Related to SA-CORE-2009-005, page.tpl.php contains insecure code.

As an alternate solution if you are unable to upgrade immediately, you can alter your page template following the pattern in the core changes. Open your theme's main page.tpl.php file as well as any other page templates like page-node.tpl.php or page-front.tpl.php and move the line that prints $head (<?php print $head ?>) above the line with the <title> tag, so that it is the first item after the <head> tag.
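A check for the stop-gap described above, as an added example that is not part of the original issue or the Mobile theme: it scans a theme directory for page*.tpl.php files in which the <title> tag still precedes print $head. The sample <head> fragments are constructed, not taken from the theme.

```python
# Added example (not code from the issue thread or the Mobile theme):
# flag Drupal 6 page templates that still print <title> before $head,
# the ordering the thread says to rearrange as a stop-gap for
# SA-CORE-2009-005 until Drupal core is upgraded.
import re
from pathlib import Path

HEAD_RE = re.compile(r"<\?php\s+print\s+\$head\s*;?\s*\?>")
TITLE_RE = re.compile(r"<title\b", re.IGNORECASE)


def head_printed_before_title(template: str) -> bool:
    """True when `print $head` comes before the first <title> tag.

    No <title> at all means nothing to reorder, so it passes; a <title>
    with no `print $head` fails, because the meta tags core puts in
    $head never reach the page (assumption: theme relies on core's $head).
    """
    head = HEAD_RE.search(template)
    title = TITLE_RE.search(template)
    if title is None:
        return True
    if head is None:
        return False
    return head.start() < title.start()


def find_misordered_templates(theme_dir) -> list:
    """page*.tpl.php files under theme_dir (page-node, page-front, ...) needing the fix."""
    return sorted(
        str(p) for p in Path(theme_dir).glob("page*.tpl.php")
        if not head_printed_before_title(p.read_text(encoding="utf-8"))
    )


# Constructed sample <head> sections, not the Mobile theme's real files.
OLD_ORDER = """<head>
  <title><?php print $head_title ?></title>
  <?php print $head ?>
</head>"""

FIXED_ORDER = """<head>
  <?php print $head ?>
  <title><?php print $head_title ?></title>
</head>"""

if __name__ == "__main__":
    print("old order passes:", head_printed_before_title(OLD_ORDER))      # False
    print("fixed order passes:", head_printed_before_title(FIXED_ORDER))  # True
```

Run it against a theme directory with find_misordered_templates("/path/to/theme") to list the templates that still need rearranging.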

Comments

Comment by sillygwailo

Assigned: Unassigned » sillygwailo
Comment by sillygwailo

Status: Active » Fixed

I created a 1.1 release for both the Drupal 6 and Drupal 5 (forthcoming) branches which fixes this. The fix is in the dev release for both branches as well.

Comment by gábor hojtsy

Priority: Critical » Minor

@BENNYSOFT: note that as you copy-pasted, fixing themes was just suggested as a stop-gap solution until people can update their Drupal core versions. As the quote starts: "As an alternate solution if you are unable to upgrade immediately...". Mobile theme is and was not vulnerable once you upgraded your Drupal site, while most themes were vulnerable before you updated your Drupal site to the latest Drupal core.

So this makes this a non-security fix, also not critical. Since the Drupal core fix was designed to implicitly fix all themes, this is just a cosmetic change on the Drupal 5 and 6 versions of the theme. How Drupal 7 will handle this situation is still a question, but that is still far off.

Comment by Anonymous

> So this makes this a non-security fix

I never marked this as a security fix. The title was inappropriate.

> Mobile theme is and was not vulnerable once you upgraded your Drupal site

That's the point. I can't check whether all sites using this theme are at the proper level of security.

I wanted to give a note only. However, I will refrain from it in the future. I'm not as familiar with Drupal as you are. ;-)

Comment by gábor hojtsy

Title: Insecure page template » Align page template to latest Drupal 6 standards

Yup, the title marked it a security issue :) Corrected it now.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.