Index: includes/bootstrap.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/bootstrap.inc,v
retrieving revision 1.427
diff -u -p -r1.427 bootstrap.inc
--- includes/bootstrap.inc 12 Oct 2010 03:10:03 -0000 1.427
+++ includes/bootstrap.inc 15 Oct 2010 03:57:37 -0000
@@ -19,7 +19,7 @@ define('DRUPAL_CORE_COMPATIBILITY', '7.x
 /**
 * Minimum supported version of PHP.
 */
-define('DRUPAL_MINIMUM_PHP', '5.2.5');
+define('DRUPAL_MINIMUM_PHP', '5.2.4');
 /**
 * Minimum recommended value of PHP memory_limit.
Index: includes/file.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/file.inc,v
retrieving revision 1.236
diff -u -p -r1.236 file.inc
--- includes/file.inc 12 Oct 2010 03:10:03 -0000 1.236
+++ includes/file.inc 15 Oct 2010 03:57:37 -0000
@@ -122,11 +122,11 @@ function file_get_stream_wrappers($filte
 else {
 $wrappers[$scheme]['override'] = FALSE;
 }
- if (($info['type'] & STREAM_WRAPPERS_REMOTE) == STREAM_WRAPPERS_REMOTE) {
- stream_wrapper_register($scheme, $info['class'], STREAM_IS_URL);
+ if (($info['type'] & STREAM_WRAPPERS_LOCAL) == STREAM_WRAPPERS_LOCAL) {
+ stream_wrapper_register($scheme, $info['class']);
 }
 else {
- stream_wrapper_register($scheme, $info['class']);
+ stream_wrapper_register($scheme, $info['class'], STREAM_IS_URL);
 }
 }
 // Pre-populate the static cache with the filters most typically used.
Index: includes/stream_wrappers.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/stream_wrappers.inc,v
retrieving revision 1.20
diff -u -p -r1.20 stream_wrappers.inc
--- includes/stream_wrappers.inc 17 Aug 2010 22:05:22 -0000 1.20
+++ includes/stream_wrappers.inc 15 Oct 2010 03:57:37 -0000
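Review bot: The doc comment above `DRUPAL_MINIMUM_PHP` in includes/bootstrap.inc still reads "Minimum supported version of PHP.", although 5.2.4 is acceptable only when htmlspecialchars() carries the backported fix that system_requirements() probes for in this same patch. Any other code that compares against this constant without running that probe would now accept an unpatched 5.2.4, so the condition belongs next to the constant. I would extend the docblock with a line such as `* PHP 5.2.4 is accepted only with the htmlspecialchars() security fix backported; system_requirements() verifies this.`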
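Review bot: In file_get_stream_wrappers() (includes/file.inc) the branch now registers every wrapper that lacks the STREAM_WRAPPERS_LOCAL bit with STREAM_IS_URL, but nothing in the code says this default is deliberate. STREAM_IS_URL is what makes PHP apply its allow_url_fopen / allow_url_include restrictions to the scheme, so treating unflagged types as remote is the fail-closed choice and deserves a comment, e.g. `// Only wrappers explicitly flagged local skip STREAM_IS_URL; all others stay subject to PHP's URL restrictions.` The return value of stream_wrapper_register() is ignored in both branches, so a failed registration goes unnoticed. Whether `$info['type']` always has a default is not visible here, because the function starts and ends outside the hunk.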
@@ -65,6 +65,11 @@ define('STREAM_WRAPPERS_VISIBLE', 0x0010
 define('STREAM_WRAPPERS_HIDDEN', STREAM_WRAPPERS_READ | STREAM_WRAPPERS_WRITE);
 /**
+ * Stream wrapper type flag -- hidden, readable and writeable using local files.
+ */
+define('STREAM_WRAPPERS_LOCAL_HIDDEN', STREAM_WRAPPERS_LOCAL | STREAM_WRAPPERS_HIDDEN);
+
+/**
 * Stream wrapper type flag -- visible, readable and writeable.
 */
 define('STREAM_WRAPPERS_WRITE_VISIBLE', STREAM_WRAPPERS_READ | STREAM_WRAPPERS_WRITE | STREAM_WRAPPERS_VISIBLE);
@@ -75,9 +80,14 @@ define('STREAM_WRAPPERS_WRITE_VISIBLE',
 define('STREAM_WRAPPERS_READ_VISIBLE', STREAM_WRAPPERS_READ | STREAM_WRAPPERS_VISIBLE);
 /**
+ * Stream wrapper type flag -- visible, readable and writeable using remote files.
+ */
+define('STREAM_WRAPPERS_NORMAL', STREAM_WRAPPERS_REMOTE | STREAM_WRAPPERS_WRITE_VISIBLE);
+
+/**
 * Stream wrapper type flag -- visible, readable and writeable using local files.
 */
-define('STREAM_WRAPPERS_NORMAL', STREAM_WRAPPERS_LOCAL | STREAM_WRAPPERS_WRITE_VISIBLE);
+define('STREAM_WRAPPERS_LOCAL_NORMAL', STREAM_WRAPPERS_LOCAL | STREAM_WRAPPERS_WRITE_VISIBLE);
 /**
 * Generic PHP stream wrapper interface.
Index: includes/database/database.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/database/database.inc,v
retrieving revision 1.140
diff -u -p -r1.140 database.inc
--- includes/database/database.inc 3 Oct 2010 01:29:40 -0000 1.140
+++ includes/database/database.inc 15 Oct 2010 03:57:37 -0000
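Review bot: Redefining `STREAM_WRAPPERS_NORMAL` in the second hunk of includes/stream_wrappers.inc, from the local combination to `STREAM_WRAPPERS_REMOTE | STREAM_WRAPPERS_WRITE_VISIBLE`, silently changes the meaning of a constant that existing hook_stream_wrappers() implementations may already use for local schemes. Combined with the file.inc change in this patch, such a wrapper would be registered as a URL wrapper after the upgrade. The docblock should say so, for instance `* Wrappers backed by local files must use STREAM_WRAPPERS_LOCAL_NORMAL instead.`, and a matching hint fits the new `STREAM_WRAPPERS_LOCAL_HIDDEN` docblock in the first hunk. The definitions of STREAM_WRAPPERS_LOCAL and STREAM_WRAPPERS_REMOTE are outside both hunks, so whether the two bits can be set together cannot be checked from here.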
@@ -1293,6 +1293,9 @@ abstract class Database {
 /**
 * Gets the connection object for the specified database key and target.
 *
+ * Note: do not use the setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE) on the
+ * returned object because of http://bugs.php.net/bug.php?id=43139.
+ *
 * @param $target
 * The database target name.
 * @param $key
Index: modules/system/system.install
===================================================================
RCS file: /cvs/drupal/drupal/modules/system/system.install,v
retrieving revision 1.518
diff -u -p -r1.518 system.install
--- modules/system/system.install 12 Oct 2010 02:50:03 -0000 1.518
+++ modules/system/system.install 15 Oct 2010 03:57:38 -0000
@@ -77,6 +77,14 @@ function system_requirements($phase) {
 // If PHP is old, it's not safe to continue with the requirements check.
 return $requirements;
 }
+ // Check that htmlspecialchars() is secure if the site is running any PHP
+ // version older than 5.2.5.
+ elseif (version_compare($phpversion, '5.2.5') < 0 && strlen(@htmlspecialchars(chr(0xC0) . chr(0xAF), ENT_QUOTES, 'UTF-8'))) {
+ $requirements['php']['description'] = $t('Your PHP installation is too old. Drupal requires at least PHP 5.2.5, or PHP @version with the htmlspecialchars security patch backported.', array('@version' => DRUPAL_MINIMUM_PHP));
+ $requirements['php']['severity'] = REQUIREMENT_ERROR;
+ // If PHP is old, it's not safe to continue with the requirements check.
+ return $requirements;
+ }
 // Test PHP register_globals setting.
 $requirements['php_register_globals'] = array(
Index: modules/system/system.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/system/system.module,v
retrieving revision 1.980
diff -u -p -r1.980 system.module
--- modules/system/system.module 13 Oct 2010 17:09:00 -0000 1.980
+++ modules/system/system.module 15 Oct 2010 03:57:38 -0000
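Review bot: The new `elseif` in system_requirements() (modules/system/system.install) depends on a one-line probe whose expected result is never explained. It passes the two bytes 0xC0 0xAF, which are not valid UTF-8, to htmlspecialchars() and treats any non-empty output as an unpatched PHP. The comment should state that, e.g. `// A fixed htmlspecialchars() returns an empty string for the invalid UTF-8 bytes 0xC0 0xAF; any output means the fix is missing.`, and should also say why 5.2.4 is tolerated at all. The literal '5.2.5' is repeated in the comparison and in the message, so a named constant would keep the two from drifting apart. The `if` this branch chains onto is above the hunk.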
@@ -1553,12 +1553,13 @@ function system_stream_wrappers() {
 'name' => t('Public files'),
 'class' => 'DrupalPublicStreamWrapper',
 'description' => t('Public local files served by the webserver.'),
+ 'type' => STREAM_WRAPPERS_LOCAL_NORMAL,
 ),
 'temporary' => array(
 'name' => t('Temporary files'),
 'class' => 'DrupalTemporaryStreamWrapper',
 'description' => t('Temporary local files for upload and previews.'),
- 'type' => STREAM_WRAPPERS_HIDDEN,
+ 'type' => STREAM_WRAPPERS_LOCAL_HIDDEN,
 ),
 );
@@ -1568,6 +1569,7 @@ function system_stream_wrappers() {
 'name' => t('Private files'),
 'class' => 'DrupalPrivateStreamWrapper',
 'description' => t('Private local files served by Drupal.'),
+ 'type' => STREAM_WRAPPERS_LOCAL_NORMAL,
 );
 }