[Pkg-drupal-commits] r2057 - in /branches/drupal-5.0/debian: changelog patches/00list patches/20_SA-CORE-2009-007.dpatch
luigi at users.alioth.debian.org
luigi at users.alioth.debian.org
Mon Jul 13 15:24:44 UTC 2009
Author: luigi
Date: Mon Jul 13 15:24:43 2009
New Revision: 2057
URL: http://svn.debian.org/wsvn/pkg-drupal/?sc=1&rev=2057
Log:
Integrate NMU
Added:
branches/drupal-5.0/debian/patches/20_SA-CORE-2009-007.dpatch
Modified:
branches/drupal-5.0/debian/changelog
branches/drupal-5.0/debian/patches/00list
Modified: branches/drupal-5.0/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-5.0/debian/changelog?rev=2057&op=diff
==============================================================================
--- branches/drupal-5.0/debian/changelog (original)
+++ branches/drupal-5.0/debian/changelog Mon Jul 13 15:24:43 2009
@@ -1,3 +1,11 @@
+drupal5 (5.18-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Apply upstream patch to fix possible password leakage
+ via URLs (no CVE id yet; SA-CORE-2009-007; Closes: #535476).
+
+ -- Nico Golde <nion at debian.org> Mon, 06 Jul 2009 20:24:02 +0200
+
drupal5 (5.18-1) unstable; urgency=low
[ Luigi Gangitano ]
Modified: branches/drupal-5.0/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-5.0/debian/patches/00list?rev=2057&op=diff
==============================================================================
--- branches/drupal-5.0/debian/patches/00list (original)
+++ branches/drupal-5.0/debian/patches/00list Mon Jul 13 15:24:43 2009
@@ -1,1 +1,2 @@
10_cronjob
+20_SA-CORE-2009-007
Added: branches/drupal-5.0/debian/patches/20_SA-CORE-2009-007.dpatch
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-5.0/debian/patches/20_SA-CORE-2009-007.dpatch?rev=2057&op=file
==============================================================================
--- branches/drupal-5.0/debian/patches/20_SA-CORE-2009-007.dpatch (added)
+++ branches/drupal-5.0/debian/patches/20_SA-CORE-2009-007.dpatch Mon Jul 13 15:24:43 2009
@@ -1,0 +1,46 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 20_SA-CORE-2009-007.dpatch by Nico Golde <nion at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fix password leakage in URL
+
+ at DPATCH@
+diff -urNad drupal5-5.18~/includes/pager.inc drupal5-5.18/includes/pager.inc
+--- drupal5-5.18~/includes/pager.inc 2006-10-15 21:57:05.000000000 +0200
++++ drupal5-5.18/includes/pager.inc 2009-07-06 20:21:30.000000000 +0200
+@@ -85,7 +85,7 @@
+ function pager_get_querystring() {
+ static $string = NULL;
+ if (!isset($string)) {
+- $string = drupal_query_string_encode($_REQUEST, array_merge(array('q', 'page'), array_keys($_COOKIE)));
++ $string = drupal_query_string_encode($_REQUEST, array_merge(array('q', 'page', 'pass'), array_keys($_COOKIE)));
+ }
+ return $string;
+ }
+diff -urNad drupal5-5.18~/includes/tablesort.inc drupal5-5.18/includes/tablesort.inc
+--- drupal5-5.18~/includes/tablesort.inc 2007-06-17 00:29:25.000000000 +0200
++++ drupal5-5.18/includes/tablesort.inc 2009-07-06 20:21:30.000000000 +0200
+@@ -131,7 +131,7 @@
+ * except for those pertaining to table sorting.
+ */
+ function tablesort_get_querystring() {
+- return drupal_query_string_encode($_REQUEST, array_merge(array('q', 'sort', 'order'), array_keys($_COOKIE)));
++ return drupal_query_string_encode($_REQUEST, array_merge(array('q', 'sort', 'order', 'pass'), array_keys($_COOKIE)));
+ }
+
+ /**
+diff -urNad drupal5-5.18~/modules/forum/forum.module drupal5-5.18/modules/forum/forum.module
+--- drupal5-5.18~/modules/forum/forum.module 2009-04-29 20:53:38.000000000 +0200
++++ drupal5-5.18/modules/forum/forum.module 2009-07-06 20:21:30.000000000 +0200
+@@ -833,6 +833,11 @@
+ * Menu callback; prints a forum listing.
+ */
+ function forum_page($tid = 0) {
++ if (!is_numeric($tid)) {
++ return MENU_NOT_FOUND;
++ }
++ $tid = (int)$tid;
++
+ drupal_add_css(drupal_get_path('module', 'forum') .'/forum.css');
+ $forum_per_page = variable_get('forum_per_page', 25);
+ $sortby = variable_get('forum_order', 1);
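Review bot: The exclusion list in `pager_get_querystring()` and `tablesort_get_querystring()` is a denylist of a single field name, so only a request parameter called `pass` is kept out of the generated pager and sort links. Both functions still encode `$_REQUEST`, which normally includes POST data, so any other sensitive posted field (a differently named password field from another module, for instance) would presumably still be copied into URLs and from there into server logs, browser history and Referer headers. If no caller relies on posted values being carried into these links, building the query string from `$_GET` would close the whole class of leak rather than one instance, e.g. `$string = drupal_query_string_encode($_GET, array('q', 'page'));`. Separately, the `## DP:` line describes only the password fix while the patch also adds `$tid` validation to `forum_page()` (whose body continues past the hunk); a second line such as `## DP: validate forum term id in forum_page()` would keep the header accurate for anyone auditing what this patch covers.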