
Update Drupal Core 6.25 ==> 6.28

1 parent 7a55474 commit c3aac2589aadf2a72caead4eff1e46f081b75b87 @kwcoffman kwcoffman committed Mar 25, 2013
Showing with 348 additions and 233 deletions.
  1. +13 −0 CHANGELOG.txt
  2. +8 −3 COPYRIGHT.txt
  3. +1 −1 MAINTAINERS.txt
  4. +2 −2 includes/bootstrap.inc
  5. +4 −0 includes/cache.inc
  6. +29 −14 includes/common.inc
  7. +3 −2 includes/database.mysql-common.inc
  8. +7 −7 includes/database.mysql.inc
  9. +6 −6 includes/database.mysqli.inc
  10. +5 −5 includes/database.pgsql.inc
  11. +5 −2 includes/file.inc
  12. +10 −5 includes/form.inc
  13. +1 −1 includes/install.mysql.inc
  14. +1 −1 includes/install.mysqli.inc
  15. +1 −1 includes/install.pgsql.inc
  16. +1 −4 includes/locale.inc
  17. +18 −6 includes/theme.inc
  18. +23 −0 misc/drupal.js
  19. +1 −1 misc/tabledrag.js
  20. +1 −1 misc/tableheader.js
  21. +3 −3 modules/aggregator/aggregator.info
  22. +3 −3 modules/block/block.info
  23. +3 −3 modules/blog/blog.info
  24. +3 −3 modules/blogapi/blogapi.info
  25. +2 −2 modules/blogapi/blogapi.install
  26. +3 −3 modules/book/book.info
  27. +8 −0 modules/book/book.pages.inc
  28. +3 −3 modules/color/color.info
  29. +0 −1 modules/comment/comment-wrapper.tpl.php
  30. +3 −3 modules/comment/comment.info
  31. +2 −2 modules/comment/comment.install
  32. +0 −1 modules/comment/comment.module
  33. +3 −3 modules/contact/contact.info
  34. +1 −1 modules/dblog/dblog.admin.inc
  35. +3 −3 modules/dblog/dblog.info
  36. +2 −2 modules/dblog/dblog.install
  37. +1 −1 modules/dblog/dblog.module
  38. +3 −3 modules/filter/filter.info
  39. +1 −1 modules/filter/filter.module
  40. +3 −3 modules/forum/forum.info
  41. +1 −1 modules/forum/forum.module
  42. +3 −3 modules/help/help.info
  43. +3 −3 modules/locale/locale.info
  44. +4 −4 modules/locale/locale.install
  45. +3 −3 modules/menu/menu.info
  46. +0 −1 modules/menu/menu.module
  47. +3 −3 modules/node/node.info
  48. +3 −0 modules/node/node.pages.inc
  49. +1 −1 modules/node/node.tpl.php
  50. +3 −3 modules/openid/openid.info
  51. +2 −2 modules/openid/openid.install
  52. +4 −2 modules/openid/openid.module
  53. +3 −3 modules/path/path.info
  54. +3 −3 modules/php/php.info
  55. +3 −3 modules/ping/ping.info
  56. +3 −3 modules/poll/poll.info
  57. +1 −1 modules/profile/profile-wrapper.tpl.php
  58. +3 −3 modules/profile/profile.info
  59. +3 −3 modules/search/search.info
  60. +1 −1 modules/search/search.module
  61. +3 −3 modules/statistics/statistics.info
  62. +2 −2 modules/statistics/statistics.install
  63. +3 −3 modules/syslog/syslog.info
  64. +1 −1 modules/system/system.admin.inc
  65. +3 −3 modules/system/system.info
  66. +3 −3 modules/system/system.install
  67. +3 −5 modules/system/system.module
  68. +3 −3 modules/taxonomy/taxonomy.info
  69. +3 −3 modules/throttle/throttle.info
  70. +3 −3 modules/tracker/tracker.info
  71. +3 −3 modules/translation/translation.info
  72. +3 −3 modules/trigger/trigger.info
  73. +3 −3 modules/update/update.info
  74. +3 −3 modules/upload/upload.info
  75. +2 −2 modules/upload/upload.module
  76. +15 −0 modules/user/user.admin.inc
  77. +3 −3 modules/user/user.info
  78. +26 −15 modules/user/user.module
  79. +1 −1 scripts/drupal.sh
  80. +3 −3 themes/bluemarine/bluemarine.info
  81. +3 −3 themes/chameleon/chameleon.info
  82. +3 −3 themes/chameleon/marvin/marvin.info
  83. +3 −3 themes/garland/garland.info
  84. +3 −3 themes/garland/minnelli/minnelli.info
  85. +3 −3 themes/pushbutton/pushbutton.info
  86. +4 −1 update.php
13 CHANGELOG.txt
@@ -1,4 +1,17 @@
+Drupal 6.28, 2013-01-16
+----------------------
+- Fixed security issues (multiple vulnerabilities), see SA-CORE-2013-001.
+
+Drupal 6.27, 2012-12-19
+----------------------
+- Fixed security issues (multiple vulnerabilities), see SA-CORE-2012-004.
+
+Drupal 6.26, 2012-05-02
+----------------------
+- Fixed a small number of bugs.
+- Made code documentation improvements.
+
Drupal 6.25, 2012-02-29
----------------------
- Fixed regressions introduced in Drupal 6.24 only.
11 COPYRIGHT.txt
@@ -1,5 +1,4 @@
-
-All Drupal code is Copyright 2001 - 2010 by the original authors.
+All Drupal code is Copyright 2001 - 2012 by the original authors.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -20,5 +19,11 @@ Drupal includes works under other copyright notices and distributed
according to the terms of the GNU General Public License or a compatible
license, including:
- jQuery - Copyright (c) 2008 - 2009 John Resig
+Javascript
+
+ Farbtastic - Copyright (c) 2007 Matt Farina
+
+ jQuery - Copyright (c) 2008 John Resig
+
+ jQuery Form - Copyright (c) 2007 Mike Alsup
2 MAINTAINERS.txt
@@ -57,7 +57,7 @@ M: Sammy Spets <sammys-drupal@synerger.com>
S: maintained
SECURITY COORDINATOR
-M: Heine Deelstra <hdeelstra@gmail.com>
+M: Greg Knaddison <http://drupal.org/user/36762>
S: maintained
STATISTICS MODULE
4 includes/bootstrap.inc
@@ -403,7 +403,7 @@ function conf_init() {
include_once './'. conf_path() .'/settings.php';
}
- // Ignore the placeholder url from default.settings.php.
+ // Ignore the placeholder URL from default.settings.php.
if (isset($db_url) && $db_url == 'mysql://username:password@localhost/databasename') {
$db_url = '';
}
@@ -442,7 +442,7 @@ function conf_init() {
}
else {
// Otherwise use $base_url as session name, without the protocol
- // to use the same session identifiers across http and https.
+ // to use the same session identifiers across HTTP and HTTPS.
list( , $session_name) = explode('://', $base_url, 2);
// We escape the hostname because it can be modified by a visitor.
if (!empty($_SERVER['HTTP_HOST'])) {
4 includes/cache.inc
@@ -9,6 +9,8 @@
* @param $table
* The table $table to store the data in. Valid core values are 'cache_filter',
* 'cache_menu', 'cache_page', or 'cache' for the default cache.
+ *
+ * @see cache_set()
*/
function cache_get($cid, $table = 'cache') {
global $user;
@@ -97,6 +99,8 @@ function cache_get($cid, $table = 'cache') {
* the given time, after which it behaves like CACHE_TEMPORARY.
* @param $headers
* A string containing HTTP header information for cached pages.
+ *
+ * @see cache_get()
*/
function cache_set($cid, $data, $table = 'cache', $expire = CACHE_PERMANENT, $headers = NULL) {
$serialized = 0;
43 includes/common.inc
@@ -176,7 +176,7 @@ function drupal_final_markup($content) {
* Add a feed URL for the current page.
*
* @param $url
- * A url for the feed.
+ * A URL for the feed.
* @param $title
* The title of the feed.
*/
@@ -296,13 +296,16 @@ function drupal_get_destination() {
* statement in your menu callback.
*
* @param $path
- * A Drupal path or a full URL.
+ * (optional) A Drupal path or a full URL, which will be passed to url() to
+ * compute the redirect for the URL.
* @param $query
- * A query string component, if any.
+ * (optional) A URL-encoded query string to append to the link, or an array of
+ * query key/value-pairs without any URL-encoding. Passed to url().
* @param $fragment
- * A destination fragment identifier (named anchor).
+ * (optional) A destination fragment identifier (named anchor).
* @param $http_response_code
- * Valid values for an actual "goto" as per RFC 2616 section 10.3 are:
+ * (optional) The HTTP status code to use for the redirection, defaults to
+ * 302. Valid values for an actual "goto" as per RFC 2616 section 10.3 are:
* - 301 Moved Permanently (the recommended value for most redirects)
* - 302 Found (default in Drupal and PHP, sometimes used for spamming search
* engines)
@@ -530,7 +533,7 @@ function drupal_http_request($url, $headers = array(), $method = 'GET', $data =
$defaults['Content-Length'] = 'Content-Length: '. $content_length;
}
- // If the server url has a user then attempt to use basic authentication
+ // If the server URL has a user then attempt to use basic authentication
if (isset($uri['user'])) {
$defaults['Authorization'] = 'Authorization: Basic '. base64_encode($uri['user'] . (!empty($uri['pass']) ? ":". $uri['pass'] : ''));
}
@@ -579,8 +582,10 @@ function drupal_http_request($url, $headers = array(), $method = 'GET', $data =
}
fclose($fp);
- // Parse response.
- list($split, $result->data) = explode("\r\n\r\n", $response, 2);
+ // Parse response headers from the response body.
+ // Be tolerant of malformed HTTP responses that separate header and body with
+ // \n\n or \r\r instead of \r\n\r\n. See http://drupal.org/node/183435
+ list($split, $result->data) = preg_split("/\r\n\r\n|\n\n|\r\r/", $response, 2);
$split = preg_split("/\r\n|\n|\r/", $split);
list($protocol, $code, $status_message) = explode(' ', trim(array_shift($split)), 3);
@@ -1420,8 +1425,9 @@ function format_date($timestamp, $type = 'medium', $format = '', $timezone = NUL
* alternative than url().
*
* @param $path
- * The internal path or external URL being linked to, such as "node/34" or
- * "http://example.com/foo". A few notes:
+ * (optional) The internal path or external URL being linked to, such as
+ * "node/34" or "http://example.com/foo". The default value is equivalent to
+ * passing in '<front>'. A few notes:
* - If you provide a full URL, it will be considered an external URL.
* - If you provide only the path (e.g. "node/34"), it will be
* considered an internal link. In this case, it should be a system URL,
@@ -1437,7 +1443,8 @@ function format_date($timestamp, $type = 'medium', $format = '', $timezone = NUL
* include them in $path, or use $options['query'] to let this function
* URL encode them.
* @param $options
- * An associative array of additional options, with the following elements:
+ * (optional) An associative array of additional options, with the following
+ * elements:
* - 'query': A URL-encoded query string to append to the link, or an array of
* query key/value-pairs without any URL-encoding.
* - 'fragment': A fragment identifier (named anchor) to append to the URL.
@@ -1589,6 +1596,14 @@ function drupal_attributes($attributes = array()) {
* internal links output by modules should be generated by this function if
* possible.
*
+ * However, for links enclosed in translatable text you should use t() and
+ * embed the HTML anchor tag directly in the translated string. For example:
+ * @code
+ * t('Visit the <a href="@url">settings</a> page', array('@url' => url('admin')));
+ * @endcode
+ * This keeps the context of the link title ('settings' in the example) for
+ * translators.
+ *
* @param $text
* The link text for the anchor tag.
* @param $path
@@ -2571,8 +2586,8 @@ function drupal_to_js($var) {
* (optional) If set, the variable will be converted to JSON and output.
*/
function drupal_json($var = NULL) {
- // We are returning JavaScript, so tell the browser.
- drupal_set_header('Content-Type: text/javascript; charset=utf-8');
+ // We are returning JSON, so tell the browser.
+ drupal_set_header('Content-Type: application/json');
if (isset($var)) {
echo drupal_to_js($var);
@@ -3822,7 +3837,7 @@ function drupal_flush_all_caches() {
* Changes the character added to all css/js files as dummy query-string,
* so that all browsers are forced to reload fresh files. We keep
* 20 characters history (FIFO) to avoid repeats, but only the first
- * (newest) character is actually used on urls, to keep them short.
+ * (newest) character is actually used on URLs, to keep them short.
* This is also called from update.php.
*/
function _drupal_flush_css_js() {
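Review bot: In the drupal_http_request() hunk, `list($split, $result->data) = preg_split(...)` still assumes the remote server sent a header/body separator; when none of the three separators is present, preg_split() returns a single element, the second list() slot reads a missing index, a notice is raised and `$result->data` ends up NULL. The response comes from a remote host and should be parsed as untrusted input, so I would split into a variable first: `$parts = preg_split("/\r\n\r\n|\n\n|\r\r/", $response, 2);` then `$split = $parts[0];` and `$result->data = isset($parts[1]) ? $parts[1] : '';`. The function body starts and ends outside the hunk.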
5 includes/database.mysql-common.inc
@@ -26,8 +26,9 @@
* and TRUE values to decimal 1.
*
* @return
- * A database query result resource, or FALSE if the query was not
- * executed correctly.
+ * Successful SELECT, SHOW, DESCRIBE, EXPLAIN, or other queries which return a
+ * set of results will return a database query result resource. Other
+ * successful queries will return TRUE and failing queries will return FALSE.
*/
function db_query($query) {
$args = func_get_args();
14 includes/database.mysql.inc
@@ -55,9 +55,9 @@ function db_connect($url) {
_db_error_page('Unable to use the MySQL database because the MySQL extension for PHP is not installed. Check your <code>php.ini</code> to see how you can enable it.');
}
- // Decode url-encoded information in the db connection string
+ // Decode urlencoded information in the db connection string
$url['user'] = urldecode($url['user']);
- // Test if database url has a password.
+ // Test if database URL has a password.
$url['pass'] = isset($url['pass']) ? urldecode($url['pass']) : '';
$url['host'] = urldecode($url['host']);
$url['path'] = urldecode($url['path']);
@@ -176,7 +176,7 @@ function db_fetch_array($result) {
*
* @param $result
* A database query result resource, as returned from db_query().
- *
+ *
* @return
* The resulting field or FALSE.
*/
@@ -253,9 +253,9 @@ function db_query_range($query) {
/**
* Runs a SELECT query and stores its results in a temporary table.
*
- * Use this as a substitute for db_query() when the results need to stored
- * in a temporary table. Temporary tables exist for the duration of the page
- * request.
+ * Use this as a substitute for db_query() when the results need to be stored
+ * in a temporary table.
+ *
* User-supplied arguments to the query should be passed in as separate parameters
* so that they can be properly escaped to avoid SQL injection attacks.
*
@@ -274,10 +274,10 @@ function db_query_range($query) {
*
* NOTE: using this syntax will cast NULL and FALSE values to decimal 0,
* and TRUE values to decimal 1.
- *
* @param $table
* The name of the temporary table to select into. This name will not be
* prefixed as there is no risk of collision.
+ *
* @return
* A database query result resource, or FALSE if the query was not executed
* correctly.
12 includes/database.mysqli.inc
@@ -61,9 +61,9 @@ function db_connect($url) {
$url = parse_url($url);
- // Decode url-encoded information in the db connection string
+ // Decode urlencoded information in the db connection string
$url['user'] = urldecode($url['user']);
- // Test if database url has a password.
+ // Test if database URL has a password.
$url['pass'] = isset($url['pass']) ? urldecode($url['pass']) : '';
$url['host'] = urldecode($url['host']);
$url['path'] = urldecode($url['path']);
@@ -253,9 +253,9 @@ function db_query_range($query) {
/**
* Runs a SELECT query and stores its results in a temporary table.
*
- * Use this as a substitute for db_query() when the results need to stored
- * in a temporary table. Temporary tables exist for the duration of the page
- * request.
+ * Use this as a substitute for db_query() when the results need to be stored
+ * in a temporary table.
+ *
* User-supplied arguments to the query should be passed in as separate parameters
* so that they can be properly escaped to avoid SQL injection attacks.
*
@@ -274,10 +274,10 @@ function db_query_range($query) {
*
* NOTE: using this syntax will cast NULL and FALSE values to decimal 0,
* and TRUE values to decimal 1.
- *
* @param $table
* The name of the temporary table to select into. This name will not be
* prefixed as there is no risk of collision.
+ *
* @return
* A database query result resource, or FALSE if the query was not executed
* correctly.
10 includes/database.pgsql.inc
@@ -52,7 +52,7 @@ function db_connect($url) {
$url = parse_url($url);
$conn_string = '';
- // Decode url-encoded information in the db connection string
+ // Decode urlencoded information in the db connection string
if (isset($url['user'])) {
$conn_string .= ' user='. urldecode($url['user']);
}
@@ -287,9 +287,9 @@ function db_query_range($query) {
/**
* Runs a SELECT query and stores its results in a temporary table.
*
- * Use this as a substitute for db_query() when the results need to stored
- * in a temporary table. Temporary tables exist for the duration of the page
- * request.
+ * Use this as a substitute for db_query() when the results need to be stored
+ * in a temporary table.
+ *
* User-supplied arguments to the query should be passed in as separate parameters
* so that they can be properly escaped to avoid SQL injection attacks.
*
@@ -308,10 +308,10 @@ function db_query_range($query) {
*
* NOTE: using this syntax will cast NULL and FALSE values to decimal 0,
* and TRUE values to decimal 1.
- *
* @param $table
* The name of the temporary table to select into. This name will not be
* prefixed as there is no risk of collision.
+ *
* @return
* A database query result resource, or FALSE if the query was not executed
* correctly.
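--- a/includes/file.inc
+++ b/includes/file.inc
@@ -38,7 +38,7 @@ define('FILE_STATUS_PERMANENT', 1);
 * @return A string containing a URL that can be used to download the file.
 */
 function file_create_url($path) {
- // Strip file_directory_path from $path. We only include relative paths in urls.
+ // Strip file_directory_path from $path. We only include relative paths in URLs.
 if (strpos($path, file_directory_path() .'/') === 0) {
 $path = trim(substr($path, strlen(file_directory_path())), '\\/');
 }
@@ -403,6 +403,9 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
 // Allow potentially insecure uploads for very savvy users and admin
 if (!variable_get('allow_insecure_uploads', 0)) {
+ // Remove any null bytes. See http://php.net/manual/en/security.filesystem.nullbytes.php
+ $filename = str_replace(chr(0), '', $filename);
+
 $whitelist = array_unique(explode(' ', trim($extensions)));
 // Split the filename up by periods. The first part becomes the basename
@@ -862,7 +865,7 @@ function file_transfer($source, $headers) {
 }
 // IE cannot download private files because it cannot store files downloaded
- // over https in the browser cache. The problem can be solved by sending
+ // over HTTPS in the browser cache. The problem can be solved by sending
 // custom headers to IE. See http://support.microsoft.com/kb/323308/en-us
 if (isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] == 'on')) {
 drupal_set_header('Cache-Control: private');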
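Review bot: The null-byte strip in file_munge_filename() sits inside the `if (!variable_get('allow_insecure_uploads', 0))` branch, so a site that enables insecure uploads passes filenames with embedded NUL bytes through unchanged. Stripping NUL concerns how the filesystem layer truncates names, not which extensions are allowed, so I would move `$filename = str_replace(chr(0), '', $filename);` above the `if`. The function body continues outside the hunk, so whether a later step also rejects NUL cannot be confirmed from here.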
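--- a/includes/form.inc
+++ b/includes/form.inc
@@ -41,8 +41,8 @@
 *
 * For information on the format of the structured arrays used to define forms,
 * and more detailed explanations of the Form API workflow, see the
- * @link http://api.drupal.org/api/file/developer/topics/forms_api_reference.html/6 reference @endlink
- * and the @link http://drupal.org/node/204270 Form API guide. @endlink
+ * @link forms_api_reference.html reference @endlink and the
+ * @link http://drupal.org/node/204270 Form API guide. @endlink
 */
 /**
@@ -305,6 +305,11 @@ function drupal_execute($form_id, &$form_state) {
 $form = call_user_func_array('drupal_retrieve_form', $args);
 $form['#post'] = $form_state['values'];
+
+ // Reset form validation.
+ $form_state['must_validate'] = TRUE;
+ form_set_error(NULL, '', TRUE);
+
 drupal_prepare_form($form_id, $form, $form_state);
 drupal_process_form($form_id, $form, $form_state);
 }
@@ -575,7 +580,7 @@ function drupal_prepare_form($form_id, &$form, &$form_state) {
 function drupal_validate_form($form_id, $form, &$form_state) {
 static $validated_forms = array();
- if (isset($validated_forms[$form_id])) {
+ if (isset($validated_forms[$form_id]) && empty($form_state['must_validate'])) {
 return;
 }
@@ -1837,7 +1842,7 @@ function form_expand_ahah($element) {
 if (is_string($ahah_binding['progress'])) {
 $ahah_binding['progress'] = array('type' => $ahah_binding['progress']);
 }
- // Change progress path to a full url.
+ // Change progress path to a full URL.
 if (isset($ahah_binding['progress']['path'])) {
 $ahah_binding['progress']['url'] = url($ahah_binding['progress']['path']);
 }
@@ -2437,7 +2442,7 @@ function form_clean_id($id = NULL, $flush = FALSE) {
 * clean code independence, ensuring that several batches submitted by
 * different parts of the code (core / contrib modules) can be processed
 * correctly while not interfering or having to cope with each other. Each
- * batch set gets to specify his own UI messages, operates on its own set
+ * batch set gets to specify its own UI messages, operates on its own set
 * of operations and results, and triggers its own 'finished' callback.
 * Batch sets are processed sequentially, with the progress bar starting
 * fresh for every new set.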
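Review bot: The comment `// Reset form validation.` in drupal_execute() does not say why the reset is needed, and `must_validate` is a new `$form_state` key that no docblock in the visible hunks describes. The drupal_validate_form() hunk shows the reason: validation is cached per form ID in `static $validated_forms`, so a second programmatic submission of the same form in one request would return before validating. I would expand the comment to something like `// Force validation to run again: drupal_validate_form() caches per form ID, and errors from an earlier submission must not carry over.` and add a line for `must_validate` to the drupal_validate_form() docblock, which lies outside the hunk.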
2 includes/install.mysql.inc
@@ -26,7 +26,7 @@ function drupal_test_mysql($url, &$success) {
$url = parse_url($url);
- // Decode url-encoded information in the db connection string.
+ // Decode urlencoded information in the db connection string.
$url['user'] = urldecode($url['user']);
$url['pass'] = isset($url['pass']) ? urldecode($url['pass']) : '';
$url['host'] = urldecode($url['host']);
2 includes/install.mysqli.inc
@@ -26,7 +26,7 @@ function drupal_test_mysqli($url, &$success) {
$url = parse_url($url);
- // Decode url-encoded information in the db connection string.
+ // Decode urlencoded information in the db connection string.
$url['user'] = urldecode($url['user']);
$url['pass'] = isset($url['pass']) ? urldecode($url['pass']) : '';
$url['host'] = urldecode($url['host']);
2 includes/install.pgsql.inc
@@ -27,7 +27,7 @@ function drupal_test_pgsql($url, &$success) {
$url = parse_url($url);
$conn_string = '';
- // Decode url-encoded information in the db connection string
+ // Decode urlencoded information in the db connection string
if (isset($url['user'])) {
$conn_string .= ' user='. urldecode($url['user']);
}
5 includes/locale.inc
@@ -1293,14 +1293,11 @@ function _locale_import_one_string($op, $value = NULL, $mode = NULL, $lang = NUL
// data untouched or if we don't have an existing plural formula.
$header = _locale_import_parse_header($value['msgstr']);
- // Get the plural formula and update in database.
+ // Get and store the plural formula if available.
if (isset($header["Plural-Forms"]) && $p = _locale_import_parse_plural_forms($header["Plural-Forms"], $file->filename)) {
list($nplurals, $plural) = $p;
db_query("UPDATE {languages} SET plurals = %d, formula = '%s' WHERE language = '%s'", $nplurals, $plural, $lang);
}
- else {
- db_query("UPDATE {languages} SET plurals = %d, formula = '%s' WHERE language = '%s'", 0, '', $lang);
- }
}
$headerdone = TRUE;
}
24 includes/theme.inc
@@ -1191,12 +1191,24 @@ function theme_status_messages($display = NULL) {
}
/**
- * Return a themed set of links.
+ * Returns HTML for a set of links.
*
* @param $links
- * A keyed array of links to be themed.
+ * An associative array of links to be themed. The key for each link
+ * is used as its CSS class. Each link should be itself an array, with the
+ * following elements:
+ * - title: The link text.
+ * - href: The link URL. If omitted, the 'title' is shown as a plain text
+ * item in the links list.
+ * - html: (optional) Whether or not 'title' is HTML. If set, the title
+ * will not be passed through check_plain().
+ * - attributes: (optional) Attributes for the anchor, or for the <span> tag
+ * used in its place if no 'href' is supplied.
+ * If the 'href' element is supplied, the entire link array is passed to l()
+ * as its $options parameter.
* @param $attributes
- * A keyed array of attributes
+ * An associative array of attributes for the UL containing the list of links.
+ *
* @return
* A string containing an unordered list of links.
*/
@@ -1580,7 +1592,7 @@ function theme_more_help_link($url) {
*
* @see theme_feed_icon()
* @param $url
- * The url of the feed.
+ * The URL of the feed.
*/
function theme_xml_icon($url) {
if ($image = theme('image', 'misc/xml.png', t('XML feed'), t('XML feed'))) {
@@ -1592,7 +1604,7 @@ function theme_xml_icon($url) {
* Return code that emits an feed icon.
*
* @param $url
- * The url of the feed.
+ * The URL of the feed.
* @param $title
* A descriptive title of the feed.
*/
@@ -1606,7 +1618,7 @@ function theme_feed_icon($url, $title) {
* Returns code that emits the 'more' link used on blocks.
*
* @param $url
- * The url of the main page
+ * The URL of the main page
* @param $title
* A descriptive verb for the link, like 'Read more'
*/
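Review bot: The new `html` entry in the theme_links() docblock says the title "will not be passed through check_plain()" but does not say who is then responsible for escaping it, so a caller reading this could set `html` on a title built from user input. I would add a sentence such as `When 'html' is set, the caller must sanitize 'title' itself (for example with filter_xss()).` to that entry. The function body is outside the hunk.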
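--- a/misc/drupal.js
+++ b/misc/drupal.js
@@ -1,4 +1,27 @@
+/**
+ * Override jQuery.fn.init to guard against XSS attacks.
+ *
+ * See http://bugs.jquery.com/ticket/9521
+ */
+(function () {
+ var jquery_init = jQuery.fn.init;
+ jQuery.fn.init = function (selector, context, rootjQuery) {
+ // If the string contains a "#" before a "<", treat it as invalid HTML.
+ if (selector && typeof selector === 'string') {
+ var hash_position = selector.indexOf('#');
+ if (hash_position >= 0) {
+ var bracket_position = selector.indexOf('<');
+ if (bracket_position > hash_position) {
+ throw 'Syntax error, unrecognized expression: ' + selector;
+ }
+ }
+ }
+ return jquery_init.call(this, selector, context, rootjQuery);
+ };
+ jQuery.fn.init.prototype = jquery_init.prototype;
+})();
+
 var Drupal = Drupal || { 'settings': {}, 'behaviors': {}, 'themes': {}, 'locale': {} };
 /**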
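Review bot: The guard in the jQuery.fn.init override throws a bare string, so a caller that catches it and reads `e.message` gets undefined and no stack is attached; `throw new Error('Syntax error, unrecognized expression: ' + selector);` keeps the same text. The check rejects only strings in which a `#` comes before a `<`, so the header comment could state that it is a backstop and that code should still avoid handing URL-derived strings such as `location.hash` to `$()`.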
2 misc/tabledrag.js
@@ -1014,7 +1014,7 @@ Drupal.tableDrag.prototype.row.prototype.findSiblings = function(rowSettings) {
var siblings = new Array();
var directions = new Array('prev', 'next');
var rowIndentation = this.indents;
- for (var d in directions) {
+ for (var d = 0; d < directions.length; d++) {
var checkRow = $(this.element)[directions[d]]();
while (checkRow.length) {
// Check that the sibling contains a similar target field.
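--- a/misc/tableheader.js
+++ b/misc/tableheader.js
@@ -69,7 +69,7 @@ Drupal.behaviors.tableHeader = function (context) {
 // Get the height of the header table and scroll up that amount.
 if (prevAnchor != location.hash) {
 if (location.hash != '') {
- var offset = $('td' + location.hash).offset();
+ var offset = $(document).find('td' + location.hash).offset();
 if (offset) {
 var top = offset.top;
 var scrollLocation = top - $(e).height();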
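Review bot: `$(document).find('td' + location.hash)` no longer lets the fragment be parsed as HTML, but the fragment is still spliced into a selector unescaped, so a hash containing selector metacharacters can raise a syntax error or match a different cell than intended. Looking the element up by ID avoids building a selector from URL data: `var cell = document.getElementById(location.hash.substring(1));` followed by `var offset = cell ? $(cell).offset() : null;` (a `nodeName` check would be needed if the `td` restriction matters). The enclosing handler starts and ends outside the hunk.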
6 modules/aggregator/aggregator.info
@@ -4,8 +4,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
6 modules/block/block.info
@@ -4,8 +4,8 @@ package = Core - required
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
6 modules/blog/blog.info
@@ -4,8 +4,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
6 modules/blogapi/blogapi.info
@@ -4,8 +4,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
4 modules/blogapi/blogapi.install
@@ -58,7 +58,7 @@ function blogapi_schema() {
}
/**
- * @defgroup updates-5.x-to-6.x Blog API updates from 5.x to 6.x
+ * @addtogroup updates-5.x-to-6.x
* @{
*/
@@ -118,7 +118,7 @@ function blogapi_update_6001() {
}
/**
- * @} End of "defgroup updates-5.x-to-6.x"
+ * @} End of "addtogroup updates-5.x-to-6.x".
* The next series of updates should start at 7000.
*/
6 modules/book/book.info
@@ -4,8 +4,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
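--- a/modules/book/book.pages.inc
+++ b/modules/book/book.pages.inc
@@ -39,6 +39,14 @@ function book_render() {
 * in a format determined by the $type parameter.
 */
 function book_export($type, $nid) {
+ // Check that the node exists and that the current user has access to it.
+ $node = node_load($nid);
+ if (!$node) {
+ return MENU_NOT_FOUND;
+ }
+ if (!node_access('view', $node)) {
+ return MENU_ACCESS_DENIED;
+ }
 $type = drupal_strtolower($type);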
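Review bot: The access check added to book_export() covers only the node named by `$nid`; nothing in the hunk shows whether the pages below it are checked individually when the export walks the book, so that path should be confirmed before relying on this fix alone. The docblock above (only its last line is visible) should also mention the new return values, e.g. `MENU_NOT_FOUND if the node does not exist, MENU_ACCESS_DENIED if the current user may not view it`. The function body continues outside the hunk.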
6 modules/color/color.info
@@ -4,8 +4,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
1 modules/comment/comment-wrapper.tpl.php
@@ -27,7 +27,6 @@
* - COMMENT_CONTROLS_HIDDEN
*
* @see template_preprocess_comment_wrapper()
- * @see theme_comment_wrapper()
*/
?>
<div id="comments">
6 modules/comment/comment.info
@@ -4,8 +4,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
4 modules/comment/comment.install
@@ -67,7 +67,7 @@ function comment_update_6003() {
}
/**
- * @defgroup updates-6.x-extra Extra system updates for 6.x
+ * @addtogroup updates-6.x-extra
* @{
*/
@@ -91,7 +91,7 @@ function comment_update_6005() {
}
/**
- * @} End of "defgroup updates-6.x-extra"
+ * @} End of "addtogroup updates-6.x-extra".
* The next series of updates should start at 7000.
*/
1 modules/comment/comment.module
@@ -1819,7 +1819,6 @@ function theme_comment_post_forbidden($node) {
* Process variables for comment-wrapper.tpl.php.
*
* @see comment-wrapper.tpl.php
- * @see theme_comment_wrapper()
*/
function template_preprocess_comment_wrapper(&$variables) {
// Provide contextual information.
6 modules/contact/contact.info
@@ -4,8 +4,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
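--- a/modules/dblog/dblog.admin.inc
+++ b/modules/dblog/dblog.admin.inc
@@ -79,7 +79,7 @@ function dblog_overview() {
 format_date($dblog->timestamp, 'small'),
 l(truncate_utf8(_dblog_format_message($dblog), 56, TRUE, TRUE), 'admin/reports/event/'. $dblog->wid, array('html' => TRUE)),
 theme('username', $dblog),
- $dblog->link,
+ filter_xss($dblog->link),
 ),
 // Attributes for tr
 'class' => "dblog-". preg_replace('/[^a-z]/i', '-', $dblog->type) .' '. $classes[$dblog->severity]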
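Review bot: `filter_xss($dblog->link)` fixes the overview table, but the hunk carries no comment on why this column is filtered rather than escaped, and the same stored value is presumably printed on the single-event page as well, which is outside this section. I would add `// The link is supplied by the watchdog() caller and may contain markup; keep only the tags filter_xss() allows.` above the line and check that every other place that prints `$dblog->link` gets the same treatment. dblog_overview() starts and ends outside the hunk.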
6 modules/dblog/dblog.info
@@ -4,8 +4,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
4 modules/dblog/dblog.install
@@ -100,7 +100,7 @@ function dblog_schema() {
}
/**
- * @defgroup updates-6.x-extra Extra database logging updates for 6.x
+ * @addtogroup updates-6.x-extra
* @{
*/
@@ -114,6 +114,6 @@ function dblog_update_6000() {
}
/**
- * @} End of "defgroup updates-6.x-extra"
+ * @} End of "addtogroup updates-6.x-extra".
* The next series of updates should start at 7000.
*/
2 modules/dblog/dblog.module
@@ -97,7 +97,7 @@ function dblog_init() {
/**
* Implementation of hook_cron().
*
- * Remove expired log messages and flood control events.
+ * Remove expired log messages.
*/
function dblog_cron() {
// Cleanup the watchdog table
6 modules/filter/filter.info
@@ -4,8 +4,8 @@ package = Core - required
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
2 modules/filter/filter.module
@@ -746,7 +746,7 @@ function _filter_url_settings($format) {
/**
* URL filter. Automatically converts text web addresses (URLs, e-mail addresses,
- * ftp links, etc.) into hyperlinks.
+ * FTP links, etc.) into hyperlinks.
*/
function _filter_url($text, $format) {
// Pass length to regexp callback
6 modules/forum/forum.info
@@ -6,8 +6,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
2 modules/forum/forum.module
@@ -690,7 +690,7 @@ function template_preprocess_forums(&$variables) {
// Check if the current user has the 'create' permission for this node type.
if (node_access('create', $type)) {
// Fetch the "General" name of the content type;
- // Push the link with title and url to the array.
+ // Push the link with title and URL to the array.
$forum_types[$type] = array('title' => t('Post new @node_type', array('@node_type' => node_get_types('name', $type))), 'href' => 'node/add/'. str_replace('_', '-', $type) .'/'. $variables['tid']);
}
}
6 modules/help/help.info
@@ -4,8 +4,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
6 modules/locale/locale.info
@@ -4,8 +4,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
8 modules/locale/locale.install
@@ -15,7 +15,7 @@ function locale_install() {
}
/**
- * @defgroup updates-5.x-to-6.x Locale updates from 5.x to 6.x
+ * @addtogroup updates-5.x-to-6.x
* @{
*/
@@ -221,11 +221,11 @@ function locale_update_6006() {
}
/**
- * @} End of "defgroup updates-5.x-to-6.x"
+ * @} End of "addtogroup updates-5.x-to-6.x".
*/
/**
- * @defgroup updates-6.x-extra Locale updates for 6.x
+ * @addtogroup updates-6.x-extra
* @{
*/
@@ -239,7 +239,7 @@ function locale_update_6007() {
}
/**
- * @} End of "defgroup updates-6.x-extra"
+ * @} End of "addtogroup updates-6.x-extra".
* The next series of updates should start at 7000.
*/
6 modules/menu/menu.info
@@ -4,8 +4,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
1 modules/menu/menu.module
@@ -273,7 +273,6 @@ function menu_block($op = 'list', $delta = 0) {
if ($op == 'list') {
$blocks = array();
foreach ($menus as $name => $title) {
- // Default "Navigation" block is handled by user.module.
$blocks[$name]['info'] = check_plain($title);
// Menu blocks can't be cached because each menu item can have
// a custom access callback. menu.inc manages its own caching.
6 modules/node/node.info
@@ -4,8 +4,8 @@ package = Core - required
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
3 modules/node/node.pages.inc
@@ -14,6 +14,9 @@ function node_page_edit($node) {
return drupal_get_form($node->type .'_node_form', $node);
}
+/**
+ * Page callback: Displays add content links for available content types.
+ */
function node_add_page() {
$item = menu_get_item();
$content = system_admin_menu_block($item);
2 modules/node/node.tpl.php
@@ -15,7 +15,7 @@
* - $links: Themed links like "Read more", "Add new comment", etc. output
* from theme_links().
* - $name: Themed username of node author output from theme_username().
- * - $node_url: Direct url of the current node.
+ * - $node_url: Direct URL of the current node.
* - $terms: the themed list of taxonomy term links output from theme_links().
* - $submitted: themed submission information output from
* theme_node_submitted().
6 modules/openid/openid.info
@@ -4,8 +4,8 @@ version = VERSION
package = Core - optional
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
4 modules/openid/openid.install
@@ -95,7 +95,7 @@ function openid_schema() {
}
/**
- * @defgroup updates-6.x-extra Extra openid updates for 6.x
+ * @addtogroup updates-6.x-extra
* @{
*/
@@ -139,6 +139,6 @@ function openid_update_6000() {
}
/**
- * @} End of "defgroup updates-6.x-extra"
+ * @} End of "addtogroup updates-6.x-extra".
* The next series of updates should start at 7000.
*/
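--- a/modules/openid/openid.module
+++ b/modules/openid/openid.module
@@ -499,6 +499,8 @@ function openid_association_request($public) {
 }
 function openid_authentication_request($claimed_id, $identity, $return_to = '', $assoc_handle = '', $version = 2) {
+ global $base_url;
+
 module_load_include('inc', 'openid');
 $ns = ($version == 2) ? OPENID_NS_2_0 : OPENID_NS_1_0;
@@ -512,10 +514,10 @@ function openid_authentication_request($claimed_id, $identity, $return_to = '',
 );
 if ($version == 2) {
- $request['openid.realm'] = url('', array('absolute' => TRUE));
+ $request['openid.realm'] = $base_url . '/';
 }
 else {
- $request['openid.trust_root'] = url('', array('absolute' => TRUE));
+ $request['openid.trust_root'] = $base_url . '/';
 }
 // Simple Registration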
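Review bot: Both branches now build the realm from `$base_url`, but nothing here says that this value is only trustworthy when it is pinned in settings.php. When it is left unset, Drupal derives it from the incoming request's Host header, so the realm sent to the provider can still follow whatever host name the request carried. I would document that above the assignment, e.g. `// Use $base_url rather than url(''), presumably to keep path prefixes out of the realm; set $base_url in settings.php so it is not taken from the Host header.` The two identical right-hand sides could also be written once: `$request[($version == 2) ? 'openid.realm' : 'openid.trust_root'] = $base_url . '/';`. openid_authentication_request() continues outside the hunk.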
6 modules/path/path.info
@@ -4,8 +4,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
6 modules/php/php.info
@@ -4,8 +4,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
6 modules/ping/ping.info
@@ -4,8 +4,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
6 modules/poll/poll.info
@@ -4,8 +4,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
2 modules/profile/profile-wrapper.tpl.php
@@ -6,7 +6,7 @@
* profiles.
*
* This template is used when viewing a list of users. It can be a general
- * list for viewing all users with the url of "example.com/profile" or when
+ * list for viewing all users with the URL of "example.com/profile" or when
* viewing a set of users who share a specific value for a profile such
* as "example.com/profile/country/belgium".
*
6 modules/profile/profile.info
@@ -4,8 +4,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
6 modules/search/search.info
@@ -4,8 +4,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
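--- a/modules/search/search.module
+++ b/modules/search/search.module
@@ -43,7 +43,7 @@ define('PREG_CLASS_SEARCH_EXCLUDE',
 '\x{2ce5}-\x{2cff}\x{2d6f}\x{2e00}-\x{3005}\x{3007}-\x{303b}\x{303d}-\x{303f}'.
 '\x{3099}-\x{309e}\x{30a0}\x{30fb}\x{30fd}\x{30fe}\x{3190}-\x{319f}\x{31c0}-'.
 '\x{31cf}\x{3200}-\x{33ff}\x{4dc0}-\x{4dff}\x{a015}\x{a490}-\x{a716}\x{a802}'.
-'\x{a806}\x{a80b}\x{a823}-\x{a82b}\x{d800}-\x{f8ff}\x{fb1e}\x{fb29}\x{fd3e}'.
+'\x{a806}\x{a80b}\x{a823}-\x{a82b}\x{e000}-\x{f8ff}\x{fb1e}\x{fb29}\x{fd3e}'.
 '\x{fd3f}\x{fdfc}-\x{fe6b}\x{feff}-\x{ff0f}\x{ff1a}-\x{ff20}\x{ff3b}-\x{ff40}'.
 '\x{ff5b}-\x{ff65}\x{ff70}\x{ff9e}\x{ff9f}\x{ffe0}-\x{fffd}');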
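Review bot: The exclusion range now starts at `\x{e000}` instead of `\x{d800}`, and nothing next to the constant records why. U+D800–U+DFFF are surrogate code points, which are not valid in a UTF-8 pattern, so a later edit that "restores" the old range would presumably make the expression fail to compile on PCRE builds that validate it. A comment above the define, such as `// Range starts at U+E000: surrogates (U+D800-U+DFFF) are invalid in UTF-8 mode.`, would prevent that. The define() begins outside the hunk.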
6 modules/statistics/statistics.info
@@ -4,8 +4,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
4 modules/statistics/statistics.install
@@ -118,7 +118,7 @@ function statistics_schema() {
}
/**
- * @defgroup updates-6.x-extra Extra statistics updates for 6.x
+ * @addtogroup updates-6.x-extra
* @{
*/
@@ -132,6 +132,6 @@ function statistics_update_6000() {
}
/**
- * @} End of "defgroup updates-6.x-extra"
+ * @} End of "addtogroup updates-6.x-extra".
* The next series of updates should start at 7000.
*/
6 modules/syslog/syslog.info
@@ -4,8 +4,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
2 modules/system/system.admin.inc
@@ -128,7 +128,7 @@ function system_admin_by_module() {
}
/**
- * Menu callback; displays a module's settings page.
+ * Menu callback: Displays the configuration overview page.
*/
function system_settings_overview() {
// Check database setup if necessary
6 modules/system/system.info
@@ -4,8 +4,8 @@ package = Core - required
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
6 modules/system/system.install
@@ -1174,7 +1174,7 @@ function system_update_1022() {
}
/**
- * @} End of "defgroup updates-5.x-extra"
+ * @} End of "defgroup updates-5.x-extra".
*/
/**
@@ -2576,7 +2576,7 @@ function system_update_6047() {
}
/**
- * @} End of "defgroup updates-5.x-to-6.x"
+ * @} End of "defgroup updates-5.x-to-6.x".
*/
/**
@@ -2713,7 +2713,7 @@ function system_update_6055() {
}
/**
- * @} End of "defgroup updates-6.x-extra"
+ * @} End of "defgroup updates-6.x-extra".
* The next series of updates should start at 7000.
*/
8 modules/system/system.module
@@ -8,7 +8,7 @@
/**
* The current system version.
*/
-define('VERSION', '6.25');
+define('VERSION', '6.28');
/**
* Core API compatibility.
@@ -1208,8 +1208,6 @@ function system_node_type($op, $info) {
* - A string containing a Drupal path.
* - An associative array with a 'path' key. Additional array values are
* passed as the $options parameter to l().
- * If the 'destination' query parameter is set in the URL when viewing a
- * confirmation form, that value will be used instead of $path.
* @param $description
* Additional text to display. Defaults to t('This action cannot be undone.').
* @param $yes
@@ -1959,8 +1957,8 @@ function _system_zonelist() {
function system_check_http_request() {
// Try to get the content of the front page via drupal_http_request().
$result = drupal_http_request(url('', array('absolute' => TRUE)), array(), 'GET', NULL, 0);
- // We only care that we get a http response - this means that Drupal
- // can make a http request.
+ // We only care that we get a HTTP response - this means that Drupal
+ // can make a HTTP request.
$works = isset($result->code) && ($result->code >= 100) && ($result->code < 600);
variable_set('drupal_http_request_fails', !$works);
return $works;
6 modules/taxonomy/taxonomy.info
@@ -4,8 +4,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
6 modules/throttle/throttle.info
@@ -4,8 +4,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
6 modules/tracker/tracker.info
@@ -5,8 +5,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
6 modules/translation/translation.info
@@ -5,8 +5,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
6 modules/trigger/trigger.info
@@ -4,8 +4,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
6 modules/update/update.info
@@ -4,8 +4,8 @@ version = VERSION
package = Core - optional
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
6 modules/upload/upload.info
@@ -4,8 +4,8 @@ package = Core - optional
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
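--- a/modules/upload/upload.module
+++ b/modules/upload/upload.module
@@ -314,10 +314,10 @@ function upload_nodeapi(&$node, $op, $teaser = NULL) {
 break;
 case 'search result':
- return isset($node->files) && is_array($node->files) ? format_plural(count($node->files), '1 attachment', '@count attachments') : NULL;
+ return isset($node->files) && is_array($node->files) && user_access('view uploaded files') ? format_plural(count($node->files), '1 attachment', '@count attachments') : NULL;
 case 'rss item':
- if (is_array($node->files)) {
+ if (is_array($node->files) && user_access('view uploaded files')) {
 $files = array();
 foreach ($node->files as $file) {
 if ($file->list) {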
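Review bot: The 'rss item' branch calls `is_array($node->files)` without the `isset()` guard that the 'search result' line just above it uses, so a node with no files property raises a notice before the new permission check is reached. Writing the two conditions the same way also keeps the access rule easy to audit: `if (isset($node->files) && is_array($node->files) && user_access('view uploaded files')) {`. The permission is evaluated for the current user at render time, so any other branch of upload_nodeapi() that exposes file names or counts (outside this hunk) should be checked for the same guard.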
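--- a/modules/user/user.admin.inc
+++ b/modules/user/user.admin.inc
@@ -5,6 +5,21 @@
 * Admin page callback file for the user module.
 */
+/**
+ * Page callback: Generates the appropriate user administration form.
+ *
+ * This function generates the user registration, multiple user cancellation,
+ * or filtered user list admin form, depending on the argument and the POST
+ * form values.
+ *
+ * @param string $callback_arg
+ * (optional) Indicates which form to build. Defaults to '', which will
+ * trigger the user filter form. If the POST value 'op' is present, this
+ * function uses that value as the callback argument.
+ *
+ * @return string
+ * A renderable form array for the respective request.
+ */
 function user_admin($callback_arg = '') {
 $op = isset($_POST['op']) ? $_POST['op'] : $callback_arg;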
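Review bot: The added docblock declares `@return string` but describes the value as "A renderable form array", and the two cannot both be right. In Drupal 6 drupal_get_form() returns rendered HTML, so the description should presumably read `The rendered HTML of the selected administration form.` The return statements of user_admin() are outside the hunk, so confirm against them before changing the text.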
6 modules/user/user.info
@@ -4,8 +4,8 @@ package = Core - required
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
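--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -540,7 +540,12 @@ function user_access($string, $account = NULL, $reset = FALSE) {
 /**
 * Checks for usernames blocked by user administration.
 *
- * @return boolean TRUE for blocked users, FALSE for active.
+ * @param $name
+ * A string containing a name of the user.
+ *
+ * @return
+ * Object with property 'name' (the user name), if the user is blocked;
+ * FALSE if the user is not blocked.
 */
 function user_is_blocked($name) {
 $deny = db_fetch_object(db_query("SELECT name FROM {users} WHERE status = 0 AND name = LOWER('%s')", $name));
@@ -599,14 +604,17 @@ function user_search($op = 'search', $keys = NULL, $skip_access_check = FALSE) {
 // Replace wildcards with MySQL/PostgreSQL wildcards.
 $keys = preg_replace('!\*+!', '%', $keys);
 if (user_access('administer users')) {
- // Administrators can also search in the otherwise private email field.
+ // Administrators can also search in the otherwise private email
+ // field, and they don't need to be restricted to only active users.
 $result = pager_query("SELECT name, uid, mail FROM {users} WHERE LOWER(name) LIKE LOWER('%%%s%%') OR LOWER(mail) LIKE LOWER('%%%s%%')", 15, 0, NULL, $keys, $keys);
 while ($account = db_fetch_object($result)) {
 $find[] = array('title' => $account->name .' ('. $account->mail .')', 'link' => url('user/'. $account->uid, array('absolute' => TRUE)));
 }
 }
 else {
- $result = pager_query("SELECT name, uid FROM {users} WHERE LOWER(name) LIKE LOWER('%%%s%%')", 15, 0, NULL, $keys);
+ // Regular users can only search via user names, and we do not show
+ // them blocked accounts.
+ $result = pager_query("SELECT name, uid FROM {users} WHERE status = 1 AND LOWER(name) LIKE LOWER('%%%s%%')", 15, 0, NULL, $keys);
 while ($account = db_fetch_object($result)) {
 $find[] = array('title' => $account->name, 'link' => url('user/'. $account->uid, array('absolute' => TRUE)));
 }
@@ -2180,22 +2188,25 @@ function user_preferred_language($account, $default = NULL) {
 * @see drupal_mail()
 *
 * @param $op
- * The operation being performed on the account. Possible values:
- * 'register_admin_created': Welcome message for user created by the admin
- * 'register_no_approval_required': Welcome message when user self-registers
- * 'register_pending_approval': Welcome message, user pending admin approval
- * 'password_reset': Password recovery request
- * 'status_activated': Account activated
- * 'status_blocked': Account blocked
- * 'status_deleted': Account deleted
+ * The operation being performed on the account. Possible values:
+ * - 'register_admin_created': Welcome message for user created by the admin.
+ * - 'register_no_approval_required': Welcome message when user
+ * self-registers.
+ * - 'register_pending_approval': Welcome message, user pending admin
+ * approval.
+ * - 'password_reset': Password recovery request.
+ * - 'status_activated': Account activated.
+ * - 'status_blocked': Account blocked.
+ * - 'status_deleted': Account deleted.
 *
 * @param $account
- * The user object of the account being notified. Must contain at
- * least the fields 'uid', 'name', and 'mail'.
+ * The user object of the account being notified. Must contain at
+ * least the fields 'uid', 'name', and 'mail'.
 * @param $language
- * Optional language to use for the notification, overriding account language.
+ * Optional language to use for the notification, overriding account language.
+ *
 * @return
- * The return value from drupal_mail_send(), if ends up being called.
+ * The return value from drupal_mail_send(), if ends up being called.
 */
 function _user_mail_notify($op, $account, $language = NULL) {
 // By default, we always notify except for deleted and blocked.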
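Review bot: In user_is_blocked() the query lowercases only the supplied name (`name = LOWER('%s')`), while the user_search() queries later in this file section lowercase both sides (`LOWER(name) LIKE LOWER(...)`). On a database that compares strings case-sensitively, a blocked account stored with capital letters would presumably not match, and the function would report it as not blocked. Since the first hunk already rewrites this function's documented contract, I would fix the comparison at the same time: `WHERE status = 0 AND LOWER(name) = LOWER('%s')`. The function body continues outside the hunk.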
2 scripts/drupal.sh
@@ -112,7 +112,7 @@ while ($param = array_shift($_SERVER['argv'])) {
$_REQUEST = $_GET;
}
- // set file to execute or Drupal path (clean urls enabled)
+ // set file to execute or Drupal path (clean URLs enabled)
if (isset($path['path']) && file_exists(substr($path['path'], 1))) {
$_SERVER['PHP_SELF'] = $_SERVER['REQUEST_URI'] = $path['path'];
$cmd = substr($path['path'], 1);
6 themes/bluemarine/bluemarine.info
@@ -4,8 +4,8 @@ version = VERSION
core = 6.x
engine = phptemplate
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
6 themes/chameleon/chameleon.info
@@ -11,8 +11,8 @@ stylesheets[all][] = common.css
version = VERSION
core = 6.x
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
6 themes/chameleon/marvin/marvin.info
@@ -6,8 +6,8 @@ version = VERSION
core = 6.x
base theme = chameleon
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
6 themes/garland/garland.info
@@ -6,8 +6,8 @@ engine = phptemplate
stylesheets[all][] = style.css
stylesheets[print][] = print.css
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
6 themes/garland/minnelli/minnelli.info
@@ -5,8 +5,8 @@ core = 6.x
base theme = garland
stylesheets[all][] = minnelli.css
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
6 themes/pushbutton/pushbutton.info
@@ -4,8 +4,8 @@ version = VERSION
core = 6.x
engine = phptemplate
-; Information added by drupal.org packaging script on 2012-02-29
-version = "6.25"
+; Information added by drupal.org packaging script on 2013-01-16
+version = "6.28"
project = "drupal"
-datestamp = "1330534547"
+datestamp = "1358370963"
5 update.php
@@ -183,6 +183,9 @@ function update_do_one($module, $number, &$context) {
$context['message'] = 'Updating '. check_plain($module) .' module';
}
+/**
+ * Renders a form with a list of available database updates.
+ */
function update_selection_page() {
$output = '<p>The version of Drupal you are updating from has been automatically detected. You can select a different version, but you should not need to.</p>';
$output .= '<p>Click Update to start the update process.</p>';
@@ -368,7 +371,7 @@ function update_info_page() {
update_task_list('info');
drupal_set_title('Drupal database update');
$token = drupal_get_token('update');
- $output = '<p>Use this utility to update your database whenever a new release of Drupal or a module is installed.</p><p>For more detailed information, see the <a href="http://drupal.org/node/258">Installation and upgrading handbook</a>. If you are unsure what these terms mean you should probably contact your hosting provider.</p>';
+ $output = '<p>Use this utility to update your database whenever a new release of Drupal or a module is installed.</p><p>For more detailed information, see the <a href="http://drupal.org/upgrade">upgrading handbook</a>. If you are unsure what these terms mean you should probably contact your hosting provider.</p>';
$output .= "<ol>\n";
$output .= "<li><strong>Back up your database</strong>. This process will change your database values and in case of emergency you may need to revert to a backup.</li>\n";
$output .= "<li><strong>Back up your code</strong>. Hint: when backing up module code, do not leave that backup in the 'modules' or 'sites/*/modules' directories as this may confuse Drupal's auto-discovery mechanism.</li>\n";
