authorGábor Hojtsy2009-04-30 00:13:31 +0000
committerGábor Hojtsy2009-04-30 00:13:31 +0000
commit8135c33f6fd219124b085a2e50ea9bf1f6e87612 (patch)
treeb3c98809f2f6dfd6bfd852ad83610717f676e991
parenta8f2b31b4d82d32f093d8ea6d103a8c6c7253123 (diff)
Drupal 6.116.11
-rw-r--r--CHANGELOG.txt17
-rw-r--r--includes/bootstrap.inc2
-rw-r--r--includes/common.inc11
-rw-r--r--includes/theme.inc4
-rw-r--r--modules/system/maintenance-page.tpl.php2
-rw-r--r--modules/system/page.tpl.php2
-rw-r--r--modules/system/system.module2
-rw-r--r--themes/bluemarine/page.tpl.php2
-rw-r--r--themes/chameleon/chameleon.theme2
-rw-r--r--themes/garland/maintenance-page.tpl.php2
-rw-r--r--themes/garland/page.tpl.php2
-rw-r--r--themes/pushbutton/page.tpl.php2
12 files changed, 40 insertions, 10 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 30a33c3..72a6e18 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,7 +1,12 @@
// $Id$
-Drupal 6.11-dev, xxxx-xx-xx (development release)
+Drupal 6.11, 2009-04-29
----------------------
+- Fixed security issues (Cross site scripting and limited information
+ disclosure), see SA-CORE-2009-005
+- Fixed performance issues with the menu router cache, the update
+ status cache and improved cache invalidation
+- Fixed a variety of small bugs.
Drupal 6.10, 2009-02-25
----------------------
@@ -176,6 +181,16 @@ Drupal 6.0, 2008-02-13
- Removed old system updates. Updates from Drupal versions prior to 5.x will
require upgrading to 5.x before upgrading to 6.x.
+Drupal 5.17, 2009-04-29
+-----------------------
+- Fixed security issues (Cross site scripting and limited information disclosure) see SA-CORE-2009-005.
+- Fixed a variety of small bugs.
+
+Drupal 5.16, 2009-02-25
+-----------------------
+- Fixed a security issue, (Local file inclusion on Windows), see SA-CORE-2009-004.
+- Fixed a variety of small bugs.
+
Drupal 5.15, 2009-01-14
----------------------
- Fixed security issues, (Hardening against SQL injection), see SA-CORE-2009-001
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 49aa63e..f2f61a4 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -791,6 +791,8 @@ function request_uri() {
$uri = $_SERVER['SCRIPT_NAME'];
}
}
+ // Prevent multiple slashes to avoid cross site requests via the FAPI.
+ $uri = '/'. ltrim($uri, '/');
return $uri;
}
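Review bot: The added line collapses only leading forward slashes, and the one-line comment does not say what that defends, which makes the normalisation look cosmetic to a later maintainer. A request URI beginning with `//` is presumably reused by the Form API as a form action, where browsers treat it as a protocol-relative URL to another host; the comment should state that, e.g. `// Collapse leading slashes: a '//host/...' request URI would otherwise be reused as a protocol-relative form action pointing at another host.` Whether the value still needs normalising for other separators depends on how $uri is assembled from $_SERVER earlier in the function, which is outside this hunk. request_uri() starts before the hunk.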
diff --git a/includes/common.inc b/includes/common.inc
index 2118875..ed8ebab 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -152,6 +152,15 @@ function drupal_get_headers() {
}
/**
+ * Make any final alterations to the rendered xhtml.
+ */
+function drupal_final_markup($content) {
+ // Make sure that the charset is always specified as the first element of the
+ // head region to prevent encoding-based attacks.
+ return preg_replace('/<head[^>]*>/i', "\$0\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />", $content, 1);
+}
+
+/**
* Add a feed URL for the current page.
*
* @param $url
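Review bot: The pattern `/<head[^>]*>/i` in drupal_final_markup matches any tag whose name merely starts with "head", such as an HTML5 `<header>`; with the replacement limit of 1, a theme that emits such an element before the real `<head>` would get the charset meta injected into the body instead. Anchoring the tag name, `/<head(\s[^>]*)?>/i`, restricts the match to the head element. The docblock should also give the contract, e.g. `@param $content The fully rendered page markup. @return The markup with a UTF-8 Content-Type meta inserted directly after the opening <head> tag; returned unchanged when no <head> tag is found.` Note that preg_replace returns NULL on a PCRE failure, so callers would then receive no page at all; that seems unlikely with this pattern but is worth a comment.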
@@ -577,7 +586,7 @@ function drupal_error_handler($errno, $message, $filename, $line, $context) {
return;
}
- if ($errno & (E_ALL)) {
+ if ($errno & (E_ALL ^ E_NOTICE)) {
$types = array(1 => 'error', 2 => 'warning', 4 => 'parse error', 8 => 'notice', 16 => 'core error', 32 => 'core warning', 64 => 'compile error', 128 => 'compile warning', 256 => 'user error', 512 => 'user warning', 1024 => 'user notice', 2048 => 'strict warning', 4096 => 'recoverable fatal error');
// For database errors, we want the line number/file name of the place that
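Review bot: Masking with `E_ALL ^ E_NOTICE` leaves the `8 => 'notice'` entry of the $types array on the following line unreachable, and the change carries no comment explaining why notices are now dropped inside the handler regardless of error_reporting(). A short comment such as `// Notices are neither displayed nor logged by this handler; only warnings and above are handled below.` would record the intent, and `E_ALL & ~E_NOTICE` is the conventional mask form (XOR only works because E_NOTICE is part of E_ALL). If the remainder of drupal_error_handler, which lies outside the hunk, is where errors are written to watchdog, operators lose notice-level entries after this change; that seems intended but deserves a mention in the comment.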
diff --git a/includes/theme.inc b/includes/theme.inc
index ebcbade..cfa4ad3 100644
--- a/includes/theme.inc
+++ b/includes/theme.inc
@@ -687,6 +687,10 @@ function theme() {
}
// restore path_to_theme()
$theme_path = $temp;
+ // Add final markup to the full page.
+ if ($hook == 'page') {
+ $output = drupal_final_markup($output);
+ }
return $output;
}
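Review bot: The new condition applies drupal_final_markup only when `$hook == 'page'`, yet this commit also reorders the maintenance-page templates; if the maintenance page is rendered through theme('maintenance_page') and nothing else calls drupal_final_markup for it (not visible here), that output never receives the injected charset meta. `if ($hook == 'page' || $hook == 'maintenance_page') {` would cover both, and `===` is the safer comparison for a string hook name. theme() starts before this hunk.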
diff --git a/modules/system/maintenance-page.tpl.php b/modules/system/maintenance-page.tpl.php
index e29f2cb..4e4e409 100644
--- a/modules/system/maintenance-page.tpl.php
+++ b/modules/system/maintenance-page.tpl.php
@@ -19,8 +19,8 @@
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php print $language->language ?>" lang="<?php print $language->language ?>" dir="<?php print $language->dir ?>">
<head>
- <title><?php print $head_title; ?></title>
<?php print $head; ?>
+ <title><?php print $head_title; ?></title>
<?php print $styles; ?>
<?php print $scripts; ?>
<script type="text/javascript"><?php /* Needed to avoid Flash of Unstyled Content in IE */ ?> </script>
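Review bot: The swap of `$head` and `<title>` is unexplained in the template, and themers routinely copy these files, so the order is likely to be reverted in contributed themes. Presumably `$head` carries the Content-Type meta emitted by the system, and the point of the move is that the charset declaration precedes any page-derived text such as the title; a template comment should say so, e.g. `<?php /* $head must be printed before <title>: the charset meta it contains has to appear before any page-derived text. */ ?>`. The same applies to modules/system/page.tpl.php, themes/bluemarine/page.tpl.php, themes/chameleon/chameleon.theme, themes/garland/maintenance-page.tpl.php, themes/garland/page.tpl.php and themes/pushbutton/page.tpl.php. In pushbutton the Content-Style-Type meta still precedes `$head`; that is harmless since it carries no page text, but a comment there would make the ordering rule explicit.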
diff --git a/modules/system/page.tpl.php b/modules/system/page.tpl.php
index 95a53db..d4cfe92 100644
--- a/modules/system/page.tpl.php
+++ b/modules/system/page.tpl.php
@@ -80,8 +80,8 @@
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php print $language->language ?>" lang="<?php print $language->language ?>" dir="<?php print $language->dir ?>">
<head>
- <title><?php print $head_title; ?></title>
<?php print $head; ?>
+ <title><?php print $head_title; ?></title>
<?php print $styles; ?>
<?php print $scripts; ?>
<script type="text/javascript"><?php /* Needed to avoid Flash of Unstyled Content in IE */ ?> </script>
diff --git a/modules/system/system.module b/modules/system/system.module
index 721976c..0bc059b 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -9,7 +9,7 @@
/**
* The current system version.
*/
-define('VERSION', '6.11-dev');
+define('VERSION', '6.11');
/**
* Core API compatibility.
diff --git a/themes/bluemarine/page.tpl.php b/themes/bluemarine/page.tpl.php
index b83111a..cd324f9 100644
--- a/themes/bluemarine/page.tpl.php
+++ b/themes/bluemarine/page.tpl.php
@@ -4,8 +4,8 @@
<html xmlns="http://www.w3.org/1999/xhtml" lang="<?php print $language->language ?>" xml:lang="<?php print $language->language ?>" dir="<?php print $language->dir ?>">
<head>
- <title><?php print $head_title ?></title>
<?php print $head ?>
+ <title><?php print $head_title ?></title>
<?php print $styles ?>
<?php print $scripts ?>
<script type="text/javascript"><?php /* Needed to avoid Flash of Unstyle Content in IE */ ?> </script>
diff --git a/themes/chameleon/chameleon.theme b/themes/chameleon/chameleon.theme
index 8f3a519..d10b127 100644
--- a/themes/chameleon/chameleon.theme
+++ b/themes/chameleon/chameleon.theme
@@ -30,8 +30,8 @@ function chameleon_page($content, $show_blocks = TRUE, $show_messages = TRUE) {
$output = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n";
$output .= "<html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"$language\" xml:lang=\"$language\" dir=\"$direction\">\n";
$output .= "<head>\n";
- $output .= " <title>". ($title ? strip_tags($title) ." | ". variable_get("site_name", "Drupal") : variable_get("site_name", "Drupal") ." | ". variable_get("site_slogan", "")) ."</title>\n";
$output .= drupal_get_html_head();
+ $output .= " <title>". ($title ? strip_tags($title) ." | ". variable_get("site_name", "Drupal") : variable_get("site_name", "Drupal") ." | ". variable_get("site_slogan", "")) ."</title>\n";
$output .= drupal_get_css();
$output .= drupal_get_js();
$output .= "</head>";
diff --git a/themes/garland/maintenance-page.tpl.php b/themes/garland/maintenance-page.tpl.php
index e3d1b9d..1a422cd 100644
--- a/themes/garland/maintenance-page.tpl.php
+++ b/themes/garland/maintenance-page.tpl.php
@@ -15,8 +15,8 @@
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php print $language->language ?>" lang="<?php print $language->language ?>" dir="<?php print $language->dir ?>">
<head>
- <title><?php print $head_title ?></title>
<?php print $head ?>
+ <title><?php print $head_title ?></title>
<?php print $styles ?>
<?php print $scripts ?>
<!--[if lt IE 7]>
diff --git a/themes/garland/page.tpl.php b/themes/garland/page.tpl.php
index 92559d8..773869c 100644
--- a/themes/garland/page.tpl.php
+++ b/themes/garland/page.tpl.php
@@ -4,8 +4,8 @@
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php print $language->language ?>" lang="<?php print $language->language ?>" dir="<?php print $language->dir ?>">
<head>
- <title><?php print $head_title ?></title>
<?php print $head ?>
+ <title><?php print $head_title ?></title>
<?php print $styles ?>
<?php print $scripts ?>
<!--[if lt IE 7]>
diff --git a/themes/pushbutton/page.tpl.php b/themes/pushbutton/page.tpl.php
index d6f3541..d3dce0d 100644
--- a/themes/pushbutton/page.tpl.php
+++ b/themes/pushbutton/page.tpl.php
@@ -3,9 +3,9 @@
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="<?php print $language->language ?>" xml:lang="<?php print $language->language ?>" dir="<?php print $language->dir ?>">
<head>
- <title><?php print $head_title ?></title>
<meta http-equiv="Content-Style-Type" content="text/css" />
<?php print $head ?>
+ <title><?php print $head_title ?></title>
<?php print $styles ?>
<?php print $scripts ?>
</head>