// $Id: CHANGELOG.txt,v 1.253.2.31 2009/07/01 20:51:55 goba Exp $ Drupal 6.13, 2009-07-01 ---------------------- - Fixed security issues (Cross site scripting, Input format access bypass and Password leakage in URL), see SA-CORE-2009-007. - Fixed a variety of small bugs. Drupal 6.12, 2009-05-13 ---------------------- - Fixed security issues (Cross site scripting), see SA-CORE-2009-006. - Fixed a variety of small bugs. Drupal 6.11, 2009-04-29 ---------------------- - Fixed security issues (Cross site scripting and limited information disclosure), see SA-CORE-2009-005 - Fixed performance issues with the menu router cache, the update status cache and improved cache invalidation - Fixed a variety of small bugs. Drupal 6.10, 2009-02-25 ---------------------- - Fixed a security issue, (Local file inclusion on Windows), see SA-CORE-2009-003 - Fixed node_feed() so custom fields can show up in RSS feeds. - Improved PostgreSQL compatibility. - Fixed a variety of small bugs. Drupal 6.9, 2009-01-14 ---------------------- - Fixed security issues, (Access Bypass, Validation Bypass and Hardening against SQL injection), see SA-CORE-2009-001 - Made HTTP request checking more robust and informative. - Fixed HTTP_HOST checking to work again with HTTP 1.0 clients and basic shell scripts. - Removed t() calls from all schema documentation. Suggested best practice changed for contributed modules, see http://drupal.org/node/322731. - Fixed a variety of small bugs. Drupal 6.8, 2008-12-11 ---------------------- - Removed a previous change incompatible with PHP 5.1.x and lower. Drupal 6.7, 2008-12-10 ---------------------- - Fixed security issues, (Cross site request forgery and Cross site scripting), see SA-2008-073 - Updated robots.txt and .htaccess to match current file use. - Fixed a variety of small bugs. Drupal 6.6, 2008-10-22 ---------------------- - Fixed security issues, (File inclusion, Cross site scripting), see SA-2008-067 - Fixed a variety of small bugs. Drupal 6.5, 2008-10-08 ---------------------- - Fixed security issues, (File upload access bypass, Access rules bypass, BlogAPI access bypass), see SA-2008-060. - Fixed a variety of small bugs. Drupal 6.4, 2008-08-13 ---------------------- - Fixed a security issue (Cross site scripting, Arbitrary file uploads via BlogAPI, Cross site request forgeries and Various Upload module vulnerabilities), see SA-2008-047. - Improved error messages during installation. - Fixed a bug that prevented AHAH handlers to be attached to radios widgets. - Fixed a variety of small bugs. Drupal 6.3, 2008-07-09 ---------------------- - Fixed security issues, (Cross site scripting, cross site request forgery, session fixation and SQL injection), see SA-2008-044. - Slightly modified installation process to prevent file ownership issues on shared hosts. - Improved PostgreSQL compatibility (rewritten queries; custom blocks). - Upgraded to jQuery 1.2.6. - Performance improvements to search, menu handling and form API caches. - Fixed Views compatibility issues (Views for Drupal 6 requires Drupal 6.3+). - Fixed a variety of small bugs. Drupal 6.2, 2008-04-09 ---------------------- - Fixed a variety of small bugs. - Fixed a security issue (Access bypasses), see SA-2008-026. Drupal 6.1, 2008-02-27 ---------------------- - Fixed a variety of small bugs. - Fixed a security issue (Cross site scripting), see SA-2008-018. Drupal 6.0, 2008-02-13 ---------------------- - New, faster and better menu system. - New watchdog as a hook functionality. * New hook_watchdog that can be implemented by any module to route log messages to various destinations. * Expands the severity levels from 3 (Error, Warning, Notice) to the 8 levels defined in RFC 3164. * The watchdog module is now called dblog, and is optional, but enabled by default in the default install profile. * Extended the database log module so log messages can be filtered. * Added syslog module: useful for monitoring large Drupal installations. - Added optional e-mail notifications when users are approved, blocked, or deleted. - Drupal works with error reporting set to E_ALL. - Added scripts/drupal.sh to execute Drupal code from the command line. Useful to use Drupal as a framework to build command-line tools. - Made signature support optional and made it possible to theme signatures. - Made it possible to filter the URL aliases on the URL alias administration screen. - Language system improvements: * Support for right to left languages. * Language detection based on parts of the URL. * Browser based language detection. * Made it possible to specify a node's language. * Support for translating posts on the site to different languages. * Language dependent path aliases. * Automatically import translations when adding a new language. * JavaScript interface translation. * Automatically import a module's translation upon enabling that module. - Moved "PHP input filter" to a standalone module so it can be deleted for security reasons. - Usability: * Improved handling of teasers in posts. * Added sticky table headers. * Check for clean URL support automatically with JavaScript. * Removed default/settings.php. Instead the installer will create it from default.settings.php. * Made it possible to configure your own date formats. * Remember anonymous comment posters. * Only allow modules and themes to be enabled that have explicitly been ported to the correct core API version. * Can now specify the minimum PHP version required for a module within the .info file. * Drupal core no longer requires CREATE TEMPORARY TABLES or LOCK TABLES database rights. * Dynamically check password strength and confirmation. * Refactored poll administration. * Implemented drag-and-drop positioning for blocks, menu items, taxonomy vocabularies and terms, forums, profile fields, and input format filters. - Theme system: * Added .info files to themes and made it easier to specify regions and features. * Added theme registry: modules can directly provide .tpl.php files for their themes without having to create theme_ functions. * Used the Garland theme for the installation and maintenance pages. * Added theme preprocess functions for themes that are templates. * Added support for themeable functions in JavaScript. - Refactored update.php to a generic batch API to be able to run time-consuming operations in multiple subsequent HTTP requests. - Installer: * Themed the installer with the Garland theme. * Added form to provide initial site information during installation. * Added ability to provide extra installation steps programmatically. * Made it possible to import interface translations at install time. - Added the HTML corrector filter: * Fixes faulty and chopped off HTML in postings. * Tags are now automatically closed at the end of the teaser. - Performance: * Made it easier to conditionally load .include files and split up many core modules. * Added a JavaScript aggregator. * Added block-level caching, improving performance for both authenticated and anonymous users. * Made Drupal work correctly when running behind a reverse proxy like Squid or Pound. - File handling improvements: * Entries in the files table are now keyed to a user instead of a node. * Added reusable validation functions to check for uploaded file sizes, extensions, and image resolution. * Added ability to create and remove temporary files during a cron job. - Forum improvements: * Any node type may now be posted in a forum. - Taxonomy improvements: * Descriptions for terms are now shown on taxonomy/term pages as well as RSS feeds. * Added versioning support to categories by associating them with node revisions. - Added support for OpenID. - Added support for triggering configurable actions. - Added the Update status module to automatically check for available updates and warn sites if they are missing security updates or newer versions. Sites deploying from CVS should use http://drupal.org/project/cvs_deploy. Advanced settings provided by http://drupal.org/project/update_advanced. - Upgraded the core JavaScript library to jQuery version 1.2.3. - Added a new Schema API, which provides built-in support for core and contributed modules to work with databases other than MySQL. - Removed drupal.module. The functionality lives on as the Site network contributed module (http://drupal.org/project/site_network). - Removed old system updates. Updates from Drupal versions prior to 5.x will require upgrading to 5.x before upgrading to 6.x. Drupal 5.19, 2009-07-01 ----------------------- - Fixed security issues (Cross site scripting and Password leakage in URL), see SA-CORE-2009-007. - Fixed a variety of small bugs. Drupal 5.18, 2009-05-13 ---------------------- - Fixed security issues (Cross site scripting), see SA-CORE-2009-006. - Fixed a variety of small bugs. Drupal 5.17, 2009-04-29 ----------------------- - Fixed security issues (Cross site scripting and limited information disclosure) see SA-CORE-2009-005. - Fixed a variety of small bugs. Drupal 5.16, 2009-02-25 ----------------------- - Fixed a security issue, (Local file inclusion on Windows), see SA-CORE-2009-004. - Fixed a variety of small bugs. Drupal 5.15, 2009-01-14 ---------------------- - Fixed security issues, (Hardening against SQL injection), see SA-CORE-2009-001 - Fixed HTTP_HOST checking to work again with HTTP 1.0 clients and basic shell scripts. - Fixed a variety of small bugs. Drupal 5.14, 2008-12-11 ---------------------- - Removed a previous change incompatible with PHP 5.1.x and lower. Drupal 5.13, 2008-12-10 ----------------------- - fixed a variety of small bugs. - fixed security issues, (Cross site request forgery and Cross site scripting), see SA-2008-073 - updated robots.txt and .htaccess to match current file use. Drupal 5.12, 2008-10-22 ----------------------- - fixed security issues, (File inclusion), see SA-2008-067 Drupal 5.11, 2008-10-08 ----------------------- - fixed a variety of small bugs. - fixed security issues, (File upload access bypass, Access rules bypass, BlogAPI access bypass, Node validation bypass), see SA-2008-060 Drupal 5.10, 2008-08-13 ----------------------- - fixed a variety of small bugs. - fixed security issues, (Cross site scripting, Arbitrary file uploads via BlogAPI and Cross site request forgery), see SA-2008-047 Drupal 5.9, 2008-07-23 ---------------------- - fixed a variety of small bugs. - fixed security issues, (Session fixation), see SA-2008-046 Drupal 5.8, 2008-07-09 ---------------------- - fixed a variety of small bugs. - fixed security issues, (Cross site scripting, cross site request forgery, and session fixation), see SA-2008-044 Drupal 5.7, 2008-01-28 ---------------------- - fixed the input format configuration page. - fixed a variety of small bugs. Drupal 5.6, 2008-01-10 ---------------------- - fixed a variety of small bugs. - fixed a security issue (Cross site request forgery), see SA-2008-005 - fixed a security issue (Cross site scripting, UTF8), see SA-2008-006 - fixed a security issue (Cross site scripting, register_globals), see SA-2008-007 Drupal 5.5, 2007-12-06 ---------------------- - fixed missing missing brackets in a query in the user module. - fixed taxonomy feed bug introduced by SA-2007-031 Drupal 5.4, 2007-12-05 ---------------------- - fixed a variety of small bugs. - fixed a security issue (SQL injection), see SA-2007-031 Drupal 5.3, 2007-10-17 ---------------------- - fixed a variety of small bugs. - fixed a security issue (HTTP response splitting), see SA-2007-024 - fixed a security issue (Arbitrary code execution via installer), see SA-2007-025 - fixed a security issue (Cross site scripting via uploads), see SA-2007-026 - fixed a security issue (User deletion cross site request forgery), see SA-2007-029 - fixed a security issue (API handling of unpublished comment), see SA-2007-030 Drupal 5.2, 2007-07-26 ---------------------- - changed hook_link() $teaser argument to match documentation. - fixed a variety of small bugs. - fixed a security issue (cross-site request forgery), see SA-2007-017 - fixed a security issue (cross-site scripting), see SA-2007-018 Drupal 5.1, 2007-01-29 ---------------------- - fixed security issue (code execution), see SA-2007-005 - fixed a variety of small bugs. Drupal 5.0, 2007-01-15 ---------------------- - Completely retooled the administration page * /Admin now contains an administration page which may be themed * Reorganised administration menu items by task and by module * Added a status report page with detailed PHP/MySQL/Drupal information - Added web-based installer which can: * Check installation and run-time requirements * Automatically generate the database configuration file * Install pre-made 'install profiles' or distributions * Import the database structure with automatic table prefixing * Be localized - Added new default Garland theme - Added color module to change some themes' color schemes - Included the jQuery JavaScript library 1.0.4 and converted all core JavaScript to use it - Introduced the ability to alter mail sent from system - Module system: * Added .info files for module meta-data * Added support for module dependencies * Improved module installation screen * Moved core modules to their own directories * Added support for module uninstalling - Added support for different cache backends - Added support for a generic "sites/all" directory. - Usability: * Added support for auto-complete forms (AJAX) to user profiles. * Made it possible to instantly assign roles to newly created user accounts. * Improved configurability of the contact forms. * Reorganized the settings pages. * Made it easy to investigate popular search terms. * Added a 'select all' checkbox and a range select feature to administration tables. * Simplified the 'break' tag to split teasers from body. * Use proper capitalization for titles, menu items and operations. - Integrated urlfilter.module into filter.module - Block system: * Extended the block visibility settings with a role specific setting. * Made it possible to customize all block titles. - Poll module: * Optionally allow people to inspect all votes. * Optionally allow people to cancel their vote. - Distributed authentication: * Added default server option. - Added default robots.txt to control crawlers. - Database API: * Added db_table_exists(). - Blogapi module: * 'Blogapi new' and 'blogapi edit' nodeapi operations. - User module: * Added hook_profile_alter(). * E-mail verification is made optional. * Added mass editing and filtering on admin/user/user. - PHP Template engine: * Add the ability to look for a series of suggested templates. * Look for page templates based upon the path. * Look for block templates based upon the region, module, and delta. - Content system: * Made it easier for node access modules to work well with each other. * Added configurable content types. * Changed node rendering to work with structured arrays. - Performance: * Improved session handling: reduces database overhead. * Improved access checking: reduces database overhead. * Made it possible to do memcached based session management. * Omit sidebars when serving a '404 - Page not found': saves CPU cycles and bandwidth. * Added an 'aggressive' caching policy. * Added a CSS aggregator and compressor (up to 40% faster page loads). - Removed the archive module. - Upgrade system: * Created space for update branches. - Forms API: * Made it possible to programmatically submit forms. * Improved api for multistep forms. - Theme system: * Split up and removed drupal.css. * Added nested lists generation. * Added a self-clearing block class. Drupal 4.7.11, 2008-01-10 ------------------------- - fixed a security issue (Cross site request forgery), see SA-2008-005 - fixed a security issue (Cross site scripting, UTF8), see SA-2008-006 - fixed a security issue (Cross site scripting, register_globals), see SA-2008-007 Drupal 4.7.10, 2007-12-06 ------------------------- - fixed taxonomy feed bug introduced by SA-2007-031 Drupal 4.7.9, 2007-12-05 ------------------------ - fixed a security issue (SQL injection), see SA-2007-031 Drupal 4.7.8, 2007-10-17 ---------------------- - fixed a security issue (HTTP response splitting), see SA-2007-024 - fixed a security issue (Cross site scripting via uploads), see SA-2007-026 - fixed a security issue (API handling of unpublished comment), see SA-2007-030 Drupal 4.7.7, 2007-07-26 ------------------------ - fixed security issue (XSS), see SA-2007-018 Drupal 4.7.6, 2007-01-29 ------------------------ - fixed security issue (code execution), see SA-2007-005 Drupal 4.7.5, 2007-01-05 ------------------------ - Fixed security issue (XSS), see SA-2007-001 - Fixed security issue (DoS), see SA-2007-002 Drupal 4.7.4, 2006-10-18 ------------------------ - Fixed security issue (XSS), see SA-2006-024 - Fixed security issue (CSRF), see SA-2006-025 - Fixed security issue (Form action attribute injection), see SA-2006-026 Drupal 4.7.3, 2006-08-02 ------------------------ - Fixed security issue (XSS), see SA-2006-011 Drupal 4.7.2, 2006-06-01 ------------------------ - Fixed critical upload issue, see SA-2006-007 - Fixed taxonomy XSS issue, see SA-2006-008 - Fixed a variety of small bugs. Drupal 4.7.1, 2006-05-24 ------------------------ - Fixed critical SQL issue, see SA-2006-005 - Fixed a serious upgrade related bug. - Fixed a variety of small bugs. Drupal 4.7.0, 2006-05-01 ------------------------ - Added free tagging support. - Added a site-wide contact form. - Theme system: * Added the PHPTemplate theme engine and removed the Xtemplate engine. * Converted the bluemarine theme from XTemplate to PHPTemplate. * Converted the pushbutton theme from XTemplate to PHPTemplate. - Usability: * Reworked the 'request new password' functionality. * Reworked the node and comment edit forms. * Made it easy to add nodes to the navigation menu. * Added site 'offline for maintenance' feature. * Added support for auto-complete forms (AJAX). * Added support for collapsible page sections (JS). * Added support for resizable text fields (JS). * Improved file upload functionality (AJAX). * Reorganized some settings pages. * Added friendly database error screens. * Improved styling of update.php. - Refactored the forms API. * Made it possible to alter, extend or theme forms. - Comment system: * Added support for "mass comment operations" to ease repetitive tasks. * Comment moderation has been removed. - Node system: * Reworked the revision functionality. * Removed the bookmarklet code. Third-party modules can now handle This. - Upgrade system: * Allows contributed modules to plug into the upgrade system. - Profiles: * Added a block to display author information along with posts. * Added support for private profile fields. - Statistics module: * Added the ability to track page generation times. * Made it possible to block certain IPs/hostnames. - Block system: * Added support for theme-specific block regions. - Syndication: * Made the aggregator module parse Atom feeds. * Made the aggregator generate RSS feeds. * Added RSS feed settings. - XML-RPC: * Replaced the XML-RPC library by a better one. - Performance: * Added 'loose caching' option for high-traffic sites. * Improved performance of path aliasing. * Added the ability to track page generation times. - Internationalization: * Improved Unicode string handling API. * Added support for PHP's multibyte string module. - Added support for PHP5's 'mysqli' extension. - Search module: * Made indexer smarter and more robust. * Added advanced search operators (e.g. phrase, node type, ...). * Added customizable result ranking. - PostgreSQL support: * Removed dependency on PL/pgSQL procedural language. - Menu system: * Added support for external URLs. - Queue module: * Removed from core. - HTTP handling: * Added support for a tolerant Base URL. * Output URIs relative to the root, without a base tag. Drupal 4.6.11, 2007-01-05 ------------------------- - Fixed security issue (XSS), see SA-2007-001 - Fixed security issue (DoS), see SA-2007-002 Drupal 4.6.10, 2006-10-18 ------------------------ - Fixed security issue (XSS), see SA-2006-024 - Fixed security issue (CSRF), see SA-2006-025 - Fixed security issue (Form action attribute injection), see SA-2006-026 Drupal 4.6.9, 2006-08-02 ------------------------ - Fixed security issue (XSS), see SA-2006-011 Drupal 4.6.8, 2006-06-01 ------------------------ - Fixed critical upload issue, see SA-2006-007 - Fixed taxonomy XSS issue, see SA-2006-008 Drupal 4.6.7, 2006-05-24 ------------------------ - Fixed critical SQL issue, see SA-2006-005 Drupal 4.6.6, 2006-03-13 ------------------------ - Fixed bugs, including 4 security vulnerabilities. Drupal 4.6.5, 2005-12-12 ------------------------ - Fixed bugs: no critical bugs were identified. Drupal 4.6.4, 2005-11-30 ------------------------ - Fixed bugs, including 3 security vulnerabilities. Drupal 4.6.3, 2005-08-15 ------------------------ - Fixed bugs, including a critical "arbitrary PHP code execution" bug. Drupal 4.6.2, 2005-06-29 ------------------------ - Fixed bugs, including two critical "arbitrary PHP code execution" bugs. Drupal 4.6.1, 2005-06-01 ------------------------ - Fixed bugs, including a critical input validation bug. Drupal 4.6.0, 2005-04-15 ------------------------ - PHP5 compliance - Search: * Added UTF-8 support to make it work with all languages. * Improved search indexing algorithm. * Improved search output. * Impose a throttle on indexing of large sites. * Added search block. - Syndication: * Made the ping module ping pingomatic.com which, in turn, will ping all the major ping services. * Made Drupal generate RSS 2.0 feeds. * Made RSS feeds extensible. * Added categories to RSS feeds. * Added enclosures to RSS feeds. - Flood control mechanism: * Added a mechanism to throttle certain operations. - Usability: * Refactored the block configuration pages. * Refactored the statistics pages. * Refactored the watchdog pages. * Refactored the throttle module configuration. * Refactored the access rules page. * Refactored the content administration page. * Introduced forum configuration pages. * Added a 'add child page' link to book pages. - Contact module: * Added a simple contact module that allows users to contact each other using e-mail. - Multi-site configuration: * Made it possible to run multiple sites from a single code base. - Added an image API: enables better image handling. - Block system: * Extended the block visibility settings. - Theme system: * Added new theme functions. - Database backend: * The PEAR database backend is no longer supported. - Performance: * Improved performance of the forum topics block. * Improved performance of the tracker module. * Improved performance of the node pages. - Documentation: * Improved and extended PHPDoc/Doxygen comments. Drupal 4.5.8, 2006-03-13 ------------------------ - Fixed bugs, including 3 security vulnerabilities. Drupal 4.5.7, 2005-12-12 ------------------------ - Fixed bugs: no critical bugs were identified. Drupal 4.5.6, 2005-11-30 ------------------------ - Fixed bugs, including 3 security vulnerabilities. Drupal 4.5.5, 2005-08-15 ------------------------ - Fixed bugs, including a critical "arbitrary PHP code execution" bug. Drupal 4.5.4, 2005-06-29 ------------------------ - Fixed bugs, including two critical "arbitrary PHP code execution" bugs. Drupal 4.5.3, 2005-06-01 ------------------------ - Fixed bugs, including a critical input validation bug. Drupal 4.5.2, 2005-01-15 ------------------------ - Fixed bugs: a cross-site scripting (XSS) vulnerability has been fixed. Drupal 4.5.1, 2004-12-01 ------------------------ - Fixed bugs: no critical bugs were identified. Drupal 4.5.0, 2004-10-18 ------------------------ - Navigation: * Made it possible to add, delete, rename and move menu items. * Introduced tabs and subtabs for local tasks. * Reorganized the navigation menus. - User management: * Added support for multiple roles per user. * Made it possible to add custom profile fields. * Made it possible to browse user profiles by field. - Node system: * Added support for node-level permissions. - Comment module: * Made it possible to leave contact information without having to register. - Upload module: * Added support for uploading documents (includes images). - Forum module: * Added support for sticky forum topics. * Made it possible to track forum topics. - Syndication: * Added support for RSS ping-notifications of http://technorati.com/. * Refactored the categorization of syndicated news items. * Added an URL alias for 'rss.xml'. * Improved date parsing. - Database backend: * Added support for multiple database connections. * The PostgreSQL backend does no longer require PEAR. - Theme system: * Changed all GIFs to PNGs. * Reorganised the handling of themes, template engines, templates and styles. * Unified and extended the available theme settings. * Added theme screenshots. - Blocks: * Added 'recent comments' block. * Added 'categories' block. - Blogger API: * Added support for auto-discovery of blogger API via RSD. - Performance: * Added support for sending gzip compressed pages. * Improved performance of the forum module. - Accessibility: * Improved the accessibility of the archive module's calendar. * Improved form handling and error reporting. * Added HTTP redirects to prevent submitting twice when refreshing right after a form submission. - Refactored 403 (forbidden) handling and added support for custom 403 pages. - Documentation: * Added PHPDoc/Doxygen comments. - Filter system: * Added support for using multiple input formats on the site * Expanded the embedded PHP-code feature so it can be used everywhere * Added support for role-dependant filtering, through input formats - UI translation: * Managing translations is now completely done through the administration interface * Added support for importing/exporting gettext .po files Drupal 4.4.3, 2005-06-01 ------------------------ - Fixed bugs, including a critical input validation bug. Drupal 4.4.2, 2004-07-04 ------------------------ - Fixed bugs: no critical bugs were identified. Drupal 4.4.1, 2004-05-01 ------------------------ - Fixed bugs: no critical bugs were identified. Drupal 4.4.0, 2004-04-01 ------------------------ - Added support for the MetaWeblog API and MovableType extensions. - Added a file API: enables better document management. - Improved the watchdog and search module to log search keys. - News aggregator: * Added support for conditional GET. * Added OPML feed subscription list. * Added support for , , , , and . - Comment module: * Made it possible to disable the "comment viewing controls". - Performance: * Improved module loading when serving cached pages. * Made it possible to automatically disable modules when under heavy load. * Made it possible to automatically disable blocks when under heavy load. * Improved performance and memory footprint of the locale module. - Theme system: * Made all theme functions start with 'theme_'. * Made all theme functions return their output. * Migrated away from using the BaseTheme class. * Added many new theme functions and refactored existing theme functions. * Added avatar support to 'Xtemplate'. * Replaced theme 'UnConeD' by 'Chameleon'. * Replaced theme 'Marvin' by 'Pushbutton'. - Usability: * Added breadcrumb navigation to all pages. * Made it possible to add context-sensitive help to all pages. * Replaced drop-down menus by radio buttons where appropriate. * Removed the 'magic_quotes_gpc = 0' requirement. * Added a 'book navigation' block. - Accessibility: * Made themes degrade gracefully in absence of CSS. * Grouped form elements using '
' and '' tags. * Added '