diff -Nru drupal6-6.16/.bzr/branch/branch.conf drupal6-6.19/.bzr/branch/branch.conf
--- drupal6-6.16/.bzr/branch/branch.conf 1970-01-01 01:00:00.000000000 +0100
+++ drupal6-6.19/.bzr/branch/branch.conf 2010-08-18 09:52:57.000000000 +0100
@@ -0,0 +1 @@
+parent_location = bzr+ssh://bazaar.launchpad.net/~ubuntu-small-business-server/%2Bjunk/drupal6-core/
diff -Nru drupal6-6.16/.bzr/branch/format drupal6-6.19/.bzr/branch/format
--- drupal6-6.16/.bzr/branch/format 1970-01-01 01:00:00.000000000 +0100
+++ drupal6-6.19/.bzr/branch/format 2010-08-18 09:52:57.000000000 +0100
@@ -0,0 +1 @@
+Bazaar Branch Format 7 (needs bzr 1.6)
diff -Nru drupal6-6.16/.bzr/branch/last-revision drupal6-6.19/.bzr/branch/last-revision
--- drupal6-6.16/.bzr/branch/last-revision 1970-01-01 01:00:00.000000000 +0100
+++ drupal6-6.19/.bzr/branch/last-revision 2010-08-18 09:52:57.000000000 +0100
@@ -0,0 +1 @@
+14 david@fourkitchens.com-20100811205417-lnphb75h8gqkrwsm
diff -Nru drupal6-6.16/.bzr/branch/tags drupal6-6.19/.bzr/branch/tags
--- drupal6-6.16/.bzr/branch/tags 1970-01-01 01:00:00.000000000 +0100
+++ drupal6-6.19/.bzr/branch/tags 2010-08-18 09:52:57.000000000 +0100
@@ -0,0 +1 @@
+d3:6.657:bzr@web3.fourkitchens.com-20081206090233-iiw30tyxi6lq1rcf3:6.757:bzr@web3.fourkitchens.com-20081211045637-mvfr7y7hzjjcxpk411:DRUPAL-6-1057:bzr@web3.fourkitchens.com-20090225223309-ya4v006gu9q2rusr11:DRUPAL-6-1157:bzr@web3.fourkitchens.com-20090430003653-gwp19yqbdzggw0rs11:DRUPAL-6-1257:bzr@web3.fourkitchens.com-20090513204741-i1qqucbz7nxj8rn611:DRUPAL-6-1357:bzr@web3.fourkitchens.com-20090701223352-332v8xxs6b2mv5td11:DRUPAL-6-1454:david@fourkitchens.com-20090916195716-bi9stbs141s8jwy411:DRUPAL-6-1554:david@fourkitchens.com-20091216214650-430zd7jrkbdus1w911:DRUPAL-6-1654:david@fourkitchens.com-20100304013205-rzm7nzx405tybf1o11:DRUPAL-6-1754:david@fourkitchens.com-20100602203018-a7xev8yhbrlx2lcx11:DRUPAL-6-1854:david@fourkitchens.com-20100811205244-1ktjme1c89eay97i11:DRUPAL-6-1954:david@fourkitchens.com-20100811205417-lnphb75h8gqkrwsm10:DRUPAL-6-657:bzr@web3.fourkitchens.com-20081206090233-iiw30tyxi6lq1rcf10:DRUPAL-6-757:bzr@web3.fourkitchens.com-20081211045637-mvfr7y7hzjjcxpk410:DRUPAL-6-857:bzr@web3.fourkitchens.com-20081211184810-doysuz3j49jln3be10:DRUPAL-6-957:bzr@web3.fourkitchens.com-20090115003006-09rbv04r2gw9bnkde
\ No newline at end of file
diff -Nru drupal6-6.16/.bzr/branch-format drupal6-6.19/.bzr/branch-format
--- drupal6-6.16/.bzr/branch-format 1970-01-01 01:00:00.000000000 +0100
+++ drupal6-6.19/.bzr/branch-format 2010-08-18 09:52:53.000000000 +0100
@@ -0,0 +1 @@
+Bazaar-NG meta directory, format 1
diff -Nru drupal6-6.16/.bzr/checkout/conflicts drupal6-6.19/.bzr/checkout/conflicts
--- drupal6-6.16/.bzr/checkout/conflicts 1970-01-01 01:00:00.000000000 +0100
+++ drupal6-6.19/.bzr/checkout/conflicts 2010-08-18 09:52:58.000000000 +0100
@@ -0,0 +1 @@
+BZR conflict list format 1
Binary files /tmp/qMsWXH8ddj/drupal6-6.16/.bzr/checkout/dirstate and /tmp/q7FbXOgh65/drupal6-6.19/.bzr/checkout/dirstate differ
diff -Nru drupal6-6.16/.bzr/checkout/format drupal6-6.19/.bzr/checkout/format
--- drupal6-6.16/.bzr/checkout/format 1970-01-01 01:00:00.000000000 +0100
+++ drupal6-6.19/.bzr/checkout/format 2010-08-18 09:52:57.000000000 +0100
@@ -0,0 +1 @@
+Bazaar Working Tree Format 6 (bzr 1.14)
diff -Nru drupal6-6.16/.bzr/README drupal6-6.19/.bzr/README
--- drupal6-6.16/.bzr/README 1970-01-01 01:00:00.000000000 +0100
+++ drupal6-6.19/.bzr/README 2010-08-18 09:52:53.000000000 +0100
@@ -0,0 +1,3 @@
+This is a Bazaar control directory.
+Do not change any files in this directory.
+See http://bazaar-vcs.org/ for more information about Bazaar.
diff -Nru drupal6-6.16/.bzr/repository/format drupal6-6.19/.bzr/repository/format
--- drupal6-6.16/.bzr/repository/format 1970-01-01 01:00:00.000000000 +0100
+++ drupal6-6.19/.bzr/repository/format 2010-08-18 09:52:53.000000000 +0100
@@ -0,0 +1 @@
+Bazaar RepositoryFormatKnitPack6RichRoot (bzr 1.9)
Binary files /tmp/qMsWXH8ddj/drupal6-6.16/.bzr/repository/indices/8f76abb147d93b780476fccf2d0339bc.iix and /tmp/q7FbXOgh65/drupal6-6.19/.bzr/repository/indices/8f76abb147d93b780476fccf2d0339bc.iix differ
Binary files /tmp/qMsWXH8ddj/drupal6-6.16/.bzr/repository/indices/8f76abb147d93b780476fccf2d0339bc.rix and /tmp/q7FbXOgh65/drupal6-6.19/.bzr/repository/indices/8f76abb147d93b780476fccf2d0339bc.rix differ
diff -Nru drupal6-6.16/.bzr/repository/indices/8f76abb147d93b780476fccf2d0339bc.six drupal6-6.19/.bzr/repository/indices/8f76abb147d93b780476fccf2d0339bc.six
--- drupal6-6.16/.bzr/repository/indices/8f76abb147d93b780476fccf2d0339bc.six 1970-01-01 01:00:00.000000000 +0100
+++ drupal6-6.19/.bzr/repository/indices/8f76abb147d93b780476fccf2d0339bc.six 2010-08-18 09:52:57.000000000 +0100
@@ -0,0 +1,5 @@
+B+Tree Graph Index 2
+node_ref_lists=0
+key_elements=1
+len=0
+row_lengths=
Binary files /tmp/qMsWXH8ddj/drupal6-6.16/.bzr/repository/indices/8f76abb147d93b780476fccf2d0339bc.tix and /tmp/q7FbXOgh65/drupal6-6.19/.bzr/repository/indices/8f76abb147d93b780476fccf2d0339bc.tix differ
diff -Nru drupal6-6.16/.bzr/repository/pack-names drupal6-6.19/.bzr/repository/pack-names
--- drupal6-6.16/.bzr/repository/pack-names 1970-01-01 01:00:00.000000000 +0100
+++ drupal6-6.19/.bzr/repository/pack-names 2010-08-18 09:52:57.000000000 +0100
@@ -0,0 +1,6 @@
+B+Tree Graph Index 2
+node_ref_lists=0
+key_elements=1
+len=1
+row_lengths=1
+xœÁ±À @k§päµÈ0‚R¥H‘&ÛçîýžsÝgE]fM°'Fh¸íÊ<ÍSê,EJÐ( ü)õ³
\ No newline at end of file
Binary files /tmp/qMsWXH8ddj/drupal6-6.16/.bzr/repository/packs/8f76abb147d93b780476fccf2d0339bc.pack and /tmp/q7FbXOgh65/drupal6-6.19/.bzr/repository/packs/8f76abb147d93b780476fccf2d0339bc.pack differ
diff -Nru drupal6-6.16/CHANGELOG.txt drupal6-6.19/CHANGELOG.txt
--- drupal6-6.16/CHANGELOG.txt 2010-03-04 00:15:28.000000000 +0000
+++ drupal6-6.19/CHANGELOG.txt 2010-08-18 09:52:58.000000000 +0100
@@ -1,4 +1,23 @@
-// $Id: CHANGELOG.txt,v 1.253.2.37 2010/03/04 00:15:28 goba Exp $
+// $Id: CHANGELOG.txt,v 1.253.2.41 2010/08/11 20:35:47 goba Exp $
+
+Drupal 6.19, 2010-08-11
+----------------------
+- Fixed a variety of small bugs, improved code documentation.
+
+Drupal 6.18, 2010-08-11
+----------------------
+- Fixed security issues (OpenID authentication bypass, File download access
+ bypass, Comment unpublishing bypass, Actions cross site scripting),
+ see SA-CORE-2010-002.
+
+Drupal 6.17, 2010-06-02
+----------------------
+- Improved PostgreSQL compatibility
+- Better PHP 5.3 and PHP 4 compatibility
+- Better browser compatibility of CSS and JS aggregation
+- Improved logging for login failures
+- Fixed an incompatibility with some contributed modules and the locking system
+- Fixed a variety of other bugs.
Drupal 6.16, 2010-03-03
----------------------
@@ -218,6 +237,11 @@
- Removed old system updates. Updates from Drupal versions prior to 5.x will
require upgrading to 5.x before upgrading to 6.x.
+Drupal 5.23, 2010-08-11
+-----------------------
+- Fixed security issues (File download access bypass, Comment unpublishing
+ bypass), see SA-CORE-2010-002.
+
Drupal 5.22, 2010-03-03
-----------------------
- Fixed security issues (Open redirection, Locale module cross site scripting,
diff -Nru drupal6-6.16/COPYRIGHT.txt drupal6-6.19/COPYRIGHT.txt
--- drupal6-6.16/COPYRIGHT.txt 2009-09-14 13:50:38.000000000 +0100
+++ drupal6-6.19/COPYRIGHT.txt 2010-08-18 09:52:58.000000000 +0100
@@ -1,6 +1,6 @@
-// $Id: COPYRIGHT.txt,v 1.2.2.2 2009/09/14 12:50:38 goba Exp $
+// $Id: COPYRIGHT.txt,v 1.2.2.3 2010/08/06 10:58:29 goba Exp $
-All Drupal code is Copyright 2001 - 2009 by the original authors.
+All Drupal code is Copyright 2001 - 2010 by the original authors.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
diff -Nru drupal6-6.16/debian/changelog drupal6-6.19/debian/changelog
--- drupal6-6.16/debian/changelog 2010-08-18 10:12:48.000000000 +0100
+++ drupal6-6.19/debian/changelog 2010-08-18 09:55:57.000000000 +0100
@@ -1,3 +1,9 @@
+drupal6 (6.19-1usbs1) lucid; urgency=high
+
+ * Rebuild for 6.19
+
+ -- Anders Wallenquist Wed, 18 Aug 2010 10:54:59 +0200
+
drupal6 (6.16-1) unstable; urgency=high
[ Luigi Gangitano ]
diff -Nru drupal6-6.16/includes/actions.inc drupal6-6.19/includes/actions.inc
--- drupal6-6.16/includes/actions.inc 2009-11-06 08:14:05.000000000 +0000
+++ drupal6-6.19/includes/actions.inc 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
$params) {
if (is_numeric($action_id)) { // Configurable actions need parameters.
$function = $params['callback'];
- $context = array_merge($context, $params);
- $result[$action_id] = $function($object, $context, $a1, $a2);
+ if (function_exists($function)) {
+ $context = array_merge($context, $params);
+ $actions_result[$action_id] = $function($object, $context, $a1, $a2);
+ }
+ else {
+ $actions_result[$action_id] = FALSE;
+ }
}
// Singleton action; $action_id is the function name.
else {
@@ -96,8 +139,13 @@
if (is_numeric($action_ids)) {
$action = db_fetch_object(db_query("SELECT * FROM {actions} WHERE aid = '%s'", $action_ids));
$function = $action->callback;
- $context = array_merge($context, unserialize($action->parameters));
- $result[$action_ids] = $function($object, $context, $a1, $a2);
+ if (function_exists($function)) {
+ $context = array_merge($context, unserialize($action->parameters));
+ $actions_result[$action_ids] = $function($object, $context, $a1, $a2);
+ }
+ else {
+ $actions_result[$action_ids] = FALSE;
+ }
}
// Singleton action; $action_ids is the function name.
else {
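Review bot: `array_merge($context, unserialize($action->parameters))` still trusts that the stored parameters unserialize to an array; a corrupted or empty `parameters` column yields FALSE, and array_merge() with a non-array argument warns and returns NULL, so the callback would then run with a NULL `$context`, which the new function_exists() guard does nothing to prevent. Consider `$parameters = unserialize($action->parameters); $context = array_merge($context, is_array($parameters) ? $parameters : array());`. Likewise db_fetch_object() returns FALSE for an unknown aid, so `$action->callback` raises a notice before the NULL callback is rejected; an `if ($action && function_exists($function))` test avoids that. The enclosing actions_do() function starts and ends outside this hunk.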
@@ -280,7 +328,7 @@
else {
// This is a new singleton that we don't have an aid for; assign one.
db_query("INSERT INTO {actions} (aid, type, callback, parameters, description) VALUES ('%s', '%s', '%s', '%s', '%s')", $callback, $array['type'], $callback, '', $array['description']);
- watchdog('actions', "Action '%action' added.", array('%action' => filter_xss_admin($array['description'])));
+ watchdog('actions', "Action '%action' added.", array('%action' => $array['description']));
}
}
}
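Review bot: Dropping filter_xss_admin() from the `%action` argument is presumably safe only because the `%` placeholder is escaped by the placeholder handling in watchdog()/t() before display (not visible here); the description is admin-entered text, so a later switch to a `!action` placeholder would log and display it unescaped. A one-line comment on the new watchdog() call would make that dependency explicit: `// The '%action' placeholder is escaped on output; do not change it to '!action'.`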
@@ -302,7 +350,7 @@
$results = db_query("SELECT a.aid, a.description FROM {actions} a WHERE callback IN ($placeholders)", $orphaned);
while ($action = db_fetch_object($results)) {
actions_delete($action->aid);
- watchdog('actions', "Removed orphaned action '%action' from database.", array('%action' => filter_xss_admin($action->description)));
+ watchdog('actions', "Removed orphaned action '%action' from database.", array('%action' => $action->description));
}
}
else {
diff -Nru drupal6-6.16/includes/batch.inc drupal6-6.19/includes/batch.inc
--- drupal6-6.16/includes/batch.inc 2007-12-20 11:57:20.000000000 +0000
+++ drupal6-6.19/includes/batch.inc 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
'. $batch['error_message'];
+ drupal_maintenance_theme();
$fallback = theme('maintenance_page', $fallback, FALSE, FALSE);
// We strip the end of the page using a marker in the template, so any
diff -Nru drupal6-6.16/includes/bootstrap.inc drupal6-6.19/includes/bootstrap.inc
--- drupal6-6.16/includes/bootstrap.inc 2010-02-01 16:49:14.000000000 +0000
+++ drupal6-6.19/includes/bootstrap.inc 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
2 && !is_numeric(str_replace('.', '', $cookie_domain))) {
@@ -488,7 +566,11 @@
}
/**
- * Return a persistent variable.
+ * Returns a persistent variable.
+ *
+ * Case-sensitivity of the variable_* functions depends on the database
+ * collation used. To avoid problems, always use lower case for persistent
+ * variable names.
*
* @param $name
* The name of the variable to return.
@@ -506,7 +588,11 @@
}
/**
- * Set a persistent variable.
+ * Sets a persistent variable.
+ *
+ * Case-sensitivity of the variable_* functions depends on the database
+ * collation used. To avoid problems, always use lower case for persistent
+ * variable names.
*
* @param $name
* The name of the variable to set.
@@ -531,7 +617,11 @@
}
/**
- * Unset a persistent variable.
+ * Unsets a persistent variable.
+ *
+ * Case-sensitivity of the variable_* functions depends on the database
+ * collation used. To avoid problems, always use lower case for persistent
+ * variable names.
*
* @param $name
* The name of the variable to undefine.
@@ -674,15 +764,19 @@
header("Expires: Sun, 19 Nov 1978 05:00:00 GMT");
header("Cache-Control: must-revalidate");
- if (variable_get('page_compression', TRUE)) {
+ if (variable_get('page_compression', TRUE) && extension_loaded('zlib')) {
// Determine if the browser accepts gzipped data.
- if (@strpos($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip') === FALSE && function_exists('gzencode')) {
- // Strip the gzip header and run uncompress.
- $cache->data = gzinflate(substr(substr($cache->data, 10), 0, -8));
- }
- elseif (function_exists('gzencode')) {
+ if (isset($_SERVER['HTTP_ACCEPT_ENCODING']) && strpos($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip') !== FALSE) {
+ // $cache->data is already gzip'ed, so make sure zlib.output_compression
+ // does not compress it once more.
+ ini_set('zlib.output_compression', '0');
header('Content-Encoding: gzip');
}
+ else {
+ // The client does not support compression, so unzip the data in the
+ // cache. Strip the gzip header and run uncompress.
+ $cache->data = gzinflate(substr(substr($cache->data, 10), 0, -8));
+ }
}
// Send the original request's headers. We send them one after
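Review bot: The `strpos($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip') !== FALSE` test treats `Accept-Encoding: gzip;q=0` (an explicit refusal) as acceptance, so such a client is sent gzip-encoded bytes it declared it cannot decode; the old code had the same weakness, but since the branch is rewritten here it is worth tokenizing the header value and rejecting a `gzip` token carrying `q=0` instead of substring-matching. Because the same URL is now served from the page cache in two encodings, a `Vary: Accept-Encoding` header should accompany these responses (none is visible in this hunk); without it an intermediate cache may hand the compressed variant to a client that did not ask for it. The enclosing function starts and ends outside this hunk.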
@@ -714,7 +808,7 @@
function drupal_unpack($obj, $field = 'data') {
if ($obj->$field && $data = unserialize($obj->$field)) {
foreach ($data as $key => $value) {
- if (!isset($obj->$key)) {
+ if (!empty($key) && !isset($obj->$key)) {
$obj->$key = $value;
}
}
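Review bot: `!empty($key)` skips more than the empty-string property name it is meant to reject: PHP's empty() is also true for the keys `0` and `"0"`, so a serialized array element stored under that key is now silently dropped instead of being unpacked onto `$obj`. If the intent is only to avoid the fatal "Cannot access empty property" error, the precise test is `if ($key !== '' && !isset($obj->$key)) {`. drupal_unpack() ends outside this hunk.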
@@ -734,11 +828,35 @@
/**
* Encode special characters in a plain-text string for display as HTML.
*
- * Uses drupal_validate_utf8 to prevent cross site scripting attacks on
+ * Also validates strings as UTF-8 to prevent cross site scripting attacks on
* Internet Explorer 6.
+ *
+ * @param $text
+ * The text to be checked or processed.
+ * @return
+ * An HTML safe version of $text, or an empty string if $text is not
+ * valid UTF-8.
+ *
+ * @see drupal_validate_utf8().
*/
function check_plain($text) {
- return drupal_validate_utf8($text) ? htmlspecialchars($text, ENT_QUOTES) : '';
+ static $php525;
+
+ if (!isset($php525)) {
+ $php525 = version_compare(PHP_VERSION, '5.2.5', '>=');
+ }
+ // We duplicate the preg_match() to validate strings as UTF-8 from
+ // drupal_validate_utf8() here. This avoids the overhead of an additional
+ // function call, since check_plain() may be called hundreds of times during
+ // a request. For PHP 5.2.5+, this check for valid UTF-8 should be handled
+ // internally by PHP in htmlspecialchars().
+ // @see http://www.php.net/releases/5_2_5.php
+ // @todo remove this when support for either IE6 or PHP < 5.2.5 is dropped.
+
+ if ($php525) {
+ return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
+ }
+ return (preg_match('/^./us', $text) == 1) ? htmlspecialchars($text, ENT_QUOTES, 'UTF-8') : '';
}
/**
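Review bot: check_plain() now has two escaping paths that must agree on malformed input: on PHP >= 5.2.5 the comment relies on htmlspecialchars() returning an empty string for invalid UTF-8, while older PHP relies on the `preg_match('/^./us', ...)` guard, and neither path is covered by a test visible here. Since the docblock names this function as the XSS defence for IE6, add a test asserting `check_plain("\xC0\xAF<script>") === ''` and run it on both sides of the version switch. Note also that on a PCRE built without UTF-8 support the `u` modifier makes preg_match() return FALSE, so on the legacy path every string would be reduced to `''`; that is pre-existing, but worth a sentence in the comment block above the version check.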
@@ -774,6 +892,7 @@
if (strlen($text) == 0) {
return TRUE;
}
+ // For performance reasons this logic is duplicated in check_plain().
return (preg_match('/^./us', $text) == 1);
}
@@ -807,7 +926,8 @@
* Log a system message.
*
* @param $type
- * The category to which this message belongs.
+ * The category to which this message belongs. Can be any string, but the
+ * general practice is to use the name of the module calling watchdog().
* @param $message
* The message to store in the log. See t() for documentation
* on how $message and $variables interact. Keep $message
@@ -817,7 +937,8 @@
* NULL if message is already translated or not possible to
* translate.
* @param $severity
- * The severity of the message, as per RFC 3164
+ * The severity of the message, as per RFC 3164. Possible values are
+ * WATCHDOG_ERROR, WATCHDOG_WARNING, etc.
* @param $link
* A link to associate with the message.
*
@@ -841,7 +962,7 @@
);
// Call the logging hooks to log/process the message
- foreach (module_implements('watchdog', TRUE) as $module) {
+ foreach (module_implements('watchdog') as $module) {
module_invoke($module, 'watchdog', $log_message);
}
}
@@ -1020,6 +1141,10 @@
// Initialize the default database.
require_once './includes/database.inc';
db_set_active();
+ // Allow specifying alternate lock implementations in settings.php, like
+ // those using APC or memcached.
+ require_once variable_get('lock_inc', './includes/lock.inc');
+ lock_init();
break;
case DRUPAL_BOOTSTRAP_ACCESS:
@@ -1060,8 +1185,6 @@
exit;
}
// Prepare for non-cached page workflow.
- require_once variable_get('lock_inc', './includes/lock.inc');
- lock_init();
drupal_page_header();
break;
@@ -1200,7 +1323,8 @@
if (!empty($reverse_proxy_addresses) && in_array($ip_address, $reverse_proxy_addresses, TRUE)) {
// If there are several arguments, we need to check the most
// recently added one, i.e. the last one.
- $ip_address = array_pop(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
+ $ip_address_parts = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
+ $ip_address = array_pop($ip_address_parts);
}
}
}
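Review bot: The last `X-Forwarded-For` element is accepted verbatim: `explode(',', ...)` leaves the leading space of `"1.2.3.4, 5.6.7.8"` on the popped value, and nothing checks that it is an IP address at all, so a client behind the trusted proxy can still push arbitrary text into whatever consumes ip_address() (flood control, access rules, logs). Trim and validate before using it, e.g. `$candidate = trim(array_pop($ip_address_parts)); if (filter_var($candidate, FILTER_VALIDATE_IP)) { $ip_address = $candidate; }` (filter_var() needs PHP 5.2; on older PHP fall back to ip2long()/inet_pton()). Taking the last element is correct only when the trusted proxy appends the client address itself; with a chain of proxies the entry to trust is the one preceding the last trusted hop, which this loop does not model. ip_address() starts outside this hunk.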
diff -Nru drupal6-6.16/includes/common.inc drupal6-6.19/includes/common.inc
--- drupal6-6.16/includes/common.inc 2010-03-04 00:15:28.000000000 +0000
+++ drupal6-6.19/includes/common.inc 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
data) = explode("\r\n\r\n", $response, 2);
$split = preg_split("/\r\n|\n|\r/", $split);
- list($protocol, $code, $text) = explode(' ', trim(array_shift($split)), 3);
+ list($protocol, $code, $status_message) = explode(' ', trim(array_shift($split)), 3);
+ $result->protocol = $protocol;
+ $result->status_message = $status_message;
+
$result->headers = array();
// Parse headers.
@@ -603,7 +607,7 @@
break;
default:
- $result->error = $text;
+ $result->error = $status_message;
}
$result->code = $code;
@@ -985,7 +989,7 @@
if ($absolute) {
return (bool)preg_match("
/^ # Start at the beginning of the text
- (?:ftp|https?):\/\/ # Look for ftp, http, or https schemes
+ (?:ftp|https?|feed):\/\/ # Look for ftp, http, https or feed schemes
(?: # Userinfo (optional) which is typically
(?:(?:[\w\.\-\+!$&'\(\)*\+,;=]|%[0-9a-f]{2})+:)* # a username or a username and password
(?:[\w\.\-\+%!$&'\(\)*\+,;=]|%[0-9a-f]{2})+@ # combination
@@ -1378,42 +1382,48 @@
*/
/**
- * Generate a URL from a Drupal menu path. Will also pass-through existing URLs.
+ * Generates an internal or external URL.
+ *
+ * When creating links in modules, consider whether l() could be a better
+ * alternative than url().
*
* @param $path
- * The Drupal path being linked to, such as "admin/content/node", or an
- * existing URL like "http://drupal.org/". The special path
- * '' may also be given and will generate the site's base URL.
+ * The internal path or external URL being linked to, such as "node/34" or
+ * "http://example.com/foo". A few notes:
+ * - If you provide a full URL, it will be considered an external URL.
+ * - If you provide only the path (e.g. "node/34"), it will be
+ * considered an internal link. In this case, it should be a system URL,
+ * and it will be replaced with the alias, if one exists. Additional query
+ * arguments for internal paths must be supplied in $options['query'], not
+ * included in $path.
+ * - If you provide an internal path and $options['alias'] is set to TRUE, the
+ * path is assumed already to be the correct path alias, and the alias is
+ * not looked up.
+ * - The special string '' generates a link to the site's base URL.
+ * - If your external URL contains a query (e.g. http://example.com/foo?a=b),
+ * then you can either URL encode the query keys and values yourself and
+ * include them in $path, or use $options['query'] to let this function
+ * URL encode them.
* @param $options
- * An associative array of additional options, with the following keys:
- * - 'query'
- * A URL-encoded query string to append to the link, or an array of query
- * key/value-pairs without any URL-encoding.
- * - 'fragment'
- * A fragment identifier (or named anchor) to append to the link.
- * Do not include the '#' character.
- * - 'absolute' (default FALSE)
- * Whether to force the output to be an absolute link (beginning with
- * http:). Useful for links that will be displayed outside the site, such
- * as in an RSS feed.
- * - 'alias' (default FALSE)
- * Whether the given path is an alias already.
- * - 'external'
- * Whether the given path is an external URL.
- * - 'language'
- * An optional language object. Used to build the URL to link to and
- * look up the proper alias for the link.
- * - 'base_url'
- * Only used internally, to modify the base URL when a language dependent
- * URL requires so.
- * - 'prefix'
- * Only used internally, to modify the path when a language dependent URL
- * requires so.
+ * An associative array of additional options, with the following elements:
+ * - 'query': A URL-encoded query string to append to the link, or an array of
+ * query key/value-pairs without any URL-encoding.
+ * - 'fragment': A fragment identifier (named anchor) to append to the URL.
+ * Do not include the leading '#' character.
+ * - 'absolute' (default FALSE): Whether to force the output to be an absolute
+ * link (beginning with http:). Useful for links that will be displayed
+ * outside the site, such as in an RSS feed.
+ * - 'alias' (default FALSE): Whether the given path is a URL alias already.
+ * - 'external': Whether the given path is an external URL.
+ * - 'language': An optional language object. Used to build the URL to link
+ * to and look up the proper alias for the link.
+ * - 'base_url': Only used internally, to modify the base URL when a language
+ * dependent URL requires so.
+ * - 'prefix': Only used internally, to modify the path when a language
+ * dependent URL requires so.
+ *
* @return
* A string containing a URL to the given path.
- *
- * When creating links in modules, consider whether l() could be a better
- * alternative than url().
*/
function url($path = NULL, $options = array()) {
// Merge in defaults.
@@ -1540,47 +1550,37 @@
}
/**
- * Format an internal Drupal link.
+ * Formats an internal or external URL link as an HTML anchor tag.
*
- * This function correctly handles aliased paths, and allows themes to highlight
- * links to the current page correctly, so all internal links output by modules
- * should be generated by this function if possible.
+ * This function correctly handles aliased paths, and adds an 'active' class
+ * attribute to links that point to the current page (for theming), so all
+ * internal links output by modules should be generated by this function if
+ * possible.
*
* @param $text
- * The text to be enclosed with the anchor tag.
+ * The link text for the anchor tag.
* @param $path
- * The Drupal path being linked to, such as "admin/content/node". Can be an
- * external or internal URL.
- * - If you provide the full URL, it will be considered an external URL.
- * - If you provide only the path (e.g. "admin/content/node"), it is
- * considered an internal link. In this case, it must be a system URL
- * as the url() function will generate the alias.
- * - If you provide '', it generates a link to the site's
- * base URL (again via the url() function).
- * - If you provide a path, and 'alias' is set to TRUE (see below), it is
- * used as is.
+ * The internal path or external URL being linked to, such as "node/34" or
+ * "http://example.com/foo". After the url() function is called to construct
+ * the URL from $path and $options, the resulting URL is passed through
+ * check_url() before it is inserted into the HTML anchor tag, to ensure
+ * well-formed HTML. See url() for more information and notes.
* @param $options
- * An associative array of additional options, with the following keys:
- * - 'attributes'
- * An associative array of HTML attributes to apply to the anchor tag.
- * - 'query'
- * A query string to append to the link, or an array of query key/value
- * properties.
- * - 'fragment'
- * A fragment identifier (named anchor) to append to the link.
- * Do not include the '#' character.
- * - 'absolute' (default FALSE)
- * Whether to force the output to be an absolute link (beginning with
- * http:). Useful for links that will be displayed outside the site, such
- * as in an RSS feed.
- * - 'html' (default FALSE)
- * Whether the title is HTML, or just plain-text. For example for making
- * an image a link, this must be set to TRUE, or else you will see the
- * escaped HTML.
- * - 'alias' (default FALSE)
- * Whether the given path is an alias already.
+ * An associative array of additional options, with the following elements:
+ * - 'attributes': An associative array of HTML attributes to apply to the
+ * anchor tag.
+ * - 'html' (default FALSE): Whether $text is HTML or just plain-text. For
+ * example, to make an image tag into a link, this must be set to TRUE, or
+ * you will see the escaped HTML image tag.
+ * - 'language': An optional language object. If the path being linked to is
+ * internal to the site, $options['language'] is used to look up the alias
+ * for the URL, and to determine whether the link is "active", or pointing
+ * to the current page (the language as well as the path must match).This
+ * element is also used by url().
+ * - Additional $options elements used by the url() function.
+ *
* @return
- * an HTML string containing a link to the given path.
+ * An HTML string containing a link to the given path.
*/
function l($text, $path, $options = array()) {
global $language;
@@ -2017,10 +2017,21 @@
if ($_optimize) {
// Perform some safe CSS optimizations.
- $contents = preg_replace('<
- \s*([@{}:;,]|\)\s|\s\()\s* | # Remove whitespace around separators, but keep space around parentheses.
- /\*([^*\\\\]|\*(?!/))+\*/ # Remove comments that are not CSS hacks.
- >x', '\1', $contents);
+ // Regexp to match comment blocks.
+ $comment = '/\*[^*]*\*+(?:[^/*][^*]*\*+)*/';
+ // Regexp to match double quoted strings.
+ $double_quot = '"[^"\\\\]*(?:\\\\.[^"\\\\]*)*"';
+ // Regexp to match single quoted strings.
+ $single_quot = "'[^'\\\\]*(?:\\\\.[^'\\\\]*)*'";
+ $contents = preg_replace_callback(
+ "<$double_quot|$single_quot|$comment>Sus", // Match all comment blocks along
+ "_process_comment", // with double/single quoted strings
+ $contents); // and feed them to _process_comment().
+ $contents = preg_replace(
+ '<\s*([@{}:;,]|\)\s|\s\()\s*>S', // Remove whitespace around separators,
+ '\1', $contents); // but keep space around parentheses.
+ // End the file with a new line.
+ $contents .= "\n";
}
// Change back directory.
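Review bot: preg_replace_callback() with the `u` modifier returns NULL when the subject is not valid UTF-8 (and on a backtrack-limit error), so a single stylesheet containing a Latin-1 byte silently turns `$contents` into an empty aggregate for the whole site. Check the result before assigning it, e.g. `$processed = preg_replace_callback(...); if ($processed !== NULL) { $contents = $processed; }` and report the failure through watchdog() otherwise. The enclosing function starts outside this hunk.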
@@ -2031,6 +2042,41 @@
}
/**
+ * Process comment blocks.
+ *
+ * This is the callback function for the preg_replace_callback()
+ * used in drupal_load_stylesheet_content(). Support for comment
+ * hacks is implemented here.
+ */
+function _process_comment($matches) {
+ static $keep_nextone = FALSE;
+
+ // Quoted string, keep it.
+ if ($matches[0][0] == "'" || $matches[0][0] == '"') {
+ return $matches[0];
+ }
+ // End of IE-Mac hack, keep it.
+ if ($keep_nextone) {
+ $keep_nextone = FALSE;
+ return $matches[0];
+ }
+ switch (strrpos($matches[0], '\\')) {
+ case FALSE :
+ // No backslash, strip it.
+ return '';
+
+ case drupal_strlen($matches[0])-3 :
+ // Ends with \*/ so is a multi line IE-Mac hack, keep the next one also.
+ $keep_nextone = TRUE;
+ return '/*_\*/';
+
+ default :
+ // Single line IE-Mac hack.
+ return '/*\_*/';
+ }
+}
+
+/**
* Loads stylesheets recursively and returns contents with corrected paths.
*
* This function is used for recursive loading of stylesheets and
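Review bot: In _process_comment(), `strrpos()` returns a byte offset while drupal_strlen() counts UTF-8 characters, so the `case drupal_strlen($matches[0])-3` arm never matches a comment that contains a multibyte character before its closing `\*/`; that comment falls into the `default` branch, is emitted as a single-line hack, and the next comment is then stripped instead of kept. Both sides should be byte counts: `case strlen($matches[0]) - 3:`. Separately, `$keep_nextone` is a function-level static that survives across calls, so a stylesheet whose last comment ends in `\*/` leaks the flag into the first comment of the next file aggregated in the same request; reset it at the start of each file (or pass the state in from the caller) to avoid that.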
@@ -2040,8 +2086,16 @@
$filename = $matches[1];
// Load the imported stylesheet and replace @import commands in there as well.
$file = drupal_load_stylesheet($filename);
- // Alter all url() paths, but not external.
- return preg_replace('/url\(([\'"]?)(?![a-z]+:)([^\'")]+)[\'"]?\)?;/i', 'url(\1'. dirname($filename) .'/', $file);
+ // Determine the file's directory.
+ $directory = dirname($filename);
+ // If the file is in the current directory, make sure '.' doesn't appear in
+ // the url() path.
+ $directory = $directory == '.' ? '' : $directory .'/';
+
+ // Alter all internal url() paths. Leave external paths alone. We don't need
+ // to normalize absolute paths here (i.e. remove folder/... segments) because
+ // that will be done later.
+ return preg_replace('/url\s*\(([\'"]?)(?![a-z]+:|\/+)/i', 'url(\1'. $directory, $file);
}
/**
@@ -2408,8 +2462,8 @@
// Build aggregate JS file.
foreach ($files as $path => $info) {
if ($info['preprocess']) {
- // Append a ';' after each JS file to prevent them from running together.
- $contents .= file_get_contents($path) .';';
+ // Append a ';' and a newline after each JS file to prevent them from running together.
+ $contents .= file_get_contents($path) .";\n";
}
}
@@ -2626,13 +2680,13 @@
/**
* Store the current page in the cache.
*
- * We try to store a gzipped version of the cache. This requires the
- * PHP zlib extension (http://php.net/manual/en/ref.zlib.php).
- * Presence of the extension is checked by testing for the function
- * gzencode. There are two compression algorithms: gzip and deflate.
- * The majority of all modern browsers support gzip or both of them.
- * We thus only deal with the gzip variant and unzip the cache in case
- * the browser does not accept gzip encoding.
+ * If page_compression is enabled, a gzipped version of the page is stored in
+ * the cache to avoid compressing the output on each request. The cache entry
+ * is unzipped in the relatively rare event that the page is requested by a
+ * client without gzip support.
+ *
+ * Page compression requires the PHP zlib extension
+ * (http://php.net/manual/en/ref.zlib.php).
*
* @see drupal_page_header
*/
@@ -2642,23 +2696,11 @@
if (!$user->uid && $_SERVER['REQUEST_METHOD'] == 'GET' && page_get_cache(TRUE)) {
// This will fail in some cases, see page_get_cache() for the explanation.
if ($data = ob_get_contents()) {
- $cache = TRUE;
- if (variable_get('page_compression', TRUE) && function_exists('gzencode')) {
- // We do not store the data in case the zlib mode is deflate.
- // This should be rarely happening.
- if (zlib_get_coding_type() == 'deflate') {
- $cache = FALSE;
- }
- else if (zlib_get_coding_type() == FALSE) {
- $data = gzencode($data, 9, FORCE_GZIP);
- }
- // The remaining case is 'gzip' which means the data is
- // already compressed and nothing left to do but to store it.
+ if (variable_get('page_compression', TRUE) && extension_loaded('zlib')) {
+ $data = gzencode($data, 9, FORCE_GZIP);
}
ob_end_flush();
- if ($cache && $data) {
- cache_set($base_root . request_uri(), $data, 'cache_page', CACHE_TEMPORARY, drupal_get_headers());
- }
+ cache_set($base_root . request_uri(), $data, 'cache_page', CACHE_TEMPORARY, drupal_get_headers());
}
}
}
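Review bot: The removed `if ($cache && $data)` guard also protected against gzencode() failing: it returns FALSE on error, and the new code then passes FALSE to cache_set() as the page body, so later anonymous requests are served an empty page with a `Content-Encoding: gzip` header until the entry expires. Keep a check on the compressed result, e.g. `if ($data !== FALSE) { cache_set($base_root . request_uri(), $data, 'cache_page', CACHE_TEMPORARY, drupal_get_headers()); }`. The old zlib_get_coding_type() handling is gone, so this presumably assumes ob_get_contents() always yields uncompressed output even when `zlib.output_compression` is enabled; that holds only if the zlib handler sits outside Drupal's own output buffer, which is worth confirming. page_set_cache() starts outside this hunk.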
@@ -2793,9 +2835,11 @@
/**
- * This dispatch function hands off structured Drupal arrays to type-specific
- * *_alter implementations. It ensures a consistent interface for all altering
- * operations.
+ * Hands off alterable variables to type-specific *_alter implementations.
+ *
+ * This dispatch function hands off the passed in variables to type-specific
+ * hook_TYPE_alter() implementations in modules. It ensures a consistent
+ * interface for all altering operations.
*
* @param $type
* The data type of the structured array. 'form', 'links',
@@ -2845,9 +2889,16 @@
* Renders HTML given a structured array tree.
*
* Recursively iterates over each of the array elements, generating HTML code.
- * This function is usually called from within a another function, like
+ * This function is usually called from within another function, like
* drupal_get_form() or node_view().
*
+ * drupal_render() flags each element with a '#printed' status to indicate that
+ * the element has been rendered, which allows individual elements of a given
+ * array to be rendered independently. This prevents elements from being
+ * rendered more than once on subsequent calls to drupal_render() if, for example,
+ * they are part of a larger array. If the same array or array element is passed
+ * more than once to drupal_render(), it simply returns a NULL value.
+ *
* @param $elements
* The structured array describing the data to be rendered.
* @return
@@ -3313,7 +3364,7 @@
*/
function drupal_get_schema_unprocessed($module, $table = NULL) {
// Load the .install file to get hook_schema.
- module_load_include('install', $module);
+ module_load_install($module);
$schema = module_invoke($module, 'schema');
if (!is_null($table) && isset($schema[$table])) {
@@ -3641,6 +3692,8 @@
/**
* Explode a string of given tags into an array.
+ *
+ * @see drupal_implode_tags()
*/
function drupal_explode_tags($tags) {
// This regexp allows the following types of user input:
@@ -3665,6 +3718,8 @@
/**
* Implode an array of tags into a string.
+ *
+ * @see drupal_explode_tags()
*/
function drupal_implode_tags($tags) {
$encoded_tags = array();
diff -Nru drupal6-6.16/includes/database.inc drupal6-6.19/includes/database.inc
--- drupal6-6.16/includes/database.inc 2010-02-01 16:32:10.000000000 +0000
+++ drupal6-6.19/includes/database.inc 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
= 0)";
- }
- else {
- $sql .= '_unsigned';
- }
- }
if (in_array($spec['type'], array('varchar', 'char', 'text')) && isset($spec['length'])) {
$sql .= '('. $spec['length'] .')';
@@ -595,6 +587,10 @@
$sql .= '('. $spec['precision'] .', '. $spec['scale'] .')';
}
+ if (!empty($spec['unsigned'])) {
+ $sql .= " CHECK ($name >= 0)";
+ }
+
if (isset($spec['not null']) && $spec['not null']) {
$sql .= ' NOT NULL';
}
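Review bot: The new CHECK constraint interpolates `$name` straight into the DDL string with no quoting or validation, so it is only safe because the column name comes from a module's hook_schema() definition rather than from request data; a one-line comment saying so, e.g. `// $name is a schema-defined column name, never user input; it is not quoted here.`, would stop a later caller from reusing this path with an externally supplied name. The constraint is also left unnamed, which is fine for creation but worth a note since dropping or altering it later has to go through the database's auto-generated constraint name. The enclosing function starts before this hunk, so I cannot see whether `$name` is checked on entry.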
diff -Nru drupal6-6.16/includes/file.inc drupal6-6.19/includes/file.inc
--- drupal6-6.16/includes/file.inc 2010-03-01 09:51:16.000000000 +0000
+++ drupal6-6.19/includes/file.inc 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
filepath : $source;
@@ -344,11 +359,23 @@
/**
* Modify a filename as needed for security purposes.
*
- * Dangerous file names will be altered; for instance, the file name
- * "exploit.php.pps" will become "exploit.php_.pps". All extensions that are
+ * Munging a file name prevents unknown file extensions from masking exploit
+ * files. When web servers such as Apache decide how to process a URL request,
+ * they use the file extension. If the extension is not recognized, Apache
+ * skips that extension and uses the previous file extension. For example, if
+ * the file being requested is exploit.php.pps, and Apache does not recognize
+ * the '.pps' extension, it treats the file as PHP and executes it. To make
+ * this file name safe for Apache and prevent it from executing as PHP, the
+ * .php extension is "munged" into .php_, making the safe file name
+ * exploit.php_.pps.
+ *
+ * Specifically, this function adds an underscore to all extensions that are
* between 2 and 5 characters in length, internal to the file name, and not
- * included in $extensions will be altered by adding an underscore. If variable
- * 'allow_insecure_uploads' evaluates to TRUE, no alterations will be made.
+ * included in $extensions.
+ *
+ * Function behavior is also controlled by the Drupal variable
+ * 'allow_insecure_uploads'. If 'allow_insecure_uploads' evaluates to TRUE, no
+ * alterations will be made, if it evaluates to FALSE, the filename is 'munged'.
*
* @param $filename
* File name to modify.
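Review bot: The last sentence of the new paragraph is a comma splice and reads ambiguously: `no alterations will be made, if it evaluates to FALSE, the filename is 'munged'.`; split it into `...no alterations will be made. If it evaluates to FALSE, the file name is munged.` The Apache explanation describes mod_mime's multiple-extension handling, which is Apache-specific, so a sentence noting that the munging is a defence against that behaviour and that other web servers need their own configuration review would stop readers from treating the rename as a general guarantee. The function body begins after the end of this hunk.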
@@ -558,7 +585,7 @@
}
// Rename potentially executable files, to help prevent exploits.
- if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
+ if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
$file->filemime = 'text/plain';
$file->filepath .= '.txt';
$file->filename .= '.txt';
diff -Nru drupal6-6.16/includes/form.inc drupal6-6.19/includes/form.inc
--- drupal6-6.16/includes/form.inc 2010-03-01 09:24:22.000000000 +0000
+++ drupal6-6.19/includes/form.inc 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
filename)) {
- list($nplurals, $plural) = $p;
- db_query("UPDATE {languages} SET plurals = %d, formula = '%s' WHERE language = '%s'", $nplurals, $plural, $lang);
- }
- else {
- db_query("UPDATE {languages} SET plurals = %d, formula = '%s' WHERE language = '%s'", 0, '', $lang);
+ $languages = language_list();
+ if (($mode != LOCALE_IMPORT_KEEP) || empty($languages[$lang]->plurals)) {
+ // Since we only need to parse the header if we ought to update the
+ // plural formula, only run this if we don't need to keep existing
+ // data untouched or if we don't have an existing plural formula.
+ $header = _locale_import_parse_header($value['msgstr']);
+
+ // Get the plural formula and update in database.
+ if (isset($header["Plural-Forms"]) && $p = _locale_import_parse_plural_forms($header["Plural-Forms"], $file->filename)) {
+ list($nplurals, $plural) = $p;
+ db_query("UPDATE {languages} SET plurals = %d, formula = '%s' WHERE language = '%s'", $nplurals, $plural, $lang);
+ }
+ else {
+ db_query("UPDATE {languages} SET plurals = %d, formula = '%s' WHERE language = '%s'", 0, '', $lang);
+ }
}
$headerdone = TRUE;
}
diff -Nru drupal6-6.16/includes/lock.inc drupal6-6.19/includes/lock.inc
--- drupal6-6.16/includes/lock.inc 2010-02-01 16:49:14.000000000 +0000
+++ drupal6-6.19/includes/lock.inc 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
).
*
* @param $text
* The text to decode entities in.
* @param $exclude
* An array of characters which should not be decoded. For example,
* array('<', '&', '"'). This affects both named and numerical entities.
+ *
+ * @return
+ * The input $text, with all HTML entities decoded once.
*/
function decode_entities($text, $exclude = array()) {
static $table;
diff -Nru drupal6-6.16/includes/xmlrpc.inc drupal6-6.19/includes/xmlrpc.inc
--- drupal6-6.16/includes/xmlrpc.inc 2009-01-14 21:36:16.000000000 +0000
+++ drupal6-6.19/includes/xmlrpc.inc 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
message = preg_replace('/<\?xml(.*)?\?'.'>/', '', $xmlrpc_message->message);
- if (trim($xmlrpc_message->message) == '') {
- return FALSE;
- }
$xmlrpc_message->_parser = xml_parser_create();
// Set XML parser to take the case of tags into account.
xml_parser_set_option($xmlrpc_message->_parser, XML_OPTION_CASE_FOLDING, FALSE);
@@ -175,7 +170,10 @@
xml_parser_free($xmlrpc_message->_parser);
// Grab the error messages, if any
$xmlrpc_message = xmlrpc_message_get();
- if ($xmlrpc_message->messagetype == 'fault') {
+ if (!isset($xmlrpc_message->messagetype)) {
+ return FALSE;
+ }
+ elseif ($xmlrpc_message->messagetype == 'fault') {
$xmlrpc_message->fault_code = $xmlrpc_message->params[0]['faultCode'];
$xmlrpc_message->fault_string = $xmlrpc_message->params[0]['faultString'];
}
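Review bot: The fault branch still dereferences `$xmlrpc_message->params[0]['faultCode']` and `['faultString']` without checking that `params` was populated, so a malformed fault response from a remote server (messagetype set, params missing or empty) raises notices instead of failing cleanly; the new `isset()` guard only covers the missing-messagetype case. Consider widening it to `if (!isset($xmlrpc_message->messagetype) || ($xmlrpc_message->messagetype == 'fault' && !isset($xmlrpc_message->params[0]['faultCode']))) { return FALSE; }`. The enclosing function continues past the end of this hunk, so the caller's handling of the FALSE return is not visible here.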
diff -Nru drupal6-6.16/includes/xmlrpcs.inc drupal6-6.19/includes/xmlrpcs.inc
--- drupal6-6.16/includes/xmlrpcs.inc 2009-12-07 11:36:28.000000000 +0000
+++ drupal6-6.19/includes/xmlrpcs.inc 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
is_error) {
+ if (is_object($result) && !empty($result->is_error)) {
$return[] = array(
'faultCode' => $result->code,
'faultString' => $result->message
diff -Nru drupal6-6.16/install.php drupal6-6.19/install.php
--- drupal6-6.16/install.php 2010-03-01 09:36:01.000000000 +0000
+++ drupal6-6.19/install.php 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
$feed['title']));
drupal_set_message(t('There is new syndicated content from %site.', array('%site' => $feed['title'])));
- break;
}
- $result->error = t('feed not parseable');
- // Deliberate no break.
+ break;
default:
watchdog('aggregator', 'The feed from %site seems to be broken, due to "%error".', array('%site' => $feed['title'], '%error' => $result->code .' '. $result->error), WATCHDOG_WARNING);
drupal_set_message(t('The feed from %site seems to be broken, because of error "%error".', array('%site' => $feed['title'], '%error' => $result->code .' '. $result->error)));
diff -Nru drupal6-6.16/modules/block/block.info drupal6-6.19/modules/block/block.info
--- drupal6-6.16/modules/block/block.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/block/block.info 2010-08-18 09:52:58.000000000 +0100
@@ -5,8 +5,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/blog/blog.info drupal6-6.19/modules/blog/blog.info
--- drupal6-6.16/modules/blog/blog.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/blog/blog.info 2010-08-18 09:52:58.000000000 +0100
@@ -5,8 +5,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/blogapi/blogapi.info drupal6-6.19/modules/blogapi/blogapi.info
--- drupal6-6.16/modules/blogapi/blogapi.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/blogapi/blogapi.info 2010-08-18 09:52:58.000000000 +0100
@@ -5,8 +5,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/book/book.info drupal6-6.19/modules/book/book.info
--- drupal6-6.16/modules/book/book.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/book/book.info 2010-08-18 09:52:58.000000000 +0100
@@ -5,8 +5,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/book/book.pages.inc drupal6-6.19/modules/book/book.pages.inc
--- drupal6-6.16/modules/book/book.pages.inc 2008-08-14 00:59:13.000000000 +0100
+++ drupal6-6.19/modules/book/book.pages.inc 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
uid && $user->uid == $comment->uid && comment_num_replies($comment->cid) == 0) || user_access('administer comments');
+ return ($user->uid && $user->uid == $comment->uid && comment_num_replies($comment->cid) == 0 && $comment->status == COMMENT_PUBLISHED) || user_access('administer comments');
}
}
@@ -949,7 +949,7 @@
if ($comment = db_fetch_object($result)) {
$comment->name = $comment->uid ? $comment->registered_name : $comment->name;
$links = module_invoke_all('link', 'comment', $comment, 1);
- drupal_alter('link', $links, $node);
+ drupal_alter('link', $links, $node, $comment);
$output .= theme('comment_view', $comment, $node, $links);
}
@@ -1744,7 +1744,7 @@
*/
function theme_comment_flat_expanded($comment, $node) {
$links = module_invoke_all('link', 'comment', $comment, 0);
- drupal_alter('link', $links, $node);
+ drupal_alter('link', $links, $node, $comment);
return theme('comment_view', $comment, $node, $links);
}
@@ -1772,7 +1772,7 @@
*/
function theme_comment_thread_expanded($comment, $node) {
$links = module_invoke_all('link', 'comment', $comment, 0);
- drupal_alter('link', $links, $node);
+ drupal_alter('link', $links, $node, $comment);
return theme('comment_view', $comment, $node, $links);
}
@@ -2033,6 +2033,14 @@
*/
function comment_action_info() {
return array(
+ 'comment_publish_action' => array(
+ 'description' => t('Publish comment'),
+ 'type' => 'comment',
+ 'configurable' => FALSE,
+ 'hooks' => array(
+ 'comment' => array('insert', 'update'),
+ ),
+ ),
'comment_unpublish_action' => array(
'description' => t('Unpublish comment'),
'type' => 'comment',
@@ -2053,12 +2061,37 @@
}
/**
- * Drupal action to unpublish a comment.
+ * Action to publish a comment.
*
+ * @param $comment
+ * An optional comment object.
* @param $context
* Keyed array. Must contain the id of the comment if $comment is not passed.
+ *
+ * @ingroup actions
+ */
+function comment_publish_action($comment, $context = array()) {
+ if (isset($comment->cid)) {
+ $cid = $comment->cid;
+ $subject = $comment->subject;
+ }
+ else {
+ $cid = $context['cid'];
+ $subject = db_result(db_query("SELECT subject FROM {comments} WHERE cid = %d", $cid));
+ }
+ db_query('UPDATE {comments} SET status = %d WHERE cid = %d', COMMENT_PUBLISHED, $cid);
+ watchdog('action', 'Published comment %subject.', array('%subject' => $subject));
+}
+
+/**
+ * Action to unpublish a comment.
+ *
* @param $comment
* An optional comment object.
+ * @param $context
+ * Keyed array. Must contain the id of the comment if $comment is not passed.
+ *
+ * @ingroup actions
*/
function comment_unpublish_action($comment, $context = array()) {
if (isset($comment->cid)) {
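Review bot: comment_publish_action() reads `$context['cid']` unguarded when no comment object is passed, so a trigger configuration that supplies neither leaves `$cid` undefined, the UPDATE runs with `cid = 0` and affects nothing, and the watchdog entry still claims a comment was published. A guard such as `if (empty($context['cid'])) { return; }` at the top of the else branch, matching what the docblock already requires, would make that failure visible. The action also flips `status` with a raw UPDATE and a watchdog() call only, so nothing here invalidates caches or updates per-node statistics that other code may keep in sync; if that is intentional it deserves a comment. comment_unpublish_action()'s body continues past the end of this hunk.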
@@ -2074,9 +2107,35 @@
}
/**
+ * Action to unpublish a comment if it contains a certain string.
+ *
+ * @param $comment
+ * A comment object.
+ * @param $context
+ * An array providing more information about the context of the call to this action.
+ * Unused here, since this action currently only supports the insert and update ops of
+ * the comment hook, both of which provide a complete $comment object.
+ *
+ * @ingroup actions
+ * @see comment_unpublish_by_keyword_action_form()
+ * @see comment_unpublish_by_keyword_action_submit()
+ */
+function comment_unpublish_by_keyword_action($comment, $context) {
+ foreach ($context['keywords'] as $keyword) {
+ if (strpos($comment->comment, $keyword) !== FALSE || strpos($comment->subject, $keyword) !== FALSE) {
+ db_query('UPDATE {comments} SET status = %d WHERE cid = %d', COMMENT_NOT_PUBLISHED, $comment->cid);
+ watchdog('action', 'Unpublished comment %subject.', array('%subject' => $comment->subject));
+ break;
+ }
+ }
+}
+
+/**
* Form builder; Prepare a form for blacklisted keywords.
*
* @ingroup forms
+ * @see comment_unpublish_by_keyword_action()
+ * @see comment_unpublish_by_keyword_action_submit()
*/
function comment_unpublish_by_keyword_action_form($context) {
$form['keywords'] = array(
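Review bot: The keyword match in comment_unpublish_by_keyword_action() is case-sensitive and byte-based (`strpos`), so a blacklisted word is bypassed by changing its case, and it appears to run against the stored, unfiltered subject and body. If case-insensitive matching is the intent, `stripos()` is a drop-in replacement on both calls; either way a comment stating that the match is exact and case-sensitive would set administrator expectations. On PHP 8 `strpos()` with an empty needle returns 0 rather than FALSE, so an empty keyword would unpublish every comment; I cannot see whether drupal_explode_tags() drops empty entries, so a `if ($keyword === '') { continue; }` guard may be worth adding. comment_unpublish_by_keyword_action_form() starts at the end of this hunk and continues beyond it.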
@@ -2090,28 +2149,9 @@
/**
* Process comment_unpublish_by_keyword_action_form form submissions.
+ *
+ * @see comment_unpublish_by_keyword_action()
*/
function comment_unpublish_by_keyword_action_submit($form, $form_state) {
return array('keywords' => drupal_explode_tags($form_state['values']['keywords']));
}
-
-/**
- * Implementation of a configurable Drupal action.
- * Unpublish a comment if it contains a certain string.
- *
- * @param $context
- * An array providing more information about the context of the call to this action.
- * Unused here since this action currently only supports the insert and update ops of
- * the comment hook, both of which provide a complete $comment object.
- * @param $comment
- * A comment object.
- */
-function comment_unpublish_by_keyword_action($comment, $context) {
- foreach ($context['keywords'] as $keyword) {
- if (strstr($comment->comment, $keyword) || strstr($comment->subject, $keyword)) {
- db_query('UPDATE {comments} SET status = %d WHERE cid = %d', COMMENT_NOT_PUBLISHED, $comment->cid);
- watchdog('action', 'Unpublished comment %subject.', array('%subject' => $comment->subject));
- break;
- }
- }
-}
diff -Nru drupal6-6.16/modules/contact/contact.info drupal6-6.19/modules/contact/contact.info
--- drupal6-6.16/modules/contact/contact.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/contact/contact.info 2010-08-18 09:52:58.000000000 +0100
@@ -5,8 +5,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/dblog/dblog.info drupal6-6.19/modules/dblog/dblog.info
--- drupal6-6.16/modules/dblog/dblog.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/dblog/dblog.info 2010-08-18 09:52:58.000000000 +0100
@@ -5,8 +5,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/filter/filter.info drupal6-6.19/modules/filter/filter.info
--- drupal6-6.16/modules/filter/filter.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/filter/filter.info 2010-08-18 09:52:58.000000000 +0100
@@ -5,8 +5,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/filter/filter.module drupal6-6.19/modules/filter/filter.module
--- drupal6-6.16/modules/filter/filter.module 2010-03-01 10:54:29.000000000 +0000
+++ drupal6-6.19/modules/filter/filter.module 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
]+?)>/', $text, -1, PREG_SPLIT_DELIM_CAPTURE);
+ $split = preg_split('/<(!--.*?--|[^>]+?)>/s', $text, -1, PREG_SPLIT_DELIM_CAPTURE);
// Note: PHP ensures the array consists of alternating delimiters and literals
// and begins and ends with a literal (inserting $null as required).
@@ -787,37 +796,43 @@
foreach ($split as $value) {
// Process HTML tags.
if ($tag) {
- list($tagname) = explode(' ', strtolower($value), 2);
- // Closing tag
- if ($tagname{0} == '/') {
- $tagname = substr($tagname, 1);
- // Discard XHTML closing tags for single use tags.
- if (!isset($single_use[$tagname])) {
- // See if we possibly have a matching opening tag on the stack.
- if (in_array($tagname, $stack)) {
- // Close other tags lingering first.
- do {
- $output .= ''. $stack[0] .'>';
- } while (array_shift($stack) != $tagname);
- }
- // Otherwise, discard it.
- }
+ // Passthrough comments.
+ if (substr($value, 0, 3) == '!--') {
+ $output .= '<'. $value .'>';
}
- // Opening tag
else {
- // See if we have an identical 'no nesting' tag already open and close it if found.
- if (count($stack) && ($stack[0] == $tagname) && isset($no_nesting[$stack[0]])) {
- $output .= ''. array_shift($stack) .'>';
- }
- // Push non-single-use tags onto the stack
- if (!isset($single_use[$tagname])) {
- array_unshift($stack, $tagname);
+ list($tagname) = preg_split('/\s/', strtolower($value), 2);
+ // Closing tag
+ if ($tagname{0} == '/') {
+ $tagname = substr($tagname, 1);
+ // Discard XHTML closing tags for single use tags.
+ if (!isset($single_use[$tagname])) {
+ // See if we possibly have a matching opening tag on the stack.
+ if (in_array($tagname, $stack)) {
+ // Close other tags lingering first.
+ do {
+ $output .= ''. $stack[0] .'>';
+ } while (array_shift($stack) != $tagname);
+ }
+ // Otherwise, discard it.
+ }
}
- // Add trailing slash to single-use tags as per X(HT)ML.
+ // Opening tag
else {
- $value = rtrim($value, ' /') .' /';
+ // See if we have an identical 'no nesting' tag already open and close it if found.
+ if (count($stack) && ($stack[0] == $tagname) && isset($no_nesting[$stack[0]])) {
+ $output .= ''. array_shift($stack) .'>';
+ }
+ // Push non-single-use tags onto the stack
+ if (!isset($single_use[$tagname])) {
+ array_unshift($stack, $tagname);
+ }
+ // Add trailing slash to single-use tags as per X(HT)ML.
+ else {
+ $value = rtrim($value, ' /') .' /';
+ }
+ $output .= '<'. $value .'>';
}
- $output .= '<'. $value .'>';
}
}
else {
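Review bot: After the comment passthrough, `list($tagname) = preg_split('/\s/', strtolower($value), 2);` yields an empty `$tagname` when the captured tag text begins with whitespace (e.g. `< div>`), and the following `$tagname{0}` then reads an offset of an empty string and emits a notice; a guard like `if ($tagname === '')` that appends the text literally and skips the stack handling would close that. The `$tagname{0}` curly-brace offset syntax is also deprecated as of PHP 7.4 and removed in 8.0, and `$tagname[0]` is the equivalent. The comment branch emits the comment text verbatim, which is fine for a corrector but should not be mistaken for sanitisation, and a short comment saying so would help. The enclosing foreach and function extend beyond this hunk.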
@@ -882,7 +897,7 @@
// We don't apply any processing to the contents of these tags to avoid messing
// up code. We look for matched pairs and allow basic nesting. For example:
// "processed ignored ignored
processed"
- $chunks = preg_split('@(?(?:pre|script|style|object)[^>]*>)@i', $text, -1, PREG_SPLIT_DELIM_CAPTURE);
+ $chunks = preg_split('@(<(?:!--.*?--|/?(?:pre|script|style|object)[^>]*)>)@si', $text, -1, PREG_SPLIT_DELIM_CAPTURE);
// Note: PHP ensures the array consists of alternating delimiters and literals
// and begins and ends with a literal (inserting NULL as required).
$ignore = FALSE;
@@ -890,19 +905,25 @@
$output = '';
foreach ($chunks as $i => $chunk) {
if ($i % 2) {
- // Opening or closing tag?
- $open = ($chunk[1] != '/');
- list($tag) = split('[ >]', substr($chunk, 2 - $open), 2);
- if (!$ignore) {
- if ($open) {
- $ignore = TRUE;
- $ignoretag = $tag;
- }
+ // Passthrough comments.
+ if (substr($chunk, 1, 3) == '!--') {
+ $output .= $chunk;
}
- // Only allow a matching tag to close it.
- else if (!$open && $ignoretag == $tag) {
- $ignore = FALSE;
- $ignoretag = '';
+ else {
+ // Opening or closing tag?
+ $open = ($chunk[1] != '/');
+ list($tag) = split('[ >]', substr($chunk, 2 - $open), 2);
+ if (!$ignore) {
+ if ($open) {
+ $ignore = TRUE;
+ $ignoretag = $tag;
+ }
+ }
+ // Only allow a matching tag to close it.
+ else if (!$open && $ignoretag == $tag) {
+ $ignore = FALSE;
+ $ignoretag = '';
+ }
}
}
else if (!$ignore) {
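Review bot: The re-indented line `list($tag) = split('[ >]', substr($chunk, 2 - $open), 2);` still relies on `split()`, the POSIX-regex function that is deprecated since PHP 5.3 and removed in PHP 7, so this block stops working on newer runtimes; `list($tag) = preg_split('/[ >]/', substr($chunk, 2 - $open), 2);` is the equivalent and matches the `preg_split` already used at the top of this function. Since the commit touches these lines anyway, swapping the call here avoids a second pass later. The enclosing function continues beyond this hunk.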
@@ -911,7 +932,8 @@
$chunk = preg_replace('!(<'. $block .'[^>]*>)!', "\n$1", $chunk); // Space things out a little
$chunk = preg_replace('!('. $block .'>)!', "$1\n\n", $chunk); // Space things out a little
$chunk = preg_replace("/\n\n+/", "\n\n", $chunk); // take care of duplicates
- $chunk = preg_replace('/\n?(.+?)(?:\n\s*\n|\z)/s', "$1
\n", $chunk); // make paragraphs, including one at the end
+ $chunk = preg_replace('/^\n|\n\s*\n$/', '', $chunk);
+ $chunk = ''. preg_replace('/\n\s*\n\n?(.)/', "
\n$1", $chunk) ."
\n"; // make paragraphs, including one at the end
$chunk = preg_replace("|(
|", "$1", $chunk); // problem with nested lists
$chunk = preg_replace('|]*)>|i', "", $chunk);
$chunk = str_replace('
', '', $chunk);
@@ -943,23 +965,30 @@
}
/**
- * Filters XSS. Based on kses by Ulf Harnhammar, see
- * http://sourceforge.net/projects/kses
+ * Filters an HTML string to prevent cross-site-scripting (XSS) vulnerabilities.
*
- * For examples of various XSS attacks, see:
- * http://ha.ckers.org/xss.html
+ * Based on kses by Ulf Harnhammar, see http://sourceforge.net/projects/kses.
+ * For examples of various XSS attacks, see http://ha.ckers.org/xss.html.
*
* This code does four things:
- * - Removes characters and constructs that can trick browsers
- * - Makes sure all HTML entities are well-formed
- * - Makes sure all HTML tags and attributes are well-formed
- * - Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:)
+ * - Removes characters and constructs that can trick browsers.
+ * - Makes sure all HTML entities are well-formed.
+ * - Makes sure all HTML tags and attributes are well-formed.
+ * - Makes sure no HTML tags contain URLs with a disallowed protocol (e.g.
+ * javascript:).
*
* @param $string
- * The string with raw HTML in it. It will be stripped of everything that can cause
- * an XSS attack.
+ * The string with raw HTML in it. It will be stripped of everything that can
+ * cause an XSS attack.
* @param $allowed_tags
* An array of allowed tags.
+ *
+ * @return
+ * An XSS safe version of $string, or an empty string if $string is not
+ * valid UTF-8.
+ *
+ * @see drupal_validate_utf8()
+ * @ingroup sanitization
*/
function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) {
// Only operate on valid UTF-8 strings. This is necessary to prevent cross
@@ -988,6 +1017,8 @@
(
<(?=[^a-zA-Z!/]) # a lone <
| # or
+ # a comment
+ | # or
<[^>]*(>|$) # a string that starts with a <, up until the > or the end of the string
| # or
> # just a >
@@ -1026,7 +1057,7 @@
return '<';
}
- if (!preg_match('%^<\s*(/\s*)?([a-zA-Z0-9]+)([^>]*)>?$%', $string, $matches)) {
+ if (!preg_match('%^(?:<\s*(/\s*)?([a-zA-Z0-9]+)([^>]*)>?|())$%', $string, $matches)) {
// Seriously malformed
return '';
}
@@ -1034,12 +1065,21 @@
$slash = trim($matches[1]);
$elem = &$matches[2];
$attrlist = &$matches[3];
+ $comment = &$matches[4];
+
+ if ($comment) {
+ $elem = '!--';
+ }
if (!isset($allowed_html[strtolower($elem)])) {
// Disallowed HTML element
return '';
}
+ if ($comment) {
+ return $comment;
+ }
+
if ($slash != '') {
return "$elem>";
}
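Review bot: When `!--` is present in `$allowed_html`, the matched comment is returned byte-for-byte by `return $comment;` with no further processing, so allowing comments effectively grants raw pass-through of everything between `<!--` and the first `-->`; that looks deliberate, but it should be stated in this function's docblock and in filter_xss(), because a site that adds `<!-->` to an input format for untrusted roles is relying on every browser treating that content as inert (legacy IE conditional comments are the usual counter-example). A one-line comment above the return, e.g. `// Comments are emitted verbatim; only reachable when '!--' is explicitly allowed.`, would make the trade-off visible. The function is cut off on both sides of this hunk, so I cannot see how `$allowed_html` is populated.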
diff -Nru drupal6-6.16/modules/forum/forum.info drupal6-6.19/modules/forum/forum.info
--- drupal6-6.16/modules/forum/forum.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/forum/forum.info 2010-08-18 09:52:58.000000000 +0100
@@ -7,8 +7,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/help/help.info drupal6-6.19/modules/help/help.info
--- drupal6-6.16/modules/help/help.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/help/help.info 2010-08-18 09:52:58.000000000 +0100
@@ -5,8 +5,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/locale/locale.info drupal6-6.19/modules/locale/locale.info
--- drupal6-6.16/modules/locale/locale.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/locale/locale.info 2010-08-18 09:52:58.000000000 +0100
@@ -5,8 +5,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/menu/menu.admin.inc drupal6-6.19/modules/menu/menu.admin.inc
--- drupal6-6.16/modules/menu/menu.admin.inc 2009-12-16 20:47:10.000000000 +0000
+++ drupal6-6.19/modules/menu/menu.admin.inc 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
body = drupal_render($node->content);
// Fetch comments for snippet.
- $node->body .= module_invoke('comment', 'nodeapi', $node, 'update index');
+ if (module_exists('comment')) {
+ $node->body .= comment_nodeapi($node, 'update index');
+ }
// Fetch terms for snippet.
- $node->body .= module_invoke('taxonomy', 'nodeapi', $node, 'update index');
+ if (module_exists('taxonomy')) {
+ $node->body .= taxonomy_nodeapi($node, 'update index');
+ }
$extra = node_invoke_nodeapi($node, 'search result');
$results[] = array(
@@ -2183,13 +2190,13 @@
}
/**
- * This function will call module invoke to get a list of grants and then
- * write them to the database. It is called at node save, and should be
- * called by modules whenever something other than a node_save causes
- * the permissions on a node to change.
+ * Gets the list of node access grants and writes them to the database.
*
- * This function is the only function that should write to the node_access
- * table.
+ * This function is called when a node is saved, and can also be called by
+ * modules if something other than a node save causes node access permissions
+ * to change. It collects all node access grants for the node from
+ * hook_node_access_records() implementations and saves the collected
+ * grants to the database.
*
* @param $node
* The $node to acquire grants for.
@@ -2213,12 +2220,12 @@
}
/**
- * This function will write a list of grants to the database, deleting
- * any pre-existing grants. If a realm is provided, it will only
- * delete grants from that realm, but it will always delete a grant
- * from the 'all' realm. Modules which utilize node_access can
- * use this function when doing mass updates due to widespread permission
- * changes.
+ * Writes a list of grants to the database, deleting any previously saved ones.
+ *
+ * If a realm is provided, it will only delete grants from that realm, but it
+ * will always delete a grant from the 'all' realm. Modules that utilize
+ * node_access can use this function when doing mass updates due to widespread
+ * permission changes.
*
* @param $node
* The $node being written to. All that is necessary is that it contain a nid.
@@ -2376,7 +2383,7 @@
node_access_acquire_grants($loaded_node);
}
$context['sandbox']['progress']++;
- $context['sandbox']['current_node'] = $loaded_node->nid;
+ $context['sandbox']['current_node'] = $row['nid'];
}
// Multistep processing : report progress.
diff -Nru drupal6-6.16/modules/openid/openid.info drupal6-6.19/modules/openid/openid.info
--- drupal6-6.16/modules/openid/openid.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/openid/openid.info 2010-08-18 09:52:58.000000000 +0100
@@ -5,8 +5,8 @@
package = Core - optional
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/openid/openid.install drupal6-6.19/modules/openid/openid.install
--- drupal6-6.16/modules/openid/openid.install 2009-01-06 15:46:37.000000000 +0000
+++ drupal6-6.19/modules/openid/openid.install 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
array('assoc_handle'),
);
+ $schema['openid_nonce'] = array(
+ 'description' => 'Stores received openid.response_nonce per OpenID endpoint URL to prevent replay attacks.',
+ 'fields' => array(
+ 'idp_endpoint_uri' => array(
+ 'type' => 'varchar',
+ 'length' => 255,
+ 'description' => 'URI of the OpenID Provider endpoint.',
+ ),
+ 'nonce' => array(
+ 'type' => 'varchar',
+ 'length' => 255,
+ 'description' => 'The value of openid.response_nonce'
+ ),
+ 'expires' => array(
+ 'type' => 'int',
+ 'not null' => TRUE,
+ 'default' => 0,
+ 'description' => 'A Unix timestamp indicating when the entry should expire.',
+ ),
+ ),
+ 'indexes' => array(
+ 'nonce' => array('nonce'),
+ 'expires' => array('expires'),
+ ),
+ );
+
return $schema;
}
+
+/**
+ * @defgroup updates-6.x-extra Extra openid updates for 6.x
+ * @{
+ */
+
+/**
+ * Add the openid_nonce table.
+ *
+ * Implementation of hook_update_N().
+ */
+function openid_update_6000() {
+ $ret = array();
+
+ $schema['openid_nonce'] = array(
+ 'description' => 'Stores received openid.response_nonce per OpenID endpoint URL to prevent replay attacks.',
+ 'fields' => array(
+ 'idp_endpoint_uri' => array(
+ 'type' => 'varchar',
+ 'length' => 255,
+ 'description' => 'URI of the OpenID Provider endpoint.',
+ ),
+ 'nonce' => array(
+ 'type' => 'varchar',
+ 'length' => 255,
+ 'description' => 'The value of openid.response_nonce'
+ ),
+ 'expires' => array(
+ 'type' => 'int',
+ 'not null' => TRUE,
+ 'default' => 0,
+ 'description' => 'A Unix timestamp indicating when the entry should expire.',
+ ),
+ ),
+ 'indexes' => array(
+ 'nonce' => array('nonce'),
+ 'expires' => array('expires'),
+ ),
+ );
+
+ db_create_table($ret, 'openid_nonce', $schema['openid_nonce']);
+
+ return $ret;
+}
+
+/**
+ * @} End of "defgroup updates-6.x-extra"
+ * The next series of updates should start at 7000.
+ */
diff -Nru drupal6-6.16/modules/openid/openid.module drupal6-6.19/modules/openid/openid.module
--- drupal6-6.16/modules/openid/openid.module 2009-12-07 12:52:22.000000000 +0000
+++ drupal6-6.19/modules/openid/openid.module 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
l(t('Cancel OpenID login'), '#'),
'class' => 'user-link',
);
-
+
$form['openid_links'] = array(
'#value' => theme('item_list', $items),
'#weight' => 1,
@@ -111,7 +111,7 @@
'#weight' => -1,
'#description' => l(t('What is OpenID?'), 'http://openid.net/', array('external' => TRUE)),
);
- $form['openid.return_to'] = array('#type' => 'hidden', '#value' => url('openid/authenticate', array('absolute' => TRUE, 'query' => drupal_get_destination())));
+ $form['openid.return_to'] = array('#type' => 'hidden', '#value' => url('openid/authenticate', array('absolute' => TRUE, 'query' => user_login_destination())));
}
elseif ($form_id == 'user_register' && isset($_SESSION['openid']['values'])) {
// We were unable to auto-register a new user. Prefill the registration
@@ -220,12 +220,13 @@
* $response['status'] set to one of 'success', 'failed' or 'cancel'.
*/
function openid_complete($response = array()) {
+ global $base_url;
module_load_include('inc', 'openid');
if (count($response) == 0) {
$response = _openid_response();
}
-
+
// Default to failed response
$response['status'] = 'failed';
if (isset($_SESSION['openid']['service']['uri']) && isset($_SESSION['openid']['claimed_id'])) {
@@ -238,7 +239,7 @@
$response['status'] = 'cancel';
}
else {
- if (openid_verify_assertion($service['uri'], $response)) {
+ if (openid_verify_assertion($service, $response)) {
// If the returned claimed_id is different from the session claimed_id,
// then we need to do discovery and make sure the op_endpoint matches.
if ($service['version'] == 2 && $response['openid.claimed_id'] != $claimed_id) {
@@ -250,6 +251,31 @@
else {
$response['openid.claimed_id'] = $claimed_id;
}
+ // Verify that openid.return_to matches the current URL (see OpenID
+ // Authentication 2.0, section 11.1).
+ // While OpenID Authentication 1.1, section 4.3 does not mandate
+ // return_to verification, the received return_to should still
+ // match these constraints.
+ $return_to_parts = parse_url($response['openid.return_to']);
+
+ $base_url_parts = parse_url($base_url);
+ $current_parts = parse_url($base_url_parts['scheme'] .'://'. $base_url_parts['host'] . request_uri());
+
+ if ($return_to_parts['scheme'] != $current_parts['scheme'] ||
+ $return_to_parts['host'] != $current_parts['host'] ||
+ $return_to_parts['path'] != $current_parts['path']) {
+
+ return $response;
+ }
+ // Verify that all query parameters in the openid.return_to URL have
+ // the same value in the current URL. In addition, the current URL
+ // contains a number of other parameters added by the OpenID Provider.
+ parse_str(isset($return_to_parts['query']) ? $return_to_parts['query'] : '', $return_to_query_parameters);
+ foreach ($return_to_query_parameters as $name => $value) {
+ if (!array_key_exists($name, $_GET) || $_GET[$name] != $value) {
+ return $response;
+ }
+ }
$response['status'] = 'success';
}
}
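Review bot: The return_to check compares `$return_to_parts['scheme']`, `['host']` and `['path']` directly, but parse_url() returns FALSE for a malformed openid.return_to and omits the 'path' key for a bare origin, so a bad value reaches the `!=` comparisons as NULL and emits notices rather than being rejected explicitly; guard with `if (!is_array($return_to_parts) || empty($return_to_parts['scheme']) || empty($return_to_parts['host']) || !isset($return_to_parts['path'])) { return $response; }` before the comparison. `$current_parts` is rebuilt from scheme and host only, so the port of the current request is never compared with the port in return_to; on a site served from a non-default port, comparing `isset($return_to_parts['port']) ? $return_to_parts['port'] : NULL` with the same from `$base_url_parts` would close that gap, if that is within the intended scope. `$response['openid.return_to']` is also read without isset(); a response lacking it should be rejected the same way. openid_complete() starts before this hunk and continues after it.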
@@ -502,33 +528,39 @@
/**
* Attempt to verify the response received from the OpenID Provider.
*
- * @param $op_endpoint The OpenID Provider URL.
- * @param $response Array of repsonse values from the provider.
+ * @param $service
+ * Array describing the OpenID provider.
+ * @param $response
+ * Array of response values from the provider.
*
* @return boolean
*/
-function openid_verify_assertion($op_endpoint, $response) {
+function openid_verify_assertion($service, $response) {
module_load_include('inc', 'openid');
- $valid = FALSE;
+ // http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.3
+ // Check the Nonce to protect against replay attacks.
+ if (!openid_verify_assertion_nonce($service, $response)) {
+ return FALSE;
+ }
+ // http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4
+ // Verify the signatures.
+ $valid = FALSE;
$association = db_fetch_object(db_query("SELECT * FROM {openid_association} WHERE assoc_handle = '%s'", $response['openid.assoc_handle']));
if ($association && isset($association->session_type)) {
- $keys_to_sign = explode(',', $response['openid.signed']);
- $self_sig = _openid_signature($association, $response, $keys_to_sign);
- if ($self_sig == $response['openid.sig']) {
- $valid = TRUE;
- }
- else {
- $valid = FALSE;
- }
+ // http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4.2
+ // Verification using an association.
+ $valid = openid_verify_assertion_signature($service, $association, $response);
}
else {
+ // http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4.3
+ // Direct verification.
$request = $response;
$request['openid.mode'] = 'check_authentication';
$message = _openid_create_message($request);
$headers = array('Content-Type' => 'application/x-www-form-urlencoded; charset=utf-8');
- $result = drupal_http_request($op_endpoint, $headers, 'POST', _openid_encode_message($message));
+ $result = drupal_http_request($service['uri'], $headers, 'POST', _openid_encode_message($message));
if (!isset($result->error)) {
$response = _openid_parse_message($result->data);
if (strtolower(trim($response['is_valid'])) == 'true') {
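Review bot: The mandatory-signed-fields check added in openid_verify_assertion_signature() is only reached through the association branch; the direct-verification branch below it (check_authentication POST to `$service['uri']`) accepts the assertion on the provider's `is_valid` answer alone, and that answer confirms the signature over whatever `openid.signed` lists rather than, unless the provider enforces it, that return_to, identity, nonce and the other mandatory keys are covered. Consider factoring the mandatory-key computation and the `array_diff($mandatory_keys, $keys_to_sign)` test out of openid_verify_assertion_signature() into a small helper and calling it at the top of this function, next to the nonce check, so both verification paths share it. `$response['openid.assoc_handle']` is read without isset() before the association lookup, as in the old code; an `isset()` there keeps the no-association path free of notices. The function's body continues past the end of this hunk.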
@@ -541,3 +573,101 @@
}
return $valid;
}
+
+/**
+ * Verify the signature of the response received from the OpenID provider.
+ *
+ * @param $service
+ * Array describing the OpenID provider.
+ * @param $association
+ * Information on the association with the OpenID provider.
+ * @param $response
+ * Array of response values from the provider.
+ *
+ * @return
+ * TRUE if the signature is valid and covers all fields required to be signed.
+ * @see http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4
+ */
+function openid_verify_assertion_signature($service, $association, $response) {
+ if ($service['version'] == 2) {
+ // OpenID Authentication 2.0, section 10.1:
+ // These keys must always be signed.
+ $mandatory_keys = array('op_endpoint', 'return_to', 'response_nonce', 'assoc_handle');
+ if (isset($response['openid.claimed_id'])) {
+ // If present, these two keys must also be signed. According to the spec,
+ // they are either both present or both absent.
+ $mandatory_keys[] = 'claimed_id';
+ $mandatory_keys[] = 'identity';
+ }
+ }
+ else {
+ // OpenID Authentication 1.1. section 4.3.3.
+ $mandatory_keys = array('identity', 'return_to');
+ }
+
+ $keys_to_sign = explode(',', $response['openid.signed']);
+
+ if (count(array_diff($mandatory_keys, $keys_to_sign)) > 0) {
+ return FALSE;
+ }
+
+ return _openid_signature($association, $response, $keys_to_sign) == $response['openid.sig'];
+}
+
+/**
+ * Verify that the nonce has not been used in earlier assertions from the same OpenID provider.
+ *
+ * @param $service
+ * Array describing the OpenID provider.
+ * @param $response
+ * Array of response values from the provider.
+ *
+ * @return
+ * TRUE if the nonce has not expired and has not been used earlier.
+ */
+function openid_verify_assertion_nonce($service, $response) {
+ if ($service['version'] != 2) {
+ return TRUE;
+ }
+
+ if (preg_match('/^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z/', $response['openid.response_nonce'], $matches)) {
+ list(, $year, $month, $day, $hour, $minutes, $seconds) = $matches;
+ $nonce_timestamp = gmmktime($hour, $minutes, $seconds, $month, $day, $year);
+ }
+ else {
+ watchdog('openid', 'Nonce from @endpoint rejected because it is not correctly formatted, nonce: @nonce.', array('@endpoint' => $service['uri'], '@nonce' => $response['openid.response_nonce']), WATCHDOG_WARNING);
+ return FALSE;
+ }
+
+ // A nonce with a timestamp to far in the past or future will already have
+ // been removed and cannot be checked for single use anymore.
+ $time = time();
+ $expiry = 900;
+ if ($nonce_timestamp <= $time - $expiry || $nonce_timestamp >= $time + $expiry) {
+ watchdog('openid', 'Nonce received from @endpoint is out of range (time difference: @intervals). Check possible clock skew.', array('@endpoint' => $service['uri'], '@interval' => $time - $nonce_timestamp), WATCHDOG_WARNING);
+ return FALSE;
+ }
+
+ // Record that this nonce was used.
+ db_query("INSERT INTO {openid_nonce} (idp_endpoint_uri, nonce, expires) VALUES ('%s', '%s', %d)", $service['uri'], $response['openid.response_nonce'], $nonce_timestamp + $expiry);
+
+ // Count the number of times this nonce was used.
+ $count_used = db_result(db_query("SELECT COUNT(*) FROM {openid_nonce} WHERE nonce = '%s' AND idp_endpoint_uri = '%s'", $response['openid.response_nonce'], $service['uri']));
+
+ if ($count_used == 1) {
+ return TRUE;
+ }
+ else {
+ watchdog('openid', 'Nonce replay attempt blocked from @ip, nonce: @nonce.', array('@ip' => ip_address(), '@nonce' => $response['openid.response_nonce']), WATCHDOG_CRITICAL);
+ return FALSE;
+ }
+}
+
+/**
+ * Remove expired nonces from the database.
+ *
+ * Implementation of hook_cron().
+ */
+function openid_cron() {
+ db_query("DELETE FROM {openid_nonce} WHERE expires < %d", time());
+}
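Review bot: The final comparison in openid_verify_assertion_signature() uses loose `==` between the locally computed signature and the provider-supplied `openid.sig`; PHP compares numeric-looking strings numerically, so the strict form `return _openid_signature($association, $response, $keys_to_sign) === $response['openid.sig'];` is the safer idiom for comparing two signature strings. In openid_verify_assertion_nonce(), the out-of-range watchdog message uses `@intervals` while the variables array supplies `@interval`, so the output depends on strtr() prefix-replacing `@interval` inside `@intervals` to yield e.g. `950s`; if that is intended, writing it as `(time difference: @interval seconds)` makes it clear it is not a typo. `$response['openid.response_nonce']` is read at the preg_match() call without isset(); a 2.0 response that omits it is rejected, which is correct, but an `isset()` guard keeps that rejection and its log entry free of notices.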
diff -Nru drupal6-6.16/modules/path/path.info drupal6-6.19/modules/path/path.info
--- drupal6-6.16/modules/path/path.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/path/path.info 2010-08-18 09:52:58.000000000 +0100
@@ -5,8 +5,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/php/php.info drupal6-6.19/modules/php/php.info
--- drupal6-6.16/modules/php/php.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/php/php.info 2010-08-18 09:52:58.000000000 +0100
@@ -5,8 +5,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/ping/ping.info drupal6-6.19/modules/ping/ping.info
--- drupal6-6.16/modules/ping/ping.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/ping/ping.info 2010-08-18 09:52:58.000000000 +0100
@@ -5,8 +5,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/poll/poll.info drupal6-6.19/modules/poll/poll.info
--- drupal6-6.16/modules/poll/poll.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/poll/poll.info 2010-08-18 09:52:58.000000000 +0100
@@ -5,8 +5,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/poll/poll.module drupal6-6.19/modules/poll/poll.module
--- drupal6-6.16/modules/poll/poll.module 2009-09-14 11:16:54.000000000 +0100
+++ drupal6-6.19/modules/poll/poll.module 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
TRUE,
);
@@ -308,17 +306,15 @@
'#default_value' => $value,
'#parents' => array('choice', $delta, 'chtext'),
);
-
- if ($admin) {
- $form['chvotes'] = array(
- '#type' => 'textfield',
- '#title' => t('Votes for choice @n', array('@n' => ($delta + 1))),
- '#default_value' => $votes,
- '#size' => 5,
- '#maxlength' => 7,
- '#parents' => array('choice', $delta, 'chvotes'),
- );
- }
+ $form['chvotes'] = array(
+ '#type' => 'textfield',
+ '#title' => t('Votes for choice @n', array('@n' => ($delta + 1))),
+ '#default_value' => $votes,
+ '#size' => 5,
+ '#maxlength' => 7,
+ '#parents' => array('choice', $delta, 'chvotes'),
+ '#access' => user_access('administer nodes'),
+ );
return $form;
}
diff -Nru drupal6-6.16/modules/profile/profile.info drupal6-6.19/modules/profile/profile.info
--- drupal6-6.16/modules/profile/profile.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/profile/profile.info 2010-08-18 09:52:58.000000000 +0100
@@ -5,8 +5,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/search/search.info drupal6-6.19/modules/search/search.info
--- drupal6-6.16/modules/search/search.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/search/search.info 2010-08-18 09:52:58.000000000 +0100
@@ -5,8 +5,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/search/search.module drupal6-6.19/modules/search/search.module
--- drupal6-6.16/modules/search/search.module 2009-12-07 15:44:33.000000000 +0000
+++ drupal6-6.19/modules/search/search.module 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
variable_get('statistics_enable_access_log', 0),
'#options' => $options,
'#description' => t('Log each page access. Required for referrer statistics.'));
- $period = drupal_map_assoc(array(3600, 10800, 21600, 32400, 43200, 86400, 172800, 259200, 604800, 1209600, 2419200, 4838400, 9676800), 'format_interval');
+ $period = array('0' => t('Never')) + drupal_map_assoc(array(3600, 10800, 21600, 32400, 43200, 86400, 172800, 259200, 604800, 1209600, 2419200, 4838400, 9676800), 'format_interval');
$form['access']['statistics_flush_accesslog_timer'] = array(
'#type' => 'select',
'#title' => t('Discard access logs older than'),
diff -Nru drupal6-6.16/modules/statistics/statistics.info drupal6-6.19/modules/statistics/statistics.info
--- drupal6-6.16/modules/statistics/statistics.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/statistics/statistics.info 2010-08-18 09:52:58.000000000 +0100
@@ -5,8 +5,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/statistics/statistics.module drupal6-6.19/modules/statistics/statistics.module
--- drupal6-6.16/modules/statistics/statistics.module 2009-04-27 13:25:24.000000000 +0100
+++ drupal6-6.19/modules/statistics/statistics.module 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
0) {
+ db_query('DELETE FROM {accesslog} WHERE timestamp < %d', time() - variable_get('statistics_flush_accesslog_timer', 259200));
+ }
}
/**
diff -Nru drupal6-6.16/modules/syslog/syslog.info drupal6-6.19/modules/syslog/syslog.info
--- drupal6-6.16/modules/syslog/syslog.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/syslog/syslog.info 2010-08-18 09:52:58.000000000 +0100
@@ -5,8 +5,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/system/page.tpl.php drupal6-6.19/modules/system/page.tpl.php
--- drupal6-6.16/modules/system/page.tpl.php 2009-04-30 01:13:31.000000000 +0100
+++ drupal6-6.19/modules/system/page.tpl.php 2010-08-18 09:52:58.000000000 +0100
@@ -1,10 +1,9 @@
language contains its textual representation.
- * $language->dir contains the language direction. It will either be 'ltr' or 'rtl'.
- * - $head_title: A modified version of the page title, for use in the TITLE tag.
- * - $head: Markup for the HEAD section (including meta tags, keyword tags, and
+ * $language->dir contains the language direction. It will either be 'ltr' or
+ * 'rtl'.
+ * - $head_title: A modified version of the page title, for use in the TITLE
+ * element.
+ * - $head: Markup for the HEAD element (including meta tags, keyword tags, and
* so on).
* - $styles: Style tags necessary to import all CSS files for the page.
* - $scripts: Script tags necessary to load the JavaScript files and settings
* for the page.
* - $body_classes: A set of CSS classes for the BODY tag. This contains flags
- * indicating the current layout (multiple columns, single column), the current
- * path, whether the user is logged in, and so on.
+ * indicating the current layout (multiple columns, single column), the
+ * current path, whether the user is logged in, and so on.
*
* Site identity:
* - $front_page: The URL of the front page. Use this instead of $base_path,
- * when linking to the front page. This includes the language domain or prefix.
+ * when linking to the front page. This includes the language domain or
+ * prefix.
* - $logo: The path to the logo image, as defined in theme configuration.
- * - $site_name: The name of the site, empty when display has been disabled
- * in theme settings.
+ * - $site_name: The name of the site, empty when display has been disabled in
+ * theme settings.
* - $site_slogan: The slogan of the site, empty when display has been disabled
* in theme settings.
- * - $mission: The text of the site mission, empty when display has been disabled
- * in theme settings.
+ * - $mission: The text of the site mission, empty when display has been
+ * disabled in theme settings.
*
* Navigation:
- * - $search_box: HTML to display the search box, empty if search has been disabled.
- * - $primary_links (array): An array containing primary navigation links for the
- * site, if they have been configured.
- * - $secondary_links (array): An array containing secondary navigation links for
+ * - $search_box: HTML to display the search box, empty if search has been
+ * disabled.
+ * - $primary_links (array): An array containing primary navigation links for
* the site, if they have been configured.
+ * - $secondary_links (array): An array containing secondary navigation links
+ * for the site, if they have been configured.
*
- * Page content (in order of occurrance in the default page.tpl.php):
+ * Page content (in order of occurrence in the default page.tpl.php):
* - $left: The HTML for the left sidebar.
- *
* - $breadcrumb: The breadcrumb trail for the current page.
* - $title: The page title, for use in the actual HTML content.
* - $help: Dynamic help text, mostly for admin pages.
- * - $messages: HTML for status and error messages. Should be displayed prominently.
- * - $tabs: Tabs linking to any sub-pages beneath the current page (e.g., the view
- * and edit tabs when displaying a node).
- *
+ * - $messages: HTML for status and error messages. Should be displayed
+ * prominently.
+ * - $tabs: Tabs linking to any sub-pages beneath the current page (e.g., the
+ * view and edit tabs when displaying a node).
* - $content: The main content of the current Drupal page.
- *
* - $right: The HTML for the right sidebar.
+ * - $node: The node object, if there is an automatically-loaded node associated
+ * with the page, and the node ID is the second argument in the page's path
+ * (e.g. node/12345 and node/12345/revisions, but not comment/reply/12345).
*
* Footer/closing data:
* - $feed_icons: A string of all feed icons for the current page.
* - $footer_message: The footer message as defined in the admin settings.
* - $footer : The footer region.
* - $closure: Final closing markup from any modules that have altered the page.
- * This variable should always be output last, after all other dynamic content.
+ * This variable should always be output last, after all other dynamic
+ * content.
*
* @see template_preprocess()
* @see template_preprocess_page()
diff -Nru drupal6-6.16/modules/system/system.info drupal6-6.19/modules/system/system.info
--- drupal6-6.16/modules/system/system.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/system/system.info 2010-08-18 09:52:58.000000000 +0100
@@ -5,8 +5,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/system/system.install drupal6-6.19/modules/system/system.install
--- drupal6-6.16/modules/system/system.install 2010-03-01 16:53:57.000000000 +0000
+++ drupal6-6.19/modules/system/system.install 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
TRUE,
'default' => 0),
'status' => array(
- 'description' => 'A flag indicating whether file is temporary (1) or permanent (0).',
+ 'description' => 'A flag indicating whether file is temporary (0) or permanent (1).',
'type' => 'int',
'not null' => TRUE,
'default' => 0),
diff -Nru drupal6-6.16/modules/system/system.module drupal6-6.19/modules/system/system.module
--- drupal6-6.16/modules/system/system.module 2010-03-04 00:15:28.000000000 +0000
+++ drupal6-6.19/modules/system/system.module 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
foo?").
+ * block foo?"). The page title will be set to this value.
* @param $path
- * The page to go to if the user denies the action.
- * Can be either a drupal path, or an array with the keys 'path', 'query', 'fragment'.
+ * The page to go to if the user cancels the action. This can be either:
+ * - A string containing a Drupal path.
+ * - An associative array with a 'path' key. Additional array values are
+ * passed as the $options parameter to l().
+ * If the 'destination' query parameter is set in the URL when viewing a
+ * confirmation form, that value will be used instead of $path.
* @param $description
- * Additional text to display (defaults to "This action cannot be undone.").
+ * Additional text to display. Defaults to t('This action cannot be undone.').
* @param $yes
- * A caption for the button which confirms the action (e.g. "Delete",
- * "Replace", ...).
+ * A caption for the button that confirms the action (e.g. "Delete",
+ * "Replace", ...). Defaults to t('Confirm').
* @param $no
- * A caption for the link which denies the action (e.g. "Cancel").
+ * A caption for the link which cancels the action (e.g. "Cancel"). Defaults
+ * to t('Cancel').
* @param $name
* The internal name used to refer to the confirmation item.
+ *
* @return
- * The form.
+ * The form array.
*/
function confirm_form($form, $question, $path, $description = NULL, $yes = NULL, $no = NULL, $name = 'confirm') {
$description = isset($description) ? $description : t('This action cannot be undone.');
@@ -1378,7 +1388,7 @@
while ($action = db_fetch_object($result)) {
$row[] = array(
array('data' => $action->type),
- array('data' => $action->description),
+ array('data' => filter_xss_admin($action->description)),
array('data' => $action->parameters ? l(t('configure'), "admin/settings/actions/configure/$action->aid") : ''),
array('data' => $action->parameters ? l(t('delete'), "admin/settings/actions/delete/$action->aid") : '')
);
@@ -1584,9 +1594,8 @@
$aid = $form_state['values']['aid'];
$action = actions_load($aid);
actions_delete($aid);
- $description = check_plain($action->description);
- watchdog('user', 'Deleted action %aid (%action)', array('%aid' => $aid, '%action' => $description));
- drupal_set_message(t('Action %action was deleted', array('%action' => $description)));
+ watchdog('user', 'Deleted action %aid (%action)', array('%aid' => $aid, '%action' => $action->description));
+ drupal_set_message(t('Action %action was deleted', array('%action' => $action->description)));
$form_state['redirect'] = 'admin/settings/actions/manage';
}
@@ -1786,7 +1795,7 @@
);
}
$subject = strtr($context['subject'], $variables);
- $body = strtr($context['message'], $variables);
+ $body = strtr(filter_xss_admin($context['message']), $variables);
$message['subject'] .= str_replace(array("\r", "\n"), '', $subject);
$message['body'][] = drupal_html_to_text($body);
}
@@ -1835,11 +1844,11 @@
case 'taxonomy':
$vocabulary = taxonomy_vocabulary_load($object->vid);
$variables = array_merge($variables, array(
- '%term_name' => $object->name,
- '%term_description' => $object->description,
+ '%term_name' => check_plain($object->name),
+ '%term_description' => filter_xss_admin($object->description),
'%term_id' => $object->tid,
- '%vocabulary_name' => $vocabulary->name,
- '%vocabulary_description' => $vocabulary->description,
+ '%vocabulary_name' => check_plain($vocabulary->name),
+ '%vocabulary_description' => filter_xss_admin($vocabulary->description),
'%vocabulary_id' => $vocabulary->vid,
)
);
@@ -1854,13 +1863,13 @@
'%uid' => $node->uid,
'%node_url' => url('node/'. $node->nid, array('absolute' => TRUE)),
'%node_type' => check_plain(node_get_types('name', $node)),
- '%title' => filter_xss($node->title),
- '%teaser' => filter_xss($node->teaser),
- '%body' => filter_xss($node->body),
+ '%title' => check_plain($node->title),
+ '%teaser' => check_markup($node->teaser, $node->format, FALSE),
+ '%body' => check_markup($node->body, $node->format, FALSE),
)
);
}
- $context['message'] = strtr($context['message'], $variables);
+ $context['message'] = strtr(filter_xss_admin($context['message']), $variables);
drupal_set_message($context['message']);
}
diff -Nru drupal6-6.16/modules/taxonomy/taxonomy.admin.inc drupal6-6.19/modules/taxonomy/taxonomy.admin.inc
--- drupal6-6.16/modules/taxonomy/taxonomy.admin.inc 2009-02-25 12:53:24.000000000 +0000
+++ drupal6-6.19/modules/taxonomy/taxonomy.admin.inc 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
$form_state['values']['name'])));
watchdog('taxonomy', 'Reset vocabulary %name to alphabetical order.', array('%name' => $form_state['values']['name']), WATCHDOG_NOTICE);
$form_state['redirect'] = 'admin/content/taxonomy/'. $form_state['values']['vid'];
diff -Nru drupal6-6.16/modules/taxonomy/taxonomy.info drupal6-6.19/modules/taxonomy/taxonomy.info
--- drupal6-6.16/modules/taxonomy/taxonomy.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/taxonomy/taxonomy.info 2010-08-18 09:52:58.000000000 +0100
@@ -5,8 +5,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/taxonomy/taxonomy.module drupal6-6.19/modules/taxonomy/taxonomy.module
--- drupal6-6.16/modules/taxonomy/taxonomy.module 2010-03-01 10:08:21.000000000 +0000
+++ drupal6-6.19/modules/taxonomy/taxonomy.module 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
nid) ? array() : taxonomy_node_get_terms($node);
}
else {
- // After preview the terms must be converted to objects.
- if (isset($form_state['node_preview'])) {
+ // After a preview or form reload, the terms must be converted to objects.
+ reset($node->taxonomy);
+ if (!is_object(current($node->taxonomy))) {
$node->taxonomy = taxonomy_preview_terms($node);
}
$terms = $node->taxonomy;
@@ -1314,7 +1330,9 @@
}
/**
- * Implode a list of tags of a certain vocabulary into a string.
+ * Implodes a list of tags of a certain vocabulary into a string.
+ *
+ * @see drupal_explode_tags()
*/
function taxonomy_implode_tags($tags, $vid = NULL) {
$typed_tags = array();
diff -Nru drupal6-6.16/modules/throttle/throttle.info drupal6-6.19/modules/throttle/throttle.info
--- drupal6-6.16/modules/throttle/throttle.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/throttle/throttle.info 2010-08-18 09:52:58.000000000 +0100
@@ -5,8 +5,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/tracker/tracker.info drupal6-6.19/modules/tracker/tracker.info
--- drupal6-6.16/modules/tracker/tracker.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/tracker/tracker.info 2010-08-18 09:52:58.000000000 +0100
@@ -6,8 +6,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/translation/translation.info drupal6-6.19/modules/translation/translation.info
--- drupal6-6.16/modules/translation/translation.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/translation/translation.info 2010-08-18 09:52:58.000000000 +0100
@@ -6,8 +6,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/trigger/trigger.admin.inc drupal6-6.19/modules/trigger/trigger.admin.inc
--- drupal6-6.16/modules/trigger/trigger.admin.inc 2008-01-08 10:35:43.000000000 +0000
+++ drupal6-6.19/modules/trigger/trigger.admin.inc 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
check_plain($actions[$aid]['description'])));
+ watchdog('actions', 'Action %action has been unassigned.', array('%action' => $actions[$aid]['description']));
drupal_set_message(t('Action %action has been unassigned.', array('%action' => $actions[$aid]['description'])));
$hook = $form_values['hook'] == 'nodeapi' ? 'node' : $form_values['hook'];
$form_state['redirect'] = 'admin/build/trigger/'. $hook;
@@ -239,7 +239,7 @@
$rows = array();
foreach ($element['assigned']['#value'] as $aid => $info) {
$rows[] = array(
- $info['description'],
+ filter_xss_admin($info['description']),
$info['link']
);
}
diff -Nru drupal6-6.16/modules/trigger/trigger.info drupal6-6.19/modules/trigger/trigger.info
--- drupal6-6.16/modules/trigger/trigger.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/trigger/trigger.info 2010-08-18 09:52:58.000000000 +0100
@@ -5,8 +5,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/trigger/trigger.module drupal6-6.19/modules/trigger/trigger.module
--- drupal6-6.16/modules/trigger/trigger.module 2009-06-08 17:34:57.000000000 +0100
+++ drupal6-6.19/modules/trigger/trigger.module 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
$nice_name,
'page callback' => 'trigger_assign',
'page arguments' => array($module),
+ 'access callback' => 'trigger_access_check',
'access arguments' => array($module),
'type' => MENU_LOCAL_TASK,
'file' => 'trigger.admin.inc',
diff -Nru drupal6-6.16/modules/update/update.compare.inc drupal6-6.19/modules/update/update.compare.inc
--- drupal6-6.16/modules/update/update.compare.inc 2010-03-01 09:40:45.000000000 +0000
+++ drupal6-6.19/modules/update/update.compare.inc 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
$value) {
+ if (!isset($whitelist[$key])) {
+ unset($info[$key]);
+ }
+ }
+ return $info;
}
diff -Nru drupal6-6.16/modules/update/update.info drupal6-6.19/modules/update/update.info
--- drupal6-6.16/modules/update/update.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/update/update.info 2010-08-18 09:52:58.000000000 +0100
@@ -5,8 +5,8 @@
package = Core - optional
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/update/update.install drupal6-6.19/modules/update/update.install
--- drupal6-6.16/modules/update/update.install 2009-01-06 15:46:38.000000000 +0000
+++ drupal6-6.19/modules/update/update.install 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
filepath) {
+ // Since some database servers sometimes use a case-insensitive
+ // comparison by default, double check that the filename is an exact
+ // match.
+ continue;
+ }
if (user_access('view uploaded files') && ($node = node_load($file->nid)) && node_access('view', $node)) {
return array(
'Content-Type: ' . $file->filemime,
@@ -189,6 +195,9 @@
if (isset($form_state['values']['files'])) {
foreach ($form_state['values']['files'] as $fid => $file) {
+ // If the node was previewed prior to saving, $form['#node']->files[$fid]
+ // is an array instead of an object. Convert file to object for compatibility.
+ $form['#node']->files[$fid] = (object) $form['#node']->files[$fid];
$form_state['values']['files'][$fid]['new'] = !empty($form['#node']->files[$fid]->new);
}
}
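Review bot: The new cast reads `$form['#node']->files[$fid]` unconditionally, whereas the existing line below only touched it inside `!empty()`, which suppresses notices; if a submitted `$fid` is absent from `$form['#node']->files`, the cast now emits an undefined-index notice and stores an empty object under that key. Guarding the cast keeps the original's tolerance: `if (isset($form['#node']->files[$fid])) { $form['#node']->files[$fid] = (object) $form['#node']->files[$fid]; }`. The enclosing function starts and ends outside the hunk.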
diff -Nru drupal6-6.16/modules/user/user.info drupal6-6.19/modules/user/user.info
--- drupal6-6.16/modules/user/user.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/modules/user/user.info 2010-08-18 09:52:58.000000000 +0100
@@ -5,8 +5,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/modules/user/user.module drupal6-6.19/modules/user/user.module
--- drupal6-6.16/modules/user/user.module 2010-03-01 11:42:50.000000000 +0000
+++ drupal6-6.19/modules/user/user.module 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
USERNAME_MAX_LENGTH) return t('The username %name is too long: it must be %max characters or less.', array('%name' => $name, '%max' => USERNAME_MAX_LENGTH));
+ if (drupal_strlen($name) > USERNAME_MAX_LENGTH) {
+ return t('The username %name is too long: it must be %max characters or less.', array('%name' => $name, '%max' => USERNAME_MAX_LENGTH));
+ }
}
function user_validate_mail($mail) {
@@ -1154,7 +1165,7 @@
$accounts[$uid] = user_load($uid);
}
$valid = TRUE;
- if ($account = $accounts[$uid]) {
+ if (($account = $accounts[$uid]) && isset($map[$index + 1]) && $map[$index + 1] == 'edit') {
// Since the path is like user/%/edit/category_name, the category name will
// be at a position 2 beyond the index corresponding to the % wildcard.
$category_index = $index + 2;
@@ -1239,7 +1250,7 @@
if ($value) {
db_query("UPDATE {authmap} SET authname = '%s' WHERE uid = %d AND module = '%s'", $value, $account->uid, $module[1]);
if (!db_affected_rows()) {
- db_query("INSERT INTO {authmap} (authname, uid, module) VALUES ('%s', %d, '%s')", $value, $account->uid, $module[1]);
+ @db_query("INSERT INTO {authmap} (authname, uid, module) VALUES ('%s', %d, '%s')", $value, $account->uid, $module[1]);
}
}
else {
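Review bot: The `@` added to the INSERT into {authmap} silences every database error from that statement, not only the one it is presumably meant to hide (a duplicate-key failure when a concurrent request inserted the same authname between the UPDATE and this INSERT), and nothing in the hunk says why the suppression is there. Add a comment so the next maintainer neither removes it nor widens it: `// Suppress the duplicate-key error from a concurrent insert between the UPDATE above and this INSERT; the row already exists in that case.` If the intent is that narrow, re-running the UPDATE after a failed INSERT would keep other failures visible instead of discarding them. The enclosing function starts and ends outside the hunk.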
@@ -1335,7 +1346,6 @@
global $user;
if (!$user->uid) {
form_set_error('name', t('Sorry, unrecognized username or password. Have you forgotten your password?', array('@password' => url('user/password'))));
- watchdog('user', 'Login attempt failed for %user.', array('%user' => $form_state['values']['name']));
}
}
@@ -1368,6 +1378,9 @@
user_authenticate_finalize($form_values);
return $user;
}
+ else {
+ watchdog('user', 'Login attempt failed for %user.', array('%user' => $form_values['name']));
+ }
}
/**
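Review bot: The new `else` branch is now the only place a failed login is recorded, since the previous hunk (`@@ -1335,7 +1346,6 @@`) removes the watchdog() call from the form validator, and it fires only when the account lookup at the top of user_authenticate (outside the hunk) returned nothing. If that function also rejects a matched account for other reasons before reaching this branch — for example an access-rule denial reported through form_set_error() — those attempts would no longer appear in the log, which matters for brute-force detection. Confirm that every rejection path logs, or state the narrower scope in a comment: `// Only a failed name/password lookup is logged here; other rejections are reported via form_set_error().`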
@@ -1439,6 +1452,16 @@
}
}
+/**
+ * Generates a unique URL for a user to login and reset their password.
+ *
+ * @param object $account
+ * An object containing the user account.
+ *
+ * @return
+ * A unique URL that provides a one-time log in for the user, from which
+ * they can change their password.
+ */
function user_pass_reset_url($account) {
$timestamp = time();
return url("user/reset/$account->uid/$timestamp/". user_pass_rehash($account->pass, $timestamp, $account->login), array('absolute' => TRUE));
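Review bot: The new docblock for user_pass_reset_url() leaves `@return` without a type; the function returns the string built by url(), so write `@return string`. It would also help callers to say that the URL embeds the current time() and a user_pass_rehash() value derived from `$account->pass` and `$account->login`, which presumably is what makes the link stop matching once the user logs in or changes the password — worth stating in the docblock if confirmed. The function body is unchanged by this hunk.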
@@ -2504,3 +2527,18 @@
return empty($groups) ? FALSE : $groups;
}
+
+/**
+ * Prepare a destination query string for use in combination with drupal_goto().
+ *
+ * Used to direct the user back to the referring page after completing
+ * the openid login. This function prevents the login page from being
+ * returned because that page will give an access denied message to an
+ * authenticated user.
+ *
+ * @see drupal_get_destination()
+ */
+function user_login_destination() {
+ $destination = drupal_get_destination();
+ return $destination == 'destination=user%2Flogin' ? 'destination=user' : $destination;
+}
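Review bot: user_login_destination() only rewrites the destination when it equals the exact string `destination=user%2Flogin`; drupal_get_destination() url-encodes the current path together with its query string, so a login page reached with extra query parameters yields a longer value that is handed back unchanged, sending the authenticated user to a page that denies them. A prefix test covers that case: `return strpos($destination, 'destination=user%2Flogin') === 0 ? 'destination=user' : $destination;`. The docblock also says the helper serves the openid login while the function lives in user.module; naming the caller in a `@see` would make that coupling visible.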
diff -Nru drupal6-6.16/modules/user/user.pages.inc drupal6-6.19/modules/user/user.pages.inc
--- drupal6-6.16/modules/user/user.pages.inc 2009-09-16 18:54:20.000000000 +0100
+++ drupal6-6.19/modules/user/user.pages.inc 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@
$name)));
- }
// Try to load by email.
$account = user_load(array('mail' => $name, 'status' => 1));
@@ -56,6 +51,13 @@
// No success, try to load by name.
$account = user_load(array('name' => $name, 'status' => 1));
}
+ if ($account) {
+ // Blocked accounts cannot request a new password,
+ // check provided username and email against access rules.
+ if (drupal_is_denied('user', $account->name) || drupal_is_denied('mail', $account->mail)) {
+ form_set_error('name', t('%name is not allowed to request a new password.', array('%name' => $name)));
+ }
+ }
if (isset($account->uid)) {
form_set_value(array('#parents' => array('account')), $account, $form_state);
}
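Review bot: The comment above the new block says "Blocked accounts cannot request a new password", but the check beneath it is about access rules (drupal_is_denied() on name and mail); blocked accounts appear to be excluded already by the `'status' => 1` condition in the user_load() calls above. Reword it so it describes the code: `// Accounts whose name or e-mail matches a deny access rule may not request a new password.`. Note also that this error message differs from the one given for an unknown name, so an unauthenticated requester can tell a denied account from a non-existent one; if that distinction is not wanted, reuse the generic message. The enclosing validator starts outside the hunk.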
diff -Nru drupal6-6.16/themes/bluemarine/bluemarine.info drupal6-6.19/themes/bluemarine/bluemarine.info
--- drupal6-6.16/themes/bluemarine/bluemarine.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/themes/bluemarine/bluemarine.info 2010-08-18 09:52:58.000000000 +0100
@@ -5,8 +5,8 @@
core = 6.x
engine = phptemplate
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/themes/chameleon/chameleon.info drupal6-6.19/themes/chameleon/chameleon.info
--- drupal6-6.16/themes/chameleon/chameleon.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/themes/chameleon/chameleon.info 2010-08-18 09:52:58.000000000 +0100
@@ -12,8 +12,8 @@
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/themes/chameleon/marvin/marvin.info drupal6-6.19/themes/chameleon/marvin/marvin.info
--- drupal6-6.16/themes/chameleon/marvin/marvin.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/themes/chameleon/marvin/marvin.info 2010-08-18 09:52:58.000000000 +0100
@@ -7,8 +7,8 @@
core = 6.x
base theme = chameleon
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/themes/engines/phptemplate/phptemplate.engine drupal6-6.19/themes/engines/phptemplate/phptemplate.engine
--- drupal6-6.16/themes/engines/phptemplate/phptemplate.engine 2007-10-02 17:19:23.000000000 +0100
+++ drupal6-6.19/themes/engines/phptemplate/phptemplate.engine 2010-08-18 09:52:58.000000000 +0100
@@ -1,11 +1,14 @@
filename) .'/template.php';
if (file_exists($file)) {
@@ -14,14 +17,10 @@
}
/**
- * Implementation of hook_theme to tell Drupal what templates the engine
- * and the current theme use. The $existing argument will contain hooks
- * pre-defined by Drupal so that we can use that information if
- * we need to.
+ * Implementation of hook_theme().
*/
function phptemplate_theme($existing, $type, $theme, $path) {
$templates = drupal_find_theme_functions($existing, array('phptemplate', $theme));
$templates += drupal_find_theme_templates($existing, '.tpl.php', $path);
return $templates;
}
-
diff -Nru drupal6-6.16/themes/garland/garland.info drupal6-6.19/themes/garland/garland.info
--- drupal6-6.16/themes/garland/garland.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/themes/garland/garland.info 2010-08-18 09:52:58.000000000 +0100
@@ -7,8 +7,8 @@
stylesheets[all][] = style.css
stylesheets[print][] = print.css
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/themes/garland/minnelli/minnelli.info drupal6-6.19/themes/garland/minnelli/minnelli.info
--- drupal6-6.16/themes/garland/minnelli/minnelli.info 2010-03-04 00:20:08.000000000 +0000
+++ drupal6-6.19/themes/garland/minnelli/minnelli.info 2010-08-18 09:52:58.000000000 +0100
@@ -6,8 +6,8 @@
base theme = garland
stylesheets[all][] = minnelli.css
-; Information added by drupal.org packaging script on 2010-03-04
-version = "6.16"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "6.19"
project = "drupal"
-datestamp = "1267662008"
+datestamp = "1281559292"
diff -Nru drupal6-6.16/themes/garland/print.css drupal6-6.19/themes/garland/print.css
--- drupal6-6.16/themes/garland/print.css 2007-09-06 22:23:32.000000000 +0100
+++ drupal6-6.19/themes/garland/print.css 2010-08-18 09:52:58.000000000 +0100
@@ -1,4 +1,4 @@
-/* $Id: print.css,v 1.3 2007/09/06 21:23:32 goba Exp $ */
+/* $Id: print.css,v 1.3.2.1 2010/08/06 11:37:38 goba Exp $ */
/**
* Garland, for Drupal 5.0
@@ -19,7 +19,7 @@
display: none;
}
-body.sidebars, body.sideber-left, body.sidebar-right, body {
+body.sidebars, body.sidebar-left, body.sidebar-right, body {
width: 640px;
}
diff -Nru drupal6-6.16/themes/garland/template.php drupal6-6.19/themes/garland/template.php
--- drupal6-6.16/themes/garland/template.php 2009-08-10 12:32:54.000000000 +0100
+++ drupal6-6.19/themes/garland/template.php 2010-08-18 09:52:58.000000000 +0100
@@ -1,5 +1,5 @@