diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 3e63e7ba32a5a53c90a4242d50f9cf57b457b82e..be83e4766d90dfa3a20314be6fa3cf523cab4c2a 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,7 +1,9 @@
 // $Id$
-Drupal 5.4, xxxx-xx-xx
+Drupal 5.4, 2007-12-05
 ----------------------
+- fixed a variety of small bugs.
+- fixed a security issue (SQL injection), see SA-2007-031
 Drupal 5.3, 2007-10-17
 ----------------------
@@ -101,6 +103,10 @@ Drupal 5.0, 2007-01-15
 * added nested lists generation.
 * added a self-clearing block class.
+Drupal 4.7.9, 2007-12-05
+------------------------
+- fixed a security issue (SQL injection), see SA-2007-031
+
 Drupal 4.7.8, 2007-10-17
 ------------------------
 - fixed a security issue (HTTP response splitting), see SA-2007-024
diff --git a/modules/system/system.module b/modules/system/system.module
index 0f14a071877b0f2954a1c4a4c18a16c8e16162e9..cfbba6e6ffbc0635312c6cd937ad8c10c21dc948 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -6,7 +6,7 @@
 * Configuration system that lets administrators modify the workings of the site.
 */
-define('VERSION', '5.4-dev');
+define('VERSION', '5.4');
 /**
 * Implementation of hook_help().
diff --git a/modules/taxonomy/taxonomy.module b/modules/taxonomy/taxonomy.module
index c31e9173ea14d34e938ea5cd5650438c0b930c3d..1bc75e0ba9e3a7352bfc7f550ba012c7f8477051 100644
--- a/modules/taxonomy/taxonomy.module
+++ b/modules/taxonomy/taxonomy.module
@@ -1243,16 +1243,20 @@ function taxonomy_select_nodes($tids = array(), $operator = 'or', $depth = 0, $p
 }
 if ($operator == 'or') {
- $str_tids = implode(',', call_user_func_array('array_merge', $descendant_tids));
- $sql = 'SELECT DISTINCT(n.nid), n.sticky, n.title, n.created FROM {node} n INNER JOIN {term_node} tn ON n.nid = tn.nid WHERE tn.tid IN ('. $str_tids .') AND n.status = 1 ORDER BY '. $order;
- $sql_count = 'SELECT COUNT(DISTINCT(n.nid)) FROM {node} n INNER JOIN {term_node} tn ON n.nid = tn.nid WHERE tn.tid IN ('. $str_tids .') AND n.status = 1';
+ $args = call_user_func_array('array_merge', $descendant_tids);
+ $placeholders = implode(',', array_fill(0, count($args), '%d'));
+ $sql = 'SELECT DISTINCT(n.nid), n.sticky, n.title, n.created FROM {node} n INNER JOIN {term_node} tn ON n.nid = tn.nid WHERE tn.tid IN ('. $placeholders .') AND n.status = 1 ORDER BY '. $order;
+ $sql_count = 'SELECT COUNT(DISTINCT(n.nid)) FROM {node} n INNER JOIN {term_node} tn ON n.nid = tn.nid WHERE tn.tid IN ('. $placeholders .') AND n.status = 1';
 }
 else {
 $joins = '';
 $wheres = '';
+ $args = array();
 foreach ($descendant_tids as $index => $tids) {
 $joins .= ' INNER JOIN {term_node} tn'. $index .' ON n.nid = tn'. $index .'.nid';
- $wheres .= ' AND tn'. $index .'.tid IN ('. implode(',', $tids) .')';
+ $placeholders = implode(',', array_fill(0, count($tids), '%d'));
+ $wheres .= ' AND tn'. $index .'.tid IN ('. $placeholders .')';
+ $args = array_merge($args, $tids);
 }
 $sql = 'SELECT DISTINCT(n.nid), n.sticky, n.title, n.created FROM {node} n '. $joins .' WHERE n.status = 1 '. $wheres .' ORDER BY '. $order;
 $sql_count = 'SELECT COUNT(DISTINCT(n.nid)) FROM {node} n '. $joins .' WHERE n.status = 1 '. $wheres;
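Review bot: `$order` is still concatenated directly into the `ORDER BY` clause of both `$sql` strings (the 'or' branch and the 'and' branch), so the placeholder conversion in this hunk covers the term ids only. An ORDER BY fragment cannot be bound with `%d`, and the hunk does not show where `$order` originates, so the contract should at least be written down at its first use: `// $order is inserted verbatim into the query: callers must pass a hard-coded column list, never request data.` The 'and' branch also builds the table alias `tn'. $index .'` from the array key of `$descendant_tids`, which is assembled above this hunk; the keys are presumably numeric, but that is worth confirming. The body of taxonomy_select_nodes() begins before this hunk and continues after it.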
@@ -1260,10 +1264,10 @@ function taxonomy_select_nodes($tids = array(), $operator = 'or', $depth = 0, $p
 $sql = db_rewrite_sql($sql);
 $sql_count = db_rewrite_sql($sql_count);
 if ($pager) {
- $result = pager_query($sql, variable_get('default_nodes_main', 10), 0, $sql_count);
+ $result = pager_query($sql, variable_get('default_nodes_main', 10), 0, $sql_count, $args);
 }
 else {
- $result = db_query_range($sql, 0, variable_get('feed_default_items', 10));
+ $result = db_query_range($sql, 0, variable_get('feed_default_items', 10), $args);
 }
 }
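Review bot: The new `db_query_range()` call passes `$args` after the range values, but as far as I know Drupal 5's `db_query_range()` takes `$from` and `$count` as its last two arguments and treats everything between the query and those two as substitution values. If that holds, the non-pager (feed) path would read the `$args` array as the count and `0` as the only substitution value, so the `%d` placeholders built in the previous hunk would not receive the term ids. The line should then read `$result = db_query_range($sql, $args, 0, variable_get('feed_default_items', 10));`. The `pager_query()` line looks right, since it accepts extra arguments after `$sql_count`. The definition of `db_query_range()` is not on this page, so confirm against the database layer and exercise the feed path in a test; the function body starts before this hunk.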