authorNeil Drumm2009-04-30 00:13:49 +0000
committerNeil Drumm2009-04-30 00:13:49 +0000
commit2518420df9bbd3dbdcae363df864a9d0c961c9ba (patch)
treeac9443f230aeee5500f92951bc4e325c7d9f4972
parent3a4912c843f45fb9942c7860f5b655bbda34d0dd (diff)
Drupal 5.17
-rw-r--r--CHANGELOG.txt5
-rw-r--r--includes/bootstrap.inc2
-rw-r--r--includes/common.inc9
-rw-r--r--includes/theme.inc7
-rw-r--r--modules/system/system.module2
-rw-r--r--themes/bluemarine/page.tpl.php2
-rw-r--r--themes/chameleon/chameleon.theme2
-rw-r--r--themes/garland/page.tpl.php2
-rw-r--r--themes/pushbutton/page.tpl.php2
9 files changed, 26 insertions, 7 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index d727bdc..3cdd1c6 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,7 +1,10 @@
// $Id$
-Drupal 5.17, xxxx-xx-xx (development version)
+Drupal 5.17, 2009-04-29
-----------------------
+- Fixed security issues (Cross site scripting and limited information
+ disclosure) see SA-CORE-2009-005.
+- Fixed a variety of small bugs.
Drupal 5.16, 2009-02-25
-----------------------
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 2a3fdfe..9742ee9 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -725,6 +725,8 @@ function request_uri() {
$uri = $_SERVER['SCRIPT_NAME'] .'?'. $_SERVER['QUERY_STRING'];
}
}
+ // Prevent multiple slashes to avoid cross site requests via the FAPI.
+ $uri = '/'. ltrim($uri, '/');
return $uri;
}
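Review bot: The comment on the added line understates what the normalization does and why: `ltrim($uri, '/')` strips every leading slash, not just duplicates, and the reason that matters (a request URI beginning with `//` is presumably echoed into form `action` attributes, where it reads as a scheme-relative URL pointing off-site) is only hinted at by "cross site requests via the FAPI". A fuller comment would save the next reader the inference: `// Collapse any run of leading slashes to exactly one. A request URI that starts with '//' would otherwise be emitted into form action attributes as a scheme-relative URL, sending the form submission to another host.` The hedged part (how the URI reaches form actions) should be confirmed against form.inc before it is written as fact. request_uri() begins outside this hunk.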
diff --git a/includes/common.inc b/includes/common.inc
index 32527c7..0cb2290 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -152,6 +152,15 @@ function drupal_get_headers() {
}
/**
+ * Make any final alterations to the rendered xhtml.
+ */
+function drupal_final_markup($content) {
+ // Make sure that the charset is always specified as the first element of the
+ // head region to prevent encoding-based attacks.
+ return preg_replace('/<head[^>]*>/i', "\$0\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />", $content, 1);
+}
+
+/**
* Add a feed URL for the current page.
*
* @param $url
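Review bot: The pattern `/<head[^>]*>/i` in drupal_final_markup() also matches `<header ...>` (the `[^>]*` happily consumes `er`), so a document whose first such tag is not the real head element would get the charset meta in the wrong place; anchoring the tag name with `/<head\b[^>]*>/i` closes that. preg_replace() also returns NULL on a PCRE error (for example a backtracking limit on a very large page), and as written that NULL becomes the entire page output, so the result should fall back to the unmodified content: `$result = preg_replace('/<head\b[^>]*>/i', "\$0\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />", $content, 1);` followed by `return $result === NULL ? $content : $result;`. The docblock should also say what is passed and returned, e.g. `@param $content The fully rendered page markup. @return The markup with a UTF-8 charset meta tag inserted directly after the opening head tag (unchanged if no head tag is found).`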
diff --git a/includes/theme.inc b/includes/theme.inc
index 3e8f103..2047311 100644
--- a/includes/theme.inc
+++ b/includes/theme.inc
@@ -168,7 +168,12 @@ function theme() {
$functions[$function] = theme_get_function($function);
}
if ($functions[$function]) {
- return call_user_func_array($functions[$function], $args);
+ $output = call_user_func_array($functions[$function], $args);
+ // Add final markup to the full page.
+ if ($function == 'page') {
+ $output = drupal_final_markup($output);
+ }
+ return $output;
}
}
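Review bot: The charset injection is keyed on the hook name with a loose comparison, `if ($function == 'page')`; both sides are strings here so it behaves, but `$function === 'page'` states the intent and avoids the usual loose-comparison surprises if a non-string hook name ever reaches this point. It is also worth a comment that this post-processing only covers output rendered through theme('page'): any code path that emits a full page without going through the 'page' hook would, as far as this hunk shows, not receive the charset meta, which is a limitation the next maintainer should know about, e.g. `// Only full pages rendered via the 'page' hook get the final markup pass; other output paths are not covered here.` theme() begins outside this hunk.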
diff --git a/modules/system/system.module b/modules/system/system.module
index f7dd432..40d4269 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -6,7 +6,7 @@
* Configuration system that lets administrators modify the workings of the site.
*/
-define('VERSION', '5.17-dev');
+define('VERSION', '5.17');
/**
* Implementation of hook_help().
diff --git a/themes/bluemarine/page.tpl.php b/themes/bluemarine/page.tpl.php
index 5298c1d..69f33df 100644
--- a/themes/bluemarine/page.tpl.php
+++ b/themes/bluemarine/page.tpl.php
@@ -2,8 +2,8 @@
<html xmlns="http://www.w3.org/1999/xhtml" lang="<?php print $language ?>" xml:lang="<?php print $language ?>">
<head>
- <title><?php print $head_title ?></title>
<?php print $head ?>
+ <title><?php print $head_title ?></title>
<?php print $styles ?>
<?php print $scripts ?>
<script type="text/javascript"><?php /* Needed to avoid Flash of Unstyle Content in IE */ ?> </script>
diff --git a/themes/chameleon/chameleon.theme b/themes/chameleon/chameleon.theme
index cf286e6..5daf5b7 100644
--- a/themes/chameleon/chameleon.theme
+++ b/themes/chameleon/chameleon.theme
@@ -39,8 +39,8 @@ function chameleon_page($content, $show_blocks = TRUE) {
$output = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n";
$output .= "<html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"$language\" xml:lang=\"$language\">\n";
$output .= "<head>\n";
- $output .= " <title>". ($title ? strip_tags($title) ." | ". variable_get("site_name", "Drupal") : variable_get("site_name", "Drupal") ." | ". variable_get("site_slogan", "")) ."</title>\n";
$output .= drupal_get_html_head();
+ $output .= " <title>". ($title ? strip_tags($title) ." | ". variable_get("site_name", "Drupal") : variable_get("site_name", "Drupal") ." | ". variable_get("site_slogan", "")) ."</title>\n";
$output .= drupal_get_css();
$output .= drupal_get_js();
$output .= "</head>";
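Review bot: The reordering in chameleon_page() — emitting drupal_get_html_head() before the `<title>` — is undocumented, and since the same move appears in the bluemarine, garland and pushbutton page.tpl.php templates in this commit, the reason should be stated at least once so a theme author does not "tidy" it back. The visible effect is that whatever drupal_get_html_head() returns (presumably including the charset declaration, to be confirmed against common.inc) now precedes the first content-derived text on the page; a comment such as `// The head elements (charset declaration) must come before the title, whose text is derived from content.` would capture that. Contributed themes that keep the old order are not changed by this commit, so the ordering alone is not a complete defence and relies on the separate drupal_final_markup() pass.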
diff --git a/themes/garland/page.tpl.php b/themes/garland/page.tpl.php
index 2562513..a54335d 100644
--- a/themes/garland/page.tpl.php
+++ b/themes/garland/page.tpl.php
@@ -2,8 +2,8 @@
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php print $language ?>" lang="<?php print $language ?>">
<head>
- <title><?php print $head_title ?></title>
<?php print $head ?>
+ <title><?php print $head_title ?></title>
<?php print $styles ?>
<?php print $scripts ?>
<style type="text/css" media="print">@import "<?php print base_path() . path_to_theme() ?>/print.css";</style>
diff --git a/themes/pushbutton/page.tpl.php b/themes/pushbutton/page.tpl.php
index 2a1e341..d98a2fc 100644
--- a/themes/pushbutton/page.tpl.php
+++ b/themes/pushbutton/page.tpl.php
@@ -1,9 +1,9 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="<?php print $language ?>" xml:lang="<?php print $language ?>">
<head>
- <title><?php print $head_title ?></title>
<meta http-equiv="Content-Style-Type" content="text/css" />
<?php print $head ?>
+ <title><?php print $head_title ?></title>
<?php print $styles ?>
<?php print $scripts ?>
</head>