Index: modules/system/system.module =================================================================== RCS file: /Users/wright/drupal/local_repo/drupal/modules/system/system.module,v retrieving revision 1.827 diff -u -p -r1.827 system.module --- modules/system/system.module 27 Oct 2009 04:16:39 -0000 1.827 +++ modules/system/system.module 28 Oct 2009 09:35:49 -0000 @@ -1492,7 +1492,18 @@ function system_run_authorized($callback } // Finally, redirect to authorize.php. - drupal_goto($base_url . '/authorize.php'); + drupal_goto($base_url . '/authorize.php', array('https' => TRUE)); +} + +/** + * Use authorize.php to run batch_process(). + * + * @see batch_process() + */ +function system_authorized_batch_process() { + global $base_url, $base_secure_url; + $authorize_url = (variable_get('https', FALSE) ? $base_secure_url : $base_url) . '/authorize.php'; + batch_process($authorize_url, $authorize_url . '?batch=1'); } /** Index: modules/update/update.authorize.inc =================================================================== RCS file: /Users/wright/drupal/local_repo/drupal/modules/update/update.authorize.inc,v retrieving revision 1.2 diff -u -p -r1.2 update.authorize.inc --- modules/update/update.authorize.inc 22 Oct 2009 00:52:03 -0000 1.2 +++ modules/update/update.authorize.inc 28 Oct 2009 09:35:41 -0000 @@ -24,8 +24,6 @@ * - 'local_url': The locally installed location of new code to update with. */ function update_authorize_run_update($filetransfer, $projects) { - global $base_url; - $operations = array(); foreach ($projects as $project => $project_info) { $operations[] = array( @@ -49,7 +47,7 @@ function update_authorize_run_update($fi batch_set($batch); // Invoke the batch via authorize.php. - batch_process($base_url . '/authorize.php', $base_url . '/authorize.php?batch=1'); + system_authorized_batch_process(); } /** 
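Review bot: The redirect `drupal_goto($base_url . '/authorize.php', array('https' => TRUE))` and the new `system_authorized_batch_process()` compute the secure authorize.php URL in two different ways — one via url()'s `https` option applied to an absolute `$base_url` (which depends on the common.inc change elsewhere in this patch), the other by choosing `$base_secure_url` directly — and both silently fall back to plain http when the `https` variable is unset, so the transferred credentials are only protected on sites that have opted in. Since the helper is added right here, the redirect could reuse the same computation so the two cannot diverge, e.g. `$authorize_url = (variable_get('https', FALSE) ? $base_secure_url : $base_url) . '/authorize.php'; drupal_goto($authorize_url);`. The helper's docblock should also record the fallback, e.g. `* Falls back to the plain http $base_url when the 'https' variable is disabled.` system_run_authorized() begins outside this hunk.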
@@ -67,8 +65,6 @@ function update_authorize_run_update($fi * already been downloaded and extracted into. */ function update_authorize_run_install($filetransfer, $project, $updater_name, $local_url) { - global $base_url; - $operations[] = array( 'update_authorize_batch_copy_project', array( @@ -91,8 +87,7 @@ function update_authorize_run_install($f batch_set($batch); // Invoke the batch via authorize.php. - batch_process($base_url . '/authorize.php', $base_url . '/authorize.php?batch=1'); - + system_authorized_batch_process(); } /** cvs diff: Diffing includes Index: includes/authorize.inc =================================================================== RCS file: /Users/wright/drupal/local_repo/drupal/includes/authorize.inc,v retrieving revision 1.3 diff -u -p -r1.3 authorize.inc --- includes/authorize.inc 27 Oct 2009 03:27:00 -0000 1.3 +++ includes/authorize.inc 28 Oct 2009 09:38:00 -0000 @@ -10,10 +10,12 @@ * Build the form for choosing a FileTransfer type and supplying credentials. */ function authorize_filetransfer_form($form_state) { - global $base_url; + global $base_url, $is_https; $form = array(); - $form['#action'] = $base_url . '/authorize.php'; + // If possible, we want to post this form securely via https. + $form['#https'] = TRUE; + // CSS we depend on lives in modules/system/maintenance.css, which is loaded // via the default maintenance theme. $form['#attached']['js'][] = $base_url . '/misc/authorize.js'; 
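Review bot: Replacing the explicit `#action` with `$form['#https'] = TRUE;` makes the post target depend on the Form API honoring `#https`, which this diff does not show; if the form builder in this tree ignores the property, the form falls back to the current request URI and scheme, and the removed line was the only thing pinning the action to authorize.php. That is worth confirming before commit, and the comment should say what "if possible" means, e.g. `// Post over https when the 'https' variable is enabled; otherwise the Form API keeps the current scheme and the user is warned below.` The `$is_https` global added here is unused within this hunk and presumably serves warning logic later in the function, which lies outside the hunk.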
@@ -26,6 +28,16 @@ function authorize_filetransfer_form($fo $available_backends = $_SESSION['authorize_filetransfer_backends']; uasort($available_backends, 'drupal_sort_weight'); + if (!$is_https) { + if (isset($available_backends['ssh']) && !variable_get('allow_ssh_authorization_over_http', FALSE)) { + drupal_set_message(t('WARNING: you are not using an encrypted connection via https, so your password will be sent in plain text over the network. The SSH backend was disabled to protect the integrity of your password.'), 'error'); + unset($available_backends['ssh']); + } + else { + drupal_set_message(t('WARNING: you are not using an encrypted connection via https, so your password will be sent in plain text over the network.'), 'error'); + } + } + // Decide on a default backend. if (isset($form_state['values']['connection_settings']['authorize_filetransfer_default'])) { $authorize_filetransfer_default = $form_state['values']['connection_settings']['authorize_filetransfer_default']; Index: includes/common.inc =================================================================== RCS file: /Users/wright/drupal/local_repo/drupal/includes/common.inc,v retrieving revision 1.1031 diff -u -p -r1.1031 common.inc --- includes/common.inc 27 Oct 2009 19:29:12 -0000 1.1031 +++ includes/common.inc 28 Oct 2009 09:28:12 -0000 
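Review bot: The new warning tells the user their password "will be sent in plain text", but `$is_https` only reflects how the form page was served; with the `https` variable enabled the form is posted to an https action, so the statement is inaccurate in exactly the configuration the rest of this patch sets up. Either gate the message on `!$is_https && !variable_get('https', FALSE)`, or reword it to the actual risk, e.g. `t('WARNING: this page was not loaded over an encrypted https connection, so it could have been tampered with in transit and your password may be exposed.')`. Disabling the SSH backend whenever the page itself arrived over http remains reasonable, because an unencrypted page can have its form action rewritten. The `allow_ssh_authorization_over_http` variable has no UI and appears only here, so a comment such as `// Can be overridden (e.g. via $conf in settings.php) by an admin who accepts the risk.` would keep it discoverable.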
@@ -2352,10 +2352,10 @@ function _format_date_callback(array $ma * - 'alias': Defaults to FALSE. Whether the given path is a URL alias * already. * - 'external': Whether the given path is an external URL. - * - 'language': An optional language object. Used to build the URL to link to - * and look up the proper alias for the link. + * - 'language': An optional language object. Used to build the URL to link + * to and look up the proper alias for the link. * - 'https': Whether this URL should point to a secure location. If not - * specified, the current scheme is used, so the user stays on http or https + * defined, the current scheme is used, so the user stays on http or https * respectively. TRUE enforces HTTPS and FALSE enforces HTTP, but HTTPS can * only be enforced when the variable 'https' is set to TRUE. * - 'base_url': Only used internally, to modify the base URL when a language @@ -2376,14 +2376,15 @@ function url($path = NULL, array $option 'query' => array(), 'absolute' => FALSE, 'alias' => FALSE, - 'https' => FALSE, 'prefix' => '' ); if (!isset($options['external'])) { // Return an external link if $path contains an allowed absolute URL. - // Only call the slow filter_xss_bad_protocol if $path contains a ':' before - // any / ? or #. + // Only call the slow filter_xss_bad_protocol if $path contains a ':' + // before any / ? or #. + // Note: we could use menu_path_is_external($path) here, but that would + // requre another function call, and performance inside url() is critical. $colonpos = strpos($path, ':'); $options['external'] = ($colonpos !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colonpos)) && filter_xss_bad_protocol($path, FALSE) == check_plain($path)); } 
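Review bot: The added comment has a typo, `requre` for `require`, and would read more clearly as `// Note: menu_path_is_external($path) performs the same check, but an extra function call in url() is measurable, so the test is inlined here.` Removing the `'https' => FALSE` default lets a later `isset($options['https'])` test distinguish "not specified" from an explicit FALSE, matching the docblock change in the preceding hunk; if any caller relied on the old default forcing http, its behaviour changes, which deserves a line in the commit message. url() continues past this hunk.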
@@ -2411,6 +2412,14 @@ function url($path = NULL, array $option if ($options['query']) { $path .= (strpos($path, '?') !== FALSE ? '&' : '?') . drupal_http_build_query($options['query']); } + if (isset($options['https']) && variable_get('https', FALSE)) { + if ($options['https'] === TRUE) { + $path = str_replace('http://', 'https://', $path); + } + elseif ($options['https'] === FALSE) { + $path = str_replace('https://', 'http://', $path); + } + } // Reassemble. return $path . $options['fragment']; } @@ -2489,6 +2498,25 @@ function url($path = NULL, array $option } /** + * Return TRUE if a path is external (e.g. http://example.com). + * + * Note: this function uses the menu_* namespace as if it was part of the Menu + * API in menu.inc. However, it has nothing directly to do with the menu + * system itself, it's just a generic helper function to test if a URL is + * absolute or not. Since this function is called by the Form API, code that + * runs at a reduced bootstrap would need to include all of menu.inc just for + * this tiny function. + * + * @todo Rename this to url_is_external() for Drupal 8. + */ +function menu_path_is_external($path) { + $colonpos = strpos($path, ':'); + // Only call the slow filter_xss_bad_protocol if $path contains a ':' + // before any / ? or #. + return $colonpos !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colonpos)) && filter_xss_bad_protocol($path, FALSE) == check_plain($path); +} + +/** * Format an attribute string to insert in a tag. * * Each array key and its value will be formatted into an HTML attribute string. Index: includes/menu.inc =================================================================== RCS file: /Users/wright/drupal/local_repo/drupal/includes/menu.inc,v retrieving revision 1.357 diff -u -p -r1.357 menu.inc --- includes/menu.inc 17 Oct 2009 11:39:15 -0000 1.357 +++ includes/menu.inc 28 Oct 2009 08:36:28 -0000 
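Review bot: `str_replace('http://', 'https://', $path)` rewrites every occurrence of the scheme in the assembled URL, not only the leading one, so an `http://` embedded in the query string or in a caller-supplied path is altered as well, and the FALSE branch has the same problem; because this runs in the external-URL branch (the hunk ends at the `// Reassemble.` return), a link to another site has its scheme flipped here too. Anchoring the rewrite to the start of the string limits the change to the URL's own scheme. The match is case-sensitive, so an uppercase `HTTP://` is left untouched, which is probably acceptable since `$base_url` is normally lowercase. url() begins outside this hunk.
```php
if (isset($options['https']) && variable_get('https', FALSE)) {
  // Only rewrite the scheme at the start of the URL; a blanket str_replace()
  // would also alter any 'http://' embedded in the query string.
  if ($options['https'] === TRUE && strpos($path, 'http://') === 0) {
    $path = 'https://' . substr($path, 7);
  }
  elseif ($options['https'] === FALSE && strpos($path, 'https://') === 0) {
    $path = 'http://' . substr($path, 8);
  }
}
// … unchanged: reassemble and return $path . $options['fragment'] …
```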
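Review bot: The relocated `menu_path_is_external()` compares two strings with `==`, which in PHP is numeric-aware for numeric-looking strings; both operands derive from the same `$path`, so the practical exposure is small, but `===` costs nothing and removes the question: `return $colonpos !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colonpos)) && filter_xss_bad_protocol($path, FALSE) === check_plain($path);`. The docblock could also state the return contract, e.g. `* @return TRUE if $path carries a scheme prefix that filter_xss_bad_protocol() leaves intact, FALSE otherwise.`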
@@ -3187,14 +3187,6 @@ function _menu_router_save($menu, $masks } /** - * Returns TRUE if a path is external (e.g. http://example.com). - */ -function menu_path_is_external($path) { - $colonpos = strpos($path, ':'); - return $colonpos !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colonpos)) && filter_xss_bad_protocol($path, FALSE) == check_plain($path); -} - -/** * Checks whether the site is in maintenance mode. * * This function will log the current user out and redirect to front page cvs diff: Diffing includes/database cvs diff: Diffing includes/database/mysql cvs diff: Diffing includes/database/pgsql cvs diff: Diffing includes/database/sqlite cvs diff: Diffing includes/filetransfer