| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Drupal 6.15, 2009-12-16
----------------------
- Fixed security issues (Cross site scripting), see SA-CORE-2009-009.
- Fixed a variety of other bugs.
other pkgsrc changes:
* Add PKG_DESTDIR_SUPPORT spport.
* Use REPLACE_INTERPRETER.
* Change default.settings.php handling to fix PR pkg/42355.
|
|
pkgsrc change: add LICENSE.
Drupal 6.14, 2009-09-16
----------------------
- Fixed security issues (OpenID association cross site request forgeries,
OpenID impersonation and File upload), see SA-CORE-2009-008.
- Changed the system modules page to not run all cache rebuilds; use the
button on the performance settings page to achieve the same effect.
- Added support for PHP 5.3.0 out of the box.
- Fixed a variety of small bugs.
|
|
immediately after reading the security announcement:
* SA-CORE-2009-007 - Drupal core - Multiple vulnerabilities
In addition to this security vulnerability, the following bugs have been fixed since the 6.12 release:
* - Patch #463450 by wulff: fixed documentation glitch.
* #193577 by Rob Loach, Damien Tournoud, andypost: JavaScript string split() function does not behave like PHP explode(); causes problems with multiple node body break tags
* #454992 by sun, bengtan: _drupal_flush_css_js() should not have 'q' as a possible CSS query character, since that is the Drupal path name character too
* #452704 by andypost, catch: Names of compressed CSS and JS files should have a prefix, so that names starting in ad* will not happen. Those are easily blocked by firewalls, Firefox's Adblock, etc.
* #468732 by andypost: cache_clear_all() mentioned cache_flush_delay incorrectly; it should say we use cache_lifetime
* #460420 by wulff, andypost: drupal_set_title() in forum_overview() is not needed; menu already sets the title and is localized
* #398902 by Nick Urban, alexanderpas, kscheirer: password equality checking was not using strict type checking; we should assume these are strings and compared character to character
* #479216 by jhedstrom: fix grammar in forum module messages
* #445748 by Dave Reid, dww: Fix module support for disabled module update status checking and do not track usage in that case.
* #465190 by Heine: The Anonymous name is a plain text setting, so it should be escaped properly for output.
* #246096 by Sutharsan, Pedro Lozano, mr.baileys, andypost: Actions set to run on cron were not actually triggered.
* #226479 by gpk, BrianV, catch: We should always show the node access rebuild button. The check on when to show it was fragile, so the button might not have been there when actually needed.
* #482646 by Dave Reid: For proper HTTP query simpletesting, we should pass on the instance identifier (database prefix).
* #197266 by ufku, lilou, Dave Reid, c960657, drewish: Save a query by only calling file_space_used() when a limit is provided.
* #408876 by Pasqualle, JamesAn: The 'serialize' Schema API property was used but not documented.
* #145733 by kepten, brianV: The session.use_cookies PHP setting is required by Drupal, but it can be turned off, so try to ensure it is turned on at all times.
* #373225 by jpulles, Josh Waihi: When changing columns, PostgreSQL needs explicit type casting to ensure that values are kept properly.
* #236657 by hctom, swentel: In system_clear_cache_submit(), the function arguments were swapped (but it did not affect how it actually worked).
* #243253 by Benjamin Melançon, dww: Update status should not attempt to request update data until a limit is reached. Fixed Drupal instances when drupal.org is down and gets less load on Drupal.org if data is not found.
* #339466 by patryk, c960657, alexanderpas: Remove url() wrapping from remote links and link in a more user friendly OpenID provider list.
* #461938 by grendzy, JamesAn: Use filter_xss_admin() on site name and site slogan, just like footer message and mission
* #455172 by budda, RoboPhred, andypost: Fix drupal_mail() documentation, so that it encourages to set the body of the email as an array (like core does).
* #329797 by berenddeboer, redndahead, danielb: The tablesort code did not account for possibly nested tables; only match immediate descendats, so elements of nested tables are not matched.
* #352121 by valthebald, Damien Tournoud, mr.baileys: The safe string check on translations should only be applied to the default textgroup. Strings in other textgroups such as blocks and menu items are displayed via escaping and filtering, and might contain arbitrary HTML.
|
|
|
|
The twelfth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
* SA-CORE-2009-006 - Drupal core - Cross site scripting
In addition to this security vulnerability, the following bugs have been fixed since the 6.11 release:
* #353328 by catch, BrianV: When a new commment is added, the redirection path should point to page, where the new comment is.
* #239945 by Xano, JeremyFrench, Damien Tournoud, andypost: Should not iterate over the children in taxonomy_get_tree() anymore if we reached max_depth.
* #292565 by grendzy, John Morahan, Jody Linn: remove path munging on 403/404 pages, which caused problems for login redirects
* #448268 by dww: Make sure that submitting the themes admin form clears out the update status cache, just like the modules admin form does.
|
|
This release fixes a security vulnerability. Sites are urged to upgrade immediately after reading the security announcement:
* SA-CORE-2009-005 - Drupal core - Cross site scripting
In addition to this security vulnerability, the following bugs have been fixed since the 6.10 release:
* #376408 follow up by pwolanin: search_nodeapi() lacked break in switch; resulted in issue in logic not code flow
* #197864 by vito_swat, alpritt, Murz, catch: Use hook_term_path() in forum module instead of hook_link_alter(); simplfies code, improves performance and compatibility.
* #314314 by bastos, Dave Reid, mr.baileys, Pasqualle: fix invalid XHTML markup in update.php output
* #372914 by chx, pwolanin, webchick: Menu link title localization was broken when a non-t callback was used
* #395086 by Freso: call trim() before truncate_utf8() in comment module for better quality truncation.
* #404244 by cwgordon7: minor code style fix in openid_help().
* #357031 by hinfox, dereine, aaronbauman: trigger_nodeapi() passed a4 twice and did not pass a3 to the action when the action type was other then node
* #141965 by jeffschuler: taxonomy_term_path() and its phpdoc block was separated by one blank line, thus disconnecting it for the API docs parser
* #408962 by brianV: improve phpdoc documentation for menu_tree_collect_node_links() and menu_tree_check_access().
* #290561 by mustafau, AlexisWilke: aggregator_save_category() should ask for the last insert ID in 'aggregator_category', not 'aggregator' when saving.
* #292565 by lyricnz, Damien Tournoud, Jody Lynn, kleinmp, John Morahan, akalsey: Make forms work on 404 and 403 pages. Remove any fake destination set by drupal_not_found() or drupal_access_denied() so that we can properly redirect from those pages.
* #325810 by darren.ferguson, miglius: in tableheader.js $('td'+ location.hash).offset() does not alway return an object, which breaks all JavaScript on the page, so check for the return value before using it.
* #297972 by wilson98, scor, Steven Jones, yched, heyrocker: make the batch API compatible with drupal_execute(), so things like creating a CCK type or adding fields to it (by submitting forms programatically) are possible in update functions
* #365996 by sammys: the correct full name for the timestamp field in postgresql is timestamp without time zone; improve compatibility with PostgreSQL / schema module
* #279233 by Aren Cambre, jbomb: Message printed when email is not being possible to send was informal and had a grammar problem.
* - Patch #316515 by jmburnz, momendo: fixed position of OpenID logo.
* - Patch #372414 by JohnAlbin: don't output empty div when no comment exist.
* - Patch #228477 by anuradha: corrected Sinhala language.
* - Patch #286374 by jhodgdon: fixed documentation of file_save_upload() validators.
* #382096 by Arancaytar: clean up #maxlength use in the installer; remove arbitrary 45 character limits, put reasonable limits in place where it makes sense
* #330084 by c960657: Remove unnecessary duplication of the From header value in Reply-to; standards indicate setting the From header should be sufficient
* #385602 by Damien Tournoud, desbeers: log messages were not remembered on node preview
* #437120 by mfb: avoid double escaping of taxonomy term names in feed links and channel titles
* #437930 by soxofaan: remove unnecessary tabindex attribute from login form; makes altering harder
* #160226 by kymmx, karschsp, Dave Reid, Berdir: statistics module was matching on prefixes of node paths instead of the node paths themselves (and possible subtabs)
* #401304 by Darren Oh: make conditional in statistics_link() more explicit to catch node related invocations
* #363262 follow up by Dave Reid: fix phpdoc comments on update functions to properly mark update functions added after 6.0 was released
* #317775 by Starminder, pwolanin: do not store the menu router table serialized in cache, since it cases more performance problems then it solves
* #282852 by Arancaytar, will_in_wi: remove negative margin on .node in Garland, so nodes do no overlap the messages area on the page
* #227228 by ilmaestro, gpk, ball.in.th, catch, andypost: use per-table cache_flush variables to avoid not flushing all but the first table when multiple tables are cleared
* #445600 by Rob Loach: allow for as few as 1 required word in submission of a node of a content type if the admin wants to set so
* #343415 by Damien Tournoud: the form cache is not automatically cleared on submit if the page cache is activated
* Rolling back #343415 given disputes around its change in Drupal 7.
* #229660 by Dave Reid: use theme('username', ...) to display usernames on the user contact page
* #447700 by dww: Earl Miles is not update.module maintainer anymore
* #431148 by pwolanin, dww: Make it easier to visually distinguish security updates on Updates report
* #396224 by pwolanin: Further harden template file name discovery
* #220592 by dww and pwolanin: Always use the database for caching in update module, so that drupal.org project data persists. Improves both local and drupal.org site performance.
|
|
immediately after reading the security announcement:
* SA-CORE-2009-003 - Local file inclusion on Windows
In addition to this security vulnerability, the following bugs have been fixed since the 6.9 release:
* - Patch #298722 by pwolanin: _menu_translate returns FALSE before to_arg is available. Drupal.org upgrade blocker.
* #310863 by bangpound, dboulet, catch, lee20: Locale variable results in locale module install, so skip adding empty variable when not needed.
* #275796 by Gribnif, Damien Tournoud, Dave Reid, vaish: module_list() should set its static variable to NULL instead of unset()-ing it, so it does not retain its value
* #328110 by marcingy, swentel, Damien Tournoud, pwolanin, David_Rothstein: the link argument is passed by reference to menu_link_save(), so avoid overwriting local variables in menu_enable().
* #62926 by karschsp: increase the free tagging field maximum length to 1024; the database limits are per-tag.
* #220559 by eMPee584, Desbeers, Damien Tournoud: only ever add the active class to links in l() and theme_links(), if the language was set and is the current language or if the language was not set on the link
* #365183 by Eaton: node_feed() did not use the same API functions as node_view() did, so custom fields were missing from the output
* #356721 by c960657, Dave Reid: remove static caching of the clean URLs setting in url() to help automated tests; the setting is cached through variable_get(), which however allows altering of the setting
* #290282 by kratib, jvandyk, ainigma32: Only track/limit the recursive invocations of actions_do(), instead of tracking/limiting them all.
* #320395 by qutoz, swentel: Set node format to 0 in node_submit() if the body was turned off to avoid a minor notice.
* #359918 by Dave Reid: database.inc documents the 'unique key' key, while it should be 'unique keys'
* #152098 by hunthunthunt, mgifford, Dave Reid: add 'for' attribute to 'label' tags on checkboxes and radio buttons, even if the 'label' wraps the element - accessibility best practice
* #314286 backport of some of #229129 by assimonds: disbaled checkboxes did not receive their values properly from the default value set
* #243524 by christefano, chx: our phpinfo page was very limited; give all info possible instead
* #203323 by JirkaRybka, robertgarrigos, lilou, thePanz, c960657, sun: move the LANGUAGE_* constants to bootstrap.inc and remove several defined() checks on them now that they are always defined
* #276174 by nbz, John Morahan, slightly modified: do not escape username more then once at multiple places in blog.module
* #310768 by bob_hirnlego, cdale: missing primary table and field specification in db_rewrite_sql() when called from taxonomy_overview_terms()
* #363262 by catch, chx: in Drupal 6, the url_alias table introduced a language column, but did not extend its index to that; though queries are formed on src and language
* #326210 by AlexisWilke, grendzy, jhedstrom: Take the menu item in its first submission and menu_nodeapi() by reference, so that any modifications of the item in the saving process will carry over to other submit handlers; making itpossible to write modules extending menu item manipulation
* - Patch #383318 by mr.baileys: incorrect memory shortage warning when memory limit is unlimited.
* #337162 by midkemia and ainigma32: keep the Drupal 5 menu items descriptions when upgrading to Drupal 6
* - Patch #381438 by drumm: do not use page cache for drupal.sh requests.
* #109588 by fago, cdale: use the existing user account objects instead of arg() checks, as well as fix use of where it should be
* #296082 by jandd, stefanor, nigel: avoid table aliasing in UPDATE query in system_update_6001() since PostreSQL does not support that
* #376408 by ajevans85, pwolanin: Prevent an empty anchor tag and parenthesis appearing in the output for the search index in search_nodeapi()
* #383724 by Heine, bjaspan: SA-CORE-2009-003
|
|
|
|
Update drupal.conf based on .htaccess supplied with tarball
PKGREVISION++
|
|
* Rolling back #280934. PHP 4 incompatibility.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
* SA-CORE-2009-001- Drupal core - Multiple vulnerabilities
In addition to this security vulnerability, the following bugs have been fixed since the 6.8 release:
* - Patch #331708 by chx: poll_choice_js uses FAPI2.
* - Patch #350708 by dww: t() documentation clean-up.
* #245990 by Dave Reid, chx, dww: Look for the www.example.com page when a HTTP request seems to fail. Looking for the local page caused problems for people with interactive authentication, redirects, hosting added JavaScript code, and so on.
* - Patch #262920 by ainigma32: language selection for domain should look at HTTP_HOST not SERVER_NAME.
* - Patch #353886 by killes: too many arguments to SQL query in locale import.
* - Rollback of #325908.
* #347228 by kajetan: user was redirected to admin/build/translate instead of admin/build/translate/import
* #332123 by webchick, lilou, andypost: backport of removal of t() around schema desciptions
* #257009 by bjaspan, Freso, Darren Oh: check to not create global constraints twice in PostgreSQL (for example, when the testing framework is running)
* #169937 by Heine, drumm, alexanderpas, Darren Oh: only regenerate session if the user is the current global user
* #308526 by chx: Also reset actions_list() cache on actions_synchronize()
* #323474 by gpk, Dave Reid, catch: hook_boot() was not called on non-cached pages when agreesive caching was on
* #61108 by Uwe Hermann: update LICENSE.txt with latest version of GPL2 text
* #328977 by Dave Reid, hgmichna: comment_controls() form function lacks first form_state parameter, so passed values are incorrectly used
* #323386 by mariuss: The selection type in profile module expects items each on their own line and should not break items on commas
* #347485 by cdale: only add upload submit handler if the upload form is added
* #344052 by salvis: remove unused $update_node variable from node module
* #356782 by quicksketch: remove unused unset($edit) from _form_builder_handle_input_element()
* #124492 by m3avrck, mfer: more accurate checking for valid URLs in valid_url()
* #346285 by grendzy, Damien Tournoud, thekevinday et al: fixed problem when HTTP_HOST is not transmitted
* #245990 follow up by Damien Tournoud, David_Rothstein, pwolanin: Move back to an internal URL check for HTTP request checking and make the request checking less intrusive on what requests can be accomplished
|
|
The seventh maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
* SA-2008-073 - Drupal core - Multiple vulnerabilities
In addition to this security vulnerability, the following bugs have been fixed since the 6.6 release:
* - Patch #324118 by winterheart: fixed invalid XHTML being generated for forum topic listings.
* - Patch #329019 by dww, sun: fixed PHP warning.
* #315739 by sun: The theme name is in arg(4) on the block admin page, so only redirect to theme specific page if that is set.
* - Patch #329646 by Damien Tournoud: properly reset user_access().
* - Patch #255293 by Gribnif, maartenvg: incorrect regex causes some aggregated CSS to fail.
* #329998 by pwolanin: escape markup looking non-HTML tags in schema descriptions
* #258089 by JohnAlbin, Arancaytar, merlinofchaos: themes cannot have a preprocess function without a corresponding .tpl.php file
* #255150 by dropcube, tested by catch, asimmonds: content type names were double escaped on create content page
* #329660 by pwolanin: node_configure_validate() should be replaced with a #submit handler to conform to FormAPI rules
* #299742 by Darren Oh: missing #ahah support on checkboxes
* #193580 follow up by gpk: late but important changelog entry for Drupal 6.0
* #302638 by pwolanin: avoid running several no-op queries while the menu is being rebuilt; improves performance
* Rolling back #302638, it caused problems reported in #328110
* #319165 by Alex_Tutubalin: add explicit UTF-8 client encoding setting for PostgreSQL
* - Patch #277644 by lilou: documentation improvement.
* - Patch #335385 by Dave Reid: fixed maxlength of path alias fields to be consistent with the database.
* - Patch #337454 by earnie: fixed the phpdoc of drupal_render_form().
* - Patch #293370 by swentel et al: make block sorting work when there are more than 20 blocks.
* - Patch #325908 by kbahey: removed redundant cache flusing.
* - Patch #281131 by Damien Tournoud: document the missing quote in .htaccess.
* - Patch #336115 by Nedjo: better documentation for t().
* - Patch #342988 by ultimateboy: fixed order of attributes in PHPdoc.
* #324875 by pwolanin: improve HTTP_HOST checking, ensuring that the host is lowercased and only valid characters are allowed.
* #280934 follow up by pwolanin: harden the cookie handling in sess_regenerate() by setting our session cookie to be an HTTP only cookie, thus reducing the risk of session stealing via XSS
* #28776 by Uwe Hermann, Morbus Iff, jvandyk: Protect *.test files and SVN metafiles from being exposed under Drupal
* #299582 by hass: Remove outdated items from robots.txt and fix ordering of items to make stuff easier to find.
* #305653 by snowball43, cdale, Dave Reid, sun: All themes were disabled when update.php was run
* #344661 by Dave Reid: fix phpdoc documentation on translation_translation_link_alter()
* #333060 by neclimdul, merlinofchaos, dvessel: child themes did not inherit patterns correctly, so more specific template files are not detected
* #206138 by pwolanin et al: little documentation fix for node base module name handling
* #276111 by pwolanin, meba and myself: disallow possibly dangerous submissions in locale translations and imports
* #345167 by JacobSingh, pwolanin, Heine: drupal_http_request() includes an extra CRLF, not conformant to HTTP specs
http://drupal.org/node/345462
|
|
After some feedback from Roy Marples set up the package so it's easier
to get drupal to run under other web servers than apache. As the
default web server, apache will remain. Users can disable it using
the options.mk framework.
Rename APACHE_* variables to WWW_* and set some sane defaults.
|
|
The sixth maintenance and security release of the Drupal 6 series. Only
fixes for security vulnerabilities and other bugs have been committed. New
features are only being added to the forthcoming Drupal 7.0 release.
This release fixes security vulnerabilities. Sites are urged to upgrade
immediately after reading the security announcement:
* SA-2008-067 - Drupal core - Multiple vulnerabilities
In addition to this security vulnerability, the following bugs have been
fixed since the 6.5 release:
- Patch #315656 by Damien Tournoud: fixed bug in drupal_lookup_path('wipe').
#318102 by Dave Reid: hook_exit() was not invoked for some cached requests.
#277206 by Damien Tournoud, lilou, fp: untranslatable string in the installer
- Patch #324080 by winterheart: missing </td>-tag.
See http://drupal.org/node/324832 for all the details
|
|
immediately after reading the security announcement:
* SA-2008-060 - Drupal core - Multiple vulnerabilities
In addition to this security vulnerability, the following bugs have been fixed since the 6.4 release:
* - Patch 246143 by bjaspan, Damien Tournoud: make sure updates are run in numeric order, not in definition order.
* - Patch 221230 by Heine: convert requirement error on update to requirement warning.
* - Patch 252430 by quicksketch: allow base theme prefix in preprocessor function names to correct expected behavior.
* - Patch 245322 by mfb: fixed breadcrumb behavior.
* - Patch 287949 by Freso, Damien Tournoud: keep language icons in consistent order across nodes.
* - Patch 265899 by mfb: uri_brief mail token did not support https URLs.
* - Patch 272952 by NancyDru and chx: fixed documentation issue.
* - Patch 170310 by mfb, JohnAlbin: avoid SSL cookie getting over-written by non-SSL cookie.
* - Patch 243063 by GoofyX: fixed typo in context-sensitve help.
* - Patch 295152 by dww, Damien Tournoud, et al: fixed version comparison.
* - Patch 278759 by douggreen, fletchgqc: improved code comment.
* - Patch 276018 by mfb: extend the lifetime of temporary files.
* - Patch 228576 by sun: too ambiguous stylesheet in dblog.css when form_altering the watchdog table.
* - Patch 285309 by pwolanin: menu_name in hook_menu is ignored on updates.
* - Patch 261859 by rse, Damien Tournoud: make the trigger module work on PostgreSQL.
* - Patch 305436 by Damien Tournoud, lelutin: fixed unclosed <li> tag in the context-sensitive help.
Any many more. See http://drupal.org/node/318701 for all the details
|
|
Drupal 6.4, 2008-08-13
----------------------
- Fixed a security issue (Cross site scripting, Arbitrary file uploads via
BlogAPI, Cross site request forgeries and Various Upload module
vulnerabilities), see SA-2008-047.
- Improved error messages during installation.
- Fixed a bug that prevented AHAH handlers to be attached to radios widgets.
- Fixed a variety of small bugs.
|
|
All the details of the changes can be found here: http://drupal.org/node/280583
The main reason for this update is to fix a known security issue:
http://drupal.org/node/280571
|
|
many packages used to use ${PAX}. Use the common way of directly calling
pax, it is created as tool after all.
|
|
This release fixes security vulnerabilities and also changes APIs. Sites are urged to upgrade immediately after reading the security announcement:
* SA-2008-026 - Drupal core - Drupal core - Access bypass
In addition to this security vulnerability, the following bugs have been fixed since the 6.0 release:
* #228120 by jvandyk: typo in documentation in comment.tpl.php
* #226480 by gpk: fix wording on when node access rebuild button is displayed in node_configure()
* #229817 by mcarrera: l() attributes were not properly specified in theme.inc's theme_username()
* #234403 by alienbrain: PHP.net documents we should use CRLF in mail headers, so do that
* #226555 by jvandyk, Rok Zlender: fix notice level error in xmlrpc.inc
* #204415 by chx: actually use 'administer content types' permission for node type editing instead of 'administer nodes'
* #234699 by hass: theme_link() did not mark frontpage links active properly
* #237717 by hass: missing t() in system_clear_cache_submit()
* #232037 by pwolanin: (performance) block regions should only be populated when called for, not in all cases (fixes performance expectation on 403/404 pages)
* #226728 by chx: (performance) temporary cache table entries were not flushed, causing cache_menu and cache_form to grow big
* #231587 by pwolanin, killes: (performance) use two level cache in menus, instead of storing very large amounts of data multiple times
* #239196 by jvandyk and myself: missing status check on nodes in search indexing counter
* rolling back #234403 by Bevan and damz: we should keep using LF in mail headers, without CR, CRLF causes problems
* #238564 by scor: two missing t() calls in update.module
* #241629 by solotandem: dblog module left one more row in, when cleaning up in cron
* #244597 by kbahey: remove cruft from user_login(), that added extra message to the form was never used or displayed
|
|
|
|
Drupal is software that allows an individual or a community of users to easily
publish, manage and organize a great variety of content on a website. Tens of
thousands of people and organizations have used Drupal to set up scores of
different kinds of web sites, including
* community web portals and discussion sites
* corporate web sites/intranet portals
* personal web sites
* aficionado sites
* e-commerce applications
* resource directories
Drupal includes features to enable:
* content management systems
* blogs
* collaborative authoring environments
* forums
* newsletters
* picture galleries
* file uploads and download
|
