diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 0475fbe47a40a00c518cdd37a8ad82f21d14e920..f03b5037c43b0cd077466cc883107f934db5c23b 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,8 +1,9 @@
// $Id$
-Drupal 5.8, xxxx-xx-xx
+Drupal 5.8, 2008-07-09
----------------------
-
+- fixed a variety of small bugs.
+- fixed security issues, (Cross site scripting, cross site request forgery, and session fixation), see SA-2008-044
Drupal 5.7, 2008-01-28
----------------------
diff --git a/includes/theme.inc b/includes/theme.inc
index 890b27eea62c23f4c5c88f9ce0d173030fcba435..a526c61d3596b573deacc239f4210ccfd63835e0 100644
--- a/includes/theme.inc
+++ b/includes/theme.inc
@@ -545,16 +545,14 @@ function theme_links($links, $attributes = array('class' => 'links')) {
$i = 1;
foreach ($links as $key => $link) {
- $class = '';
+ $class = $key;
// Automatically add a class to each link and also to each LI
if (isset($link['attributes']) && isset($link['attributes']['class'])) {
$link['attributes']['class'] .= ' ' . $key;
- $class = $key;
}
else {
$link['attributes']['class'] = $key;
- $class = $key;
}
// Add first and last classes to the list of links to help out themers.
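Review bot: The comment `// Automatically add a class to each link and also to each LI` now sits below the line that handles the LI half, because `$class = $key;` was hoisted out of both branches; move the comment above `$class = $key;` so it still covers both assignments. The second hunk's output line appears truncated in this view (the literal before `$extra_class . $class` is cut off), so how the class attribute is escaped cannot be checked from here. theme_links continues outside both hunks.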
@@ -565,7 +563,7 @@ function theme_links($links, $attributes = array('class' => 'links')) {
if ($i == $num_links) {
$extra_class .= 'last ';
}
- $output .= '
$extra_class . $class)) .'>';
// Is the title HTML?
$html = isset($link['html']) && $link['html'];
diff --git a/install.php b/install.php
index 417400c60661f17ac4f82e76853c289c66371154..f0f2ce6e9db509f15d717f31badbc855cbaf48e1 100644
--- a/install.php
+++ b/install.php
@@ -153,6 +153,15 @@ function install_change_settings($profile = 'default', $install_locale = '') {
include_once './includes/form.inc';
drupal_maintenance_theme();
+ // Don't fill in placeholders
+ if ($db_url == 'mysql://username:password@localhost/databasename') {
+ $db_user = $db_pass = $db_path = '';
+ }
+ elseif (!empty($db_url)) {
+ // Do not install over a configured settings.php.
+ install_already_done_error();
+ }
+
// The existing database settings are not working, so we need write access
// to settings.php to change them.
if (!drupal_verify_install_file($settings_file, FILE_EXIST|FILE_READABLE|FILE_WRITABLE)) {
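Review bot: The `elseif (!empty($db_url))` branch relies on `install_already_done_error()` never returning; if it does return, control falls through to the writable-file check and to the settings form below with the live `$db_user`/`$db_pass` values still populated. Make the intent explicit at that call, either `install_already_done_error(); exit;` or a comment such as `// install_already_done_error() terminates the request.`, depending on how the helper is defined. `$db_url` is read here but assigned outside the hunk, and install_change_settings continues past the last line shown.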
@@ -163,14 +172,6 @@ function install_change_settings($profile = 'default', $install_locale = '') {
exit;
}
- // Don't fill in placeholders
- if ($db_url == 'mysql://username:password@localhost/databasename') {
- $db_user = $db_pass = $db_path = '';
- }
- elseif (!empty($db_url)) {
- // Do not install over a configured settings.php.
- install_already_done_error();
- }
$output = drupal_get_form('install_settings_form', $profile, $install_locale, $settings_file, $db_url, $db_type, $db_prefix, $db_user, $db_pass, $db_host, $db_port, $db_path);
drupal_set_title(st('Database configuration'));
print theme('install_page', $output);
diff --git a/modules/filter/filter.module b/modules/filter/filter.module
index 463de1baa1217ca125a524729525fad352173622..d7a07260f2410867c07a5379124936b51368e22e 100644
--- a/modules/filter/filter.module
+++ b/modules/filter/filter.module
@@ -1244,7 +1244,7 @@ function _filter_autop($text) {
* for scripts and styles.
*/
function filter_xss_admin($string) {
- return filter_xss($string, array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'div', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'img', 'ins', 'kbd', 'li', 'object', 'ol', 'p', 'param', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var'));
+ return filter_xss($string, array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'div', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'img', 'ins', 'kbd', 'li', 'ol', 'p', 'param', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var'));
}
/**
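Review bot: `'param'` stays in the allowed-tag list on the new line although its only purpose is as a child of the `object` element this change removes; drop `'param'` as well, or add a comment explaining why it is kept. The function's docblock, which starts above the hunk, should also record the new exclusion, e.g. `* Elements that embed plugins or external content (object) are deliberately excluded.` so the next maintainer does not reintroduce it.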
diff --git a/modules/locale/locale.module b/modules/locale/locale.module
index c3bf22672b42c9aa4e304bf718cc9d07343449f0..9c7210127981fb9c2dcb9736757fefa8d2c663e5 100644
--- a/modules/locale/locale.module
+++ b/modules/locale/locale.module
@@ -111,7 +111,7 @@ function locale_menu($may_cache) {
'type' => MENU_CALLBACK);
$items[] = array('path' => 'admin/settings/locale/string/delete/'. arg(5),
'title' => t('Delete string'),
- 'callback' => 'locale_admin_string_delete',
+ 'callback' => 'locale_admin_string_delete_page',
'callback arguments' => array(arg(5)),
'access' => $access,
'type' => MENU_CALLBACK);
@@ -407,9 +407,29 @@ function locale_admin_string_edit_submit($form_id, $form_values) {
}
/**
- * Delete a string.
+ * String deletion confirmation page.
*/
-function locale_admin_string_delete($lid) {
+function locale_admin_string_delete_page($lid) {
+ if ($source = db_fetch_object(db_query('SELECT * FROM {locales_source} WHERE lid = %d', $lid))) {
+ return drupal_get_form('locale_string_delete_form', $source);
+ }
+ else {
+ return drupal_not_found();
+ }
+}
+
+/**
+ * User interface for the string deletion confirmation screen.
+ */
+function locale_string_delete_form($source) {
+ $form['lid'] = array('#type' => 'value', '#value' => $source->lid);
+ return confirm_form($form, t('Are you sure you want to delete the string "%source"?', array('%source' => $source->source)), 'admin/build/translate/search', t('Deleting the string will remove all translations of this string in all languages. This action cannot be undone.'), t('Delete'), t('Cancel'));
+}
+
+/**
+ * Process string deletion submissions.
+ */
+function locale_string_delete_form_submit($form_id, $form_values) {
include_once './includes/locale.inc';
- _locale_string_delete($lid);
+ _locale_string_delete($form_values['lid']);
}
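Review bot: `locale_string_delete_form_submit` deletes the string but returns nothing, so the form system will presumably redirect back to the same `admin/settings/locale/string/delete/N` path, where `locale_admin_string_delete_page` now finds no row and answers with `drupal_not_found()`. Add a confirmation message and a redirect target consistent with the cancel path used in `locale_string_delete_form`: `drupal_set_message(t('The string has been removed.'));` and `return 'admin/build/translate/search';` after the `_locale_string_delete()` call. The `%d` placeholder in the `db_query()` call keeps the lookup parameterised, which is the right shape for a value taken from the URL, and the `#type => 'value'` element means the id submitted is the one the page loaded rather than a free-form field.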
diff --git a/modules/system/system.module b/modules/system/system.module
index bd28b9e9025af8d8108b256f1cad336f9095b342..e11d22ca62e9f2a2be1cc32eeed3f373a4d5dd99 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -6,7 +6,7 @@
* Configuration system that lets administrators modify the workings of the site.
*/
-define('VERSION', '5.8-dev');
+define('VERSION', '5.8');
/**
* Implementation of hook_help().