5.57.1',
                'cms'      => 'Wordpress',
                'revision' => '' );
 }

--- a/civicrm/ext/afform/admin/info.xml
+++ b/civicrm/ext/afform/admin/info.xml
@@ -13,7 +13,7 @@
    <url desc="Licensing">http://www.gnu.org/licenses/agpl-3.0.html</url>
  </urls>
  <releaseDate>2020-01-09</releaseDate>
-  <version>5.57.0</version>
+  <version>5.57.1</version>
  <develStage>beta</develStage>
  <compatibility>
    <ver>5.57</ver>

--- a/civicrm/ext/afform/core/info.xml
+++ b/civicrm/ext/afform/core/info.xml
@@ -13,7 +13,7 @@
    <url desc="Licensing">http://www.gnu.org/licenses/agpl-3.0.html</url>
  </urls>
  <releaseDate>2020-01-09</releaseDate>
-  <version>5.57.0</version>
+  <version>5.57.1</version>
  <develStage>beta</develStage>
  <compatibility>
    <ver>5.57</ver>

--- a/civicrm/ext/afform/html/info.xml
+++ b/civicrm/ext/afform/html/info.xml
@@ -13,7 +13,7 @@
    <url desc="Licensing">http://www.gnu.org/licenses/agpl-3.0.html</url>
  </urls>
  <releaseDate>2020-01-09</releaseDate>
-  <version>5.57.0</version>
+  <version>5.57.1</version>
  <develStage>alpha</develStage>
  <compatibility>
    <ver>5.57</ver>

--- a/civicrm/ext/afform/mock/info.xml
+++ b/civicrm/ext/afform/mock/info.xml
@@ -12,7 +12,7 @@
    <url desc="Licensing">http://www.gnu.org/licenses/agpl-3.0.html</url>
  </urls>
  <releaseDate>2020-01-09</releaseDate>
-  <version>5.57.0</version>
+  <version>5.57.1</version>
  <tags>
    <tag>mgmt:hidden</tag>
  </tags>

--- a/civicrm/ext/authx/info.xml
+++ b/civicrm/ext/authx/info.xml
@@ -15,7 +15,7 @@
    <url desc="Licensing">http://www.gnu.org/licenses/agpl-3.0.html</url>
  </urls>
  <releaseDate>2021-02-11</releaseDate>
-  <version>5.57.0</version>
+  <version>5.57.1</version>
  <develStage>stable</develStage>
  <compatibility>
    <ver>5.57</ver>

--- a/civicrm/ext/civicrm_admin_ui/info.xml
+++ b/civicrm/ext/civicrm_admin_ui/info.xml
@@ -15,7 +15,7 @@
    <url desc="Licensing">http://www.gnu.org/licenses/agpl-3.0.html</url>
  </urls>
  <releaseDate>2022-01-02</releaseDate>
-  <version>5.57.0</version>
+  <version>5.57.1</version>
  <develStage>alpha</develStage>
  <compatibility>
    <ver>5.57</ver>

--- a/civicrm/ext/civigrant/info.xml
+++ b/civicrm/ext/civigrant/info.xml
@@ -13,7 +13,7 @@
    <url desc="Licensing">http://www.gnu.org/licenses/agpl-3.0.html</url>
  </urls>
  <releaseDate>2021-11-11</releaseDate>
-  <version>5.57.0</version>
+  <version>5.57.1</version>
  <develStage>stable</develStage>
  <compatibility>
    <ver>5.57</ver>

--- a/civicrm/ext/civiimport/info.xml
+++ b/civicrm/ext/civiimport/info.xml
@@ -15,7 +15,7 @@
    <url desc="Licensing">http://www.gnu.org/licenses/agpl-3.0.html</url>
  </urls>
  <releaseDate>2022-08-11</releaseDate>
-  <version>5.57.0</version>
+  <version>5.57.1</version>
  <develStage>alpha</develStage>
  <compatibility>
    <ver>5.57</ver>

--- a/civicrm/ext/ckeditor4/info.xml
+++ b/civicrm/ext/ckeditor4/info.xml
@@ -15,7 +15,7 @@
    <url desc="Licensing">https://www.gnu.org/licenses/agpl-3.0.html</url>
  </urls>
  <releaseDate>2021-05-23</releaseDate>
-  <version>5.57.0</version>
+  <version>5.57.1</version>
  <develStage>stable</develStage>
  <compatibility>
    <ver>5.57</ver>

--- a/civicrm/ext/contributioncancelactions/info.xml
+++ b/civicrm/ext/contributioncancelactions/info.xml
@@ -15,7 +15,7 @@
    <url desc="Licensing">http://www.gnu.org/licenses/agpl-3.0.html</url>
  </urls>
  <releaseDate>2020-10-12</releaseDate>
-  <version>5.57.0</version>
+  <version>5.57.1</version>
  <develStage>stable</develStage>
  <compatibility>
    <ver>5.57</ver>

--- a/civicrm/ext/elavon/info.xml
+++ b/civicrm/ext/elavon/info.xml
@@ -15,7 +15,7 @@
    <url desc="Licensing">http://www.gnu.org/licenses/agpl-3.0.html</url>
  </urls>
  <releaseDate>2022-08-05</releaseDate>
-  <version>5.57.0</version>
+  <version>5.57.1</version>
  <develStage>stable</develStage>
  <compatibility>
    <ver>5.57</ver>

--- a/civicrm/ext/eventcart/info.xml
+++ b/civicrm/ext/eventcart/info.xml
@@ -13,7 +13,7 @@
    <url desc="Licensing">http://www.gnu.org/licenses/agpl-3.0.html</url>
  </urls>
  <releaseDate>2020-08-03</releaseDate>
-  <version>5.57.0</version>
+  <version>5.57.1</version>
  <tags>
    <tag>mgmt:hidden</tag>
  </tags>

--- a/civicrm/ext/ewaysingle/info.xml
+++ b/civicrm/ext/ewaysingle/info.xml
@@ -15,7 +15,7 @@
    <url desc="Licensing">http://www.gnu.org/licenses/agpl-3.0.html</url>
  </urls>
  <releaseDate>2020-10-07</releaseDate>
-  <version>5.57.0</version>
+  <version>5.57.1</version>
  <tags>
    <tag>mgmt:hidden</tag>
  </tags>