[Pkg-drupal-commits] r1806 - in /branches/upstream/current-4.7: ./ includes/ misc/ modules/ sites/default/

luigi at users.alioth.debian.org luigi at users.alioth.debian.org
Fri Jul 27 00:13:57 UTC 2007


Author: luigi
Date: Fri Jul 27 00:13:56 2007
New Revision: 1806

URL: http://svn.debian.org/wsvn/pkg-drupal/?sc=1&rev=1806
Log:
[svn-upgrade] Integrating new upstream version, drupal (4.7.7)

Modified:
    branches/upstream/current-4.7/CHANGELOG.txt
    branches/upstream/current-4.7/INSTALL.txt
    branches/upstream/current-4.7/includes/bootstrap.inc
    branches/upstream/current-4.7/includes/common.inc
    branches/upstream/current-4.7/includes/database.inc
    branches/upstream/current-4.7/misc/textarea.js
    branches/upstream/current-4.7/modules/block.module
    branches/upstream/current-4.7/modules/comment.module
    branches/upstream/current-4.7/modules/filter.module
    branches/upstream/current-4.7/modules/poll.module
    branches/upstream/current-4.7/modules/profile.module
    branches/upstream/current-4.7/modules/system.module
    branches/upstream/current-4.7/modules/upload.module
    branches/upstream/current-4.7/modules/user.module
    branches/upstream/current-4.7/sites/default/settings.php

Modified: branches/upstream/current-4.7/CHANGELOG.txt
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-4.7/CHANGELOG.txt?rev=1806&op=diff
==============================================================================
--- branches/upstream/current-4.7/CHANGELOG.txt (original)
+++ branches/upstream/current-4.7/CHANGELOG.txt Fri Jul 27 00:13:56 2007
@@ -1,4 +1,9 @@
-// $Id: CHANGELOG.txt,v 1.117.2.11 2007/01/29 21:48:20 killes Exp $
+// $Id: CHANGELOG.txt,v 1.117.2.12 2007/07/26 19:17:24 killes Exp $
+
+Drupal 4.7.7, 2007-07-26
+------------------------
+- fixed security issue (XSS), see SA-2007-018
+
 Drupal 4.7.6, 2007-01-29
 ------------------------
 - fixed security issue (code execution), see SA-2007-005

Modified: branches/upstream/current-4.7/INSTALL.txt
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-4.7/INSTALL.txt?rev=1806&op=diff
==============================================================================
--- branches/upstream/current-4.7/INSTALL.txt (original)
+++ branches/upstream/current-4.7/INSTALL.txt Fri Jul 27 00:13:56 2007
@@ -1,4 +1,4 @@
-// $Id: INSTALL.txt,v 1.29.2.4 2006/06/08 21:25:50 dries Exp $
+// $Id: INSTALL.txt,v 1.29.2.5 2007/06/27 18:16:45 killes Exp $
 
 CONTENTS OF THIS FILE
 ---------------------
@@ -173,7 +173,7 @@
    this. The following example crontab line will activate the cron
    tasks automatically on the hour:
 
-   0   *   *   *   *   wget -O - -q http://www.example.com/cron.php
+   0   *   *   *   *   wget -O - -q -t 1 http://www.example.com/cron.php
 
    More information about the cron scripts are available in the admin
    help pages and in the Drupal handbook at drupal.org. Example

Modified: branches/upstream/current-4.7/includes/bootstrap.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-4.7/includes/bootstrap.inc?rev=1806&op=diff
==============================================================================
--- branches/upstream/current-4.7/includes/bootstrap.inc (original)
+++ branches/upstream/current-4.7/includes/bootstrap.inc Fri Jul 27 00:13:56 2007
@@ -1,5 +1,5 @@
 <?php
-// $Id: bootstrap.inc,v 1.96.2.8 2007/01/01 17:52:00 killes Exp $
+// $Id: bootstrap.inc,v 1.96.2.9 2007/07/26 19:17:24 killes Exp $
 
 /**
  * @file
@@ -116,7 +116,7 @@
   }
 
   $confdir = 'sites';
-  $uri = explode('/', $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_FILENAME']);
+  $uri = explode('/', $_SERVER['SCRIPT_NAME'] ? $_SERVER['SCRIPT_NAME'] : $_SERVER['SCRIPT_FILENAME']);
   $server = explode('.', implode('.', array_reverse(explode(':', rtrim($_SERVER['HTTP_HOST'], '.')))));
   for ($i = count($uri) - 1; $i > 0; $i--) {
     for ($j = count($server); $j > 0; $j--) {
@@ -166,8 +166,14 @@
   else {
     // Create base URL
     $base_root = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 'https' : 'http';
-    $base_url = $base_root .= '://'. $_SERVER['HTTP_HOST'];
-    if ($dir = trim(dirname($_SERVER['PHP_SELF']), '\,/')) {
+
+    // As $_SERVER['HTTP_HOST'] is user input, ensure it only contains
+    // characters allowed in hostnames.
+    $base_url = $base_root .= '://'. preg_replace('/[^a-z0-9-:._]/i', '', $_SERVER['HTTP_HOST']);
+
+    // $_SERVER['SCRIPT_NAME'] can, in contrast to $_SERVER['PHP_SELF'], not
+    // be modified by a visitor.
+    if ($dir = trim(dirname($_SERVER['SCRIPT_NAME']), '\,/')) {
       $base_path = "/$dir";
       $base_url .= $base_path;
       $base_path .= '/';
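Review bot: The character filter applied to `$_SERVER['HTTP_HOST']` at line +100 strips characters that could break markup, but it still accepts any syntactically valid hostname the client chooses to send, so `$base_url` remains client-influenced; user_pass_submit in this same revision embeds `$base_url` in the mailed password-reset text. A defensive follow-up is to compare the filtered host against a configured value rather than trusting the header (if settings.php offers a `$base_url` override that skips this branch, confirm that and point to it in the comment). The comment should also make clear what the filter does and does not guarantee, e.g. `// Stripping unsafe characters makes the host safe to output; it does not verify that the host belongs to this site.` The enclosing conditional starts and ends outside the hunk.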
@@ -495,7 +501,7 @@
 
 /**
  * Set HTTP headers in preparation for a page response.
- * 
+ *
  * The general approach here is that anonymous users can keep a local cache of
  * the page, but must revalidate it on every request. Then, they are given a
  * '304 Not Modified' response as long as they stay logged out and the page
@@ -536,7 +542,7 @@
     // The following headers force validation of cache
     header("Expires: Sun, 19 Nov 1978 05:00:00 GMT");
     header("Cache-Control: must-revalidate");
-      
+
     // Determine if the browser accepts gzipped data.
     if (@strpos($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip') === false && function_exists('gzencode')) {
       // Strip the gzip header and run uncompress.
@@ -620,10 +626,10 @@
   }
   else {
     if (isset($_SERVER['argv'])) {
-      $uri = $_SERVER['PHP_SELF'] .'?'. $_SERVER['argv'][0];
+      $uri = $_SERVER['SCRIPT_NAME'] .'?'. $_SERVER['argv'][0];
     }
     else {
-      $uri = $_SERVER['PHP_SELF'] .'?'. $_SERVER['QUERY_STRING'];
+      $uri = $_SERVER['SCRIPT_NAME'] .'?'. $_SERVER['QUERY_STRING'];
     }
   }
 

Modified: branches/upstream/current-4.7/includes/common.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-4.7/includes/common.inc?rev=1806&op=diff
==============================================================================
--- branches/upstream/current-4.7/includes/common.inc (original)
+++ branches/upstream/current-4.7/includes/common.inc Fri Jul 27 00:13:56 2007
@@ -1,5 +1,5 @@
 <?php
-// $Id: common.inc,v 1.537.2.21 2007/01/27 16:18:52 killes Exp $
+// $Id: common.inc,v 1.537.2.24 2007/07/26 19:17:24 killes Exp $
 
 /**
  * @file
@@ -502,7 +502,7 @@
     $entry = $types[$errno] .': '. $message .' in '. $filename .' on line '. $line .'.';
 
     // Force display of error messages in update.php
-    if (variable_get('error_level', 1) == 1 || strstr($_SERVER['PHP_SELF'], 'update.php')) {
+    if (variable_get('error_level', 1) == 1 || strstr($_SERVER['SCRIPT_NAME'], 'update.php')) {
       drupal_set_message($entry, 'error');
     }
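Review bot: `strstr($_SERVER['SCRIPT_NAME'], 'update.php')` at line +157 is a substring test, so any script path containing that text (a constructed example: a file named `myupdate.php`) would also force error display; `basename($_SERVER['SCRIPT_NAME']) == 'update.php'` expresses the intent exactly. The enclosing error handler starts and ends outside the hunk.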
 
@@ -1301,14 +1301,17 @@
                               array('\r', '\n', '\x3c', '\x3e', '\x26'),
                               addslashes($var)) .'"';
     case 'array':
-      if (array_keys($var) === range(0, sizeof($var) - 1)) {
+      // Arrays in JSON can't be associative. If the array is empty or if it
+      // has sequential whole number keys starting with 0, it's not associative
+      // so we can go ahead and convert it as an array.
+      if (empty($var) || array_keys($var) === range(0, sizeof($var) - 1)) {
         $output = array();
         foreach($var as $v) {
           $output[] = drupal_to_js($v);
         }
         return '[ '. implode(', ', $output) .' ]';
       }
-      // Fall through
+      // Otherwise, fall through to convert the array as an object.
     case 'object':
       $output = array();
       foreach ($var as $k => $v) {
@@ -1330,17 +1333,19 @@
  * Notes:
  * - For esthetic reasons, we do not escape slashes. This also avoids a 'feature'
  *   in Apache where it 404s on any path containing '%2F'.
- * - mod_rewrite's unescapes %-encoded ampersands and hashes when clean URLs
- *   are used, which are interpreted as delimiters by PHP. These characters are
- *   double escaped so PHP will still see the encoded version.
+ * - mod_rewrite unescapes %-encoded ampersands, hashes, and slashes when clean
+ *   URLs are used, which are interpreted as delimiters by PHP. These
+ *   characters are double escaped so PHP will still see the encoded version.
+ * - With clean URLs, Apache changes '//' to '/', so every second slash is
+ *   double escaped.
  *
  * @param $text
  *   String to encode
  */
 function drupal_urlencode($text) {
   if (variable_get('clean_url', '0')) {
-    return str_replace(array('%2F', '%26', '%23'),
-                       array('/', '%2526', '%2523'),
+    return str_replace(array('%2F', '%26', '%23', '//'),
+                       array('/', '%2526', '%2523', '/%252F'),
                        urlencode($text));
   }
   else {
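Review bot: The new `'//'` pair at lines +201–202 only works because str_replace applies the pairs in order — the `'%2F'` → `'/'` step runs first, so an encoded `%2F%2F` becomes `//` and is then caught by the last pair — and that ordering dependence is not stated anywhere. Add a comment above the call, e.g. `// Order matters: '%2F' is decoded first so encoded double slashes are also caught by the '//' rule.` The doc text says every second slash is double escaped, which matches left-to-right non-overlapping replacement, but a run of three slashes yields `/%252F/`; a sentence confirming that is intended would help. The function's else branch continues outside the hunk.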

Modified: branches/upstream/current-4.7/includes/database.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-4.7/includes/database.inc?rev=1806&op=diff
==============================================================================
--- branches/upstream/current-4.7/includes/database.inc (original)
+++ branches/upstream/current-4.7/includes/database.inc Fri Jul 27 00:13:56 2007
@@ -1,5 +1,5 @@
 <?php
-// $Id: database.inc,v 1.56.2.3 2007/01/04 19:45:04 killes Exp $
+// $Id: database.inc,v 1.56.2.4 2007/02/27 12:02:26 dries Exp $
 
 /**
  * @file
@@ -217,7 +217,7 @@
 /**
  * Helper function for db_rewrite_sql.
  *
- * Collects JOIN and WHERE statements via hook_sql.
+ * Collects JOIN and WHERE statements via hook_db_rewrite_sql()
  * Decides whether to select primary_key or DISTINCT(primary_key)
  *
  * @param $query

Modified: branches/upstream/current-4.7/misc/textarea.js
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-4.7/misc/textarea.js?rev=1806&op=diff
==============================================================================
--- branches/upstream/current-4.7/misc/textarea.js (original)
+++ branches/upstream/current-4.7/misc/textarea.js Fri Jul 27 00:13:56 2007
@@ -1,4 +1,4 @@
-// $Id: textarea.js,v 1.9.2.2 2006/12/01 14:57:29 killes Exp $
+// $Id: textarea.js,v 1.9.2.3 2007/05/27 20:54:42 killes Exp $
 
 if (isJsEnabled()) {
   addLoadEvent(textAreaAutoAttach);
@@ -47,9 +47,11 @@
   this.element.style.width = '100%';
   this.element.style.height = this.dimensions.height +'px';
 
-  // Wrap textarea
+  // Wrap textarea, working around an IE margin bug.
   removeNode(this.element);
-  this.wrapper.insertBefore(this.element, this.grippie);
+  this.iewrap = document.createElement('span');
+  this.iewrap.appendChild(this.element);
+  this.wrapper.insertBefore(this.iewrap, this.grippie);
 
   // Measure difference between desired and actual textarea dimensions to account for padding/borders
   this.widthOffset = dimensions(this.wrapper).width - this.dimensions.width;

Modified: branches/upstream/current-4.7/modules/block.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-4.7/modules/block.module?rev=1806&op=diff
==============================================================================
--- branches/upstream/current-4.7/modules/block.module (original)
+++ branches/upstream/current-4.7/modules/block.module Fri Jul 27 00:13:56 2007
@@ -1,5 +1,5 @@
 <?php
-// $Id: block.module,v 1.206.2.7 2006/11/14 10:46:07 killes Exp $
+// $Id: block.module,v 1.206.2.9 2007/03/25 21:30:06 killes Exp $
 
 /**
  * @file

Modified: branches/upstream/current-4.7/modules/comment.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-4.7/modules/comment.module?rev=1806&op=diff
==============================================================================
--- branches/upstream/current-4.7/modules/comment.module (original)
+++ branches/upstream/current-4.7/modules/comment.module Fri Jul 27 00:13:56 2007
@@ -1,5 +1,5 @@
 <?php
-// $Id: comment.module,v 1.455.2.15 2007/01/29 21:39:27 killes Exp $
+// $Id: comment.module,v 1.455.2.16 2007/05/27 16:11:26 killes Exp $
 
 /**
  * @file
@@ -546,13 +546,6 @@
   global $user;
   if (user_access('post comments') && (user_access('administer comments') || node_comment_mode($edit['nid']) == COMMENT_NODE_READ_WRITE)) {
     if (!form_get_errors()) {
-      // Check for duplicate comments.  Note that we have to use the
-      // validated/filtered data to perform such check.
-      $duplicate = db_result(db_query("SELECT COUNT(cid) FROM {comments} WHERE pid = %d AND nid = %d AND subject = '%s' AND comment = '%s'", $edit['pid'], $edit['nid'], $edit['subject'], $edit['comment']), 0);
-      if ($duplicate != 0) {
-        watchdog('content', t('Comment: duplicate %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_WARNING);
-      }
-
       if ($edit['cid']) {
         // Update the comment in the database.
         db_query("UPDATE {comments} SET status = %d, timestamp = %d, subject = '%s', comment = '%s', format = %d, uid = %d, name = '%s', mail = '%s', homepage = '%s' WHERE cid = %d", $edit['status'], $edit['timestamp'], $edit['subject'], $edit['comment'], $edit['format'], $edit['uid'], $edit['name'], $edit['mail'], $edit['homepage'], $edit['cid']);
@@ -567,6 +560,13 @@
         watchdog('content', t('Comment: updated %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid']));
       }
       else {
+        // Check for duplicate comments.  Note that we have to use the
+        // validated/filtered data to perform such check.
+        $duplicate = db_result(db_query("SELECT COUNT(cid) FROM {comments} WHERE pid = %d AND nid = %d AND subject = '%s' AND comment = '%s'", $edit['pid'], $edit['nid'], $edit['subject'], $edit['comment']), 0);
+        if ($duplicate != 0) {
+          watchdog('content', t('Comment: duplicate %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_WARNING);
+        }
+  
         // Add the comment to database.
         $status = user_access('post comments without approval') ? COMMENT_PUBLISHED : COMMENT_NOT_PUBLISHED;
         $roles = variable_get('comment_roles', array());
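Review bot: The duplicate check now at the top of the else branch (lines +298–303) still only records a watchdog warning; the insert that follows runs regardless, so a duplicate comment is stored anyway. If logging-only is the intent, the comment should say so, e.g. `// Duplicates are only logged, not rejected.`; otherwise set a form error or return before the insert. Line +304 consists of trailing whitespace only. The enclosing function begins before and ends after this hunk.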

Modified: branches/upstream/current-4.7/modules/filter.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-4.7/modules/filter.module?rev=1806&op=diff
==============================================================================
--- branches/upstream/current-4.7/modules/filter.module (original)
+++ branches/upstream/current-4.7/modules/filter.module Fri Jul 27 00:13:56 2007
@@ -1,5 +1,5 @@
 <?php
-// $Id: filter.module,v 1.122.2.6 2007/01/26 00:11:03 killes Exp $
+// $Id: filter.module,v 1.122.2.7 2007/07/02 19:05:22 killes Exp $
 
 /**
  * @file
@@ -1083,7 +1083,7 @@
       $chunk = preg_replace('!(</'. $block .'>)!', "$1\n\n", $chunk); // Space things out a little
       $chunk = preg_replace("/\n\n+/", "\n\n", $chunk); // take care of duplicates
       $chunk = preg_replace('/\n?(.+?)(?:\n\s*\n|\z)/s', "<p>$1</p>\n", $chunk); // make paragraphs, including one at the end
-      $chunk = preg_replace('|<p>\s*?</p>\n|', '', $chunk); // under certain strange conditions it could create a P of entirely whitespace
+      $chunk = preg_replace('|<p>\s*</p>\n|', '', $chunk); // under certain strange conditions it could create a P of entirely whitespace
       $chunk = preg_replace("|<p>(<li.+?)</p>|", "$1", $chunk); // problem with nested lists
       $chunk = preg_replace('|<p><blockquote([^>]*)>|i', "<blockquote$1><p>", $chunk);
       $chunk = str_replace('</blockquote></p>', '</p></blockquote>', $chunk);

Modified: branches/upstream/current-4.7/modules/poll.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-4.7/modules/poll.module?rev=1806&op=diff
==============================================================================
--- branches/upstream/current-4.7/modules/poll.module (original)
+++ branches/upstream/current-4.7/modules/poll.module Fri Jul 27 00:13:56 2007
@@ -1,5 +1,5 @@
 <?php
-// $Id: poll.module,v 1.195.2.4 2007/01/04 20:28:41 killes Exp $
+// $Id: poll.module,v 1.195.2.5 2007/07/26 19:17:24 killes Exp $
 
 /**
  * @file
@@ -282,7 +282,9 @@
   $teaser = NULL;
   if (is_array($node->choice)) {
     foreach ($node->choice as $k => $choice) {
-      $teaser .= '* '. $choice['chtext'] .'\n';
+      if ($choice['chtext'] != '') {
+        $teaser .= '* '. check_plain($choice['chtext']) ."\n";
+      }
     }
   }
   return $teaser;
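Review bot: `$choice['chtext'] != ''` at line +348 is a loose comparison; `$choice['chtext'] !== ''` states the intent (skip only empty strings) without depending on PHP's type juggling. The change from `'\n'` to `"\n"` at line +349 is a real fix, since the single-quoted form inserted a literal backslash and n, and a comment such as `// Double quotes: a real newline is wanted between choices.` would keep a later editor from reverting it. The enclosing function starts outside the hunk.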

Modified: branches/upstream/current-4.7/modules/profile.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-4.7/modules/profile.module?rev=1806&op=diff
==============================================================================
--- branches/upstream/current-4.7/modules/profile.module (original)
+++ branches/upstream/current-4.7/modules/profile.module Fri Jul 27 00:13:56 2007
@@ -1,5 +1,5 @@
 <?php
-// $Id: profile.module,v 1.154.2.7 2007/01/26 00:29:32 killes Exp $
+// $Id: profile.module,v 1.154.2.9 2007/07/26 19:17:24 killes Exp $
 
 /**
  * @file
@@ -94,7 +94,7 @@
     $fields = array();
     $result = db_query('SELECT name, title, weight, visibility FROM {profile_fields} WHERE visibility IN (%d, %d) ORDER BY weight', PROFILE_PUBLIC, PROFILE_PUBLIC_LISTINGS);
     while ($record = db_fetch_object($result)) {
-      $fields[$record->name] = $record->title;
+      $fields[$record->name] = check_plain($record->title);
     }
     $fields['user_profile'] = t('Link to full user profile');
     $form['profile_block_author_fields'] = array('#type' => 'checkboxes',
@@ -373,7 +373,7 @@
   $result = db_query('SELECT * FROM {profile_fields} ORDER BY category, weight');
   $rows = array();
   while ($field = db_fetch_object($result)) {
-    $rows[] = array(check_plain($field->title), $field->name, _profile_field_types($field->type), $field->category, l(t('edit'), "admin/settings/profile/edit/$field->fid"), l(t('delete'), "admin/settings/profile/delete/$field->fid"));
+    $rows[] = array(check_plain($field->title), check_plain($field->name), _profile_field_types($field->type), $field->category, l(t('edit'), "admin/settings/profile/edit/$field->fid"), l(t('delete'), "admin/settings/profile/delete/$field->fid"));
   }
   if (count($rows) == 0) {
     $rows[] = array(array('data' => t('No fields defined.'), 'colspan' => '6'));
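Review bot: In the same row at line +381, `$field->category` is still passed unescaped while `title` and `name` now go through `check_plain()`; all three come from the same query and land in the same rendered table, so the row should use `check_plain($field->category)` as well, unless the table theme escapes cell data (nothing in the visible code shows that it does). The enclosing function starts and ends outside the hunk.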
@@ -619,11 +619,11 @@
     // Use LOWER('%s') instead of PHP's strtolower() to avoid UTF-8 conversion issues.
   }
 
-  $w = 0;
+  $w = 1;
   while ($field = db_fetch_object($result)) {
     $category = $field->category;
     if (!isset($fields[$category])) {
-      $fields[$category] = array('#type' => 'fieldset', '#title' => $category, '#weight' => $w++);
+      $fields[$category] = array('#type' => 'fieldset', '#title' => check_plain($category), '#weight' => $w++);
     }
     switch ($field->type) {
       case 'textfield':
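Review bot: `$w = 1;` at line +390 changes the starting weight of the category fieldsets from 0 to 1 without any explanation, and it is unrelated to the escaping fix in the same hunk. A comment stating the reason belongs on that line, e.g. `// Start at 1 so category fieldsets sort after weight-0 form elements — confirm.` The enclosing function starts and ends outside the hunk.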
@@ -748,7 +748,7 @@
         $output .= "<p>$field->value</p>\n";
       }
       else {
-        $output .= "<p><strong>$field->title</strong><br />$field->value</p>\n";
+        $output .= '<p><strong>'. check_plain($field->title) ."</strong><br />$field->value</p>\n";
       }
     }
   }

Modified: branches/upstream/current-4.7/modules/system.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-4.7/modules/system.module?rev=1806&op=diff
==============================================================================
--- branches/upstream/current-4.7/modules/system.module (original)
+++ branches/upstream/current-4.7/modules/system.module Fri Jul 27 00:13:56 2007
@@ -1,12 +1,12 @@
 <?php
-// $Id: system.module,v 1.320.2.21 2007/01/29 21:39:28 killes Exp $
+// $Id: system.module,v 1.320.2.23 2007/07/26 21:25:22 killes Exp $
 
 /**
  * @file
  * Configuration system that lets administrators modify the workings of the site.
  */
 
-define('VERSION', '4.7.6');
+define('VERSION', '4.7.8');
 
 /**
  * Implementation of hook_help().
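Review bot: `define('VERSION', '4.7.8');` at line +425 does not match the release this revision integrates: the commit log says 4.7.7 and the CHANGELOG hunk adds a `Drupal 4.7.7, 2007-07-26` entry. One of the two is wrong; if the upstream tarball really carries 4.7.8, the CHANGELOG entry and log message should say so, otherwise the constant should read `define('VERSION', '4.7.7');`.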

Modified: branches/upstream/current-4.7/modules/upload.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-4.7/modules/upload.module?rev=1806&op=diff
==============================================================================
--- branches/upstream/current-4.7/modules/upload.module (original)
+++ branches/upstream/current-4.7/modules/upload.module Fri Jul 27 00:13:56 2007
@@ -1,5 +1,5 @@
 <?php
-// $Id: upload.module,v 1.100.2.12 2007/01/01 18:10:05 killes Exp $
+// $Id: upload.module,v 1.100.2.13 2007/03/08 08:22:07 killes Exp $
 
 /**
  * @file
@@ -479,8 +479,10 @@
   $header = array(t('Attachment'), t('Size'));
   $rows = array();
   foreach ($files as $file) {
-    if ($file->list) {
-      $href = $file->fid ? file_create_url($file->filepath) : url(file_create_filename($file->filename, file_create_path()));
+    $file = (object)$file;
+    if ($file->list && !$file->remove) {
+      // Generate valid URL for both existing attachments and preview of new attachments (these have 'upload' in fid)
+      $href = file_create_url((strpos($file->fid, 'upload') === FALSE ? $file->filepath : file_create_filename($file->filename, file_create_path())));
       $text = $file->description ? $file->description : $file->filename;
       $rows[] = array(l($text, $href), format_size($file->filesize));
     }
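Review bot: `!$file->remove` at line +449 reads a property that may not exist on every element after the `(object)` cast — attachments loaded from the database rather than from the form presumably lack it (confirm) — which raises a notice; `empty($file->remove)` covers both cases. The same applies to `$file->fid` at line +451: a missing fid raises a notice, `strpos()` on an empty haystack returns FALSE, and the existing-file branch is then chosen silently. The enclosing function starts and ends outside the hunk.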

Modified: branches/upstream/current-4.7/modules/user.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-4.7/modules/user.module?rev=1806&op=diff
==============================================================================
--- branches/upstream/current-4.7/modules/user.module (original)
+++ branches/upstream/current-4.7/modules/user.module Fri Jul 27 00:13:56 2007
@@ -1,5 +1,5 @@
 <?php
-// $Id: user.module,v 1.612.2.28 2007/01/29 19:37:48 killes Exp $
+// $Id: user.module,v 1.612.2.31 2007/07/26 19:17:24 killes Exp $
 
 /**
  * @file
@@ -397,10 +397,32 @@
  *    <em>When sending mail, the mail must contain a From header.</em>
  * @return Returns TRUE if the mail was successfully accepted for delivery, FALSE otherwise.
  */
-function user_mail($mail, $subject, $message, $header) {
+function user_mail($mail, $subject, $message, $header = NULL) {
+  $defaults = array(
+   'MIME-Version' => '1.0',
+   'Content-Type' => 'text/plain; charset=UTF-8; format=flowed',
+   'Content-Transfer-Encoding' => '8Bit',
+   'X-Mailer' => 'Drupal'
+   );
+  // To prevent e-mail from looking like spam, the addresses in the Sender and
+  // Return-Path headers should have a domain authorized to use the originating
+  // SMTP server.  Errors-To is redundant, but shouldn't hurt.
+  $default_from = variable_get('site_mail', ini_get('sendmail_from'));
+  if ($default_from) {
+    $defaults['From'] = $defaults['Reply-To'] = $defaults['Sender'] = $defaults['Return-Path'] = $defaults['Errors-To'] = $default_from;
+  }
+  $mimeheaders = array();
+  foreach ($defaults as $name => $value) {
+    $mimeheaders[] = $name .': '. mime_header_encode($value);
+  }
+  $headers = join("\n", $mimeheaders);
+  if (!is_null($header)) {
+    $headers .="\n".$header;
+  }
+
   if (variable_get('smtp_library', '') && file_exists(variable_get('smtp_library', ''))) {
    include_once './' . variable_get('smtp_library', '');
-    return user_mail_wrapper($mail, $subject, $message, $header);
+    return user_mail_wrapper($mail, $subject, $message, $headers);
   }
   else {
     /*
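Review bot: The caller-supplied `$header` is appended after the defaults at line +493, so a caller that passes its own `From:` (or any header already present in `$defaults`) produces a duplicate header instead of overriding the default; if overriding is intended, merge the caller's headers into `$defaults` by name before the encoding loop, otherwise document that `$header` must only carry headers not set here. When both `site_mail` and `sendmail_from` are empty, no `From` header is emitted at all, which contradicts the docblock above (`the mail must contain a From header`), and the callers changed in this commit no longer supply one. The `$defaults` array at lines +474–479 is indented with three spaces, unlike the rest of the function. The mail() branch of this function continues outside the hunk.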
@@ -427,7 +449,7 @@
       $mail,
       mime_header_encode($subject),
       str_replace("\r", '', $message),
-      "MIME-Version: 1.0\nContent-Type: text/plain; charset=UTF-8; format=flowed\nContent-transfer-encoding: 8Bit\n" . $header
+      $headers
     );
   }
 }
@@ -677,7 +699,7 @@
   $output .= theme('user_picture', $account);
   foreach ($fields as $category => $items) {
     if (strlen($category) > 0) {
-      $output .= '<h2 class="title">'. $category .'</h2>';
+      $output .= '<h2 class="title">'. check_plain($category) .'</h2>';
     }
     $output .= '<dl>';
     foreach ($items as $item) {
@@ -928,17 +950,17 @@
   if ($form_values['name']) {
     if (user_is_blocked($form_values['name'])) {
       // blocked in user administration
-      form_set_error('login', t('The username %name has not been activated or is blocked.', array('%name' => theme('placeholder', $form_values['name']))));
+      form_set_error('name', t('The username %name has not been activated or is blocked.', array('%name' => theme('placeholder', $form_values['name']))));
     }
     else if (drupal_is_denied('user', $form_values['name'])) {
       // denied by access controls
-      form_set_error('login', t('The name %name is a reserved username.', array('%name' => theme('placeholder', $form_values['name']))));
+      form_set_error('name', t('The name %name is a reserved username.', array('%name' => theme('placeholder', $form_values['name']))));
     }
     else if ($form_values['pass']) {
       $user = user_authenticate($form_values['name'], trim($form_values['pass']));
 
       if (!$user->uid) {
-        form_set_error('login', t('Sorry. Unrecognized username or password.') .' '. l(t('Have you forgotten your password?'), 'user/password'));
+        form_set_error('name', t('Sorry. Unrecognized username or password.') .' '. l(t('Have you forgotten your password?'), 'user/password'));
         watchdog('user', t('Login attempt failed for %user.', array('%user' => theme('placeholder', $form_values['name']))));
       }
     }
@@ -1073,14 +1095,12 @@
   global $base_url;
 
   $account = $form_values['account'];
-  $from = variable_get('site_mail', ini_get('sendmail_from'));
 
   // Mail one time login URL and instructions.
   $variables = array('%username' => $account->name, '%site' => variable_get('site_name', 'drupal'), '%login_url' => user_pass_reset_url($account), '%uri' => $base_url, '%uri_brief' => substr($base_url, strlen('http://')), '%mailto' => $account->mail, '%date' => format_date(time()), '%login_uri' => url('user', NULL, NULL, TRUE), '%edit_uri' => url('user/'. $account->uid .'/edit', NULL, NULL, TRUE));
   $subject = _user_mail_text('pass_subject', $variables);
   $body = _user_mail_text('pass_body', $variables);
-  $headers = "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from";
-  $mail_success = user_mail($account->mail, $subject, $body, $headers);
+  $mail_success = user_mail($account->mail, $subject, $body);
 
   if ($mail_success) {
     watchdog('user', t('Password reset instructions mailed to %name at %email.', array('%name' => theme('placeholder', $account->name), '%email' => theme('placeholder', $account->mail))));
@@ -1239,7 +1259,6 @@
   $name = $form_values['name'];
   $pass = $admin ? $form_values['pass'] : user_password();
   $notify = $form_values['notify'];
-  $from = variable_get('site_mail', ini_get('sendmail_from'));
 
   if (!$admin && array_intersect(array_keys($form_values), array('uid', 'roles', 'init', 'session', 'status'))) {
     watchdog('security', t('Detected malicious attempt to alter protected user fields.'), WATCHDOG_WARNING);
@@ -1255,7 +1274,7 @@
 
   // The first user may login immediately, and receives a customized welcome e-mail.
   if ($account->uid == 1) {
-    user_mail($mail, t('Drupal user account details for %s', array('%s' => $name)), strtr(t("%username,\n\nYou may now login to %uri using the following username and password:\n\n  username: %username\n  password: %password\n\n%edit_uri\n\n--drupal"), $variables), "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from");
+    user_mail($mail, t('Drupal user account details for %s', array('%s' => $name)), strtr(t("%username,\n\nYou may now login to %uri using the following username and password:\n\n  username: %username\n  password: %password\n\n%edit_uri\n\n--drupal"), $variables));
     drupal_set_message(t('<p>Welcome to Drupal. You are user #1, which gives you full and immediate access.  All future registrants will receive their passwords via e-mail, so please make sure your website e-mail address is set properly under the general settings on the <a href="%settings">settings page</a>.</p><p> Your password is <strong>%pass</strong>. You may change your password below.</p>', array('%pass' => $pass, '%settings' => url('admin/settings'))));
     user_authenticate($account->name, trim($pass));
 
@@ -1276,7 +1295,7 @@
       $subject = $notify ? _user_mail_text('admin_subject', $variables) : _user_mail_text('welcome_subject', $variables);
       $body = $notify ? _user_mail_text('admin_body', $variables) : _user_mail_text('welcome_body', $variables);
 
-      user_mail($mail, $subject, $body, "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from");
+      user_mail($mail, $subject, $body);
 
       if ($notify) {
         drupal_set_message(t('Password and further instructions have been e-mailed to the new user %user.', array('%user' => theme('placeholder', $name))));
@@ -1292,8 +1311,8 @@
       $subject = _user_mail_text('approval_subject', $variables);
       $body = _user_mail_text('approval_body', $variables);
 
-      user_mail($mail, $subject, $body, "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from");
-      user_mail(variable_get('site_mail', ini_get('sendmail_from')), $subject, t("%u has applied for an account.\n\n%uri", array('%u' => $account->name, '%uri' => url("user/$account->uid/edit", NULL, NULL, TRUE))), "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from");
+      user_mail($mail, $subject, $body);
+      user_mail(variable_get('site_mail', ini_get('sendmail_from')), $subject, t("%u has applied for an account.\n\n%uri", array('%u' => $account->name, '%uri' => url("user/$account->uid/edit", NULL, NULL, TRUE))));
       drupal_set_message(t('Thank you for applying for an account. Your account is currently pending approval by the site administrator.<br />In the meantime, your password and further instructions have been sent to your e-mail address.'));
 
     }

Modified: branches/upstream/current-4.7/sites/default/settings.php
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-4.7/sites/default/settings.php?rev=1806&op=diff
==============================================================================
--- branches/upstream/current-4.7/sites/default/settings.php (original)
+++ branches/upstream/current-4.7/sites/default/settings.php Fri Jul 27 00:13:56 2007
@@ -1,5 +1,5 @@
 <?php
-// $Id: settings.php,v 1.27.2.2 2007/01/14 14:17:53 killes Exp $
+// $Id: settings.php,v 1.27.2.4 2007/07/26 19:17:25 killes Exp $
 
 /**
  * @file
@@ -131,17 +131,29 @@
 ini_set('url_rewriter.tags',        '');
 
 /**
- * We try to set the correct cookie domain. If you are experiencing problems
- * try commenting out the code below or specifying the cookie domain by hand.
+ * We try to set the correct cookie domain.
  */
 if (isset($_SERVER['HTTP_HOST'])) {
   $domain = '.'. preg_replace('`^www.`', '', $_SERVER['HTTP_HOST']);
   // Per RFC 2109, cookie domains must contain at least one dot other than the
   // first. For hosts such as 'localhost', we don't set a cookie domain.
   if (count(explode('.', $domain)) > 2) {
-    ini_set('session.cookie_domain', $domain);
+    // We need to use escaping because $_SERVER['HTTP_HOST'] can be modified
+    // by a visitor.
+    ini_set('session.cookie_domain', check_plain($domain));
   }
 }
+
+/**
+ * On some sites, multiple domains or subdomains may point to the same site.
+ * For instance, example.com may redirect to foo.example.com. In that case,
+ * the browser may confuse the cookies between the two domains, resulting in
+ * an inability to log in. In that case, uncomment the line below and set
+ * it to the more generic domain name. For instance, .example.com is more
+ * generic than .foo.example.com. Remember the leading period on the domain
+ * name, even if you wouldn't type it in your browser.
+ */
+#ini_set('session.cookie_domain', '.example.com');
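Review bot: `check_plain($domain)` at line +624 applies HTML entity escaping to a value that is never rendered as HTML; a Host header containing `<` or `&` becomes `&lt;` or `&amp;`, which is not a valid cookie domain, so the browser will most likely drop the cookie and sessions silently fail rather than being protected. The fitting check is the one bootstrap.inc uses in this same revision — strip or reject characters not allowed in hostnames, e.g. `ini_set('session.cookie_domain', preg_replace('/[^a-z0-9-:._]/i', '', $domain));` — and the comment should say the goal is a well-formed hostname, not HTML safety. The `^www.` pattern on the context line above uses an unescaped dot and so matches any character after `www`, though that predates this change.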
 
 /**
  * Variable overrides:



