[Pkg-drupal-commits] r1753 - in /branches/drupal-4.7: ./ debian/
includes/ modules/ sites/default/
luigi at users.alioth.debian.org
luigi at users.alioth.debian.org
Tue Jan 30 03:03:33 CET 2007
Author: luigi
Date: Tue Jan 30 03:03:31 2007
New Revision: 1753
URL: http://svn.debian.org/wsvn/pkg-drupal/?sc=1&rev=1753
Log:
Import 4.7.6 source
Modified:
branches/drupal-4.7/.htaccess
branches/drupal-4.7/CHANGELOG.txt
branches/drupal-4.7/debian/changelog
branches/drupal-4.7/includes/common.inc
branches/drupal-4.7/includes/form.inc
branches/drupal-4.7/includes/theme.inc
branches/drupal-4.7/modules/comment.module
branches/drupal-4.7/modules/contact.module
branches/drupal-4.7/modules/filter.module
branches/drupal-4.7/modules/node.module
branches/drupal-4.7/modules/profile.module
branches/drupal-4.7/modules/system.module
branches/drupal-4.7/modules/user.module
branches/drupal-4.7/sites/default/settings.php
Modified: branches/drupal-4.7/.htaccess
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-4.7/.htaccess?rev=1753&op=diff
==============================================================================
--- branches/drupal-4.7/.htaccess (original)
+++ branches/drupal-4.7/.htaccess Tue Jan 30 03:03:31 2007
@@ -42,8 +42,13 @@
php_value session.auto_start 0
</IfModule>
-# Reduce the time dynamically generated pages are cache-able.
+# Requires mod_expires to be enabled.
<IfModule mod_expires.c>
+ # Enable expirations.
+ ExpiresActive On
+ # Cache all files for 2 weeks after access (A).
+ ExpiresDefault A1209600
+ # Do not cache dynamically generated pages.
ExpiresByType text/html A1
</IfModule>
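Review bot: `ExpiresDefault A1209600` applies the two-week lifetime to every response type and the only override is `text/html`, so non-HTML output generated by index.php (feeds, JavaScript callbacks such as the autocomplete endpoint) would, as far as this file shows, be cached by clients for two weeks unless its content type is also listed with `ExpiresByType`. Static CSS/JS/image files fall under the same rule, so edits to them keep being served from client caches until the fortnight elapses unless their URLs change. A line such as `# Note: static assets are cached for two weeks; change their URL when they change, and add ExpiresByType for any dynamic non-HTML type.` would make the trade-off visible to whoever next edits this block.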
@@ -85,4 +90,4 @@
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
</IfModule>
-# $Id: .htaccess,v 1.73.2.1 2007/01/01 17:47:24 killes Exp $
+# $Id: .htaccess,v 1.73.2.2 2007/01/26 00:09:37 killes Exp $
Modified: branches/drupal-4.7/CHANGELOG.txt
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-4.7/CHANGELOG.txt?rev=1753&op=diff
==============================================================================
--- branches/drupal-4.7/CHANGELOG.txt (original)
+++ branches/drupal-4.7/CHANGELOG.txt Tue Jan 30 03:03:31 2007
@@ -1,4 +1,8 @@
-// $Id: CHANGELOG.txt,v 1.117.2.9 2007/01/05 00:22:28 killes Exp $
+// $Id: CHANGELOG.txt,v 1.117.2.11 2007/01/29 21:48:20 killes Exp $
+Drupal 4.7.6, 2007-01-29
+------------------------
+- fixed security issue (code execution), see SA-2007-005
+
Drupal 4.7.5, 2007-01-05
------------------------
- fixed security issue (XSS), see SA-2007-001
@@ -93,6 +97,30 @@
* added support for a tolerant Base URL.
* output URIs relative to the root, without a base tag.
+Drupal 4.6.11, 2007-01-05
+-------------------------
+- fixed security issue (XSS), see SA-2007-001
+- fixed security issue (DoS), see SA-2007-002
+
+Drupal 4.6.10, 2006-10-18
+------------------------
+- fixed security issue (XSS), see SA-2006-024
+- fixed security issue (CSRF), see SA-2006-025
+- fixed security issue (Form action attribute injection), see SA-2006-026
+
+Drupal 4.6.9, 2006-08-02
+------------------------
+- fixed security issue (XSS), see SA-2006-011
+
+Drupal 4.6.8, 2006-06-01
+------------------------
+- fixed critical upload issue, see SA-2006-007
+- fixed taxonomy XSS issue, see SA-2006-008
+
+Drupal 4.6.7, 2006-05-24
+------------------------
+- fixed critical SQL issue, see SA-2006-005
+
Drupal 4.6.6, 2006-03-13
------------------------
- fixed bugs, including 4 security vulnerabilities.
Modified: branches/drupal-4.7/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-4.7/debian/changelog?rev=1753&op=diff
==============================================================================
--- branches/drupal-4.7/debian/changelog (original)
+++ branches/drupal-4.7/debian/changelog Tue Jan 30 03:03:31 2007
@@ -1,3 +1,9 @@
+drupal (4.7.6-1) UNRELEASED; urgency=low
+
+ * (NOT RELEASED YET) New upstream release
+
+ -- Luigi Gangitano <luigi at debian.org> Tue, 30 Jan 2007 03:03:21 +0100
+
drupal (4.7.5-2) UNRELEASED; urgency=low
[ Luigi Gangitano ]
Modified: branches/drupal-4.7/includes/common.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-4.7/includes/common.inc?rev=1753&op=diff
==============================================================================
--- branches/drupal-4.7/includes/common.inc (original)
+++ branches/drupal-4.7/includes/common.inc Tue Jan 30 03:03:31 2007
@@ -1,5 +1,5 @@
<?php
-// $Id: common.inc,v 1.537.2.20 2007/01/01 22:10:37 killes Exp $
+// $Id: common.inc,v 1.537.2.21 2007/01/27 16:18:52 killes Exp $
/**
* @file
@@ -492,11 +492,16 @@
* 1 = Log errors to database and to screen.
*/
function error_handler($errno, $message, $filename, $line) {
+ // If the @ error suppression operator was used, error_reporting is temporarily set to 0
+ if (error_reporting() == 0) {
+ return;
+ }
+
if ($errno & (E_ALL ^ E_NOTICE)) {
$types = array(1 => 'error', 2 => 'warning', 4 => 'parse error', 8 => 'notice', 16 => 'core error', 32 => 'core warning', 64 => 'compile error', 128 => 'compile warning', 256 => 'user error', 512 => 'user warning', 1024 => 'user notice', 2048 => 'strict warning');
$entry = $types[$errno] .': '. $message .' in '. $filename .' on line '. $line .'.';
- // Note: force display of error messages in update.php
+ // Force display of error messages in update.php
if (variable_get('error_level', 1) == 1 || strstr($_SERVER['PHP_SELF'], 'update.php')) {
drupal_set_message($entry, 'error');
}
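Review bot: The new early return drops `@`-suppressed errors completely, including from the logging the rest of the handler performs, and the added comment explains the mechanism but not that consequence; consider `// If the @ error suppression operator was used, error_reporting is temporarily set to 0: such errors are neither displayed nor logged.` The same condition holds when `error_reporting` is set to 0 globally in php.ini, in which case this handler would stop reporting everything, which presumably is not intended; a narrower test such as `if (!(error_reporting() & $errno)) { return; }` limits the effect to errors actually masked, at the cost of also honouring the global mask. The remainder of `error_handler` lies outside the hunk.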
Modified: branches/drupal-4.7/includes/form.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-4.7/includes/form.inc?rev=1753&op=diff
==============================================================================
--- branches/drupal-4.7/includes/form.inc (original)
+++ branches/drupal-4.7/includes/form.inc Tue Jan 30 03:03:31 2007
@@ -1,5 +1,5 @@
<?php
-// $Id: form.inc,v 1.112.2.19 2007/01/01 21:29:27 killes Exp $
+// $Id: form.inc,v 1.112.2.20 2007/01/29 21:39:27 killes Exp $
/**
* @defgroup form Form generation
@@ -682,7 +682,7 @@
else {
$selected = '';
}
- $options .= '<option value="'. $key .'"'. $selected .'>'. check_plain($choice) .'</option>';
+ $options .= '<option value="'. check_plain($key) .'"'. $selected .'>'. check_plain($choice) .'</option>';
}
}
return $options;
@@ -725,7 +725,7 @@
$output = '<input type="radio" ';
$output .= 'name="' . $element['#name'] .'" ';
$output .= 'value="'. $element['#return_value'] .'" ';
- $output .= ($element['#value'] == $element['#return_value']) ? ' checked="checked" ' : ' ';
+ $output .= (check_plain($element['#value']) == $element['#return_value']) ? ' checked="checked" ' : ' ';
$output .= drupal_attributes($element['#attributes']) .' />';
if (!is_null($element['#title'])) {
$output = '<label class="option">'. $output .' '. $element['#title'] .'</label>';
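Review bot: The comparison on the changed line stays loose (`==`), so numeric-looking values that differ as strings still compare equal (`'1' == '01'` and `'10' == '1e1'` both hold in PHP) and a radio with such a return value can render as checked for the wrong option; `check_plain($element['#value']) === (string) $element['#return_value']` compares the escaped strings exactly. Note also that the escaping is applied to the data in `expand_radios` (next hunk, L171) while `value="'. $element['#return_value'] .'"` two lines above this change still emits `#return_value` raw, so a `radio` element built directly rather than through `radios` would, if I read this right, output an unescaped attribute. The enclosing `theme_radio` starts and ends outside the hunk.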
@@ -909,7 +909,7 @@
if (count($element['#options']) > 0) {
foreach ($element['#options'] as $key => $choice) {
if (!isset($element[$key])) {
- $element[$key] = array('#type' => 'radio', '#title' => $choice, '#return_value' => $key, '#default_value' => $element['#default_value'], '#attributes' => $element['#attributes'], '#parents' => $element['#parents'], '#spawned' => TRUE);
+ $element[$key] = array('#type' => 'radio', '#title' => $choice, '#return_value' => check_plain($key), '#default_value' => $element['#default_value'], '#attributes' => $element['#attributes'], '#parents' => $element['#parents'], '#spawned' => TRUE);
}
}
}
Modified: branches/drupal-4.7/includes/theme.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-4.7/includes/theme.inc?rev=1753&op=diff
==============================================================================
--- branches/drupal-4.7/includes/theme.inc (original)
+++ branches/drupal-4.7/includes/theme.inc Tue Jan 30 03:03:31 2007
@@ -1,5 +1,5 @@
<?php
-// $Id: theme.inc,v 1.292.2.7 2006/09/05 10:22:24 killes Exp $
+// $Id: theme.inc,v 1.292.2.8 2007/01/29 21:39:27 killes Exp $
/**
* @file
@@ -626,10 +626,10 @@
if ($title) {
if ($id) {
- $output .= ' <label for="'. form_clean_id($id) .'">'. t('%title: %required', array('%title' => $title, '%required' => $required)) . "</label>\n";
+ $output .= ' <label for="'. form_clean_id($id) .'">'. t('%title: %required', array('%title' => filter_xss_admin($title), '%required' => $required)) . "</label>\n";
}
else {
- $output .= ' <label>'. t('%title: %required', array('%title' => $title, '%required' => $required)) . "</label>\n";
+ $output .= ' <label>'. t('%title: %required', array('%title' => filter_xss_admin($title), '%required' => $required)) . "</label>\n";
}
}
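Review bot: `filter_xss_admin` is a tag whitelist rather than a plain-text escape, so a `#title` containing markup still renders as markup here; that is presumably intended for admin-authored labels, but callers that build titles from non-admin input must `check_plain` them before they reach this function. A comment on the first changed line would state the contract: `// Titles may carry admin-level HTML; callers must check_plain() titles built from user-supplied text.` The enclosing function starts and ends outside the hunk.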
Modified: branches/drupal-4.7/modules/comment.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-4.7/modules/comment.module?rev=1753&op=diff
==============================================================================
--- branches/drupal-4.7/modules/comment.module (original)
+++ branches/drupal-4.7/modules/comment.module Tue Jan 30 03:03:31 2007
@@ -1,5 +1,5 @@
<?php
-// $Id: comment.module,v 1.455.2.14 2007/01/03 21:56:58 killes Exp $
+// $Id: comment.module,v 1.455.2.15 2007/01/29 21:39:27 killes Exp $
/**
* @file
@@ -1367,24 +1367,26 @@
$output = '';
- comment_validate($edit);
- $comment = (object)_comment_form_submit($edit);
-
- // Attach the user and time information.
- if ($edit['author']) {
- $account = user_load(array('name' => $edit['author']));
- }
- elseif ($user->uid && !isset($edit['is_anonymous'])) {
- $account = $user;
- }
- if ($account) {
- $comment->uid = $account->uid;
- $comment->name = check_plain($account->name);
- }
- $comment->timestamp = $edit['timestamp'] ? $edit['timestamp'] : time();
-
- // Preview the comment with security check.
+ // Invoke full validation for the form, to protect against cross site
+ // request forgeries (CSRF) and setting arbitrary values for fields such as
+ // the input format. Preview the comment only when form validation does not
+ // set any errors.
+ drupal_validate_form($form['form_id']['#value'], $form);
if (!form_get_errors()) {
+ $comment = (object)_comment_form_submit($edit);
+
+ // Attach the user and time information.
+ if ($edit['author']) {
+ $account = user_load(array('name' => $edit['author']));
+ }
+ elseif ($user->uid && !isset($edit['is_anonymous'])) {
+ $account = $user;
+ }
+ if ($account) {
+ $comment->uid = $account->uid;
+ $comment->name = check_plain($account->name);
+ }
+ $comment->timestamp = $edit['timestamp'] ? $edit['timestamp'] : time();
$output .= theme('comment_view', $comment);
}
$form['comment_preview'] = array(
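Review bot: `$account` is read at `if ($account)` without having been initialised, so when `$edit['author']` is empty and the visitor is anonymous (or `is_anonymous` is set) the check reads an undefined variable and raises a notice; add `$account = FALSE;` before the `if ($edit['author'])` branch. The same applies to `$edit['author']` and `$edit['timestamp']`, which should be read with `isset()` since a preview submission need not post them. The enclosing function begins before the hunk.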
Modified: branches/drupal-4.7/modules/contact.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-4.7/modules/contact.module?rev=1753&op=diff
==============================================================================
--- branches/drupal-4.7/modules/contact.module (original)
+++ branches/drupal-4.7/modules/contact.module Tue Jan 30 03:03:31 2007
@@ -1,5 +1,5 @@
<?php
-// $Id: contact.module,v 1.51.2.1 2006/10/18 20:14:42 killes Exp $
+// $Id: contact.module,v 1.51.2.2 2007/01/26 13:56:33 killes Exp $
/**
* @file
@@ -469,9 +469,11 @@
'#title' => t('Message'),
'#required' => TRUE,
);
- $form['copy'] = array('#type' => 'checkbox',
- '#title' => t('Send me a copy.'),
- );
+ if ($user->uid) {
+ $form['copy'] = array('#type' => 'checkbox',
+ '#title' => t('Send me a copy.'),
+ );
+ }
$form['submit'] = array('#type' => 'submit',
'#value' => t('Send e-mail'),
);
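Review bot: Hiding the `copy` checkbox from anonymous visitors only changes what the form renders; unless the submit handler (outside this hunk) also ignores a posted `copy` value when `$user->uid` is 0, a request that posts the field directly could still trigger the copy e-mail. The form builder presumably drops fields that are not part of `$form` before `$form_values` is built, but a guard such as `if ($user->uid && $form_values['copy'])` in the submit handler makes the intent explicit and independent of that behaviour. The enclosing function starts outside the hunk.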
Modified: branches/drupal-4.7/modules/filter.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-4.7/modules/filter.module?rev=1753&op=diff
==============================================================================
--- branches/drupal-4.7/modules/filter.module (original)
+++ branches/drupal-4.7/modules/filter.module Tue Jan 30 03:03:31 2007
@@ -1,5 +1,5 @@
<?php
-// $Id: filter.module,v 1.122.2.5 2007/01/04 22:01:17 killes Exp $
+// $Id: filter.module,v 1.122.2.6 2007/01/26 00:11:03 killes Exp $
/**
* @file
@@ -1083,7 +1083,7 @@
$chunk = preg_replace('!(</'. $block .'>)!', "$1\n\n", $chunk); // Space things out a little
$chunk = preg_replace("/\n\n+/", "\n\n", $chunk); // take care of duplicates
$chunk = preg_replace('/\n?(.+?)(?:\n\s*\n|\z)/s', "<p>$1</p>\n", $chunk); // make paragraphs, including one at the end
- $chunk = preg_replace('|<p>\s*?</p>|', '', $chunk); // under certain strange conditions it could create a P of entirely whitespace
+ $chunk = preg_replace('|<p>\s*?</p>\n|', '', $chunk); // under certain strange conditions it could create a P of entirely whitespace
$chunk = preg_replace("|<p>(<li.+?)</p>|", "$1", $chunk); // problem with nested lists
$chunk = preg_replace('|<p><blockquote([^>]*)>|i', "<blockquote$1><p>", $chunk);
$chunk = str_replace('</blockquote></p>', '</p></blockquote>', $chunk);
Modified: branches/drupal-4.7/modules/node.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-4.7/modules/node.module?rev=1753&op=diff
==============================================================================
--- branches/drupal-4.7/modules/node.module (original)
+++ branches/drupal-4.7/modules/node.module Tue Jan 30 03:03:31 2007
@@ -1,5 +1,5 @@
<?php
-// $Id: node.module,v 1.641.2.31 2007/01/04 20:50:02 killes Exp $
+// $Id: node.module,v 1.641.2.32 2007/01/29 21:39:28 killes Exp $
/**
* @file
@@ -1724,6 +1724,10 @@
$op = isset($_POST['op']) ? $_POST['op'] : '';
if ($op == t('Preview')) {
+ // Invoke full validation for the form, to protect against cross site
+ // request forgeries (CSRF) and setting arbitrary values for fields such as
+ // the input format. Preview the node only when form validation does not
+ // set any errors.
drupal_validate_form($form['form_id']['#value'], $form);
if (!form_get_errors()) {
// Because the node preview may display a form, we must render it
Modified: branches/drupal-4.7/modules/profile.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-4.7/modules/profile.module?rev=1753&op=diff
==============================================================================
--- branches/drupal-4.7/modules/profile.module (original)
+++ branches/drupal-4.7/modules/profile.module Tue Jan 30 03:03:31 2007
@@ -1,5 +1,5 @@
<?php
-// $Id: profile.module,v 1.154.2.6 2006/10/22 18:18:22 killes Exp $
+// $Id: profile.module,v 1.154.2.7 2007/01/26 00:29:32 killes Exp $
/**
* @file
@@ -619,6 +619,7 @@
// Use LOWER('%s') instead of PHP's strtolower() to avoid UTF-8 conversion issues.
}
+ $w = 0;
while ($field = db_fetch_object($result)) {
$category = $field->category;
if (!isset($fields[$category])) {
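Review bot: `$w = 0;` is introduced without a comment and every use of it lies outside the hunk, so a reader cannot tell what it counts or why it is now initialised; name the purpose on the line, e.g. `$w = 0; // Running counter used in the loop below; initialised so its first use is not an undefined-variable notice.` — adjusted to whatever it actually tracks, which I cannot see from here. The loop that uses it continues past the hunk.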
Modified: branches/drupal-4.7/modules/system.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-4.7/modules/system.module?rev=1753&op=diff
==============================================================================
--- branches/drupal-4.7/modules/system.module (original)
+++ branches/drupal-4.7/modules/system.module Tue Jan 30 03:03:31 2007
@@ -1,12 +1,12 @@
<?php
-// $Id: system.module,v 1.320.2.19 2007/01/04 22:01:17 killes Exp $
+// $Id: system.module,v 1.320.2.21 2007/01/29 21:39:28 killes Exp $
/**
* @file
* Configuration system that lets administrators modify the workings of the site.
*/
-define('VERSION', '4.7.5');
+define('VERSION', '4.7.6');
/**
* Implementation of hook_help().
Modified: branches/drupal-4.7/modules/user.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-4.7/modules/user.module?rev=1753&op=diff
==============================================================================
--- branches/drupal-4.7/modules/user.module (original)
+++ branches/drupal-4.7/modules/user.module Tue Jan 30 03:03:31 2007
@@ -1,5 +1,5 @@
<?php
-// $Id: user.module,v 1.612.2.26 2007/01/01 18:25:17 killes Exp $
+// $Id: user.module,v 1.612.2.28 2007/01/29 19:37:48 killes Exp $
/**
* @file
@@ -1764,9 +1764,11 @@
}
// Compile role array:
- $roles = array();
+ // Add a comma at the end so when searching for a permission, we can
+ // always search for "$perm," to make sure we do not confuse
+ // permissions that are substrings of each other.
while ($role = db_fetch_object($result)) {
- $role_permissions[$role->rid] = $role->perm;
+ $role_permissions[$role->rid] = $role->perm .',';
}
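Review bot: Anchoring the lookup on a trailing comma (here, and in `strpos($role_permissions[$rid], $perm .',')` at L380) rules out a permission being a prefix of another, but a permission that is a suffix of another — `x` inside `administer x` — still matches, assuming the stored entries are joined with `', '` as the comma-suffix approach implies. Comparing whole entries closes both directions: `in_array($perm, array_map('trim', explode(',', $role_permissions[$rid])), TRUE)` at the lookup, which also removes the need for the appended comma and the three-line comment explaining it. The enclosing function begins before the hunk.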
if($rids) {
@@ -1791,7 +1793,7 @@
$form['permission'][$perm] = array('#type' => 'markup', '#value' => t($perm));
foreach ($role_names as $rid => $name) {
// Builds arrays for checked boxes for each role
- if (strstr($role_permissions[$rid], $perm)) {
+ if (strpos($role_permissions[$rid], $perm .',') !== FALSE) {
$status[$rid][] = $perm;
}
}
@@ -2150,9 +2152,11 @@
*/
function user_autocomplete($string) {
$matches = array();
- $result = db_query_range("SELECT name FROM {users} WHERE LOWER(name) LIKE LOWER('%s%%')", $string, 0, 10);
- while ($user = db_fetch_object($result)) {
- $matches[$user->name] = check_plain($user->name);
+ if ($string) {
+ $result = db_query_range("SELECT name FROM {users} WHERE LOWER(name) LIKE LOWER('%s%%')", $string, 0, 10);
+ while ($user = db_fetch_object($result)) {
+ $matches[$user->name] = check_plain($user->name);
+ }
}
print drupal_to_js($matches);
exit();
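Review bot: `if ($string)` tests truthiness, so a prefix of `'0'` is treated as empty and accounts whose name starts with 0 can never be autocompleted; `if ($string !== '')` is the intended check. Separately, the `%s` placeholder escapes quotes but not the LIKE metacharacters `%` and `_`, so a one-character prefix such as `%` still matches every account and the range merely caps the reply at 10 names; escaping those characters before the query (e.g. `addcslashes($string, '%_')`, bearing in mind the escape character is database-dependent) keeps the lookup to a genuine prefix match. `user_autocomplete` continues past the hunk.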
Modified: branches/drupal-4.7/sites/default/settings.php
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-4.7/sites/default/settings.php?rev=1753&op=diff
==============================================================================
--- branches/drupal-4.7/sites/default/settings.php (original)
+++ branches/drupal-4.7/sites/default/settings.php Tue Jan 30 03:03:31 2007
@@ -1,5 +1,5 @@
<?php
-// $Id: settings.php,v 1.27 2006/04/24 19:25:37 dries Exp $
+// $Id: settings.php,v 1.27.2.2 2007/01/14 14:17:53 killes Exp $
/**
* @file
@@ -131,6 +131,19 @@
ini_set('url_rewriter.tags', '');
/**
+ * We try to set the correct cookie domain. If you are experiencing problems
+ * try commenting out the code below or specifying the cookie domain by hand.
+ */
+if (isset($_SERVER['HTTP_HOST'])) {
+ $domain = '.'. preg_replace('`^www.`', '', $_SERVER['HTTP_HOST']);
+ // Per RFC 2109, cookie domains must contain at least one dot other than the
+ // first. For hosts such as 'localhost', we don't set a cookie domain.
+ if (count(explode('.', $domain)) > 2) {
+ ini_set('session.cookie_domain', $domain);
+ }
+}
+
+/**
* Variable overrides:
*
* To override specific entries in the 'variable' table for this site,
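Review bot: The `www.` strip uses an unescaped dot, so `^www.` also matches hosts such as `wwwx.example.com` (removing their first four characters) and should be `^www\.`; and `HTTP_HOST` may carry a port, so `example.com:8080` becomes the cookie domain `.example.com:8080`, which browsers reject, leaving the site without a working session on non-default ports. A numeric host such as `192.168.0.1` passes the label-count test and likewise yields a `Domain` attribute browsers refuse. Since the value comes from the client's Host header rather than from configuration, the block only behaves predictably when the web server restricts virtual hosts to known names; the docblock should say so. Suggested rewrite of the block:
```php
if (isset($_SERVER['HTTP_HOST'])) {
  // Drop any port suffix; a cookie Domain attribute must not carry one.
  $host = preg_replace('`:\d+$`', '', $_SERVER['HTTP_HOST']);
  $domain = '.'. preg_replace('`^www\.`', '', $host);
  // Skip single-label hosts and IPv4 literals, for which browsers reject a Domain attribute.
  if (count(explode('.', $domain)) > 2 && !preg_match('`^[0-9.]+$`', $host)) {
    ini_set('session.cookie_domain', $domain);
  }
}
```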