Update to Drupal 7.19

istos · Jan 28, 2013 · 25d7fd7 · 25d7fd7
1 parent caada7d
commit 25d7fd7
Show file tree

Hide file tree

Showing 134 changed files with 476 additions and 368 deletions.
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
@@ -1,3 +1,7 @@
+Drupal 7.19, 2013-01-16
+-----------------------
+- Fixed security issues (multiple vulnerabilities). See SA-CORE-2013-001.
+
 Drupal 7.18, 2012-12-19
 -----------------------
 - Fixed security issues (multiple vulnerabilities). See SA-CORE-2012-004.

diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.18');
+define('VERSION', '7.19');
 
 /**
  * Core API compatibility.

diff --git a/misc/collapse.js b/misc/collapse.js
@@ -58,9 +58,9 @@ Drupal.behaviors.collapse = {
     $('fieldset.collapsible', context).once('collapse', function () {
       var $fieldset = $(this);
       // Expand fieldset if there are errors inside, or if it contains an
-      // element that is targeted by the URI fragment identifier. 
+      // element that is targeted by the URI fragment identifier.
       var anchor = location.hash && location.hash != '#' ? ', ' + location.hash : '';
-      if ($('.error' + anchor, $fieldset).length) {
+      if ($fieldset.find('.error' + anchor).length) {
         $fieldset.removeClass('collapsed');
       }
 

diff --git a/misc/drupal.js b/misc/drupal.js
@@ -6,6 +6,27 @@ jQuery.noConflict();
 
 (function ($) {
 
+/**
+ * Override jQuery.fn.init to guard against XSS attacks.
+ *
+ * See http://bugs.jquery.com/ticket/9521
+ */
+var jquery_init = $.fn.init;
+$.fn.init = function (selector, context, rootjQuery) {
+  // If the string contains a "#" before a "<", treat it as invalid HTML.
+  if (selector && typeof selector === 'string') {
+    var hash_position = selector.indexOf('#');
+    if (hash_position >= 0) {
+      var bracket_position = selector.indexOf('<');
+      if (bracket_position > hash_position) {
+        throw 'Syntax error, unrecognized expression: ' + selector;
+      }
+    }
+  }
+  return jquery_init.call(this, selector, context, rootjQuery);
+};
+$.fn.init.prototype = jquery_init.prototype;
+
 /**
  * Attach all registered behaviors to a page element.
  *

diff --git a/misc/vertical-tabs.js b/misc/vertical-tabs.js
@@ -50,8 +50,8 @@ Drupal.behaviors.verticalTabs = {
       if (!tab_focus) {
         // If the current URL has a fragment and one of the tabs contains an
         // element that matches the URL fragment, activate that tab.
-        if (window.location.hash && $(window.location.hash, this).length) {
-          tab_focus = $(window.location.hash, this).closest('.vertical-tabs-pane');
+        if (window.location.hash && $(this).find(window.location.hash).length) {
+          tab_focus = $(this).find(window.location.hash).closest('.vertical-tabs-pane');
         }
         else {
           tab_focus = $('> .vertical-tabs-pane:first', this);

diff --git a/modules/aggregator/aggregator.info b/modules/aggregator/aggregator.info
@@ -7,8 +7,8 @@ files[] = aggregator.test
 configure = admin/config/services/aggregator/settings
 stylesheets[all][] = aggregator.css
 
-; Information added by drupal.org packaging script on 2012-12-19
-version = "7.18"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "7.19"
 project = "drupal"
-datestamp = "1355944003"
+datestamp = "1358374870"
 
diff --git a/modules/aggregator/tests/aggregator_test.info b/modules/aggregator/tests/aggregator_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2012-12-19
-version = "7.18"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "7.19"
 project = "drupal"
-datestamp = "1355944003"
+datestamp = "1358374870"
 
diff --git a/modules/block/block.info b/modules/block/block.info
@@ -6,8 +6,8 @@ core = 7.x
 files[] = block.test
 configure = admin/structure/block
 
-; Information added by drupal.org packaging script on 2012-12-19
-version = "7.18"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "7.19"
 project = "drupal"
-datestamp = "1355944003"
+datestamp = "1358374870"
 
diff --git a/modules/block/tests/block_test.info b/modules/block/tests/block_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2012-12-19
-version = "7.18"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "7.19"
 project = "drupal"
-datestamp = "1355944003"
+datestamp = "1358374870"
 
diff --git a/modules/block/tests/themes/block_test_theme/block_test_theme.info b/modules/block/tests/themes/block_test_theme/block_test_theme.info
@@ -13,8 +13,8 @@ regions[footer] = Footer
 regions[highlighted] = Highlighted
 regions[help] = Help
 
-; Information added by drupal.org packaging script on 2012-12-19
-version = "7.18"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "7.19"
 project = "drupal"
-datestamp = "1355944003"
+datestamp = "1358374870"
 
diff --git a/modules/blog/blog.info b/modules/blog/blog.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 files[] = blog.test
 
-; Information added by drupal.org packaging script on 2012-12-19
-version = "7.18"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "7.19"
 project = "drupal"
-datestamp = "1355944003"
+datestamp = "1358374870"
 
diff --git a/modules/book/book.info b/modules/book/book.info
@@ -7,8 +7,8 @@ files[] = book.test
 configure = admin/content/book/settings
 stylesheets[all][] = book.css
 
-; Information added by drupal.org packaging script on 2012-12-19
-version = "7.18"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "7.19"
 project = "drupal"
-datestamp = "1355944003"
+datestamp = "1358374870"
 
diff --git a/modules/book/book.pages.inc b/modules/book/book.pages.inc
@@ -38,6 +38,15 @@ function book_render() {
  *   format determined by the $type parameter.
  */
 function book_export($type, $nid) {
+  // Check that the node exists and that the current user has access to it.
+  $node = node_load($nid);
+  if (!$node) {
+    return MENU_NOT_FOUND;
+  }
+  if (!node_access('view', $node)) {
+    return MENU_ACCESS_DENIED;
+  }
+
   $type = drupal_strtolower($type);
 
   $export_function = 'book_export_' . $type;

diff --git a/modules/book/book.test b/modules/book/book.test
@@ -258,6 +258,13 @@ class BookTestCase extends DrupalWebTestCase {
     // Try getting the URL directly, and verify it fails.
     $this->drupalGet('book/export/html/' . $this->book->nid);
     $this->assertResponse('403', t('Anonymous user properly forbidden.'));
+
+    // Now grant anonymous users permission to view the printer-friendly
+    // version and verify that node access restrictions still prevent them from
+    // seeing it.
+    user_role_grant_permissions(DRUPAL_ANONYMOUS_RID, array('access printer-friendly version'));
+    $this->drupalGet('book/export/html/' . $this->book->nid);
+    $this->assertResponse('403', 'Anonymous user properly forbidden from seeing the printer-friendly version when denied by node access.');
   }
 
   /**

diff --git a/modules/color/color.info b/modules/color/color.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 files[] = color.test
 
-; Information added by drupal.org packaging script on 2012-12-19
-version = "7.18"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "7.19"
 project = "drupal"
-datestamp = "1355944003"
+datestamp = "1358374870"
 
diff --git a/modules/comment/comment.info b/modules/comment/comment.info
@@ -9,8 +9,8 @@ files[] = comment.test
 configure = admin/content/comment
 stylesheets[all][] = comment.css
 
-; Information added by drupal.org packaging script on 2012-12-19
-version = "7.18"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "7.19"
 project = "drupal"
-datestamp = "1355944003"
+datestamp = "1358374870"
 
diff --git a/modules/contact/contact.info b/modules/contact/contact.info
@@ -6,8 +6,8 @@ core = 7.x
 files[] = contact.test
 configure = admin/structure/contact
 
-; Information added by drupal.org packaging script on 2012-12-19
-version = "7.18"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "7.19"
 project = "drupal"
-datestamp = "1355944003"
+datestamp = "1358374870"
 
diff --git a/modules/contextual/contextual.info b/modules/contextual/contextual.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 files[] = contextual.test
 
-; Information added by drupal.org packaging script on 2012-12-19
-version = "7.18"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "7.19"
 project = "drupal"
-datestamp = "1355944003"
+datestamp = "1358374870"
 
diff --git a/modules/dashboard/dashboard.info b/modules/dashboard/dashboard.info
@@ -7,8 +7,8 @@ files[] = dashboard.test
 dependencies[] = block
 configure = admin/dashboard/customize
 
-; Information added by drupal.org packaging script on 2012-12-19
-version = "7.18"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "7.19"
 project = "drupal"
-datestamp = "1355944003"
+datestamp = "1358374870"
 
diff --git a/modules/dblog/dblog.info b/modules/dblog/dblog.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 files[] = dblog.test
 
-; Information added by drupal.org packaging script on 2012-12-19
-version = "7.18"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "7.19"
 project = "drupal"
-datestamp = "1355944003"
+datestamp = "1358374870"
 
diff --git a/modules/field/field.info b/modules/field/field.info
@@ -10,8 +10,8 @@ dependencies[] = field_sql_storage
 required = TRUE
 stylesheets[all][] = theme/field.css
 
-; Information added by drupal.org packaging script on 2012-12-19
-version = "7.18"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "7.19"
 project = "drupal"
-datestamp = "1355944003"
+datestamp = "1358374870"
 
diff --git a/modules/field/modules/field_sql_storage/field_sql_storage.info b/modules/field/modules/field_sql_storage/field_sql_storage.info
@@ -7,8 +7,8 @@ dependencies[] = field
 files[] = field_sql_storage.test
 required = TRUE
 
-; Information added by drupal.org packaging script on 2012-12-19
-version = "7.18"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "7.19"
 project = "drupal"
-datestamp = "1355944003"
+datestamp = "1358374870"
 
diff --git a/modules/field/modules/list/list.info b/modules/field/modules/list/list.info
@@ -7,8 +7,8 @@ dependencies[] = field
 dependencies[] = options
 files[] = tests/list.test
 
-; Information added by drupal.org packaging script on 2012-12-19
-version = "7.18"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "7.19"
 project = "drupal"
-datestamp = "1355944003"
+datestamp = "1358374870"
 
diff --git a/modules/field/modules/list/tests/list_test.info b/modules/field/modules/list/tests/list_test.info
@@ -5,8 +5,8 @@ package = Testing
 version = VERSION
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2012-12-19
-version = "7.18"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "7.19"
 project = "drupal"
-datestamp = "1355944003"
+datestamp = "1358374870"
 
diff --git a/modules/field/modules/number/number.info b/modules/field/modules/number/number.info
@@ -6,8 +6,8 @@ core = 7.x
 dependencies[] = field
 files[] = number.test
 
-; Information added by drupal.org packaging script on 2012-12-19
-version = "7.18"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "7.19"
 project = "drupal"
-datestamp = "1355944003"
+datestamp = "1358374870"
 
diff --git a/modules/field/modules/options/options.info b/modules/field/modules/options/options.info
@@ -6,8 +6,8 @@ core = 7.x
 dependencies[] = field
 files[] = options.test
 
-; Information added by drupal.org packaging script on 2012-12-19
-version = "7.18"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "7.19"
 project = "drupal"
-datestamp = "1355944003"
+datestamp = "1358374870"
 
diff --git a/modules/field/modules/text/text.info b/modules/field/modules/text/text.info
@@ -7,8 +7,8 @@ dependencies[] = field
 files[] = text.test
 required = TRUE
 
-; Information added by drupal.org packaging script on 2012-12-19
-version = "7.18"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "7.19"
 project = "drupal"
-datestamp = "1355944003"
+datestamp = "1358374870"
 
diff --git a/modules/field/tests/field_test.info b/modules/field/tests/field_test.info
@@ -6,8 +6,8 @@ files[] = field_test.entity.inc
 version = VERSION
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2012-12-19
-version = "7.18"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "7.19"
 project = "drupal"
-datestamp = "1355944003"
+datestamp = "1358374870"
 
diff --git a/modules/field_ui/field_ui.info b/modules/field_ui/field_ui.info
@@ -6,8 +6,8 @@ core = 7.x
 dependencies[] = field
 files[] = field_ui.test
 
-; Information added by drupal.org packaging script on 2012-12-19
-version = "7.18"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "7.19"
 project = "drupal"
-datestamp = "1355944003"
+datestamp = "1358374870"
 
diff --git a/modules/file/file.info b/modules/file/file.info
@@ -6,8 +6,8 @@ core = 7.x
 dependencies[] = field
 files[] = tests/file.test
 
-; Information added by drupal.org packaging script on 2012-12-19
-version = "7.18"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "7.19"
 project = "drupal"
-datestamp = "1355944003"
+datestamp = "1358374870"
 
diff --git a/modules/file/tests/file_module_test.info b/modules/file/tests/file_module_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2012-12-19
-version = "7.18"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "7.19"
 project = "drupal"
-datestamp = "1355944003"
+datestamp = "1358374870"
 
diff --git a/modules/filter/filter.info b/modules/filter/filter.info
@@ -7,8 +7,8 @@ files[] = filter.test
 required = TRUE
 configure = admin/config/content/formats
 
-; Information added by drupal.org packaging script on 2012-12-19
-version = "7.18"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "7.19"
 project = "drupal"
-datestamp = "1355944003"
+datestamp = "1358374870"