Commit da8023a9 authored by Gábor Hojtsy's avatar Gábor Hojtsy

Drupal 6.27

parent 8d33b062
Drupal 6.27-dev, xxxx-xx-xx (development release)
Drupal 6.27, 2012-12-19
----------------------
- Fixed security issues (multiple vulnerabilities), see SA-CORE-2012-004.
Drupal 6.26, 2012-05-02
----------------------
......
......@@ -663,7 +663,7 @@ function drupal_error_handler($errno, $message, $filename, $line, $context) {
return;
}
if ($errno & (E_ALL ^ E_DEPRECATED)) {
if ($errno & (E_ALL ^ E_DEPRECATED ^ E_NOTICE)) {
$types = array(1 => 'error', 2 => 'warning', 4 => 'parse error', 8 => 'notice', 16 => 'core error', 32 => 'core warning', 64 => 'compile error', 128 => 'compile warning', 256 => 'user error', 512 => 'user warning', 1024 => 'user notice', 2048 => 'strict warning', 4096 => 'recoverable fatal error');
// For database errors, we want the line number/file name of the place that
......
......@@ -403,6 +403,9 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
// Allow potentially insecure uploads for very savvy users and admin
if (!variable_get('allow_insecure_uploads', 0)) {
// Remove any null bytes. See http://php.net/manual/en/security.filesystem.nullbytes.php
$filename = str_replace(chr(0), '', $filename);
$whitelist = array_unique(explode(' ', trim($extensions)));
// Split the filename up by periods. The first part becomes the basename
......
......@@ -8,7 +8,7 @@
/**
* The current system version.
*/
define('VERSION', '6.27-dev');
define('VERSION', '6.27');
/**
* Core API compatibility.
......
......@@ -314,10 +314,10 @@ function upload_nodeapi(&$node, $op, $teaser = NULL) {
break;
case 'search result':
return isset($node->files) && is_array($node->files) ? format_plural(count($node->files), '1 attachment', '@count attachments') : NULL;
return isset($node->files) && is_array($node->files) && user_access('view uploaded files') ? format_plural(count($node->files), '1 attachment', '@count attachments') : NULL;
case 'rss item':
if (is_array($node->files)) {
if (is_array($node->files) && user_access('view uploaded files')) {
$files = array();
foreach ($node->files as $file) {
if ($file->list) {
......
......@@ -599,14 +599,17 @@ function user_search($op = 'search', $keys = NULL, $skip_access_check = FALSE) {
// Replace wildcards with MySQL/PostgreSQL wildcards.
$keys = preg_replace('!\*+!', '%', $keys);
if (user_access('administer users')) {
// Administrators can also search in the otherwise private email field.
// Administrators can also search in the otherwise private email
// field, and they don't need to be restricted to only active users.
$result = pager_query("SELECT name, uid, mail FROM {users} WHERE LOWER(name) LIKE LOWER('%%%s%%') OR LOWER(mail) LIKE LOWER('%%%s%%')", 15, 0, NULL, $keys, $keys);
while ($account = db_fetch_object($result)) {
$find[] = array('title' => $account->name .' ('. $account->mail .')', 'link' => url('user/'. $account->uid, array('absolute' => TRUE)));
}
}
else {
$result = pager_query("SELECT name, uid FROM {users} WHERE LOWER(name) LIKE LOWER('%%%s%%')", 15, 0, NULL, $keys);
// Regular users can only search via user names, and we do not show
// them blocked accounts.
$result = pager_query("SELECT name, uid FROM {users} WHERE status = 1 AND LOWER(name) LIKE LOWER('%%%s%%')", 15, 0, NULL, $keys);
while ($account = db_fetch_object($result)) {
$find[] = array('title' => $account->name, 'link' => url('user/'. $account->uid, array('absolute' => TRUE)));
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment