Drupal investigation

update.compare.inc 21KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493
  1. <?php
  2. /**
  3. * @file
  4. * Code required only when comparing available updates to existing data.
  5. */
  6. /**
  7. * Determines version and type information for currently installed projects.
  8. *
  9. * Processes the list of projects on the system to figure out the currently
  10. * installed versions, and other information that is required before we can
  11. * compare against the available releases to produce the status report.
  12. *
  13. * @param $projects
  14. * Array of project information from
  15. * \Drupal\Update\UpdateManager::getProjects().
  16. */
  17. function update_process_project_info(&$projects) {
  18. foreach ($projects as $key => $project) {
  19. // Assume an official release until we see otherwise.
  20. $install_type = 'official';
  21. $info = $project['info'];
  22. if (isset($info['version'])) {
  23. // Check for development snapshots
  24. if (preg_match('@(dev|HEAD)@', $info['version'])) {
  25. $install_type = 'dev';
  26. }
  27. // Figure out what the currently installed major version is. We need
  28. // to handle both contribution (e.g. "5.x-1.3", major = 1) and core
  29. // (e.g. "5.1", major = 5) version strings.
  30. $matches = [];
  31. if (preg_match('/^(\d+\.x-)?(\d+)\..*$/', $info['version'], $matches)) {
  32. $info['major'] = $matches[2];
  33. }
  34. elseif (!isset($info['major'])) {
  35. // This would only happen for version strings that don't follow the
  36. // drupal.org convention. We let contribs define "major" in their
  37. // .info.yml in this case, and only if that's missing would we hit this.
  38. $info['major'] = -1;
  39. }
  40. }
  41. else {
  42. // No version info available at all.
  43. $install_type = 'unknown';
  44. $info['version'] = t('Unknown');
  45. $info['major'] = -1;
  46. }
  47. // Finally, save the results we care about into the $projects array.
  48. $projects[$key]['existing_version'] = $info['version'];
  49. $projects[$key]['existing_major'] = $info['major'];
  50. $projects[$key]['install_type'] = $install_type;
  51. }
  52. }
  53. /**
  54. * Calculates the current update status of all projects on the site.
  55. *
  56. * The results of this function are expensive to compute, especially on sites
  57. * with lots of modules or themes, since it involves a lot of comparisons and
  58. * other operations. Therefore, we store the results. However, since this is not
  59. * the data about available updates fetched from the network, it is ok to
  60. * invalidate it somewhat quickly. If we keep this data for very long, site
  61. * administrators are more likely to see incorrect results if they upgrade to a
  62. * newer version of a module or theme but do not visit certain pages that
  63. * automatically clear this.
  64. *
  65. * @param array $available
  66. * Data about available project releases.
  67. *
  68. * @return
  69. * An array of installed projects with current update status information.
  70. *
  71. * @see update_get_available()
  72. * @see \Drupal\Update\UpdateManager::getProjects()
  73. * @see update_process_project_info()
  74. * @see \Drupal\update\UpdateManagerInterface::projectStorage()
  75. */
  76. function update_calculate_project_data($available) {
  77. // Retrieve the projects from storage, if present.
  78. $projects = \Drupal::service('update.manager')->projectStorage('update_project_data');
  79. // If $projects is empty, then the data must be rebuilt.
  80. // Otherwise, return the data and skip the rest of the function.
  81. if (!empty($projects)) {
  82. return $projects;
  83. }
  84. $projects = \Drupal::service('update.manager')->getProjects();
  85. update_process_project_info($projects);
  86. foreach ($projects as $project => $project_info) {
  87. if (isset($available[$project])) {
  88. update_calculate_project_update_status($projects[$project], $available[$project]);
  89. }
  90. else {
  91. $projects[$project]['status'] = UPDATE_UNKNOWN;
  92. $projects[$project]['reason'] = t('No available releases found');
  93. }
  94. }
  95. // Give other modules a chance to alter the status (for example, to allow a
  96. // contrib module to provide fine-grained settings to ignore specific
  97. // projects or releases).
  98. \Drupal::moduleHandler()->alter('update_status', $projects);
  99. // Store the site's update status for at most 1 hour.
  100. \Drupal::keyValueExpirable('update')->setWithExpire('update_project_data', $projects, 3600);
  101. return $projects;
  102. }
  103. /**
  104. * Calculates the current update status of a specific project.
  105. *
  106. * This function is the heart of the update status feature. For each project it
  107. * is invoked with, it first checks if the project has been flagged with a
  108. * special status like "unsupported" or "insecure", or if the project node
  109. * itself has been unpublished. In any of those cases, the project is marked
  110. * with an error and the next project is considered.
  111. *
  112. * If the project itself is valid, the function decides what major release
  113. * series to consider. The project defines what the currently supported major
  114. * versions are for each version of core, so the first step is to make sure the
  115. * current version is still supported. If so, that's the target version. If the
  116. * current version is unsupported, the project maintainer's recommended major
  117. * version is used. There's also a check to make sure that this function never
  118. * recommends an earlier release than the currently installed major version.
  119. *
  120. * Given a target major version, the available releases are scanned looking for
  121. * the specific release to recommend (avoiding beta releases and development
  122. * snapshots if possible). For the target major version, the highest patch level
  123. * is found. If there is a release at that patch level with no extra ("beta",
  124. * etc.), then the release at that patch level with the most recent release date
  125. * is recommended. If every release at that patch level has extra (only betas),
  126. * then the latest release from the previous patch level is recommended. For
  127. * example:
  128. *
  129. * - 1.6-bugfix <-- recommended version because 1.6 already exists.
  130. * - 1.6
  131. *
  132. * or
  133. *
  134. * - 1.6-beta
  135. * - 1.5 <-- recommended version because no 1.6 exists.
  136. * - 1.4
  137. *
  138. * Also, the latest release from the same major version is looked for, even beta
  139. * releases, to display to the user as the "Latest version" option.
  140. * Additionally, the latest official release from any higher major versions that
  141. * have been released is searched for to provide a set of "Also available"
  142. * options.
  143. *
  144. * Finally, and most importantly, the release history continues to be scanned
  145. * until the currently installed release is reached, searching for anything
  146. * marked as a security update. If any security updates have been found between
  147. * the recommended release and the installed version, all of the releases that
  148. * included a security fix are recorded so that the site administrator can be
  149. * warned their site is insecure, and links pointing to the release notes for
  150. * each security update can be included (which, in turn, will link to the
  151. * official security announcements for each vulnerability).
  152. *
  153. * This function relies on the fact that the .xml release history data comes
  154. * sorted based on major version and patch level, then finally by release date
  155. * if there are multiple releases such as betas from the same major.patch
  156. * version (e.g., 5.x-1.5-beta1, 5.x-1.5-beta2, and 5.x-1.5). Development
  157. * snapshots for a given major version are always listed last.
  158. *
  159. * @param $project_data
  160. * An array containing information about a specific project.
  161. * @param $available
  162. * Data about available project releases of a specific project.
  163. */
  164. function update_calculate_project_update_status(&$project_data, $available) {
  165. foreach (['title', 'link'] as $attribute) {
  166. if (!isset($project_data[$attribute]) && isset($available[$attribute])) {
  167. $project_data[$attribute] = $available[$attribute];
  168. }
  169. }
  170. // If the project status is marked as something bad, there's nothing else
  171. // to consider.
  172. if (isset($available['project_status'])) {
  173. switch ($available['project_status']) {
  174. case 'insecure':
  175. $project_data['status'] = UPDATE_NOT_SECURE;
  176. if (empty($project_data['extra'])) {
  177. $project_data['extra'] = [];
  178. }
  179. $project_data['extra'][] = [
  180. 'label' => t('Project not secure'),
  181. 'data' => t('This project has been labeled insecure by the Drupal security team, and is no longer available for download. Immediately disabling everything included by this project is strongly recommended!'),
  182. ];
  183. break;
  184. case 'unpublished':
  185. case 'revoked':
  186. $project_data['status'] = UPDATE_REVOKED;
  187. if (empty($project_data['extra'])) {
  188. $project_data['extra'] = [];
  189. }
  190. $project_data['extra'][] = [
  191. 'label' => t('Project revoked'),
  192. 'data' => t('This project has been revoked, and is no longer available for download. Disabling everything included by this project is strongly recommended!'),
  193. ];
  194. break;
  195. case 'unsupported':
  196. $project_data['status'] = UPDATE_NOT_SUPPORTED;
  197. if (empty($project_data['extra'])) {
  198. $project_data['extra'] = [];
  199. }
  200. $project_data['extra'][] = [
  201. 'label' => t('Project not supported'),
  202. 'data' => t('This project is no longer supported, and is no longer available for download. Disabling everything included by this project is strongly recommended!'),
  203. ];
  204. break;
  205. case 'not-fetched':
  206. $project_data['status'] = UPDATE_NOT_FETCHED;
  207. $project_data['reason'] = t('Failed to get available update data.');
  208. break;
  209. default:
  210. // Assume anything else (e.g. 'published') is valid and we should
  211. // perform the rest of the logic in this function.
  212. break;
  213. }
  214. }
  215. if (!empty($project_data['status'])) {
  216. // We already know the status for this project, so there's nothing else to
  217. // compute. Record the project status into $project_data and we're done.
  218. $project_data['project_status'] = $available['project_status'];
  219. return;
  220. }
  221. // Figure out the target major version.
  222. $existing_major = $project_data['existing_major'];
  223. $supported_majors = [];
  224. if (isset($available['supported_majors'])) {
  225. $supported_majors = explode(',', $available['supported_majors']);
  226. }
  227. elseif (isset($available['default_major'])) {
  228. // Older release history XML file without supported or recommended.
  229. $supported_majors[] = $available['default_major'];
  230. }
  231. if (in_array($existing_major, $supported_majors)) {
  232. // Still supported, stay at the current major version.
  233. $target_major = $existing_major;
  234. }
  235. elseif (isset($available['recommended_major'])) {
  236. // Since 'recommended_major' is defined, we know this is the new XML
  237. // format. Therefore, we know the current release is unsupported since
  238. // its major version was not in the 'supported_majors' list. We should
  239. // find the best release from the recommended major version.
  240. $target_major = $available['recommended_major'];
  241. $project_data['status'] = UPDATE_NOT_SUPPORTED;
  242. }
  243. elseif (isset($available['default_major'])) {
  244. // Older release history XML file without recommended, so recommend
  245. // the currently defined "default_major" version.
  246. $target_major = $available['default_major'];
  247. }
  248. else {
  249. // Malformed XML file? Stick with the current version.
  250. $target_major = $existing_major;
  251. }
  252. // Make sure we never tell the admin to downgrade. If we recommended an
  253. // earlier version than the one they're running, they'd face an
  254. // impossible data migration problem, since Drupal never supports a DB
  255. // downgrade path. In the unfortunate case that what they're running is
  256. // unsupported, and there's nothing newer for them to upgrade to, we
  257. // can't print out a "Recommended version", but just have to tell them
  258. // what they have is unsupported and let them figure it out.
  259. $target_major = max($existing_major, $target_major);
  260. $release_patch_changed = '';
  261. $patch = '';
  262. // If the project is marked as UPDATE_FETCH_PENDING, it means that the
  263. // data we currently have (if any) is stale, and we've got a task queued
  264. // up to (re)fetch the data. In that case, we mark it as such, merge in
  265. // whatever data we have (e.g. project title and link), and move on.
  266. if (!empty($available['fetch_status']) && $available['fetch_status'] == UPDATE_FETCH_PENDING) {
  267. $project_data['status'] = UPDATE_FETCH_PENDING;
  268. $project_data['reason'] = t('No available update data');
  269. $project_data['fetch_status'] = $available['fetch_status'];
  270. return;
  271. }
  272. // Defend ourselves from XML history files that contain no releases.
  273. if (empty($available['releases'])) {
  274. $project_data['status'] = UPDATE_UNKNOWN;
  275. $project_data['reason'] = t('No available releases found');
  276. return;
  277. }
  278. foreach ($available['releases'] as $version => $release) {
  279. // First, if this is the existing release, check a few conditions.
  280. if ($project_data['existing_version'] === $version) {
  281. if (isset($release['terms']['Release type']) &&
  282. in_array('Insecure', $release['terms']['Release type'])) {
  283. $project_data['status'] = UPDATE_NOT_SECURE;
  284. }
  285. elseif ($release['status'] == 'unpublished') {
  286. $project_data['status'] = UPDATE_REVOKED;
  287. if (empty($project_data['extra'])) {
  288. $project_data['extra'] = [];
  289. }
  290. $project_data['extra'][] = [
  291. 'class' => ['release-revoked'],
  292. 'label' => t('Release revoked'),
  293. 'data' => t('Your currently installed release has been revoked, and is no longer available for download. Disabling everything included in this release or upgrading is strongly recommended!'),
  294. ];
  295. }
  296. elseif (isset($release['terms']['Release type']) &&
  297. in_array('Unsupported', $release['terms']['Release type'])) {
  298. $project_data['status'] = UPDATE_NOT_SUPPORTED;
  299. if (empty($project_data['extra'])) {
  300. $project_data['extra'] = [];
  301. }
  302. $project_data['extra'][] = [
  303. 'class' => ['release-not-supported'],
  304. 'label' => t('Release not supported'),
  305. 'data' => t('Your currently installed release is now unsupported, and is no longer available for download. Disabling everything included in this release or upgrading is strongly recommended!'),
  306. ];
  307. }
  308. }
  309. // Otherwise, ignore unpublished, insecure, or unsupported releases.
  310. if ($release['status'] == 'unpublished' ||
  311. (isset($release['terms']['Release type']) &&
  312. (in_array('Insecure', $release['terms']['Release type']) ||
  313. in_array('Unsupported', $release['terms']['Release type'])))) {
  314. continue;
  315. }
  316. // See if this is a higher major version than our target and yet still
  317. // supported. If so, record it as an "Also available" release.
  318. // Note: Some projects have a HEAD release from CVS days, which could
  319. // be one of those being compared. They would not have version_major
  320. // set, so we must call isset first.
  321. if (isset($release['version_major']) && $release['version_major'] > $target_major) {
  322. if (in_array($release['version_major'], $supported_majors)) {
  323. if (!isset($project_data['also'])) {
  324. $project_data['also'] = [];
  325. }
  326. if (!isset($project_data['also'][$release['version_major']])) {
  327. $project_data['also'][$release['version_major']] = $version;
  328. $project_data['releases'][$version] = $release;
  329. }
  330. }
  331. // Otherwise, this release can't matter to us, since it's neither
  332. // from the release series we're currently using nor the recommended
  333. // release. We don't even care about security updates for this
  334. // branch, since if a project maintainer puts out a security release
  335. // at a higher major version and not at the lower major version,
  336. // they must remove the lower version from the supported major
  337. // versions at the same time, in which case we won't hit this code.
  338. continue;
  339. }
  340. // Look for the 'latest version' if we haven't found it yet. Latest is
  341. // defined as the most recent version for the target major version.
  342. if (!isset($project_data['latest_version'])
  343. && $release['version_major'] == $target_major) {
  344. $project_data['latest_version'] = $version;
  345. $project_data['releases'][$version] = $release;
  346. }
  347. // Look for the development snapshot release for this branch.
  348. if (!isset($project_data['dev_version'])
  349. && $release['version_major'] == $target_major
  350. && isset($release['version_extra'])
  351. && $release['version_extra'] == 'dev') {
  352. $project_data['dev_version'] = $version;
  353. $project_data['releases'][$version] = $release;
  354. }
  355. // Look for the 'recommended' version if we haven't found it yet (see
  356. // phpdoc at the top of this function for the definition).
  357. if (!isset($project_data['recommended'])
  358. && $release['version_major'] == $target_major
  359. && isset($release['version_patch'])) {
  360. if ($patch != $release['version_patch']) {
  361. $patch = $release['version_patch'];
  362. $release_patch_changed = $release;
  363. }
  364. if (empty($release['version_extra']) && $patch == $release['version_patch']) {
  365. $project_data['recommended'] = $release_patch_changed['version'];
  366. $project_data['releases'][$release_patch_changed['version']] = $release_patch_changed;
  367. }
  368. }
  369. // Stop searching once we hit the currently installed version.
  370. if ($project_data['existing_version'] === $version) {
  371. break;
  372. }
  373. // If we're running a dev snapshot and have a timestamp, stop
  374. // searching for security updates once we hit an official release
  375. // older than what we've got. Allow 100 seconds of leeway to handle
  376. // differences between the datestamp in the .info.yml file and the
  377. // timestamp of the tarball itself (which are usually off by 1 or 2
  378. // seconds) so that we don't flag that as a new release.
  379. if ($project_data['install_type'] == 'dev') {
  380. if (empty($project_data['datestamp'])) {
  381. // We don't have current timestamp info, so we can't know.
  382. continue;
  383. }
  384. elseif (isset($release['date']) && ($project_data['datestamp'] + 100 > $release['date'])) {
  385. // We're newer than this, so we can skip it.
  386. continue;
  387. }
  388. }
  389. // See if this release is a security update.
  390. if (isset($release['terms']['Release type'])
  391. && in_array('Security update', $release['terms']['Release type'])) {
  392. $project_data['security updates'][] = $release;
  393. }
  394. }
  395. // If we were unable to find a recommended version, then make the latest
  396. // version the recommended version if possible.
  397. if (!isset($project_data['recommended']) && isset($project_data['latest_version'])) {
  398. $project_data['recommended'] = $project_data['latest_version'];
  399. }
  400. //
  401. // Check to see if we need an update or not.
  402. //
  403. if (!empty($project_data['security updates'])) {
  404. // If we found security updates, that always trumps any other status.
  405. $project_data['status'] = UPDATE_NOT_SECURE;
  406. }
  407. if (isset($project_data['status'])) {
  408. // If we already know the status, we're done.
  409. return;
  410. }
  411. // If we don't know what to recommend, there's nothing we can report.
  412. // Bail out early.
  413. if (!isset($project_data['recommended'])) {
  414. $project_data['status'] = UPDATE_UNKNOWN;
  415. $project_data['reason'] = t('No available releases found');
  416. return;
  417. }
  418. // If we're running a dev snapshot, compare the date of the dev snapshot
  419. // with the latest official version, and record the absolute latest in
  420. // 'latest_dev' so we can correctly decide if there's a newer release
  421. // than our current snapshot.
  422. if ($project_data['install_type'] == 'dev') {
  423. if (isset($project_data['dev_version']) && $available['releases'][$project_data['dev_version']]['date'] > $available['releases'][$project_data['latest_version']]['date']) {
  424. $project_data['latest_dev'] = $project_data['dev_version'];
  425. }
  426. else {
  427. $project_data['latest_dev'] = $project_data['latest_version'];
  428. }
  429. }
  430. // Figure out the status, based on what we've seen and the install type.
  431. switch ($project_data['install_type']) {
  432. case 'official':
  433. if ($project_data['existing_version'] === $project_data['recommended'] || $project_data['existing_version'] === $project_data['latest_version']) {
  434. $project_data['status'] = UPDATE_CURRENT;
  435. }
  436. else {
  437. $project_data['status'] = UPDATE_NOT_CURRENT;
  438. }
  439. break;
  440. case 'dev':
  441. $latest = $available['releases'][$project_data['latest_dev']];
  442. if (empty($project_data['datestamp'])) {
  443. $project_data['status'] = UPDATE_NOT_CHECKED;
  444. $project_data['reason'] = t('Unknown release date');
  445. }
  446. elseif (($project_data['datestamp'] + 100 > $latest['date'])) {
  447. $project_data['status'] = UPDATE_CURRENT;
  448. }
  449. else {
  450. $project_data['status'] = UPDATE_NOT_CURRENT;
  451. }
  452. break;
  453. default:
  454. $project_data['status'] = UPDATE_UNKNOWN;
  455. $project_data['reason'] = t('Invalid info');
  456. }
  457. }