[Pkg-drupal-commits] r2036 - in /branches/drupal-5.0/debian: changelog patches/00list patches/20_xss.dpatch
luigi at users.alioth.debian.org
luigi at users.alioth.debian.org
Tue Jun 2 00:15:48 UTC 2009
Author: luigi
Date: Tue Jun 2 00:15:47 2009
New Revision: 2036
URL: http://svn.debian.org/wsvn/pkg-drupal/?sc=1&rev=2036
Log:
Acknowledge NMU
Added:
branches/drupal-5.0/debian/patches/20_xss.dpatch
Modified:
branches/drupal-5.0/debian/changelog
branches/drupal-5.0/debian/patches/00list
Modified: branches/drupal-5.0/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-5.0/debian/changelog?rev=2036&op=diff
==============================================================================
--- branches/drupal-5.0/debian/changelog (original)
+++ branches/drupal-5.0/debian/changelog Tue Jun 2 00:15:47 2009
@@ -1,3 +1,10 @@
+drupal5 (5.17-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix several XSS issues (SA-CORE-2009-006; Closes: #529191).
+
+ -- Nico Golde <nion at debian.org> Thu, 28 May 2009 20:30:39 +0200
+
drupal5 (5.17-1) unstable; urgency=low
[ Luigi Gangitano ]
Modified: branches/drupal-5.0/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-5.0/debian/patches/00list?rev=2036&op=diff
==============================================================================
--- branches/drupal-5.0/debian/patches/00list (original)
+++ branches/drupal-5.0/debian/patches/00list Tue Jun 2 00:15:47 2009
@@ -1,1 +1,2 @@
10_cronjob
+20_xss
Added: branches/drupal-5.0/debian/patches/20_xss.dpatch
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-5.0/debian/patches/20_xss.dpatch?rev=2036&op=file
==============================================================================
--- branches/drupal-5.0/debian/patches/20_xss.dpatch (added)
+++ branches/drupal-5.0/debian/patches/20_xss.dpatch Tue Jun 2 00:15:47 2009
@@ -1,0 +1,63 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 20_xss.dpatch by Nico Golde <nion at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fix SA-CORE-2009-006
+
+ at DPATCH@
+diff -urNad drupal5-5.17~/includes/theme.inc drupal5-5.17/includes/theme.inc
+--- drupal5-5.17~/includes/theme.inc 2009-04-30 02:13:48.000000000 +0200
++++ drupal5-5.17/includes/theme.inc 2009-05-28 20:28:29.000000000 +0200
+@@ -170,7 +170,7 @@
+ if ($functions[$function]) {
+ $output = call_user_func_array($functions[$function], $args);
+ // Add final markup to the full page.
+- if ($function == 'page') {
++ if ($function == 'page' || $function == 'book_export_html') {
+ $output = drupal_final_markup($output);
+ }
+ return $output;
+diff -urNad drupal5-5.17~/modules/book/book.module drupal5-5.17/modules/book/book.module
+--- drupal5-5.17~/modules/book/book.module 2007-02-14 05:30:33.000000000 +0100
++++ drupal5-5.17/modules/book/book.module 2009-05-28 20:28:29.000000000 +0200
+@@ -702,8 +702,9 @@
+ global $base_url;
+ $html = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n";
+ $html .= '<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">';
+- $html .= "<head>\n<title>". $title ."</title>\n";
++ $html .= "\n<head>\n";
+ $html .= '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />';
++ $html .= "\n<title>". $title ."</title>\n";
+ $html .= '<base href="'. $base_url .'/" />' . "\n";
+ $html .= "<style type=\"text/css\">\n at import url(misc/print.css);\n</style>\n";
+ $html .= "</head>\n<body>\n". $content ."\n</body>\n</html>\n";
+diff -urNad drupal5-5.17~/modules/taxonomy/taxonomy.module drupal5-5.17/modules/taxonomy/taxonomy.module
+--- drupal5-5.17~/modules/taxonomy/taxonomy.module 2009-02-23 06:42:20.000000000 +0100
++++ drupal5-5.17/modules/taxonomy/taxonomy.module 2009-05-28 20:28:29.000000000 +0200
+@@ -621,7 +621,7 @@
+ */
+ function taxonomy_form($vid, $value = 0, $help = NULL, $name = 'taxonomy') {
+ $vocabulary = taxonomy_get_vocabulary($vid);
+- $help = ($help) ? $help : $vocabulary->help;
++ $help = ($help) ? $help : filter_xss_admin($vocabulary->help);
+
+ if (!$vocabulary->multiple) {
+ $blank = ($vocabulary->required) ? t('- Please choose -') : t('- None selected -');
+@@ -718,7 +718,7 @@
+ $typed_string = implode(', ', $typed_terms) . (array_key_exists('tags', $terms) ? $terms['tags'][$vocabulary->vid] : NULL);
+
+ if ($vocabulary->help) {
+- $help = $vocabulary->help;
++ $help = filter_xss_admin($vocabulary->help);
+ }
+ else {
+ $help = t('A comma-separated list of terms describing this content. Example: funny, bungee jumping, "Company, Inc.".');
+@@ -741,7 +741,7 @@
+ $default_terms[$term->tid] = $term;
+ }
+ }
+- $form['taxonomy'][$vocabulary->vid] = taxonomy_form($vocabulary->vid, array_keys($default_terms), $vocabulary->help);
++ $form['taxonomy'][$vocabulary->vid] = taxonomy_form($vocabulary->vid, array_keys($default_terms), filter_xss_admin($vocabulary->help));
+ $form['taxonomy'][$vocabulary->vid]['#weight'] = $vocabulary->weight;
+ $form['taxonomy'][$vocabulary->vid]['#required'] = $vocabulary->required;
+ }
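Review bot: In the taxonomy.module hunk at -621, `taxonomy_form()` filters only the `$vocabulary->help` fallback; a non-empty `$help` argument is still used exactly as passed, so whether the help text is safe depends on every caller. The caller changed in the -741 hunk filters before passing, but any other caller is outside this patch and cannot be checked from here. Filtering at the single point of use would close that gap: `$help = filter_xss_admin(($help) ? $help : $vocabulary->help);`, and the call at -741 could then pass `$vocabulary->help` unchanged. If callers are instead meant to pass ready-made markup, the docblock above the function should say so, e.g. `$help: help text for the element; must already be filtered, it is not sanitized here`. The function body continues past the end of that hunk, so how `$help` is finally rendered is not visible.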