Index: includes/database.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/database.inc,v retrieving revision 1.92.2.1 diff -u -p -r1.92.2.1 database.inc --- includes/database.inc 8 Feb 2008 22:44:59 -0000 1.92.2.1 +++ includes/database.inc 9 Jul 2008 20:40:12 -0000 @@ -210,6 +210,11 @@ function _db_query_callback($match, $ini return (int) array_shift($args); // We don't need db_escape_string as numbers are db-safe case '%s': return db_escape_string(array_shift($args)); + case '%n': + // Numeric values have arbitrary precision, so can't be treated as float. + // is_numeric() allows hex values (0xFF), but they are not valid. + $value = trim(array_shift($args)); + return is_numeric($value) && !preg_match('/x/i', $value) ? $value : '0'; case '%%': return '%'; case '%f': @@ -238,7 +243,7 @@ function db_placeholders($arguments, $ty /** * Indicates the place holders that should be replaced in _db_query_callback(). */ -define('DB_QUERY_REGEXP', '/(%d|%s|%%|%f|%b)/'); +define('DB_QUERY_REGEXP', '/(%d|%s|%%|%f|%b|%n)/'); /** * Helper function for db_rewrite_sql. 
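Review bot: The `%n` acceptance test in _db_query_callback() is split between is_numeric() and a hex exclusion, which makes the accepted grammar hard to audit: is_numeric() also admits exponent notation (`1e5`) and a leading `+`, neither of which the new comment mentions. If those forms are not required, a single anchored whitelist such as `return preg_match('/^[+-]?(\d+\.?\d*|\.\d+)$/', $value) ? $value : '0';` states exactly what can reach the query text. The `'0'` fallback also silently replaces a rejected value instead of failing, which hides misuse from callers; if that is intended it deserves a comment like `// Rejected values degrade to 0 rather than aborting the query.`. The enclosing function starts and ends outside the hunk.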
@@ -551,16 +556,14 @@ function db_type_placeholder($type) { case 'char': case 'text': case 'datetime': - return '\'%s\''; + return "'%s'"; case 'numeric': - // For 'numeric' values, we use '%s', not '\'%s\'' as with - // string types, because numeric values should not be enclosed - // in quotes in queries (though they can be, at least on mysql - // and pgsql). Numerics should only have [0-9.+-] and - // presumably no db's "escape string" function will mess with - // those characters. - return '%s'; + // Numeric values are arbitrary precision numbers. Syntacically, numerics + // should be specified directly in SQL. However, without single quotes + // the %s placeholder does not protect against non-numeric characters such + // as spaces which would expose us to SQL injection. + return '%n'; case 'serial': case 'int': Index: includes/locale.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/locale.inc,v retrieving revision 1.174 diff -u -p -r1.174 locale.inc --- includes/locale.inc 9 Jan 2008 21:36:13 -0000 1.174 +++ includes/locale.inc 9 Jul 2008 20:40:18 -0000 
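Review bot: The new comment on the `numeric` case of db_type_placeholder() misspells "Syntacically" and does not say what `%n` does with a value that fails validation, which is the fact a caller of this helper needs; suggest `// Numeric values are arbitrary precision numbers and are emitted unquoted, so %n validates them; a value that fails validation is replaced by 0 rather than aborting the query.`. The `'\'%s\''` to `"'%s'"` rewrite is purely cosmetic. The enclosing function starts and ends outside the hunk.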
@@ -868,16 +868,36 @@ function locale_translate_edit_form_subm */ /** - * Delete a language string. + * String deletion confirmation page. */ -function locale_translate_delete($lid) { - db_query('DELETE FROM {locales_source} WHERE lid = %d', $lid); - db_query('DELETE FROM {locales_target} WHERE lid = %d', $lid); +function locale_translate_delete_page($lid) { + if ($source = db_fetch_object(db_query('SELECT * FROM {locales_source} WHERE lid = %d', $lid))) { + return drupal_get_form('locale_translate_delete_form', $source); + } + else { + return drupal_not_found(); + } +} + +/** + * User interface for the string deletion confirmation screen. + */ +function locale_translate_delete_form(&$form_state, $source) { + $form['lid'] = array('#type' => 'value', '#value' => $source->lid); + return confirm_form($form, t('Are you sure you want to delete the string "%source"?', array('%source' => $source->source)), 'admin/build/translate/search', t('Deleting the string will remove all translations of this string in all languages. This action cannot be undone.'), t('Delete'), t('Cancel')); +} + +/** + * Process string deletion submissions. + */ +function locale_translate_delete_form_submit($form, &$form_state) { + db_query('DELETE FROM {locales_source} WHERE lid = %d', $form_state['values']['lid']); + db_query('DELETE FROM {locales_target} WHERE lid = %d', $form_state['values']['lid']); // Force JavaScript translation file recreation for all languages. 
_locale_invalidate_js(); cache_clear_all('locale:', 'cache', TRUE); drupal_set_message(t('The string has been removed.')); - drupal_goto('admin/build/translate/search'); + $form_state['redirect'] = 'admin/build/translate/search'; } /** * @} End of "locale-translate-delete" Index: includes/theme.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/theme.inc,v retrieving revision 1.415.2.2 diff -u -p -r1.415.2.2 theme.inc --- includes/theme.inc 25 Mar 2008 11:55:08 -0000 1.415.2.2 +++ includes/theme.inc 9 Jul 2008 20:40:53 -0000 @@ -1106,7 +1106,7 @@ function theme_links($links, $attributes if (isset($link['href']) && ($link['href'] == $_GET['q'] || ($link['href'] == '' && drupal_is_front_page()))) { $class .= ' active'; } - $output .= '
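Review bot: locale_translate_delete_form() and locale_translate_delete_form_submit() lack the `@ingroup forms` and `@see` tags that the openid form added in this same patch carries, and the docblock of locale_translate_delete_page() does not record that it replaces the former direct-delete locale_translate_delete(); suggest `@see locale_translate_delete_form()` on the page callback and `@ingroup forms` / `@see locale_translate_delete_form_submit()` on the form builder. In the submit handler `$form_state['values']['lid']` is read twice; `$lid = $form_state['values']['lid'];` once at the top keeps the two DELETE statements as readable as the original single-argument function.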
  • '; + $output .= ' $class)) .'>'; if (isset($link['href'])) { // Pass in $link as $options, they share the same keys. Index: modules/filter/filter.module =================================================================== RCS file: /cvs/drupal/drupal/modules/filter/filter.module,v retrieving revision 1.204.2.1 diff -u -p -r1.204.2.1 filter.module --- modules/filter/filter.module 9 Apr 2008 21:11:47 -0000 1.204.2.1 +++ modules/filter/filter.module 9 Jul 2008 20:40:38 -0000 @@ -932,7 +932,7 @@ function _filter_autop($text) { * for scripts and styles. */ function filter_xss_admin($string) { - return filter_xss($string, array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'div', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'img', 'ins', 'kbd', 'li', 'object', 'ol', 'p', 'param', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var')); + return filter_xss($string, array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'div', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'img', 'ins', 'kbd', 'li', 'ol', 'p', 'param', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var')); } /** Index: modules/locale/locale.module =================================================================== RCS file: /cvs/drupal/drupal/modules/locale/locale.module,v retrieving revision 1.212.2.1 diff -u -p -r1.212.2.1 locale.module --- modules/locale/locale.module 9 Apr 2008 21:11:48 -0000 1.212.2.1 +++ modules/locale/locale.module 9 Jul 2008 20:40:18 -0000 
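Review bot: The replacement line in theme_links() is garbled in this rendering (`' $class)) .'>'`), so the helper that now builds the list-item attributes from `$class` cannot be confirmed here; presumably it is drupal_attributes(), which escapes the value. Whatever the helper is, the line should say why the literal concatenation was dropped, e.g. `// Build the attributes with drupal_attributes() so the link key is escaped as an attribute value.`, since `$class` is derived from array keys assigned outside this hunk. theme_links() starts and ends outside the hunk.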
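Review bot: filter_xss_admin() drops `object` from the allowed tags but keeps `param`, which has no meaning outside an `object` element and is now an orphaned entry; suggest removing `'param'` in the same pass. The docblock fragment above the function ("for scripts and styles") should also state that embedded objects are no longer permitted, e.g. `* Embedded objects (object/param) are excluded as well.`.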
@@ -173,7 +173,7 @@ function locale_menu() { $items['admin/build/translate/delete/%'] = array( 'title' => 'Delete string', 'page callback' => 'locale_inc_callback', - 'page arguments' => array('locale_translate_delete', 4), // directly deletes, no confirmation + 'page arguments' => array('locale_translate_delete_page', 4), 'access arguments' => array('translate interface'), 'type' => MENU_CALLBACK, ); Index: modules/openid/openid.module =================================================================== RCS file: /cvs/drupal/drupal/modules/openid/openid.module,v retrieving revision 1.19.2.1 diff -u -p -r1.19.2.1 openid.module --- modules/openid/openid.module 9 Apr 2008 21:11:48 -0000 1.19.2.1 +++ modules/openid/openid.module 9 Jul 2008 20:40:30 -0000 @@ -28,8 +28,8 @@ function openid_menu() { ); $items['user/%user/openid/delete'] = array( 'title' => 'Delete OpenID', - 'page callback' => 'openid_user_delete', - 'page arguments' => array(1), + 'page callback' => 'drupal_get_form', + 'page arguments' => array('openid_user_delete_form', 1), 'access callback' => 'user_edit_access', 'access arguments' => array(1), 'type' => MENU_CALLBACK, Index: modules/openid/openid.pages.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/openid/openid.pages.inc,v retrieving revision 1.5 diff -u -p -r1.5 openid.pages.inc --- modules/openid/openid.pages.inc 30 Jan 2008 22:11:22 -0000 1.5 +++ modules/openid/openid.pages.inc 9 Jul 2008 20:40:30 -0000 @@ -44,7 +44,7 @@ function openid_user_identities($account $result = db_query("SELECT * FROM {authmap} WHERE module='openid' AND uid=%d", $account->uid); while ($identity = db_fetch_object($result)) { - $rows[] = array($identity->authname, l(t('Delete'), 'user/'. $account->uid .'/openid/delete/'. $identity->aid)); + $rows[] = array(check_plain($identity->authname), l(t('Delete'), 'user/'. $account->uid .'/openid/delete/'. $identity->aid)); } $output = theme('table', $header, $rows); 
@@ -80,12 +80,33 @@ function openid_user_add_validate($form, } /** - * Menu callback; Delete the specified OpenID identity from the system. + * Present a confirmation form to delete the specified OpenID identity from the system. + * + * @ingroup forms + * @see openid_user_delete_form_submit() */ -function openid_user_delete($account, $aid = 0) { - db_query("DELETE FROM {authmap} WHERE uid=%d AND aid=%d AND module='openid'", $account->uid, $aid); +function openid_user_delete_form($form_state, $account, $aid = 0) { + $authname = db_result(db_query('SELECT authname FROM {authmap} WHERE uid = %d AND aid = %d', $account->uid, $aid)); + + $form = array(); + + $form['uid'] = array( + '#type' => 'value', + '#value' => $account->uid, + ); + + $form['aid'] = array( + '#type' => 'value', + '#value' => $aid, + ); + + return confirm_form($form, t('Are you sure you want to delete the OpenID %authname for %user?', array('%authname' => $authname, '%user' => $account->name)), 'user/'. $account->uid .'/openid'); +} + +function openid_user_delete_form_submit($form, &$form_state) { + db_query("DELETE FROM {authmap} WHERE uid = %d AND aid = %d AND module = 'openid'", $form_state['values']['uid'], $form_state['values']['aid']); if (db_affected_rows()) { drupal_set_message(t('OpenID deleted.')); } - drupal_goto('user/'. $account->uid .'/openid'); + $form_state['redirect'] = 'user/'. $form_state['values']['uid'] .'/openid'; } Index: modules/user/user.module =================================================================== RCS file: /cvs/drupal/drupal/modules/user/user.module,v retrieving revision 1.892.2.2 diff -u -p -r1.892.2.2 user.module --- modules/user/user.module 9 Apr 2008 21:11:51 -0000 1.892.2.2 +++ modules/user/user.module 9 Jul 2008 20:40:44 -0000 
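Review bot: openid_user_delete_form() looks up the authname without the `module = 'openid'` condition that the DELETE in openid_user_delete_form_submit() applies, and it does not handle a missing row: db_result() then returns FALSE and the user is shown a confirmation for an empty identity name. Suggest matching the two queries, `$authname = db_result(db_query("SELECT authname FROM {authmap} WHERE uid = %d AND aid = %d AND module = 'openid'", $account->uid, $aid));`, and aborting on a miss with `if ($authname === FALSE) { drupal_not_found(); exit; }` (a form builder's return value is not a page, so it cannot simply return the 404 the way the locale page callback in this patch does). openid_user_delete_form_submit() also has no docblock although the builder's `@see` points at it; `/** Submit handler; delete the confirmed OpenID identity. */` would do. Both functions are complete within the hunk.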
@@ -1359,8 +1359,10 @@ function user_authenticate_finalize(&$ed // This is also used to invalidate one-time login links. $user->login = time(); db_query("UPDATE {users} SET login = %d WHERE uid = %d", $user->login, $user->uid); - user_module_invoke('login', $edit, $user); + + // Regenerate the session ID to prevent against session fixation attacks. sess_regenerate(); + user_module_invoke('login', $edit, $user); } /**
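Review bot: The new comment in user_authenticate_finalize() says only that sess_regenerate() guards against session fixation, not why it was moved ahead of user_module_invoke('login', ...), which is the actual change in this hunk; presumably so that a login hook that ends the request (a drupal_goto() redirect exits) can no longer skip the regeneration, and so that any session state set by hook_user('login') is tied to the post-authentication session ID. Suggest `// Regenerate the session ID before invoking hook_user('login'), so a hook that redirects cannot skip it and session state set on login belongs to the new ID; this protects against session fixation.` and fixing "prevent against" to "protect against". user_authenticate_finalize() starts outside the hunk.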