Commit afe3f431 authored by Gábor Hojtsy's avatar Gábor Hojtsy

security fixes forward ported from Drupal 5.2 - previously not committed parts...

security fixes forward ported from Drupal 5.2 - previously not committed parts of http://drupal.org/cvs?commit=74833
parent bc0d7cb3
......@@ -56,8 +56,9 @@ function sess_read($key) {
function sess_write($key, $value) {
global $user;
// If the client doesn't have a session, and one isn't being created ($value), do nothing.
if (empty($_COOKIE[session_name()]) && empty($value)) {
// If saving of session data is disabled or if the client doesn't have a session,
// and one isn't being created ($value), do nothing.
if (!session_save_session() || (empty($_COOKIE[session_name()]) && empty($value))) {
return TRUE;
}
......@@ -153,3 +154,23 @@ function sess_gc($lifetime) {
return TRUE;
}
/**
* Determine whether to save session data of the current request.
*
* This function allows the caller to temporarily disable writing of session data,
* should the request end while performing potentially dangerous operations, such as
* manipulating the global $user object.
*
* @param $status
* Disables writing of session data when FALSE, (re-)enables writing when TRUE.
* @return
* FALSE if writing session data has been disabled. Otherwise, TRUE.
*/
function session_save_session($status = NULL) {
static $save_session = TRUE;
if (isset($status)) {
$save_session = $status;
}
return ($save_session);
}
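Review bot: session_save_session() stores whatever `$status` it is handed without coercion, so a caller passing a non-boolean such as `0` or a string flips the flag by truthiness while the docblock promises a strict TRUE/FALSE return; `$save_session = (bool) $status;` keeps the return to the two documented values. Because the flag is a static that lives for the rest of the request, a caller that disables saving and never re-enables it silently drops every later session change in that request, which the docblock could state in one sentence next to the `$status` description. In sess_write(), the new `!session_save_session()` test short-circuits ahead of the cookie check and still returns TRUE, which is what the PHP handler contract requires even when nothing is written. The sess_write() hunk at the top of this section starts inside the function, whose remainder lies outside the hunk.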
......@@ -1373,10 +1373,9 @@ function node_menu() {
'type' => MENU_CALLBACK,
);
foreach (node_get_types('types', NULL, TRUE) as $type) {
$name = check_plain($type->name);
$type_url_str = str_replace('_', '-', $type->type);
$items['node/add/'. $type_url_str] = array(
'title' => drupal_ucfirst($name),
'title' => drupal_ucfirst($type->name),
'page callback' => 'node_add',
'page arguments' => array(2),
'access callback' => 'node_access',
......
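Review bot: The menu title is now built from the raw `$type->name`, with the previous `check_plain()` call dropped, which is only safe if the menu layer escapes titles when it renders them; nothing in the hunk records that assumption, so a later reader may put the escaping back and double-encode entities, or, if the renderer does not escape, the user-supplied type name would reach the page unescaped. A one-line comment above the `'title'` entry would pin the intent: `// Raw name on purpose: menu item titles are escaped by the menu/theme layer at render time.` That assumption should be checked against the renderer before merging. node_menu() continues outside the hunk.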
......@@ -84,7 +84,7 @@ function template_preprocess_search_result(&$variables) {
$info = array();
if (!empty($result['type'])) {
$info['type'] = $result['type'];
$info['type'] = check_plain($result['type']);
}
if (!empty($result['user'])) {
$info['user'] = $result['user'];
......
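Review bot: `$info['type']` is now passed through check_plain() while `$info['user']` three lines later is still copied raw, and the hunk gives no reason for the asymmetry; if `$result['user']` is expected to arrive as already-rendered markup (a themed username, presumably), a comment should say so, e.g. `// 'user' is pre-rendered markup supplied by the search module; do not escape it again.` Without that note a future reader cannot tell whether the missing escaping is deliberate, and either guess yields a defect: double-encoded output or an unescaped user value. template_preprocess_search_result() continues outside the hunk.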
......@@ -172,7 +172,7 @@ function system_admin_theme_settings() {
* Menu callback; displays a listing of all themes.
*
* @ingroup forms
* @see system_themes_form_submt().
* @see system_themes_form_submit().
*/
function system_themes_form() {
......@@ -405,7 +405,7 @@ function system_theme_settings(&$form_state, $key = '') {
'#suffix' => '</div>',
);
foreach ($node_types as $type => $name) {
$form['node_info']["toggle_node_info_$type"] = array('#type' => 'checkbox', '#title' => $name, '#default_value' => $settings["toggle_node_info_$type"]);
$form['node_info']["toggle_node_info_$type"] = array('#type' => 'checkbox', '#title' => check_plain($name), '#default_value' => $settings["toggle_node_info_$type"]);
}
}
}
......
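Review bot: The node-type label is now escaped before it is stored in `#title`, but nothing records why, so a later cleanup may drop the call as redundant; a comment such as `// #title appears to be rendered without escaping by the form layer, so the type name must be escaped here.` would preserve the reason, with the claim about the renderer confirmed before it is written as fact. The rewritten line is also well past a readable width; splitting the array literal onto one line per key (`'#type'`, `'#title'`, `'#default_value'`) makes the escaping call visible at a glance. The first hunk in this file only corrects a docblock typo and needs nothing further. system_theme_settings() continues outside the hunk.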