drupal 5.3

The third maintenance and security release of the Drupal 5 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 6.0 release.

This release fixes five security vulnerabilities. Sites are urged to upgrade immediately. For more details, please see the security announcements:

• SA-2007-024 - Drupal Core - HTTP response splitting
• SA-2007-025 - Drupal Core - Arbitrary code execution via installer.
• SA-2007-026 - Drupal Core - Cross site scripting via uploads
• SA-2007-029 - Drupal Core - User deletion cross site request forgery
• SA-2007-030 - Drupal Core - API handling of unpublished comment

In addition to these security vulnerabilities, the following bugs have been fixed since the 5.2 release:

• #163092 by Wesley Tanaka. Add forum css only to pages which need it.
• #163458 by heyrocker. Make sure the user object has roles before checking them.
• #164974 by ricflomag. Better use of t().
• #165604 by mvc. Redirect to home page after user registration requiring admin approval.
• #150759 by hass. Remove @charset rules for aggregated stylesheets, which were incorrect and confused Safari.
• #167284 by Heine and pwolanin. Avoid abusing %s for lists.
• #91404, Footer CSS fix, patch by blakehall
• #174270 by kkaefer. Make user filter translatbale.
• #171536 by pillarsdotnet. Correct id for {user_roles} in Postgres.
• #106115 by sparr: restore previously present 16x16 (and add 32x32) favicon size, so when a shortcut is saved, a nice icon is used
• #117151 by profix898 and thePanz: the second part of our FilesMatch list contained complete file names which should be protected (eg. Tag), but should not match parts of the file names (eg. Tagging.txt)
• #168429 by gaele: there is no settings module, fixing reference to system module in help text
• #177829 by jjeff: search indexing did not invoke the nodeapi alter hook, so what the user seen and what was indexed was different
• #171747 by chx. More correct wording since some modules will actually work despite warning.
• #160603 by nancyw and Freso: variable search_cron_limit was not removed on search uninstall
• #112064 by Dave Cohen and pwolanin: do not cache installer redirects, so live Drupal pages will be visible instead of cached installer pages
• #180559 by hunmonk: do not try to display the comment addition form at th end of comments, if we are already on the page, so it is displayed anyway
• #110511 by bjaspan: poll listing page should have a 'count_sql' because the original query uses group by, so it is not countable properly
• #63990 by hunmonk. Append to instead of overwrite #suffix.
• #183390 by hunmonk: forms should use form_state['redirect'] for redirection, not drupal_goto() - fix this in comment_admin_overview_submit()
• #183388 by hunmonk. Fix syntax error.
• - Patch #178999 by JohnAlbin, sun and sammys: fixed race condition with drupal_goto().
• #183357 by Freso: hide administration pages links on module help pages if there are no admin links for the module
• #172588 by Tresler, Freso and webernet: add missing help page for color module