[Pkg-drupal-commits] r1861 - in /branches/upstream/current-4.7: CHANGELOG.txt INSTALL.txt includes/bootstrap.inc includes/database.inc modules/aggregator.module modules/filter.module modules/poll.module modules/system.module modules/watchdog.module

luigi at users.alioth.debian.org luigi at users.alioth.debian.org
Fri Jan 11 14:40:55 UTC 2008


Author: luigi
Date: Fri Jan 11 14:40:55 2008
New Revision: 1861

URL: http://svn.debian.org/wsvn/pkg-drupal/?sc=1&rev=1861
Log:
[svn-upgrade] Integrating new upstream version, drupal (4.7.11)

Modified:
    branches/upstream/current-4.7/CHANGELOG.txt
    branches/upstream/current-4.7/INSTALL.txt
    branches/upstream/current-4.7/includes/bootstrap.inc
    branches/upstream/current-4.7/includes/database.inc
    branches/upstream/current-4.7/modules/aggregator.module
    branches/upstream/current-4.7/modules/filter.module
    branches/upstream/current-4.7/modules/poll.module
    branches/upstream/current-4.7/modules/system.module
    branches/upstream/current-4.7/modules/watchdog.module

Modified: branches/upstream/current-4.7/CHANGELOG.txt
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-4.7/CHANGELOG.txt?rev=1861&op=diff
==============================================================================
--- branches/upstream/current-4.7/CHANGELOG.txt (original)
+++ branches/upstream/current-4.7/CHANGELOG.txt Fri Jan 11 14:40:55 2008
@@ -1,4 +1,10 @@
-// $Id: CHANGELOG.txt,v 1.117.2.16 2007/12/06 20:20:14 killes Exp $
+// $Id: CHANGELOG.txt,v 1.117.2.18 2008/01/10 22:18:19 killes Exp $
+
+Drupal 4.7.11, 2008-01-10
+-------------------------
+- fixed a security issue (Cross site request forgery), see SA-2008-005
+- fixed a security issue (Cross site scripting, UTF8), see SA-2008-006
+- fixed a security issue (Cross site scripting, register_globals), see SA-2008-007
 
 Drupal 4.7.10, 2007-12-06
 -------------------------

Modified: branches/upstream/current-4.7/INSTALL.txt
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-4.7/INSTALL.txt?rev=1861&op=diff
==============================================================================
--- branches/upstream/current-4.7/INSTALL.txt (original)
+++ branches/upstream/current-4.7/INSTALL.txt Fri Jan 11 14:40:55 2008
@@ -1,4 +1,4 @@
-// $Id: INSTALL.txt,v 1.29.2.5 2007/06/27 18:16:45 killes Exp $
+// $Id: INSTALL.txt,v 1.29.2.6 2008/01/10 22:18:19 killes Exp $
 
 CONTENTS OF THIS FILE
 ---------------------
@@ -13,7 +13,7 @@
 REQUIREMENTS
 ------------
 
-Drupal requires a web server, PHP4 (4.3.3 or greater) or PHP5
+Drupal requires a web server, PHP4 (4.3.5 or greater) or PHP5
 (http://www.php.net/) and either MySQL (http://www.mysql.com/)
 or PostgreSQL (http://www.postgresql.org/). Your database user
 will also need sufficient privileges to run Drupal. Please

Modified: branches/upstream/current-4.7/includes/bootstrap.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-4.7/includes/bootstrap.inc?rev=1861&op=diff
==============================================================================
--- branches/upstream/current-4.7/includes/bootstrap.inc (original)
+++ branches/upstream/current-4.7/includes/bootstrap.inc Fri Jan 11 14:40:55 2008
@@ -1,5 +1,5 @@
 <?php
-// $Id: bootstrap.inc,v 1.96.2.9 2007/07/26 19:17:24 killes Exp $
+// $Id: bootstrap.inc,v 1.96.2.10 2008/01/10 22:18:19 killes Exp $
 
 /**
  * @file
@@ -610,9 +610,49 @@
 
 /**
  * Encode special characters in a plain-text string for display as HTML.
+ *
+ * Uses drupal_validate_utf8 to prevent cross site scripting attacks on
+ * Internet Explorer 6.
+ *
  */
 function check_plain($text) {
-  return htmlspecialchars($text, ENT_QUOTES);
+  return drupal_validate_utf8($text) ? htmlspecialchars($text, ENT_QUOTES) : '';
+}
+
+/**
+ * Checks whether a string is valid UTF-8.
+ *
+ * All functions designed to filter input should use drupal_validate_utf8
+ * to ensure they operate on valid UTF-8 strings to prevent bypass of the
+ * filter.
+ *
+ * When text containing an invalid UTF-8 lead byte (0xC0 - 0xFF) is presented
+ * as UTF-8 to Internet Explorer 6, the program may misinterpret subsequent
+ * bytes. When these subsequent bytes are HTML control characters such as
+ * quotes or angle brackets, parts of the text that were deemed safe by filters
+ * end up in locations that are potentially unsafe; An onerror attribute that
+ * is outside of a tag, and thus deemed safe by a filter, can be interpreted
+ * by the browser as if it were inside the tag.
+ *
+ * This function exploits preg_match behaviour (since PHP 4.3.5) when used with
+ * the u modifier as a fast way to find invalid UTF-8. When the matched string
+ * contains invalid byte sequences, it will fail silently.
+ *
+ * preg_match may not fail on 4 and 5 octet sequences, even though they
+ * are not supported by the specification.
+ *
+ * The specific preg_match behaviour is present
+ *
+ * @param $text
+ *   The text to check.
+ * @return
+ *   TRUE if the text is valid UTF-8, FALSE if not.
+ */
+function drupal_validate_utf8($text) {
+  if (strlen($text) == 0) {
+    return TRUE;
+  }
+  return (preg_match('/^./us', $text) == 1);
 }
 
 /**
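Review bot: The docblock of drupal_validate_utf8 ends in a dangling sentence, `The specific preg_match behaviour is present`, that a reader cannot complete; either finish it or drop it, since the PHP 4.3.5 dependency is already stated two paragraphs earlier. That dependency is also the check's weak spot: on a PHP build where preg_match() with the u modifier does not reject malformed input, the function answers TRUE for everything and check_plain silently loses the protection this commit adds, so the INSTALL.txt requirement bump deserves a comment next to the call, `// Relies on preg_match() rejecting invalid UTF-8 under /u (PHP >= 4.3.5); on older builds this check is a no-op.`. check_plain's docblock should also say that invalid input now yields an empty string rather than escaped text, because callers get no error or log entry when that happens.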

Modified: branches/upstream/current-4.7/includes/database.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-4.7/includes/database.inc?rev=1861&op=diff
==============================================================================
--- branches/upstream/current-4.7/includes/database.inc (original)
+++ branches/upstream/current-4.7/includes/database.inc Fri Jan 11 14:40:55 2008
@@ -1,5 +1,5 @@
 <?php
-// $Id: database.inc,v 1.56.2.4 2007/02/27 12:02:26 dries Exp $
+// $Id: database.inc,v 1.56.2.5 2008/01/10 18:51:37 killes Exp $
 
 /**
  * @file
@@ -100,7 +100,7 @@
  */
 function db_set_active($name = 'default') {
   global $db_url, $db_type, $active_db;
-  static $db_conns;
+  static $db_conns, $active_name = FALSE;
 
   if (!isset($db_conns[$name])) {
     // Initiate a new connection, using the named DB URL specified.
@@ -128,11 +128,12 @@
     $db_conns[$name] = db_connect($connect_url);
   }
 
-  $previous_db = $active_db;
+  $previous_name = $active_name;
   // Set the active connection.
+  $active_name = $name;
   $active_db = $db_conns[$name];
 
-  return array_search($previous_db, $db_conns);
+  return $previous_name;
 }
 
 /**
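Review bot: `$active_name` starts as FALSE, so the first call to db_set_active() returns FALSE rather than a connection name, and a caller that later hands that value back to restore the previous connection would ask for a connection named FALSE (array key 0), which the `isset($db_conns[$name])` branch above would presumably treat as a new, unknown database. The old array_search() return had the same FALSE case, so this is not a regression, but it is worth a comment on the return line: `// FALSE when no connection was active before this call.`. The function's docblock starts outside the hunk and should state the same.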

Modified: branches/upstream/current-4.7/modules/aggregator.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-4.7/modules/aggregator.module?rev=1861&op=diff
==============================================================================
--- branches/upstream/current-4.7/modules/aggregator.module (original)
+++ branches/upstream/current-4.7/modules/aggregator.module Fri Jan 11 14:40:55 2008
@@ -1,5 +1,5 @@
 <?php
-// $Id: aggregator.module,v 1.278.2.12 2007/01/02 18:05:41 killes Exp $
+// $Id: aggregator.module,v 1.278.2.13 2008/01/10 22:18:19 killes Exp $
 
 /**
  * @file
@@ -995,12 +995,30 @@
   return $output;
 }
 
-/**
- * Menu callback; removes all items from a feed, then redirects to the overview page.
- */
-function aggregator_admin_remove_feed($feed) {
-  aggregator_remove(aggregator_get_feed($feed));
-  drupal_goto('admin/aggregator');
+function aggregator_admin_remove_feed($fid) {
+  $feed = aggregator_get_feed($fid);
+  return confirm_form(
+    'aggregator_admin_remove_feed',
+    array(
+      'feed' => array(
+        '#type' => 'value',
+        '#value' => $feed,
+      ),
+    ),
+    t('Are you sure you want to remove all items from the feed %feed?', array('%feed' => theme('placeholder', $feed['title']))),
+    'admin/aggregator',
+    t('This action cannot be undone.'),
+    t('Remove items'),
+    t('Cancel')
+  );
+}
+
+/**
+ * Remove all items from a feed and redirect to the overview page.
+ */
+function aggregator_admin_remove_feed_submit($form_id, $form_values) {
+  aggregator_remove($form_values['feed']);
+  return 'admin/aggregator';
 }
 
 /**
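Review bot: The rewritten aggregator_admin_remove_feed() lost its docblock (the old one went with the old body), so the menu callback at `function aggregator_admin_remove_feed($fid)` is now undocumented while its new submit handler is; restore one such as `/** Menu callback; builds a confirmation form for removing all items from feed $fid. */`. Putting the destructive action behind confirm_form() is what closes the forgery issue listed in the changelog, since the removal now happens only in the submit handler after the form has been validated. An unknown `$fid` is still not handled: `$feed['title']` in the question and `$form_values['feed']` in the submit are empty if aggregator_get_feed() finds nothing, which it presumably signals with an empty result; the previous body had the same gap.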

Modified: branches/upstream/current-4.7/modules/filter.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-4.7/modules/filter.module?rev=1861&op=diff
==============================================================================
--- branches/upstream/current-4.7/modules/filter.module (original)
+++ branches/upstream/current-4.7/modules/filter.module Fri Jan 11 14:40:55 2008
@@ -1,5 +1,5 @@
 <?php
-// $Id: filter.module,v 1.122.2.7 2007/07/02 19:05:22 killes Exp $
+// $Id: filter.module,v 1.122.2.8 2008/01/10 22:18:19 killes Exp $
 
 /**
  * @file
@@ -1135,6 +1135,11 @@
  *   The format to use.
  */
 function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) {
+  // Only operate on valid UTF-8 strings. This is necessary to prevent cross
+  // site scripting issues on Internet Explorer 6.
+  if (!drupal_validate_utf8($string)) {
+    return '';
+  }
   // Store the input format
   _filter_xss_split($allowed_tags, TRUE);
   // Remove NUL characters (ignored by some browsers)
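Review bot: The early `return '';` for invalid UTF-8 is a contract change that the docblock above the hunk does not mention: callers of filter_xss() now receive an empty string for malformed input instead of a filtered version, with no error or log entry to explain the loss. Add to the function's return documentation (outside the hunk) a line such as `An empty string if $string is not valid UTF-8.`, and use the same wording on check_plain in bootstrap.inc, which this commit changes the same way. The rest of filter_xss continues past the hunk.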

Modified: branches/upstream/current-4.7/modules/poll.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-4.7/modules/poll.module?rev=1861&op=diff
==============================================================================
--- branches/upstream/current-4.7/modules/poll.module (original)
+++ branches/upstream/current-4.7/modules/poll.module Fri Jan 11 14:40:55 2008
@@ -1,5 +1,5 @@
 <?php
-// $Id: poll.module,v 1.195.2.5 2007/07/26 19:17:24 killes Exp $
+// $Id: poll.module,v 1.195.2.6 2008/01/10 18:58:52 killes Exp $
 
 /**
  * @file
@@ -175,6 +175,7 @@
 
   db_query("INSERT INTO {poll} (nid, runtime, active) VALUES (%d, %d, %d)", $node->nid, $node->runtime, $node->active);
 
+  $i = 0;
   foreach ($node->choice as $choice) {
     if ($choice['chtext'] != '') {
       db_query("INSERT INTO {poll_choices} (nid, chtext, chvotes, chorder) VALUES (%d, '%s', %d, %d)", $node->nid, $choice['chtext'], $choice['chvotes'], $i++);
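Review bot: The added `$i = 0;` carries no comment explaining why an initialisation PHP would otherwise default to null is now needed; given the register_globals entry in this release's CHANGELOG, the likely reason is that an unset `$i` could previously be supplied from the request, which is worth stating in place: `// Initialise explicitly: with register_globals on, an unset $i could come from the request.`. That reason is inferred from the CHANGELOG rather than visible in the hunk, so confirm it against the advisory before committing the wording. The enclosing function continues outside the hunk.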

Modified: branches/upstream/current-4.7/modules/system.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-4.7/modules/system.module?rev=1861&op=diff
==============================================================================
--- branches/upstream/current-4.7/modules/system.module (original)
+++ branches/upstream/current-4.7/modules/system.module Fri Jan 11 14:40:55 2008
@@ -1,12 +1,12 @@
 <?php
-// $Id: system.module,v 1.320.2.29 2007/12/06 19:49:19 killes Exp $
+// $Id: system.module,v 1.320.2.32 2008/01/10 22:18:19 killes Exp $
 
 /**
  * @file
  * Configuration system that lets administrators modify the workings of the site.
  */
 
-define('VERSION', '4.7.10');
+define('VERSION', '4.7.11');
 
 /**
  * Implementation of hook_help().
@@ -169,7 +169,7 @@
   }
 }
 
-/*
+/**
  * Returns a fieldset containing the theme select form.
  *
  * @param $description

Modified: branches/upstream/current-4.7/modules/watchdog.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-4.7/modules/watchdog.module?rev=1861&op=diff
==============================================================================
--- branches/upstream/current-4.7/modules/watchdog.module (original)
+++ branches/upstream/current-4.7/modules/watchdog.module Fri Jan 11 14:40:55 2008
@@ -1,5 +1,5 @@
 <?php
-// $Id: watchdog.module,v 1.143 2006/04/13 08:25:27 killes Exp $
+// $Id: watchdog.module,v 1.143.2.1 2008/01/10 22:18:19 killes Exp $
 
 /**
  * @file
@@ -74,6 +74,9 @@
  * Menu callback; displays a listing of log messages.
  */
 function watchdog_overview() {
+  if (ini_get('register_globals')) {
+    drupal_set_message(t('<em>register_globals</em> is enabled. Drupal requires this configuration directive to be disabled. Your site may not be secure when <em>register_globals</em> is enabled. The PHP manual has instructions for <a href="http://php.net/configuration.changes">how to change configuration settings</a>.'), 'error');
+  }
   $icons = array(WATCHDOG_NOTICE  => '',
                  WATCHDOG_WARNING => theme('image', 'misc/watchdog-warning.png', t('warning'), t('warning')),
                  WATCHDOG_ERROR   => theme('image', 'misc/watchdog-error.png', t('error'), t('error')));
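Review bot: The register_globals warning is raised only when an administrator opens the log overview, and through drupal_set_message() it reaches only that visitor; an entry in the log itself would make the misconfiguration visible to anyone reviewing the logs and to whatever monitors them, so consider also recording it with `watchdog()` alongside the message. A short why-comment above the check would help, e.g. `// register_globals lets request data populate unset variables; warn the administrator.`. ini_get() returns the directive as a string, and PHP normalises on/off in php.ini to "1"/"", so the truthiness test behaves as intended for those values.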



