Commit a3f3cb34 authored by Gábor Hojtsy's avatar Gábor Hojtsy

Drupal 6.0-beta 2 release with all Drupal 5.3 security fixes applied

parent 988d4f50
// $Id$
Drupal 6.0, xxxx-xx-xx (development version)
Drupal 6.0-beta2, 2007-10-17
----------------------
- New, faster and better menu system.
- New watchdog as a hook functionality.
......@@ -92,6 +92,27 @@ Drupal 6.0, xxxx-xx-xx (development version)
- Removed drupal.module. The functionality lives on as the Site network
contributed module (http://drupal.org/project/site_network).
Drupal 5.3, 2007-10-17
----------------------
- fixed a variety of small bugs.
- fixed a security issue (HTTP response splitting), see SA-2007-024
- fixed a security issue (Arbitrary code execution via installer), see SA-2007-025
- fixed a security issue (Cross site scripting via uploads), see SA-2007-026
- fixed a security issue (User deletion cross site request forgery), see SA-2007-029
- fixed a security issue (API handling of unpublished comment), see SA-2007-030
Drupal 5.2, 2007-07-26
----------------------
- changed hook_link() $teaser argument to match documentation.
- fixed a variety of small bugs.
- fixed a security issue (cross-site request forgery), see SA-2007-017
- fixed a security issue (cross-site scripting), see SA-2007-018
Drupal 5.1, 2007-01-29
----------------------
- fixed security issue (code execution), see SA-2007-005
- fixed a variety of small bugs.
Drupal 5.0, 2007-01-15
----------------------
- Completely retooled the administration page
......@@ -169,6 +190,20 @@ Drupal 5.0, 2007-01-15
* Added nested lists generation.
* Added a self-clearing block class.
Drupal 4.7.8, 2007-10-17
----------------------
- fixed a security issue (HTTP response splitting), see SA-2007-024
- fixed a security issue (Cross site scripting via uploads), see SA-2007-026
- fixed a security issue (API handling of unpublished comment), see SA-2007-030
Drupal 4.7.7, 2007-07-26
------------------------
- fixed security issue (XSS), see SA-2007-018
Drupal 4.7.6, 2007-01-29
------------------------
- fixed security issue (code execution), see SA-2007-005
Drupal 4.7.5, 2007-01-05
------------------------
- Fixed security issue (XSS), see SA-2007-001
......@@ -268,11 +268,8 @@ function drupal_get_destination() {
* 'user login'-block in a sidebar. The function drupal_get_destination()
* can be used to help set the destination URL.
*
* It is advised to use drupal_goto() instead of PHP's header(), because
* drupal_goto() will append the user's session ID to the URI when PHP is
* compiled with "--enable-trans-sid". In addition, Drupal will ensure that
* messages set by drupal_set_message() and other session data are written to
* the database before the user is redirected.
* Drupal will ensure that messages set by drupal_set_message() and other
* session data are written to the database before the user is redirected.
*
* This function ends the request; use it rather than a print theme('page')
* statement in your menu callback.
......@@ -305,6 +302,8 @@ function drupal_goto($path = '', $query = NULL, $fragment = NULL, $http_response
}
$url = url($path, array('query' => $query, 'fragment' => $fragment, 'absolute' => TRUE));
// Remove newlines from the URL to avoid header injection attacks.
$url = str_replace(array("\n", "\r"), '', $url);
// Allow modules to react to the end of the page request before redirecting.
module_invoke_all('exit', $url);
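Review bot: The added str_replace strips only raw `\n`/`\r` from the finished URL, which is the right spot since `$path`, `$query` and `$fragment` have all been folded into `$url` by that line, but the comment does not say why the guard is needed when the later `header()` call (outside the hunk) on PHP 4.4.2/5.1.2 and newer already refuses to emit a header containing a newline. Because this commit still declares DRUPAL_MINIMUM_PHP as 4.3.3, the rationale is worth recording; suggest `// Remove newlines from the URL to avoid header injection attacks; PHP older than 4.4.2/5.1.2 does not reject embedded newlines in header().`. drupal_goto's body continues past the end of the hunk, so the actual redirect is not reviewable here.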
......@@ -558,7 +557,7 @@ function drupal_error_handler($errno, $message, $filename, $line, $context) {
return;
}
if ($errno & (E_ALL)) {
if ($errno & (E_ALL ^ E_NOTICE)) {
$types = array(1 => 'error', 2 => 'warning', 4 => 'parse error', 8 => 'notice', 16 => 'core error', 32 => 'core warning', 64 => 'compile error', 128 => 'compile warning', 256 => 'user error', 512 => 'user warning', 1024 => 'user notice', 2048 => 'strict warning');
// For database errors, we want the line number/file name of the place that
......@@ -208,6 +208,14 @@ function install_change_settings($profile = 'default', $install_locale = '') {
exit;
}
if ($db_url == 'mysql://username:password@localhost/databasename') {
$db_user = $db_pass = $db_path = '';
}
elseif (!empty($db_url)) {
// Do not install over a configured settings.php.
install_already_done_error();
}
$output = drupal_get_form('install_settings_form', $profile, $install_locale, $settings_file, $db_url, $db_type, $db_prefix, $db_user, $db_pass, $db_host, $db_port, $db_path);
drupal_set_title(st('Database configuration'));
print theme('install_page', $output);
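Review bot: The guard lets the installer proceed only when `$db_url` is empty or matches the shipped placeholder byte-for-byte; any other non-empty value falls into the `elseif` and aborts, which is the safe direction but is left implicit. Add above the `if` a comment such as `// Only continue when settings.php still holds the shipped placeholder or no database URL at all; anything else means the site is already installed, so refuse to overwrite it.`. Where `$db_url` and the `$db_user`/`$db_pass`/`$db_path` values being reset come from is outside the hunk, so the first branch presumably clears credentials parsed from the placeholder earlier in the function; worth confirming. install_change_settings continues beyond the hunk.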
......@@ -6,7 +6,7 @@
* Configuration system that lets administrators modify the workings of the site.
*/
define('VERSION', '6.0-dev');
define('VERSION', '6.0-beta2');
define('DRUPAL_CORE_COMPATIBILITY', '6.x');
define('DRUPAL_MINIMUM_PHP', '4.3.3');
......@@ -55,7 +55,7 @@ function upload_admin_settings_validate($form, &$form_state) {
* Menu callback for the upload settings form.
*/
function upload_admin_settings() {
$upload_extensions_default = variable_get('upload_extensions_default', 'jpg jpeg gif png txt html doc xls pdf ppt pps odt ods odp');
$upload_extensions_default = variable_get('upload_extensions_default', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp');
$upload_uploadsize_default = variable_get('upload_uploadsize_default', 1);
$upload_usersize_default = variable_get('upload_usersize_default', 1);
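Review bot: Dropping `html` from the literal default only changes what variable_get() falls back to; a site that has already saved `upload_extensions_default` or a per-role `upload_extensions_$rid` keeps permitting HTML uploads unless those stored values are rewritten, and no update hook is visible in this commit. The same default string is also duplicated three times across this hunk and the `_upload_file_limits` hunk below, so all copies must be edited in lockstep; hoisting it into one helper such as `function _upload_default_extensions() { return variable_get('upload_extensions_default', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp'); }` would remove that drift risk. upload_admin_settings continues outside the hunk.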
......@@ -120,9 +120,9 @@ function upload_menu_alter(&$items) {
function _upload_file_limits($user) {
$file_limit = variable_get('upload_uploadsize_default', 1);
$user_limit = variable_get('upload_usersize_default', 1);
$all_extensions = explode(' ', variable_get('upload_extensions_default', 'jpg jpeg gif png txt html doc xls pdf ppt pps odt ods odp'));
$all_extensions = explode(' ', variable_get('upload_extensions_default', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp'));
foreach ($user->roles as $rid => $name) {
$extensions = variable_get("upload_extensions_$rid", variable_get('upload_extensions_default', 'jpg jpeg gif png txt html doc xls pdf ppt pps odt ods odp'));
$extensions = variable_get("upload_extensions_$rid", variable_get('upload_extensions_default', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp'));
$all_extensions = array_merge($all_extensions, explode(' ', $extensions));
// A zero value indicates no limit, take the least restrictive limit.