Maintenance and security release of the Drupal 6 series.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:
This is the last community-supported release of Drupal 6, which has now reached its end of life.
Because this is the last release, it also includes some small documentation improvements (that were previously on the development branch) in addition to the security fixes. No other fixes are included.
Besides documentation fixes, no changes have been made to the .htaccess, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary.
Major changes since 6.37:
- The drupal_goto() function will no longer attempt to decode URLs passed to it via the "destination" query parameter in the URL. This could affect destination query parameters that were encoded using drupal_urlencode() before placing them on the page, but this should not be common since the drupal_urlencode() documentation already warned that using it in this manner could lead to unwanted double encoding.
- The "system.multicall" method in Drupal's XML-RPC server has changed such that, by default, it only supports one call for each distinct RPC method (in other words, within a single XML-RPC request you may call four different methods but you can no longer call the same method four times). No changes have been made to Drupal's XML-RPC client code that is used for making XML-RPC requests from your site to other XML-RPC servers; this only affects calls from other servers to your Drupal site. This was not a commonly used feature, but if you have a use case that requires multiple calls to the same XML-RPC method in a single request, a new "xmlrpc_multicall_duplicate_method_limit" variable has been provided that allows you to do so. For example, in settings.php:
    // Allow the same method to be called up to 10 times in a single
    // "system.multicall" request.
    $conf['xmlrpc_multicall_duplicate_method_limit'] = 10;

    // Setting the variable to 0 or lower will remove the limit and restore the
    // prior behavior, although this also weakens protection against brute-force
    // attacks.
    $conf['xmlrpc_multicall_duplicate_method_limit'] = 0;
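Before raising the limit, it helps to know which incoming "system.multicall" requests would exceed it. The following is an added example, not Drupal's own code: an offline Python check that counts how often each method appears in one captured request body. The function names and the `demo.*` method names are constructed for illustration, and how the server answers calls over the limit is not modeled.

```python
import xmlrpc.client
from collections import Counter
from xml.parsers.expat import ExpatError


def build_multicall(calls):
    """Serialize (method, params) pairs as one system.multicall request.

    Only used here to construct sample input for the check below.
    """
    payload = [{"methodName": name, "params": list(params)}
               for name, params in calls]
    return xmlrpc.client.dumps((payload,), methodname="system.multicall")


def duplicate_methods(body, limit=1):
    """Return {method: count} for methods called more than `limit` times.

    `limit` mirrors xmlrpc_multicall_duplicate_method_limit: the default
    is 1, and 0 or lower removes the limit, so nothing is reported.
    Bodies that are not a well-formed multicall request report nothing.
    """
    if limit <= 0:
        return {}
    try:
        params, method = xmlrpc.client.loads(body)
    except (ExpatError, xmlrpc.client.Fault, xmlrpc.client.ResponseError):
        return {}
    if method != "system.multicall":
        return {}
    if len(params) != 1 or not isinstance(params[0], list):
        return {}
    names = [call.get("methodName") for call in params[0]
             if isinstance(call, dict)]
    counts = Counter(n for n in names if isinstance(n, str))
    return {name: n for name, n in counts.items() if n > limit}


if __name__ == "__main__":
    # Constructed samples: four different methods, then one method four times.
    distinct = build_multicall([("demo.a", ()), ("demo.b", ()),
                                ("demo.c", ()), ("demo.d", ())])
    repeated = build_multicall([("demo.a", (i,)) for i in range(4)])
    print("distinct, default limit:", duplicate_methods(distinct))
    print("repeated, default limit:", duplicate_methods(repeated))
    print("repeated, limit 10:     ", duplicate_methods(repeated, limit=10))
```

Running this over request bodies from legitimate integrations shows the smallest limit value that still accommodates them.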