TwoGrunts
 




 

Drupal version changes

mike  2006-08-02 16:45     

I was checking out the 4.7.3 Drupal release that was included with the recent XSS vulnerability in user module security fix.

Here's the complete list of changes, from CHANGELOG.txt:


// $Id: CHANGELOG.txt,v 1.117.2.6 2006/08/02 18:13:26 killes Exp $

Drupal 4.7.3, 2006-08-02
------------------------
- fixed security issue (XSS), see SA-2006-011

Here are the contents of the patch:

Index: modules/user.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/Attic/user.module,v
retrieving revision 1.612.2.15
diff -u -p -r1.612.2.15 user.module
--- modules/user.module	16 Jul 2006 18:26:56 -0000	1.612.2.15
+++ modules/user.module	2 Aug 2006 18:09:22 -0000
@@ -900,7 +900,7 @@ function user_login($msg = '') {
 
   // Display login form:
   if ($msg) {
-    $form['message'] = array('#value' => "

$msg

"); + $form['message'] = array('#value' => '

'. check_plain($msg) .'

'); } unset($_GET['time']); $form['#action'] = url($_GET['q'], drupal_get_destination());
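
Review bot: On the added line in user_login(), check_plain($msg) changes what callers may pass: the removed line interpolated $msg straight into the '#value' string as markup, and the new line escapes it as plain text, but nothing at the function signature says so. Add a doc comment on user_login($msg = '') stating that $msg is treated as plain text and escaped on output, so callers neither pre-escape it (which would double-encode entities) nor pass HTML expecting it to render. Escaping here, at the point of output rather than at each call site, is the right place for the fix.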

Out of curiosity, I did a complete comparison between the 4.7.2 and 4.7.3 distros.

Needless to say, there are many more changes than the one described in the changelog.

I've generated a unified diff and an HTML file difference report of changes between 4.7.2 and 4.7.3 using the excellent Beyond Compare from Scooter Software.