diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 637191f985892a0f79b2fafd47688eeb38429189..1c2de54d8a98a944e0a5405e527d1643f9e48609 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,6 +1,9 @@
-Drupal 4.6.0, 2005-04-15
+Drupal 4.6.1, 2005-06-01
 ------------------------
+- fixed bugs, including a critical input validation bug.
 
+Drupal 4.6.0, 2005-04-15
+------------------------
 - PHP5 compliance
 - search:
     * added UTF-8 support to make it work with all languages.
@@ -45,7 +48,7 @@ Drupal 4.6.0, 2005-04-15
 
 Drupal 4.5.2, 2005-01-15
 ------------------------
-- fixed bugs: a cross-site scripting (XSS) vulnerability has been fixed.
+- fixed bugs, including a cross-site scripting (XSS) vulnerability
 
 Drupal 4.5.1, 2004-12-01
 ------------------------
diff --git a/modules/user.module b/modules/user.module
index 7a87cb597ef375a3601d2f1e17dc88e8308e1e9e..c3e1af9213e6d504eea0930b9129d418a159c43c 100644
--- a/modules/user.module
+++ b/modules/user.module
@@ -974,7 +974,11 @@ function user_register($edit = array()) {
 
       // TODO: Is this necessary? Won't session_write() replicate this?
       unset($edit['session']);
-      $account = user_save('', array_merge(array('name' => $edit['name'], 'pass' => $pass, 'init' => $edit['mail'], 'mail' => $edit['mail'], 'roles' => array(_user_authenticated_id()), 'status' => (variable_get('user_register', 1) == 1 ? 1 : 0)), $edit));
+      if (array_intersect(array_keys($edit), array('uid', 'roles', 'init', 'session', 'status'))) {
+        watchdog('security', t('Detected malicious attempt to alter protected user fields.'), WATCHDOG_WARNING);
+        drupal_goto('user/register');
+      }
+      $account = user_save('', array_merge($edit, array('pass' => $pass, 'init' => $edit['mail'], 'roles' => array(_user_authenticated_id()), 'status' => (variable_get('user_register', 1) == 1 ? 1 : 0))));
       watchdog('user', t('New user: %name %email.', array('%name' => theme('placeholder', $edit['name']), '%email' => theme('placeholder', '<'. $edit['mail'] .'>'))), WATCHDOG_NOTICE, l(t('edit'), 'user/'. $account->uid .'/edit'));
 
       $variables = array('%username' => $edit['name'], '%site' => variable_get('site_name', 'drupal'), '%password' => $pass, '%uri' => $base_url, '%uri_brief' => substr($base_url, strlen('http://')), '%mailto' => $edit['mail'], '%date' => format_date(time()), '%login_uri' => url('user', NULL, NULL, TRUE), '%edit_uri' => url('user/'. $account->uid .'/edit', NULL, NULL, TRUE));