Hello world,
as mentioned last week, I'd like to go ahead and release Drupal 4.5.7 and 4.6.5 to fix the various URL problems introduced by the new XSS filter code. Before I do so, I'd like to know if anyone has been using the head of the DRUPAL-4-6 branch in a production environment? If so, are there any known problems or is it safe to release? If not, would you be willing to upgrade your Drupal 4.6 sites to the head of DRUPAL-4-6 to help test? I don't have a Drupal 4.6 site myself, so I'm looking for help testing. Please provide some feedback. Thanks.
-- Dries Buytaert :: http://www.buytaert.net/
On Tuesday 06 December 2005 09:20, Dries Buytaert wrote:
Hello world,
as mentioned last week, I'd like to go ahead and release Drupal 4.5.7 and 4.6.5 to fix the various URL problems introduced by the new XSS filter code. Before I do so, I'd like to know if anyone has been using the head of the DRUPAL-4-6 branch in a production environment? If so, are there any known problems or is it safe to release? If not, would you be willing to upgrade your Drupal 4.6 sites to the head of DRUPAL-4-6 to help test? I don't have a Drupal 4.6 site myself, so I'm looking for help testing. Please provide some feedback. Thanks.
I will update later tonight. I haven't seen any major issues, other than the immediately found+fixed textarea bug. Not a very large environment, just about 15 sites, using a wide range of cases. Are there any things I should pay attention to in detail? Bèr
On Tuesday 06 December 2005 10:20, Dries Buytaert wrote:
would you be willing to upgrade your Drupal 4.6 sites to the head of DRUPAL-4-6 to help test?
If there are no database changes between 4.6.3 and DRUPAL-4-6 HEAD then perhaps I can help to beta-test it on portal.wikinerds.org. Please tell me whether there are any database changes. -- NSK Founder of the Wikinerds Community http://www.wikinerds.org/
If there are no database changes between 4.6.3 and DRUPAL-4-6 HEAD then perhaps I can help to beta-test it on portal.wikinerds.org. Please tell me whether there are any database changes.
There are no database changes. -- Dries Buytaert :: http://www.buytaert.net/
On Tuesday 06 December 2005 16:20, Dries Buytaert wrote:
If there are no database changes between 4.6.3 and DRUPAL-4-6 HEAD
There are no database changes.
I just finished setting up DRUPAL-4-6-HEAD on a live production site (after a total backup, of course!). At first glance it seems to work ok. You can also have a look and help test 4.6-HEAD on production environment. The site where 4-6-HEAD is installed is http://portal.wikinerds.org/ I will post another message and file bug reports if I find anything wrong. -- NSK Founder of the Wikinerds Community http://www.wikinerds.org/
Perhaps this is out of line, but if another 4.6 release is soon to be released, can someone take a look at this patch? http://drupal.org/node/38889 Without the patch, there are big problems with multiple database connections .. mostly that the cache doesn't work. It'd be really nice to have the patch merged in to the next version so it's one less customization required. Thanks! :) -Rowan
On 06 Dec 2005, at 18:52, Rowan Kerr wrote:
Perhaps this is out of line, but if another 4.6 release is soon to be released, can someone take a look at this patch? http://drupal.org/node/38889
Without the patch, there are big problems with multiple database connections .. mostly that the cache doesn't work. It'd be really nice to have the patch merged in to the next version so it's one less customization required.
This patch has been committed to CVS HEAD and DRUPAL-4-6. People using the HEAD of the DRUPAL-4-6 are encouraged to update once more. No database changes, so a simple 'cvs -q up -AdP' should do the trick. Please report back. Thanks. -- Dries Buytaert :: http://www.buytaert.net/
I'm using the 4.6-cvs version on two very basic sites (simple Corporate-sites) and it works well there
I use it with 4 production sites and have no (new) problems; however, there is still an old one: http://drupal.org/node/29548 Without this, Drupal sends emails to the email address "" with no user information and a new generated password on php5 systems if a user enters invalid user information. The patch for the 4.6 branch still applies. And as I already pointed out here: http://drupal.org/node/38964 I think there should be a note somewhere that Drupal 4.6 isn't php5.1 compatible, or the issue fixed, as xtemplate is still the standard engine for the 4.6 branch. (Unfortunately I don't know xtemplate.) regards, fago
I just upgraded to 4.6.4 and checked 4.6.4 at cvs also and noticed that valid_input_data() function in common.inc is missing. Some modules do use this function thus are not working with that change. banner.module is one of them. Was this necessary because of the recent security vulnerabilities? In any case a workaround would need to be announced. Robert Garrigós
Dries Buytaert wrote:
Hello world,
as mentioned last week, I'd like to go ahead and release Drupal 4.5.7 and 4.6.5 to fix the various URL problems introduced by the new XSS filter code. Before I do so, I'd like to know if anyone has been using the head of the DRUPAL-4-6 branch in a production environment? If so, are there any known problems or is it safe to release? If not, would you be willing to upgrade your Drupal 4.6 sites to the head of DRUPAL-4-6 to help test? I don't have a Drupal 4.6 site myself, so I'm looking for help testing. Please provide some feedback. Thanks.
-- Dries Buytaert :: http://www.buytaert.net/
On Thu, 08 Dec 2005 01:15:18 +0100, Robert Garrigós Castro <robert@garrigos.org> wrote:
I just upgraded to 4.6.4 and checked 4.6.4 at cvs also and noticed that valid_input_data() function in common.inc is missing. Some modules do use this function thus are not working with that change. banner.module is one of them. Was this necessary because of the recent security vulnerabilities? In any case a workaround would need to be announced.
Sorry for not announcing. valid_input_data was broken beyond repair. Filter on output please. This was the preferred way anyways, now it's mandatory. If you need more information do not hesitate to write the list again. Thanks Karoly Negyesi
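The "filter on output" advice above, shown as an added example that is not part of the original thread and is not Drupal code. `reject_suspicious_input()` is a hypothetical stand-in for an input-time check (the thread does not show what `valid_input_data()` did), and the sample values and `render_*` helper names are constructed for illustration.

```php
<?php
// Added illustration, not Drupal code.

// Hypothetical input-time check (an assumption: the thread does not show
// what valid_input_data() did). Blocklist: refuse values that look hostile.
function reject_suspicious_input(string $value): bool {
  return !preg_match('/<\s*script|javascript:/i', $value);
}

// Output-time filtering for HTML text and attribute values: the raw value
// is stored untouched and neutralised where it is printed.
function render_html_text(string $raw): string {
  return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Output-time filtering for a link: URLs need a scheme allowlist as well,
// because escaping alone does not stop a javascript: href.
function render_link(string $raw_url, string $raw_label): string {
  $scheme = strtolower((string) parse_url($raw_url, PHP_URL_SCHEME));
  if (!in_array($scheme, ['http', 'https'], true)) {
    return render_html_text($raw_label);  // degrade to plain text
  }
  return '<a href="' . render_html_text($raw_url) . '">'
       . render_html_text($raw_label) . '</a>';
}

// Constructed sample values.
$samples = [
  'How do I close a <script> tag?',      // honest question that trips the blocklist
  '<b onmouseover="alert(1)">hi</b>',    // markup the blocklist does not recognise
  'Tom & Jerry',                         // ordinary text with a markup character
];

// Show the input-time verdict next to the output-escaped form of each value.
foreach ($samples as $s) {
  printf("%-9s %s\n",
    reject_suspicious_input($s) ? 'accepted' : 'rejected',
    render_html_text($s));
}

echo render_link('javascript:alert(1)', 'click me'), "\n";
echo render_link('http://example.org/?a=1&b=2', 'example'), "\n";
```

The input-time check both refuses a legitimate post and accepts markup it does not recognise, while the escaped output is inert in every case regardless of what was stored.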
On 12/7/05, Karoly Negyesi <karoly@negyesi.net> wrote:
On Thu, 08 Dec 2005 01:15:18 +0100, Robert Garrigós Castro <robert@garrigos.org> wrote:
I just upgraded to 4.6.4 and checked 4.6.4 at cvs also and noticed that valid_input_data() function in common.inc is missing. Some modules do use this function thus are not working with that change. banner.module is one of them. Was this necessary because of the recent security vulnerabilities? In any case a workaround would need to be announced.
Sorry for not announcing.
valid_input_data was broken beyond repair.
Filter on output please. This was the preferred way anyways, now it's mandatory. If you need more information do not hesitate to write the list again.
I don't think it will be that big a deal. I checked out a copy of the 4.6 branch of contrib/modules and grepped for "valid_input_data" and it only turned up in four modules:
css/css.module: if (!valid_input_data($node->css_css)) {
customerror/patches/common.inc.4.6.3:function valid_input_data($data) {
customerror/patches/common.inc.4.6.3: if (!valid_input_data($key) || !valid_input_data($value)) {
customerror/patches/common.inc.4.6.3: if (!valid_input_data($_GET)
customerror/patches/common.inc.4.6.3: || !valid_input_data($_POST)
customerror/patches/common.inc.4.6.3: || !valid_input_data($_COOKIE)
customerror/patches/common.inc.4.6.3: || !valid_input_data($_FILES)) {
evaluation/patched_files/common.inc:function valid_input_data($data) {
evaluation/patched_files/common.inc: if (!valid_input_data($key) || !valid_input_data($value)) {
evaluation/patched_files/common.inc: if (!valid_input_data($_GET)
evaluation/patched_files/common.inc: || !valid_input_data($_POST)
evaluation/patched_files/common.inc: || !valid_input_data($_COOKIE)
evaluation/patched_files/common.inc: || !valid_input_data($_FILES)) {
image_import/TODO.txt: of the uploaded files using valid_input_data().
Two of those (customerror and evaluation) were because they had copies of common.inc sitting around. Image_import had a hit in a todo file. I'll open a bug for the instance in the CSS module.
andrew
On Wednesday 07 December 2005 19:57, andrew morton wrote:
image_import/TODO.txt: of the uploaded files using valid_input_data().
Hi, I'm the maintainer for that one. Thanks for the heads-up. As you noted, the change doesn't break the module because it wasn't actually implemented yet. :-)
Scott
--
Scott Courtney
Drupal user name: "syscrusher" http://drupal.org/user/9184
scott at 4th dot com
Drupal projects: http://drupal.org/project/user/9184
Sandbox: http://cvs.drupal.org/viewcvs/drupal/contributions/sandbox/syscrusher
participants (10)
- andrew morton
- Bèr Kessels
- Dries Buytaert
- fago
- Karoly Negyesi
- NSK
- Robert Garrigós Castro
- Rowan Kerr
- Syscrusher
- Tobias Maier