Releases for Drupal

The second maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities and also changes APIs. Sites are urged to upgrade immediately after reading the security announcement:

• SA-2008-026 - Drupal core - Drupal core - Access bypass

In addition to this security vulnerability, the following bugs have been fixed since the 6.0 release:

• #228120 by jvandyk: typo in documentation in comment.tpl.php
• #226480 by gpk: fix wording on when node access rebuild button is displayed in node_configure()
• #229817 by mcarrera: l() attributes were not properly specified in theme.inc's theme_username()
• #234403 by alienbrain: PHP.net documents we should use CRLF in mail headers, so do that
• #226555 by jvandyk, Rok Zlender: fix notice level error in xmlrpc.inc
• #204415 by chx: actually use 'administer content types' permission for node type editing instead of 'administer nodes'
• #234699 by hass: theme_link() did not mark frontpage links active properly
• #237717 by hass: missing t() in system_clear_cache_submit()
• #232037 by pwolanin: (performance) block regions should only be populated when called for, not in all cases (fixes performance expectation on 403/404 pages)
• #226728 by chx: (performance) temporary cache table entries were not flushed, causing cache_menu and cache_form to grow big
• #231587 by pwolanin, killes: (performance) use two level cache in menus, instead of storing very large amounts of data multiple times
• #239196 by jvandyk and myself: missing status check on nodes in search indexing counter
• rolling back #234403 by Bevan and damz: we should keep using LF in mail headers, without CR, CRLF causes problems
• #238564 by scor: two missing t() calls in update.module
• #241629 by solotandem: dblog module left one more row in, when cleaning up in cron
• #244597 by kbahey: remove cruft from user_login(), that added extra message to the form was never used or displayed

The first maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately. For more details, please see the security announcement:

• SA-2008-018 - Drupal core - Cross site scripting

In addition to this security vulnerability, the following bugs have been fixed since the 6.0 release:

• #189568 by dvessel: module .css files were not overriden from theme .info files
• #212608 by stefgosselin, webchick, slightly modified: get rid of notice when sorting blocks (minor)
• #218513 by moshe weitzman, Pancho: code documentation formatting fixes for menu.inc (minor)
• #220827 by Arancaytar, ax: fix code comments in _menu_navigation_links_rebuild() (minor)
• #227548 by Heine, AjK: misuse of db_escape_string(), when db_escape_table() should have been used

See the official release announcement.

For more information on this release candidate and about compatible modules, themes and translations, refer to: http://drupal.org/drupal-6.0-rc4

The following bugs have been fixed since the previous release candidate:

• #215992 by dww: provide information for upgrades from Drupal 5 with update status module
• #216632 by webernet, dww: more accessible update information screen
• #200028 by dww: trivial syntax fix in cache clearing
• #216890 by gpk with documentation from myself: blog API clients do not pass on the teaser_include flag, so only act on that flag, if we have it
• #157652 by beginner, Steven Merrill and killes: block_user() had a global user object and a user parameter colliding
• #216404 by Rob Loach: path_nodeapi() only worked for users with permissions, although node loading requires the path to be loaded
• #216858 by jvandyk, moshe weitzman: fix plain wrong and misleading user module phpdoc blocks
• #216061 by Eaton: nid was not set in node creation (programatic node creation regression)
• #217324 by Takafumi: trivial missing t() in taxonomy module
• #216750 by dww: Security releases from higher branches were not ignored in all cases (critical)
• #172597 by Rob Loach: minor double escaping in profile module
• #197833 by gdevlugt: node filtering theme function was not applied (minor)
• #204071 by Pancho: use UTF-8 aware string length counting in node_teaser() (minor)
• #117748 by quicksketch: short fix to trim() required fields for validation, with documentation
• #217180 by Gerhard Killesreiter: remove outdated information on Debian package maintainer
• #215858 by pwolanin: localized menu options were saved into the database, avoid this by using different variable names / array keys
• #216238 by theborg: theme descriptions were not translated properly (minor)
• #117748 rollback: this was not well tested
• #217926 by dropcube: Garland and Minnelli was updated for Drupal 6, but their code comments were not (minor)
• #215958 by pwolanin: fix form API link in PHP filter module help (minor)
• #217771 by dww: avoid confusing wrapping of release dates in update status module (minor)
• #215858 follow up by pwolanin: fix a fatal error in book module breadcrumb creation (critical)
• #218319 by moshe weitzman: translated menu link altering was not possible (critical regression)
• #214513 by Lynn: break was missing in system_send_email_action(), causing the action code to fall over to a different context (critical)
• #210131 by John Resig, dvessel with several testers: jQuery 1.2.3
• #218436 by scor: update jQuery copyright year number as well in COPYRIGHT.txt (minor)
• #218471 by pwolanin: exclude unpublished nodes from menus and books (critical)
• #215858 follow up by pwolanin: external links were not properly localizing options (critical)
• #218054 by pukku, Arancaytar: precision and scale arguments were not in proper order in SQL generation (critical)
• #218539 by keith.smith: more prominent mention of the security awareness / documentation of Drupal
• #218313 by jvandyk: uppercase forum topic sort ordering (minor)
• #218116 by greggles: better documentation for session_save_session() for security education
• #218403 by dmaz: avoid duplication in search index, when the database collation makes the words collide (critical)
• #218915 by jakeg, keith.smith: arry syntax error in watchdog() use in file_save_upload()
• #215308 by Pancho: 'Testing clean URLs...' was not removed in all cases when being checked
• #216515 by chx and myself: cached forms made all subsequent forms on the page cached (critical); and a comment op check was buggy
• #214209 patch by pwolanin and myself: do not allow users to post type of posts they are not configured to be able to post with Blog API (critical)
• #217508 by boydjd, Pancho, keith.smith: incorrect and misleading of use i.e., where e.g. should have been used
• #216813 by David_Rothstein, chx, pwolanin: primary and secondary links were broken on upgrade
• #219366 by pwolanin: let external links appear in the system admin blocks
• #219334 report by catch, patch by myself: upload table created in upgrade and upload table created by upload module enabled later collides
• #117748 by webchick, Pancho, Rob Loach, pwolanin: required field values were not properly trim()ed on validation
• #216904 by theborg, pwolanin: items were not properly ordered in tabledrag.js when more then the number of possible values
• #211979 by theborg, chx, pwolanin: menu items moved out of the navigation menu were not found as parents
• #184926 by Rob Loach: offline message was displayed to admin right after switching offline mode off
• #139290 by dgtlmoon, msameer, ChrisKennedy, Freso, Rob Loach, matt@antinomia, Arancaytar: blog page was blank when user / site had no blog posts to display
• #216511 by vladimir.dolgopolov: XHTML validation failed due to a misused & (minor)
• #209240 by gopherspidey, soxofaan: fix settings file checking for multisite setups, and a bad file name used in an error message
• #219380 by chx: bring back support for queries without WHERE clause to db_rewrite_sql() (regression)

For more information on this release candidate and about compatible modules, themes and translations, refer to: http://drupal.org/drupal-6.0-rc3

This release candidate fixes a security vulnerability. Those running the previous release candidate are urged to upgrade immediately. For more details, please see the security announcement:

• SA-2008-016 - OpenID - Incorrect claimed_id returned for OpenID 2.0

In addition to this security vulnerability, the following bugs have been fixed since the first release candidate:

• #208427 report by Pancho, patch by dvessel: strpos() parameters were flipped in color module, resulting in bad colors
• #208197 by dvessel: back to cloning the table header only in tableheader.js (fixes radio button issues and Safari 2 crashing)
• - Patch #210140 by dww: fixed code comment: 'default_major' is now deprecated in favor of 'supported_majors'.
• - Patch #209236 by traxer: added a validation function for the poll form.
• - Patch #206495 by jvandyk: improved consistency of trigger descriptions.
• - Patch #208926 by keith.smith: fixed broken link. The external link to the RSS specification changed.
• - Patch #115606 by Junyor, thesaint_02: added support for PHP 5.2's 'recoverable fatal errors'.
• - Patch #209034 by theborg: fixed small code style error that generates warnings.
• - Patch #210141 by dww (with some modifications by me): implement hook_flush_caches().
• #201540 follow up by zoo33: move jpeg quality validation to where it belongs, so it is only called if the current image toolkit requires it
• #209584 by Rob Loach: 404/403 validation is also done in runtime so to allow more flexibility here, remove the submission time validation
• #209045 by keith.smith: small typo in INSTALL.txt
• #208991 by JirkaRybka: target sticky table headers to Drupal output tables only, so it won't sticky random tables in other site content
• #190729 by aufumy, Pasqualle, slightly modified: report incompatibility early, if the dependencies key is not an array in the .info file
• #209077 by bec: missing initialization for the placeholders array in drupal_write_record()
• #200674 by scor, catch: update.php should inform users if their memory limit will possibly result in a WSOD
• #196630 follow up by JirkaRybka: fix theme location information in maintenance theming, so IE6 fix CSS is loaded properly
• #189785 by dropcube: anonymous users did not have permission to view the personal contact form, so catch them early
• #210141 follow up by dww: cleaning up some code comments
• #201641 by Ralf Stamm, Pancho: sort themes by their .info name, not their file name (just like modules)
• #208938 by bjaspan, scor: use schema PI for index updates instead of database dependent code
• #210211 by chx, theborg: removing the broken admin user search, which would provide the same as the public facing user search anyway
• #210260 by dropcube: kill notice when anonymous users uses site-wide contact form
• #208991 follow up by dvessel: forgot to mark the blocks table with sticky-enabled
• #209242 by dww: local .info file changes (ie. updated code) was not taken properly into account in update module
• #201641 by Ralf Stamm, Pancho: sort admin themes by info name as well
• #209720 by theborg: avoid processing resizable teasers before teaser.js is run and the proper wrappers are in place
• #211060 by boydjd: do not display the taxonomy-term-description div when there is no description
• #208602 by KarenS: add support for aborting all updates of one module, when a critical error happens
• #211322 by keith.smith: drag and drop documentation for input formats was missing, damn
• #211322 follow up by catch: forums also support drag and drop, mention in changelog
• #211443 by dropcube: kill a feed warning on taxonomy pages
• #200210 by gaele: more accessible color contrast in Garland error messages
• #210936 by Pancho: some padding around taxonomy descriptions on taxonomy pages, so that they get more breathing space
• #211067 by webchick: blogapi_mt_get_post_categories() not using taxonomy_node_get_terms() properly
• #211359 by chx: make dead menu items disappear on a Drupal 6 upgrade
• #211353 follow up by JirkaRybka: ensure that on upgrades, if the file_directory_path was not set, set it to the Drupal 5 default
• #210479 by catch, dvessel: add newlines to list items, so inline display and RTL issues are resolved
• #208498 by pwolanin: remove pager from menu admin page (for big menus, you will need to use a contrib module)
• #208602 follow up by myself and webernet: invert conditional to properly update schema versions, when needed
• #212285 by wrwrwr: hr should be treated as a block level tag
• #211404 by dvessel: improve tableheader.js performance in all browsers, solves freeze in IE7
• #195283 by pwolanin: code documentation for the 'forms' function group
• #211876 by hass: typo in profile module docs
• #212050 by keith.smith: JS compression was removed, but not from the changelog
• #209409 by Heine, webernet, dww: more accurate register globals value checking
• #210335 by keith.smith: highly confusing example in trigger module help, use a better one instead
• #206778 follow up by dvessel: better filtering for subtheme files
• #211403 by dww: Removed fallback code for determining the project based on the directory.
• #211053 by momendo: poll submission and editing field columns fixed
• #119038 by ximo, Pancho: user role editing usability: include disabled checkbox for authenticated role
• #212813 by dww: link project status information to the admin/reports/updates page (usability)
• #212409 by theborg: avoid calling check_plain() twice on menu links
• Outdated use of watchdog() noticed while creating translation templates
• #213172 by skiquel: let color module run properly without a base image
• #213064 by dvessel: fix sticky table headers bug when resizing
• #194494 by Jax, slightly expanded: unify empty password handling is MySQL and MySQLi installer and runtime drivers
• #208768 by dvessel, Arancaytar: language direction should be in the HTML source, so it is more accessible even without CSS
• Three remaining instances of t() use in system module update code removed.
• #204411 by catch: elevate MySQL requirements to 4.1.1 (the first production MySQL 4.1.x was 4.1.5 anyway)
• #107375 follow up by zeta-zoo: fixed incorrect description for MySQL's 'Select_range_check'
• #213319 by add1sun: minor code documentation fix at template_preprocess_block()
• #211742 by theborg, chx: detect and solve the problem when blocks are assigned to invalid regions (happens in theme development)
• #212921 by fgm: remove unused reference on update_process_info_list() parameter list, which causes strict warnings in PHP 5
• #205067 by asimmonds: kill notice in install.php when the profile is not yet set
• #204411 by chx, slightly modified: heal a possible MySQL import error when the anonymous user becomes broken
• #194327 by dvessel, David_Rothstein, catch, theborg: IE form submission button correction was buggy
• #212126 report by salvis, patch by myself: allow clearing of drupal_html_to_text() URL list, so it can be used multiple times on the page
• #214213 by keith.smith: fix broken link in INSTALL.txt
• #205523 by assimonds: (minor) add missing CVS Id tags
• #213150 by Lynn: fix HTML validation problem with node term listings
• #214058 by catch, Arancaytar: forum form alter was mistakenly dropping the parent field in all taxonomy forms
• #187075 by dvessel: do not compute a breadcrumb for the home page (regression)
• #200028 by agentrickard, dww: cache more project module data, so there is less burden on Drupal when generating admin pages (performance)
• #214579 by keith.smith: vocabulary drag and drop was not properly documented (string change)
• #204415 by Lynn, traxer, pwolanin: migrate node type URLs to a path model based on menu paths, so conflicts between action and node type names are not a problem
• #212864 suggestion by pp, patch by gdevlugt: use format_date() for RSS item dates instead of date() to honor site time zone settings
• #172571 by fgm, slightly modified: document that theme_xml_icon() was superceded in most cases by theme_feed_icon()
• #207330 by c960657: allow custom URL rewriter to work on base_url and fix urlencoding of front page URL with a path prefix
• #208888 by jvandyk: set access time when externally authenticated user first logs in
• #206955 follow up by merlinofchaos: avoid misusing default values for image buttons
• #206881 by ScoutBaker: (minor) fix whitespace at TRANSLATION_ENABLED, so the phpdoc shows up properly
• #214922 by Eaton: fix code typo which prevented from image buttons in a tree form from working
• #213657 by dopry and moshe weitzman: typo in rss feed build mode and better link handling
• #207029 by JohnAlbin: some menu item properties were not passed along for theming (regression)
• #213517 by ax: inline documentation cleanup, fixing four unclosed @defgroups
• #193331 by ufku: the replace parameter was not used in file_save_upload() as documented, fix this
• Translating menu items and taxonomies is not a core feature, so do not mislead users. Noticed while translating to Hungarian.
• #213664 by chx, theborg: menu item not expanded on front page
• #210219 by htalvitie, yched: initialize block caching properties properly on install (and update bugos RC2 sites as well)
• #210219 follow by myself: update_sql() does not support placeholders, so we should compose our own SQL ourselfs
• #215303 by Pancho, slightly modified: clean URL test support text was not green if not using JS
• #214292 by theborg: collapse.js alters the default submit buttons in forms in Internet Explorer
• #215361 by bec: phpdoc for menu_load_objects(), _menu_item_localize() and _menu_link_translate()
• #202382 by Pasqualle and Pancho: phpdoc improvements and code style fixes in node module
• #215252 by bdragon: reset the cache flush variable before the cache is flushed, so busy sites will not attempt multiple cache flushes at a time
• #208556 by Pancho: fix broken display of OpenID links
• #215335 by jvandyk: fix user_login_submit() phpdoc
• #79018 by pwolanin, catch, Morbus Iff: document how can one hide CHANGELOG.txt, etc. to improve security a slight bit
• #207863 by mikey_p, Pancho: use module_load_include() as intended
• #214329 by starbow: avoid attaching scroll behavior multiple times
• #215454 by keith.smith: cleaning up some language in INSTALL.txt
• #215848 by simonc: SMALLTEXT is not a valid MySQL type, TINYTEXT is there instead
• #208858 by theborg, gdevlugt: fix forum node and comment counting, taking term revisioning into account
• #216014 report by meba, patch by myself: menu_install() did not use get_t() for its menu item creation
• #105405 by chx, Pancho: (regression) remove web server version checking; it is not in Drupal 5; Apache 1.3 is surpassed for a long time now
• #215127 by chx, webernet, catch; testing by theborg: menu item parenting was broken when moving menu items
• #216042 by Eaton: provide the complete form to element validators as well (critical regression for CCK)
• #216022 reported by johnnysxip, patch by walkah: (SA-2008-016) OpenID - Incorrect claimed_id returned for OpenID 2.0 and other minor OpenID 2.0 compliance fixes
• #200028 follow up by dww: clear update module cache on update.php run as well

The 7th maintenance release of the Drupal 5 series. Only fixes for bugs have been committed. New features are only added to in-development versions of Drupal.

The following bugs have been fixed since the 5.6 release:

• #208700 by pwolanin. Fix bad backport of #194579. Modified to use Form API.
• #118569 by bevan: document how should one set RewriteBase, if under a VirtualDocumentRoot. Backport by Bart Jansens.
• - Patch #115606 by Junyor, thesaint_02: added support for PHP 5.2's 'recoverable fatal errors'.
• #209409 by Heine, webernet, dww: more accurate register globals value checking

For more information on this release candidate and about compatible modules, themes and translations, refer to: http://drupal.org/drupal-6.0-rc2

This release candidate fixes security vulnerabilities. Those running the previous release candidate are urged to upgrade immediately. For more details, please see the security announcement:

• SA-2008-005 - Drupal core - Cross site request forgery
• SA-2008-006 - Drupal core - Cross site scripting (UTF8)
• SA-2008-007 - Drupal core - Cross site scripting (register_globals)

In addition to this security vulnerability, the following bugs have been fixed since the first release candidate:

• #199241 by bjaspan, Heine: fix documentation on how confirm forms are constructed; port of Drupal 5 fix
• #202925 report by beholder, patch by myself: (notice fix) only consider languages with a host set when comparing with the current host in domain language negotiation
• #202895 by cwgordon7, theborg: fix node revision view page load argumnets
• #194579 patch by pwolanin: clear filter cache when allowed HTML tags configuration changes in an input format
• #200921 by Pancho: code consistency change, renaming an internal variable in drupal_get_schema() for better developer docs
• #202997 by JirkaRybka: more specific CSS selector for draggable links
• #202967 by catch: kill notice on forum page
• #181195 by hunmonk and Pasqualle: node type related variables were not properly renamed, when node type names changed
• #203274 by Pasqualle: remove excessive witespace from our code (minor)
• #195176 by chx: form_set_error doxygen was misleading
• #194310 by JirkaRybka: t() was misused in update.php (we should not use t() in the update process)
• #194946 by dmitrig01, Pasqualle: christmas cleanup (some code style issues fixed)
• #198234 by bjaspan: fix improper type maps for numeric and char values in schema API
• #154517 follow up by Desbeers: path_form_alter() was not path alias language aware
• #203482 by Desbeers: block module HTML typo in help (outside t())
• #203316 by douggreen: schema docs for the search_node_links table
• #173656 by qucksketch: fix upload form ordering and delete buttons on preview, among smaller issues
• #203660 by keith.smith: missing 'a' tag name in 'a href='
• - Patch #174226 by keith.smith, pwolanin et al al -- and greatly simplified by me: added a copyright notice.
• #197722 by catch, hwsong3i: remove 4.7 to 5.x updates; we only support direct updates from 5.x to 6.x
• - Patch #203509 by pwolanin, chx, cwgordon7 et al: fixed menu inheritenace.
• - Patch #176748 by pwolanin, Rob Loach: fixed broken breadcrumbs.
• #191914 by chx: admin check was missing from menu user_register_access()
• #204081 by chx: check menu arguments by type, so type casting will not cause problems
• #203794 by douggreen: nonexistent dependencies should not be considered on the dependency checker
• #176748 follow up by pwolanin: fix bad breadcrumbs and missing/wrong titles
• Reported at http://groups.drupal.org/node/7843 : language direction was not translated in the overview (it is in the form, so no new string for translators)
• Reported at http://groups.drupal.org/node/7843 by kkaefer: t() was used in install.php in place of st()
• #152497 by bjaspan, with more docs from myself: user_external_login() was not updated to latest login process
• #194369 by lots of contributors: move default files directory to sites/default/files which can be created automatically on install, so no need to bug the user about it, making the install process easier
• - Patch #204083 by pwolanin: PHPdoc improvement.
• - Patch #194369 by webernet: fixed the default files directory on multi-site setups.
• - Patch #203316 by mooffie and douggreen: improved schema documentation.
• - Patch #204221 by webernet: code style fixes.
• #203941 reported and tested by Takafumi, patch by myself: trigger assocations should be removed when deleting an advanced action
• #204420 by webernet: do not show messages about status problems to those who will not be able to click and go to the reports
• - Patch #204456 by Keith: mentioned drag and drop support in the CHANGELOG.txt.
• - Patch #204488 by Desbeers: Garland was still using deprected CSS class names: watchdog -> dblog.
• - Patch #204955 by chx: fixed E_ALL warning.
• - Patch #204996 by chx: fixed access check and warning in poll module.
• - Patch #204900 by webernet: code style fixes. Likely my last patch of the year. Fiew. Thanks all, and see you on the other side. :)
• #204996 by chx: poll bar theme gets NULL as default, so use that here as well
• #204344 by marcingy: path aliases were not alled as default home page
• #203846 by pwolanin and jvandyk: PHP 4 does not allow omitting an object when it is passed by reference, so we need to live with dummy object passing with actions for object-less actions to support PHP 4
• White space problem found while gathering background info for #204420
• #199373 report by avskip, patch by myself, testing by keith.smith: forum node type was not re-added to the forum vocabulary when the module is re-enabled (after being disabled)
• #204420 follow up by webernet: fix bad permission check introduced for update module message
• #205199 by David_Rothstein: leftover links were not removed in the reindexing process properly (search module)
• #203582 by David_Rothstein: some core hook_access() implementations are not using the passed in account
• #205134 by damz: fix not translatable use of t() in update module
• #205138 by pwolanin: require node types in forums vocab, fix help text parameter name (outside t())
• #205075 report by ktabuer, patch by myself, testing by ktauber and Lynn: book block throws notice when used on non-book-node page (with a little bit of code cleanup)
• #205334 by hass: if more then 5 languages are available, use a dropdown not a radio button list (usability)
• #181125 follow up by beginner: book.js should have been removed earlier in #181125, was a commit mistake
• #135329 follow up: rolling back some of the user password request form changes, so user names in email address format (eg. site_network module) will still work
• #204872 report by hass, patch by myself: Mode radio button in locale import had bad default value
• #50901 by chx: do not allow user login under maintenance mode, if the logged in user has no site config permission
• #201017 by chx: AHAH callbacks were not working for regular buttons
• #168315 by schuyler1d: previous active database name was not consistently returned in db_set_active()
• #205334 follow up by myself: options were improperly counted in language list (minor)
• #205795 by douggreen: search result normalization used a wrong calculation
• #205843 report by asimmonds, patch by chx: menu_valid_path() was used as an API function, but was located in menu.module, move to menu.inc
• #202955 by chx: menu_rebuild() needs to be called after maintenance mode, because stale data might end up in menu tables in maintenance mode
• - Patch #202078 by chx: fixed poll AHAH problem with caching.
• #198856 by hswong3i: Fix some incorrect use of %s for table name escaping, implement better security checks
• #195161 by mcarbone with some modifications: only show 'login to post comments' if logging in actually lets you post comments
• #201141 by yched: instead of 'HTTP error 200' messages when a PHP error occurs, actually display the PHP error message
• #206272 report by yojoe, patch by myself: user provided data in menu titles should be check_plain()-ed not t()-ed
• #195161 follow up by keith.smith: fix typo in code comment
• #206232 by chx with a bit of cleanup: add in-memory reset clearing to locale() to help it interact with simpletests, which are not reloading the Drupal instance on form submits
• #206281 by keith.smith: document that people should look into the new system requirements when they upgrade
• #206232 follow up by chx: set locale() cache to NULL when resetting
• #197720 by nedjo, scor, keith.smith, catch: inform installing users about PHP memory requirements of Drupal 6
• #199809 by theborg: comment templates were not checking status properly (fix notice, allows themes to theme in-preview comments differently)
• - Patch #206512 by jvandyk: fixed grammar mistake in status message.
• - Patch #206470 by David_Rothstein: fix book permission upgrade.
• - Patch #206434 by meba: added missing doc in string.
• - Patch #199955 by saxofaan: file_upload_max_size() returns results in bytes, not in mega bytes.
• - Patch #206418 by meba: fixed typo - 'sever' should be 'server'.
• - Patch #205465 by jvandyk: add missing index on comment table.
• #205602 by theborg: disabled languages were included in the language lookup logic
• #206510 by pwolanin, chx: menu title arguments were not properly stored when they were empty
• - Patch #203222 by Pascalle: added missing message type to watchdog call.
• #206820 by catch, keith.smith: forum delete confirm form was saying it deleted posts, but it does not
• #205920 by douggreen: short term searches were returning wrong results
• #206670 by keith.smith and myself: node type names have their underscores converted to hyphens in node/add links
• #202821 by marco.robotangel: display messages above help in all core themes for consistent user feedback (usability)
• #200777 by JirkaRybka: theme settings form relied on _POST[] and stored irrelevant formapi keys as theme settings
• #197720 follow up by keith.smith, scor: include php.ini path in memory limit messages
• #207170 by hswong3i slightly modified: drupal_write_record() did not return FALSE on query failure and had bad documentation on the returned values
• #199946 by JirkaRybka: append a short query string to CSS and JS files, changing on upgrades, so on core/module/theme upgrades, browser caches will 'flush'
• #204946 by theborg, keith.smith: only tell users their language setting will be used for interface presentation, when this actually happens
• #164532 follow up by pwolanin, David Strauss, catch and myself, testing also by hswong3i: some indexes added before Drupal 6 RC1 were too unique, and our code did not back them, so we should not add those indexes
• #207569 by ScoutBaker (minor code style): clean up @see usage in phpdoc blocks
• #205792 by yched: fix contradictory messages after node access rebuild
• #195091 by Rowanw: (usability) swap enabled and expanded checkbox in menu admin and allow setting elements without children to be expanded
• #207372 by Pancho, pwolanin, chx: remove duplicate query from menu_enable()
• #151910 by chx: support subqueries in db_rewrite_sql() - now that we use subqueries even in core, this was critical
• #204756 by dvessel: textarea.js assumed #disabled fields are to be hidden
• #197720 follow up by myself: cleaning up the memory_limit requirement check, use dollar t
• #207731 by Pancho: adding brackets to some default form values, for consistency
• #153998 by David_Rothstein and myself: clean up permissions in book, blog, blogapi, forum and locale modules
• #194590 by scor, JirkaRybka, attiks, dvessel; with heavy testing by catch: fix a dozen issues with sticky table headers
• #207931 by ScoutBaker: some links in update.module were pointing to 'logs' instead of 'reports'
• #207868 by cwgordon7, webernet and myself: SQL status page was using wrong property names
• #207947 by Rok Zlender: whitespace missing between error messages in file.inc
• #206021 by dropcube and myself: language content type settings were not properly namespaced
• #201667 by theborg, quicksketch, gpk, catch: fix bugs with teaser splitter in JS and no-JS mode
• #207982 by domasj: Lithuanian native language name was incorrect
• #207779 report by meba, patch by myself: missing plural formatting in forum module, and a counter display fix as well
• #201667 follow up by keith.smith: typo in code comment
• #207991 by Rok Zlender: xmlrpc_date did not parse dates well
• #206778 by dvessel: prevent themes from using their sub-theme's templates, when not intended
• #197186 by dww, testing by catch, webernet, greggles: (critical security functionality) update.module did not inform users when their current release became revoked/not supported
• #207990 by soxofaan: fix notice on node/add page for anonymous users
• #206021 follow up by keith.smith, dropcube: better code comments in locale update
• #204705 by pwolanin: abort user_save on SQL errors, to avoid data corruption
• #201667 follow up by gpk: minor code comment and whitespace cleanup
• #206078 by Pancho, traxer: order roles with system roles first (usability)
• #194590 follow up by theborg, catch: avoid cloning the sticky table headers with the same id value
• #202997 follow up by quicksketch: the table drag CSS selector was not specific enough in the RTL sheet
• #208492 report and testing by KarenS, patch by myself: book upgrade should not use the book API
• #207908 by chx, docs by jvandyk: menu title custom translation was not invoked properly
• #208262 by jvandyk: better name for variable signing a menu rebuild requirement
• #18954 by kkaefer, Pancho: built-in role names were not translated and some user_roles() call cleanups
• #18954 follow up by myself: restore user role name editing
• #208542 by KarenS, webernet: save old actions table when upgrading from Drupal 5 with a previous actions install

The eleventh maintenance and security release of the Drupal 4.7 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately. For more details, please see the security announcement:

• SA-2008-005 - Drupal core - Cross site request forgery
• SA-2008-006 - Drupal core - Cross site scripting (UTF8)
• SA-2008-007 - Drupal core - Cross site scripting (register_globals)

In addition to this security vulnerability, the following bugs have been fixed since the 5.3 release:

• #168315, backport
• #89218, backport
• #204855, backport

The sixth maintenance and security release of the Drupal 5 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately. For more details, please see the security announcement:

• SA-2008-005 - Drupal core - Cross site request forgery
• SA-2008-006 - Drupal core - Cross site scripting (UTF8)
• SA-2008-007 - Drupal core - Cross site scripting (register_globals)

In addition to this security vulnerability, the following bugs have been fixed since the 5.5 release:

• #173858 by Gábor Hojtsy: skip UTF-8 BOM when importing locale files
• #179164 by Heine: sort modules by name on the module admin page
• #199640 by webernet: (usability) add option to select no taxonomy term in multiselect forms, not to rely on browser trickery
• #199084 by chx: better conformance with ISO date formats in our xmlrpc code
• #173459 by Dave Cohen. Backport of #78487 by FredCK, forngren and bjaspan: document support in url() and l() and proper active class support for .
• #89218 by Gábor Hojtsy. Properly initialize a counter variable and fix poll editing.
• #64388 by Gábor Hojtsy. Add missing db_rewrite_sql(); not a security issue since it is a count() query.
• #200338 by m3avrck and quicksketch: fix transparent GIF resizing
• #194652 by Heine: specify explicit accept-charset for forms to avoid browser guessing
• #182410 by greggles: HTTP Basic authentication username and password was parsed in drupal_http_request() but then not used in the request
• - Patch #201894 by David Rothstein: fixed typo in user output.
• #180126 by mmoreno, drewish and scor: add realpath() call to file_save_data(), so Windows will create temporary files properly
• #115689 by chx: new content types should not overwrite old ones. Backport by Pancho.
• #203727 by Arancaytar. More effectively use hook API.
• #204855 by webernet. Add missing * in documentation.
• #168315 by schuyler1d: previous active database name was not consistently returned in db_set_active()
• - Patch #199955 by saxofaan: file_upload_max_size() returns results in bytes, not in mega bytes.
• #194579 patch by pwolanin: clear filter cache when allowed HTML tags configuration changes in an input format
• #166433 by Ralf Stamm. Use correct menu item type for revsion confirm pages.
• #58806 by fwalch and wicksteedc. Do not override MENU_VISIBLE_IF_HAS_CHILDREN on editing.
• Partial backport of #112715 to fix #124641.

See http://drupal.org/drupal-6.0-rc1 for more information.

The tenth maintenance release of the Drupal 4.7 series. Only fixes for bugs have been committed. New features are only being added to the forthcoming Drupal 6.0 release.

Bug fixed:

* Fixed taxonomy feed bug introduced by SA-2007-031

The fifth maintenance release of the Drupal 5 series. Only fixes for bugs have been committed. New features are only being added to the forthcoming Drupal 6.0 release.

• Fixed missing missing brackets in a query in the user module.
• Fixed taxonomy feed bug introduced by SA-2007-031

See release notes at http://drupal.org/drupal-6.0-beta4

The fourth maintenance and security release of the Drupal 5 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 6.0 release.

This release fixes a security vulnerability. Sites are urged to upgrade immediately. For more details, please see the security announcement:

• SA-2007-031 - Drupal core - SQL Injection possible when certain contributed modules are enabled

In addition to this security vulnerability, the following bugs have been fixed since the 5.3 release:

• #178478 by scor: typo in text displyed when the DB is installed but not accessible
• - Patch #122759 by Robrecht: fixed broken query in upgrade path.
• #55277 by catch and JirkaRybka: when flat comment view is used, order comments by cid (ie. original submission order) instead of timestamp (ie. last editing time order) to avoid comments jumping around when being edited
• - Patch #181063 by chx and bjaspan: fixed problem with drupal_bootstrap() not booting to the proper level.
• #184668 by hazexp, Remove unnecessary ';'
• Patch #182728 by Darren Oh: improved PHPdoc of db_rewrite_sql().
• #93425 by bjaspan: remove pre-Drupal 4.6 era destination handling cruft carried over in comment module
• #154388 (backport of #172262) by JirkaRybka. Better globals handling in install system, so the choosen profile and language are remembered.
• #171117 by JirkaRybka: set access time for admin created or edited accounts so they are exempt from the spam protection we have for accounts never logged in
• Patch #168829 by Neil Drumm: fixed link in documentation.
• #165924 by odious. Use accurate count query for user list.
• #187601 by Bart Jansens. Use correct HTTP status codes for redirects.
• #180109 by JirkaRybka: overcome browser quirk to detect when no taxonomy term was selected
• #134984 by mikesmullin. Fix x2 coordinate for rendering gradients.

The ninth maintenance and security release of the Drupal 4.7 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 6.0 release.

This release fixes a security vulnerability. Sites are urged to upgrade immediately. For more details, please see the security announcements:

• SA-2007-031 - Drupal core - SQL Injection possible when certain contributed modules are enabled

See release notes at http://drupal.org/drupal-6.0-beta3

See release notes at http://drupal.org/drupal-6.0-beta2

The eigth maintenance and security release of the Drupal 4.7 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 6.0 release.

This release fixes five security vulnerabilities. Sites are urged to upgrade immediately. For more details, please see the security announcements:

• SA-2007-024 - Drupal Core - HTTP response splitting
• SA-2007-026 - Drupal Core - Cross site scripting via uploads
• SA-2007-030 - Drupal Core - API handling of unpublished comment

Some bug fixes were also included in this release:

• #91404, Footer CSS fix, patch by blakehall
• #133789, rolled back due to problems, see #165732

The third maintenance and security release of the Drupal 5 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 6.0 release.

This release fixes five security vulnerabilities. Sites are urged to upgrade immediately. For more details, please see the security announcements:

• SA-2007-024 - Drupal Core - HTTP response splitting
• SA-2007-025 - Drupal Core - Arbitrary code execution via installer.
• SA-2007-026 - Drupal Core - Cross site scripting via uploads
• SA-2007-029 - Drupal Core - User deletion cross site request forgery
• SA-2007-030 - Drupal Core - API handling of unpublished comment

In addition to these security vulnerabilities, the following bugs have been fixed since the 5.2 release:

• #163092 by Wesley Tanaka. Add forum css only to pages which need it.
• #163458 by heyrocker. Make sure the user object has roles before checking them.
• #164974 by ricflomag. Better use of t().
• #165604 by mvc. Redirect to home page after user registration requiring admin approval.
• #150759 by hass. Remove @charset rules for aggregated stylesheets, which were incorrect and confused Safari.
• #167284 by Heine and pwolanin. Avoid abusing %s for lists.
• #91404, Footer CSS fix, patch by blakehall
• #174270 by kkaefer. Make user filter translatbale.
• #171536 by pillarsdotnet. Correct id for {user_roles} in Postgres.
• #106115 by sparr: restore previously present 16x16 (and add 32x32) favicon size, so when a shortcut is saved, a nice icon is used
• #117151 by profix898 and thePanz: the second part of our FilesMatch list contained complete file names which should be protected (eg. Tag), but should not match parts of the file names (eg. Tagging.txt)
• #168429 by gaele: there is no settings module, fixing reference to system module in help text
• #177829 by jjeff: search indexing did not invoke the nodeapi alter hook, so what the user seen and what was indexed was different
• #171747 by chx. More correct wording since some modules will actually work despite warning.
• #160603 by nancyw and Freso: variable search_cron_limit was not removed on search uninstall
• #112064 by Dave Cohen and pwolanin: do not cache installer redirects, so live Drupal pages will be visible instead of cached installer pages
• #180559 by hunmonk: do not try to display the comment addition form at th end of comments, if we are already on the page, so it is displayed anyway
• #110511 by bjaspan: poll listing page should have a 'count_sql' because the original query uses group by, so it is not countable properly
• #63990 by hunmonk. Append to instead of overwrite #suffix.
• #183390 by hunmonk: forms should use form_state['redirect'] for redirection, not drupal_goto() - fix this in comment_admin_overview_submit()
• #183388 by hunmonk. Fix syntax error.
• - Patch #178999 by JohnAlbin, sun and sammys: fixed race condition with drupal_goto().
• #183357 by Freso: hide administration pages links on module help pages if there are no admin links for the module
• #172588 by Tresler, Freso and webernet: add missing help page for color module

See the release notes at http://drupal.org/drupal-6.0-beta1

The seventh maintenance and security release of the 4.7.x series. Only fixes for a security vulnerability and other bugs have been committed. New features are only being added to the forthcoming 6.0 release.

This release fixes a security vulnerability. Sites are urged to upgrade immediately. For more details, please see the security announcement:

• SA-2007-018: XSS Drupal 4.7.x, 5.x

In addition to this security vulnerability, the several bugs have been fixed since the 4.7.6 release:

• #32833 by fgm: Fixed documentation error.
• #114103 by adixon: New profile fields added to registration form show above Account Information.
• #117917 by webchick: Improved documentation for cookie domain.
• #68690 by mindless: New attachments not shown in node preview.
• #121876 by Darren Oh: drupal_to_js() converts empty arrays to objects.
• #133865 by Alexis: Incorrect use of form_set_error in user_login_validate().
• #130215: backport of #60664, 'Comment: duplicate ...' in watchdog, even when editing a comment.
• #101305 by bjaspan: textarea.js is incompatible with IE.
• #150972 by alex_b: limit wget to 1 run per second.
• #133789 by John Albin (port by Omar Abdel-Wahab): Drupal-generated email can look like spam (to SPF).
• #103079 by yched: check_plain('') returns </p>.
• #158687 by drumm: Fix Drupal.encodeURIComponent() and drupal_urlencode() edge cases.

The second maintenance and security release of the 5 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming 6.0 release.

This release fixes two security vulnerabilities. Sites are urged to upgrade immediately. For more details, please see the security announcements:

• SA-2007-017: Drupal 5.x CSRF (revisions revert/delete, menu disable, comment delete)
• SA-2007-018: XSS Drupal 4.7.x, 5.x

In addition to these security vulnerabilities, the following bugs have been fixed since the 5.1 release:

• #113286 by maynich: Added missing t().
• #113290 by maynich: Added missing t().
• #104175: Fix disappearing fieldset title in firefox.
• #115213 by dorpy: Fix E_ALL problem.
• #111537 by jpetso: Add #weight to content type editing screen buttons.
• #107346 by asaddi: Postgres consitency fix.
• #107051 by webchick: Avoid showing duplicates in 'Who's online' block.
• #117917 by chx, greg, webchick et al: fix problems with the automatic domain extraction -- prevents users from logging in.
• #118041 by kkaefer: Fixed small braino in url().
• #114745 by moonray: Fixed a sloppy if condition.
• #105405 by chx: Only display the web server information instead of attempting to check its randomness.
• #119128 by kkaefer: Use the correct argument for the theme configuration help.
• #120146 by abautu: TRUNCATE TABLE is not ANSI SQL.
• #32833 by fgm: Comment improvement.
• #112556 by RobRoy. Match maxlength with the database.
• #107358 by m3avrck, robert douglass, heine, eaton et al: Prevent multiple form processing: causing duplication of nodes/users.
• #122824 by PMunn: fixed SQL query to be compatible with PostgreSQL.
• #111830 by pwolanin: comment block sql incompatible with db_rewrite_sql.
• #114822 by Neil et al: revision flag was ignored.
• #124727 by Moshe: node_access_rebuild should reuse the update facility to reload itself.
• #68690 by mindless: new attachments not shown.
• #114103 by adixon: Weight profile fields below the account information for the user registration page.
• #52878 by ChrisKennedy: Make nicer links in function documentation.
• #122709 by kbahey: fixed SQL argument braino.
• #117953 by Matt Westgate: make blog module hook_profile_alter friendly.
• #121876 by Darren, Nedjo et al: drupal_to_js converts empty arrays to objects.
• #125418 by hunmonk: make #skip_duplicate_check easier to use.
• #105031: Allow both upper and lower case for allowed protocols in XSS checks.
• #123940 by Gman: anchor to comment form is mis-labeled.
• #109404 by effennel: fixed typo in code comments.
• #125636 by hunmonk: fixed duplication checking on confirm forms.
• #125804 by tostinni: search.css not always properly included.
• #127753 by ChrisKennedy and GreenMother: regex error with session.cookie_domain settings.
• #125805 by dvessel: get rid of the search scrollbar.
• #127941: Add index to users.created column.
• #130427 by scor: Include INSTALL.txt along with the other files in robots.txt
• #104969 by Wesley Tanaka: Sync the documentation comments.
• #124366: Change the default language codes for Norwegian Nynorsk and Norwegian Bokm√•l
• #111697 by wesley: Properly initialize time member of $user object to prevent warnings/errors.
• #127891 by dvessel: Layout variabe may end up not getting set.
• #130478 by Jaza: Improved code comments.
• #130946 by KarenS: Fixed undefined variable output.
• #107450 by webchick and fajerstarter: Code clean-up of blogapi.module.
• #131483 by kkaefer: E_NOTICE cleanup.
• #119114 by edkwh. Set the same profile values as the fields that were presented for user registration.
• #132789 by vdessel: fixed undefined variable.
• #133216 by meba: trying to get property of non-object on line 982.
• #133318 by hunmonk: drupal_get_messages() returning incorrect array value.
• #72564 by Gabor: locale bugfix: undefined variable.
• #133865 by alexis: incorrect form_set_error() calls.
• #87138: Disable mbstring encoding conversion in htaccess
• #133431 by alexis: Let formapi do the redirecting instead of doig it ourselves for user registration.
• #134697 by hunmonk: make table row coloring work in absence of numeric IDs.
• #101305 by bjaspan: work around IE textarea bug.
• #35177 by Stefan and profix898: added some logging to the taxonomy module.
• #126177 by AjK: fixed E_NOTICE because of sloppy array_merge_recursive().
• #134185 by Ralf Stamm: missing CVS IDs in files.
• #134364 by lyricnz: simplified SQL query
• #133083 by Zen: 'Shortcut icon settings' not using proper FAPI value.
• #126867 by dmitrig01: Made caching work with prefixing.
• #136202 by asimmonds: Fixed indefined variable notice.
• #90780 (comment #30) by chx: 404 for .../node/gibberish instead of the promoted nodes page.
• #137138 by jvandyk: Fixed problem with drupal_http_request() not setting the proper error code when a network effect occurs. Causes the XML-RPC backend to fail.
• #121425 by Chris Bray: Fixed capitalization glitch.
• #128600 by scott.mclewin and spatz4000: Ambigious field use in SQL query.
• #138000 by killes: removed global .
• #127109 by moonray with help from Zen: fixed UI glitch in node filter settings.
• #138376 by dww: fixed array vs. string bug when defining #default_value array for a multiselect.
• #136250: The upload directory might exist, but is not writable. Fix error message. Investigated with Moshe Weitzman and Gerhard Killesreiter.
• #138531 by bjaspan: Destroy existing sessions when a user password is changed.
• #133789 by John Albin: Drupal-generated email can look like spam.
• #139517 by Grugnog2: Improved code comment.
• #141204 by Wim Leers: fixing caching bug in taxonomy_node_get_terms().
• #141636 by Heine: Remove the duplicate submission check; it is an API change that should not have gone in.
• #100850 by dww: Properly save empty log messages when an existing node gets a revision saved.
• #133189 by Darren Oh: More forgiving test for empty date values.
• #109941 by morphir: Let browsers store form values.
• Code style: use get_t() to determine appropriate t() function.
• #136049 by lyricnz: Small performance improvement - removed some redundant fields.
• #141665 by ChrisKennedy: E_ALL fixes.
• simple phpdoc formatting fix in locale.inc
• #131538 by Jo Wouters: E_ALL fixes.
• #142619 by erdemkose: fixed E_ALL warnings.
• #142337 by drewish: fixed E_ALL problem.
• #141664 by ChrisKennedy: fixed E_ALL warning.
• #109150 by ff1 and webernet: fix rewrite rule.
• #109104 by Zen: ambiguous column reference with PostgreSQL.
• #140412 by quicksketch: use drupal_set_header() instead of header().
• #137724 by JohnAlbin: empty favicon causes duplicate page requests.
• #147034 by webchick: removed redundant dependency checking.
• #101927 by coofercat. Fix display of post information.
• #105885 by duncf. Correct comment formatting.
• #141957 by add1sun: improved consistency of messags.
• #103079 by yched: check_plain('') returned </p>
• #148744 by catch: fixed some code comments.
• #148974 by hunmonk: fixed whois online block on PostgreSQL.
• #150344 by webernet: language fixup.
• #145646 by lyricnz: select fields more strictly.
• #150671 by dmitrig01: Consistent code comment style.
• #150972 by alex_b: improved instructions on how to install cron.php properly.
• #145647 by lyricnz: Select only needed fields.
• #136067 by mkalkbrenner: Allow password confirm fields to be marked as required.
• #151491 by john vandyck: fixed notice with table sorting.
• #123807 by dvdweide and chx: Return not found instead of access denied in some cases.
• #141470 by chx: Page tagging vocabulary listings.
• #152469 by fgm: Fixed PHPdoc comment.
• #57106 (22) by Steven: Use changed date for search indexing, which is more reliable.
• #136837 by meba and pwolanin: Allow cache tables to be prefixed.
• #123577 by tostinni and dvdweide: Show access denied instead of empty page for browsing hidden profile fields.
• #155859 by Arancaytar: removed HTML from PHPdoc.
• #156392 by Gabor Hojtsy. Add comment module depenedency to tracker.
• #107023 by yas and asimmonds: Correct variables for updating Aggregator items.
• #102252 by Darren Oh and Arancaytar: Override a previous rule which displays the contents of all tags, including script.
• #56357 by JohnAlbin, et al: Improve cookie naming to prevent conflicting cookies set on the same domain name.
• #118730 by kaerast, kkaefer and webchick: Subtle but important documentation improvement.
• #119196 by douggreen: Apply file API common sense (permissions, file API functions instead of custom code) to files handled by color.module.
• #135926 by nancyw: Invoke hook_link() with correct arguments.
• #158133 by killes: Handle HAVING clauses in db_rewrite_sql().
• #138117 by gordon: Invoke hook_user('login') on registrations without email verification.
• #134308 by dww: The DB API does not handle prefixes with '.' in them well; do not allow that at install time.
• #108282 by vjordan: 4.7.6 wasn't mentioned in the 5.x change log.
• #158687 by drumm: fix URI encoding of some special chars
• #107822 by riccardoR: Content filtering ignores vocabularies with only one term.
• #108733 by add1sun: Whitespace cleanup.
• #114241 by ahoeben: Consistent page titles for adding and listing terms.
• #117217 by neclimdul: Always select correct radio button.
• #118066 by oremj: Do not depend on the database to give us the correct IDs.
• #160263 by Rok Zlender: unset() does not work with static variables.
• #147061 by pwolanin: Remove module-created node types when their module is removed.
• #124485 by Wesley Tanaka: CSS rules for comments should go in comment.css.
• #160107 by JohnAlbin: use the same session ID regardless of the protocol used to access the page (eg share sessions between http and https pages)
• #161963 by Gurpartap Singh: proper links to Drupal.org module and theme download pages
• #157942 by Bart Jansens: Make sure we have a node before granting access to it.
• #162149 by add1sun: Improve accuracy.

The HEAD of the Drupal core CVS repository is now open for the forthcoming 7.x series. This is a development snapshot release for the 7.x series. This is not stable, and production sites should not run this code. However, users wishing to help test and develop the next version of Drupal are encouraged to use this for test sites.

The 1st maintenance and security release of the 5 series.

The 6th maintenance and security release of the 4.7 series.

See the official release announcement.

Changes since DRUPAL-5-0-RC-1:

• #103563: Restore removing of HTML comments in filter_xss()
• Teeny tiny API change: pass normalized ranking score out of node_search()
• #103519: Allow dot in database table prefix.
• #103784 by Gabor: fixed translation problems.
• #103785 by Goba: fix blog.module confusion.
• #103969 by Gabor: documentation corrections.
• #101455 by vjordan, greggles and all: clarified instructions in README.txt
• #103864: Fix color picker help link.
• #103811 by kkaefer: replace %url with @url.
• #103946 by kkaefer: fixed broken help text.
• #103937 by kkaefer: dropdown list items on mass user editing page not translated.
• #103717 by profix88: unable to edit blocks for administration theme when it is not enabled.
• #69111 by robertDouglass. Speed up the new comments block.
• #45453 by ChrisKennedy. Clear up the username field description.
• #102040 by Jose A Reyero. Clean up search menu items, fixing .../search/user under certain permissions.
• #103187 by dvessle: remove stray p.error.
• #104280 by dww: node_form_add_preview() broken if you alter the Preview button at all.
• #104349: Remove erronous 'break' statement
• #103826 by kkaefer and ChrisKennedy. Improve the welcome page translatability.
• #104309 by jvandyck: documentation improvements.
• #103462 by jvandyck: documentation and grammar clean up.
• #104516 by Chris: made RSS feeds validate.
• #82178 by ChrisKennedy: fixed grippie on IE6.
• #104598 by ChrisKennedy: validate max length of textfields.
• #104693 by ChrisKennedy: send proper HTTP headers: HTTP/1.0 -> HTTP/1.1.
• #104618 by robertDouglas and jvandyk: fixed node caching.
• #103604 by ufku: IE6 fix for Garland.
• Removing trailing whitespace.
• #104575 by pwolanin and kkaefer: cleanup variables before saving.
• #88707 by chx: Make menu_set_active_item a complete inner redirection.
• #104729 by dww et al: node_form_add_preview() destroys existing prefix values
• #104882 by dww: fixing forum topic teasers.
• #104951 by Gabor: corrected the documentation. Page.module no longer
  exists.
• #104833 by RobRoy: upgrade to jQuery 1.0.4.
• #100957 by chx: clean up drupal_lookup_path()
• #104437 by kkaefer: corrected help texts.
• #104833 by webernet: mention correct jQuery version in CHANGELOG.txt
• #104617 by robertDouglass. Use more efficient style which hits the static cache.
• #102170 by ChrisKennedy. Make username and email field #maxlengths consistent.
• #104107 by ChrisKennedy. Clear all of the DB caches in update.php.
• #104508 by Steven. Use standard SQL for updating post grants.
• #105178 by ChrisKennedy. Remove an extra a word.
• #19891 by edkwh. Make forum and container names links in forum administration.
• #60664 by Heine. Only check if new comments are duplicates.
• #105210 by myself. Check the correct hook for grant rebuild UI.
• #100747 by ankur: confirm_form() does not allow empty description strings.
• #105253 by RobRoy: corrected maxlength setting for feeds.
• #105164 by kkaefer: image quality settings toggle.
• #105216 by dww: profiles where no longer being themed due to missing CSS.
• #104346 by pwolanin. Load all content type information instead of an overly-minimal set for node type resetting.
• #105303 by Gabor Hojtsy. Improve translation converage for installation.
• #105309 by Gabor Hojtsy. Translate language name selection on user edit pages.
• #29107 by asimmonds. Remove non-rendered padding on taxonomy links which caused clickability issues in IE.
• Fix update.js after id cleanup patch
• #100249 by webchick: properly initialize variable.
• #85979 by RobRoy, keith.smith, fgm and webchick: improve documentation of db_next_id().
• #105461 by jvandyk: fixed code comments.
• #105300 by Gabor Hojtsy. Avoid serving .po files.
• #24023 (follow up): Add API function for dealing with form API #options arrays.
• #86384 by AjK and Steve McKenzie. Catch backspace in autocomplete fields.
• #100963 by Eaton. Use new pattern for node rendering in printer-friendly version.
• #44276 by dww. Include updated posts in tracker calculations.
• #90738 by jjeff and ChrisKennedy. first and last are not mutually exclusive.
• #104352 by pwolanin. Dissallow the type name '0' which confuses Drupal.
• #105698 by dww. Edit permissions links for all roles, including anonymous and authenticated.
• #97640: Do not xss filter locale strings on import or edit.
• #105757 by kkaefer: Min word count = 0 has no effect because body is always required.
• #105540 by souvent22: small SQL optimization.
• #105454 by kkaefer, ChrisKennedy, RobRoy et al: fixed update paths.
• #102011 by mfer et al: UPGRADE.txt improvements. Made some changes of my own.
• #103371 by drewish. More consistent and correct calling of node_invoke(..., 'view').
• #105216 by dww and merlin: fixed CSS comment.
• #77971 by jvandyck, drumm, et al: move logging to exit hook
• #105368 by ChrisKennedy: Clarify that settings.php is set to RO on install.
• #105889: fix parse error in locale.inc
• #105855: Require MySQL 4.0. MySQL 3.23 is no longer supported by the vendor.
• #102599 by ChrisKennedy: fixed rare 'call to undefined function' in the installer.
• #104537: Fix autocomplete dropdown positioning in IE6 and IE7.
• #105368 by KarenS and Morbus: clarify settings.php permissions.
• #105851 by dww. Complete the list of CVS meta files.
• #105726 by moshe weitzman. Remove necessity to hard-code theme engine directories since they can change.
• #48415 by nickl. Correct count query for Top visitors page.
• #18870 by zen. Only allow the new comment anchor to be output forthe first new comment.
• #101757 by ChrisKennedy. 1 byte instead of 1 bytes.
• Rollback MySQL requirement check.
• #105937 by Gabor: fixed caching bug with enabling and disabling themes/modules. My last commit of the year ...
• #106232 by chx. Add spaces for code style.
• #106266 by webchick. Blob and text columns can't have default values in MySQL.
• #98720 by chx. Better checking of selected options.
• #104693 by ChrisKennedy: pragma dates back from previous protocal.
• #103164 by davea and RobRoy: made downloads work on IE6. Send correct headers.
• #106370 by naquah and chx: fixed query rewriting in presence of OR-clause.
• #106405 by yched: fixed typo in PHPdoc.
• #106351 by hickory: fixed comment forms.
• #104763 by RobRoy: better defaults for page and story.
• #104156 by chromeyellow and Heine: avoid redundant SQL queries.
• Still used 'themetastic' inside style.css comment. Changed to 'garland'.
• #86737: Security htaccess fix needs to be created with group permissions set.
• #104693 by Chris: switch back to HTTP/1.0 headers.
• #106428 by RobRoy: corrected the welcome text.
• #100563 by m3avrck: improved phpDoc of drupal_add_css.
• #100563: Clarify documentation for CSS preprocessor.
• #107015: Code consistency, capitalization of class names.
• #107097 by webernet: remove bogus xhtml from string.
• #24023 by dww: rename form_get_option_key() and fix its behavior.
• #80085: Don't show user picture form on registration pages (chx / webchick)
• #107306 by webernet: fixed incomplete break-tag clean up.
• #107234 by webchick: documentation improvements.
• #106550 by webchick: new version schema.
• #75916 by pcwick: block user/login page.
• #107375 by Jax: removing space.
• #107231 by webchick: mention site offline status in upgrade documentation.
• #107611 by Steven. Fix bug triggered by pressing enter while results are being fetched.
• #106245 by webchick. Replace 'node' with post.
• #106607 by anantagati. Add the user picture for node previews.
• Cleanup form attributes.
• #107443 by webchick. Proper . placement.
• #107768 by Morbus Iff. Show help for content types containing '_'.
• #107788 by Uwe: alignment fixes.
• #104506 by m3vrick: better cache headers for static files.
• #108130: Don't allow empty autocomplete searches
• Fix button alignment on watchdog form in Garland.
• #38451: Maintain node options when a non-admin edits a node.
• #108215: Fading elements in IE causes text to bleed.
• #107966 by Ralf: consistent length of textfields.
• #108186: Fix install.php on Firefox (caching issue)

Fifth maintenance and security release of the Drupal 4.7 release series.

Latest and greatest of the 4.6 releases. Also probably the last. Consider upgrading.

This version is no longer supported.

Changes since DRUPAL-5-0-BETA-2:

• #8716 by webchick et al: small usability improvement: don't show empty tables.
• #16798 by profix898: flush the page cache when someone changes his user profile.
• #18616: allow longer role names.
• #26552 by Heine. Add child page to unpublished book nodes doesn't work, so remove the link.
• #27906 by mikeryan: added Brazilian-Portugese support.
• #40871: Allow class on checkboxes/radios group container.
• #49926: Allow break tag usage with PHP format, don't cut off otherwise.
• #51314 by kjartan, eafarris, et al: hide the last comment bloc