Index: modules/user/user.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.module,v
retrieving revision 1.977
diff -u -9 -p -r1.977 user.module
--- modules/user/user.module 20 Apr 2009 04:41:35 -0000 1.977
+++ modules/user/user.module 23 Apr 2009 20:06:55 -0000
@@ -808,19 +808,19 @@ function user_perm() {
 /** * Implementation of hook_file_download(). * * Ensure that user pictures (avatars) are always downloadable. */ function user_file_download($filepath) { if (strpos($filepath, variable_get('user_picture_path', 'pictures') . '/picture-') === 0) { $info = image_get_info(file_create_path($filepath));
- return array('Content-type: ' . $info['mime_type']);
+ return array('Content-Type' => $info['mime_type']);
 } } /** * Implementation of hook_file_references(). */ function user_file_references($file) { // Determine if the file is used by this module. $count = db_query('SELECT COUNT(*) FROM {users} WHERE picture = :fid', array(':fid' => $file->fid))->fetchField();
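Review bot: In user_file_download() the new `'Content-Type' => $info['mime_type']` entry is built without checking the result of image_get_info(). If that call cannot identify the file, the hook still approves the download but with an empty Content-Type, leaving the browser to guess the type of a user-uploaded file. Guard the return, e.g. `if ($info = image_get_info(file_create_path($filepath))) { return array('Content-Type' => $info['mime_type']); }`. The failure return value of image_get_info() is not visible in this hunk, so confirm that it is falsy.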
@@ -1173,19 +1173,19 @@ function template_preprocess_user_pictur
 if (!empty($account->picture->filepath)) { $filepath = $account->picture->filepath; } } elseif (variable_get('user_picture_default', '')) { $filepath = variable_get('user_picture_default', ''); } if (isset($filepath)) { $alt = t("@user's picture", array('@user' => $account->name ? $account->name : variable_get('anonymous', t('Anonymous'))));
- $variables['picture'] = theme('image', $filepath, $alt, $alt, '', FALSE);
+ $variables['picture'] = theme('image', file_create_url($filepath), $alt, $alt, '', FALSE);
 if (!empty($account->uid) && user_access('access user profiles')) { $attributes = array('attributes' => array('title' => t('View user profile.')), 'html' => TRUE); $variables['picture'] = l($variables['picture'], "user/$account->uid", $attributes); } } } } /**
Index: modules/system/system.api.php
===================================================================
RCS file: /cvs/drupal/drupal/modules/system/system.api.php,v
retrieving revision 1.27
diff -u -9 -p -r1.27 system.api.php
--- modules/system/system.api.php 21 Apr 2009 05:07:08 -0000 1.27
+++ modules/system/system.api.php 23 Apr 2009 20:06:55 -0000
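Review bot: `file_create_url($filepath)` is now applied to both sources of `$filepath`, including the value read from `user_picture_default` in the `elseif` branch. If that setting can hold a path outside the files directory or an absolute URL (not visible here), the rewritten URL would no longer resolve, most visibly under private downloads. Consider converting only the uploaded picture, e.g. `$filepath = file_create_url($account->picture->filepath);` in the first branch, and leaving the `theme('image', $filepath, ...)` call as it was. The enclosing function starts before this hunk, so the earlier branches should be checked as well.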
@@ -1243,20 +1243,20 @@ function hook_file_delete($file) {
 function hook_file_download($filepath) { // Check if the file is controlled by the current module. $filepath = file_create_path($filepath); $result = db_query("SELECT f.* FROM {files} f INNER JOIN {upload} u ON f.fid = u.fid WHERE filepath = '%s'", $filepath); if ($file = db_fetch_object($result)) { if (!user_access('view uploaded files')) { return -1; } return array(
- 'Content-Type: ' . $file->filemime,
- 'Content-Length: ' . $file->filesize,
+ 'Content-Type' => $file->filemime,
+ 'Content-Length' => $file->filesize,
 ); } } /** * Check installation requirements and do status reporting. * * This hook has two closely related uses, determined by the $phase argument: * checking installation requirements ($phase == 'install')
Index: sites/default/default.settings.php
===================================================================
RCS file: /cvs/drupal/drupal/sites/default/default.settings.php,v
retrieving revision 1.23
diff -u -9 -p -r1.23 default.settings.php
--- sites/default/default.settings.php 19 Apr 2009 19:10:08 -0000 1.23
+++ sites/default/default.settings.php 23 Apr 2009 20:06:55 -0000
@@ -270,18 +270,37 @@ $conf = array(
 * in the X-Forwarded-For headers only if Remote IP address is one of * these, that is the request reaches the web server from one of your * reverse proxies. Otherwise, the client could directly connect to * your web server spoofing the X-Forwarded-For headers. */ # 'reverse_proxy_addresses' => array('a.b.c.d', ...), // Leave the comma here. ); /**
+ * Page caching:
+ *
+ * By default, Drupal sends a "Vary: Cookie" HTTP header for anonymous page
+ * views. This tells a HTTP proxy that it may return a page from its local
+ * cache without contacting the web server, if the user sends the same Cookie
+ * header as the user who originally requested the cached page. Without "Vary:
+ * Cookie", authenticated users would also be served the anonymous page from
+ * the cache. If the site has mostly anonymous users except a few known
+ * editors/administrators, the Vary header can be omitted. This allows for
+ * better caching in HTTP proxies (including reverse proxies), i.e. even if
+ * clients send different cookies, they still get content served from the cache
+ * if aggressive caching is enabled and the minimum cache time is non-zero.
+ * However, authenticated users should access the site directly (i.e. not use an
+ * HTTP proxy, and bypass the reverse proxy if one is used) in order to avoid
+ * getting cached pages from the proxy.
+ */
+# $conf['omit_vary_cookie'] = TRUE;
+
+/**
 * String overrides: * * To override specific strings on your site with or without enabling locale * module, add an entry to this list. This functionality allows you to change * a small number of your site's default English language interface strings. * * Remove the leading hash signs to enable.
*/ # $conf['locale_custom_strings_en'] = array(
Index: modules/upload/upload.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/upload/upload.module,v
retrieving revision 1.232
diff -u -9 -p -r1.232 upload.module
--- modules/upload/upload.module 11 Apr 2009 22:19:45 -0000 1.232
+++ modules/upload/upload.module 23 Apr 2009 20:06:55 -0000
@@ -150,20 +150,20 @@ function _upload_file_limits($user) {
 /** * Implementation of hook_file_download(). */ function upload_file_download($filepath) { $filepath = file_create_path($filepath); $file = db_query("SELECT f.*, u.nid FROM {files} f INNER JOIN {upload} u ON f.fid = u.fid WHERE filepath = :path", array(':path' => $filepath))->fetchObject(); if ($file && user_access('view uploaded files') && ($node = node_load($file->nid)) && node_access('view', $node)) { return array(
- 'Content-Type: ' . $file->filemime,
- 'Content-Length: ' . $file->filesize,
+ 'Content-Type' => $file->filemime,
+ 'Content-Length' => $file->filesize,
 ); } else { return -1; } } /** * Save new uploads and store them in the session to be associated to the node
Index: modules/upload/upload.test
===================================================================
RCS file: /cvs/drupal/drupal/modules/upload/upload.test,v
retrieving revision 1.16
diff -u -9 -p -r1.16 upload.test
--- modules/upload/upload.test 22 Apr 2009 09:57:10 -0000 1.16
+++ modules/upload/upload.test 23 Apr 2009 20:06:55 -0000
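Review bot: The new "Page caching" comment does not state the condition that makes omitting "Vary: Cookie" safe: the proxy must never store a response generated for a request that carried a session cookie, otherwise a page rendered for a logged-in user could be handed to other visitors. The text only covers the opposite direction, authenticated users receiving the anonymous page. I would add a sentence such as `* Only enable this if your proxy does not cache responses to requests that carry a session cookie.` before the closing `*/`, and change "a HTTP proxy" to "an HTTP proxy" to match the later wording. Whether Drupal already marks authenticated responses as uncacheable is not visible in this hunk.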
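Review bot: The `'Content-Type' => $file->filemime` entry in upload_file_download() sends whatever MIME type is stored for the file. If that value originates from the uploader (the hunk does not show where it is set), a private download can be rendered by the browser as active content under the site's own origin. Consider serving only an allowlist of types inline and otherwise adding `'Content-Disposition' => 'attachment'`, together with `'X-Content-Type-Options' => 'nosniff'`, to the returned array. The hook_file_download() example in modules/system/system.api.php returns the same two headers and deserves the same caveat in its comment.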
@@ -45,18 +45,23 @@ class UploadTestCase extends DrupalWebTe
 $this->uploadFile($node, $files[1]); // Check to see that uploaded file is listed in detail page and actually accessible. $this->assertText(basename($files[0]), basename($files[0]) . ' found on node.'); $this->assertText(basename($files[1]), basename($files[1]) . ' found on node.'); $this->checkUploadedFile(basename($files[0])); $this->checkUploadedFile(basename($files[1]));
+ // Check that files are also accessible when using private files.
+ variable_set('file_downloads', FILE_DOWNLOADS_PRIVATE);
+ $this->checkUploadedFile(basename($files[0]));
+ $this->checkUploadedFile(basename($files[1]));
+
 // Assure that the attachment link appears on teaser view and has correct count. $node = node_load($node->nid); $teaser = drupal_render(node_build($node, TRUE)); $this->assertTrue(strpos($teaser, format_plural(2, '1 attachment', '@count attachments')), 'Attachments link found on node teaser.'); // Fetch db record and use fid to rename and delete file. $upload = db_fetch_object(db_query('SELECT fid, description FROM {upload} WHERE nid = %d', array($node->nid))); if ($upload) { // Rename file.
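Review bot: The added private-files check only proves the positive case, that the logged-in test user can still fetch both uploads once `file_downloads` is FILE_DOWNLOADS_PRIVATE. Since private mode is what routes downloads through the access checks in upload_file_download(), the test should also request the same URL as a user without 'view uploaded files' and assert the denial, e.g. `$this->assertResponse(array(403), 'Uploaded file is not accessible without permission.');`. The variable is also left set to private for the remainder of the method, which continues outside this hunk. If that is intended, the added comment should say so.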
@@ -189,21 +194,22 @@ class UploadTestCase extends DrupalWebTe
 } /** * Check that uploaded file is accessible and verify the contents against the original. * * @param string $filename Name of file to verify. */ function checkUploadedFile($filename) { global $base_url;
- $file = realpath(file_directory_path() . '/' . $filename);
- $this->drupalGet($base_url . '/' . file_directory_path() . '/' . $filename, array('external' => TRUE));
+ $file = file_directory_path() . '/' . $filename;
+ $this->drupalGet(file_create_url($file), array('external' => TRUE));
 $this->assertResponse(array(200), 'Uploaded ' . $filename . ' is accessible.');
+ $this->assertTrue(strpos($this->drupalGetHeader('Content-Type'), 'text/plain') === 0, t('MIME type is text/plain.'));
 $this->assertEqual(file_get_contents($file), $this->drupalGetContent(), 'Uploaded contents of ' . $filename . ' verified.'); // Verify file actually is readable and writeable by PHP. $this->assertTrue(is_readable($file), t('Uploaded file is readable.')); $this->assertTrue(is_writeable($file), t('Uploaded file is writeable.')); } /** * Get the role id of the 'simpletest' role associated with a SimpleTest test user. *
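Review bot: checkUploadedFile() now asserts that the Content-Type starts with `text/plain`, but its docblock still describes only the accessibility and content check, so the helper silently stops working for any non-text fixture. Document the restriction, e.g. `* Only suitable for plain-text files; the response MIME type is asserted to be text/plain.`, or take the expected type as an optional parameter. `global $base_url;` is no longer used once the URL is built with file_create_url() and can be removed. Dropping realpath() also makes the later `file_get_contents($file)` depend on the working directory of the test runner.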