diff -Naur drupal-5.0/.htaccess drupal-5.23/.htaccess --- drupal-5.0/.htaccess 2007-01-09 10:27:10.000000000 +0100 +++ drupal-5.23/.htaccess 2009-02-26 08:03:29.000000000 +0100 @@ -3,7 +3,7 @@ # # Protect files and directories from prying eyes. - + Order allow,deny @@ -13,9 +13,14 @@ # Follow symbolic links in this directory. Options +FollowSymLinks -# Customized error messages. +# Make Drupal handle any 404 errors. ErrorDocument 404 /index.php +# Force simple error message for requests for non-existent favicon.ico. + + ErrorDocument 404 "The requested file favicon.ico was not found. + + # Set the default handler. DirectoryIndex index.php @@ -27,6 +32,9 @@ php_value magic_quotes_gpc 0 php_value register_globals 0 php_value session.auto_start 0 + php_value mbstring.http_input pass + php_value mbstring.http_output pass + php_value mbstring.encoding_translation 0 # PHP 4, Apache 2. @@ -34,6 +42,9 @@ php_value magic_quotes_gpc 0 php_value register_globals 0 php_value session.auto_start 0 + php_value mbstring.http_input pass + php_value mbstring.http_output pass + php_value mbstring.encoding_translation 0 # PHP 5, Apache 1 and 2. @@ -41,6 +52,9 @@ php_value magic_quotes_gpc 0 php_value register_globals 0 php_value session.auto_start 0 + php_value mbstring.http_input pass + php_value mbstring.http_output pass + php_value mbstring.encoding_translation 0 # Requires mod_expires to be enabled. @@ -57,22 +71,31 @@ RewriteEngine on - # If your site can be accessed both with and without the prefix www. you - # can use one of the following settings to force user to use only one option: + # If your site can be accessed both with and without the 'www.' prefix, you + # can use one of the following settings to redirect users to your preferred + # URL, either WITH or WITHOUT the 'www.' prefix. Choose ONLY one option: # - # If you want the site to be accessed WITH the www. only, adapt and - # uncomment the following: + # To redirect all users to access the site WITH the 'www.' prefix, + # (http://example.com/... will be redirected to http://www.example.com/...) + # adapt and uncomment the following: # RewriteCond %{HTTP_HOST} ^example\.com$ [NC] - # RewriteRule .* http://www.example.com/ [L,R=301] + # RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301] # - # If you want the site to be accessed only WITHOUT the www. prefix, adapt - # and uncomment the following: + # To redirect all users to access the site WITHOUT the 'www.' prefix, + # (http://www.example.com/... will be redirected to http://example.com/...) + # uncomment and adapt the following: # RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC] - # RewriteRule .* http://example.com/ [L,R=301] + # RewriteRule ^(.*)$ http://example.com/$1 [L,R=301] - # Modify the RewriteBase if you are using Drupal in a subdirectory and - # the rewrite rules are not working properly. - #RewriteBase /drupal + # Modify the RewriteBase if you are using Drupal in a subdirectory or in a + # VirtualDocumentRoot and the rewrite rules are not working properly. + # For example if your site is at http://example.com/drupal uncomment and + # modify the following line: + # RewriteBase /drupal + # + # If your site is running in a VirtualDocumentRoot at http://example.com/, + # uncomment the following line: + # RewriteBase / # Rewrite old-style URLs of the form 'node.php?id=x'. #RewriteCond %{REQUEST_FILENAME} !-f @@ -86,10 +109,11 @@ #RewriteCond %{QUERY_STRING} ^mod=([^&]+)$ #RewriteRule module.php index.php?q=%1 [L] - # Rewrite current-style URLs of the form 'index.php?q=x'. + # Rewrite current-style URLs of the form 'x' to the form 'index.php?q=x'. RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d + RewriteCond %{REQUEST_URI} !=/favicon.ico RewriteRule ^(.*)$ index.php?q=$1 [L,QSA] -# $Id: .htaccess,v 1.81 2007/01/09 09:27:10 dries Exp $ +# $Id: .htaccess,v 1.81.2.6 2009/02/26 07:03:29 drumm Exp $ diff -Naur drupal-5.0/CHANGELOG.txt drupal-5.23/CHANGELOG.txt --- drupal-5.0/CHANGELOG.txt 2007-01-15 13:11:23.000000000 +0100 +++ drupal-5.23/CHANGELOG.txt 2010-08-11 22:37:49.000000000 +0200 @@ -1,4 +1,136 @@ -// $Id: CHANGELOG.txt,v 1.173.2.1 2007/01/15 12:11:23 unconed Exp $ +// $Id: CHANGELOG.txt,v 1.173.2.50 2010/08/11 20:37:49 drumm Exp $ + +Drupal 5.23, 2010-08-11 +----------------------- +- Fixed security issues (File download access bypass, Comment unpublishing + bypass), see SA-CORE-2010-002. + +Drupal 5.22, 2010-03-03 +----------------------- +- Fixed security issues (Open redirection, Locale module cross site scripting, + Blocked user session regeneration), see SA-CORE-2010-001. + +Drupal 5.21, 2009-12-16 +----------------------- +- Fixed a security issue (Cross site scripting), see SA-CORE-2009-009. +- Fixed a variety of small bugs. + +Drupal 5.20, 2009-09-16 +----------------------- +- Avoid security problems resulting from writing Drupal 6-style menu + declarations. +- Fixed security issues (session fixation), see SA-CORE-2009-008. +- Fixed a variety of small bugs. + +Drupal 5.19, 2009-07-01 +----------------------- +- Fixed security issues (Cross site scripting and Password leakage in URL), see + SA-CORE-2009-007. +- Fixed a variety of small bugs. + +Drupal 5.18, 2009-05-13 +----------------------- +- Fixed security issues (Cross site scripting), see SA-CORE-2009-006. +- Fixed a variety of small bugs. + +Drupal 5.17, 2009-04-29 +----------------------- +- Fixed security issues (Cross site scripting and limited information + disclosure) see SA-CORE-2009-005. +- Fixed a variety of small bugs. + +Drupal 5.16, 2009-02-25 +----------------------- +- Fixed a security issue, (Local file inclusion on Windows), see SA-CORE-2009-004. +- Fixed a variety of small bugs. + +Drupal 5.15, 2009-01-14 +----------------------- +- Fixed security issues, (Hardening against SQL injection), see + SA-CORE-2009-001 +- Fixed HTTP_HOST checking to work again with HTTP 1.0 clients and basic shell + scripts. +- Fixed a variety of small bugs. + +Drupal 5.14, 2008-12-11 +----------------------- +- removed a previous change incompatible with PHP 5.1.x and lower. + +Drupal 5.13, 2008-12-10 +----------------------- +- fixed a variety of small bugs. +- fixed security issues, (Cross site request forgery and Cross site scripting), see SA-2008-073 +- updated robots.txt and .htaccess to match current file use. + +Drupal 5.12, 2008-10-22 +----------------------- +- fixed security issues, (File inclusion), see SA-2008-067 + +Drupal 5.11, 2008-10-08 +----------------------- +- fixed a variety of small bugs. +- fixed security issues, (File upload access bypass, Access rules bypass, + BlogAPI access bypass, Node validation bypass), see SA-2008-060 + +Drupal 5.10, 2008-08-13 +----------------------- +- fixed a variety of small bugs. +- fixed security issues, (Cross site scripting, Arbitrary file uploads via + BlogAPI and Cross site request forgery), see SA-2008-047 + +Drupal 5.9, 2008-07-23 +---------------------- +- fixed a variety of small bugs. +- fixed security issues, (Session fixation), see SA-2008-046 + +Drupal 5.8, 2008-07-09 +---------------------- +- fixed a variety of small bugs. +- fixed security issues, (Cross site scripting, cross site request forgery, and + session fixation), see SA-2008-044 + +Drupal 5.7, 2008-01-28 +---------------------- +- fixed the input format configuration page. +- fixed a variety of small bugs. + +Drupal 5.6, 2008-01-10 +---------------------- +- fixed a variety of small bugs. +- fixed a security issue (Cross site request forgery), see SA-2008-005 +- fixed a security issue (Cross site scripting, UTF8), see SA-2008-006 +- fixed a security issue (Cross site scripting, register_globals), see SA-2008-007 + +Drupal 5.5, 2007-12-06 +---------------------- +- fixed missing missing brackets in a query in the user module. +- fixed taxonomy feed bug introduced by SA-2007-031 + +Drupal 5.4, 2007-12-05 +---------------------- +- fixed a variety of small bugs. +- fixed a security issue (SQL injection), see SA-2007-031 + +Drupal 5.3, 2007-10-17 +---------------------- +- fixed a variety of small bugs. +- fixed a security issue (HTTP response splitting), see SA-2007-024 +- fixed a security issue (Arbitrary code execution via installer), see SA-2007-025 +- fixed a security issue (Cross site scripting via uploads), see SA-2007-026 +- fixed a security issue (User deletion cross site request forgery), see SA-2007-029 +- fixed a security issue (API handling of unpublished comment), see SA-2007-030 + +Drupal 5.2, 2007-07-26 +---------------------- +- changed hook_link() $teaser argument to match documentation. +- fixed a variety of small bugs. +- fixed a security issue (cross-site request forgery), see SA-2007-017 +- fixed a security issue (cross-site scripting), see SA-2007-018 + +Drupal 5.1, 2007-01-29 +---------------------- +- fixed security issue (code execution), see SA-2007-005 +- fixed a variety of small bugs. Drupal 5.0, 2007-01-15 ------------------------ @@ -77,6 +209,61 @@ * added nested lists generation. * added a self-clearing block class. +Drupal 4.7.11, 2008-01-10 +------------------------- +- fixed a security issue (Cross site request forgery), see SA-2008-005 +- fixed a security issue (Cross site scripting, UTF8), see SA-2008-006 +- fixed a security issue (Cross site scripting, register_globals), see SA-2008-007 + +Drupal 4.7.10, 2007-12-06 +------------------------- +- fixed taxonomy feed bug introduced by SA-2007-031 + +Drupal 4.7.9, 2007-12-05 +------------------------ +- fixed a security issue (SQL injection), see SA-2007-031 + +Drupal 4.7.8, 2007-10-17 +------------------------ +- fixed a security issue (HTTP response splitting), see SA-2007-024 +- fixed a security issue (Cross site scripting via uploads), see SA-2007-026 +- fixed a security issue (API handling of unpublished comment), see SA-2007-030 + +Drupal 4.7.7, 2007-07-26 +------------------------ +- fixed security issue (XSS), see SA-2007-018 + +Drupal 4.7.6, 2007-01-29 +------------------------ +- fixed security issue (code execution), see SA-2007-005 + +Drupal 4.7.5, 2007-01-05 +------------------------ +- fixed security issue (XSS), see SA-2007-001 +- fixed security issue (DoS), see SA-2007-002 + +Drupal 4.7.4, 2006-10-18 +------------------------ +- fixed security issue (XSS), see SA-2006-024 +- fixed security issue (CSRF), see SA-2006-025 +- fixed security issue (Form action attribute injection), see SA-2006-026 + +Drupal 4.7.3, 2006-08-02 +------------------------ +- fixed security issue (XSS), see SA-2006-011 + +Drupal 4.7.2, 2006-06-01 +------------------------ +- fixed critical upload issue, see SA-2006-007 +- fixed taxonomy XSS issue, see SA-2006-008 +- fixed a variety of small bugs. + +Drupal 4.7.1, 2006-05-24 +------------------------ +- fixed critical SQL issue, see SA-2006-005 +- fixed a serious upgrade related bug. +- fixed a variety of small bugs. + Drupal 4.7.0, 2006-05-01 ------------------------ - added free tagging support. @@ -144,6 +331,30 @@ * added support for a tolerant Base URL. * output URIs relative to the root, without a base tag. +Drupal 4.6.11, 2007-01-05 +------------------------- +- fixed security issue (XSS), see SA-2007-001 +- fixed security issue (DoS), see SA-2007-002 + +Drupal 4.6.10, 2006-10-18 +------------------------ +- fixed security issue (XSS), see SA-2006-024 +- fixed security issue (CSRF), see SA-2006-025 +- fixed security issue (Form action attribute injection), see SA-2006-026 + +Drupal 4.6.9, 2006-08-02 +------------------------ +- fixed security issue (XSS), see SA-2006-011 + +Drupal 4.6.8, 2006-06-01 +------------------------ +- fixed critical upload issue, see SA-2006-007 +- fixed taxonomy XSS issue, see SA-2006-008 + +Drupal 4.6.7, 2006-05-24 +------------------------ +- fixed critical SQL issue, see SA-2006-005 + Drupal 4.6.6, 2006-03-13 ------------------------ - fixed bugs, including 4 security vulnerabilities. diff -Naur drupal-5.0/INSTALL.txt drupal-5.23/INSTALL.txt --- drupal-5.0/INSTALL.txt 2007-01-08 12:59:16.000000000 +0100 +++ drupal-5.23/INSTALL.txt 2008-01-10 23:14:24.000000000 +0100 @@ -1,4 +1,4 @@ -// $Id: INSTALL.txt,v 1.39 2007/01/08 11:59:16 dries Exp $ +// $Id: INSTALL.txt,v 1.39.2.3 2008/01/10 22:14:24 drumm Exp $ CONTENTS OF THIS FILE --------------------- @@ -22,7 +22,7 @@ REQUIREMENTS ------------ -Drupal requires a web server, PHP4 (4.3.3 or greater) or PHP5 +Drupal requires a web server, PHP4 (4.3.5 or greater) or PHP5 (http://www.php.net/) and either MySQL (http://www.mysql.com/) or PostgreSQL (http://www.postgresql.org/). The Apache web server and MySQL database are recommended; other web server and database combinations such as IIS and @@ -120,7 +120,7 @@ following example crontab line will activate the cron tasks automatically on the hour: - 0 * * * * wget -O - -q http://www.example.com/cron.php + 0 * * * * wget -O - -q -t 1 http://www.example.com/cron.php More information about the cron scripts are available in the admin help pages and in the Drupal handbook at drupal.org. Example scripts can be found in the @@ -134,10 +134,10 @@ Use your administration panel to enable and configure services. For example: -General Settings administer > site configuration > site information -Enable Modules administer > site configuration > modules -Set User Permissions administer > users management > access control -Configure Themes administer > site building > themes +General Settings Administer > Site configuration > Site information +Enable Modules Administer > Site building > Modules +Set User Permissions Administer > User management > Access control +Configure Themes Administer > Site building > Themes For more information on configuration options, read the instructions which accompany the different configuration settings and consult the various help diff -Naur drupal-5.0/LICENSE.txt drupal-5.23/LICENSE.txt --- drupal-5.0/LICENSE.txt 2006-07-09 13:33:06.000000000 +0200 +++ drupal-5.23/LICENSE.txt 2009-01-14 06:56:37.000000000 +0100 @@ -1,14 +1,13 @@ -// $Id: LICENSE.txt,v 1.5 2006/07/09 11:33:06 dries Exp $ +// $Id: LICENSE.txt,v 1.5.2.1 2009/01/14 05:56:37 drumm Exp $ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc. - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. - Preamble + Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public @@ -58,7 +57,7 @@ The precise terms and conditions for copying, distribution and modification follow. - GNU GENERAL PUBLIC LICENSE + GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains @@ -257,7 +256,7 @@ of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. - NO WARRANTY + NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN @@ -279,9 +278,9 @@ PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. - END OF TERMS AND CONDITIONS + END OF TERMS AND CONDITIONS - How to Apply These Terms to Your New Programs + How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it @@ -305,10 +304,9 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Also add information on how to contact you by electronic and paper mail. diff -Naur drupal-5.0/includes/bootstrap.inc drupal-5.23/includes/bootstrap.inc --- drupal-5.0/includes/bootstrap.inc 2007-01-15 12:52:02.000000000 +0100 +++ drupal-5.23/includes/bootstrap.inc 2009-04-30 02:13:48.000000000 +0200 @@ -1,5 +1,5 @@ 0; $i--) { for ($j = count($server); $j > 0; $j--) { @@ -230,11 +230,47 @@ } /** - * Loads the configuration and sets the base URL correctly. + * Validate that a hostname (for example $_SERVER['HTTP_HOST']) is safe. + * + * As $_SERVER['HTTP_HOST'] is user input, ensure it only contains characters + * allowed in hostnames. See RFC 952 (and RFC 2181). $_SERVER['HTTP_HOST'] is + * lowercased. + * + * @return + * TRUE if only containing valid characters, or FALSE otherwise. + */ +function drupal_valid_http_host($host) { + return preg_match('/^\[?(?:[a-z0-9-:\]_]+\.?)+$/', $host); +} + +/** + * Loads the configuration and sets the base URL, cookie domain, and + * session name correctly. */ function conf_init() { - global $db_url, $db_prefix, $base_url, $base_path, $base_root, $conf, $installed_profile; + global $base_url, $base_path, $base_root; + + // Export the following settings.php variables to the global namespace + global $db_url, $db_prefix, $cookie_domain, $conf, $installed_profile; $conf = array(); + + if (isset($_SERVER['HTTP_HOST'])) { + // As HTTP_HOST is user input, ensure it only contains characters allowed + // in hostnames. See RFC 952 (and RFC 2181). + // $_SERVER['HTTP_HOST'] is lowercased here per specifications. + $_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']); + if (!drupal_valid_http_host($_SERVER['HTTP_HOST'])) { + // HTTP_HOST is invalid, e.g. if containing slashes it may be an attack. + header('HTTP/1.1 400 Bad Request'); + exit; + } + } + else { + // Some pre-HTTP/1.1 clients will not send a Host header. Ensure the key is + // defined for E_ALL compliance. + $_SERVER['HTTP_HOST'] = ''; + } + include_once './'. conf_path() .'/settings.php'; if (isset($base_url)) { @@ -250,8 +286,12 @@ else { // Create base URL $base_root = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 'https' : 'http'; + $base_url = $base_root .= '://'. $_SERVER['HTTP_HOST']; - if ($dir = trim(dirname($_SERVER['PHP_SELF']), '\,/')) { + + // $_SERVER['SCRIPT_NAME'] can, in contrast to $_SERVER['PHP_SELF'], not + // be modified by a visitor. + if ($dir = trim(dirname($_SERVER['SCRIPT_NAME']), '\,/')) { $base_path = "/$dir"; $base_url .= $base_path; $base_path .= '/'; @@ -260,6 +300,47 @@ $base_path = '/'; } } + + if (!$cookie_domain) { + // If the $cookie_domain is empty, try to use the session.cookie_domain. + $cookie_domain = ini_get('session.cookie_domain'); + } + if ($cookie_domain) { + // If the user specifies the cookie domain, also use it for session name. + $session_name = $cookie_domain; + } + else { + // Otherwise use $base_url as session name, without the protocol + // to use the same session identifiers across http and https. + list( , $session_name) = explode('://', $base_url, 2); + // We try to set the cookie domain to the hostname. + // We escape the hostname because it can be modified by a visitor. + if (!empty($_SERVER['HTTP_HOST'])) { + $cookie_domain = check_plain($_SERVER['HTTP_HOST']); + } + } + // To prevent session cookies from being hijacked, a user can configure the + // SSL version of their website to only transfer session cookies via SSL by + // using PHP's session.cookie_secure setting. The browser will then use two + // separate session cookies for the HTTPS and HTTP versions of the site. So we + // must use different session identifiers for HTTPS and HTTP to prevent a + // cookie collision. + if (ini_get('session.cookie_secure')) { + $session_name .= 'SSL'; + } + // Strip leading periods, www., and port numbers from cookie domain. + $cookie_domain = ltrim($cookie_domain, '.'); + if (strpos($cookie_domain, 'www.') === 0) { + $cookie_domain = substr($cookie_domain, 4); + } + $cookie_domain = explode(':', $cookie_domain); + $cookie_domain = '.'. $cookie_domain[0]; + // Per RFC 2109, cookie domains must contain at least one dot other than the + // first. For hosts such as 'localhost' or IP Addresses we don't set a cookie domain. + if (count(explode('.', $cookie_domain)) > 2 && !is_numeric(str_replace('.', '', $cookie_domain))) { + ini_set('session.cookie_domain', $cookie_domain); + } + session_name('SESS'. md5($session_name)); } /** @@ -487,7 +568,7 @@ function drupal_page_header() { header("Expires: Sun, 19 Nov 1978 05:00:00 GMT"); header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); - header("Cache-Control: no-store, no-cache, must-revalidate"); + header("Cache-Control: store, no-cache, must-revalidate"); header("Cache-Control: post-check=0, pre-check=0", FALSE); } @@ -515,7 +596,7 @@ header('HTTP/1.1 304 Not Modified'); // All 304 responses must send an etag if the 200 response for the same object contained an etag header("Etag: $etag"); - exit(); + return; } // Send appropriate response: @@ -583,9 +664,48 @@ /** * Encode special characters in a plain-text string for display as HTML. + * + * Uses drupal_validate_utf8 to prevent cross site scripting attacks on + * Internet Explorer 6. */ function check_plain($text) { - return htmlspecialchars($text, ENT_QUOTES); + return drupal_validate_utf8($text) ? htmlspecialchars($text, ENT_QUOTES) : ''; +} + +/** + * Checks whether a string is valid UTF-8. + * + * All functions designed to filter input should use drupal_validate_utf8 + * to ensure they operate on valid UTF-8 strings to prevent bypass of the + * filter. + * + * When text containing an invalid UTF-8 lead byte (0xC0 - 0xFF) is presented + * as UTF-8 to Internet Explorer 6, the program may misinterpret subsequent + * bytes. When these subsequent bytes are HTML control characters such as + * quotes or angle brackets, parts of the text that were deemed safe by filters + * end up in locations that are potentially unsafe; An onerror attribute that + * is outside of a tag, and thus deemed safe by a filter, can be interpreted + * by the browser as if it were inside the tag. + * + * This function exploits preg_match behaviour (since PHP 4.3.5) when used + * with the u modifier, as a fast way to find invalid UTF-8. When the matched + * string contains an invalid byte sequence, it will fail silently. + * + * preg_match may not fail on 4 and 5 octet sequences, even though they + * are not supported by the specification. + * + * The specific preg_match behaviour is present since PHP 4.3.5. + * + * @param $text + * The text to check. + * @return + * TRUE if the text is valid UTF-8, FALSE if not. + */ +function drupal_validate_utf8($text) { + if (strlen($text) == 0) { + return TRUE; + } + return (preg_match('/^./us', $text) == 1); } /** @@ -599,12 +719,14 @@ } else { if (isset($_SERVER['argv'])) { - $uri = $_SERVER['PHP_SELF'] .'?'. $_SERVER['argv'][0]; + $uri = $_SERVER['SCRIPT_NAME'] .'?'. $_SERVER['argv'][0]; } else { - $uri = $_SERVER['PHP_SELF'] .'?'. $_SERVER['QUERY_STRING']; + $uri = $_SERVER['SCRIPT_NAME'] .'?'. $_SERVER['QUERY_STRING']; } } + // Prevent multiple slashes to avoid cross site requests via the FAPI. + $uri = '/'. ltrim($uri, '/'); return $uri; } @@ -677,6 +799,11 @@ * (optional) Only return messages of this type. * @param $clear_queue * (optional) Set to FALSE if you do not want to clear the messages queue + * @return + * An associative array, the key is the message type, the value an array + * of messages. If the $type parameter is passed, you get only that type, + * or an empty array if there are no such messages. If $type is not passed, + * all message types are returned, or an empty array if none exist. */ function drupal_get_messages($type = NULL, $clear_queue = TRUE) { if ($messages = drupal_set_message()) { @@ -684,7 +811,9 @@ if ($clear_queue) { unset($_SESSION['messages'][$type]); } - return array($type => $messages[$type]); + if (isset($messages[$type])) { + return array($type => $messages[$type]); + } } else { if ($clear_queue) { @@ -742,6 +871,7 @@ $user->roles = array(); $user->roles[DRUPAL_ANONYMOUS_RID] = 'anonymous user'; $user->session = $session; + $user->cache = 0; return $user; } @@ -767,11 +897,9 @@ function drupal_bootstrap($phase) { static $phases = array(DRUPAL_BOOTSTRAP_CONFIGURATION, DRUPAL_BOOTSTRAP_EARLY_PAGE_CACHE, DRUPAL_BOOTSTRAP_DATABASE, DRUPAL_BOOTSTRAP_ACCESS, DRUPAL_BOOTSTRAP_SESSION, DRUPAL_BOOTSTRAP_LATE_PAGE_CACHE, DRUPAL_BOOTSTRAP_PATH, DRUPAL_BOOTSTRAP_FULL); - while (!is_null($current_phase = array_shift($phases))) { + while (!empty($phases) && $phase >= $phases[0]) { + $current_phase = array_shift($phases); _drupal_bootstrap($current_phase); - if ($phase == $current_phase) { - return; - } } } diff -Naur drupal-5.0/includes/cache.inc drupal-5.23/includes/cache.inc --- drupal-5.0/includes/cache.inc 2006-11-10 08:26:27.000000000 +0100 +++ drupal-5.23/includes/cache.inc 2009-07-10 07:41:24.000000000 +0200 @@ -1,5 +1,5 @@ data)) { // If the data is permanent or we're not enforcing a minimum cache lifetime // always return the cached data. @@ -92,9 +93,9 @@ */ function cache_set($cid, $table = 'cache', $data, $expire = CACHE_PERMANENT, $headers = NULL) { db_lock_table($table); - db_query("UPDATE {%s} SET data = %b, created = %d, expire = %d, headers = '%s' WHERE cid = '%s'", $table, $data, time(), $expire, $headers, $cid); + db_query("UPDATE {". $table. "} SET data = %b, created = %d, expire = %d, headers = '%s' WHERE cid = '%s'", $data, time(), $expire, $headers, $cid); if (!db_affected_rows()) { - @db_query("INSERT INTO {%s} (cid, data, created, expire, headers) VALUES ('%s', %b, %d, %d, '%s')", $table, $cid, $data, time(), $expire, $headers); + @db_query("INSERT INTO {". $table. "} (cid, data, created, expire, headers) VALUES ('%s', %b, %d, %d, '%s')", $cid, $data, time(), $expire, $headers); } db_unlock_tables(); } @@ -133,34 +134,34 @@ // cached data that was cached before the timestamp. $user->cache = time(); - $cache_flush = variable_get('cache_flush', 0); + $cache_flush = variable_get('cache_flush_'. $table, 0); if ($cache_flush == 0) { // This is the first request to clear the cache, start a timer. - variable_set('cache_flush', time()); + variable_set('cache_flush_'. $table, time()); } else if (time() > ($cache_flush + variable_get('cache_lifetime', 0))) { - // Clear the cache for everyone, cache_flush_delay seconds have + // Clear the cache for everyone, cache_lifetime seconds have // passed since the first request to clear the cache. - db_query("DELETE FROM {%s} WHERE expire != %d AND expire < %d", $table, CACHE_PERMANENT, time()); - variable_set('cache_flush', 0); + db_query("DELETE FROM {". $table. "} WHERE expire != %d AND expire < %d", CACHE_PERMANENT, time()); + variable_set('cache_flush_'. $table, 0); } } else { // No minimum cache lifetime, flush all temporary cache entries now. - db_query("DELETE FROM {%s} WHERE expire != %d AND expire < %d", $table, CACHE_PERMANENT, time()); + db_query("DELETE FROM {". $table. "} WHERE expire != %d AND expire < %d", CACHE_PERMANENT, time()); } } else { if ($wildcard) { if ($cid == '*') { - db_query("TRUNCATE TABLE {%s}", $table); + db_query("DELETE FROM {". $table. "}"); } else { - db_query("DELETE FROM {%s} WHERE cid LIKE '%s%%'", $table, $cid); + db_query("DELETE FROM {". $table. "} WHERE cid LIKE '%s%%'", $cid); } } else { - db_query("DELETE FROM {%s} WHERE cid = '%s'", $table, $cid); + db_query("DELETE FROM {". $table. "} WHERE cid = '%s'", $cid); } } } diff -Naur drupal-5.0/includes/common.inc drupal-5.23/includes/common.inc --- drupal-5.0/includes/common.inc 2007-01-11 00:30:07.000000000 +0100 +++ drupal-5.23/includes/common.inc 2010-03-04 01:16:02.000000000 +0100 @@ -1,5 +1,5 @@ ]*>/i', "\$0\n", $content, 1); +} + +/** * Add a feed URL for the current page. * * @param $url @@ -197,8 +206,6 @@ * The array to be processed e.g. $_GET * @param $exclude * The array filled with keys to be excluded. Use parent[child] to exclude nested items. - * @param $urlencode - * If TRUE, the keys and values are both urlencoded. * @param $parent * Should not be passed, only used in recursive calls * @return @@ -269,9 +276,8 @@ * 'user login'-block in a sidebar. The function drupal_get_destination() * can be used to help set the destination URL. * - * It is advised to use drupal_goto() instead of PHP's header(), because - * drupal_goto() will append the user's session ID to the URI when PHP is - * compiled with "--enable-trans-sid". + * Drupal will ensure that messages set by drupal_set_message() and other + * session data are written to the database before the user is redirected. * * This function ends the request; use it rather than a print theme('page') * statement in your menu callback. @@ -296,18 +302,35 @@ * @see drupal_get_destination() */ function drupal_goto($path = '', $query = NULL, $fragment = NULL, $http_response_code = 302) { + + $destination = FALSE; if (isset($_REQUEST['destination'])) { - extract(parse_url(urldecode($_REQUEST['destination']))); + $destination = $_REQUEST['destination']; } else if (isset($_REQUEST['edit']['destination'])) { - extract(parse_url(urldecode($_REQUEST['edit']['destination']))); + $destination = $_REQUEST['edit']['destination']; + } + + if ($destination) { + // Do not redirect to an absolute URL originating from user input. + $colonpos = strpos($destination, ':'); + $absolute = ($colonpos !== FALSE && !preg_match('![/?#]!', substr($destination, 0, $colonpos))); + if (!$absolute) { + extract(parse_url(urldecode($destination))); + } } $url = url($path, $query, $fragment, TRUE); + // Remove newlines from the URL to avoid header injection attacks. + $url = str_replace(array("\n", "\r"), '', $url); // Before the redirect, allow modules to react to the end of the page request. module_invoke_all('exit', $url); + // Even though session_write_close() is registered as a shutdown function, we + // need all session data written to the database before redirecting. + session_write_close(); + header('Location: '. $url, TRUE, $http_response_code); // The "Location" header sends a REDIRECT status code to the http @@ -349,8 +372,10 @@ menu_set_active_item(''); } - if (empty($return)) { + if (empty($return) || $return == MENU_NOT_FOUND || $return == MENU_ACCESS_DENIED) { drupal_set_title(t('Page not found')); + menu_set_active_item(''); + $return = ''; } // To conserve CPU and bandwidth, omit the blocks print theme('page', $return, FALSE); @@ -363,7 +388,7 @@ drupal_set_header('HTTP/1.1 403 Forbidden'); watchdog('access denied', check_plain($_GET['q']), WATCHDOG_WARNING); -// Keep old path for reference + // Keep old path for reference if (!isset($_REQUEST['destination'])) { $_REQUEST['destination'] = $_GET['q']; } @@ -378,8 +403,9 @@ menu_set_active_item(''); } - if (empty($return)) { + if (empty($return) || $return == MENU_NOT_FOUND || $return == MENU_ACCESS_DENIED) { drupal_set_title(t('Access denied')); + menu_set_active_item(''); $return = t('You are not authorized to access this page.'); } print theme('page', $return); @@ -411,6 +437,19 @@ // Parse the URL, and make sure we can handle the schema. $uri = parse_url($url); + + if ($uri == FALSE) { + $result->error = 'unable to parse URL'; + $result->code = -1001; + return $result; + } + + if (!isset($uri['scheme'])) { + $result->error = 'missing schema'; + $result->code = -1002; + return $result; + } + switch ($uri['scheme']) { case 'http': $port = isset($uri['port']) ? $uri['port'] : 80; @@ -425,12 +464,14 @@ break; default: $result->error = 'invalid schema '. $uri['scheme']; + $result->code = -1003; return $result; } // Make sure the socket opened properly. if (!$fp) { $result->error = trim($errno .' '. $errstr); + $result->code = -$errno; return $result; } @@ -450,6 +491,11 @@ 'Content-Length' => 'Content-Length: '. strlen($data) ); + // If the server url has a user then attempt to use basic authentication + if (isset($uri['user'])) { + $defaults['Authorization'] = 'Authorization: Basic '. base64_encode($uri['user'] . (!empty($uri['pass']) ? ":". $uri['pass'] : '')); + } + foreach ($headers as $header => $value) { $defaults[$header] = $header .': '. $value; } @@ -544,11 +590,11 @@ } if ($errno & (E_ALL ^ E_NOTICE)) { - $types = array(1 => 'error', 2 => 'warning', 4 => 'parse error', 8 => 'notice', 16 => 'core error', 32 => 'core warning', 64 => 'compile error', 128 => 'compile warning', 256 => 'user error', 512 => 'user warning', 1024 => 'user notice', 2048 => 'strict warning'); + $types = array(1 => 'error', 2 => 'warning', 4 => 'parse error', 8 => 'notice', 16 => 'core error', 32 => 'core warning', 64 => 'compile error', 128 => 'compile warning', 256 => 'user error', 512 => 'user warning', 1024 => 'user notice', 2048 => 'strict warning', 4096 => 'recoverable fatal error'); $entry = $types[$errno] .': '. $message .' in '. $filename .' on line '. $line .'.'; // Force display of error messages in update.php - if (variable_get('error_level', 1) == 1 || strstr($_SERVER['PHP_SELF'], 'update.php')) { + if (variable_get('error_level', 1) == 1 || strstr($_SERVER['SCRIPT_NAME'], 'update.php')) { drupal_set_message($entry, 'error'); } @@ -629,8 +675,8 @@ /** * Translate strings to the current locale. * - * All human-readable text that will be displayed somewhere within a page should be - * run through the t() function. + * Human-readable text that will be displayed somewhere within a page should + * be run through the t() function. * * Examples: * @code @@ -666,27 +712,27 @@ * $message[] = t("If you don't want to receive such e-mails, you can change your settings at !url.", array('!url' => url("user/$account->uid", NULL, NULL, TRUE))); * @endcode * - * - @variable, which indicates that the text should be run through check_plain, - * to strip out HTML characters. Use this for any output that's displayed within - * a Drupal page. + * - @variable, which indicates that the text should be run through + * check_plain, to escape HTML characters. Use this for any output that's + * displayed within a Drupal page. * @code * drupal_set_title($title = t("@name's blog", array('@name' => $account->name))); * @endcode * - * - %variable, which indicates that the string should be highlighted with - * theme_placeholder() which shows up by default as emphasized. + * - %variable, which indicates that the string should be HTML escaped and + * highlighted with theme_placeholder() which shows up by default as + * emphasized. * @code - * watchdog('mail', t('%name-from sent %name-to an e-mail.', array('%name-from' => $user->name, '%name-to' => $account->name))); + * $message = t('%name-from sent %name-to an e-mail.', array('%name-from' => $user->name, '%name-to' => $account->name)); * @endcode * * When using t(), try to put entire sentences and strings in one t() call. * This makes it easier for translators, as it provides context as to what - * each word refers to. HTML markup within translation strings is allowed, - * but should be avoided if possible. The exception is embedded links; link - * titles add additional context for translators so should be kept in the main - * string. + * each word refers to. HTML markup within translation strings is allowed, but + * should be avoided if possible. The exception are embedded links; link + * titles add a context for translators, so should be kept in the main string. * - * Here is an example of an incorrect use if t(): + * Here is an example of incorrect usage of t(): * @code * $output .= t('

Go to the @contact-page.

', array('@contact-page' => l(t('contact page'), 'contact'))); * @endcode @@ -696,7 +742,7 @@ * $output .= '

'. t('Go to the contact page.', array('@contact-page' => url('contact'))) .'

'; * @endcode * - * Also avoid escaping quotation marks wherever possible. + * Avoid escaping quotation marks wherever possible. * * Incorrect: * @code @@ -708,6 +754,101 @@ * $output .= t("Don't click me."); * @endcode * + * Because t() is designed for handling code-based strings, in almost all + * cases, the actual string and not a variable must be passed through t(). + * + * Extraction of translations is done based on the strings contained in t() + * calls. If a variable is passed through t(), the content of the variable + * cannot be extracted from the file for translation. + * + * Incorrect: + * @code + * $message = 'An error occurred.'; + * drupal_set_message(t($message), 'error'); + * $output .= t($message); + * @endcode + * + * Correct: + * @code + * $message = t('An error occurred.'); + * drupal_set_message($message, 'error'); + * $output .= $message; + * @endcode + * + * The only case in which variables can be passed safely through t() is when + * code-based versions of the same strings will be passed through t() (or + * otherwise extracted) elsewhere. + * + * In some cases, modules may include strings in code that can't use t() + * calls. For example, a module may use an external PHP application that + * produces strings that are loaded into variables in Drupal for output. + * In these cases, module authors may include a dummy file that passes the + * relevant strings through t(). This approach will allow the strings to be + * extracted. + * + * Sample external (non-Drupal) code: + * @code + * class Time { + * public $yesterday = 'Yesterday'; + * public $today = 'Today'; + * public $tomorrow = 'Tomorrow'; + * } + * @endcode + * + * Sample dummy file. + * @code + * // Dummy function included in example.potx.inc. + * function example_potx() { + * $strings = array( + * t('Yesterday'), + * t('Today'), + * t('Tomorrow'), + * ); + * // No return value needed, since this is a dummy function. + * } + * @endcode + * + * Having passed strings through t() in a dummy function, it is then + * okay to pass variables through t(). + * + * Correct (if a dummy file was used): + * @code + * $time = new Time(); + * $output .= t($time->today); + * @endcode + * + * However tempting it is, custom data from user input or other non-code + * sources should not be passed through t(). Doing so leads to the following + * problems and errors: + * - The t() system doesn't support updates to existing strings. When user + * data is updated, the next time it's passed through t() a new record is + * created instead of an update. The database bloats over time and any + * existing translations are orphaned with each update. + * - The t() system assumes any data it receives is in English. User data may + * be in another language, producing translation errors. + * - The "Built-in interface" text group in the locale system is used to + * produce translations for storage in .po files. When non-code strings are + * passed through t(), they are added to this text group, which is rendered + * inaccurate since it is a mix of actual interface strings and various user + * input strings of uncertain origin. + * + * Incorrect: + * @code + * $item = item_load(); + * $output .= check_plain(t($item['title'])); + * @endcode + * + * Instead, translation of these data can be done through the locale system, + * either directly or through helper functions provided by contributed + * modules. + * @see hook_locale() + * + * During installation, st() is used in place of t(). Code that may be called + * during installation or during normal operation should use the get_t() + * helper function. + * @see st() + * @see get_t() + * * @param $string * A string containing the English string to translate. * @param $args @@ -780,7 +921,7 @@ * * This function should only be used on actual URLs. It should not be used for * Drupal menu paths, which can contain arbitrary characters. - * + * Valid values per RFC 3986. * @param $url * The URL to verify. * @param $absolute @@ -789,12 +930,26 @@ * TRUE if the URL is in a valid format. */ function valid_url($url, $absolute = FALSE) { - $allowed_characters = '[a-z0-9\/:_\-_\.\?\$,;~=#&%\+]'; if ($absolute) { - return preg_match("/^(http|https|ftp):\/\/". $allowed_characters ."+$/i", $url); + return (bool)preg_match(" + /^ # Start at the beginning of the text + (?:ftp|https?):\/\/ # Look for ftp, http, or https schemes + (?: # Userinfo (optional) which is typically + (?:(?:[\w\.\-\+!$&'\(\)*\+,;=]|%[0-9a-f]{2})+:)* # a username or a username and password + (?:[\w\.\-\+%!$&'\(\)*\+,;=]|%[0-9a-f]{2})+@ # combination + )? + (?: + (?:[a-z0-9\-\.]|%[0-9a-f]{2})+ # A domain name or a IPv4 address + |(?:\[(?:[0-9a-f]{0,4}:)*(?:[0-9a-f]{0,4})\]) # or a well formed IPv6 address + ) + (?::[0-9]+)? # Server port number (optional) + (?:[\/|\?] + (?:[\w#!:\.\?\+=&@$'~*,;\/\(\)\[\]\-]|%[0-9a-f]{2}) # The path and query (optional) + *)? + $/xi", $url); } else { - return preg_match("/^". $allowed_characters ."+$/i", $url); + return (bool)preg_match("/^(?:[\w#!:\.\?\+=&@$'~*,;\/\(\)\[\]\-]|%[0-9a-f]{2})+$/i", $url); } } @@ -1164,7 +1319,7 @@ static $script; static $clean_url; - if (empty($script)) { + if (!isset($script)) { // On some web servers, such as IIS, we can't omit "index.php". So, we // generate "index.php?q=foo" instead of "?q=foo" on anything that is not // Apache. @@ -1262,7 +1417,7 @@ * an HTML string containing a link to the given path. */ function l($text, $path, $attributes = array(), $query = NULL, $fragment = NULL, $absolute = FALSE, $html = FALSE) { - if ($path == $_GET['q']) { + if (($path == $_GET['q']) || ($path == '' && drupal_is_front_page())) { if (isset($attributes['class'])) { $attributes['class'] .= ' active'; } @@ -1511,6 +1666,8 @@ foreach ($type as $file => $cache) { if ($cache) { $contents = file_get_contents($file); + // Remove multiple charset declarations for standards compliance (and fixing Safari problems) + $contents = preg_replace('/^@charset\s+[\'"](\S*)\b[\'"];/i', '', $contents); // Return the path to where this CSS file originated from, stripping off the name of the file at the end of the path. $path = base_path() . substr($file, 0, strrpos($file, '/')) .'/'; // Wraps all @import arguments in url(). @@ -1545,6 +1702,8 @@ */ function drupal_clear_css_cache() { file_scan_directory(file_create_path('css'), '.*', array('.', '..', 'CVS'), 'file_delete', TRUE); + // Clear the page cache, so cached pages do not reference nonexistent CSS. + cache_clear_all(); } /** @@ -1644,10 +1803,10 @@ * are added to the page. Then, all settings are output, followed by 'inline' * JavaScript code. * - * @parameter $scope + * @param $scope * (optional) The scope for which the JavaScript rules should be returned. * Defaults to 'header'. - * @parameter $javascript + * @param $javascript * (optional) An array with all JavaScript code. Defaults to the default * JavaScript array for the given scope. * @return @@ -1699,14 +1858,17 @@ array('\r', '\n', '\x3c', '\x3e', '\x26'), addslashes($var)) .'"'; case 'array': - if (array_keys($var) === range(0, sizeof($var) - 1)) { + // Arrays in JSON can't be associative. If the array is empty or if it + // has sequential whole number keys starting with 0, it's not associative + // so we can go ahead and convert it as an array. + if (empty ($var) || array_keys($var) === range(0, sizeof($var) - 1)) { $output = array(); foreach ($var as $v) { $output[] = drupal_to_js($v); } return '[ '. implode(', ', $output) .' ]'; } - // Fall through + // Otherwise, fall through to convert the array as an object. case 'object': $output = array(); foreach ($var as $k => $v) { @@ -1728,17 +1890,19 @@ * Notes: * - For esthetic reasons, we do not escape slashes. This also avoids a 'feature' * in Apache where it 404s on any path containing '%2F'. - * - mod_rewrite's unescapes %-encoded ampersands and hashes when clean URLs - * are used, which are interpreted as delimiters by PHP. These characters are - * double escaped so PHP will still see the encoded version. + * - mod_rewrite unescapes %-encoded ampersands, hashes, and slashes when clean + * URLs are used, which are interpreted as delimiters by PHP. These + * characters are double escaped so PHP will still see the encoded version. + * - With clean URLs, Apache changes '//' to '/', so every second slash is + * double escaped. * * @param $text * String to encode */ function drupal_urlencode($text) { if (variable_get('clean_url', '0')) { - return str_replace(array('%2F', '%26', '%23'), - array('/', '%2526', '%2523'), + return str_replace(array('%2F', '%26', '%23', '//'), + array('/', '%2526', '%2523', '/%252F'), urlencode($text)); } else { @@ -1891,8 +2055,7 @@ /** * Send an e-mail message, using Drupal variables and default settings. - * More information in the - * PHP function reference for mail() + * More information in the PHP function reference for mail() * @param $mailkey * A key to identify the mail sent, for altering. * @param $to @@ -1908,7 +2071,7 @@ * @param $body * Message to be sent. Drupal will format the correct line endings for you. * @param $from - * Sets From, Reply-To, Return-Path and Error-To to this value, if given. + * Sets From to this value, if given. * @param $headers * Associative array containing the headers to add. This is typically * used to add extra headers (From, Cc, and Bcc). @@ -1923,8 +2086,15 @@ 'Content-Transfer-Encoding' => '8Bit', 'X-Mailer' => 'Drupal' ); - if (isset($from)) { - $defaults['From'] = $defaults['Reply-To'] = $defaults['Return-Path'] = $defaults['Errors-To'] = $from; + // To prevent e-mail from looking like spam, the addresses in the Sender and + // Return-Path headers should have a domain authorized to use the originating + // SMTP server. Errors-To is redundant, but shouldn't hurt. + $default_from = variable_get('site_mail', ini_get('sendmail_from')); + if ($default_from) { + $defaults['From'] = $defaults['Sender'] = $defaults['Return-Path'] = $defaults['Errors-To'] = $default_from; + } + if ($from) { + $defaults['From'] = $from; } $headers = array_merge($defaults, $headers); // Custom hook traversal to allow pass by reference @@ -1938,26 +2108,24 @@ return drupal_mail_wrapper($mailkey, $to, $subject, $body, $from, $headers); } else { - /* - ** Note: if you are having problems with sending mail, or mails look wrong - ** when they are received you may have to modify the str_replace to suit - ** your systems. - ** - \r\n will work under dos and windows. - ** - \n will work for linux, unix and BSDs. - ** - \r will work for macs. - ** - ** According to RFC 2646, it's quite rude to not wrap your e-mails: - ** - ** "The Text/Plain media type is the lowest common denominator of - ** Internet e-mail, with lines of no more than 997 characters (by - ** convention usually no more than 80), and where the CRLF sequence - ** represents a line break [MIME-IMT]." - ** - ** CRLF === \r\n - ** - ** http://www.rfc-editor.org/rfc/rfc2646.txt - ** - */ + // Note: if you are having problems with sending mail, or mails look wrong + // when they are received you may have to modify the str_replace to suit + // your systems. + // - \r\n will work under dos and windows. + // - \n will work for linux, unix and BSDs. + // - \r will work for macs. + // + // According to RFC 2646, it's quite rude to not wrap your e-mails: + // + // "The Text/Plain media type is the lowest common denominator of + // Internet e-mail, with lines of no more than 997 characters (by + // convention usually no more than 80), and where the CRLF sequence + // represents a line break [MIME-IMT]." + // + // CRLF === \r\n + // + // http://www.rfc-editor.org/rfc/rfc2646.txt + $mimeheaders = array(); foreach ($headers as $name => $value) { $mimeheaders[] = $name .': '. mime_header_encode($value); diff -Naur drupal-5.0/includes/database.inc drupal-5.23/includes/database.inc --- drupal-5.0/includes/database.inc 2007-01-03 11:59:02.000000000 +0100 +++ drupal-5.23/includes/database.inc 2008-01-07 01:55:44.000000000 +0100 @@ -1,5 +1,5 @@ We were unable to use the MySQL database because the MySQL extension for PHP is not installed. Check your PHP.ini to see how you can enable it.

For more help, see the Installation and upgrading handbook. If you are unsure what these terms mean you should probably contact your hosting provider.

'); exit; } - $url = parse_url($url); - // Decode url-encoded information in the db connection string $url['user'] = urldecode($url['user']); // Test if database url has a password. @@ -100,7 +106,7 @@ drupal_set_header('HTTP/1.1 503 Service Unavailable'); drupal_set_title('Unable to connect to database server'); print theme('maintenance_page', '

If you still have to install Drupal, proceed to the installation page.

-

If you have already finished installed Drupal, this either means that the username and password information in your settings.php file is incorrect or that we can\'t connect to the MySQL database server. This could mean your hosting provider\'s database server is down.

+

If you have already finished installing Drupal, this either means that the username and password information in your settings.php file is incorrect or that we can\'t connect to the MySQL database server. This could mean your hosting provider\'s database server is down.

The MySQL error was: '. theme('placeholder', mysql_error()) .'.

Currently, the username is '. theme('placeholder', $url['user']) .' and the database server is '. theme('placeholder', $url['host']) .'.