Merge tag '6.28' of http://git.drupal.org/project/drupal into 6.28

Drupal 6.28 release

Resolved Conflicts:
	CHANGELOG.txt
	includes/file.inc

CHANGELOG.txt

@@ -1,3 +1,8 @@
+
+Drupal 6.28, 2013-01-16
+----------------------
+- Fixed security issues (multiple vulnerabilities), see SA-CORE-2013-001.
+
 Drupal 6.27, 2012-12-19
 ----------------------
 - Fixed security issues (multiple vulnerabilities), see SA-CORE-2012-004.

COPYRIGHT.txt

@@ -1,5 +1,4 @@
-
-All Drupal code is Copyright 2001 - 2010 by the original authors.
+All Drupal code is Copyright 2001 - 2012 by the original authors.
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -20,5 +19,11 @@ Drupal includes works under other copyright notices and distributed
 according to the terms of the GNU General Public License or a compatible
 license, including:
 
-  jQuery - Copyright (c) 2008 - 2009 John Resig
+Javascript
+
+  Farbtastic - Copyright (c) 2007 Matt Farina
+
+  jQuery - Copyright (c) 2008 John Resig
+
+  jQuery Form - Copyright (c) 2007 Mike Alsup
 

MAINTAINERS.txt

@@ -57,7 +57,7 @@ M: Sammy Spets <sammys-drupal@synerger.com>
 S: maintained
 
 SECURITY COORDINATOR
-M: Heine Deelstra <hdeelstra@gmail.com>
+M: Greg Knaddison <http://drupal.org/user/36762>
 S: maintained
 
 STATISTICS MODULE

includes/bootstrap.inc

@@ -411,7 +411,7 @@ function conf_init() {
     include_once './'. conf_path() .'/settings.php';
   }
 
-  // Ignore the placeholder url from default.settings.php.
+  // Ignore the placeholder URL from default.settings.php.
   if (isset($db_url) && $db_url == 'mysql://username:password@localhost/databasename') {
     $db_url = '';
   }
@@ -450,7 +450,7 @@ function conf_init() {
   }
   else {
     // Otherwise use $base_url as session name, without the protocol
-    // to use the same session identifiers across http and https.
+    // to use the same session identifiers across HTTP and HTTPS.
     list( , $session_name) = explode('://', $base_url, 2);
     // We escape the hostname because it can be modified by a visitor.
     if (!empty($_SERVER['HTTP_HOST'])) {

includes/common.inc

@@ -169,7 +169,7 @@ function drupal_final_markup($content) {
  * Add a feed URL for the current page.
  *
  * @param $url
- *   A url for the feed.
+ *   A URL for the feed.
  * @param $title
  *   The title of the feed.
  */
@@ -289,14 +289,16 @@ function drupal_get_destination() {
  * statement in your menu callback.
  *
  * @param $path
- *   A Drupal path or a full URL.
+ *   (optional) A Drupal path or a full URL, which will be passed to url() to
+ *   compute the redirect for the URL.
  * @param $query
- *   A URL-encoded query string to append to the link, or an array of query
- *   key/value-pairs without any URL-encoding. Passed to url().
+ *   (optional) A URL-encoded query string to append to the link, or an array of
+ *   query key/value-pairs without any URL-encoding. Passed to url().
  * @param $fragment
- *   A destination fragment identifier (named anchor).
+ *   (optional) A destination fragment identifier (named anchor).
  * @param $http_response_code
- *   Valid values for an actual "goto" as per RFC 2616 section 10.3 are:
+ *   (optional) The HTTP status code to use for the redirection, defaults to
+ *   302. Valid values for an actual "goto" as per RFC 2616 section 10.3 are:
  *   - 301 Moved Permanently (the recommended value for most redirects)
  *   - 302 Found (default in Drupal and PHP, sometimes used for spamming search
  *         engines)
@@ -524,7 +526,7 @@ function drupal_http_request($url, $headers = array(), $method = 'GET', $data =
     $defaults['Content-Length'] = 'Content-Length: '. $content_length;
   }
 
-  // If the server url has a user then attempt to use basic authentication
+  // If the server URL has a user then attempt to use basic authentication
   if (isset($uri['user'])) {
     $defaults['Authorization'] = 'Authorization: Basic '. base64_encode($uri['user'] . (!empty($uri['pass']) ? ":". $uri['pass'] : ''));
   }
@@ -1416,8 +1418,9 @@ function format_date($timestamp, $type = 'medium', $format = '', $timezone = NUL
  * alternative than url().
  *
  * @param $path
- *   The internal path or external URL being linked to, such as "node/34" or
- *   "http://example.com/foo". A few notes:
+ *   (optional) The internal path or external URL being linked to, such as
+ *   "node/34" or "http://example.com/foo". The default value is equivalent to
+ *   passing in '<front>'. A few notes:
  *   - If you provide a full URL, it will be considered an external URL.
  *   - If you provide only the path (e.g. "node/34"), it will be
  *     considered an internal link. In this case, it should be a system URL,
@@ -1433,7 +1436,8 @@ function format_date($timestamp, $type = 'medium', $format = '', $timezone = NUL
  *     include them in $path, or use $options['query'] to let this function
  *     URL encode them.
  * @param $options
- *   An associative array of additional options, with the following elements:
+ *   (optional) An associative array of additional options, with the following
+ *   elements:
  *   - 'query': A URL-encoded query string to append to the link, or an array of
  *     query key/value-pairs without any URL-encoding.
  *   - 'fragment': A fragment identifier (named anchor) to append to the URL.
@@ -1585,6 +1589,14 @@ function drupal_attributes($attributes = array()) {
  * internal links output by modules should be generated by this function if
  * possible.
  *
+ * However, for links enclosed in translatable text you should use t() and
+ * embed the HTML anchor tag directly in the translated string. For example:
+ * @code
+ * t('Visit the <a href="@url">settings</a> page', array('@url' => url('admin')));
+ * @endcode
+ * This keeps the context of the link title ('settings' in the example) for
+ * translators.
+ *
  * @param $text
  *   The link text for the anchor tag.
  * @param $path
@@ -3822,7 +3834,7 @@ function drupal_flush_all_caches() {
  * Changes the character added to all css/js files as dummy query-string,
  * so that all browsers are forced to reload fresh files. We keep
  * 20 characters history (FIFO) to avoid repeats, but only the first
- * (newest) character is actually used on urls, to keep them short.
+ * (newest) character is actually used on URLs, to keep them short.
  * This is also called from update.php.
  */
 function _drupal_flush_css_js() {

includes/database.mysql.inc

@@ -55,9 +55,9 @@ function db_connect($url) {
     _db_error_page('Unable to use the MySQL database because the MySQL extension for PHP is not installed. Check your <code>php.ini</code> to see how you can enable it.');
   }
 
-  // Decode url-encoded information in the db connection string
+  // Decode urlencoded information in the db connection string
   $url['user'] = urldecode($url['user']);
-  // Test if database url has a password.
+  // Test if database URL has a password.
   $url['pass'] = isset($url['pass']) ? urldecode($url['pass']) : '';
   $url['host'] = urldecode($url['host']);
   $url['path'] = urldecode($url['path']);

includes/database.mysqli.inc

@@ -61,9 +61,9 @@ function db_connect($url) {
 
   $url = parse_url($url);
 
-  // Decode url-encoded information in the db connection string
+  // Decode urlencoded information in the db connection string
   $url['user'] = urldecode($url['user']);
-  // Test if database url has a password.
+  // Test if database URL has a password.
   $url['pass'] = isset($url['pass']) ? urldecode($url['pass']) : '';
   $url['host'] = urldecode($url['host']);
   $url['path'] = urldecode($url['path']);

includes/database.pgsql.inc

@@ -52,7 +52,7 @@ function db_connect($url) {
   $url = parse_url($url);
   $conn_string = '';
 
-  // Decode url-encoded information in the db connection string
+  // Decode urlencoded information in the db connection string
   if (isset($url['user'])) {
     $conn_string .= ' user='. urldecode($url['user']);
   }

includes/file.inc

@@ -872,7 +872,7 @@ function file_save_data($data, $dest, $replace = FILE_EXISTS_RENAME) {
 /**
  * Set the status of a file.
  *
- * @param $file 
+ * @param $file
  *   A Drupal file object.
  * @param $status
  *   A status value to set the file to. One of:
@@ -901,9 +901,9 @@ function file_transfer($source, $headers) {
   if (ob_get_level()) {
     ob_end_clean();
   }
-  
+
   // IE cannot download private files because it cannot store files downloaded
-  // over https in the browser cache. The problem can be solved by sending
+  // over HTTPS in the browser cache. The problem can be solved by sending
   // custom headers to IE. See http://support.microsoft.com/kb/323308/en-us
   if (isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] == 'on')) {
     drupal_set_header('Cache-Control: private');

includes/form.inc

@@ -41,8 +41,8 @@
  *
  * For information on the format of the structured arrays used to define forms,
  * and more detailed explanations of the Form API workflow, see the
- * @link http://api.drupal.org/api/file/developer/topics/forms_api_reference.html/6 reference @endlink
- * and the @link http://drupal.org/node/204270 Form API guide. @endlink
+ * @link forms_api_reference.html reference @endlink and the
+ * @link http://drupal.org/node/204270 Form API guide. @endlink
  */
 
 /**
@@ -1842,7 +1842,7 @@ function form_expand_ahah($element) {
     if (is_string($ahah_binding['progress'])) {
       $ahah_binding['progress'] = array('type' => $ahah_binding['progress']);
     }
-    // Change progress path to a full url.
+    // Change progress path to a full URL.
     if (isset($ahah_binding['progress']['path'])) {
       $ahah_binding['progress']['url'] = url($ahah_binding['progress']['path']);
     }

includes/install.mysql.inc

@@ -26,7 +26,7 @@ function drupal_test_mysql($url, &$success) {
 
   $url = parse_url($url);
 
-  // Decode url-encoded information in the db connection string.
+  // Decode urlencoded information in the db connection string.
   $url['user'] = urldecode($url['user']);
   $url['pass'] = isset($url['pass']) ? urldecode($url['pass']) : '';
   $url['host'] = urldecode($url['host']);

includes/install.mysqli.inc

@@ -26,7 +26,7 @@ function drupal_test_mysqli($url, &$success) {
 
   $url = parse_url($url);
 
-  // Decode url-encoded information in the db connection string.
+  // Decode urlencoded information in the db connection string.
   $url['user'] = urldecode($url['user']);
   $url['pass'] = isset($url['pass']) ? urldecode($url['pass']) : '';
   $url['host'] = urldecode($url['host']);

includes/install.pgsql.inc

@@ -27,7 +27,7 @@ function drupal_test_pgsql($url, &$success) {
   $url = parse_url($url);
   $conn_string = '';
 
-  // Decode url-encoded information in the db connection string
+  // Decode urlencoded information in the db connection string
   if (isset($url['user'])) {
     $conn_string .= ' user='. urldecode($url['user']);
   }

includes/theme.inc

@@ -1592,7 +1592,7 @@ function theme_more_help_link($url) {
  *
  * @see theme_feed_icon()
  * @param $url
- *   The url of the feed.
+ *   The URL of the feed.
  */
 function theme_xml_icon($url) {
   if ($image = theme('image', 'misc/xml.png', t('XML feed'), t('XML feed'))) {
@@ -1604,7 +1604,7 @@ function theme_xml_icon($url) {
  * Return code that emits an feed icon.
  *
  * @param $url
- *   The url of the feed.
+ *   The URL of the feed.
  * @param $title
  *   A descriptive title of the feed.
   */
@@ -1618,7 +1618,7 @@ function theme_feed_icon($url, $title) {
  * Returns code that emits the 'more' link used on blocks.
  *
  * @param $url
- *   The url of the main page
+ *   The URL of the main page
  * @param $title
  *   A descriptive verb for the link, like 'Read more'
  */

misc/drupal.js

@@ -1,4 +1,27 @@
 
+/**
+ * Override jQuery.fn.init to guard against XSS attacks.
+ *
+ * See http://bugs.jquery.com/ticket/9521
+ */
+(function () {
+  var jquery_init = jQuery.fn.init;
+  jQuery.fn.init = function (selector, context, rootjQuery) {
+    // If the string contains a "#" before a "<", treat it as invalid HTML.
+    if (selector && typeof selector === 'string') {
+      var hash_position = selector.indexOf('#');
+      if (hash_position >= 0) {
+        var bracket_position = selector.indexOf('<');
+        if (bracket_position > hash_position) {
+          throw 'Syntax error, unrecognized expression: ' + selector;
+        }
+      }
+    }
+    return jquery_init.call(this, selector, context, rootjQuery);
+  };
+  jQuery.fn.init.prototype = jquery_init.prototype;
+})();
+
 var Drupal = Drupal || { 'settings': {}, 'behaviors': {}, 'themes': {}, 'locale': {} };
 
 /**

misc/tableheader.js

@@ -69,7 +69,7 @@ Drupal.behaviors.tableHeader = function (context) {
     // Get the height of the header table and scroll up that amount.
     if (prevAnchor != location.hash) {
       if (location.hash != '') {
-        var offset = $('td' + location.hash).offset();
+        var offset = $(document).find('td' + location.hash).offset();
         if (offset) {
           var top = offset.top;
           var scrollLocation = top - $(e).height();

modules/blogapi/blogapi.install

@@ -58,7 +58,7 @@ function blogapi_schema() {
 }
 
 /**
- * @defgroup updates-5.x-to-6.x Blog API updates from 5.x to 6.x
+ * @addtogroup updates-5.x-to-6.x
  * @{
  */
 
@@ -118,7 +118,7 @@ function blogapi_update_6001() {
 }
 
 /**
- * @} End of "defgroup updates-5.x-to-6.x"
+ * @} End of "addtogroup updates-5.x-to-6.x".
  * The next series of updates should start at 7000.
  */
 

modules/book/book.pages.inc

@@ -39,6 +39,14 @@ function book_render() {
  *   in a format determined by the $type parameter.
  */
 function book_export($type, $nid) {
+  // Check that the node exists and that the current user has access to it.
+  $node = node_load($nid);
+  if (!$node) {
+    return MENU_NOT_FOUND;
+  }
+  if (!node_access('view', $node)) {
+    return MENU_ACCESS_DENIED;
+  }
 
   $type = drupal_strtolower($type);
 

modules/comment/comment-wrapper.tpl.php

@@ -27,7 +27,6 @@
  *   - COMMENT_CONTROLS_HIDDEN
  *
  * @see template_preprocess_comment_wrapper()
- * @see theme_comment_wrapper()
  */
 ?>
 <div id="comments">

modules/comment/comment.install

@@ -67,7 +67,7 @@ function comment_update_6003() {
 }
 
 /**
- * @defgroup updates-6.x-extra Extra system updates for 6.x
+ * @addtogroup updates-6.x-extra
  * @{
  */
 
@@ -91,7 +91,7 @@ function comment_update_6005() {
 }
 
 /**
- * @} End of "defgroup updates-6.x-extra"
+ * @} End of "addtogroup updates-6.x-extra".
  * The next series of updates should start at 7000.
  */
 

modules/comment/comment.module

@@ -1823,7 +1823,6 @@ function theme_comment_post_forbidden($node) {
  * Process variables for comment-wrapper.tpl.php.
  *
  * @see comment-wrapper.tpl.php
- * @see theme_comment_wrapper()
  */
 function template_preprocess_comment_wrapper(&$variables) {
   // Provide contextual information.

modules/dblog/dblog.install

@@ -100,7 +100,7 @@ function dblog_schema() {
 }
 
 /**
- * @defgroup updates-6.x-extra Extra database logging updates for 6.x
+ * @addtogroup updates-6.x-extra
  * @{
  */
 
@@ -114,6 +114,6 @@ function dblog_update_6000() {
 }
 
 /**
- * @} End of "defgroup updates-6.x-extra"
+ * @} End of "addtogroup updates-6.x-extra".
  * The next series of updates should start at 7000.
  */

modules/dblog/dblog.module

@@ -97,7 +97,7 @@ function dblog_init() {
 /**
  * Implementation of hook_cron().
  *
- * Remove expired log messages and flood control events.
+ * Remove expired log messages.
  */
 function dblog_cron() {
   // Cleanup the watchdog table