Update Drupal

frontend/drupal/CHANGELOG.txt

@@ -1,3 +1,36 @@
+Drupal 7.87, 2022-01-19
+-----------------------
+- Fix regression caused by jQuery UI position() backport
+
+Drupal 7.86, 2022-01-18
+-----------------------
+- Fixed security issues:
+   - SA-CORE-2022-001
+   - SA-CORE-2022-002
+
+Drupal 7.85, 2022-01-12
+-----------------------
+- Fix session cookies for sites with different base_urls but a shared domain
+
+Drupal 7.84, 2021-12-13
+-----------------------
+- Hotfix for session cookie domain on www subdomains
+
+Drupal 7.83, 2021-12-01
+-----------------------
+- Initial support for PHP 8.1
+- The has_js cookie has been removed (but can be re-enabled)
+- The leading www. is no longer stripped from cookie domain by default
+- The user entity now has a "changed" property
+- Introduced a skip_permissions_hardening setting
+- Changes to the password reset process to avoid email and username enumeration
+- Various bug fixes, optimizations and improvements
+
+Drupal 7.82, 2021-07-21
+-----------------------
+- Fixed security issues:
+   - SA-CORE-2021-004
+
 Drupal 7.81, 2021-06-02
 -----------------------
 - Block Google FLoC by default

frontend/drupal/includes/authorize.inc

@@ -104,11 +104,6 @@ function authorize_filetransfer_form($form, &$form_state) {
     // Start non-JS code.
     if (isset($form_state['values']['connection_settings']['authorize_filetransfer_default']) && $form_state['values']['connection_settings']['authorize_filetransfer_default'] == $name) {
 
-      // If the user switches from JS to non-JS, Drupal (and Batch API) will
-      // barf. This is a known bug: http://drupal.org/node/229825.
-      setcookie('has_js', '', time() - 3600, '/');
-      unset($_COOKIE['has_js']);
-
       // Change the submit button to the submit_process one.
       $form['submit_process']['#attributes'] = array();
       unset($form['submit_connection']);

frontend/drupal/includes/batch.inc

@@ -72,7 +72,9 @@ function _batch_page() {
   $output = NULL;
   switch ($op) {
     case 'start':
-      $output = _batch_start();
+      // Display the full progress page on startup and on each additional
+      // non-JavaScript iteration.
+      $output = _batch_progress_page();
       break;
 
     case 'do':
@@ -82,7 +84,7 @@ function _batch_page() {
 
     case 'do_nojs':
       // Non-JavaScript-based progress page.
-      $output = _batch_progress_page_nojs();
+      $output = _batch_progress_page();
       break;
 
     case 'finished':
@@ -93,69 +95,12 @@ function _batch_page() {
   return $output;
 }
 
-/**
- * Initializes the batch processing.
- *
- * JavaScript-enabled clients are identified by the 'has_js' cookie set in
- * drupal.js. If no JavaScript-enabled page has been visited during the current
- * user's browser session, the non-JavaScript version is returned.
- */
-function _batch_start() {
-  if (isset($_COOKIE['has_js']) && $_COOKIE['has_js']) {
-    return _batch_progress_page_js();
-  }
-  else {
-    return _batch_progress_page_nojs();
-  }
-}
-
-/**
- * Outputs a batch processing page with JavaScript support.
- *
- * This initializes the batch and error messages. Note that in JavaScript-based
- * processing, the batch processing page is displayed only once and updated via
- * AHAH requests, so only the first batch set gets to define the page title.
- * Titles specified by subsequent batch sets are not displayed.
- *
- * @see batch_set()
- * @see _batch_do()
- */
-function _batch_progress_page_js() {
-  $batch = batch_get();
-
-  $current_set = _batch_current_set();
-  drupal_set_title($current_set['title'], PASS_THROUGH);
-
-  // Merge required query parameters for batch processing into those provided by
-  // batch_set() or hook_batch_alter().
-  $batch['url_options']['query']['id'] = $batch['id'];
-
-  $js_setting = array(
-    'batch' => array(
-      'errorMessage' => $current_set['error_message'] . '<br />' . $batch['error_message'],
-      'initMessage' => $current_set['init_message'],
-      'uri' => url($batch['url'], $batch['url_options']),
-    ),
-  );
-  drupal_add_js($js_setting, 'setting');
-  drupal_add_library('system', 'drupal.batch');
-
-  return '<div id="progress"></div>';
-}
-
 /**
  * Does one execution pass with JavaScript and returns progress to the browser.
  *
- * @see _batch_progress_page_js()
  * @see _batch_process()
  */
 function _batch_do() {
-  // HTTP POST required.
-  if ($_SERVER['REQUEST_METHOD'] != 'POST') {
-    drupal_set_message(t('HTTP POST is required.'), 'error');
-    drupal_set_title(t('Error'));
-    return '';
-  }
 
   // Perform actual processing.
   list($percentage, $message) = _batch_process();
@@ -164,11 +109,11 @@ function _batch_do() {
 }
 
 /**
- * Outputs a batch processing page without JavaScript support.
+ * Outputs a batch processing page.
  *
  * @see _batch_process()
  */
-function _batch_progress_page_nojs() {
+function _batch_progress_page() {
   $batch = &batch_get();
 
   $current_set = _batch_current_set();
@@ -216,6 +161,9 @@ function _batch_progress_page_nojs() {
 
   $url = url($batch['url'], $batch['url_options']);
   $element = array(
+    // Redirect through a 'Refresh' meta tag if JavaScript is disabled.
+    '#prefix' => '<noscript>',
+    '#suffix' => '</noscript>',
     '#tag' => 'meta',
     '#attributes' => array(
       'http-equiv' => 'Refresh',
@@ -224,6 +172,17 @@ function _batch_progress_page_nojs() {
   );
   drupal_add_html_head($element, 'batch_progress_meta_refresh');
 
+  // Adds JavaScript code and settings for clients where JavaScript is enabled.
+  $js_setting = array(
+    'batch' => array(
+      'errorMessage' => $current_set['error_message'] . '<br />' . $batch['error_message'],
+      'initMessage' => $current_set['init_message'],
+      'uri' => $url,
+    ),
+  );
+  drupal_add_js($js_setting, 'setting');
+  drupal_add_library('system', 'drupal.batch');
+
   return theme('progress_bar', array('percent' => $percentage, 'message' => $message));
 }
 

frontend/drupal/includes/bootstrap.inc

@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.81');
+define('VERSION', '7.87');
 
 /**
  * Core API compatibility.
@@ -359,6 +359,7 @@ abstract class DrupalCacheArray implements ArrayAccess {
   /**
    * Implements ArrayAccess::offsetExists().
    */
+  #[\ReturnTypeWillChange]
   public function offsetExists($offset) {
     return $this->offsetGet($offset) !== NULL;
   }
@@ -366,6 +367,7 @@ abstract class DrupalCacheArray implements ArrayAccess {
   /**
    * Implements ArrayAccess::offsetGet().
    */
+  #[\ReturnTypeWillChange]
   public function offsetGet($offset) {
     if (isset($this->storage[$offset]) || array_key_exists($offset, $this->storage)) {
       return $this->storage[$offset];
@@ -378,6 +380,7 @@ abstract class DrupalCacheArray implements ArrayAccess {
   /**
    * Implements ArrayAccess::offsetSet().
    */
+  #[\ReturnTypeWillChange]
   public function offsetSet($offset, $value) {
     $this->storage[$offset] = $value;
   }
@@ -385,6 +388,7 @@ abstract class DrupalCacheArray implements ArrayAccess {
   /**
    * Implements ArrayAccess::offsetUnset().
    */
+  #[\ReturnTypeWillChange]
   public function offsetUnset($offset) {
     unset($this->storage[$offset]);
   }
@@ -803,14 +807,17 @@ function drupal_settings_initialize() {
     // HTTP_HOST can be modified by a visitor, but we already sanitized it
     // in drupal_settings_initialize().
     if (!empty($_SERVER['HTTP_HOST'])) {
-      $cookie_domain = $_SERVER['HTTP_HOST'];
-      // Strip leading periods, www., and port numbers from cookie domain.
-      $cookie_domain = ltrim($cookie_domain, '.');
-      if (strpos($cookie_domain, 'www.') === 0) {
-        $cookie_domain = substr($cookie_domain, 4);
-      }
-      $cookie_domain = explode(':', $cookie_domain);
-      $cookie_domain = '.' . $cookie_domain[0];
+      $cookie_domain = _drupal_get_cookie_domain($_SERVER['HTTP_HOST']);
+    }
+
+    // Drupal 7.83 included a security improvement whereby www. is no longer
+    // stripped from the cookie domain. However, this can cause problems with
+    // existing session cookies where some users are left unable to login. In
+    // order to avoid that, prepend a leading dot to the session_name that was
+    // derived from the base_url when a www. subdomain is in use.
+    // @see https://www.drupal.org/project/drupal/issues/2522002
+    if (strpos($session_name, 'www.') === 0) {
+      $session_name = '.' . $session_name;
     }
   }
   // Per RFC 2109, cookie domains must contain at least one dot other than the
@@ -831,6 +838,24 @@ function drupal_settings_initialize() {
   session_name($prefix . substr(hash('sha256', $session_name), 0, 32));
 }
 
+/**
+ * Derive the cookie domain to use for session cookies.
+ *
+ * @param $host
+ *   The value of the HTTP host name.
+ *
+ * @return
+ *   The string to use as a cookie domain.
+ */
+function _drupal_get_cookie_domain($host) {
+  $cookie_domain = $host;
+  // Strip leading periods and port numbers from cookie domain.
+  $cookie_domain = ltrim($cookie_domain, '.');
+  $cookie_domain = explode(':', $cookie_domain);
+  $cookie_domain = '.' . $cookie_domain[0];
+  return $cookie_domain;
+}
+
 /**
  * Returns and optionally sets the filename for a system resource.
  *
@@ -1157,6 +1182,31 @@ function _drupal_trigger_error_with_delayed_logging($error_msg, $error_type = E_
   $delay_logging = FALSE;
 }
 
+/**
+ * Invoke trigger_error() using a fatal error that will terminate the request.
+ *
+ * Normally, Drupal's error handler does not terminate script execution on
+ * user-level errors, even if the error is of type E_USER_ERROR. This function
+ * triggers an error of type E_USER_ERROR that is explicitly forced to be a
+ * fatal error which terminates script execution.
+ *
+ * @param string $error_msg
+ *   The error message to trigger. As with trigger_error() itself, this is
+ *   limited to 1024 bytes; additional characters beyond that will be removed.
+ *
+ * @see _drupal_error_handler_real()
+ */
+function drupal_trigger_fatal_error($error_msg) {
+  $fatal_error = &drupal_static(__FUNCTION__, FALSE);
+  $fatal_error = TRUE;
+  trigger_error($error_msg, E_USER_ERROR);
+  $fatal_error = FALSE;
+  // The standard Drupal error handler should have treated this as a fatal
+  // error and already ended the page request. But in case another error
+  // handler is being used, terminate execution explicitly here also.
+  exit;
+}
+
 /**
  * Writes the file scan cache to the persistent cache.
  *
@@ -2265,7 +2315,7 @@ function drupal_random_bytes($count)  {
   // $random_state does not use drupal_static as it stores random bytes.
   static $random_state, $bytes, $has_openssl;
 
-  $missing_bytes = $count - strlen($bytes);
+  $missing_bytes = $count - strlen((string) $bytes);
 
   if ($missing_bytes > 0) {
     // PHP versions prior 5.3.4 experienced openssl_random_pseudo_bytes()

frontend/drupal/includes/common.inc

@@ -633,7 +633,7 @@ function drupal_parse_url($url) {
  *   The Drupal path to encode.
  */
 function drupal_encode_path($path) {
-  return str_replace('%2F', '/', rawurlencode($path));
+  return str_replace('%2F', '/', rawurlencode((string) $path));
 }
 
 /**
@@ -943,7 +943,7 @@ function drupal_http_request($url, array $options = array()) {
   // or PUT request. Some non-standard servers get confused by Content-Length in
   // at least HEAD/GET requests, and Squid always requires Content-Length in
   // POST/PUT requests.
-  $content_length = strlen($options['data']);
+  $content_length = strlen((string) $options['data']);
   if ($content_length > 0 || $options['method'] == 'POST' || $options['method'] == 'PUT') {
     $options['headers']['Content-Length'] = $content_length;
   }
@@ -1019,7 +1019,7 @@ function drupal_http_request($url, array $options = array()) {
   $result->headers = array();
 
   // Parse the response headers.
-  while ($line = trim(array_shift($response))) {
+  while ($line = trim((string) array_shift($response))) {
     list($name, $value) = explode(':', $line, 2);
     $name = strtolower($name);
     if (isset($result->headers[$name]) && $name == 'set-cookie') {
@@ -1916,7 +1916,7 @@ function format_plural($count, $singular, $plural, array $args = array(), array
  */
 function parse_size($size) {
   $unit = preg_replace('/[^bkmgtpezy]/i', '', $size); // Remove the non-unit characters from the size.
-  $size = preg_replace('/[^0-9\.]/', '', $size); // Remove the non-numeric characters from the size.
+  $size = (float) preg_replace('/[^0-9\.]/', '', $size); // Remove the non-numeric characters from the size.
   if ($unit) {
     // Find the position of the unit in the ordered string which is the power of magnitude to multiply a kilobyte by.
     return round($size * pow(DRUPAL_KILOBYTE, stripos('bkmgtpezy', $unit[0])));
@@ -1995,7 +1995,7 @@ function format_interval($interval, $granularity = 2, $langcode = NULL) {
     $key = explode('|', $key);
     if ($interval >= $value) {
       $output .= ($output ? ' ' : '') . format_plural(floor($interval / $value), $key[0], $key[1], array(), array('langcode' => $langcode));
-      $interval %= $value;
+      $interval = (int) $interval % $value;
       $granularity--;
     }
 
@@ -2308,7 +2308,7 @@ function url($path = NULL, array $options = array()) {
   // Strip leading slashes from internal paths to prevent them becoming external
   // URLs without protocol. /example.com should not be turned into
   // //example.com.
-  $path = ltrim($path, '/');
+  $path = ltrim((string) $path, '/');
 
   global $base_url, $base_secure_url, $base_insecure_url;
 
@@ -2346,7 +2346,7 @@ function url($path = NULL, array $options = array()) {
   }
 
   $base = $options['absolute'] ? $options['base_url'] . '/' : base_path();
-  $prefix = empty($path) ? rtrim($options['prefix'], '/') : $options['prefix'];
+  $prefix = empty($path) ? rtrim((string) $options['prefix'], '/') : $options['prefix'];
 
   // With Clean URLs.
   if (!empty($GLOBALS['conf']['clean_url'])) {
@@ -2390,6 +2390,7 @@ function url($path = NULL, array $options = array()) {
  *   Boolean TRUE or FALSE, where TRUE indicates an external path.
  */
 function url_is_external($path) {
+  $path = (string) $path;
   $colonpos = strpos($path, ':');
   // Some browsers treat \ as / so normalize to forward slashes.
   $path = str_replace('\\', '/', $path);
@@ -2944,12 +2945,12 @@ function base_path() {
 }
 
 /**
- * Adds a LINK tag with a distinct 'rel' attribute to the page's HEAD.
+ * Adds a LINK tag with distinct attributes to the page's HEAD.
  *
  * This function can be called as long the HTML header hasn't been sent, which
  * on normal pages is up through the preprocess step of theme('html'). Adding
- * a link will overwrite a prior link with the exact same 'rel' and 'href'
- * attributes.
+ * a link will overwrite a prior link with the exact same 'rel', 'href' and
+ * 'hreflang' attributes.
  *
  * @param $attributes
  *   Associative array of element attributes including 'href' and 'rel'.
@@ -2965,12 +2966,12 @@ function drupal_add_html_head_link($attributes, $header = FALSE) {
 
   if ($header) {
     // Also add a HTTP header "Link:".
-    $href = '<' . check_plain($attributes['href']) . '>;';
+    $href = '<' . $attributes['href'] . '>;';
     unset($attributes['href']);
     $element['#attached']['drupal_add_http_header'][] = array('Link',  $href . drupal_http_header_attributes($attributes), TRUE);
   }
 
-  drupal_add_html_head($element, 'drupal_add_html_head_link:' . $attributes['rel'] . ':' . $href);
+  drupal_add_html_head($element, 'drupal_add_html_head_link:' . $attributes['rel'] . ':' . (isset($attributes['hreflang']) ? "{$attributes['hreflang']}:" : '') . $href);
 }
 
 /**
@@ -4342,6 +4343,7 @@ function drupal_add_js($data = NULL, $options = NULL) {
           'data' => array(
             array('basePath' => base_path()),
             array('pathPrefix' => empty($prefix) ? '' : $prefix),
+            array('setHasJsCookie' => variable_get('set_has_js_cookie', FALSE) ? 1 : 0),
           ),
           'type' => 'setting',
           'scope' => 'header',
@@ -6641,7 +6643,7 @@ function drupal_sort_title($a, $b) {
  * Checks if the key is a property.
  */
 function element_property($key) {
-  return $key[0] == '#';
+  return $key !== '' && is_string($key) && $key[0] == '#';
 }
 
 /**

frontend/drupal/includes/database/database.inc

@@ -1924,6 +1924,11 @@ class DatabaseTransactionOutOfOrderException extends Exception { }
  */
 class InvalidMergeQueryException extends Exception {}
 
+/**
+ * Exception thrown if an invalid query condition is specified.
+ */
+class InvalidQueryConditionOperatorException extends Exception {}
+
 /**
  * Exception thrown if an insert query specifies a field twice.
  *
@@ -2257,6 +2262,7 @@ class DatabaseStatementBase extends PDOStatement implements DatabaseStatementInt
     $this->setFetchMode(PDO::FETCH_OBJ);
   }
 
+  #[\ReturnTypeWillChange]
   public function execute($args = array(), $options = array()) {
     if (isset($options['fetch'])) {
       if (is_string($options['fetch'])) {
@@ -2394,23 +2400,27 @@ class DatabaseStatementEmpty implements Iterator, DatabaseStatementInterface {
   }
 
   /* Implementations of Iterator. */
-
+  #[\ReturnTypeWillChange]
   public function current() {
     return NULL;
   }
 
+  #[\ReturnTypeWillChange]
   public function key() {
     return NULL;
   }
 
+  #[\ReturnTypeWillChange]
   public function rewind() {
     // Nothing to do: our DatabaseStatement can't be rewound.
   }
 
+  #[\ReturnTypeWillChange]
   public function next() {
     // Do nothing, since this is an always-empty implementation.
   }
 
+  #[\ReturnTypeWillChange]
   public function valid() {
     return FALSE;
   }

frontend/drupal/includes/database/mysql/database.inc

@@ -332,6 +332,11 @@ class DatabaseConnection_mysql extends DatabaseConnection {
       PDO::MYSQL_ATTR_USE_BUFFERED_QUERY => TRUE,
       // Because MySQL's prepared statements skip the query cache, because it's dumb.
       PDO::ATTR_EMULATE_PREPARES => TRUE,
+      // Convert numeric values to strings when fetching. In PHP 8.1,
+      // PDO::ATTR_EMULATE_PREPARES now behaves the same way as non emulated
+      // prepares and returns integers. See https://externals.io/message/113294
+      // for further discussion.
+      PDO::ATTR_STRINGIFY_FETCHES => TRUE,
     );
     if (defined('PDO::MYSQL_ATTR_MULTI_STATEMENTS')) {
       // An added connection option in PHP 5.5.21+ to optionally limit SQL to a

frontend/drupal/includes/database/prefetch.inc

@@ -268,6 +268,7 @@ class DatabaseStatementPrefetch implements Iterator, DatabaseStatementInterface
    * @return
    *  The current row formatted as requested.
    */
+  #[\ReturnTypeWillChange]
   public function current() {
     if (isset($this->currentRow)) {
       switch ($this->fetchStyle) {
@@ -320,14 +321,17 @@ class DatabaseStatementPrefetch implements Iterator, DatabaseStatementInterface
 
   /* Implementations of Iterator. */
 
+  #[\ReturnTypeWillChange]
   public function key() {
     return $this->currentKey;
   }
 
+  #[\ReturnTypeWillChange]
   public function rewind() {
     // Nothing to do: our DatabaseStatement can't be rewound.
   }
 
+  #[\ReturnTypeWillChange]
   public function next() {
     if (!empty($this->data)) {
       $this->currentRow = reset($this->data);
@@ -339,6 +343,7 @@ class DatabaseStatementPrefetch implements Iterator, DatabaseStatementInterface
     }
   }
 
+  #[\ReturnTypeWillChange]
   public function valid() {
     return isset($this->currentRow);
   }

frontend/drupal/includes/database/query.inc

@@ -871,8 +871,14 @@ class DeleteQuery extends Query implements QueryConditionInterface {
     $query = $comments . 'DELETE FROM {' . $this->connection->escapeTable($this->table) . '} ';
 
     if (count($this->condition)) {
-
-      $this->condition->compile($this->connection, $this);
+      try {
+        $this->condition->compile($this->connection, $this);
+      }
+      // PHP does not allow exceptions to be thrown in __toString(), so trigger
+      // a fatal error instead.
+      catch (InvalidQueryConditionOperatorException $e) {
+        drupal_trigger_fatal_error($e->getMessage());
+      }
       $query .= "\nWHERE " . $this->condition;
     }
 
@@ -1204,7 +1210,14 @@ class UpdateQuery extends Query implements QueryConditionInterface {
     $query = $comments . 'UPDATE {' . $this->connection->escapeTable($this->table) . '} SET ' . implode(', ', $update_fields);
 
     if (count($this->condition)) {
-      $this->condition->compile($this->connection, $this);
+      try {
+        $this->condition->compile($this->connection, $this);
+      }
+      // PHP does not allow exceptions to be thrown in __toString(), so trigger
+      // a fatal error instead.
+      catch (InvalidQueryConditionOperatorException $e) {
+        drupal_trigger_fatal_error($e->getMessage());
+      }
       // There is an implicit string cast on $this->condition.
       $query .= "\nWHERE " . $this->condition;
     }
@@ -1697,6 +1710,7 @@ class DatabaseCondition implements QueryConditionInterface, Countable {
    * size of its conditional array minus one, because one element is the
    * conjunction.
    */
+  #[\ReturnTypeWillChange]
   public function count() {
     return count($this->conditions) - 1;
   }
@@ -1789,6 +1803,8 @@ class DatabaseCondition implements QueryConditionInterface, Countable {
 
   /**
    * Implements QueryConditionInterface::compile().
+   *
+   * @throws InvalidQueryConditionOperatorException
    */
   public function compile(DatabaseConnection $connection, QueryPlaceholderInterface $queryPlaceholder) {
     // Re-compile if this condition changed or if we are compiled against a
@@ -1819,6 +1835,12 @@ class DatabaseCondition implements QueryConditionInterface, Countable {
             $arguments += $condition['field']->arguments();
           }
           else {
+            // If the operator contains an invalid character, throw an
+            // exception to protect against SQL injection attempts.
+            if (stripos($condition['operator'], 'UNION') !== FALSE || strpbrk($condition['operator'], '[-\'"();') !== FALSE) {
+              throw new InvalidQueryConditionOperatorException('Invalid characters in query operator: ' . $condition['operator']);
+            }
+
             // For simplicity, we treat all operators as the same data structure.
             // In the typical degenerate case, this won't get changed.
             $operator_defaults = array(

frontend/drupal/includes/database/select.inc

@@ -1504,7 +1504,14 @@ class SelectQuery extends Query implements SelectQueryInterface {
     // the query will be executed, it will be recompiled using the proper
     // placeholder generator anyway.
     if (!$this->compiled()) {
-      $this->compile($this->connection, $this);
+      try {
+        $this->compile($this->connection, $this);
+      }
+      // PHP does not allow exceptions to be thrown in __toString(), so trigger
+      // a fatal error instead.
+      catch (InvalidQueryConditionOperatorException $e) {
+        drupal_trigger_fatal_error($e->getMessage());
+      }
     }
 
     // Create a sanitized comment string to prepend to the query.

frontend/drupal/includes/database/sqlite/schema.inc

@@ -433,7 +433,7 @@ class DatabaseSchema_sqlite extends DatabaseSchema {
           'type' => $type,
           'size' => $size,
           'not null' => !empty($row->notnull),
-          'default' => trim($row->dflt_value, "'"),
+          'default' => trim((string) $row->dflt_value, "'"),
         );
         if ($length) {
           $schema['fields'][$row->name]['length'] = $length;

frontend/drupal/includes/errors.inc

@@ -59,7 +59,8 @@ function _drupal_error_handler_real($error_level, $message, $filename, $line) {
       require_once DRUPAL_ROOT . '/includes/common.inc';
     }
 
-    // We treat recoverable errors as fatal.
+    // We treat recoverable errors as fatal, and also allow fatal errors to be
+    // explicitly triggered by drupal_trigger_fatal_error().
     _drupal_log_error(array(
       '%type' => isset($types[$error_level]) ? $severity_msg : 'Unknown error',
       // The standard PHP error handler considers that the error messages
@@ -69,7 +70,7 @@ function _drupal_error_handler_real($error_level, $message, $filename, $line) {
       '%file' => $caller['file'],
       '%line' => $caller['line'],
       'severity_level' => $severity_level,
-    ), $error_level == E_RECOVERABLE_ERROR);
+    ), $error_level == E_RECOVERABLE_ERROR || drupal_static('drupal_trigger_fatal_error'));
   }
 }
 
@@ -266,7 +267,7 @@ function _drupal_log_error($error, $fatal = FALSE) {
 function _drupal_get_last_caller($backtrace) {
   // Errors that occur inside PHP internal functions do not generate
   // information about file and line. Ignore black listed functions.
-  $blacklist = array('debug', '_drupal_error_handler', '_drupal_exception_handler');
+  $blacklist = array('debug', '_drupal_error_handler', '_drupal_exception_handler', 'drupal_trigger_fatal_error');
   while (($backtrace && !isset($backtrace[0]['line'])) ||
          (isset($backtrace[1]['function']) && in_array($backtrace[1]['function'], $blacklist))) {
     array_shift($backtrace);

frontend/drupal/includes/file.inc

@@ -197,7 +197,7 @@ function file_stream_wrapper_get_class($scheme) {
  * @see file_uri_target()
  */
 function file_uri_scheme($uri) {
-  $position = strpos($uri, '://');
+  $position = strpos((string) $uri, '://');
   return $position ? substr($uri, 0, $position) : FALSE;
 }
 
@@ -437,10 +437,10 @@ function file_prepare_directory(&$directory, $options = FILE_MODIFY_PERMISSIONS)
 
   // Check if directory exists.
   if (!is_dir($directory)) {
-    // Let mkdir() recursively create directories and use the default directory
-    // permissions.
-    if (($options & FILE_CREATE_DIRECTORY) && @drupal_mkdir($directory, NULL, TRUE)) {
-      return drupal_chmod($directory);
+    // Let drupal_mkdir() recursively create directories and use the default
+    // directory permissions.
+    if ($options & FILE_CREATE_DIRECTORY) {
+      return @drupal_mkdir($directory, NULL, TRUE);
     }
     return FALSE;
   }
@@ -2481,19 +2481,21 @@ function drupal_basename($uri, $suffix = NULL) {
 }
 
 /**
- * Creates a directory using Drupal's default mode.
+ * Creates a directory, optionally creating missing components in the path to
+ * the directory.
  *
- * PHP's mkdir() does not respect Drupal's default permissions mode. If a mode
- * is not provided, this function will make sure that Drupal's is used.
- *
- * Compatibility: normal paths and stream wrappers.
+ * When PHP's mkdir() creates a directory, the requested mode is affected by the
+ * process's umask. This function overrides the umask and sets the mode
+ * explicitly for all directory components created.
  *
  * @param $uri
  *   A URI or pathname.
  * @param $mode
- *   By default the Drupal mode is used.
+ *   Mode given to created directories. Defaults to the directory mode
+ *   configured in the Drupal installation. It must have a leading zero.
  * @param $recursive
- *   Default to FALSE.
+ *   Create directories recursively, defaults to FALSE. Cannot work with a mode
+ *   which denies writing or execution to the owner of the process.
  * @param $context
  *   Refer to http://php.net/manual/ref.stream.php
  *
@@ -2509,7 +2511,71 @@ function drupal_mkdir($uri, $mode = NULL, $recursive = FALSE, $context = NULL) {
     $mode = variable_get('file_chmod_directory', 0775);
   }
 
-  if (!isset($context)) {
+  // If the URI has a scheme, don't override the umask - schemes can handle this
+  // issue in their own implementation.
+  if (file_uri_scheme($uri)) {
+    return _drupal_mkdir_call($uri, $mode, $recursive, $context);
+  }
+
+  // If recursive, create each missing component of the parent directory
+  // individually and set the mode explicitly to override the umask.
+  if ($recursive) {
+    // Ensure the path is using DIRECTORY_SEPARATOR, and trim off any trailing
+    // slashes because they can throw off the loop when creating the parent
+    // directories.
+    $uri = rtrim(str_replace('/', DIRECTORY_SEPARATOR, $uri), DIRECTORY_SEPARATOR);
+    // Determine the components of the path.
+    $components = explode(DIRECTORY_SEPARATOR, $uri);
+    // If the filepath is absolute the first component will be empty as there
+    // will be nothing before the first slash.
+    if ($components[0] == '') {
+      $recursive_path = DIRECTORY_SEPARATOR;
+      // Get rid of the empty first component.
+      array_shift($components);
+    }
+    else {
+      $recursive_path = '';
+    }
+    // Don't handle the top-level directory in this loop.
+    array_pop($components);
+    // Create each component if necessary.
+    foreach ($components as $component) {
+      $recursive_path .= $component;
+
+      if (!file_exists($recursive_path)) {
+        $success = _drupal_mkdir_call($recursive_path, $mode, FALSE, $context);
+        // If the operation failed, check again if the directory was created
+        // by another process/server, only report a failure if not.
+        if (!$success && !file_exists($recursive_path)) {
+          return FALSE;
+        }
+        // Not necessary to use self::chmod() as there is no scheme.
+        if (!chmod($recursive_path, $mode)) {
+          return FALSE;
+        }
+      }
+
+      $recursive_path .= DIRECTORY_SEPARATOR;
+    }
+  }
+
+  // Do not check if the top-level directory already exists, as this condition
+  // must cause this function to fail.
+  if (!_drupal_mkdir_call($uri, $mode, FALSE, $context)) {
+    return FALSE;
+  }
+  // Not necessary to use drupal_chmod() as there is no scheme.
+  return chmod($uri, $mode);
+}
+
+/**
+ * Helper function. Ensures we don't pass a NULL as a context resource to
+ * mkdir().
+ *
+ * @see drupal_mkdir()
+ */
+function _drupal_mkdir_call($uri, $mode, $recursive, $context) {
+  if (is_null($context)) {
     return mkdir($uri, $mode, $recursive);
   }
   else {

frontend/drupal/includes/filetransfer/filetransfer.inc

@@ -364,7 +364,7 @@ class FileTransferException extends Exception {
   public $arguments;
 
   function __construct($message, $code = 0, $arguments = array()) {
-    parent::__construct($message, $code);
+    parent::__construct($message, (int) $code);
     $this->arguments = $arguments;
   }
 }
@@ -409,11 +409,13 @@ class SkipDotsRecursiveDirectoryIterator extends RecursiveDirectoryIterator {
     $this->skipdots();
   }
 
+  #[\ReturnTypeWillChange]
   function rewind() {
     parent::rewind();
     $this->skipdots();
   }
 
+  #[\ReturnTypeWillChange]
   function next() {
     parent::next();
     $this->skipdots();

frontend/drupal/includes/form.inc

@@ -1393,7 +1393,10 @@ function _form_validate(&$elements, &$form_state, $form_id = NULL) {
         // identical to the empty option's value, we reset the element's value
         // to NULL to trigger the regular #required handling below.
         // @see form_process_select()
-        elseif ($elements['#type'] == 'select' && !$elements['#multiple'] && $elements['#required'] && !isset($elements['#default_value']) && $elements['#value'] === $elements['#empty_value']) {
+        elseif ($elements['#type'] == 'select' && $elements['#required']
+        && (!array_key_exists('#multiple', $elements) || !$elements['#multiple'])
+        && !isset($elements['#default_value'])
+        && $elements['#value'] === $elements['#empty_value']) {
           $elements['#value'] = NULL;
           form_set_value($elements, NULL, $form_state);
         }

frontend/drupal/includes/install.core.inc

@@ -1505,8 +1505,19 @@ function install_configure_form($form, &$form_state, &$install_state) {
   // especially out of place on the last page of the installer, where it would
   // distract from the message that the Drupal installation has completed
   // successfully.)
-  if (empty($_POST) && (!drupal_verify_install_file(DRUPAL_ROOT . '/' . $settings_file, FILE_EXIST|FILE_READABLE|FILE_NOT_WRITABLE) || !drupal_verify_install_file(DRUPAL_ROOT . '/' . $settings_dir, FILE_NOT_WRITABLE, 'dir'))) {
-    drupal_set_message(st('All necessary changes to %dir and %file have been made, so you should remove write permissions to them now in order to avoid security risks. If you are unsure how to do so, consult the <a href="@handbook_url">online handbook</a>.', array('%dir' => $settings_dir, '%file' => $settings_file, '@handbook_url' => 'http://drupal.org/server-permissions')), 'warning');
+
+  $skip_permissions_hardening = variable_get('skip_permissions_hardening', FALSE);
+  // Allow system administrators to ignore permissions hardening for the site
+  // directory. This allows additional files in the site directory to be
+  // updated when they are managed in a version control system.
+  if (!$skip_permissions_hardening) {
+    if (empty($_POST) && (!drupal_verify_install_file(DRUPAL_ROOT . '/' . $settings_file, FILE_EXIST | FILE_READABLE | FILE_NOT_WRITABLE) || !drupal_verify_install_file(DRUPAL_ROOT . '/' . $settings_dir, FILE_NOT_WRITABLE, 'dir'))) {
+      drupal_set_message(st('All necessary changes to %dir and %file have been made, so you should remove write permissions to them now in order to avoid security risks. If you are unsure how to do so, consult the <a href="@handbook_url">online handbook</a>.', array(
+        '%dir' => $settings_dir,
+        '%file' => $settings_file,
+        '@handbook_url' => 'http://drupal.org/server-permissions'
+      )), 'warning');
+    }
   }
 
   drupal_add_js(drupal_get_path('module', 'system') . '/system.js');

frontend/drupal/includes/install.inc

@@ -830,11 +830,14 @@ function drupal_uninstall_modules($module_list = array(), $uninstall_dependents
  *   An optional bitmask created from various FILE_* constants.
  * @param $type
  *   The type of file. Can be file (default), dir, or link.
+ * @param bool $autofix
+ *   (optional) Determines whether to attempt fixing the permissions according
+ *   to the provided $mask. Defaults to TRUE.
  *
  * @return
  *   TRUE on success or FALSE on failure. A message is set for the latter.
  */
-function drupal_verify_install_file($file, $mask = NULL, $type = 'file') {
+function drupal_verify_install_file($file, $mask = NULL, $type = 'file', $autofix = TRUE) {
   $return = TRUE;
   // Check for files that shouldn't be there.
   if (isset($mask) && ($mask & FILE_NOT_EXIST) && file_exists($file)) {
@@ -856,7 +859,7 @@ function drupal_verify_install_file($file, $mask = NULL, $type = 'file') {
         switch ($current_mask) {
           case FILE_EXIST:
             if (!file_exists($file)) {
-              if ($type == 'dir') {
+              if ($type == 'dir' && $autofix) {
                 drupal_install_mkdir($file, $mask);
               }
               if (!file_exists($file)) {
@@ -865,32 +868,32 @@ function drupal_verify_install_file($file, $mask = NULL, $type = 'file') {
             }
             break;
           case FILE_READABLE:
-            if (!is_readable($file) && !drupal_install_fix_file($file, $mask)) {
+            if (!is_readable($file)) {
               $return = FALSE;
             }
             break;
           case FILE_WRITABLE:
-            if (!is_writable($file) && !drupal_install_fix_file($file, $mask)) {
+            if (!is_writable($file)) {
               $return = FALSE;
             }
             break;
           case FILE_EXECUTABLE:
-            if (!is_executable($file) && !drupal_install_fix_file($file, $mask)) {
+            if (!is_executable($file)) {
               $return = FALSE;
             }
             break;
           case FILE_NOT_READABLE:
-            if (is_readable($file) && !drupal_install_fix_file($file, $mask)) {
+            if (is_readable($file)) {
               $return = FALSE;
             }
             break;
           case FILE_NOT_WRITABLE:
-            if (is_writable($file) && !drupal_install_fix_file($file, $mask)) {
+            if (is_writable($file)) {
               $return = FALSE;
             }
             break;
           case FILE_NOT_EXECUTABLE:
-            if (is_executable($file) && !drupal_install_fix_file($file, $mask)) {
+            if (is_executable($file)) {
               $return = FALSE;
             }
             break;
@@ -898,6 +901,9 @@ function drupal_verify_install_file($file, $mask = NULL, $type = 'file') {
       }
     }
   }
+  if (!$return && $autofix) {
+    return drupal_install_fix_file($file, $mask);
+  }
   return $return;
 }
 

frontend/drupal/includes/iso.inc

@@ -327,7 +327,7 @@ function _locale_get_predefined_list() {
     'da' => array('Danish', 'Dansk'),
     'de' => array('German', 'Deutsch'),
     'dv' => array('Maldivian'),
-    'dz' => array('Bhutani'),
+    'dz' => array('Dzongkha', 'རྫོང་ཁ'),
     'ee' => array('Ewe', 'Ɛʋɛ'),
     'el' => array('Greek', 'Ελληνικά'),
     'en' => array('English'),

frontend/drupal/includes/menu.inc

@@ -3203,7 +3203,7 @@ function menu_link_save(&$item, $existing_item = array(), $parent_candidates = a
         'external' => $item['external'],
         'has_children' => $item['has_children'],
         'expanded' => $item['expanded'],
-        'weight' => $item['weight'],
+        'weight' => (int) $item['weight'],
         'module' => $item['module'],
         'link_title' => $item['link_title'],
         'options' => serialize($item['options']),
@@ -3267,7 +3267,7 @@ function menu_link_save(&$item, $existing_item = array(), $parent_candidates = a
         'external' => $item['external'],
         'has_children' => $item['has_children'],
         'expanded' => $item['expanded'],
-        'weight' => $item['weight'],
+        'weight' => (int) $item['weight'],
         'depth' => $item['depth'],
         'p1' => $item['p1'],
         'p2' => $item['p2'],
@@ -3906,7 +3906,7 @@ function _menu_router_save($menu, $masks) {
       'type' => $item['type'],
       'description' => $item['description'],
       'position' => $item['position'],
-      'weight' => $item['weight'],
+      'weight' => (int) $item['weight'],
       'include_file' => $item['include file'],
     ));
 

frontend/drupal/includes/session.inc

@@ -106,7 +106,7 @@ function _drupal_session_read($sid) {
   // active user.
   if ($user && $user->uid > 0 && $user->status == 1) {
     // This is done to unserialize the data member of $user.
-    $user->data = unserialize($user->data);
+    $user->data = unserialize((string) $user->data);
 
     // Add roles element to $user.
     $user->roles = array();

frontend/drupal/includes/stream_wrappers.inc

@@ -784,10 +784,10 @@ abstract class DrupalLocalStreamWrapper implements DrupalStreamWrapperInterface
       $localpath = $this->getLocalPath($uri);
     }
     if ($options & STREAM_REPORT_ERRORS) {
-      return mkdir($localpath, $mode, $recursive);
+      return drupal_mkdir($localpath, $mode, $recursive);
     }
     else {
-      return @mkdir($localpath, $mode, $recursive);
+      return @drupal_mkdir($localpath, $mode, $recursive);
     }
   }
 

frontend/drupal/includes/unicode.inc

@@ -589,6 +589,7 @@ function drupal_ucfirst($text) {
  */
 function drupal_substr($text, $start, $length = NULL) {
   global $multibyte;
+  $text = (string) $text;
   if ($multibyte == UNICODE_MULTIBYTE) {
     return $length === NULL ? mb_substr($text, $start) : mb_substr($text, $start, $length);
   }

frontend/drupal/misc/batch.js

@@ -7,6 +7,9 @@ Drupal.behaviors.batch = {
   attach: function (context, settings) {
     $('#progress', context).once('batch', function () {
       var holder = $(this);
+      // Remove HTML from no-js progress bar. The JS progress bar is created
+      // later on.
+      holder.empty();
 
       // Success: redirect to the summary.
       var updateCallback = function (progress, status, pb) {

frontend/drupal/misc/drupal.js

@@ -588,8 +588,12 @@ Drupal.ajaxError = function (xmlhttp, uri, customMessage) {
 // Class indicating that JS is enabled; used for styling purpose.
 $('html').addClass('js');
 
-// 'js enabled' cookie.
-document.cookie = 'has_js=1; path=/';
+$(function () {
+  if (Drupal.settings.setHasJsCookie === 1) {
+    // 'js enabled' cookie.
+    document.cookie = 'has_js=1; path=/; SameSite=Lax';
+  }
+});
 
 /**
  * Additions to jQuery.support.

frontend/drupal/misc/ui/jquery.ui.datepicker-1.13.0-backport.js

@@ -0,0 +1,36 @@
+/**
+ * Backport of security fixes from:
+ * https://github.com/jquery/jquery-ui/pull/1953
+ * https://github.com/jquery/jquery-ui/pull/1954
+ */
+
+(function ($, Drupal) {
+
+  // No backport is needed if we're already on jQuery UI 1.13 or higher.
+  var versionParts = $.ui.datepicker.version.split('.');
+  var majorVersion = parseInt(versionParts[0]);
+  var minorVersion = parseInt(versionParts[1]);
+  if ( (majorVersion > 1) || (majorVersion === 1 && minorVersion >= 13) ) {
+    return;
+  }
+
+  var fnOriginalGet = $.datepicker._get;
+  $.extend($.datepicker, {
+
+    _get: function( inst, name ) {
+      var val = fnOriginalGet.call(this, inst, name);
+
+      // @see https://github.com/jquery/jquery-ui/pull/1954
+      if (name === 'altField') {
+        val = $(document).find(val);
+      }
+      // @see https://github.com/jquery/jquery-ui/pull/1953
+      else if ($.inArray(name, ['appendText', 'buttonText', 'prevText', 'currentText', 'nextText', 'closeText']) !== -1) {
+        val = Drupal.checkPlain(val);
+      }
+
+      return val;
+    }
+
+  })
+})(jQuery, Drupal);

frontend/drupal/misc/ui/jquery.ui.dialog-1.13.0-backport.js

@@ -0,0 +1,58 @@
+/**
+ * Backport of security fixes from:
+ * https://bugs.jqueryui.com/ticket/6016
+ * https://github.com/jquery/jquery-ui/pull/1635/files
+ */
+
+(function ($) {
+
+  // Parts of this backport differ by jQuery version.
+  var versionParts = $.ui.dialog.version.split('.');
+  var majorVersion = parseInt(versionParts[0]);
+  var minorVersion = parseInt(versionParts[1]);
+
+  if (majorVersion === 1 && minorVersion < 13) {
+    var _originalSetOption = $.ui.dialog.prototype._setOption;
+    var _originalCreateTitlebar = $.ui.dialog.prototype._createTitlebar;
+
+    $.extend($.ui.dialog.prototype, {
+
+      _createTitlebar: function () {
+        if (this.options.closeText) {
+          this.options.closeText = Drupal.checkPlain(this.options.closeText);
+        }
+        _originalCreateTitlebar.apply(this, arguments);
+      },
+
+      _setOption: function (key, value) {
+        if (key === 'title' || key == 'closeText') {
+          if (value) {
+            value = Drupal.checkPlain(value);
+          }
+        }
+        _originalSetOption.apply(this, [key, value]);
+      }
+    });
+
+    if (majorVersion === 1 && minorVersion < 10) {
+      var _originalCreate = $.ui.dialog.prototype._create;
+
+      $.extend($.ui.dialog.prototype, {
+
+        _create: function () {
+          if (!this.options.title) {
+            var defaultTitle = this.element.attr('title');
+            // .attr() might return a DOMElement
+            if (typeof defaultTitle !== "string") {
+              defaultTitle = "";
+            }
+            this.options.title = defaultTitle;
+          }
+          this.options.title = Drupal.checkPlain(this.options.title);
+          _originalCreate.apply(this, arguments);
+        },
+      });
+    }
+  }
+
+})(jQuery);

frontend/drupal/misc/ui/jquery.ui.position-1.13.0-backport.js

@@ -0,0 +1,33 @@
+/**
+ * Backport of security fix from:
+ * https://github.com/jquery/jquery-ui/pull/1955/files
+ */
+
+(function ($) {
+
+  // No backport is needed if we're already on jQuery UI 1.13 or higher.
+  var versionParts = $.ui.version.split('.');
+  var majorVersion = parseInt(versionParts[0]);
+  var minorVersion = parseInt(versionParts[1]);
+  if ( (majorVersion > 1) || (majorVersion === 1 && minorVersion >= 13) ) {
+    return;
+  }
+
+  var fnOriginalPosition = $.fn.position;
+  $.fn.extend({
+    'position': function (options) {
+      if (typeof options === 'undefined') {
+        return fnOriginalPosition.call(this);
+      }
+
+      // Make sure string options are treated as CSS selectors
+      var target = typeof options.of === "string" ?
+        $(document).find(options.of) :
+        $(options.of);
+
+      options.of = (target[0] === undefined) ? null : target;
+      return fnOriginalPosition.call(this, options);
+    }
+  });
+
+})(jQuery);

frontend/drupal/modules/aggregator/aggregator.info

@@ -7,7 +7,7 @@ files[] = aggregator.test
 configure = admin/config/services/aggregator/settings
 stylesheets[all][] = aggregator.css
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/aggregator/tests/aggregator_test.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/block/block.info

@@ -6,7 +6,7 @@ core = 7.x
 files[] = block.test
 configure = admin/structure/block
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/block/tests/block_test.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/block/tests/themes/block_test_theme/block_test_theme.info

@@ -13,7 +13,7 @@ regions[footer] = Footer
 regions[highlighted] = Highlighted
 regions[help] = Help
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/blog/blog.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 files[] = blog.test
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/book/book.info

@@ -7,7 +7,7 @@ files[] = book.test
 configure = admin/content/book/settings
 stylesheets[all][] = book.css
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/color/color.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 files[] = color.test
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/color/color.module

@@ -724,7 +724,7 @@ function _color_blend($img, $hex1, $hex2, $alpha) {
   $in2 = _color_unpack($hex2);
   $out = array($img);
   for ($i = 0; $i < 3; ++$i) {
-    $out[] = $in1[$i] + ($in2[$i] - $in1[$i]) * $alpha;
+    $out[] = (int) ($in1[$i] + ($in2[$i] - $in1[$i]) * $alpha);
   }
 
   return call_user_func_array('imagecolorallocate', $out);
@@ -752,7 +752,7 @@ function _color_unpack($hex, $normalize = FALSE) {
 function _color_pack($rgb, $normalize = FALSE) {
   $out = 0;
   foreach ($rgb as $k => $v) {
-    $out |= (($v * ($normalize ? 255 : 1)) << (16 - $k * 8));
+    $out |= (((int) ($v * ($normalize ? 255 : 1))) << (16 - $k * 8));
   }
 
   return '#' . str_pad(dechex($out), 6, 0, STR_PAD_LEFT);

frontend/drupal/modules/color/color.test

@@ -131,3 +131,53 @@ class ColorTestCase extends DrupalWebTestCase {
     }
   }
 }
+
+/**
+ * Unit tests for the color.module
+ */
+class ColorUnitTestCase extends DrupalUnitTestCase {
+
+  protected $test_values;
+
+  /**
+   * {@inheritdoc}
+   */
+  public static function getInfo() {
+    return array(
+      'name' => 'Color module unit tests',
+      'description' => 'Test color.module functionality.',
+      'group' => 'Color',
+    );
+  }
+
+  /**
+   * Set up the test environment.
+   */
+  public function setUp() {
+    drupal_load('module', 'color');
+    parent::setUp();
+
+    $this->test_values = array(
+      array(array(0.2, 0.4, 0.8), TRUE, '#3366cc'),
+      array(array(51, 102, 204), FALSE, '#3366cc'),
+      array(array(6, 120, 190), FALSE, '#0678be'),
+      array(array(192, 192, 192), FALSE, '#c0c0c0'),
+      array(array(255, 255, 0), FALSE, '#ffff00'),
+      array(array(128, 0, 128), FALSE, '#800080'),
+      array(array(0.6, 0.8, 1), TRUE, '#99ccff'),
+      array(array(221, 72, 20), FALSE, '#dd4814'),
+    );
+  }
+
+  public function testColorPack() {
+    foreach ($this->test_values as $test) {
+      $this->assertEqual(_color_pack($test[0], $test[1]), $test[2], __FUNCTION__ . ' hex: ' . $test[2] . ' normalize: ' . ($test[1] ? 'TRUE' : 'FALSE'));
+    }
+  }
+
+  public function testColorUnpack() {
+    foreach ($this->test_values as $test) {
+      $this->assertEqual(_color_unpack($test[2], $test[1]), $test[0], __FUNCTION__ . ' hex: ' . $test[2] . ' normalize: ' . ($test[1] ? 'TRUE' : 'FALSE'));
+    }
+  }
+}

frontend/drupal/modules/comment/comment.info

@@ -9,7 +9,7 @@ files[] = comment.test
 configure = admin/content/comment
 stylesheets[all][] = comment.css
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/comment/comment.module

@@ -1515,7 +1515,7 @@ function comment_save($comment) {
         // by retrieving the maximum thread level.
         $max = db_query('SELECT MAX(thread) FROM {comment} WHERE nid = :nid', array(':nid' => $comment->nid))->fetchField();
         // Strip the "/" from the end of the thread.
-        $max = rtrim($max, '/');
+        $max = rtrim((string) $max, '/');
         // We need to get the value at the correct depth.
         $parts = explode('.', $max);
         $firstsegment = $parts[0];

frontend/drupal/modules/contact/contact.info

@@ -6,7 +6,7 @@ core = 7.x
 files[] = contact.test
 configure = admin/structure/contact
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/contextual/contextual.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 files[] = contextual.test
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/dashboard/dashboard.info

@@ -7,7 +7,7 @@ files[] = dashboard.test
 dependencies[] = block
 configure = admin/dashboard/customize
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/dblog/dblog.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 files[] = dblog.test
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/field/field.info

@@ -11,7 +11,7 @@ dependencies[] = field_sql_storage
 required = TRUE
 stylesheets[all][] = theme/field.css
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/field/modules/field_sql_storage/field_sql_storage.info

@@ -7,7 +7,7 @@ dependencies[] = field
 files[] = field_sql_storage.test
 required = TRUE
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/field/modules/list/list.info

@@ -7,7 +7,7 @@ dependencies[] = field
 dependencies[] = options
 files[] = tests/list.test
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/field/modules/list/list.module

@@ -67,7 +67,7 @@ function list_field_settings_form($field, $instance, $has_data) {
       $form['allowed_values'] = array(
         '#type' => 'textarea',
         '#title' => t('Allowed values list'),
-        '#default_value' => list_allowed_values_string($settings['allowed_values']),
+        '#default_value' => empty($settings['allowed_values_function']) ? list_allowed_values_string($settings['allowed_values']) : array(),
         '#rows' => 10,
         '#element_validate' => array('list_allowed_values_setting_validate'),
         '#field_has_data' => $has_data,

frontend/drupal/modules/field/modules/list/tests/list.test

@@ -406,18 +406,36 @@ class ListFieldUITestCase extends FieldTestCase {
     $this->assertFalse(isset($field['settings']['off']), 'The off value is not saved into settings');
   }
 
+  /**
+   * List (text) : test 'allowed values function' input.
+   */
+  function testDynamicListAllowedValuesText() {
+    $this->field_name = 'field_list_text';
+    $this->createListField('list_text', array(
+      'allowed_values_function' => 'list_test_dynamic_values_callback',
+      'allowed_values' => '',
+    ));
+    $this->drupalGet($this->admin_path);
+  }
+
   /**
    * Helper function to create list field of a given type.
    *
    * @param string $type
    *   'list_integer', 'list_float', 'list_text' or 'list_boolean'
+   * @param array $settings
+   *
+   * @throws \FieldException
    */
-  protected function createListField($type) {
+  protected function createListField($type, $settings = array()) {
     // Create a test field and instance.
     $field = array(
       'field_name' => $this->field_name,
       'type' => $type,
     );
+    if (!empty($settings)) {
+      $field['settings'] = $settings;
+    }
     field_create_field($field);
     $instance = array(
       'field_name' => $this->field_name,

frontend/drupal/modules/field/modules/list/tests/list_test.info

@@ -5,7 +5,7 @@ package = Testing
 version = VERSION
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/field/modules/number/number.info

@@ -6,7 +6,7 @@ core = 7.x
 dependencies[] = field
 files[] = number.test
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/field/modules/options/options.info

@@ -6,7 +6,7 @@ core = 7.x
 dependencies[] = field
 files[] = options.test
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/field/modules/text/text.info

@@ -7,7 +7,7 @@ dependencies[] = field
 files[] = text.test
 required = TRUE
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/field/tests/field_test.info

@@ -6,7 +6,7 @@ files[] = field_test.entity.inc
 version = VERSION
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/field_ui/field_ui.info

@@ -6,7 +6,7 @@ core = 7.x
 dependencies[] = field
 files[] = field_ui.test
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/file/file.field.inc

@@ -20,7 +20,7 @@ function file_field_info() {
       ),
       'instance_settings' => array(
         'file_extensions' => 'txt',
-        'file_directory' => '',
+        'file_directory' => '[date:custom:Y]-[date:custom:m]',
         'max_filesize' => '',
         'description_field' => 0,
       ),

frontend/drupal/modules/file/file.info

@@ -6,7 +6,7 @@ core = 7.x
 dependencies[] = field
 files[] = tests/file.test
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/file/tests/file.test

@@ -1354,10 +1354,11 @@ class FileFieldPathTestCase extends FileFieldTestCase {
     // Create a new node.
     $nid = $this->uploadNodeFile($test_file, $field_name, $type_name);
 
-    // Check that the file was uploaded to the file root.
+    // Check that the file was uploaded to the correct location.
     $node = node_load($nid, NULL, TRUE);
     $node_file = (object) $node->{$field_name}[LANGUAGE_NONE][0];
-    $this->assertPathMatch('public://' . $test_file->filename, $node_file->uri, format_string('The file %file was uploaded to the correct path.', array('%file' => $node_file->uri)));
+    $expected_path = 'public://' . date('Y', REQUEST_TIME) . '-' . date('m', REQUEST_TIME) . '/' . $test_file->filename;
+    $this->assertPathMatch($expected_path, $node_file->uri, format_string('The file %file was uploaded to the correct path.', array('%file' => $node_file->uri)));
 
     // Change the path to contain multiple subdirectories.
     $field = $this->updateFileField($field_name, $type_name, array('file_directory' => 'foo/bar/baz'));

frontend/drupal/modules/file/tests/file_module_test.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/filter/filter.info

@@ -7,7 +7,7 @@ files[] = filter.test
 required = TRUE
 configure = admin/config/content/formats
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/filter/filter.module

@@ -785,7 +785,7 @@ function check_markup($text, $format_id = NULL, $langcode = '', $cache = FALSE)
 
   // Convert all Windows and Mac newlines to a single newline, so filters only
   // need to deal with one possibility.
-  $text = str_replace(array("\r\n", "\r"), "\n", $text);
+  $text = str_replace(array("\r\n", "\r"), "\n", (string) $text);
 
   // Get a complete list of filters, ordered properly.
   $filters = filter_list_format($format->format);
@@ -1661,7 +1661,7 @@ function _filter_url_trim($text, $length = NULL) {
   }
 
   // Use +3 for '...' string length.
-  if ($_length && strlen($text) > $_length + 3) {
+  if ($_length && strlen((string) $text) > $_length + 3) {
     $text = substr($text, 0, $_length) . '...';
   }
 

frontend/drupal/modules/forum/forum.info

@@ -9,7 +9,7 @@ files[] = forum.test
 configure = admin/structure/forum
 stylesheets[all][] = forum.css
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/help/help.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 files[] = help.test
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/image/image.effects.inc

@@ -259,7 +259,7 @@ function image_rotate_effect(&$image, $data) {
   );
 
   // Convert short #FFF syntax to full #FFFFFF syntax.
-  if (strlen($data['bgcolor']) == 4) {
+  if (strlen((string) $data['bgcolor']) == 4) {
     $c = $data['bgcolor'];
     $data['bgcolor'] = $c[0] . $c[1] . $c[1] . $c[2] . $c[2] . $c[3] . $c[3];
   }

frontend/drupal/modules/image/image.field.inc

@@ -19,7 +19,7 @@ function image_field_info() {
       ),
       'instance_settings' => array(
         'file_extensions' => 'png gif jpg jpeg',
-        'file_directory' => '',
+        'file_directory' => '[date:custom:Y]-[date:custom:m]',
         'max_filesize' => '',
         'alt_field' => 0,
         'title_field' => 0,

frontend/drupal/modules/image/image.info

@@ -7,7 +7,7 @@ dependencies[] = file
 files[] = image.test
 configure = admin/config/media/image-styles
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/image/image.module

@@ -804,7 +804,7 @@ function image_style_options($include_empty = TRUE, $output = CHECK_PLAIN) {
  * @param $scheme
  *   The file scheme, for example 'public' for public files.
  */
-function image_style_deliver($style, $scheme) {
+function image_style_deliver($style, $scheme = NULL) {
   $args = func_get_args();
   array_shift($args);
   array_shift($args);
@@ -817,7 +817,7 @@ function image_style_deliver($style, $scheme) {
   // site's vulnerability to denial-of-service attacks. To prevent this
   // variable from leaving the site vulnerable to the most serious attacks, a
   // token is always required when a derivative of a derivative is requested.)
-  $valid = !empty($style) && file_stream_wrapper_valid_scheme($scheme);
+  $valid = !empty($style) && !empty($scheme) && file_stream_wrapper_valid_scheme($scheme);
   if (!variable_get('image_allow_insecure_derivatives', FALSE) || strpos(ltrim($target, '\/'), 'styles/') === 0) {
     $valid = $valid && isset($_GET[IMAGE_DERIVATIVE_TOKEN]) && $_GET[IMAGE_DERIVATIVE_TOKEN] === image_style_path_token($style['name'], $scheme . '://' . $target);
   }

frontend/drupal/modules/image/image.test

@@ -378,6 +378,11 @@ class ImageStylesPathAndUrlTestCase extends DrupalWebTestCase {
     $directory = $scheme . '://styles/' . $this->style_name . '/' . $scheme . '/' . $this->randomName();
     $this->drupalGet(file_create_url($directory . '/' . $this->randomName()));
     $this->assertFalse(file_exists($directory), 'New directory was not created in the filesystem when requesting an unauthorized image.');
+
+    // Check that requesting a partial image style path returns access denied.
+    $partial_url = $scheme . '://styles/' . $this->style_name . '/';
+    $this->drupalGet(file_create_url($partial_url) . '/');
+    $this->assertResponse(403, 'Access was denied to a partial image style path.');
   }
 }
 

frontend/drupal/modules/image/tests/image_module_test.info

@@ -6,7 +6,7 @@ core = 7.x
 files[] = image_module_test.module
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/locale/locale.info

@@ -6,7 +6,7 @@ core = 7.x
 files[] = locale.test
 configure = admin/config/regional/language
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/locale/tests/locale_test.info

@@ -5,7 +5,7 @@ package = Testing
 version = VERSION
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/menu/menu.admin.inc

@@ -59,13 +59,8 @@ function menu_overview_form($form, &$form_state, $menu) {
   foreach ($result as $item) {
     $links[] = $item;
   }
-
-    /**
-     * 1KA iskanje
-     */
-    $link_count = db_query("SELECT COUNT(*) AS counter FROM {menu_links} WHERE menu_name = :menu AND link_path NOT LIKE :link_path", array(':menu' => $menu['menu_name'], ':link_path' => '%\%%'))->fetchObject();
-    $counter = intval($link_count->counter / 2 ) + 1;
-
+  $link_count = db_query("SELECT COUNT(*) AS counter FROM {menu_links} WHERE menu_name = :menu AND link_path NOT LIKE :link_path", array(':menu' => $menu['menu_name'], ':link_path' => '%\%%'))->fetchObject();
+  $counter = intval($link_count->counter / 2 ) + 1;
 
   $tree = menu_tree_data($links);
   $node_links = array();
@@ -75,12 +70,8 @@ function menu_overview_form($form, &$form_state, $menu) {
   menu_tree_check_access($tree, $node_links);
   $menu_admin = FALSE;
 
-    /**
-     * 1KA menu
-     */
   $delta = _menu_get_menu_weight_delta($menu['menu_name'], $counter);
   $form = array_merge($form, _menu_overview_tree_form($tree, $delta));
-
   $form['#menu'] =  $menu;
 
   if (element_children($form)) {
@@ -100,10 +91,11 @@ function menu_overview_form($form, &$form_state, $menu) {
  * Recursive helper function for menu_overview_form().
  *
  * @param $tree
- *  * @param $delta
+ *   The menu_tree retrieved by menu_tree_data.
+ * @param $delta
  *   The number of items to use in the menu weight selector. Defaults to 50.
  */
-function _menu_overview_tree_form($tree,  $delta = 50) {
+function _menu_overview_tree_form($tree, $delta = 50) {
   $form = &drupal_static(__FUNCTION__, array('#tree' => TRUE));
   foreach ($tree as $data) {
     $title = '';
@@ -114,12 +106,7 @@ function _menu_overview_tree_form($tree,  $delta = 50) {
       $form[$mlid]['#item'] = $item;
       $form[$mlid]['#attributes'] = $item['hidden'] ? array('class' => array('menu-disabled')) : array('class' => array('menu-enabled'));
       $form[$mlid]['title']['#markup'] = l($item['title'], $item['href'], $item['localized_options']);
-      if ($item['hidden']) {
-        $form[$mlid]['title']['#markup'] .= ' (' . t('disabled') . ')';
-      }
-      elseif ($item['link_path'] == 'user' && $item['module'] == 'system') {
-        $form[$mlid]['title']['#markup'] .= ' (' . t('logged in users only') . ')';
-      }
+      menu_add_link_labels($form[$mlid]['title']['#markup'], $item);
 
       $form[$mlid]['hidden'] = array(
         '#type' => 'checkbox',
@@ -157,8 +144,7 @@ function _menu_overview_tree_form($tree,  $delta = 50) {
     }
 
     if ($data['below']) {
-        # 1ka menu $delta
-        _menu_overview_tree_form($data['below'], $delta);
+      _menu_overview_tree_form($data['below'], $delta);
     }
   }
   return $form;
@@ -373,20 +359,17 @@ function menu_edit_item($form, &$form_state, $type, $item, $menu) {
     '#description' => t('The maximum depth for a link and all its children is fixed at !maxdepth. Some menu links may not be available as parents if selecting them would exceed this limit.', array('!maxdepth' => MENU_MAX_DEPTH)),
     '#attributes' => array('class' => array('menu-title-select')),
   );
-
-    /**
-     * 1ka menu
-     */
-    // Get number of items in all possible parent menus so the weight selector is sized appropriately.
-    $menu_names = array_keys(menu_get_menus());
-    $menu_options = array();
-    foreach ($menu_names as $menu_name) {
-        if (isset($options[$menu_name . ':0'])) {
-            $menu_options[] = $menu_name;
-        }
+  // Get number of items in all possible parent menus so the weight selector is
+  // sized appropriately.
+  $menu_names = array_keys(menu_get_menus());
+  $menu_options = array();
+  foreach ($menu_names as $menu_name) {
+    if (isset($options[$menu_name . ':0'])) {
+      $menu_options[] = $menu_name;
     }
-    // Make sure that we always have values in menu_options.
-    $menu_options = !empty($menu_options) ? $menu_options : $menu_names;
+  }
+  // Make sure that we always have values in menu_options.
+  $menu_options = !empty($menu_options) ? $menu_options : $menu_names;
 
   $form['weight'] = array(
     '#type' => 'weight',

frontend/drupal/modules/menu/menu.info

@@ -6,7 +6,7 @@ core = 7.x
 files[] = menu.test
 configure = admin/structure/menu
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/menu/menu.module

@@ -42,39 +42,6 @@ function menu_help($path, $arg) {
   }
 }
 
-/**
- * Calculate weight's delta for a menu or group of menu options.
- *
- * @param string|array $menu_names
- *   Menu name or an array of menu names to caclulate its weight's delta.
- * @param integer $max_delta
- *   Optional value, delta's maximum value.
- *
- * @return int
- *   Delta value for the given menu name or menu names.
- */
-function _menu_get_menu_weight_delta($menu_names, $max_delta = NULL) {
-
-    if (is_string($menu_names)) {
-        $menu_names = array($menu_names);
-    }
-
-    $weight_info = db_query("SELECT MAX(weight) AS max_weight, MIN(weight) as min_weight FROM {menu_links} WHERE menu_name IN (:menu_names)", array(':menu_names' => $menu_names))->fetchObject();
-
-    $delta = max(abs($weight_info->min_weight), abs($weight_info->max_weight)) + 1;
-
-    // Honor max param, if given.
-    if (!is_null($max_delta) && $delta > $max_delta) {
-        $delta = $max_delta;
-    }
-
-    // At minimum use the old hardcoded value.
-    if ($delta < 50) {
-        $delta = 50;
-    }
-    return $delta;
-}
-
 /**
  * Implements hook_permission().
  */
@@ -434,6 +401,9 @@ function menu_parent_options_js() {
  * Helper function to get the items of the given menu.
  */
 function _menu_get_options($menus, $available_menus, $item) {
+  global $menu_admin;
+  $menu_admin = TRUE;
+
   // If the item has children, there is an added limit to the depth of valid parents.
   if (isset($item['parent_depth_limit'])) {
     $limit = $item['parent_depth_limit'];
@@ -450,6 +420,8 @@ function _menu_get_options($menus, $available_menus, $item) {
       _menu_parents_recurse($tree, $menu_name, '--', $options, $item['mlid'], $limit);
     }
   }
+
+  $menu_admin = FALSE;
   return $options;
 }
 
@@ -464,9 +436,7 @@ function _menu_parents_recurse($tree, $menu_name, $indent, &$options, $exclude,
     }
     if ($data['link']['mlid'] != $exclude && $data['link']['hidden'] >= 0) {
       $title = $indent . ' ' . truncate_utf8($data['link']['title'], 30, TRUE, FALSE);
-      if ($data['link']['hidden']) {
-        $title .= ' (' . t('disabled') . ')';
-      }
+      menu_add_link_labels($title, $data['link']);
       $options[$menu_name . ':' . $data['link']['mlid']] = $title;
       if ($data['below']) {
         _menu_parents_recurse($data['below'], $menu_name, $indent . '--', $options, $exclude, $depth_limit);
@@ -475,6 +445,27 @@ function _menu_parents_recurse($tree, $menu_name, $indent, &$options, $exclude,
   }
 }
 
+/**
+ * Adds labels to the title of a hidden, unpublished or logged-in menu link.
+ *
+ * @param string $title
+ *   The title of the menu link. This will be modified as necessary to add the
+ *   appropriate label in parentheses at the end.
+ * @param array $item
+ *   An array representing the menu link item.
+ */
+function menu_add_link_labels(&$title, $item) {
+  if ($item['hidden']) {
+    $title .= ' (' . t('disabled') . ')';
+  }
+  elseif (!empty($item['node_unpublished'])) {
+    $title .= ' (' . t('unpublished') . ')';
+  }
+  elseif ($item['link_path'] == 'user' && $item['module'] == 'system') {
+    $title .= ' (' . t('logged in users only') . ')';
+  }
+}
+
 /**
  * Reset a system-defined menu link.
  */
@@ -649,6 +640,39 @@ function _menu_parent_depth_limit($item) {
   return MENU_MAX_DEPTH - 1 - (($item['mlid'] && $item['has_children']) ? menu_link_children_relative_depth($item) : 0);
 }
 
+/**
+ * Calculate the delta for the weight element for a given set of menus.
+ *
+ * @param string|array $menu_names
+ *   Menu name or an array of menu names.
+ * @param int $max_delta
+ *   Optional maximum value.
+ *
+ * @return int
+ *   Delta value.
+ */
+function _menu_get_menu_weight_delta($menu_names, $max_delta = NULL) {
+
+  if (is_string($menu_names)) {
+    $menu_names = array($menu_names);
+  }
+
+  $weight_info = db_query("SELECT MAX(weight) AS max_weight, MIN(weight) as min_weight FROM {menu_links} WHERE menu_name IN (:menu_names)", array(':menu_names' => $menu_names))->fetchObject();
+
+  $delta = max(abs((int) $weight_info->min_weight), abs((int) $weight_info->max_weight)) + 1;
+
+  // Honor max param, if given.
+  if (!is_null($max_delta) && $delta > $max_delta) {
+    $delta = $max_delta;
+  }
+
+  // Provide a minimum.
+  if ($delta < 50) {
+    $delta = 50;
+  }
+  return $delta;
+}
+
 /**
  * Implements hook_form_BASE_FORM_ID_alter().
  *
@@ -735,17 +759,17 @@ function menu_form_node_form_alter(&$form, $form_state) {
     '#options' => $options,
     '#attributes' => array('class' => array('menu-parent-select')),
   );
-
-    // Get number of items in all possible parent menus so the weight selector is sized appropriately.
-    $menu_names = array_keys(menu_get_menus());
-    $menu_options = array();
-    foreach ($menu_names as $menu_name) {
-        if (isset($options[$menu_name . ':0'])) {
-            $menu_options[] = $menu_name;
-        }
+  // Get number of items in all possible parent menus so the weight selector is
+  // sized appropriately.
+  $menu_names = array_keys(menu_get_menus());
+  $menu_options = array();
+  foreach ($menu_names as $menu_name) {
+    if (isset($options[$menu_name . ':0'])) {
+      $menu_options[] = $menu_name;
     }
-    // Make sure that we always have values in menu_options.
-    $menu_options = !empty($menu_options) ? $menu_options : $menu_names;
+  }
+  // Make sure that we always have values in menu_options.
+  $menu_options = !empty($menu_options) ? $menu_options : $menu_names;
 
   $form['menu']['link']['weight'] = array(
     '#type' => 'weight',

frontend/drupal/modules/node/node.api.php

@@ -747,10 +747,10 @@ function hook_node_update_index($node) {
 /**
  * Perform node validation before a node is created or updated.
  *
- * This hook is invoked from node_validate(), after a user has has finished
- * editing the node and is previewing or submitting it. It is invoked at the
- * end of all the standard validation steps, and after the type-specific
- * hook_validate() is invoked.
+ * This hook is invoked from node_validate(), after a user has finished editing
+ * the node and is previewing or submitting it. It is invoked at the end of all
+ * the standard validation steps, and after the type-specific hook_validate() is
+ * invoked.
  *
  * To indicate a validation error, use form_set_error().
  *

frontend/drupal/modules/node/node.info

@@ -9,7 +9,7 @@ required = TRUE
 configure = admin/structure/types
 stylesheets[all][] = node.css
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/node/tests/node_access_test.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/node/tests/node_test.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/node/tests/node_test_exception.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/openid/openid.inc

@@ -445,7 +445,7 @@ function _openid_signature($association, $message_array, $keys_to_sign) {
   }
 
   $message = _openid_create_message($sign_data);
-  $secret = base64_decode($association->mac_key);
+  $secret = base64_decode((string) $association->mac_key);
   $signature = _openid_hmac($secret, $message);
 
   return base64_encode($signature);

frontend/drupal/modules/openid/openid.info

@@ -5,7 +5,7 @@ package = Core
 core = 7.x
 files[] = openid.test
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/openid/tests/openid_test.info

@@ -6,7 +6,7 @@ core = 7.x
 dependencies[] = openid
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/overlay/overlay.info

@@ -4,7 +4,7 @@ package = Core
 version = VERSION
 core = 7.x
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/path/path.info

@@ -6,7 +6,7 @@ core = 7.x
 files[] = path.test
 configure = admin/config/search/path
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/php/php.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 files[] = php.test
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/poll/poll.info

@@ -6,7 +6,7 @@ core = 7.x
 files[] = poll.test
 stylesheets[all][] = poll.css
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/profile/profile.info

@@ -11,7 +11,7 @@ configure = admin/config/people/profile
 ; See user_system_info_alter().
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/rdf/rdf.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 files[] = rdf.test
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/rdf/tests/rdf_test.info

@@ -6,7 +6,7 @@ core = 7.x
 hidden = TRUE
 dependencies[] = blog
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/search/search.info

@@ -8,7 +8,7 @@ files[] = search.test
 configure = admin/config/search/settings
 stylesheets[all][] = search.css
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/search/tests/search_embedded_form.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/search/tests/search_extra_type.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/search/tests/search_node_tags.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/shortcut/shortcut.info

@@ -6,7 +6,7 @@ core = 7.x
 files[] = shortcut.test
 configure = admin/config/user-interface/shortcut
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/simpletest/drupal_web_test_case.php

@@ -1536,7 +1536,7 @@ class DrupalWebTestCase extends DrupalTestCase {
 
     // Inform others that this cache is usable now.
     $cache_file = $this->originalFileDirectory . '/simpletest/' . $cache_key . '/simpletest-cache-setup';
-    file_put_contents($cache_file, time(NULL));
+    file_put_contents($cache_file, time());
 
     lock_release($lock_key);
     return TRUE;

frontend/drupal/modules/simpletest/simpletest.info

@@ -58,7 +58,7 @@ files[] = tests/upgrade/update.trigger.test
 files[] = tests/upgrade/update.field.test
 files[] = tests/upgrade/update.user.test
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/simpletest/tests/actions_loop_test.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/simpletest/tests/ajax_forms_test.info

@@ -5,7 +5,7 @@ package = Testing
 version = VERSION
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/simpletest/tests/ajax_test.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/simpletest/tests/batch_test.info

@@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"

frontend/drupal/modules/simpletest/tests/boot_test_1.info

@@ -5,7 +5,7 @@ package = Testing
 version = VERSION
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2021-06-02
-version = "7.81"
+; Information added by Drupal.org packaging script on 2022-01-19
+version = "7.87"
 project = "drupal"
-datestamp = "1622633234"
+datestamp = "1642633901"