Merge commit 'c49eef93f50c665a3d7a6b2aa6387ccd46e059f5' into temp

* commit 'c49eef93f50c665a3d7a6b2aa6387ccd46e059f5':
  Removed invalid constructor call
  Fixed wrong old-style constructor usage
  EZP-31040: Remote Code Execution in file uploads
  Show images after used url_prefix (ezsystems#1453)
  improve php 7 bc doc (ezsystems#1452)
  Fix notice when checking for anonymous  classes in autoload generator (ezsystems#1450)
  Do not support literal HTML in the Administration Interface (ezsystems#1408)
  Fix transformURI() on ignoreIndexDir & ! htmlEscape (ezsystems#1449)
  Make autoloads ignore anonymous classes (ezsystems#1448)
  Update php7.md
  Fixing search in media lib which used to loose context (ezsystems#1433)
  [Travis] Add testing for PHP 7.2 and 7.3 (ezsystems#1446)
  EZP-30834: remove strtotime function from the trashed-days option (ezsystems#1441)
  Fix instances of count() that would cause a warning in 7.2
  Updated dbupdate scripts so they will no longer fail when there are multiple users with the same e-mail (ezsystems#1445)

.travis.yml

@@ -32,9 +32,11 @@ matrix:
       env: DB="postgresql" DB_USER="postgres"
     - php: 7.1
       env: DB="mysql" DB_USER="root"
-# Will need to update phpunit for this: https://travis-ci.org/ezsystems/ezpublish-legacy/jobs/279543965#L625
-#    - php: 7.2
-#      env: DB="postgresql" DB_USER="postgres"
+    - php: 7.2
+      env: DB="postgresql" DB_USER="postgres"
+    - php: 7.3
+      env: DB="mysql" DB_USER="root"
+
 
 before_script:
   - if [ $DB == "mysql" ]; then mysql -e "CREATE DATABASE IF NOT EXISTS $DB_NAME;" -u$DB_USER ; fi

autoload/ezp_kernel.php

@@ -176,6 +176,7 @@
       'eZExtensionPackageHandler'                          => 'kernel/classes/packagehandlers/ezextension/ezextensionpackagehandler.php',
       'eZFSFileHandler'                                    => 'kernel/classes/clusterfilehandlers/ezfsfilehandler.php',
       'eZFile'                                             => 'lib/ezfile/classes/ezfile.php',
+      'eZFileExtensionBlackListValidator'                  => 'lib/ezutils/classes/ezfileextensionblacklistvalidator.php',
       'eZFileHandler'                                      => 'lib/ezfile/classes/ezfilehandler.php',
       'eZFilePackageHandler'                               => 'kernel/classes/packagehandlers/ezfile/ezfilepackagehandler.php',
       'eZFilePassthroughHandler'                           => 'kernel/classes/binaryhandlers/ezfilepassthrough/ezfilepassthroughhandler.php',

bin/php/trashpurge.php

@@ -47,7 +47,7 @@
     $purgeHandler->run(
         $options['iteration-limit'] ? (int)$options['iteration-limit'] : null,
         $options['iteration-sleep'] ? (int)$options['iteration-sleep'] : null,
-        $options['trashed-days']    ? strtotime( "-{$options['trashed-days']} days" ) : null
+        $options['trashed-days']    ? (int)$options['trashed-days'] : null
     )
 )
 {

composer.json

@@ -61,7 +61,7 @@
         "zetacomponents/webdav": "~1.1"
     },
     "require-dev": {
-        "phpunit/phpunit": "3.7.*",
+        "phpunit/phpunit": "4.8.36",
         "zetacomponents/php-generator": "~1.1"
     },
     "autoload": {

design/admin/templates/content/datatype/view/ezxmltags/literal.tpl

@@ -0,0 +1 @@
+{* Do not output literal HTML in the Administration Interface *}<pre{if ne($classification|trim,'')} class="{$classification|wash}"{/if}>{$content|wash(xhtml)}</pre>

doc/bc/5.90/php7.md

@@ -1,13 +1,19 @@
 # PHP 7 support
 
+## PHP 7.0 support
 
 For the [2017.10 release](https://github.com/ezsystems/ezpublish-legacy/releases/tag/v2017.10.0),
-eZ Publish recived changes to switch to PHP 5 style constuctors all over the code base.
+eZ Publish received changes all over the code base, switching object constructor methods to PHP 5 style.
 
-Reason is to reach full PHP 7 support by avoiding deprecation warnings for still using PHP 4
+The reason is to achieve full PHP 7.0 support by avoiding the deprecation warnings when using PHP 4
 style constructors.
 
-Here is an example of how you might need to adapt for this change in your code:
+Care has been taken to keep around compatibility functions in all known cases to avoid fatal errors
+for custom extensions, however to avoid warnings you might need to adapt your code as well.
+
+Common cases are classes extending `eZPersistentObject` or `eZDataType`.
+
+Here is an example of how you should adapt your code for the constructor change:
 
 ```diff
 diff --git a/classes/ezfindresultnode.php b/classes/ezfindresultnode.php
@@ -25,29 +31,44 @@ index fafca310..b6462159 100644
              $this->ContentObjectID = $rows['id'];
 ```
 
-Other more common examples are classes extending `eZPersistentObject` or `eZDataType`.
+For best results you should also consider changing your own code to use PHP 5 style constructors.
+In the example above that would mean renaming `function eZFindResultNode` to `function __construct` and,
+if you think that other code might exist which extends the `eZFindResultNode` class, add back a courtesy 
+`eZFindResultNode` function that does nothing but call `__construct`
+
+Further reading:
+- http://php.net/manual/en/language.oop5.decon.php
+- https://www.php.net/manual/en/migration70.incompatible.php
+- https://www.php.net/manual/en/migration71.incompatible.php
+
+## PHP 7.2 support
+
+Starting with the 2019.03 release, issues happening on PHP 7.2 and PHP 7.3 have been fixed, but in your own code you'll
+also need to handle some of those.
 
-You should also consider changing your own code to use PHP 5 style constructor while doing this,
-in example above that would imply changing `function eZFindResultNode` to `function __construct`.
+Most notable is the `Warn when counting non-countable types` change, added in PHP 7.2.
 
-Further reading: http://php.net/manual/en/language.oop5.decon.phpi
+To handle this across all supported PHP versions, we introduced use of [symfony/polyfill-php73](https://github.com/symfony/polyfill-php73)
+package, witch backports PHP 7.3's function [is_countable](https://www.php.net/is_countable).
 
+Here is an example of changes you might need to apply in your own code to work around that:
 
-Note: You should also increase requriment for ezplublish-legacy once the above changes are done like following example:
 ```diff
-diff --git a/composer.json b/composer.json
-index de225eb1..d0389c6d 100644
---- a/composer.json
-+++ b/composer.json
-@@ -11,7 +11,8 @@
-     ],
-     "minimum-stability": "dev",
-     "require": {
--        "ezsystems/ezpublish-legacy-installer": "*"
-+        "ezsystems/ezpublish-legacy-installer": "*",
-+        "ezsystems/ezpublish-legacy": ">=2017.10"
-     },
-     "extra": {
-         "ezpublish-legacy-extension-name": "ezfind"
+diff --git a/kernel/common/eztemplatedesignresource.php b/kernel/common/eztemplatedesignresource.php
+index b0fc28faa9a..9b8ca2a8d94 100644
+--- a/kernel/common/eztemplatedesignresource.php
++++ b/kernel/common/eztemplatedesignresource.php
+@@ -86,7 +86,7 @@ function templateNodeTransformation( $functionName, &$node,
+                 $matchCount = 0;
+                 foreach ( $customMatchList as $customMatch )
+                 {
+-                    $matchConditionCount = count( $customMatch['conditions'] );
++                    $matchConditionCount = is_countable( $customMatch['conditions'] ) ? count( $customMatch['conditions'] ) : 0;
+                     $code = '';
+                     if ( $matchCount > 0 )
+                     {
 ```
 
+Further reading:
+- https://www.php.net/manual/en/migration72.incompatible.php
+- https://www.php.net/manual/en/migration73.incompatible.php

extension/ezjscore/classes/ezjscajaxcontent.php

@@ -478,6 +478,10 @@ function ( &$element, $key )
                                     (string)$element, 'UTF-8'
                                 );
                             }
+                            if( $key === 'url' )
+                            {
+                                eZURI::transformURI( $element, true );
+                            }
                         }
                     );
 

extension/ezoe/design/standard/javascript/ezoe/popup_utils.js

@@ -843,7 +843,7 @@ var eZOEPopupUtils = {
                    {
                        tag = document.createElement("span");
                        tag.className = 'image_preview';
-                       var previewUrl = ed.settings.ez_root_url + encodeURI( n.data_map[ n.image_attributes[imageIndex] ].content[eZOEPopupUtils.settings.browseImageAlias].url )
+                       var previewUrl = encodeURI( n.data_map[ n.image_attributes[imageIndex] ].content[eZOEPopupUtils.settings.browseImageAlias].url )
                        tag.innerHTML += ' <a href="#">' + ed.getLang('preview.preview_desc')  + '<img src="' + previewUrl + '" /></a>';
                        td.appendChild( tag );
                        hasImage = true;

extension/ezoe/design/standard/templates/ezoe/tag_embed_images.tpl

@@ -55,7 +55,7 @@ tinyMCEPopup.onInit.add( eZOEPopupUtils.BIND( eZOEPopupUtils.init, window, {
         else
         {
            var imageAtr   = eZOEPopupUtils.embedObject['data_map'][ imageAttributes[0] ], imageSizeObj = imageAtr['content'][ args['alt'] ];
-           args['src']    = ed.settings.ez_root_url + imageSizeObj['url'];
+           args['src']    = imageSizeObj['url'];
            args['title']  = eZOEPopupUtils.safeHtml( imageAtr['alternative_text'] || eZOEPopupUtils.embedObject['name'] );
            args['width']  = imageSizeObj['width'];
            args['height'] = imageSizeObj['height'];
@@ -153,7 +153,7 @@ function loadImageSize( e, el )
     }
     else if ( attribObj[size] )
     {
-        previewImageNode.attr( 'src', eds.ez_root_url + attribObj[size]['url'] );
+        previewImageNode.attr( 'src', attribObj[size]['url'] );
         tinyMCEPopup.resizeToInnerSize();
     }
     else
@@ -165,7 +165,7 @@ function loadImageSize( e, el )
             {
                 var size = jQuery('#embed_size_source').val(), imageAttributes = eZOEPopupUtils.embedObject['image_attributes'];
                 eZOEPopupUtils.embedObject['data_map'][ imageAttributes[0] ]['content'][ size ] = data['content']['data_map'][ imageAttributes[0] ]['content'][ size ];
-                previewImageNode.attr( 'src', eds.ez_root_url + eZOEPopupUtils.embedObject['data_map'][ imageAttributes[0] ]['content'][ size ]['url'] );
+                previewImageNode.attr( 'src', eZOEPopupUtils.embedObject['data_map'][ imageAttributes[0] ]['content'][ size ]['url'] );
             }
         });
     }

extension/ezoe/ezxmltext/handlers/input/ezoexmlinput.php

@@ -1208,7 +1208,8 @@ function inputTagXML( &$tag, $currentSectionLevel, $tdSectionLevel = null )
                             if ( $content->hasAttribute( $size ) )
                             {
                                 $imageAlias  = $content->imageAlias( $size );
-                                $srcString   = $URL . '/' . $imageAlias['url'];
+                                eZURI::transformURI( $imageAlias['url'], true );
+                                $srcString   = $imageAlias['url'];
                                 $imageWidth  = $imageAlias['width'];
                                 $imageHeight = $imageAlias['height'];
                                 break;

kernel/classes/datatypes/ezbinaryfile/ezbinaryfiletype.php

@@ -27,6 +27,7 @@ public function __construct()
     {
         parent::__construct( self::DATA_TYPE_STRING, ezpI18n::tr( 'kernel/classes/datatypes', "File", 'Datatype name' ),
                            array( 'serialize_supported' => true ) );
+        $this->FileExtensionBlackListValidator = new eZFileExtensionBlackListValidator();
     }
 
     /*!
@@ -246,16 +247,38 @@ function validateObjectAttributeHTTPInput( $http, $base, $contentObjectAttribute
         $httpFileName = $base . "_data_binaryfilename_" . $contentObjectAttribute->attribute( "id" );
         $maxSize = 1024 * 1024 * $classAttribute->attribute( self::MAX_FILESIZE_FIELD );
 
-        if ( $contentObjectAttribute->validateIsRequired() )
+        $contentObjectAttributeID = $contentObjectAttribute->attribute( 'id' );
+        $version = $contentObjectAttribute->attribute( 'version' );
+        $binary = eZBinaryFile::fetch( $contentObjectAttributeID, $version );
+        $extensionsBlackList = implode(', ', $this->FileExtensionBlackListValidator->extensionsBlackList() );
+        if ( $binary === null )
         {
-            $contentObjectAttributeID = $contentObjectAttribute->attribute( "id" );
-            $version = $contentObjectAttribute->attribute( "version" );
-            $binary = eZBinaryFile::fetch( $contentObjectAttributeID, $version );
-            if ( $binary === null )
+            if ( $contentObjectAttribute->validateIsRequired() )
             {
                 $mustUpload = true;
             }
         }
+        else
+        {
+            $state = $this->FileExtensionBlackListValidator->validate( $binary->attribute( 'filename' ) );
+            if ( $state === eZInputValidator::STATE_INVALID || $state === eZInputValidator::STATE_INTERMEDIATE )
+            {
+                $contentObjectAttribute->setValidationError( ezpI18n::tr( 'kernel/classes/datatypes',
+                    "A valid file is required. The following file extensions are blacklisted: $extensionsBlackList" ) );
+                return eZInputValidator::STATE_INVALID;
+            }
+        }
+
+        if ( isset( $_FILES[$httpFileName] ) && $_FILES[$httpFileName]['tmp_name'] !== '')
+        {
+            $state = $this->FileExtensionBlackListValidator->validate( $_FILES[$httpFileName]['name'] );
+            if ( $state === eZInputValidator::STATE_INVALID || $state === eZInputValidator::STATE_INTERMEDIATE )
+            {
+                $contentObjectAttribute->setValidationError( ezpI18n::tr( 'kernel/classes/datatypes',
+                    "A valid file is required. The following file extensions are blacklisted: $extensionsBlackList" ) );
+                return eZInputValidator::STATE_INVALID;
+            }
+        }
 
         $canFetchResult = eZHTTPFile::canFetch( $httpFileName, $maxSize );
         if ( $mustUpload && $canFetchResult == eZHTTPFile::UPLOADEDFILE_DOES_NOT_EXIST )
@@ -290,6 +313,11 @@ function fetchObjectAttributeHTTPInput( $http, $base, $contentObjectAttribute )
             return false;
         }
 
+        if ( $this->validateObjectAttributeHTTPInput( $http, $base, $contentObjectAttribute ) !== eZInputValidator::STATE_ACCEPTED )
+        {
+            return false;
+        }
+
         if ( !eZHTTPFile::canFetch( $base . "_data_binaryfilename_" . $contentObjectAttribute->attribute( "id" ) ) )
             return false;
 
@@ -765,6 +793,10 @@ private function isDeletingFile( eZHTTPTool $http, eZContentObjectAttribute $con
 
         return $isDeletingFile;
     }
+
+    /// \privatesection
+    /// The file extension blacklist validator
+    private $FileExtensionBlackListValidator;
 }
 
 eZDataType::register( eZBinaryFileType::DATA_TYPE_STRING, "eZBinaryFileType" );

kernel/classes/datatypes/ezimage/ezimagetype.php

@@ -27,6 +27,7 @@ public function __construct()
     {
         parent::__construct( self::DATA_TYPE_STRING, ezpI18n::tr( 'kernel/classes/datatypes', "Image", 'Datatype name' ),
                            array( 'serialize_supported' => true ) );
+        $this->FileExtensionBlackListValidator = new eZFileExtensionBlackListValidator();
     }
 
     function initializeObjectAttribute( $contentObjectAttribute, $currentVersion, $originalContentObjectAttribute )
@@ -210,16 +211,25 @@ function validateObjectAttributeHTTPInput( $http, $base, $contentObjectAttribute
         $maxSize = 1024 * 1024 * $classAttribute->attribute( self::FILESIZE_FIELD );
         $mustUpload = false;
 
+        $tmpImgObj = $contentObjectAttribute->attribute( 'content' );
+        $original = $tmpImgObj->attribute( 'original' );
         if( $contentObjectAttribute->validateIsRequired() )
         {
-            $tmpImgObj = $contentObjectAttribute->attribute( 'content' );
-            $original = $tmpImgObj->attribute( 'original' );
             if ( !$original['is_valid'] )
             {
                 $mustUpload = true;
             }
         }
 
+        $extensionsBlackList = implode(', ', $this->FileExtensionBlackListValidator->extensionsBlackList() );
+        $state = $this->FileExtensionBlackListValidator->validate( $original['filename'] );
+        if ( $state === eZInputValidator::STATE_INVALID || $state === eZInputValidator::STATE_INTERMEDIATE )
+        {
+            $contentObjectAttribute->setValidationError( ezpI18n::tr( 'kernel/classes/datatypes',
+                "A valid file is required. The following file extensions are blacklisted: $extensionsBlackList" ) );
+            return eZInputValidator::STATE_INVALID;
+        }
+
         $canFetchResult = eZHTTPFile::canFetch( $httpFileName, $maxSize );
         if ( isset( $_FILES[$httpFileName] ) and  $_FILES[$httpFileName]["tmp_name"] != "" )
         {
@@ -231,6 +241,14 @@ function validateObjectAttributeHTTPInput( $http, $base, $contentObjectAttribute
                 return eZInputValidator::STATE_INVALID;
              }
 
+             $state = $this->FileExtensionBlackListValidator->validate( $_FILES[$httpFileName]['name'] );
+             if ( $state === eZInputValidator::STATE_INVALID || $state === eZInputValidator::STATE_INTERMEDIATE )
+             {
+                 $contentObjectAttribute->setValidationError( ezpI18n::tr( 'kernel/classes/datatypes',
+                     "A valid file is required. The following file extensions are on the blacklist: $extensionsBlackList" ) );
+                 return eZInputValidator::STATE_INVALID;
+             }
+
              if ( !self::validateImageFileExtension( $_FILES[$httpFileName]['name'] ) )
              {
                  $contentObjectAttribute->setValidationError( ezpI18n::tr( 'kernel/classes/datatypes',
@@ -652,6 +670,10 @@ function postStore( $objectAttribute )
             eZImageFile::appendFilepath( $objectAttributeId, $url, true );
         }
     }
+
+    /// \privatesection
+    /// The file extension blacklist validator
+    private $FileExtensionBlackListValidator;
 }
 
 eZDataType::register( eZImageType::DATA_TYPE_STRING, "eZImageType" );