[Pkg-drupal-commits] r1960 - in /branches/upstream/current-5: ./ includes/ modules/aggregator/ modules/block/ modules/blog/ modules/blogapi/ modules/book/ modules/color/ modules/comment/ modules/contact/ modules/drupal/ modules/filter/ modules/forum/ modules/help/ modules/legacy/ modules/locale/ modules/menu/ modules/node/ modules/path/ modules/ping/ modules/poll/ modules/profile/ modules/search/ modules/statistics/ modules/system/ modules/taxonomy/ modules/throttle/ modules/tracker/ modules/upload/ modules/user/ modules/watchdog/

[luigi at users.alioth.debian.org]

Author: luigi
Date: Sun Nov 30 23:08:16 2008
New Revision: 1960

URL: http://svn.debian.org/wsvn/pkg-drupal/?sc=1&rev=1960
Log:
[svn-upgrade] Integrating new upstream version, drupal5 (5.12)

Modified:
    branches/upstream/current-5/CHANGELOG.txt
    branches/upstream/current-5/includes/bootstrap.inc
    branches/upstream/current-5/includes/database.mysql.inc
    branches/upstream/current-5/includes/database.mysqli.inc
    branches/upstream/current-5/includes/database.pgsql.inc
    branches/upstream/current-5/includes/file.inc
    branches/upstream/current-5/includes/form.inc
    branches/upstream/current-5/includes/install.inc
    branches/upstream/current-5/includes/theme.inc
    branches/upstream/current-5/includes/xmlrpc.inc
    branches/upstream/current-5/modules/aggregator/aggregator.info
    branches/upstream/current-5/modules/block/block.info
    branches/upstream/current-5/modules/blog/blog.info
    branches/upstream/current-5/modules/blogapi/blogapi.info
    branches/upstream/current-5/modules/blogapi/blogapi.install
    branches/upstream/current-5/modules/blogapi/blogapi.module
    branches/upstream/current-5/modules/book/book.info
    branches/upstream/current-5/modules/color/color.info
    branches/upstream/current-5/modules/comment/comment.info
    branches/upstream/current-5/modules/contact/contact.info
    branches/upstream/current-5/modules/contact/contact.module
    branches/upstream/current-5/modules/drupal/drupal.info
    branches/upstream/current-5/modules/filter/filter.info
    branches/upstream/current-5/modules/filter/filter.module
    branches/upstream/current-5/modules/forum/forum.info
    branches/upstream/current-5/modules/help/help.info
    branches/upstream/current-5/modules/legacy/legacy.info
    branches/upstream/current-5/modules/locale/locale.info
    branches/upstream/current-5/modules/menu/menu.info
    branches/upstream/current-5/modules/node/node.info
    branches/upstream/current-5/modules/node/node.module
    branches/upstream/current-5/modules/path/path.info
    branches/upstream/current-5/modules/ping/ping.info
    branches/upstream/current-5/modules/poll/poll.info
    branches/upstream/current-5/modules/poll/poll.module
    branches/upstream/current-5/modules/profile/profile.info
    branches/upstream/current-5/modules/search/search.info
    branches/upstream/current-5/modules/statistics/statistics.info
    branches/upstream/current-5/modules/system/system.info
    branches/upstream/current-5/modules/system/system.module
    branches/upstream/current-5/modules/taxonomy/taxonomy.info
    branches/upstream/current-5/modules/throttle/throttle.info
    branches/upstream/current-5/modules/tracker/tracker.info
    branches/upstream/current-5/modules/upload/upload.info
    branches/upstream/current-5/modules/upload/upload.module
    branches/upstream/current-5/modules/user/user.info
    branches/upstream/current-5/modules/user/user.module
    branches/upstream/current-5/modules/watchdog/watchdog.info

Modified: branches/upstream/current-5/CHANGELOG.txt
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/CHANGELOG.txt?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/CHANGELOG.txt (original)
+++ branches/upstream/current-5/CHANGELOG.txt Sun Nov 30 23:08:16 2008
@@ -1,4 +1,15 @@
-// $Id: CHANGELOG.txt,v 1.173.2.25 2008/08/13 23:59:09 drumm Exp $
+// $Id: CHANGELOG.txt,v 1.173.2.29 2008/10/22 19:25:27 drumm Exp $
+
+Drupal 5.12, 2008-10-22
+-----------------------
+- fixed security issues, (File inclusion), see SA-2008-067
+
+
+Drupal 5.11, 2008-10-08
+-----------------------
+- fixed a variety of small bugs.
+- fixed security issues, (File upload access bypass, Access rules bypass,
+  BlogAPI access bypass, Node validation bypass), see SA-2008-060
 
 Drupal 5.10, 2008-08-13
 -----------------------

Modified: branches/upstream/current-5/includes/bootstrap.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/includes/bootstrap.inc?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/includes/bootstrap.inc (original)
+++ branches/upstream/current-5/includes/bootstrap.inc Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
 <?php
-// $Id: bootstrap.inc,v 1.145.2.8 2008/01/10 22:14:24 drumm Exp $
+// $Id: bootstrap.inc,v 1.145.2.10 2008/10/22 19:25:28 drumm Exp $
 
 /**
  * @file
@@ -201,6 +201,11 @@
 
   $confdir = 'sites';
   $uri = explode('/', $_SERVER['SCRIPT_NAME'] ? $_SERVER['SCRIPT_NAME'] : $_SERVER['SCRIPT_FILENAME']);
+  if (strpos($_SERVER['HTTP_HOST'], '/') !== FALSE) {
+    // A HTTP_HOST containing slashes may be an attack and is invalid.
+    header('HTTP/1.1 400 Bad Request');
+    exit;
+  }
   $server = explode('.', implode('.', array_reverse(explode(':', rtrim($_SERVER['HTTP_HOST'], '.')))));
   for ($i = count($uri) - 1; $i > 0; $i--) {
     for ($j = count($server); $j > 0; $j--) {
@@ -289,6 +294,15 @@
     if (!empty($_SERVER['HTTP_HOST'])) {
       $cookie_domain = check_plain($_SERVER['HTTP_HOST']);
     }
+  }
+  // To prevent session cookies from being hijacked, a user can configure the
+  // SSL version of their website to only transfer session cookies via SSL by
+  // using PHP's session.cookie_secure setting. The browser will then use two
+  // separate session cookies for the HTTPS and HTTP versions of the site. So we
+  // must use different session identifiers for HTTPS and HTTP to prevent a
+  // cookie collision.
+  if (ini_get('session.cookie_secure')) {
+    $session_name .= 'SSL';
   }
   // Strip leading periods, www., and port numbers from cookie domain.
   $cookie_domain = ltrim($cookie_domain, '.');

Modified: branches/upstream/current-5/includes/database.mysql.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/includes/database.mysql.inc?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/includes/database.mysql.inc (original)
+++ branches/upstream/current-5/includes/database.mysql.inc Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
 <?php
-// $Id: database.mysql.inc,v 1.66.2.2 2007/10/19 21:49:26 drumm Exp $
+// $Id: database.mysql.inc,v 1.66.2.3 2008/09/15 06:14:52 drumm Exp $
 
 /**
  * @file
@@ -63,6 +63,7 @@
       install_goto('install.php');
     }
     drupal_maintenance_theme();
+    drupal_set_header('HTTP/1.1 503 Service Unavailable');
     drupal_set_title('PHP MySQL support not enabled');
     print theme('maintenance_page', '<p>We were unable to use the MySQL database because the MySQL extension for PHP is not installed. Check your <code>PHP.ini</code> to see how you can enable it.</p>
 <p>For more help, see the <a href="http://drupal.org/node/258">Installation and upgrading handbook</a>. If you are unsure what these terms mean you should probably contact your hosting provider.</p>');
@@ -119,6 +120,7 @@
 
   if (!mysql_select_db(substr($url['path'], 1))) {
     drupal_maintenance_theme();
+    drupal_set_header('HTTP/1.1 503 Service Unavailable');
     drupal_set_title('Unable to select database');
     print theme('maintenance_page', '<p>We were able to connect to the MySQL database server (which means your username and password are okay) but not able to select the database.</p>
 <p>The MySQL error was: '. theme('placeholder', mysql_error($connection)) .'.</p>

Modified: branches/upstream/current-5/includes/database.mysqli.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/includes/database.mysqli.inc?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/includes/database.mysqli.inc (original)
+++ branches/upstream/current-5/includes/database.mysqli.inc Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
 <?php
-// $Id: database.mysqli.inc,v 1.32.2.4 2008/07/16 18:55:38 drumm Exp $
+// $Id: database.mysqli.inc,v 1.32.2.5 2008/09/15 06:14:52 drumm Exp $
 
 /**
  * @file
@@ -56,6 +56,7 @@
   // Check if MySQLi support is present in PHP
   if (!function_exists('mysqli_init') && !extension_loaded('mysqli')) {
     drupal_maintenance_theme();
+    drupal_set_header('HTTP/1.1 503 Service Unavailable');
     drupal_set_title('PHP MySQLi support not enabled');
     print theme('maintenance_page', '<p>We were unable to use the MySQLi database because the MySQLi extension for PHP is not installed. Check your <code>PHP.ini</code> to see how you can enable it.</p>
 <p>For more help, see the <a href="http://drupal.org/node/258">Installation and upgrading handbook</a>. If you are unsure what these terms mean you should probably contact your hosting provider.</p>');
@@ -102,6 +103,7 @@
   }
   else if (mysqli_connect_errno() > 0) {
     drupal_maintenance_theme();
+    drupal_set_header('HTTP/1.1 503 Service Unavailable');
     drupal_set_title('Unable to select database');
     print theme('maintenance_page', '<p>We were able to connect to the MySQL database server (which means your username and password are okay) but not able to select the database.</p>
 <p>The MySQL error was: '. theme('placeholder', mysqli_connect_error($connection)) .'.</p>

Modified: branches/upstream/current-5/includes/database.pgsql.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/includes/database.pgsql.inc?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/includes/database.pgsql.inc (original)
+++ branches/upstream/current-5/includes/database.pgsql.inc Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
 <?php
-// $Id: database.pgsql.inc,v 1.43.2.2 2008/07/16 19:12:52 drumm Exp $
+// $Id: database.pgsql.inc,v 1.43.2.3 2008/09/15 06:14:52 drumm Exp $
 
 /**
  * @file
@@ -54,6 +54,7 @@
    // Check if MySQL support is present in PHP
   if (!function_exists('pg_connect')) {
     drupal_maintenance_theme();
+    drupal_set_header('HTTP/1.1 503 Service Unavailable');
     drupal_set_title('PHP PostgreSQL support not enabled');
     print theme('maintenance_page', '<p>We were unable to use the PostgreSQL database because the PostgreSQL extension for PHP is not installed. Check your <code>PHP.ini</code> to see how you can enable it.</p>
 <p>For more help, see the <a href="http://drupal.org/node/258">Installation and upgrading handbook</a>. If you are unsure what these terms mean you should probably contact your hosting provider.</p>');

Modified: branches/upstream/current-5/includes/file.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/includes/file.inc?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/includes/file.inc (original)
+++ branches/upstream/current-5/includes/file.inc Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
 <?php
-// $Id: file.inc,v 1.90.2.5 2008/08/13 23:59:09 drumm Exp $
+// $Id: file.inc,v 1.90.2.6 2008/09/15 06:23:52 drumm Exp $
 
 /**
  * @file
@@ -641,7 +641,7 @@
   $files = array();
 
   if (is_dir($dir) && $handle = opendir($dir)) {
-    while ($file = readdir($handle)) {
+    while (FALSE !== ($file = readdir($handle))) {
       if (!in_array($file, $nomask) && $file[0] != '.') {
         if (is_dir("$dir/$file") && $recurse) {
           $files = array_merge($files, file_scan_directory("$dir/$file", $mask, $nomask, $callback, $recurse, $key, $min_depth, $depth + 1));

Modified: branches/upstream/current-5/includes/form.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/includes/form.inc?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/includes/form.inc (original)
+++ branches/upstream/current-5/includes/form.inc Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
 <?php
-// $Id: form.inc,v 1.174.2.14 2008/08/04 04:00:24 drumm Exp $
+// $Id: form.inc,v 1.174.2.15 2008/09/15 06:03:17 drumm Exp $
 
 /**
  * @defgroup form Form generation
@@ -1538,7 +1538,11 @@
  *   A string representing the form element.
  */
 function theme_form_element($element, $value) {
-  $output  = '<div class="form-item">'."\n";
+  $output  = '<div class="form-item"';
+  if (!empty($element['#id'])) {
+    $output .= ' id="'. $element['#id'] .'-wrapper"';
+  }
+  $output .= ">\n";
   $required = !empty($element['#required']) ? '<span class="form-required" title="'. t('This field is required.') .'">*</span>' : '';
 
   if (!empty($element['#title'])) {

Modified: branches/upstream/current-5/includes/install.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/includes/install.inc?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/includes/install.inc (original)
+++ branches/upstream/current-5/includes/install.inc Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
 <?php
-// $Id: install.inc,v 1.31.2.2 2007/10/06 22:38:28 drumm Exp $
+// $Id: install.inc,v 1.31.2.4 2008/10/05 01:46:57 drumm Exp $
 
 define('SCHEMA_UNINSTALLED', -1);
 define('SCHEMA_INSTALLED', 0);
@@ -33,8 +33,8 @@
  * @param $module
  *   A module name.
  * @return
- *   If the module has updates, an array of available updates. Otherwise,
- *   FALSE.
+ *   If the module has updates, an array of available updates sorted by version.
+ *   Otherwise, FALSE.
  */
 function drupal_get_schema_versions($module) {
   $updates = array();
@@ -50,6 +50,7 @@
   if (count($updates) == 0) {
     return FALSE;
   }
+  sort($updates, SORT_NUMERIC);
   return $updates;
 }
 
@@ -243,7 +244,7 @@
 function drupal_get_install_files($module_list = array()) {
   $installs = array();
   foreach ($module_list as $module) {
-    $installs = array_merge($installs, file_scan_directory('./modules', "^$module.install$", array('.', '..', 'CVS'), 0, TRUE, 'name', 0));
+    $installs = array_merge($installs, drupal_system_listing($module .'.install$', 'modules'));
   }
   return $installs;
 }
@@ -677,6 +678,7 @@
  */
 function drupal_check_profile($profile) {
   include_once './includes/file.inc';
+  include_once './includes/common.inc';
 
   $profile_file = "./profiles/$profile/$profile.profile";
 

Modified: branches/upstream/current-5/includes/theme.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/includes/theme.inc?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/includes/theme.inc (original)
+++ branches/upstream/current-5/includes/theme.inc Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
 <?php
-// $Id: theme.inc,v 1.337.2.5 2008/07/09 21:48:41 drumm Exp $
+// $Id: theme.inc,v 1.337.2.6 2008/10/01 22:48:47 drumm Exp $
 
 /**
  * @file
@@ -8,7 +8,7 @@
  * The theme system allows for nearly all output of the Drupal system to be
  * customized by user themes.
  *
- * @see <a href="http://drupal.org/node/253">Theme system</a>
+ * @see <a href="http://drupal.org/node/171179">Theme guide</a>
  * @see themeable
  */
 

Modified: branches/upstream/current-5/includes/xmlrpc.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/includes/xmlrpc.inc?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/includes/xmlrpc.inc (original)
+++ branches/upstream/current-5/includes/xmlrpc.inc Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
 <?php
-// $Id: xmlrpc.inc,v 1.38.2.4 2008/08/13 18:01:53 drumm Exp $
+// $Id: xmlrpc.inc,v 1.38.2.5 2008/10/01 22:01:17 drumm Exp $
 
 /*
   Drupal XML-RPC library. Based on the IXR - The Incutio XML-RPC Library - (c) Incutio Ltd 2002-2005
@@ -343,13 +343,16 @@
 }
 
 
-function xmlrpc_error($code = NULL, $message = NULL) {
+function xmlrpc_error($code = NULL, $message = NULL, $reset = FALSE) {
   static $xmlrpc_error;
   if (isset($code)) {
     $xmlrpc_error = new stdClass();
     $xmlrpc_error->is_error = TRUE;
     $xmlrpc_error->code = $code;
     $xmlrpc_error->message = $message;
+  }
+  elseif ($reset) {
+    $xmlrpc_error = NULL;
   }
   return $xmlrpc_error;
 }
@@ -427,6 +430,7 @@
 function _xmlrpc() {
   $args = func_get_args();
   $url = array_shift($args);
+  xmlrpc_clear_error();
   if (is_array($args[0])) {
     $method = 'system.multicall';
     $multicall_args = array();
@@ -475,3 +479,10 @@
   $error = xmlrpc_error();
   return $error->message;
 }
+
+/**
+ * Clears any previous error.
+ */
+function xmlrpc_clear_error() {
+  xmlrpc_error(NULL, NULL, TRUE);
+}

Modified: branches/upstream/current-5/modules/aggregator/aggregator.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/aggregator/aggregator.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/aggregator/aggregator.info (original)
+++ branches/upstream/current-5/modules/aggregator/aggregator.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/block/block.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/block/block.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/block/block.info (original)
+++ branches/upstream/current-5/modules/block/block.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - required
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/blog/blog.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/blog/blog.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/blog/blog.info (original)
+++ branches/upstream/current-5/modules/blog/blog.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/blogapi/blogapi.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/blogapi/blogapi.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/blogapi/blogapi.info (original)
+++ branches/upstream/current-5/modules/blogapi/blogapi.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/blogapi/blogapi.install
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/blogapi/blogapi.install?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/blogapi/blogapi.install (original)
+++ branches/upstream/current-5/modules/blogapi/blogapi.install Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
 <?php
-// $Id: blogapi.install,v 1.2.2.2 2008/08/13 23:59:09 drumm Exp $
+// $Id: blogapi.install,v 1.2.2.3 2008/08/27 13:25:13 drumm Exp $
 
 /**
  * Implementation of hook_install().
@@ -22,7 +22,7 @@
     case 'pgsql':
       db_query("CREATE TABLE {blogapi_files} (
         fid serial,
-        filename varchar(255) NOT NULL default '',
+        uid int_unsigned NOT NULL default 0,
         filepath varchar(255) NOT NULL default '',
         filesize int_unsigned NOT NULL default 0,
         PRIMARY KEY (fid)
@@ -70,7 +70,7 @@
     case 'pgsql':
       $ret[] = update_sql("CREATE TABLE {blogapi_files} (
         fid serial,
-        filename varchar(255) NOT NULL default '',
+        uid int_unsigned NOT NULL default 0,
         filepath varchar(255) NOT NULL default '',
         filesize int_unsigned NOT NULL default 0,
         PRIMARY KEY (fid)

Modified: branches/upstream/current-5/modules/blogapi/blogapi.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/blogapi/blogapi.module?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/blogapi/blogapi.module (original)
+++ branches/upstream/current-5/modules/blogapi/blogapi.module Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
 <?php
-// $Id: blogapi.module,v 1.100.2.5 2008/08/13 23:59:09 drumm Exp $
+// $Id: blogapi.module,v 1.100.2.6 2008/10/08 20:10:25 drumm Exp $
 
 /**
  * @file
@@ -217,6 +217,11 @@
 
   node_invoke_nodeapi($edit, 'blogapi new');
 
+  $valid = blogapi_status_error_check($edit, $publish);
+  if ($valid !== TRUE) {
+    return $valid;
+  }
+
   node_validate($edit);
   if ($errors = form_get_errors()) {
     return blogapi_error(implode("\n", $errors));
@@ -254,7 +259,8 @@
   if (!node_access('update', $node)) {
     return blogapi_error(t('You do not have permission to update this post.'));
   }
-
+  // Save the original status for validation of permissions.
+  $original_status = $node->status;
   $node->status = $publish;
 
   // check for bloggerAPI vs. metaWeblogAPI
@@ -270,6 +276,11 @@
 
   node_invoke_nodeapi($node, 'blogapi edit');
 
+  $valid = blogapi_status_error_check($node, $original_status);
+  if ($valid !== TRUE) {
+    return $valid;
+  }
+
   node_validate($node);
   if ($errors = form_get_errors()) {
     return blogapi_error(implode("\n", $errors));
@@ -301,6 +312,33 @@
 
   return _blogapi_get_post($node, TRUE);
 }
+
+/**
+ * Check that the user has permission to save the node with the chosen status.
+ *
+ * @return
+ *   TRUE if no error, or the blogapi_error().
+ */
+function blogapi_status_error_check($node, $original_status) {
+  
+  $node = (object) $node;
+
+  $node_type_default = variable_get('node_options_'. $node->type, array('status', 'promote'));
+
+  // If we don't have the 'administer nodes' permission and the status is
+  // changing or for a new node the status is not the content type's default,
+  // then return an error.
+  if (!user_access('administer nodes') && (($node->status != $original_status) || (empty($node->nid) && $node->status != in_array('status', $node_type_default)))) {
+    if ($node->status) {
+      return blogapi_error(t('You do not have permission to publish this type of post. Please save it as a draft instead.'));
+    }
+    else {
+      return blogapi_error(t('You do not have permission to save this post as a draft. Please publish it instead.'));
+    }
+  }
+  return TRUE;
+}
+
 
 /**
  * Blogging API callback. Removes the specified blog node.
@@ -492,7 +530,56 @@
   foreach ($categories as $category) {
     $node->taxonomy[] = $category['categoryId'];
   }
+  $validated = blogapi_mt_validate_terms($node);
+  if ($validated !== TRUE) {
+    return $validated;
+  }
   node_save($node);
+  return TRUE;
+}
+
+/**
+ * Blogging API helper - find allowed taxonomy terms for a node type.
+ */
+function blogapi_mt_validate_terms($node) {
+  // We do a lot of heavy lifting here since taxonomy module doesn't have a
+  // stand-alone validation function.
+  if (module_exists('taxonomy')) {
+    $found_terms = array();
+    if (!empty($node->taxonomy)) {
+      $term_list = array_unique($node->taxonomy);
+      $placeholders = implode(', ', array_fill(0, count($term_list), '%d'));
+      $params = $term_list;
+      $params[] = $node->type;
+      $result = db_query(db_rewrite_sql("SELECT t.tid, t.vid FROM {term_data} t INNER JOIN {vocabulary_node_types} n ON t.vid = n.vid WHERE t.tid IN (". $placeholders .") AND n.type = '%s'", 't', 'tid'), $params);
+      $found_terms = array();
+      $found_count = 0;
+      while ($term = db_fetch_object($result)) {
+        $found_terms[$term->vid][$term->tid] = $term->tid;
+        $found_count++;
+      }
+      // If the counts don't match, some terms are invalid or not accessible to this user.
+      if (count($term_list) != $found_count) {
+        return blogapi_error(t('Invalid categories submitted.'));
+      }
+    }
+    // Look up all the vocabularies for this node type.
+    $result2 = db_query(db_rewrite_sql("SELECT v.vid, v.name, v.required, v.multiple FROM {vocabulary} v INNER JOIN {vocabulary_node_types} n ON v.vid = n.vid WHERE n.type = '%s'", 'v', 'vid'), $node->type);
+    // Check each vocabulary associated with this node type.
+    while ($vocabulary = db_fetch_object($result2)) {
+      // Required vocabularies must have at least one term.
+      if ($vocabulary->required && empty($found_terms[$vocabulary->vid])) {
+        return blogapi_error(t('A category from the @vocabulary_name vocabulary is required.', array('@vocabulary_name' => $vocabulary->name)));
+      }
+      // Vocabularies that don't allow multiple terms may have at most one.
+      if (!($vocabulary->multiple) && (isset($found_terms[$vocabulary->vid]) && count($found_terms[$vocabulary->vid]) > 1)) {
+        return blogapi_error(t('You may only choose one category from the @vocabulary_name vocabulary.'), array('@vocabulary_name' => $vocabulary->name));
+      }
+    }
+  }
+  elseif (!empty($node->taxonomy)) {
+    return blogapi_error(t('Error saving categories. This feature is not available.'));
+  }
   return TRUE;
 }
 
@@ -527,11 +614,16 @@
     return blogapi_error(t('Invalid post.'));
   }
 
+  // Nothing needs to be done if already published.
+  if ($node->status) {
+    return;
+  }
+
+  if (!node_access('update', $node) || !user_access('administer nodes')) {
+    return blogapi_error(t('You do not have permission to update this post.'));
+  }
+
   $node->status = 1;
-  if (!node_access('update', $node)) {
-    return blogapi_error(t('You do not have permission to update this post.'));
-  }
-
   node_save($node);
 
   return TRUE;

Modified: branches/upstream/current-5/modules/book/book.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/book/book.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/book/book.info (original)
+++ branches/upstream/current-5/modules/book/book.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/color/color.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/color/color.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/color/color.info (original)
+++ branches/upstream/current-5/modules/color/color.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/comment/comment.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/comment/comment.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/comment/comment.info (original)
+++ branches/upstream/current-5/modules/comment/comment.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/contact/contact.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/contact/contact.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/contact/contact.info (original)
+++ branches/upstream/current-5/modules/contact/contact.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/contact/contact.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/contact/contact.module?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/contact/contact.module (original)
+++ branches/upstream/current-5/modules/contact/contact.module Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
 <?php
-// $Id: contact.module,v 1.74.2.1 2007/06/05 07:18:05 drumm Exp $
+// $Id: contact.module,v 1.74.2.2 2008/09/15 06:19:06 drumm Exp $
 
 /**
  * @file
@@ -27,7 +27,7 @@
         $menu_note = '';
       }
       $output .= '<p>'. t('The contact module also adds a <a href="@menu-settings">menu item</a> (disabled by default) to the navigation block.', array('@menu-settings' => url('admin/build/menu'))) .' '. $menu_note .'</p>';
-      return($output);
+      return $output;
   }
 }
 
@@ -227,7 +227,7 @@
     db_query('UPDATE {contact} SET selected = 0');
   }
   $recipients = explode(',', $form_values['recipients']);
-  foreach ($recipients as $key=>$recipient) {
+  foreach ($recipients as $key => $recipient) {
     // E-mail address validation has already been done in _validate.
     $recipients[$key] = trim($recipient);
   }
@@ -547,6 +547,6 @@
   drupal_set_message(t('Your message has been sent.'));
 
   // Jump to home page rather than back to contact page to avoid contradictory messages if flood control has been activated.
-  return('');
-}
-
+  return '';
+}
+

Modified: branches/upstream/current-5/modules/drupal/drupal.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/drupal/drupal.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/drupal/drupal.info (original)
+++ branches/upstream/current-5/modules/drupal/drupal.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/filter/filter.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/filter/filter.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/filter/filter.info (original)
+++ branches/upstream/current-5/modules/filter/filter.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - required
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/filter/filter.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/filter/filter.module?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/filter/filter.module (original)
+++ branches/upstream/current-5/modules/filter/filter.module Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
 <?php
-// $Id: filter.module,v 1.160.2.9 2008/08/13 23:59:09 drumm Exp $
+// $Id: filter.module,v 1.160.2.10 2008/09/17 19:14:19 drumm Exp $
 
 /**
  * @file
@@ -1244,7 +1244,7 @@
  * for scripts and styles.
  */
 function filter_xss_admin($string) {
-  return filter_xss($string, array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'div', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'img', 'ins', 'kbd', 'li', 'ol', 'p', 'param', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var'));
+  return filter_xss($string, array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'div', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'img', 'ins', 'kbd', 'li', 'ol', 'p', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var'));
 }
 
 /**

Modified: branches/upstream/current-5/modules/forum/forum.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/forum/forum.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/forum/forum.info (original)
+++ branches/upstream/current-5/modules/forum/forum.info Sun Nov 30 23:08:16 2008
@@ -5,8 +5,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/help/help.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/help/help.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/help/help.info (original)
+++ branches/upstream/current-5/modules/help/help.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/legacy/legacy.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/legacy/legacy.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/legacy/legacy.info (original)
+++ branches/upstream/current-5/modules/legacy/legacy.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/locale/locale.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/locale/locale.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/locale/locale.info (original)
+++ branches/upstream/current-5/modules/locale/locale.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/menu/menu.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/menu/menu.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/menu/menu.info (original)
+++ branches/upstream/current-5/modules/menu/menu.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/node/node.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/node/node.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/node/node.info (original)
+++ branches/upstream/current-5/modules/node/node.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - required
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/node/node.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/node/node.module?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/node/node.module (original)
+++ branches/upstream/current-5/modules/node/node.module Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
 <?php
-// $Id: node.module,v 1.776.2.30 2008/07/16 19:04:21 drumm Exp $
+// $Id: node.module,v 1.776.2.31 2008/10/08 20:10:26 drumm Exp $
 
 /**
  * @file
@@ -2165,6 +2165,14 @@
     $form['delete'] = array('#type' => 'button', '#value' => t('Delete'), '#weight' => 50);
   }
   $form['#after_build'] = array('node_form_add_preview');
+  // Ensure that node_validate() will always get called.
+  $form['#validate']['node_form_validate'] = array();
+  // Also, if the module defines its own _validate() routine based on the
+  // form_id, include that in the #validate array, as well.
+  $node_validate = $node->type .'_node_form_validate';
+  if (function_exists($node_validate)) {
+    $form['#validate'][$node_validate] = array();
+  }
   $form['#base'] = 'node_form';
   return $form;
 }

Modified: branches/upstream/current-5/modules/path/path.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/path/path.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/path/path.info (original)
+++ branches/upstream/current-5/modules/path/path.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/ping/ping.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/ping/ping.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/ping/ping.info (original)
+++ branches/upstream/current-5/modules/ping/ping.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/poll/poll.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/poll/poll.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/poll/poll.info (original)
+++ branches/upstream/current-5/modules/poll/poll.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/poll/poll.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/poll/poll.module?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/poll/poll.module (original)
+++ branches/upstream/current-5/modules/poll/poll.module Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
 <?php
-// $Id: poll.module,v 1.222.2.4 2007/12/27 08:26:00 drumm Exp $
+// $Id: poll.module,v 1.222.2.5 2008/10/05 00:51:40 drumm Exp $
 
 /**
  * @file
@@ -284,15 +284,15 @@
 function poll_load($node) {
   global $user;
 
-  // Load the appropriate choices into the $node object
   $poll = db_fetch_object(db_query("SELECT runtime, active FROM {poll} WHERE nid = %d", $node->nid));
 
+  // Load the appropriate choices into the $poll object.
   $result = db_query("SELECT chtext, chvotes, chorder FROM {poll_choices} WHERE nid = %d ORDER BY chorder", $node->nid);
   while ($choice = db_fetch_array($result)) {
     $poll->choice[$choice['chorder']] = $choice;
   }
 
-  // Determine whether or not this user is allowed to vote
+  // Determine whether or not this user is allowed to vote.
   $poll->allowvotes = FALSE;
   if (user_access('vote on polls') && $poll->active) {
     if ($user->uid) {
@@ -629,18 +629,32 @@
  * Implementation of hook_update().
  */
 function poll_update($node) {
+  // Update poll settings.
   db_query('UPDATE {poll} SET runtime = %d, active = %d WHERE nid = %d', $node->runtime, $node->active, $node->nid);
 
+  // Clean poll choices.
   db_query('DELETE FROM {poll_choices} WHERE nid = %d', $node->nid);
-  db_query('DELETE FROM {poll_votes} WHERE nid = %d', $node->nid);
-
-  $i = 0;
-  foreach ($node->choice as $choice) {
-    $chvotes = (int)$choice['chvotes'];
+
+  // Poll choices come in the same order with the same numbers as they are in
+  // the database, but some might have an empty title, which signifies that
+  // they should be removed. We remove all votes to the removed options, so
+  // people who voted on them can vote again.
+  $new_chorder = 0;
+  foreach ($node->choice as $old_chorder => $choice) {
+    $chvotes = isset($choice['chvotes']) ? (int)$choice['chvotes'] : 0;
     $chtext = $choice['chtext'];
 
-    if ($chtext != '') {
-      db_query("INSERT INTO {poll_choices} (nid, chtext, chvotes, chorder) VALUES (%d, '%s', %d, %d)", $node->nid, $chtext, $chvotes, $i++);
+    if (!empty($chtext)) {
+      db_query("INSERT INTO {poll_choices} (nid, chtext, chvotes, chorder) VALUES (%d, '%s', %d, %d)", $node->nid, $chtext, $chvotes, $new_chorder);
+      if ($new_chorder != $old_chorder) {
+        // We can only remove items in the middle, not add, so
+        // new_chorder is always <= old_chorder, making this safe.
+        db_query("UPDATE {poll_votes} SET chorder = %d WHERE nid = %d AND chorder = %d", $new_chorder, $node->nid, $old_chorder);
+      }
+      $new_chorder++;
+    }
+    else {
+      db_query("DELETE FROM {poll_votes} WHERE nid = %d AND chorder = %d", $node->nid, $old_chorder);
     }
   }
 }

Modified: branches/upstream/current-5/modules/profile/profile.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/profile/profile.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/profile/profile.info (original)
+++ branches/upstream/current-5/modules/profile/profile.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/search/search.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/search/search.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/search/search.info (original)
+++ branches/upstream/current-5/modules/search/search.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/statistics/statistics.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/statistics/statistics.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/statistics/statistics.info (original)
+++ branches/upstream/current-5/modules/statistics/statistics.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/system/system.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/system/system.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/system/system.info (original)
+++ branches/upstream/current-5/modules/system/system.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - required
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/system/system.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/system/system.module?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/system/system.module (original)
+++ branches/upstream/current-5/modules/system/system.module Sun Nov 30 23:08:16 2008
@@ -1,12 +1,12 @@
 <?php
-// $Id: system.module,v 1.440.2.35 2008/08/13 23:59:09 drumm Exp $
+// $Id: system.module,v 1.440.2.39 2008/10/22 19:25:28 drumm Exp $
 
 /**
  * @file
  * Configuration system that lets administrators modify the workings of the site.
  */
 
-define('VERSION', '5.10');
+define('VERSION', '5.12');
 
 /**
  * Implementation of hook_help().

Modified: branches/upstream/current-5/modules/taxonomy/taxonomy.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/taxonomy/taxonomy.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/taxonomy/taxonomy.info (original)
+++ branches/upstream/current-5/modules/taxonomy/taxonomy.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/throttle/throttle.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/throttle/throttle.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/throttle/throttle.info (original)
+++ branches/upstream/current-5/modules/throttle/throttle.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/tracker/tracker.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/tracker/tracker.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/tracker/tracker.info (original)
+++ branches/upstream/current-5/modules/tracker/tracker.info Sun Nov 30 23:08:16 2008
@@ -5,8 +5,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/upload/upload.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/upload/upload.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/upload/upload.info (original)
+++ branches/upstream/current-5/modules/upload/upload.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/upload/upload.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/upload/upload.module?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/upload/upload.module (original)
+++ branches/upstream/current-5/modules/upload/upload.module Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
 <?php
-// $Id: upload.module,v 1.148.2.4 2008/05/26 05:03:47 drumm Exp $
+// $Id: upload.module,v 1.148.2.5 2008/10/08 20:10:26 drumm Exp $
 
 /**
  * @file
@@ -878,8 +878,21 @@
  * Menu-callback for JavaScript-based uploads.
  */
 function upload_js() {
-  // We only do the upload.module part of the node validation process.
-  $node = (object)$_POST;
+  if (isset($_POST['vid']) && is_numeric($_POST['vid'])) {
+    // Load the node and check the user is allowed to post attachments to it.
+    $node = node_load(array('vid' => $_POST['vid']));
+    if (!$node || !node_access('update', $node) || !variable_get('upload_'. $node->type, TRUE)) {
+      // Setting this error will cause the form to fail validation.
+      form_set_error('form_token', t('Validation error, please try again. If this error persists, please contact the site administrator.'));
+      $output = theme('status_messages');
+      print drupal_to_js(array('status' => TRUE, 'data' => $output));
+      exit();
+    }
+  }
+  else {
+    // This is a new node.
+    $node = new stdClass();
+  }
 
   // Load existing node files.
   $node->files = upload_load($node);

Modified: branches/upstream/current-5/modules/user/user.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/user/user.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/user/user.info (original)
+++ branches/upstream/current-5/modules/user/user.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - required
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
 

Modified: branches/upstream/current-5/modules/user/user.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/user/user.module?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/user/user.module (original)
+++ branches/upstream/current-5/modules/user/user.module Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
 <?php
-// $Id: user.module,v 1.745.2.32 2008/08/13 23:59:09 drumm Exp $
+// $Id: user.module,v 1.745.2.35 2008/10/08 20:10:26 drumm Exp $
 
 /**
  * @file
@@ -979,11 +979,21 @@
 
   // Try to log in the user locally. Don't set $user unless successful.
   if ($account = user_load(array('name' => $name, 'pass' => $pass, 'status' => 1))) {
-    $user = $account;
-    return $user;
+    // Check if the e-mail is denied by an access rule.
+    // Doing this check here saves us a user_load() in user_login_validate()
+    // and introduces less code change for a security fix.
+    if (drupal_is_denied('mail', $account->mail)) {
+      form_set_error('name', t('The name %name is registered using a reserved e-mail address and therefore could not be logged in.', array('%name' => $account->name)));
+      return;
+    }
+    else {
+      $user = $account;
+      return $user;
+    }
   }
 
   // Strip name and server from ID:
+  $fullname = $name;
   if ($server = strrchr($name, '@')) {
     $name = substr($name, 0, strlen($name) - strlen($server));
     $server = substr($server, 1);
@@ -991,10 +1001,10 @@
 
   // When possible, determine corresponding external auth source. Invoke
   // source, and log in user if successful:
-  if ($server && ($result = user_get_authmaps("$name@$server"))) {
+  if ($result = user_get_authmaps($fullname)) {
     if (module_invoke(key($result), 'auth', $name, $pass, $server)) {
-      $user = user_external_load("$name@$server");
-      watchdog('user', t('External load by %user using module %module.', array('%user' => $name .'@'. $server, '%module' => key($result))));
+      $user = user_external_load($fullname);
+      watchdog('user', t('External load by %user using module %module.', array('%user' => $fullname, '%module' => key($result))));
     }
   }
 
@@ -1003,23 +1013,18 @@
   else {
     foreach (module_implements('auth') as $module) {
       if (module_invoke($module, 'auth', $name, $pass, $server)) {
-        if ($server) {
-          $name .= '@'. $server;
-        }
-        $registered_user = user_load(array('name' => $name));
+        $registered_user = user_load(array('name' => $fullname));
         if (!$registered_user->uid) { // Register this new user.
           $userinfo = array(
-            'name' => $name, 
+            'name' => $fullname,
             'pass' => user_password(), 
-            'init' => $name, 
+            'init' => $fullname,
             'status' => 1, 
             'access' => time(),
           );
-          if ($server) {
-            $userinfo["authname_$module"] = $name;
-          }
+          $userinfo["authname_$module"] = $fullname;
           $user = user_save('', $userinfo);
-          watchdog('user', t('New external user: %user using module %module.', array('%user' => $name, '%module' => $module)), WATCHDOG_NOTICE, l(t('edit'), 'user/'. $user->uid .'/edit'));
+          watchdog('user', t('New external user: %user using module %module.', array('%user' => $fullname, '%module' => $module)), WATCHDOG_NOTICE, l(t('edit'), 'user/'. $user->uid .'/edit'));
           break;
         }
       }
@@ -1064,6 +1069,13 @@
 
 function user_pass_validate($form_id, $form_values) {
   $name = $form_values['name'];
+
+  // Blocked accounts cannot request a new password,
+  // check provided username and email against access rules.
+  if (drupal_is_denied('user', $name) || drupal_is_denied('mail', $name)) {
+    form_set_error('name', t('%name is not allowed to request a new password.', array('%name' => $name)));
+  }
+
   $account = user_load(array('mail' => $name, 'status' => 1));
   if (!$account) {
     $account = user_load(array('name' => $name, 'status' => 1));
@@ -1083,7 +1095,7 @@
   $from = variable_get('site_mail', ini_get('sendmail_from'));
 
   // Mail one time login URL and instructions.
-  $variables = array('!username' => $account->name, '!site' => variable_get('site_name', 'Drupal'), '!login_url' => user_pass_reset_url($account), '!uri' => $base_url, '!uri_brief' => substr($base_url, strlen('http://')), '!mailto' => $account->mail, '!date' => format_date(time()), '!login_uri' => url('user', NULL, NULL, TRUE), '!edit_uri' => url('user/'. $account->uid .'/edit', NULL, NULL, TRUE));
+  $variables = array('!username' => $account->name, '!site' => variable_get('site_name', 'Drupal'), '!login_url' => user_pass_reset_url($account), '!uri' => $base_url, '!uri_brief' => preg_replace('!^https?://!', '', $base_url), '!mailto' => $account->mail, '!date' => format_date(time()), '!login_uri' => url('user', NULL, NULL, TRUE), '!edit_uri' => url('user/'. $account->uid .'/edit', NULL, NULL, TRUE));
   $subject = _user_mail_text('pass_subject', $variables);
   $body = _user_mail_text('pass_body', $variables);
   $mail_success = drupal_mail('user-pass', $account->mail, $subject, $body, $from);
@@ -1116,6 +1128,11 @@
     $current = time();
     // Some redundant checks for extra security ?
     if ($timestamp < $current && $account = user_load(array('uid' => $uid, 'status' => 1)) ) {
+      // Deny one-time login to blocked accounts.
+      if (drupal_is_denied('user', $account->name) || drupal_is_denied('mail', $account->mail)) {
+        drupal_set_message(t('You have tried to use a one-time login for an account which has been blocked.'), 'error');
+        drupal_goto();
+      }
       // No time out for first time login.
       if ($account->login && $current - $timestamp > $timeout) {
         drupal_set_message(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'));

Modified: branches/upstream/current-5/modules/watchdog/watchdog.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/watchdog/watchdog.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/watchdog/watchdog.info (original)
+++ branches/upstream/current-5/modules/watchdog/watchdog.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
 package = Core - required
 version = VERSION
 
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
 project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"