Drupal 6 RC2

CHANGELOG.txt

@@ -1,6 +1,6 @@
 // $Id$
 
-Drupal 6.0, xxxx-xx-xx (development version)
+Drupal 6.0-rc2, 2008-01-10
 ----------------------
 - New, faster and better menu system.
 - New watchdog as a hook functionality.
@@ -98,6 +98,18 @@ Drupal 6.0, xxxx-xx-xx (development version)
 - Removed old system updates. Updates from Drupal versions prior to 5.x will
   require upgrading to 5.x before upgrading to 6.x.
 
+Drupal 5.6, 2008-01-10
+----------------------
+- fixed a variety of small bugs.
+- fixed a security issue (Cross site request forgery), see SA-2008-005
+- fixed a security issue (Cross site scripting, UTF8), see SA-2008-006
+- fixed a security issue (Cross site scripting, register_globals), see SA-2008-007
+
+Drupal 5.5, 2007-12-06
+----------------------
+- fixed missing missing brackets in a query in the user module.
+- fixed taxonomy feed bug introduced by SA-2007-031
+
 Drupal 5.4, 2007-12-05
 ----------------------
 - fixed a variety of small bugs.
@@ -201,6 +213,16 @@ Drupal 5.0, 2007-01-15
     * Added nested lists generation.
     * Added a self-clearing block class.
 
+Drupal 4.7.11, 2008-01-10
+-------------------------
+- fixed a security issue (Cross site request forgery), see SA-2008-005
+- fixed a security issue (Cross site scripting, UTF8), see SA-2008-006
+- fixed a security issue (Cross site scripting, register_globals), see SA-2008-007
+
+Drupal 4.7.10, 2007-12-06
+-------------------------
+- fixed taxonomy feed bug introduced by SA-2007-031
+
 Drupal 4.7.9, 2007-12-05
 ------------------------
 - fixed a security issue (SQL injection), see SA-2007-031

INSTALL.txt

@@ -14,7 +14,7 @@ CONTENTS OF THIS FILE
 REQUIREMENTS
 ------------
 
-Drupal requires a web server, PHP 4 (4.3.3 or greater) or PHP 5
+Drupal requires a web server, PHP 4 (4.3.5 or greater) or PHP 5
 (http://www.php.net/) and either MySQL (http://www.mysql.com/) or PostgreSQL
 (http://www.postgresql.org/). The Apache web server and MySQL database are
 recommended; other web server and database combinations such as IIS and

includes/bootstrap.inc

@@ -665,9 +665,48 @@ function referer_uri() {
 
 /**
  * Encode special characters in a plain-text string for display as HTML.
+ *
+ * Uses drupal_validate_utf8 to prevent cross site scripting attacks on
+ * Internet Explorer 6.
  */
 function check_plain($text) {
-  return htmlspecialchars($text, ENT_QUOTES);
+  return drupal_validate_utf8($text) ? htmlspecialchars($text, ENT_QUOTES) : '';
+}
+
+/**
+ * Checks whether a string is valid UTF-8.
+ *
+ * All functions designed to filter input should use drupal_validate_utf8
+ * to ensure they operate on valid UTF-8 strings to prevent bypass of the
+ * filter.
+ *
+ * When text containing an invalid UTF-8 lead byte (0xC0 - 0xFF) is presented
+ * as UTF-8 to Internet Explorer 6, the program may misinterpret subsequent
+ * bytes. When these subsequent bytes are HTML control characters such as
+ * quotes or angle brackets, parts of the text that were deemed safe by filters
+ * end up in locations that are potentially unsafe; An onerror attribute that
+ * is outside of a tag, and thus deemed safe by a filter, can be interpreted
+ * by the browser as if it were inside the tag.
+ *
+ * This function exploits preg_match behaviour (since PHP 4.3.5) when used
+ * with the u modifier, as a fast way to find invalid UTF-8. When the matched
+ * string contains an invalid byte sequence, it will fail silently.
+ *
+ * preg_match may not fail on 4 and 5 octet sequences, even though they
+ * are not supported by the specification.
+ *
+ * The specific preg_match behaviour is present since PHP 4.3.5.
+ *
+ * @param $text
+ *   The text to check.
+ * @return
+ *   TRUE if the text is valid UTF-8, FALSE if not.
+ */
+function drupal_validate_utf8($text) {
+  if (strlen($text) == 0) {
+    return TRUE;
+  }
+  return (preg_match('/^./us', $text) == 1);
 }
 
 /**

includes/common.inc

@@ -577,7 +577,7 @@ function drupal_error_handler($errno, $message, $filename, $line, $context) {
     return;
   }
 
-  if ($errno & (E_ALL)) {
+  if ($errno & (E_ALL ^ E_NOTICE)) {
     $types = array(1 => 'error', 2 => 'warning', 4 => 'parse error', 8 => 'notice', 16 => 'core error', 32 => 'core warning', 64 => 'compile error', 128 => 'compile warning', 256 => 'user error', 512 => 'user warning', 1024 => 'user notice', 2048 => 'strict warning');
 
     // For database errors, we want the line number/file name of the place that

modules/aggregator/aggregator.admin.inc

@@ -176,15 +176,31 @@ function aggregator_form_feed_submit($form, &$form_state) {
   }
 }
 
+function aggregator_admin_remove_feed($form_state, $feed) {
+  return confirm_form(
+    array(
+      'feed' => array(
+        '#type' => 'value',
+        '#value' => $feed,
+      ),
+    ),
+    t('Are you sure you want to remove all items from the feed %feed?', array('%feed' => $feed['title'])),
+    'admin/content/aggregator',
+    t('This action cannot be undone.'),
+    t('Remove items'),
+    t('Cancel')
+  );
+}
+
 /**
- * Menu callback; removes all items from a feed, then redirects to the overview page.
+ * Remove all items from a feed and redirect to the overview page.
  *
  * @param $feed
  *   An associative array describing the feed to be cleared.
  */
-function aggregator_admin_remove_feed($feed) {
-  aggregator_remove($feed);
-  drupal_goto('admin/content/aggregator');
+function aggregator_admin_remove_feed_submit($form, &$form_state) {
+  aggregator_remove($form_state['values']['feed']);
+  $form_state['redirect'] = 'admin/content/aggregator';
 }
 
 /**

modules/aggregator/aggregator.module

@@ -106,8 +106,8 @@ function aggregator_menu() {
   );
   $items['admin/content/aggregator/remove/%aggregator_feed'] = array(
     'title' => 'Remove items',
-    'page callback' => 'aggregator_admin_remove_feed',
-    'page arguments' => array(4),
+    'page callback' => 'drupal_get_form',
+    'page arguments' => array('aggregator_admin_remove_feed', 4),
     'access arguments' => array('administer news feeds'),
     'type' => MENU_CALLBACK,
     'file' => 'aggregator.admin.inc',

modules/filter/filter.module

@@ -953,6 +953,11 @@ function filter_xss_admin($string) {
  *   The format to use.
  */
 function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) {
+  // Only operate on valid UTF-8 strings. This is necessary to prevent cross
+  // site scripting issues on Internet Explorer 6.
+  if (!drupal_validate_utf8($string)) {
+    return '';
+  }
   // Store the input format
   _filter_xss_split($allowed_tags, TRUE);
   // Remove NUL characters (ignored by some browsers)

modules/system/system.install

@@ -52,6 +52,10 @@ function system_requirements($phase) {
     $requirements['webserver']['description'] = $t('Unable to determine your web server type and version. Drupal might not work properly.');
     $requirements['webserver']['severity'] = REQUIREMENT_WARNING;
   }
+  if (ini_get('register_globals')) {
+    $requirements['php']['description'] = $t('<em>register_globals</em> is enabled. Drupal requires this configuration directive to be disabled. Your site may not be secure when <em>register_globals</em> is enabled. The PHP manual has instructions for <a href="http://php.net/configuration.changes">how to change configuration settings</a>.');
+    $requirements['php']['severity'] = REQUIREMENT_ERROR;
+  }
 
   // Test PHP version
   $requirements['php'] = array(

modules/system/system.module

@@ -9,7 +9,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '6.0-dev');
+define('VERSION', '6.0-rc2');
 
 /**
  * Core API compatibility.
@@ -19,7 +19,7 @@ define('DRUPAL_CORE_COMPATIBILITY', '6.x');
 /**
  * Minimum supported version of PHP.
  */
-define('DRUPAL_MINIMUM_PHP',    '4.3.3');
+define('DRUPAL_MINIMUM_PHP',    '4.3.5');
 
 /**
  * Minimum recommended value of PHP memory_limit.