summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Rothstein2014-11-19 15:18:34 -0500
committerDavid Rothstein2014-11-19 15:18:34 -0500
commit01c9f6164e9b48a7d715e07fb0d98fbe71bae87b (patch)
tree5446925593ac9546d02396e962ca519baf1d14fb
parentc71b15f68010db028f07839c226d31563f220890 (diff)
Drupal 6.346.34
-rw-r--r--CHANGELOG.txt4
-rw-r--r--includes/session.inc2
-rw-r--r--modules/system/system.module2
3 files changed, 6 insertions, 2 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 814adba..ce78b01 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,4 +1,8 @@
+Drupal 6.34, 2014-11-19
+----------------------
+- Fixed security issues (session hijacking). See SA-CORE-2014-006.
+
Drupal 6.33, 2014-08-06
----------------------
- Fixed security issues (denial of service). See SA-CORE-2014-004.
diff --git a/includes/session.inc b/includes/session.inc
index 9f671b3..540b8d9 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -41,7 +41,7 @@ function sess_read($key) {
register_shutdown_function('session_write_close');
// Handle the case of first time visitors and clients that don't store cookies (eg. web crawlers).
- if (!isset($_COOKIE[session_name()])) {
+ if (empty($key) || !isset($_COOKIE[session_name()])) {
$user = drupal_anonymous_user();
return '';
}
diff --git a/modules/system/system.module b/modules/system/system.module
index 9e852c2..4f61ce1 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -8,7 +8,7 @@
/**
* The current system version.
*/
-define('VERSION', '6.33');
+define('VERSION', '6.34');
/**
* Core API compatibility.