Drupal 6.14 and 5.20 released, fixing security issues

Drupal 6.14 and 5.20, maintenance releases fixing problems reported using the bug tracking system, as well as critical security vulnerabilities, are now available for download. Both releases fix some other smaller issues as well. Upgrading your existing Drupal 5 and 6 sites is strongly recommended. There are no new features in these releases.

Important update notes

It is important to run update.php. These releases did not change the .htaccess, robots.txt and (default.)settings.php files, so you can keep your existing files intact, if you have modifications in them.

Drupal 6.14 Release Note

* SA-CORE-2009-008 - Drupal core - Multiple vulnerabilities
* #482646 follow up by Dave Reid: only check the db prefix for simpletest if it was a string (not running a multisite)
* #284392 by Passionate_Lass, Anselm Heaton, tassoman, agentrickard: DISTINCT handling in db_distinct_field()'s MySQL implementations was resulting in bogus queries
* #310139 by fonant, c960657, pwolanin: drupal_urlencode() and Drupal.encodeURIComponent was used to encode query strings and other components it should not have been used for
* #499254 by chx: Drupal lacked support for positive integer values in database queries, beyond PHP_INT_MAX; caused issues with twitter integration and big numbers in general
* #392688 by will_in_wi, jeffschuler, jhodgdon: document type argument on action_save()
* #293322 by minorOffense: Incorrectly documented parameter name on flood_is_allowed()
* #265265 by neochief, jhodgdon: missing phpdoc @code tags on PHP code examples in form.inc and actions.inc
* #409994 by Wesley Tanaka, jhodgdon: better documentation on how the cid and wildcard arguments interact on cache_clear_all()
* #495964 by jhodgdon: theme_admin_block_content() had wrong argument name documented
* #506096 by axjo: node.tpl.php mistakenly mentions theme_user(); should reference theme_username() instead
* #280240 by skiminki, casperbiering, anypost, pwolanin: Only add Content-Length if we actually have any content or if it is a POST or PUT request.
* #359276 by lyricnz, Heine, Frando: Fix named entity handling in filter_xss(), so it does not clash with other entities and result in wrong encoding
* #454462 by JohnAlbin: MODULE_preprocess_maintenance_page() functions were never called, even if the database is online
* #276615 by JacobSingh, Robin Monks, mikeytown2: drupal_clear_css_cache() should not be called on all invocations to the themes admin page; should be called only on submit - consistent with the modules admin page
* #295895 by Michelle, JohnAlbin: Garland mistakenly used phptemplate_comment_wrapper() to override comment-wrapper.tpl.php; should use a preprocess function instead to complement the core comment-wrapper.tpl.php
* #517606 by jerdiggity, JuliaKM: minimal whitespace fix in user.module
* #107824 by Frando, heyrocker, Dave Reid, AlexisWilke, andypost: the dblog referer and the statistics url columns were not in line with how we store URLs elsewhere (like the dblog location column); could result in data loss due to length truncation
* #480044 by JohnAlbin: fix system component listing lookup priorities, so the sites/all/* items will override the profile shipped items as documented
* #107824 follow up by myself: ensure that the newly added updates are in the 6.x-extra group and not disguised as 5.x to 6.x updates
* #302240 by fago: forms were rebuilt on validation errors and when #ahah was used #cache was turned on, but form storage was not actually stored
* #395132 by jhodgdon: Fix phpdoc comment on poll_node_form_submit(); there is no hook_submit() in Drupal 6 and this gets called based on the form's key
* #232321 by munzirtaha, brianV: There is no body field in the node table, so fix misleading example in database.inc to query for node.nid instead
* #315047 by Island Usurper, Crell, brianV, Josh Waihi: names of database columns were not escaped when changed; caused problems with using reserved words
* #334826 by maartenvg, Dave Reid, brianV: when editing an anonymous comment, the uid was set to NULL, which is not valid as a database value for the uid; set to zero
* #346450 by snoble, Damien Tournoud, Dave Reid, Josh Waihi, neilnz: the 'length' Schema API property was documented to be only applicable to string types but was applied to others nonetheless; should only apply to char, varchar and text
* #318453 by svdoord and ahmed.othman, slightly modified: ensure that the user registration guidelines show above form fields added by the profile module by setting a low enough weight
* #371458 by Gerhard Killesreiter, David Strauss, Damien Tournoud, smk-ka, catch, febbraro: add index on tab_root, weight and title in menu_router to improve performance of retrieving tabs
* #537276 by tic2000, alex.k: feed titles in blog_feed_user() and blog_feed_last() were concatenated English strings, lacked translatability
* #336627 by EliseVanLooij, Tresler, jhodgdon: node_type_form_validate() was documented to implement hook_form_validate() but is just a function called back due to how it is named after the form ID, no such hook exists
* #332890 by Alan D., sharda_ram, andypost: slightly better documentation for base_url in settings.php
* #530950 by catch, andypost: use !isset() instead of is_null() in user_access() to be consistent and more performant
* #215080 by robertDouglass, jaydub, drifter, Dave Reid, andypost: added index on system table's name and type column to improve bootstrap performance
* #470998 by cwgordon7, bleen18, Psicomante: Fix top padding for logo in Garland, so the logo is placed at the right position with the background
* #550770 by dww: bump year numbers in COPYRIGHT.txt to 2009
* #538032 by Gerhard Killesreiter, webchick: document the pcre limitation which might result in empty looking posts; include examples to fix on a Drupal deployment
* #493678 by threexk, tic2000: fix issue with disappearing Garland tabs in Internet Explorer
* #551574 by ramsey, emmajane: cross-link variable_*() functions via phpdoc @see comments
* #534480 by solotandem, jhodgdon: fix phpdoc documentation of what $delimiter means in drupal_get_content()
* #360830 by sammys: fix block update query in system_update_6027() which was casting block deltas to integers when filling in the cache values so did not apply to string deltas; fixed PostgreSQL incompatibility of the update
* #489762 by JohnAlbin: include subtheme and base theme list with processed theme .info file data; prerequisite to improve theme security and fix a possible WSOD on theme selection
* #292565 second follow up by John Morahan: fix login destination again on 403/404 pages and make the search form work there if displayed
* #290887 by atuyo60, Wanjee, Dave Reid: fix stale blog module permission that was left untouched in one place only, but renamed elsewhere
* #193383 by JirkaRybka, Arancaytar, Bart Jansens, gpk, TheRec: check correctly for function_exists() on set_time_limit() instead of inferring that safe_mode has an effect on it or that that is the only thing which might disable time limit setting
* #228971 by maq0r, JuliaKM: as of December, 2007, Venezuela is GMT/UTC-0430, but that timezone was not in the list of our supported zones
* #555128 by Dave Reid: Fix node_access() return value to work how it is documented and include a slight performance improvement
* #447916 by jhodgdon: fix minor spelling error on taxonomy_check_vocabulary_hierarchy()'s phpdoc
* #228971 follow up by drumm: forward port -2.5h timezone from Drupal 5, made time zone list consistent with Drupal 5
* Patch #578470 by jbrauer, Gabor, Dries: XML-RPC error handling was incomplete.
* #360605 by Berdir et al.: make Drupal core work with PHP 5.3.0 out of the box (fixes for incompatibilities introduced with PHP 5.3.0)
* #193366 follow up (rollback) by Anthony Hersey, Senpai, moshe weitzman: remove all cache clearing feature of the system module listing page; instead point to the performance page where we have a dedicated button for this; the trick caused lots of issues with speed
* #460594 by nonsie, LiliVG, elliotttf: node_assign_owner_action_form() limited username input to 7 characters, while usernames are limited to 60 chars

Drupal 5.20 Release Note

* SA-CORE-2009-008 Drupal core - Multiple vulnerabilities
* Backport of #227228 by andypost, et al. Per-table cache_flush variables to avoid not flushing all but the first table when multiple tables are cleared.
* #141965 by jeffschuler: taxonomy_term_path() and its phpdoc block was separated by one blank line, thus disconnecting it for the API docs parser.
* #472160 by chx and Heine. Deny D6-style access elements.
* #109513 backport by Freso. Create temporary mysql tables in memory.
* #292565 second follow up by John Morahan: fix login destination again on 403/404 pages and make the search form work there if displayed
* #228971 by maq0r, JuliaKM: as of December, 2007, Venezuela is GMT/UTC-0430, but that timezone was not in the list of our supported zones
* #493678 by threexk, tic2000: fix issue with disappearing Garland tabs in Internet Explorer
* Patch #578470 by jbrauer, Gabor, Dries: XML-RPC error handling was incomplete.