Commit 77b6714f authored by Gábor Hojtsy's avatar Gábor Hojtsy

Drupal 6.16

parent d3aa9253
// $Id$
Drupal 6.16-dev, xxxx-xx-xx (development release)
Drupal 6.16, 2010-03-03
----------------------
- Fixed security issues (Installation cross site scripting, Open redirection,
Locale module cross site scripting, Blocked user session regeneration),
see SA-CORE-2010-001.
- Better support for updated jQuery versions.
- Reduced resource usage of update.module.
- Fixed several issues relating to support of install profiles and
distributions.
- Added a locking framework to avoid data corruption on long operations.
- Fixed a variety of other bugs.
Drupal 6.15, 2009-12-16
----------------------
......@@ -209,6 +218,11 @@ Drupal 6.0, 2008-02-13
- Removed old system updates. Updates from Drupal versions prior to 5.x will
require upgrading to 5.x before upgrading to 6.x.
Drupal 5.22, 2010-03-03
-----------------------
- Fixed security issues (Open redirection, Locale module cross site scripting,
Blocked user session regeneration), see SA-CORE-2010-001.
Drupal 5.21, 2009-12-16
-----------------------
- Fixed a security issue (Cross site scripting), see SA-CORE-2009-009.
......
......@@ -311,11 +311,21 @@ function drupal_get_destination() {
*/
function drupal_goto($path = '', $query = NULL, $fragment = NULL, $http_response_code = 302) {
$destination = FALSE;
if (isset($_REQUEST['destination'])) {
extract(parse_url(urldecode($_REQUEST['destination'])));
$destination = $_REQUEST['destination'];
}
else if (isset($_REQUEST['edit']['destination'])) {
extract(parse_url(urldecode($_REQUEST['edit']['destination'])));
$destination = $_REQUEST['edit']['destination'];
}
if ($destination) {
// Do not redirect to an absolute URL originating from user input.
$colonpos = strpos($destination, ':');
$absolute = ($colonpos !== FALSE && !preg_match('![/?#]!', substr($destination, 0, $colonpos)));
if (!$absolute) {
extract(parse_url(urldecode($destination)));
}
}
$url = url($path, array('query' => $query, 'fragment' => $fragment, 'absolute' => TRUE));
......@@ -617,7 +627,7 @@ function drupal_error_handler($errno, $message, $filename, $line, $context) {
return;
}
if ($errno & (E_ALL ^ E_DEPRECATED)) {
if ($errno & (E_ALL ^ E_DEPRECATED ^ E_NOTICE)) {
$types = array(1 => 'error', 2 => 'warning', 4 => 'parse error', 8 => 'notice', 16 => 'core error', 32 => 'core warning', 64 => 'compile error', 128 => 'compile warning', 256 => 'user error', 512 => 'user warning', 1024 => 'user notice', 2048 => 'strict warning', 4096 => 'recoverable fatal error');
// For database errors, we want the line number/file name of the place that
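Review bot: In drupal_goto(), the absolute-URL test runs on the raw `$destination`, but the string actually parsed is `urldecode($destination)`, so the guard and parse_url() can disagree about input that still carries a percent-encoded colon after PHP's own request decoding. Decoding once and using that same string for both steps keeps them consistent, e.g. `$destination = urldecode($destination);` before the `$colonpos` line and `extract(parse_url($destination));` inside the `if`. parse_url() can also return FALSE on malformed input, which extract() does not accept, so an `is_array()` check on the result would be worth adding. The function body continues past the hunk, and this note is placed after the section's later drupal_error_handler() hunk.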
......
......@@ -34,6 +34,9 @@ function locale_languages_overview_form() {
$options = array();
$form['weight'] = array('#tree' => TRUE);
foreach ($languages as $langcode => $language) {
// Language code should contain no markup, but is emitted
// by radio and checkbox options.
$langcode = check_plain($langcode);
$options[$langcode] = '';
if ($language->enabled) {
......@@ -335,6 +338,17 @@ function locale_languages_predefined_form_submit($form, &$form_state) {
* Validate the language editing form. Reused for custom language addition too.
*/
function locale_languages_edit_form_validate($form, &$form_state) {
// Validate that the name, native, and langcode variables are safe.
if (preg_match('/["<>\']/', $form_state['values']['langcode'])) {
form_set_error('langcode', t('The characters &lt;, &gt;, " and \' are not allowed in the language code field.'));
}
if (preg_match('/["<>\']/', $form_state['values']['name'])) {
form_set_error('name', t('The characters &lt;, &gt;, " and \' are not allowed in the language name in English field.'));
}
if (preg_match('/["<>\']/', $form_state['values']['native'])) {
form_set_error('native', t('The characters &lt;, &gt;, " and \' are not allowed in the native language name field.'));
}
if (!empty($form_state['values']['domain']) && !empty($form_state['values']['prefix'])) {
form_set_error('prefix', t('Domain and path prefix values should not be set at the same time.'));
}
......@@ -536,8 +550,13 @@ function locale_translate_seek_screen() {
*/
function locale_translate_seek_form() {
// Get all languages, except English
$languages = locale_language_list('name', TRUE);
unset($languages['en']);
$raw_languages = locale_language_list('name', TRUE);
unset($raw_languages['en']);
// Sanitize the values to be used in radios.
$languages = array();
foreach ($raw_languages as $key => $value) {
$languages[check_plain($key)] = check_plain($value);
}
// Present edit form preserving previous user settings
$query = _locale_translate_seek_query();
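Review bot: The new checks in locale_languages_edit_form_validate() reject only `"`, `<`, `>` and `'`, so a language code containing `&` is still accepted. The check_plain() calls added to locale_languages_overview_form() and locale_translate_seek_form() would then rewrite that array key to `&amp;`, which presumably no longer matches the stored code when the form is submitted. Since language codes use a small character set, an allowlist on langcode is the safer test, for example `if (preg_match('/[^a-zA-Z0-9_-]/', $form_state['values']['langcode'])) {`, keeping the character blocklist for the free-text name fields. All three functions continue outside the visible hunks, so the effect on later uses of `$langcode` in the overview loop should be checked there.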
......
......@@ -31,8 +31,9 @@ function sess_read($key) {
// Otherwise, if the session is still active, we have a record of the client's session in the database.
$user = db_fetch_object(db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = '%s'", $key));
// We found the client's session record and they are an authenticated user
if ($user && $user->uid > 0) {
// We found the client's session record and they are an authenticated,
// active user.
if ($user && $user->uid > 0 && $user->status == 1) {
// This is done to unserialize the data member of $user
$user = drupal_unpack($user);
......@@ -44,7 +45,8 @@ function sess_read($key) {
$user->roles[$role->rid] = $role->name;
}
}
// We didn't find the client's record (session has expired), or they are an anonymous user.
// We didn't find the client's record (session has expired), or they are
// blocked, or they are an anonymous user.
else {
$session = isset($user->session) ? $user->session : '';
$user = drupal_anonymous_user($session);
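Review bot: With the added `$user->status == 1` test in sess_read(), a blocked account now reaches the `else` branch with a populated `$user` row, so `$user->session` from that account's record is passed on to drupal_anonymous_user(). If a blocked user is meant to start from a clean anonymous session, the line could become `$session = ($user && $user->uid == 0 && isset($user->session)) ? $user->session : '';`, which keeps stored data for genuine anonymous sessions only. If carrying the data over is intended, the rewritten comment above the `else` should say so. sess_read() starts and ends outside both hunks, so whether the session row is removed elsewhere when an account is blocked is not visible here.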
......
......@@ -125,9 +125,9 @@ function theme_install_page($content) {
$title = count($messages['error']) > 1 ? st('The following errors must be resolved before you can continue the installation process') : st('The following error must be resolved before you can continue the installation process');
$variables['messages'] .= '<h3>'. $title .':</h3>';
$variables['messages'] .= theme('status_messages', 'error');
$variables['content'] .= '<p>'. st('Please check the error messages and <a href="!url">try again</a>.', array('!url' => request_uri())) .'</p>';
$variables['content'] .= '<p>'. st('Please check the error messages and <a href="!url">try again</a>.', array('!url' => check_url(request_uri()))) .'</p>';
}
// Special handling of warning messages
if (isset($messages['warning'])) {
$title = count($messages['warning']) > 1 ? st('The following installation warnings should be carefully reviewed') : st('The following installation warning should be carefully reviewed');
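Review bot: The corrected line in theme_install_page() depends on the caller sanitizing by hand, because the `!url` placeholder passed to st() is inserted without escaping, and that is easy to lose when the line is copied. A comment above it would record the reason, e.g. `// request_uri() is user-controlled and !url is not escaped by st(); sanitize it here.` Any other output of `request_uri()` in this function outside the hunk deserves the same check.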
......
......@@ -201,6 +201,26 @@ function locale_update_6005() {
return array();
}
/**
* Neutralize unsafe language names in the database.
*/
function locale_update_6006() {
$ret = array();
$matches = db_result(db_query("SELECT 1 FROM {languages} WHERE native LIKE '%<%' OR native LIKE '%>%' OR name LIKE '%<%' OR name LIKE '%>%'"));
if ($matches) {
$ret[] = update_sql("UPDATE {languages} SET name = REPLACE(name, '<', ''), native = REPLACE(native, '<', '')");
$ret[] = update_sql("UPDATE {languages} SET name = REPLACE(name, '>', ''), native = REPLACE(native, '>', '')");
drupal_set_message('The language name in English and the native language name values of all the existing custom languages of your site have been sanitized for security purposes. Visit the <a href="'. url('admin/settings/language') .'">Languages</a> page to check these and fix them if necessary.', 'warning');
}
// Check if some langcode values contain potentially dangerous characters and
// warn the user if so. These are not fixed since they are referenced in other
// tables (e.g. {node}).
if (db_result(db_query("SELECT 1 FROM {languages} WHERE language LIKE '%<%' OR language LIKE '%>%' OR language LIKE '%\"%' OR language LIKE '%\\\\\%'"))) {
drupal_set_message('Some of your custom language code values contain invalid characters. You should examine the <a href="'. url('admin/settings/language') .'">Languages</a> page. These must be fixed manually.', 'error');
}
return $ret;
}
/**
* @} End of "defgroup updates-5.x-to-6.x"
*/
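Review bot: The final langcode check in locale_update_6006() looks for `<`, `>`, `"` and what appears to be a backslash, while locale_languages_edit_form_validate() in this same commit rejects `<`, `>`, `"` and `'`. An existing code containing a single quote would therefore pass the update without a warning even though it can no longer be saved through the form; if the intent is to flag everything the validator refuses, add a clause such as `OR language LIKE '%''%'`. The name/native cleanup has the same gap: it detects and strips only angle brackets, so stored values with quote characters stay as they are. A sentence in the docblock stating which characters are removed and which are only reported would make the update's scope clear.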
......
......@@ -215,7 +215,7 @@ function locale_user($type, $edit, &$user, $category = NULL) {
$names = array();
foreach ($languages as $langcode => $item) {
$name = t($item->name);
$names[$langcode] = $name . ($item->native != $name ? ' ('. $item->native .')' : '');
$names[check_plain($langcode)] = check_plain($name . ($item->native != $name ? ' ('. $item->native .')' : ''));
}
$form['locale'] = array(
'#type' => 'fieldset',
......@@ -228,7 +228,7 @@ function locale_user($type, $edit, &$user, $category = NULL) {
$form['locale']['language'] = array(
'#type' => (count($names) <= 5 ? 'radios' : 'select'),
'#title' => t('Language'),
'#default_value' => $user_preferred_language->language,
'#default_value' => check_plain($user_preferred_language->language),
'#options' => $names,
'#description' => ($mode == LANGUAGE_NEGOTIATION_PATH) ? t("This account's default language for e-mails, and preferred language for site presentation.") : t("This account's default language for e-mails."),
);
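Review bot: In locale_user(), the `$names` labels are escaped with check_plain() whether the element is rendered as `radios` or as `select` (the `#type` switches on `count($names) <= 5`). If the select renderer escapes option text itself, which is not visible in this diff, a language name containing `&` would be displayed double-escaped once a site has more than five languages. It is worth checking both render paths with such a name and, if needed, escaping the labels only for the `radios` case. A short comment above the loop, e.g. `// Radio option keys and labels are emitted as-is, so sanitize them here.`, would also explain why `#default_value` has to be escaped to keep matching the keys.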
......
......@@ -9,7 +9,7 @@
/**
* The current system version.
*/
define('VERSION', '6.16-dev');
define('VERSION', '6.16');
/**
* Core API compatibility.
......