Commit b62ba500 authored by Gábor Hojtsy

Drupal 6.14

parent beba5dd8
// $Id$
Drupal 6.14-dev, xxxx-xx-xx (development release)
Drupal 6.14, 2009-09-16
----------------------
- Fixed security issues (OpenID association cross site request forgeries,
OpenID impersonation and File upload), see SA-CORE-2009-008.
- Changed the system modules page to not run all cache rebuilds; use the
button on the performance settings page to achieve the same effect.
- Added support for PHP 5.3.0 out of the box.
- Fixed a variety of small bugs.
Drupal 6.13, 2009-07-01
----------------------
......@@ -195,6 +201,12 @@ Drupal 6.0, 2008-02-13
- Removed old system updates. Updates from Drupal versions prior to 5.x will
require upgrading to 5.x before upgrading to 6.x.
Drupal 5.20, 2009-09-16
-----------------------
- Avoid security problems resulting from writing Drupal 6-style menu declarations.
- Fixed security issues (session fixation), see SA-CORE-2009-008.
- Fixed a variety of small bugs.
Drupal 5.19, 2009-07-01
-----------------------
- Fixed security issues (Cross site scripting and Password leakage in URL), see SA-CORE-2009-007.
......
......@@ -617,7 +617,7 @@ function drupal_error_handler($errno, $message, $filename, $line, $context) {
return;
}
if ($errno & (E_ALL ^ E_DEPRECATED)) {
if ($errno & (E_ALL ^ E_NOTICE ^ E_DEPRECATED)) {
$types = array(1 => 'error', 2 => 'warning', 4 => 'parse error', 8 => 'notice', 16 => 'core error', 32 => 'core warning', 64 => 'compile error', 128 => 'compile warning', 256 => 'user error', 512 => 'user warning', 1024 => 'user notice', 2048 => 'strict warning', 4096 => 'recoverable fatal error');
// For database errors, we want the line number/file name of the place that
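Review bot: The `$types` map in drupal_error_handler() stops at 4096, but the condition as it appears to stand after this change (`$errno & (E_ALL ^ E_NOTICE ^ E_DEPRECATED)`) still lets E_USER_DEPRECATED (16384) through on PHP 5.3, where E_ALL includes it. If the rest of the function (outside this hunk) indexes `$types` by `$errno`, that lookup has no entry; adding `16384 => 'user deprecated'` to the array would cover it. E_DEPRECATED itself only exists from PHP 5.3 on, so it is worth confirming that a fallback definition is in place for older interpreters; none is visible here.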
......
......@@ -529,13 +529,6 @@ function file_save_upload($source, $validators = array(), $dest = FALSE, $replac
$file->filepath = $_FILES['files']['tmp_name'][$source];
$file->filemime = file_get_mimetype($file->filename);
// Rename potentially executable files, to help prevent exploits.
if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
$file->filemime = 'text/plain';
$file->filepath .= '.txt';
$file->filename .= '.txt';
}
// If the destination is not provided, or is not writable, then use the
// temporary directory.
if (empty($dest) || file_check_path($dest) === FALSE) {
......@@ -555,6 +548,18 @@ function file_save_upload($source, $validators = array(), $dest = FALSE, $replac
$errors = array_merge($errors, call_user_func_array($function, $args));
}
// Rename potentially executable files, to help prevent exploits.
if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
$file->filemime = 'text/plain';
$file->filepath .= '.txt';
$file->filename .= '.txt';
// As the file may be named example.php.txt, we need to munge again to
// convert to example.php_.txt, then create the correct destination.
$file->filename = file_munge_filename($file->filename, $extensions);
$file->destination = file_destination(file_create_path($dest .'/'. $file->filename), $replace);
}
// Check for validation errors.
if (!empty($errors)) {
$message = t('The selected file %name could not be uploaded.', array('%name' => $file->filename));
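Review bot: The rename guard that now sits after the validator loop still relies on a six-entry deny-list matched against the final extension only (`/\.(php|pl|py|cgi|asp|js)$/i`), so a file with any other extension the web server is configured to execute keeps its original name. The comment should state that limit, for example `// Defence in depth only: this deny-list is not exhaustive, so the files directory must also be served with script execution disabled.` `$extensions` and `$dest` are defined outside this hunk, so their values at this point (for example an empty whitelist passed to `file_munge_filename()`) cannot be checked from here. file_save_upload()'s body starts and ends outside the hunk.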
......
......@@ -192,8 +192,8 @@ function openid_begin($claimed_id, $return_to = '', $form_values = array()) {
}
if (isset($services[0]['types']) && is_array($services[0]['types']) && in_array(OPENID_NS_2_0 .'/server', $services[0]['types'])) {
$identity = 'http://specs.openid.net/auth/2.0/identifier_select';
}
$claimed_id = $identity = 'http://specs.openid.net/auth/2.0/identifier_select';
}
$authn_request = openid_authentication_request($claimed_id, $identity, $return_to, $assoc_handle, $services[0]['version']);
if ($services[0]['version'] == 2) {
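Review bot: The chained assignment `$claimed_id = $identity = 'http://specs.openid.net/auth/2.0/identifier_select';` (which appears to be the new line; the +/- markers are lost on this page) overwrites the `$claimed_id` parameter without a comment, so the identifier the user entered is no longer available further down in openid_begin(), whose body continues outside the hunk. A short comment would make the intent clear: `// OP Identifier (directed identity): send identifier_select for both fields; the real claimed_id arrives in the assertion and must be verified there.` Whether the return handler re-runs discovery on the asserted claimed_id is not visible here and is worth confirming, since this request format depends on it.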
......
......@@ -73,12 +73,14 @@ function openid_user_add_validate($form, &$form_state) {
if (db_result(db_query("SELECT authname FROM {authmap} WHERE authname='%s'", $claimed_id))) {
form_set_error('openid_identifier', t('That OpenID is already in use on this site.'));
}
else {
$return_to = url('user/'. arg(1) .'/openid', array('absolute' => TRUE));
openid_begin($form_state['values']['openid_identifier'], $return_to);
}
}
function openid_user_add_submit($form, &$form_state) {
$return_to = url('user/'. arg(1) .'/openid', array('absolute' => TRUE));
openid_begin($form_state['values']['openid_identifier'], $return_to);
}
/**
* Present a confirmation form to delete the specified OpenID identity from the system.
*
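Review bot: openid_user_add_submit() is added without a docblock, although the function that follows it has one, and it builds `$return_to` from `arg(1)`, that is, from the request path rather than from an account object. I would add `/** Submit handler: begins OpenID authentication for the identifier entered on the add-identity form. */` and note in it that the path argument is trusted only because of the page's access check, which is outside this hunk. It is also worth confirming that the code handling the return leg binds the new association to the session that started it; that code is not visible here.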
......
......@@ -9,7 +9,7 @@
/**
* The current system version.
*/
define('VERSION', '6.14-dev');
define('VERSION', '6.14');
/**
* Core API compatibility.
......