diff --git a/composer.json b/composer.json
index 9d9b7bf4df6c8ab04751b19182b30e82cc1c088a..8f9c1781aee3522bbe59aaeffe67bd6f856ab1fc 100644
--- a/composer.json
+++ b/composer.json
@@ -107,7 +107,7 @@
"drupal/config_update": "^1.5",
"drupal/console": "^1",
"drupal/content_access": "1.0-alpha1",
- "drupal/core": "8.6.13",
+ "drupal/core": "^8.6",
"drupal/crop": "2.0-rc1",
"drupal/ctools": "3.0",
"drupal/ctools_views": "3.0",
diff --git a/composer.lock b/composer.lock
index 529515edf1cea6afeceb8449a6240383bd9d5a54..e7d86359a61c562b2ee6eb10f3b7277212f6fe70 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
"This file is @generated automatically"
],
- "content-hash": "83c37b3e20a43996d81b885e3e5e498c",
+ "content-hash": "d57a48dd84079ed2212fe2b3563de84d",
"packages": [
{
"name": "alchemy/zippy",
@@ -2645,16 +2645,16 @@
},
{
"name": "drupal/core",
- "version": "8.6.13",
+ "version": "8.6.15",
"source": {
"type": "git",
"url": "https://github.com/drupal/core.git",
- "reference": "8d5b80030ac3f13df2d66aeef0ea388fd9a90632"
+ "reference": "936456cdeac25c6bbd2f55b0d587239c6a81ba86"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/drupal/core/zipball/8d5b80030ac3f13df2d66aeef0ea388fd9a90632",
- "reference": "8d5b80030ac3f13df2d66aeef0ea388fd9a90632",
+ "url": "https://api.github.com/repos/drupal/core/zipball/936456cdeac25c6bbd2f55b0d587239c6a81ba86",
+ "reference": "936456cdeac25c6bbd2f55b0d587239c6a81ba86",
"shasum": ""
},
"require": {
@@ -2685,9 +2685,9 @@
"symfony-cmf/routing": "^1.4",
"symfony/class-loader": "~3.4.0",
"symfony/console": "~3.4.0",
- "symfony/dependency-injection": "~3.4.0",
+ "symfony/dependency-injection": "~3.4.26",
"symfony/event-dispatcher": "~3.4.0",
- "symfony/http-foundation": "~3.4.14",
+ "symfony/http-foundation": "~3.4.26",
"symfony/http-kernel": "~3.4.14",
"symfony/polyfill-iconv": "^1.0",
"symfony/process": "~3.4.0",
@@ -2883,7 +2883,7 @@
"GPL-2.0-or-later"
],
"description": "Drupal is an open source content management platform powering millions of websites and applications.",
- "time": "2019-03-20T06:01:19+00:00"
+ "time": "2019-04-17T20:00:11+00:00"
},
{
"name": "drupal/crop",
diff --git a/vendor/composer/installed.json b/vendor/composer/installed.json
index f562679b8e65553f12318b32f25cba9c310308ba..9b5c6855df7544df0dc95cb7ffe603742ce82b90 100644
--- a/vendor/composer/installed.json
+++ b/vendor/composer/installed.json
@@ -2736,17 +2736,17 @@
},
{
"name": "drupal/core",
- "version": "8.6.13",
- "version_normalized": "8.6.13.0",
+ "version": "8.6.15",
+ "version_normalized": "8.6.15.0",
"source": {
"type": "git",
"url": "https://github.com/drupal/core.git",
- "reference": "8d5b80030ac3f13df2d66aeef0ea388fd9a90632"
+ "reference": "936456cdeac25c6bbd2f55b0d587239c6a81ba86"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/drupal/core/zipball/8d5b80030ac3f13df2d66aeef0ea388fd9a90632",
- "reference": "8d5b80030ac3f13df2d66aeef0ea388fd9a90632",
+ "url": "https://api.github.com/repos/drupal/core/zipball/936456cdeac25c6bbd2f55b0d587239c6a81ba86",
+ "reference": "936456cdeac25c6bbd2f55b0d587239c6a81ba86",
"shasum": ""
},
"require": {
@@ -2777,9 +2777,9 @@
"symfony-cmf/routing": "^1.4",
"symfony/class-loader": "~3.4.0",
"symfony/console": "~3.4.0",
- "symfony/dependency-injection": "~3.4.0",
+ "symfony/dependency-injection": "~3.4.26",
"symfony/event-dispatcher": "~3.4.0",
- "symfony/http-foundation": "~3.4.14",
+ "symfony/http-foundation": "~3.4.26",
"symfony/http-kernel": "~3.4.14",
"symfony/polyfill-iconv": "^1.0",
"symfony/process": "~3.4.0",
@@ -2919,7 +2919,7 @@
"symfony/debug": "^3.4.0",
"symfony/phpunit-bridge": "^3.4.3"
},
- "time": "2019-03-20T06:01:19+00:00",
+ "time": "2019-04-17T20:00:11+00:00",
"type": "drupal-core",
"extra": {
"merge-plugin": {
diff --git a/web/core/assets/vendor/jquery/jquery-extend-3.4.0.js b/web/core/assets/vendor/jquery/jquery-extend-3.4.0.js
new file mode 100644
index 0000000000000000000000000000000000000000..763cde72058f6a8c7d81903c9e6170fa34ea796f
--- /dev/null
+++ b/web/core/assets/vendor/jquery/jquery-extend-3.4.0.js
@@ -0,0 +1,111 @@
+/**
+ * For jQuery versions less than 3.4.0, this replaces the jQuery.extend
+ * function with the one from jQuery 3.4.0, slightly modified (documented
+ * below) to be compatible with older jQuery versions.
+ *
+ * This provides the Object.prototype pollution vulnerability fix to Drupal
+ * installations running older jQuery versions, including the version (3.2.1)
+ * shipped with Drupal core.
+ *
+ * @see https://github.com/jquery/jquery/pull/4333
+ */
+
+(function (jQuery) {
+
+// Do not override jQuery.extend() if the jQuery version is already >=3.4.0.
+var versionParts = jQuery.fn.jquery.split('.');
+var majorVersion = parseInt(versionParts[0]);
+var minorVersion = parseInt(versionParts[1]);
+var patchVersion = parseInt(versionParts[2]);
+var isPreReleaseVersion = (patchVersion.toString() !== versionParts[2]);
+if (
+ (majorVersion > 3) ||
+ (majorVersion === 3 && minorVersion > 4) ||
+ (majorVersion === 3 && minorVersion === 4 && patchVersion > 0) ||
+ (majorVersion === 3 && minorVersion === 4 && patchVersion === 0 && !isPreReleaseVersion)
+) {
+ return;
+}
+
+/**
+ * This is almost verbatim copied from jQuery 3.4.0.
+ *
+ * Only one minor change has been made:
+ * - The call to isFunction() is changed to jQuery.isFunction().
+ *
+ * The above change ensures compatibility with older jQuery versions,
+ * including 3.2.1 which is shipped with Drupal core.
+ */
+jQuery.extend = jQuery.fn.extend = function() {
+ var options, name, src, copy, copyIsArray, clone,
+ target = arguments[ 0 ] || {},
+ i = 1,
+ length = arguments.length,
+ deep = false;
+
+ // Handle a deep copy situation
+ if ( typeof target === "boolean" ) {
+ deep = target;
+
+ // Skip the boolean and the target
+ target = arguments[ i ] || {};
+ i++;
+ }
+
+ // Handle case when target is a string or something (possible in deep copy)
+ if ( typeof target !== "object" && !jQuery.isFunction( target ) ) {
+ target = {};
+ }
+
+ // Extend jQuery itself if only one argument is passed
+ if ( i === length ) {
+ target = this;
+ i--;
+ }
+
+ for ( ; i < length; i++ ) {
+
+ // Only deal with non-null/undefined values
+ if ( ( options = arguments[ i ] ) != null ) {
+
+ // Extend the base object
+ for ( name in options ) {
+ copy = options[ name ];
+
+ // Prevent Object.prototype pollution
+ // Prevent never-ending loop
+ if ( name === "__proto__" || target === copy ) {
+ continue;
+ }
+
+ // Recurse if we're merging plain objects or arrays
+ if ( deep && copy && ( jQuery.isPlainObject( copy ) ||
+ ( copyIsArray = Array.isArray( copy ) ) ) ) {
+ src = target[ name ];
+
+ // Ensure proper type for the source value
+ if ( copyIsArray && !Array.isArray( src ) ) {
+ clone = [];
+ } else if ( !copyIsArray && !jQuery.isPlainObject( src ) ) {
+ clone = {};
+ } else {
+ clone = src;
+ }
+ copyIsArray = false;
+
+ // Never move original objects, clone them
+ target[ name ] = jQuery.extend( deep, clone, copy );
+
+ // Don't bring in undefined values
+ } else if ( copy !== undefined ) {
+ target[ name ] = copy;
+ }
+ }
+ }
+ }
+
+ // Return the modified object
+ return target;
+};
+
+})(jQuery);
diff --git a/web/core/composer.json b/web/core/composer.json
index bbd9faa42e53e7788da4b97f1813e7211ce749d6..64629c276086fb962c987c44c34cc7458bbc94fd 100644
--- a/web/core/composer.json
+++ b/web/core/composer.json
@@ -20,9 +20,9 @@
"php": "^5.5.9|>=7.0.8",
"symfony/class-loader": "~3.4.0",
"symfony/console": "~3.4.0",
- "symfony/dependency-injection": "~3.4.0",
+ "symfony/dependency-injection": "~3.4.26",
"symfony/event-dispatcher": "~3.4.0",
- "symfony/http-foundation": "~3.4.14",
+ "symfony/http-foundation": "~3.4.26",
"symfony/http-kernel": "~3.4.14",
"symfony/routing": "~3.4.0",
"symfony/serializer": "~3.4.0",
diff --git a/web/core/core.libraries.yml b/web/core/core.libraries.yml
index 918a36afd309cc9772aedb0c1f6b33cf1d56c186..bf23ec9918a0df9f94a66ee38c270de542eaed53 100644
--- a/web/core/core.libraries.yml
+++ b/web/core/core.libraries.yml
@@ -348,6 +348,9 @@ jquery:
gpl-compatible: true
js:
assets/vendor/jquery/jquery.min.js: { minified: true, weight: -20 }
+ # This includes a security fix, so assign a weight that makes this load as
+ # soon after jquery.min.js is loaded as possible.
+ assets/vendor/jquery/jquery-extend-3.4.0.js: { weight: -19 }
jquery.cookie:
remote: https://github.com/carhartl/jquery-cookie
diff --git a/web/core/lib/Drupal.php b/web/core/lib/Drupal.php
index 68380b051c712919d9e23cacd495fcbeeb883c06..86099e1283e443b27a83971f5080ad2a7b8d30c0 100644
--- a/web/core/lib/Drupal.php
+++ b/web/core/lib/Drupal.php
@@ -82,7 +82,7 @@ class Drupal {
/**
* The current system version.
*/
- const VERSION = '8.6.13';
+ const VERSION = '8.6.15';
/**
* Core API compatibility.
diff --git a/web/core/lib/Drupal/Core/Session/SessionManager.php b/web/core/lib/Drupal/Core/Session/SessionManager.php
index 79813986786bc1567d495d1cc0ba2f63151c2eea..431959e99510d3b81c91a9457d9bb95d1a563ccc 100644
--- a/web/core/lib/Drupal/Core/Session/SessionManager.php
+++ b/web/core/lib/Drupal/Core/Session/SessionManager.php
@@ -216,7 +216,9 @@ public function regenerate($destroy = FALSE, $lifetime = NULL) {
throw new \InvalidArgumentException('The optional parameters $destroy and $lifetime of SessionManager::regenerate() are not supported currently');
}
- if ($this->isStarted()) {
+ // Only migrate the session if the session is really started and not only
+ // lazy started.
+ if ($this->started) {
$old_session_id = $this->getId();
// Save and close the old session. Call the parent method to avoid issue
// with session destruction due to the session being considered obsolete.
@@ -340,4 +342,19 @@ protected function migrateStoredSession($old_session_id) {
->execute();
}
+ /**
+ * Checks if the session is started.
+ *
+ * Beginning with symfony/http-foundation 3.4.24, the session will no longer
+ * save unless this method returns true. The parent method returns true if
+ * $this->started is true, but we need the session to also save if we lazy
+ * started, so we override isStarted() here.
+ *
+ * @return bool
+ * True if started, false otherwise
+ */
+ public function isStarted() {
+ return parent::isStarted() || $this->startedLazy;
+ }
+
}
diff --git a/web/core/modules/system/system.post_update.php b/web/core/modules/system/system.post_update.php
index ba8e798ca1536532aed80516aad10466852e7dd0..23875811e9356f8cee60c704b7f13127a463d59d 100644
--- a/web/core/modules/system/system.post_update.php
+++ b/web/core/modules/system/system.post_update.php
@@ -90,6 +90,13 @@ function system_post_update_field_formatter_entity_schema() {
// Empty post-update hook.
}
+/**
+ * Clear the library cache and ensure aggregate files are regenerated.
+ */
+function system_post_update_fix_jquery_extend() {
+ // Empty post-update hook.
+}
+
/**
* Change plugin IDs of actions.
*/