? files
? sites/default/settings.php
Index: includes/bootstrap.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/bootstrap.inc,v
retrieving revision 1.199
diff -u -p -r1.199 bootstrap.inc
--- includes/bootstrap.inc	11 Nov 2007 16:14:45 -0000	1.199
+++ includes/bootstrap.inc	22 Nov 2007 18:39:25 -0000
@@ -237,7 +237,7 @@ function conf_path($require_settings = T
   }
 
   $confdir = 'sites';
-  $uri = explode('/', $_SERVER['SCRIPT_NAME'] ? $_SERVER['SCRIPT_NAME'] : $_SERVER['SCRIPT_FILENAME']);
+  $uri = explode('/', $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_FILENAME']);
   $server = explode('.', implode('.', array_reverse(explode(':', rtrim($_SERVER['HTTP_HOST'], '.')))));
   for ($i = count($uri) - 1; $i > 0; $i--) {
     for ($j = count($server); $j > 0; $j--) {
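Review bot: `$_SERVER['PHP_SELF']` includes any path info the client appends after the script name, so the `$uri` segments in conf_path() now come from request-influenced text where `SCRIPT_NAME` did not; the comment this patch removes from conf_init() said exactly that. The loops that consume `$uri` continue outside the hunk, but they appear to select the configuration directory under `sites/`, and that lookup should not depend on visitor input. The same substitution in request_uri() (the three `$uri = $_SERVER['PHP_SELF'] ...` assignments) is unescaped and has the same weakness wherever the result is later printed. I would keep `$_SERVER['SCRIPT_NAME']` as the first choice on this line and add a comment naming the server setup that motivated the change, so the fallback can be validated for that case alone.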
@@ -299,9 +299,8 @@ function conf_init() {
     // characters allowed in hostnames.
     $base_url = $base_root .= '://'. preg_replace('/[^a-z0-9-:._]/i', '', $_SERVER['HTTP_HOST']);
 
-    // $_SERVER['SCRIPT_NAME'] can, in contrast to $_SERVER['PHP_SELF'], not
     // be modified by a visitor.
-    if ($dir = trim(dirname($_SERVER['SCRIPT_NAME']), '\,/')) {
+    if ($dir = trim(dirname(htmlentities($_SERVER['PHP_SELF'])), '\,/')) {
       $base_path = "/$dir";
       $base_url .= $base_path;
       $base_path .= '/';
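Review bot: `htmlentities()` is an HTML output encoding, not path validation, so wrapping `$_SERVER['PHP_SELF']` in it does not make `dirname()` safe. When a request carries trailing path info, `dirname()` still returns extra directory levels, and `$base_path` and `$base_url` then become wrong and visitor-influenced. The patch also deletes only the first line of the two-line comment, so what remains above the `if` is the fragment `// be modified by a visitor.`, which should be rewritten or removed. Keeping `dirname($_SERVER['SCRIPT_NAME'])` avoids both problems; if `PHP_SELF` is really needed, say why in a comment such as `// PHP_SELF may carry client-supplied path info; used here because <reason>.` conf_init() continues outside the hunk.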
@@ -682,13 +681,13 @@ function request_uri() {
   }
   else {
     if (isset($_SERVER['argv'])) {
-      $uri = $_SERVER['SCRIPT_NAME'] .'?'. $_SERVER['argv'][0];
+      $uri = $_SERVER['PHP_SELF'] .'?'. $_SERVER['argv'][0];
     }
     elseif (isset($_SERVER['QUERY_STRING'])) {
-      $uri = $_SERVER['SCRIPT_NAME'] .'?'. $_SERVER['QUERY_STRING'];
+      $uri = $_SERVER['PHP_SELF'] .'?'. $_SERVER['QUERY_STRING'];
     }
     else {
-      $uri = $_SERVER['SCRIPT_NAME'];
+      $uri = $_SERVER['PHP_SELF'];
     }
   }
 
Index: modules/system/system.install
===================================================================
RCS file: /cvs/drupal/drupal/modules/system/system.install,v
retrieving revision 1.190
diff -u -p -r1.190 system.install
--- modules/system/system.install	21 Nov 2007 09:49:36 -0000	1.190
+++ modules/system/system.install	22 Nov 2007 18:39:25 -0000
@@ -305,9 +305,10 @@ function system_install() {
   // anyways. So we insert the superuser here, the uid is 2 here for now, but
   // very soon it will be changed to 1.
   db_query("INSERT INTO {users} (name, mail, created, data) VALUES('%s', '%s', %d, '%s')", 'placeholder-for-uid-1', 'placeholder-for-uid-1', time(), serialize(array()));
-  // This sets the above two users to 1 -1 = 0 (anonymous) and
-  // 2- 1 = 1 (superuser). We skip uid 2 but that's not a big problem.
-  db_query('UPDATE {users} SET uid = uid - 1');
+  // This sets the above two users uid 0 (anonymous). We avoid an explicit 0.
+  db_query("UPDATE {users} SET uid = uid - uid WHERE name = '%s'", '');
+  // This sets uid 1 (superuser). We skip uid 2 but that's not a big problem.
+  db_query("UPDATE {users} SET uid = 1 WHERE name = '%s'", 'placeholder-for-uid-1');
 
   db_query("INSERT INTO {role} (name) VALUES ('%s')", 'anonymous user');
   db_query("INSERT INTO {role} (name) VALUES ('%s')", 'authenticated user');
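Review bot: The new comment `// This sets the above two users uid 0 (anonymous).` does not match the statement below it, which only updates the row with `name = ''`; the placeholder row is handled by the following query. It also says an explicit 0 is avoided without saying why, which is the part a later reader needs. Suggested wording: `// Set the anonymous user (empty name) to uid 0. We write uid - uid instead of a literal 0 because <reason>.` The INSERT that creates the empty-name row is outside the hunk, so I am assuming it is the only row with that name at this point in system_install().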
