author | Gabor Hojtsy <gabor@hojtsy.hu> | 2016-02-24 20:20:15 +0100 |
---|---|---|
committer | Gabor Hojtsy <gabor@hojtsy.hu> | 2016-02-24 20:20:15 +0100 |
commit | 18f1c229fcb87b1a1f94fcb1f0785ba3d40fc402 (patch) | |
tree | 82d672e7e57f2983301ed5539a53c0a2a4fba534 /modules/system | |
parent | 756b9f40ceec48c0c3cd0b2d2c50aca5fc911e66 (diff) | |
Drupal 6.38 (SA-CORE-2016-001) by agerard, Alan Evans, benjy, catch, chx, dalin, Damien Tournoud, DamienMcKenna, Dave Cohen, Dave Reid, David Jardin, David_Rothstein, dmitrig01, dsnopek, effulgentsia, fgm, greggles, Gábor Hojtsy, Harry Taheem, Heine, John Morahan, Juho Nurminen 2NS, klausi, larowlan, nagba, Pere Orga, plach, pwolanin, quicksketch, rickmanelius, scor, sun, Tarpinder Grewal, YesCT6.386.x
Diffstat (limited to 'modules/system')
-rw-r--r-- | modules/system/system.admin.inc | 8 | ||||
-rw-r--r-- | modules/system/system.install | 11 | ||||
-rw-r--r-- | modules/system/system.js | 2 | ||||
-rw-r--r-- | modules/system/system.module | 2 |
4 files changed, 19 insertions, 4 deletions
diff --git a/modules/system/system.admin.inc b/modules/system/system.admin.inc
index 42fd311bfd5..315390cf21b 100644
--- a/modules/system/system.admin.inc
+++ b/modules/system/system.admin.inc
@@ -1487,7 +1487,8 @@ function system_rss_feeds_settings() {
 */
 function system_date_time_settings() {
 drupal_add_js(drupal_get_path('module', 'system') .'/system.js', 'module');
- drupal_add_js(array('dateTime' => array('lookup' => url('admin/settings/date-time/lookup'))), 'setting');
+ $ajax_path = 'admin/settings/date-time/lookup';
+ drupal_add_js(array('dateTime' => array('lookup' => url($ajax_path, array('query' => array('token' => drupal_get_token($ajax_path)))))), 'setting');
 // Date settings:
 $zones = _system_zonelist();
@@ -1646,6 +1647,11 @@ function system_date_time_settings_submit($form, &$form_state) {
 * Return the date for a given format string via Ajax.
 */
 function system_date_time_lookup() {
+ // This callback is protected with a CSRF token because user input from the
+ // query string is reflected in the output.
+ if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'admin/settings/date-time/lookup')) {
+ return MENU_ACCESS_DENIED;
+ }
 $result = format_date(time(), 'custom', $_GET['format']);
 drupal_json($result);
 }
diff --git a/modules/system/system.install b/modules/system/system.install
index 33f4c4d3a63..9a4be939603 100644
--- a/modules/system/system.install
+++ b/modules/system/system.install
@@ -1061,7 +1061,7 @@ function system_schema() {
 'default' => 0),
 'session' => array(
 'description' => 'The serialized contents of $_SESSION, an array of name/value pairs that persists across page requests by this session ID. Drupal loads $_SESSION from here at the start of each request and saves it at the end.',
- 'type' => 'text',
+ 'type' => 'blob',
 'not null' => FALSE,
 'size' => 'big')
 ),
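Review bot: In `system_date_time_settings()` (modules/system/system.admin.inc, first hunk) the token is derived from `$ajax_path`, while the validating side in `system_date_time_lookup()` (second hunk) repeats the same path as a separate string literal, so a later edit to one of them would make every lookup fail with access denied. A short comment on the new assignment would tie the two together, for example `// Must match the value passed to drupal_valid_token() in system_date_time_lookup().`. The token is also carried in the query string, so it may end up in web-server access logs; the comment should say that this is accepted for this admin-only callback. The body of `system_date_time_settings()` continues outside the hunk.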
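Review bot: In `system_date_time_lookup()` (modules/system/system.admin.inc, second hunk) the new guard checks only `$_GET['token']`, so `$_GET['format']` still reaches `format_date()` without an `isset()` or type check. A request with a valid token but no `format` parameter, or with `format[]=` sent as an array, passes NULL or an array into the formatter and raises a PHP notice at the least. A second guard before the `format_date()` call would close that, e.g. `if (!isset($_GET['format']) || !is_string($_GET['format'])) { return MENU_NOT_FOUND; }`. The added comment is accurate that the token only limits who can trigger the reflection; it does not encode the reflected value, so the consumer of the JSON still has to treat it as text.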
@@ -2737,6 +2737,15 @@ function system_update_6055() {
 }
 /**
+ * Convert {session} data storage to blob.
+ */
+function system_update_6056() {
+ $ret = array();
+ db_change_field($ret, 'sessions', 'session', 'session', array('type' => 'blob', 'not null' => FALSE, 'size' => 'big'));
+ return $ret;
+}
+
+/**
 * @} End of "defgroup updates-6.x-extra".
 * The next series of updates should start at 7000.
 */
diff --git a/modules/system/system.js b/modules/system/system.js
index 48fd016a5f9..24f998ca7d8 100644
--- a/modules/system/system.js
+++ b/modules/system/system.js
@@ -101,7 +101,7 @@ Drupal.behaviors.dateTime = function(context) {
 // Attach keyup handler to custom format inputs.
 $('input.custom-format:not(.date-time-processed)', context).addClass('date-time-processed').keyup(function() {
 var input = $(this);
- var url = Drupal.settings.dateTime.lookup +(Drupal.settings.dateTime.lookup.match(/\?q=/) ? "&format=" : "?format=") + encodeURIComponent(input.val());
+ var url = Drupal.settings.dateTime.lookup +(Drupal.settings.dateTime.lookup.match(/\?/) ? "&format=" : "?format=") + encodeURIComponent(input.val());
 $.getJSON(url, function(data) {
 $("div.description span", input.parent()).html(data);
 });
diff --git a/modules/system/system.module b/modules/system/system.module
index ccc638fc7af..37ac1f47831 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -8,7 +8,7 @@
 /**
 * The current system version.
 */
-define('VERSION', '6.38-dev');
+define('VERSION', '6.38');
 /**
 * Core API compatibility. |
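Review bot: The docblock of `system_update_6056()` (modules/system/system.install) names `{session}`, but the `db_change_field()` call below it changes the `session` column of the `sessions` table, and the curly-brace notation normally denotes a table. The docblock should read ` * Convert {sessions}.session data storage to blob.` It should also say in one sentence why the column type changes, since neither this hunk nor the matching `'type' => 'blob'` change in `system_schema()` states the reason. It would also help to note whether existing session rows are expected to survive the conversion or whether users may be logged out, which cannot be told from the diff.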
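Review bot: The unchanged line `$("div.description span", input.parent()).html(data);` in the modules/system/system.js hunk still inserts the server response as HTML. The comment added in system.admin.inc in this same commit says the response reflects query-string input, so markup typed into the custom-format field is presumably parsed by the browser rather than shown as text. Since the value is a formatted date string, `$("div.description span", input.parent()).text(data);` would display it without interpreting it, and would not depend on the token check for safety. The keyup handler and the enclosing behavior start and end outside the hunk.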