Drupal 5.13

The thirteenth maintenance and security release of the Drupal 5 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-2008-073 - Drupal core - Multiple vulnerabilities

In addition to this security vulnerability, the following bugs have been fixed since the 5.12 release:

• #318102 by Damien Tournoud and Dave Reid: hook_exit() not invoked for some cached requests.
• #278821 by teezee. More isset() checking.
• #293612 by egfrith, Bart Jansens: let user_authenticate() be called without cookies previously set; allows web service modules to start a session with the authentication.
• #123556 by maartenvg and dvdweide. Do not show empty user info categories.
• #294450 by blakehall. Match up DB and form max length.
• More code style removing trivial differences with 6.x.
• #195161 by mcarbone with some modifications: only show 'login to post comments' if logging in actually lets you post comments. Backport by salvis.
• - Patch #342988 by ultimateboy: fixed order of attributes in PHPdoc.
• #280934 follow up by pwolanin: harden the cookie handling in sess_regenerate() by setting our session cookie to be an HTTP only cookie, thus reducing the risk of session stealing via XSS
• #324875 by pwolanin: improve HTTP_HOST checking, ensuring that the host is lowercased and only valid characters are allowed.
• #28776 by Uwe Hermann, Morbus Iff, jvandyk: Protect *.test files and SVN metafiles from being exposed under Drupal
• #299582 by hass: Remove outdated items from robots.txt and fix ordering of items to make stuff easier to find.