Diffstat (limited to 'modules/system')
-rw-r--r-- | modules/system/system.admin.inc | 8 | ||||
-rw-r--r-- | modules/system/system.install | 11 | ||||
-rw-r--r-- | modules/system/system.js | 2 | ||||
-rw-r--r-- | modules/system/system.module | 2 |
4 files changed, 19 insertions, 4 deletions
diff --git a/modules/system/system.admin.inc b/modules/system/system.admin.inc
index 42fd311bfd5..315390cf21b 100644
--- a/modules/system/system.admin.inc
+++ b/modules/system/system.admin.inc
@@ -1487,7 +1487,8 @@ function system_rss_feeds_settings() {
 */
 function system_date_time_settings() {
 drupal_add_js(drupal_get_path('module', 'system') .'/system.js', 'module');
- drupal_add_js(array('dateTime' => array('lookup' => url('admin/settings/date-time/lookup'))), 'setting');
+ $ajax_path = 'admin/settings/date-time/lookup';
+ drupal_add_js(array('dateTime' => array('lookup' => url($ajax_path, array('query' => array('token' => drupal_get_token($ajax_path)))))), 'setting');

 // Date settings:
 $zones = _system_zonelist();
@@ -1646,6 +1647,11 @@ function system_date_time_settings_submit($form, &$form_state) {
 * Return the date for a given format string via Ajax.
 */
 function system_date_time_lookup() {
+ // This callback is protected with a CSRF token because user input from the
+ // query string is reflected in the output.
+ if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'admin/settings/date-time/lookup')) {
+ return MENU_ACCESS_DENIED;
+ }
 $result = format_date(time(), 'custom', $_GET['format']);
 drupal_json($result);
 }
diff --git a/modules/system/system.install b/modules/system/system.install
index 33f4c4d3a63..9a4be939603 100644
--- a/modules/system/system.install
+++ b/modules/system/system.install
@@ -1061,7 +1061,7 @@ function system_schema() {
 'default' => 0),
 'session' => array(
 'description' => 'The serialized contents of $_SESSION, an array of name/value pairs that persists across page requests by this session ID. Drupal loads $_SESSION from here at the start of each request and saves it at the end.',
- 'type' => 'text',
+ 'type' => 'blob',
 'not null' => FALSE,
 'size' => 'big')
 ),
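Review bot: The path string that seeds the token is now written twice, once as `$ajax_path` in system_date_time_settings() and once as a literal in the `drupal_valid_token()` call in system_date_time_lookup(); if either copy changes, every lookup request is rejected with no obvious cause. A comment next to `$ajax_path`, such as `// Must match the value checked in system_date_time_lookup().`, or a shared constant, would keep the two in step. The token also travels in the query string of a GET request, so it can end up in access logs; that is probably acceptable for an admin-only Ajax call, but worth stating in the comment. The body of system_date_time_settings() continues outside the hunk.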
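Review bot: `$_GET['format']` is still passed straight to `format_date()` after the new token check in system_date_time_lookup(), so a request with a valid token but no `format` parameter, or with an array-valued one, reaches the formatter unvalidated. The guard could also require `isset($_GET['format']) && is_string($_GET['format'])`, and `is_string($_GET['token'])` before the `drupal_valid_token()` call, because PHP turns bracketed query keys into arrays. The added comment explains the reason for the token well; it could also say that the value must match the one generated in system_date_time_settings().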
@@ -2737,6 +2737,15 @@ function system_update_6055() {
 }

 /**
+ * Convert {session} data storage to blob.
+ */
+function system_update_6056() {
+ $ret = array();
+ db_change_field($ret, 'sessions', 'session', 'session', array('type' => 'blob', 'not null' => FALSE, 'size' => 'big'));
+ return $ret;
+}
+
+/**
 * @} End of "defgroup updates-6.x-extra".
 * The next series of updates should start at 7000.
 */
diff --git a/modules/system/system.js b/modules/system/system.js
index 48fd016a5f9..24f998ca7d8 100644
--- a/modules/system/system.js
+++ b/modules/system/system.js
@@ -101,7 +101,7 @@ Drupal.behaviors.dateTime = function(context) {
 // Attach keyup handler to custom format inputs.
 $('input.custom-format:not(.date-time-processed)', context).addClass('date-time-processed').keyup(function() {
 var input = $(this);
- var url = Drupal.settings.dateTime.lookup +(Drupal.settings.dateTime.lookup.match(/\?q=/) ? "&format=" : "?format=") + encodeURIComponent(input.val());
+ var url = Drupal.settings.dateTime.lookup +(Drupal.settings.dateTime.lookup.match(/\?/) ? "&format=" : "?format=") + encodeURIComponent(input.val());
 $.getJSON(url, function(data) {
 $("div.description span", input.parent()).html(data);
 });
diff --git a/modules/system/system.module b/modules/system/system.module
index ccc638fc7af..37ac1f47831 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -8,7 +8,7 @@
 /**
 * The current system version.
 */
-define('VERSION', '6.38-dev');
+define('VERSION', '6.38');

 /**
 * Core API compatibility. |
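Review bot: The docblock of system_update_6056() says what the update does but not why the `session` column moves from `text` to `blob`, and nothing else in the diff states the reason. A sentence explaining it would help site operators judge the update; presumably serialized session data is not guaranteed to be valid text for the column's character set, but that should be confirmed. The field spec passed to `db_change_field()` repeats the one edited in system_schema() in the earlier system.install hunk, so a comment noting that the two must stay identical would guard against drift. system_schema() extends beyond its hunk.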
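Review bot: The response is still inserted with `.html(data)` two lines below the changed `url` line, so whatever the lookup callback returns for the typed format string is parsed as markup. The PHP side of this commit notes that query-string input is reflected in that output, and only a formatted date is expected here, so `$("div.description span", input.parent()).text(data);` would keep it inert. On the changed line itself, `match(/\?/)` is used only as a boolean test; `indexOf('?') != -1` would say that more directly. The keyup handler's body continues outside the hunk.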