author | Gábor Hojtsy <gabor@hojtsy.hu> | 2007-10-17 21:47:14 +0000 |
---|---|---|
committer | Gábor Hojtsy <gabor@hojtsy.hu> | 2007-10-17 21:47:14 +0000 |
commit | a3f3cb346bebb09dd89f31705c43c0c7d5c690d1 (patch) | |
tree | afdf7c9e25ac03eae91fa15fc0328bd57474cbab /includes | |
parent | 988d4f505a8896df226660f37286c7f0bbe01e01 (diff) | |
Drupal 6.0-beta 2 release with all Drupal 5.3 security fixes applied
Diffstat (limited to 'includes')
-rw-r--r-- | includes/common.inc | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/includes/common.inc b/includes/common.inc
index 7055fbbd4..6b07f20e3 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -268,11 +268,8 @@ function drupal_get_destination() {
  * 'user login'-block in a sidebar. The function drupal_get_destination()
  * can be used to help set the destination URL.
  *
- * It is advised to use drupal_goto() instead of PHP's header(), because
- * drupal_goto() will append the user's session ID to the URI when PHP is
- * compiled with "--enable-trans-sid". In addition, Drupal will ensure that
- * messages set by drupal_set_message() and other session data are written to
- * the database before the user is redirected.
+ * Drupal will ensure that messages set by drupal_set_message() and other
+ * session data are written to the database before the user is redirected.
  *
  * This function ends the request; use it rather than a print theme('page')
  * statement in your menu callback.
@@ -305,6 +302,8 @@ function drupal_goto($path = '', $query = NULL, $fragment = NULL, $http_response
   }
 
   $url = url($path, array('query' => $query, 'fragment' => $fragment, 'absolute' => TRUE));
+  // Remove newlines from the URL to avoid header injection attacks.
+  $url = str_replace(array("\n", "\r"), '', $url);
 
   // Allow modules to react to the end of the page request before redirecting.
   module_invoke_all('exit', $url);
@@ -558,7 +557,7 @@ function drupal_error_handler($errno, $message, $filename, $line, $context) {
     return;
   }
 
-  if ($errno & (E_ALL)) {
+  if ($errno & (E_ALL ^ E_NOTICE)) {
     $types = array(1 => 'error', 2 => 'warning', 4 => 'parse error', 8 => 'notice', 16 => 'core error', 32 => 'core warning', 64 => 'compile error', 128 => 'compile warning', 256 => 'user error', 512 => 'user warning', 1024 => 'user notice', 2048 => 'strict warning');
     // For database errors, we want the line number/file name of the place that
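Review bot: The new str_replace in the drupal_goto() hunk strips CR/LF only after url() has assembled the string, so which input can still carry a raw line break depends on which components url() percent-encodes — url() is outside the hunk, and the fragment is the part most likely to arrive unencoded, so the comment would be more useful stating that: `// url() may leave some components (e.g. the fragment) unencoded; strip CR/LF so request-derived input cannot split the Location header.` Deleting the characters silently rewrites an unusual but legitimate URL; percent-encoding them instead, `$url = str_replace(array("\r", "\n"), array('%0D', '%0A'), $url);`, or refusing the redirect, closes the same hole without losing information, and either choice should be reflected in the comment. The guard covers only this redirect; any other path that hands request-derived data to header() needs the same treatment, which a reader of this hunk cannot confirm. drupal_goto()'s body starts before and ends after the hunk.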