Drupal 5.2

The second maintenance and security release of the 5 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming 6.0 release.

This release fixes two security vulnerabilities. Sites are urged to upgrade immediately. For more details, please see the security announcements:

• SA-2007-017: Drupal 5.x CSRF (revisions revert/delete, menu disable, comment delete)
• SA-2007-018: XSS Drupal 4.7.x, 5.x

In addition to these security vulnerabilities, the following bugs have been fixed since the 5.1 release:

• #113286 by maynich: Added missing t().
• #113290 by maynich: Added missing t().
• #104175: Fix disappearing fieldset title in firefox.
• #115213 by dorpy: Fix E_ALL problem.
• #111537 by jpetso: Add #weight to content type editing screen buttons.
• #107346 by asaddi: Postgres consitency fix.
• #107051 by webchick: Avoid showing duplicates in 'Who's online' block.
• #117917 by chx, greg, webchick et al: fix problems with the automatic domain extraction -- prevents users from logging in.
• #118041 by kkaefer: Fixed small braino in url().
• #114745 by moonray: Fixed a sloppy if condition.
• #105405 by chx: Only display the web server information instead of attempting to check its randomness.
• #119128 by kkaefer: Use the correct argument for the theme configuration help.
• #120146 by abautu: TRUNCATE TABLE is not ANSI SQL.
• #32833 by fgm: Comment improvement.
• #112556 by RobRoy. Match maxlength with the database.
• #107358 by m3avrck, robert douglass, heine, eaton et al: Prevent multiple form processing: causing duplication of nodes/users.
• #122824 by PMunn: fixed SQL query to be compatible with PostgreSQL.
• #111830 by pwolanin: comment block sql incompatible with db_rewrite_sql.
• #114822 by Neil et al: revision flag was ignored.
• #124727 by Moshe: node_access_rebuild should reuse the update facility to reload itself.
• #68690 by mindless: new attachments not shown.
• #114103 by adixon: Weight profile fields below the account information for the user registration page.
• #52878 by ChrisKennedy: Make nicer links in function documentation.
• #122709 by kbahey: fixed SQL argument braino.
• #117953 by Matt Westgate: make blog module hook_profile_alter friendly.
• #121876 by Darren, Nedjo et al: drupal_to_js converts empty arrays to objects.
• #125418 by hunmonk: make #skip_duplicate_check easier to use.
• #105031: Allow both upper and lower case for allowed protocols in XSS checks.
• #123940 by Gman: anchor to comment form is mis-labeled.
• #109404 by effennel: fixed typo in code comments.
• #125636 by hunmonk: fixed duplication checking on confirm forms.
• #125804 by tostinni: search.css not always properly included.
• #127753 by ChrisKennedy and GreenMother: regex error with session.cookie_domain settings.
• #125805 by dvessel: get rid of the search scrollbar.
• #127941: Add index to users.created column.
• #130427 by scor: Include INSTALL.txt along with the other files in robots.txt
• #104969 by Wesley Tanaka: Sync the documentation comments.
• #124366: Change the default language codes for Norwegian Nynorsk and Norwegian Bokm√•l
• #111697 by wesley: Properly initialize time member of $user object to prevent warnings/errors.
• #127891 by dvessel: Layout variabe may end up not getting set.
• #130478 by Jaza: Improved code comments.
• #130946 by KarenS: Fixed undefined variable output.
• #107450 by webchick and fajerstarter: Code clean-up of blogapi.module.
• #131483 by kkaefer: E_NOTICE cleanup.
• #119114 by edkwh. Set the same profile values as the fields that were presented for user registration.
• #132789 by vdessel: fixed undefined variable.
• #133216 by meba: trying to get property of non-object on line 982.
• #133318 by hunmonk: drupal_get_messages() returning incorrect array value.
• #72564 by Gabor: locale bugfix: undefined variable.
• #133865 by alexis: incorrect form_set_error() calls.
• #87138: Disable mbstring encoding conversion in htaccess
• #133431 by alexis: Let formapi do the redirecting instead of doig it ourselves for user registration.
• #134697 by hunmonk: make table row coloring work in absence of numeric IDs.
• #101305 by bjaspan: work around IE textarea bug.
• #35177 by Stefan and profix898: added some logging to the taxonomy module.
• #126177 by AjK: fixed E_NOTICE because of sloppy array_merge_recursive().
• #134185 by Ralf Stamm: missing CVS IDs in files.
• #134364 by lyricnz: simplified SQL query
• #133083 by Zen: 'Shortcut icon settings' not using proper FAPI value.
• #126867 by dmitrig01: Made caching work with prefixing.
• #136202 by asimmonds: Fixed indefined variable notice.
• #90780 (comment #30) by chx: 404 for .../node/gibberish instead of the promoted nodes page.
• #137138 by jvandyk: Fixed problem with drupal_http_request() not setting the proper error code when a network effect occurs. Causes the XML-RPC backend to fail.
• #121425 by Chris Bray: Fixed capitalization glitch.
• #128600 by scott.mclewin and spatz4000: Ambigious field use in SQL query.
• #138000 by killes: removed global .
• #127109 by moonray with help from Zen: fixed UI glitch in node filter settings.
• #138376 by dww: fixed array vs. string bug when defining #default_value array for a multiselect.
• #136250: The upload directory might exist, but is not writable. Fix error message. Investigated with Moshe Weitzman and Gerhard Killesreiter.
• #138531 by bjaspan: Destroy existing sessions when a user password is changed.
• #133789 by John Albin: Drupal-generated email can look like spam.
• #139517 by Grugnog2: Improved code comment.
• #141204 by Wim Leers: fixing caching bug in taxonomy_node_get_terms().
• #141636 by Heine: Remove the duplicate submission check; it is an API change that should not have gone in.
• #100850 by dww: Properly save empty log messages when an existing node gets a revision saved.
• #133189 by Darren Oh: More forgiving test for empty date values.
• #109941 by morphir: Let browsers store form values.
• Code style: use get_t() to determine appropriate t() function.
• #136049 by lyricnz: Small performance improvement - removed some redundant fields.
• #141665 by ChrisKennedy: E_ALL fixes.
• simple phpdoc formatting fix in locale.inc
• #131538 by Jo Wouters: E_ALL fixes.
• #142619 by erdemkose: fixed E_ALL warnings.
• #142337 by drewish: fixed E_ALL problem.
• #141664 by ChrisKennedy: fixed E_ALL warning.
• #109150 by ff1 and webernet: fix rewrite rule.
• #109104 by Zen: ambiguous column reference with PostgreSQL.
• #140412 by quicksketch: use drupal_set_header() instead of header().
• #137724 by JohnAlbin: empty favicon causes duplicate page requests.
• #147034 by webchick: removed redundant dependency checking.
• #101927 by coofercat. Fix display of post information.
• #105885 by duncf. Correct comment formatting.
• #141957 by add1sun: improved consistency of messags.
• #103079 by yched: check_plain('') returned </p>
• #148744 by catch: fixed some code comments.
• #148974 by hunmonk: fixed whois online block on PostgreSQL.
• #150344 by webernet: language fixup.
• #145646 by lyricnz: select fields more strictly.
• #150671 by dmitrig01: Consistent code comment style.
• #150972 by alex_b: improved instructions on how to install cron.php properly.
• #145647 by lyricnz: Select only needed fields.
• #136067 by mkalkbrenner: Allow password confirm fields to be marked as required.
• #151491 by john vandyck: fixed notice with table sorting.
• #123807 by dvdweide and chx: Return not found instead of access denied in some cases.
• #141470 by chx: Page tagging vocabulary listings.
• #152469 by fgm: Fixed PHPdoc comment.
• #57106 (22) by Steven: Use changed date for search indexing, which is more reliable.
• #136837 by meba and pwolanin: Allow cache tables to be prefixed.
• #123577 by tostinni and dvdweide: Show access denied instead of empty page for browsing hidden profile fields.
• #155859 by Arancaytar: removed HTML from PHPdoc.
• #156392 by Gabor Hojtsy. Add comment module depenedency to tracker.
• #107023 by yas and asimmonds: Correct variables for updating Aggregator items.
• #102252 by Darren Oh and Arancaytar: Override a previous rule which displays the contents of all tags, including script.
• #56357 by JohnAlbin, et al: Improve cookie naming to prevent conflicting cookies set on the same domain name.
• #118730 by kaerast, kkaefer and webchick: Subtle but important documentation improvement.
• #119196 by douggreen: Apply file API common sense (permissions, file API functions instead of custom code) to files handled by color.module.
• #135926 by nancyw: Invoke hook_link() with correct arguments.
• #158133 by killes: Handle HAVING clauses in db_rewrite_sql().
• #138117 by gordon: Invoke hook_user('login') on registrations without email verification.
• #134308 by dww: The DB API does not handle prefixes with '.' in them well; do not allow that at install time.
• #108282 by vjordan: 4.7.6 wasn't mentioned in the 5.x change log.
• #158687 by drumm: fix URI encoding of some special chars
• #107822 by riccardoR: Content filtering ignores vocabularies with only one term.
• #108733 by add1sun: Whitespace cleanup.
• #114241 by ahoeben: Consistent page titles for adding and listing terms.
• #117217 by neclimdul: Always select correct radio button.
• #118066 by oremj: Do not depend on the database to give us the correct IDs.
• #160263 by Rok Zlender: unset() does not work with static variables.
• #147061 by pwolanin: Remove module-created node types when their module is removed.
• #124485 by Wesley Tanaka: CSS rules for comments should go in comment.css.
• #160107 by JohnAlbin: use the same session ID regardless of the protocol used to access the page (eg share sessions between http and https pages)
• #161963 by Gurpartap Singh: proper links to Drupal.org module and theme download pages
• #157942 by Bart Jansens: Make sure we have a node before granting access to it.
• #162149 by add1sun: Improve accuracy.