Drupal 6.136.13

11 files changed, 75 insertions, 13 deletions

diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 8f0ea52..706a0fb 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,7 +1,10 @@
 // $Id$
 
-Drupal 6.13-dev, xxxx-xx-xx (development release)
+Drupal 6.13, 2009-07-01
 ----------------------
+- Fixed security issues (Cross site scripting, Input format access bypass and
+  Password leakage in URL), see SA-CORE-2009-007.
+- Fixed a variety of small bugs.
 
 Drupal 6.12, 2009-05-13
 ----------------------
@@ -189,6 +192,11 @@ Drupal 6.0, 2008-02-13
 - Removed old system updates. Updates from Drupal versions prior to 5.x will
   require upgrading to 5.x before upgrading to 6.x.
 
+Drupal 5.19, 2009-07-01
+-----------------------
+- Fixed security issues (Cross site scripting and Password leakage in URL), see SA-CORE-2009-007.
+- Fixed a variety of small bugs.
+
 Drupal 5.18, 2009-05-13
 ----------------------
 - Fixed security issues (Cross site scripting), see SA-CORE-2009-006.
diff --git a/includes/common.inc b/includes/common.inc
index 1165e10..5db1fe6 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -587,7 +587,7 @@ function drupal_error_handler($errno, $message, $filename, $line, $context) {
     return;
   }
 
-  if ($errno & (E_ALL)) {
+  if ($errno & (E_ALL ^ E_NOTICE)) {
     $types = array(1 => 'error', 2 => 'warning', 4 => 'parse error', 8 => 'notice', 16 => 'core error', 32 => 'core warning', 64 => 'compile error', 128 => 'compile warning', 256 => 'user error', 512 => 'user warning', 1024 => 'user notice', 2048 => 'strict warning', 4096 => 'recoverable fatal error');
 
     // For database errors, we want the line number/file name of the place that
diff --git a/includes/pager.inc b/includes/pager.inc
index 68e453a..340fd8f 100644
--- a/includes/pager.inc
+++ b/includes/pager.inc
@@ -85,7 +85,7 @@ function pager_query($query, $limit = 10, $element = 0, $count_query = NULL) {
 function pager_get_querystring() {
   static $string = NULL;
   if (!isset($string)) {
-    $string = drupal_query_string_encode($_REQUEST, array_merge(array('q', 'page'), array_keys($_COOKIE)));
+    $string = drupal_query_string_encode($_REQUEST, array_merge(array('q', 'page', 'pass'), array_keys($_COOKIE)));
   }
   return $string;
 }
diff --git a/includes/tablesort.inc b/includes/tablesort.inc
index 9c39c5c..9249be7 100644
--- a/includes/tablesort.inc
+++ b/includes/tablesort.inc
@@ -136,7 +136,7 @@ function tablesort_cell($cell, $header, $ts, $i) {
  *   except for those pertaining to table sorting.
  */
 function tablesort_get_querystring() {
-  return drupal_query_string_encode($_REQUEST, array_merge(array('q', 'sort', 'order'), array_keys($_COOKIE)));
+  return drupal_query_string_encode($_REQUEST, array_merge(array('q', 'sort', 'order', 'pass'), array_keys($_COOKIE)));
 }
 
 /**
diff --git a/modules/comment/comment.module b/modules/comment/comment.module
index 7bc02dd..ee09bef 100644
--- a/modules/comment/comment.module
+++ b/modules/comment/comment.module
@@ -936,7 +936,7 @@ function comment_render($node, $cid = 0) {
 
     if ($cid && is_numeric($cid)) {
       // Single comment view.
-      $query = 'SELECT c.cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, c.homepage, u.uid, u.name AS registered_name, u.signature, u.picture, u.data, c.status FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d';
+      $query = 'SELECT c.cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, c.homepage, u.uid, u.name AS registered_name, u.signature, u.signature_format, u.picture, u.data, c.status FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d';
       $query_args = array($cid);
       if (!user_access('administer comments')) {
         $query .= ' AND c.status = %d';
@@ -957,7 +957,7 @@ function comment_render($node, $cid = 0) {
     else {
       // Multiple comment view
       $query_count = 'SELECT COUNT(*) FROM {comments} c WHERE c.nid = %d';
-      $query = 'SELECT c.cid as cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, c.homepage, u.uid, u.name AS registered_name, u.signature, u.picture, u.data, c.thread, c.status FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.nid = %d';
+      $query = 'SELECT c.cid as cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, c.homepage, u.uid, u.name AS registered_name, u.signature, u.signature_format, u.picture, u.data, c.thread, c.status FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.nid = %d';
 
       $query_args = array($nid);
       if (!user_access('administer comments')) {
@@ -1468,7 +1468,7 @@ function comment_form_add_preview($form, &$form_state) {
   $output = '';
 
   if ($edit['pid']) {
-    $comment = db_fetch_object(db_query('SELECT c.*, u.uid, u.name AS registered_name, u.signature, u.picture, u.data FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d AND c.status = %d', $edit['pid'], COMMENT_PUBLISHED));
+    $comment = db_fetch_object(db_query('SELECT c.*, u.uid, u.name AS registered_name, u.signature, u.signature_format, u.picture, u.data FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d AND c.status = %d', $edit['pid'], COMMENT_PUBLISHED));
     $comment = drupal_unpack($comment);
     $comment->name = $comment->uid ? $comment->registered_name : $comment->name;
     $output .= theme('comment_view', $comment, $node);
@@ -1778,14 +1778,14 @@ function theme_comment_thread_expanded($comment, $node) {
 function theme_comment_post_forbidden($node) {
   global $user;
   static $authenticated_post_comments;
-  
+
   if (!$user->uid) {
     if (!isset($authenticated_post_comments)) {
       // We only output any link if we are certain, that users get permission
       // to post comments by logging in. We also locally cache this information.
       $authenticated_post_comments = array_key_exists(DRUPAL_AUTHENTICATED_RID, user_roles(TRUE, 'post comments') + user_roles(TRUE, 'post comments without approval'));
     }
-    
+
     if ($authenticated_post_comments) {
       // We cannot use drupal_get_destination() because these links
       // sometimes appear on /node and taxonomy listing pages.
diff --git a/modules/comment/comment.pages.inc b/modules/comment/comment.pages.inc
index 0bf1689..e318fa1 100644
--- a/modules/comment/comment.pages.inc
+++ b/modules/comment/comment.pages.inc
@@ -70,7 +70,7 @@ function comment_reply($node, $pid = NULL) {
       // $pid indicates that this is a reply to a comment.
       if ($pid) {
         // load the comment whose cid = $pid
-        if ($comment = db_fetch_object(db_query('SELECT c.*, u.uid, u.name AS registered_name, u.signature, u.picture, u.data FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d AND c.status = %d', $pid, COMMENT_PUBLISHED))) {
+        if ($comment = db_fetch_object(db_query('SELECT c.*, u.uid, u.name AS registered_name, u.signature, u.signature_format, u.picture, u.data FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d AND c.status = %d', $pid, COMMENT_PUBLISHED))) {
           // If that comment exists, make sure that the current comment and the parent comment both
           // belong to the same parent node.
           if ($comment->nid != $node->nid) {
diff --git a/modules/forum/forum.pages.inc b/modules/forum/forum.pages.inc
index d1fa160..4931411 100644
--- a/modules/forum/forum.pages.inc
+++ b/modules/forum/forum.pages.inc
@@ -10,6 +10,11 @@
  * Menu callback; prints a forum listing.
  */
 function forum_page($tid = 0) {
+  if (!is_numeric($tid)) {
+    return MENU_NOT_FOUND;
+  }
+  $tid = (int)$tid;
+
   $topics = '';
   $forum_per_page = variable_get('forum_per_page', 25);
   $sortby = variable_get('forum_order', 1);
diff --git a/modules/system/system.install b/modules/system/system.install
index 7ef4f1d..0f4b287 100644
--- a/modules/system/system.install
+++ b/modules/system/system.install
@@ -2565,6 +2565,39 @@ function system_update_6050() {
 }
 
 /**
+ * Create a signature_format column.
+ */
+function system_update_6051() {
+  $ret = array();
+
+  if (!db_column_exists('users', 'signature_format')) {
+
+    // Set future input formats to FILTER_FORMAT_DEFAULT to ensure a safe default
+    // when incompatible modules insert into the users table. An actual format
+    // will be assigned when users save their signature.
+
+    $schema = array(
+      'type' => 'int',
+      'size' => 'small',
+      'not null' => TRUE,
+      'default' => FILTER_FORMAT_DEFAULT,
+      'description' => 'The {filter_formats}.format of the signature.',
+    );
+
+    db_add_field($ret, 'users', 'signature_format', $schema);
+
+    // Set the format of existing signatures to the current default input format.
+    if ($current_default_filter = variable_get('filter_default_format', 0)) {
+      $ret[] = update_sql("UPDATE {users} SET signature_format = ". $current_default_filter);
+    }
+
+    drupal_set_message("User signatures no longer inherit comment input formats. Each user's signature now has its own associated format that can be selected on the user's account page. Existing signatures have been set to your site's default input format.");
+  }
+
+  return $ret;
+}
+
+/**
  * @} End of "defgroup updates-6.x-extra"
  * The next series of updates should start at 7000.
  */
diff --git a/modules/system/system.module b/modules/system/system.module
index e399525..57d80b8 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -9,7 +9,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '6.13-dev');
+define('VERSION', '6.13');
 
 /**
  * Core API compatibility.
diff --git a/modules/user/user.install b/modules/user/user.install
index d04a397..44d55f3 100644
--- a/modules/user/user.install
+++ b/modules/user/user.install
@@ -191,6 +191,13 @@ function user_schema() {
         'default' => '',
         'description' => "User's signature.",
       ),
+      'signature_format' => array(
+        'type' => 'int',
+        'size' => 'small',
+        'not null' => TRUE,
+        'default' => 0,
+        'description' => 'The {filter_formats}.format of the signature.',
+      ),
       'created' => array(
         'type' => 'int',
         'not null' => TRUE,
diff --git a/modules/user/user.module b/modules/user/user.module
index 72e1e7b..79ddb7a 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -532,7 +532,7 @@ function user_fields() {
     }
     else {
       // Make sure we return the default fields at least.
-      $fields = array('uid', 'name', 'pass', 'mail', 'picture', 'mode', 'sort', 'threshold', 'theme', 'signature', 'created', 'access', 'login', 'status', 'timezone', 'language', 'init', 'data');
+      $fields = array('uid', 'name', 'pass', 'mail', 'picture', 'mode', 'sort', 'threshold', 'theme', 'signature', 'signature_format', 'created', 'access', 'login', 'status', 'timezone', 'language', 'init', 'data');
     }
   }
 
@@ -1519,6 +1519,15 @@ function user_edit_form(&$form_state, $uid, $edit, $register = FALSE) {
       '#default_value' => $edit['signature'],
       '#description' => t('Your signature will be publicly displayed at the end of your comments.'),
     );
+
+    // Prevent a "validation error" message when the user attempts to save with a default value they
+    // do not have access to.
+    if (!filter_access($edit['signature_format']) && empty($_POST)) {
+      drupal_set_message(t("The signature input format has been set to a format you don't have access to. It will be changed to a format you have access to when you save this page."));
+      $edit['signature_format'] = FILTER_FORMAT_DEFAULT;
+    }
+
+    $form['signature_settings']['signature_format'] = filter_form($edit['signature_format'], NULL, array('signature_format'));
   }
 
   // Picture/avatar:
@@ -2031,7 +2040,7 @@ function user_comment(&$comment, $op) {
   // Validate signature.
   if ($op == 'view') {
     if (variable_get('user_signatures', 0) && !empty($comment->signature)) {
-      $comment->signature = check_markup($comment->signature, $comment->format);
+      $comment->signature = check_markup($comment->signature, $comment->signature_format, FALSE);
     }
     else {
       $comment->signature = '';