[Pkg-drupal-commits] r2036 - in /branches/drupal-5.0/debian: changelog patches/00list patches/20_xss.dpatch

luigi at users.alioth.debian.org luigi at users.alioth.debian.org
Tue Jun 2 00:15:48 UTC 2009


Author: luigi
Date: Tue Jun  2 00:15:47 2009
New Revision: 2036

URL: http://svn.debian.org/wsvn/pkg-drupal/?sc=1&rev=2036
Log:
Acknowledge NMU

Added:
    branches/drupal-5.0/debian/patches/20_xss.dpatch
Modified:
    branches/drupal-5.0/debian/changelog
    branches/drupal-5.0/debian/patches/00list

Modified: branches/drupal-5.0/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-5.0/debian/changelog?rev=2036&op=diff
==============================================================================
--- branches/drupal-5.0/debian/changelog (original)
+++ branches/drupal-5.0/debian/changelog Tue Jun  2 00:15:47 2009
@@ -1,3 +1,10 @@
+drupal5 (5.17-1.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix several XSS issues (SA-CORE-2009-006; Closes: #529191).
+
+ -- Nico Golde <nion at debian.org>  Thu, 28 May 2009 20:30:39 +0200
+
 drupal5 (5.17-1) unstable; urgency=low
 
   [ Luigi Gangitano ]

Modified: branches/drupal-5.0/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-5.0/debian/patches/00list?rev=2036&op=diff
==============================================================================
--- branches/drupal-5.0/debian/patches/00list (original)
+++ branches/drupal-5.0/debian/patches/00list Tue Jun  2 00:15:47 2009
@@ -1,1 +1,2 @@
 10_cronjob
+20_xss

Added: branches/drupal-5.0/debian/patches/20_xss.dpatch
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-5.0/debian/patches/20_xss.dpatch?rev=2036&op=file
==============================================================================
--- branches/drupal-5.0/debian/patches/20_xss.dpatch (added)
+++ branches/drupal-5.0/debian/patches/20_xss.dpatch Tue Jun  2 00:15:47 2009
@@ -1,0 +1,63 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 20_xss.dpatch by Nico Golde <nion at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fix SA-CORE-2009-006
+
+ at DPATCH@
+diff -urNad drupal5-5.17~/includes/theme.inc drupal5-5.17/includes/theme.inc
+--- drupal5-5.17~/includes/theme.inc	2009-04-30 02:13:48.000000000 +0200
++++ drupal5-5.17/includes/theme.inc	2009-05-28 20:28:29.000000000 +0200
+@@ -170,7 +170,7 @@
+   if ($functions[$function]) {
+     $output = call_user_func_array($functions[$function], $args);
+     // Add final markup to the full page.
+-    if ($function == 'page') {
++    if ($function == 'page' || $function == 'book_export_html') {
+       $output = drupal_final_markup($output);
+     }
+     return $output;
+diff -urNad drupal5-5.17~/modules/book/book.module drupal5-5.17/modules/book/book.module
+--- drupal5-5.17~/modules/book/book.module	2007-02-14 05:30:33.000000000 +0100
++++ drupal5-5.17/modules/book/book.module	2009-05-28 20:28:29.000000000 +0200
+@@ -702,8 +702,9 @@
+   global $base_url;
+   $html = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n";
+   $html .= '<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">';
+-  $html .= "<head>\n<title>". $title ."</title>\n";
++  $html .= "\n<head>\n";
+   $html .= '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />';
++  $html .= "\n<title>". $title ."</title>\n";
+   $html .= '<base href="'. $base_url .'/" />' . "\n";
+   $html .= "<style type=\"text/css\">\n at import url(misc/print.css);\n</style>\n";
+   $html .= "</head>\n<body>\n". $content ."\n</body>\n</html>\n";
+diff -urNad drupal5-5.17~/modules/taxonomy/taxonomy.module drupal5-5.17/modules/taxonomy/taxonomy.module
+--- drupal5-5.17~/modules/taxonomy/taxonomy.module	2009-02-23 06:42:20.000000000 +0100
++++ drupal5-5.17/modules/taxonomy/taxonomy.module	2009-05-28 20:28:29.000000000 +0200
+@@ -621,7 +621,7 @@
+  */
+ function taxonomy_form($vid, $value = 0, $help = NULL, $name = 'taxonomy') {
+   $vocabulary = taxonomy_get_vocabulary($vid);
+-  $help = ($help) ? $help : $vocabulary->help;
++  $help = ($help) ? $help : filter_xss_admin($vocabulary->help);
+ 
+   if (!$vocabulary->multiple) {
+     $blank = ($vocabulary->required) ? t('- Please choose -') : t('- None selected -');
+@@ -718,7 +718,7 @@
+         $typed_string = implode(', ', $typed_terms) . (array_key_exists('tags', $terms) ? $terms['tags'][$vocabulary->vid] : NULL);
+ 
+         if ($vocabulary->help) {
+-          $help = $vocabulary->help;
++          $help = filter_xss_admin($vocabulary->help);
+         }
+         else {
+           $help = t('A comma-separated list of terms describing this content. Example: funny, bungee jumping, "Company, Inc.".');
+@@ -741,7 +741,7 @@
+             $default_terms[$term->tid] = $term;
+           }
+         }
+-        $form['taxonomy'][$vocabulary->vid] = taxonomy_form($vocabulary->vid, array_keys($default_terms), $vocabulary->help);
++        $form['taxonomy'][$vocabulary->vid] = taxonomy_form($vocabulary->vid, array_keys($default_terms), filter_xss_admin($vocabulary->help));
+         $form['taxonomy'][$vocabulary->vid]['#weight'] = $vocabulary->weight;
+         $form['taxonomy'][$vocabulary->vid]['#required'] = $vocabulary->required;
+       }
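Review bot: In the taxonomy.module part of this dpatch, `taxonomy_form()` now runs `filter_xss_admin()` only on its fallback `$vocabulary->help`, while a `$help` supplied by the caller is emitted as-is, so the third hunk has to filter at the call site and any other caller that passes raw vocabulary help stays unfiltered. Either filter whichever value is chosen, `$help = filter_xss_admin(($help) ? $help : $vocabulary->help);`, or record the contract in the function's docblock (which starts above this hunk), e.g. `@param $help Optional help text; callers must pass output-safe markup (already run through filter_xss_admin()).` The `($help) ? $help : ...` truthiness test also treats a help string of `'0'` as absent; `$help !== NULL && $help !== ''` is the explicit form if that case matters. In the book.module hunk the `<meta>` charset declaration now precedes `<title>`, but `$title` and `$content` are still concatenated unescaped inside this function, so the fix relies on the caller (outside the hunk) having escaped `$title`, which is worth confirming. The archive rendering also appears to have replaced `@` with ` at ` in `@DPATCH@` and `@import url(misc/print.css)`, so the patch text as shown here is not the byte-exact file.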



