From bbd975f134910bde03eaf1133b1b8ce1633d0cc5 Mon Sep 17 00:00:00 2001 From: Max Mendez Date: Mon, 1 Aug 2022 16:08:27 -0600 Subject: [PATCH 1/5] Issue #3254699 by joelpittet, Liam Morland, joseph.olstad: [PHP 8.1] Passing... Issue #3254699 by joelpittet, Liam Morland, joseph.olstad: [PHP 8.1] Passing null to parameter #1 check_plain() --- includes/bootstrap.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc index d1bcedfa71..b7b45e3133 100644 --- a/includes/bootstrap.inc +++ b/includes/bootstrap.inc @@ -864,7 +864,7 @@ function check_plain($text) { // @todo remove this when support for either IE6 or PHP < 5.2.5 is dropped. if ($php525) { - return htmlspecialchars($text, ENT_QUOTES, 'UTF-8'); + return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); } return (preg_match('/^./us', $text) == 1) ? htmlspecialchars($text, ENT_QUOTES, 'UTF-8') : ''; } From 01c63f7c0a8274ba70fb0162697c9bee27ebd38c Mon Sep 17 00:00:00 2001 From: Max Mendez Date: Mon, 1 Aug 2022 16:20:30 -0600 Subject: [PATCH 2/5] Issue #3270546 by mcdruid, poker10, mfb: PHP 8.1 str_replace(): Passing null... Issue #3270546 by mcdruid, poker10, mfb: PHP 8.1 str_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated in filter_xss() --- includes/bootstrap.inc | 2 +- modules/filter/filter.module | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc index b7b45e3133..e3f88ea238 100644 --- a/includes/bootstrap.inc +++ b/includes/bootstrap.inc @@ -899,7 +899,7 @@ function check_plain($text) { * TRUE if the text is valid UTF-8, FALSE if not. */ function drupal_validate_utf8($text) { - if (strlen($text) == 0) { + if (strlen((string) $text) == 0) { return TRUE; } // For performance reasons this logic is duplicated in check_plain(). diff --git a/modules/filter/filter.module b/modules/filter/filter.module index bc48d798ee..ce142c2595 100644 
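Review bot: In the includes/bootstrap.inc check_plain() hunk the `(string)` cast is applied only inside the `if ($php525)` branch, so the fallback `return` two lines below still passes the raw `$text` to both `preg_match()` and `htmlspecialchars()`. That branch is presumably never reached on the PHP versions that emit the deprecation, but normalising once before the branch with `$text = (string) $text;` keeps both paths identical. The docblock lies outside the hunk; a line such as `NULL is treated as an empty string.` would tell callers that the escaping helper accepts NULL deliberately.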
--- a/modules/filter/filter.module +++ b/modules/filter/filter.module @@ -998,7 +998,7 @@ function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', // Store the input format _filter_xss_split($allowed_tags, TRUE); // Remove NUL characters (ignored by some browsers) - $string = str_replace(chr(0), '', $string); + $string = str_replace(chr(0), '', (string) $string); // Remove Netscape 4 JS entities $string = preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string); From 8d7be71c2f2f6d378b51412cbe35acaf67a34cf0 Mon Sep 17 00:00:00 2001 From: Max Mendez Date: Mon, 1 Aug 2022 16:27:47 -0600 Subject: [PATCH 3/5] Issue #3281663 by mcdruid: D7 backport: Fix htaccess files for PHP 8 --- includes/file.inc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/includes/file.inc b/includes/file.inc index 32371f4fb5..9b08e4958a 100644 --- a/includes/file.inc +++ b/includes/file.inc @@ -201,6 +201,10 @@ SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 php_flag engine off +# From PHP 8 there is no number in the module name. + + php_flag engine off + # PHP 4, Apache 1. php_flag engine off From 93a1213d9daffd4561e73c0050fc6e07aa7fa8b7 Mon Sep 17 00:00:00 2001 From: Max Mendez Date: Mon, 1 Aug 2022 16:30:12 -0600 Subject: [PATCH 4/5] Issue #3270543 by mcdruid, poker10: PHP 8.1 preg_split(): Passing null to... Issue #3270543 by mcdruid, poker10: PHP 8.1 preg_split(): Passing null to parameter #2 ($subject) of type string is deprecated in _locale_parse_js_file() --- includes/locale.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/includes/locale.inc b/includes/locale.inc index 44166a1a80..5680408da6 100644 --- a/includes/locale.inc +++ b/includes/locale.inc 
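Review bot: The added PHP 8 block in includes/file.inc only changes the template text used when a protective .htaccess is written; nothing in this hunk rewrites files that already exist on disk. Directories created before this patch would presumably keep the old rules, which by the added comment do not match the PHP 8 module name, so `php_flag engine off` may not take effect there after a PHP upgrade. The enclosing function starts and ends outside the hunk, so whether an overwrite path exists needs confirming. If there is none, the patch should regenerate existing files or document that site owners must do so by hand.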
@@ -1734,7 +1734,7 @@ function _locale_parse_js_file($filepath) { if ($source = db_fetch_object($result)) { // We already have this source string and now have to add the location // to the location column, if this file is not yet present in there. - $locations = preg_split('~\s*;\s*~', $source->location); + $locations = preg_split('~\s*;\s*~', (string) $source->location); if (!in_array($filepath, $locations)) { $locations[] = $filepath; From 576cd989e5804727d2e4ceb6d786384fa8d8e824 Mon Sep 17 00:00:00 2001 From: Max Mendez Date: Mon, 1 Aug 2022 16:47:53 -0600 Subject: [PATCH 5/5] Issue #2431283 by willzyx, salvis, David_Rothstein, thalles, Berdir, Fabianx,... Issue #2431283 by willzyx, salvis, David_Rothstein, thalles, Berdir, Fabianx, tstoeckler, alexpott, Dave Reid, mcdruid: Cron CSRF vulnerability --- modules/system/system.admin.inc | 4 ++++ modules/system/system.install | 2 +- modules/update/update.module | 3 ++- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/modules/system/system.admin.inc b/modules/system/system.admin.inc index 315390cf21..23ccb3d9a6 100644 --- a/modules/system/system.admin.inc +++ b/modules/system/system.admin.inc @@ -1744,6 +1744,10 @@ function system_status($check = FALSE) { * Menu callback: run cron manually. */ function system_run_cron() { + if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'run-cron')) { + return MENU_ACCESS_DENIED; + } + // Run cron manually if (drupal_cron_run()) { drupal_set_message(t('Cron ran successfully.')); diff --git a/modules/system/system.install b/modules/system/system.install index 9a4be93960..3d4152ae5e 100644 --- a/modules/system/system.install +++ b/modules/system/system.install 
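Review bot: Casting a NULL `$source->location` to `''` silences the deprecation, but `preg_split()` on an empty string still returns a one-element array holding `''`, so `$locations` becomes `array('', $filepath)` after the append. If the code after this hunk joins the array back into the location column, the stored value would begin with a stray separator. Passing the no-empty flag avoids that: `$locations = preg_split('~\s*;\s*~', (string) $source->location, -1, PREG_SPLIT_NO_EMPTY);`. The body of _locale_parse_js_file() continues outside the hunk.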
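Review bot: The new guard in system_run_cron() carries no comment, and the docblock above it still reads only "Menu callback: run cron manually.", so a later maintainer cannot tell that the `token` query parameter is now mandatory. I would add `// Cron is triggered by a GET request, so require a session token to reject cross-site requests.` above the `if` and mention the parameter in the docblock. Any link to `admin/reports/status/run-cron` that this series does not update will now get access denied; the two callers changed in this patch are visible, others (if any) are not. The function body continues outside the hunk.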
@@ -197,7 +197,7 @@ function system_requirements($phase) { 'title' => $t('Cron maintenance tasks'), 'severity' => $severity, 'value' => $summary, - 'description' => $description .' '. $t('You can run cron manually.', array('@cron' => url('admin/reports/status/run-cron'))), + 'description' => $description .' '. $t('You can run cron manually.', array('@cron' => url('admin/reports/status/run-cron', array('query' => array('token' => drupal_get_token('run-cron')))))), ); } diff --git a/modules/update/update.module b/modules/update/update.module index 7c622b39f7..d27de8eddb 100644 --- a/modules/update/update.module +++ b/modules/update/update.module @@ -322,8 +322,9 @@ function update_form_alter(&$form, $form_state, $form_id) { */ function _update_no_data() { $destination = drupal_get_destination(); + $cron_token = array('token' => drupal_get_token('run-cron')); return t('No information is available about potential new releases for currently installed modules and themes. To check for updates, you may need to run cron or you can check manually. Please note that checking for available updates can take a long time, so please be patient.', array( - '@run_cron' => url('admin/reports/status/run-cron', array('query' => $destination)), + '@run_cron' => url('admin/reports/status/run-cron', array('query' => $cron_token + $destination)), '@check_manually' => url('admin/reports/updates/check', array('query' => $destination)), )); }
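Review bot: The 'description' line in system_requirements() now nests three `array()` calls inside `url()` inside `$t()` on a single line, which makes the security-relevant token argument easy to miss in review. The update.module hunk in the same patch builds the token in a variable first; doing the same here keeps the two call sites parallel, e.g. `$cron_url = url('admin/reports/status/run-cron', array('query' => array('token' => drupal_get_token('run-cron'))));` followed by `array('@cron' => $cron_url)`. The surrounding array and function extend outside the hunk.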
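Review bot: `$cron_token + $destination` in _update_no_data() is only valid if drupal_get_destination() returns an array. The `db_fetch_object()` call in the locale.inc patch suggests this tree is Drupal 6, where that function returns a `destination=...` query string. In that case the array-plus-string union raises an unsupported operand types error and the help text cannot be rendered. If the return value is a string here, build the query as a string too, for example `'query' => 'token=' . drupal_get_token('run-cron') . '&' . $destination`. The unchanged `@check_manually` line passes `$destination` straight to `url()`, which works for either type and so does not settle the question.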