--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package drupal7

My upload includes two important security fixes plus several minor
reliability fixes, backported respectively from versions 7.33 and
7.34.

Debdiff attached, or available via anonscm:
https://anonscm.debian.org/cgit/collab-maint/drupal7.git/diff/?id=debian/7.32-1%2bdeb8u1&id2=debian/7.32-1

I don't know how rigorous this "pre-approval" is, but I checked this
with jmw yesterday on IRC.

Thanks!

unblock drupal7/7.32-1+deb8u1

-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru drupal7-7.32/debian/changelog drupal7-7.32/debian/changelog
--- drupal7-7.32/debian/changelog 2014-10-15 11:34:54.000000000 -0500
+++ drupal7-7.32/debian/changelog 2014-11-21 13:28:18.000000000 -0600
@@ -1,3 +1,14 @@
+drupal7 (7.32-1+deb8u1) unstable; urgency=high
+
+ * Updated the VCS URL in debian/control as git.debian.org is deprecated
+ * Debian has frozen! We will start backporting the important fixes to
+ 7.32
+ * Backported from 7.34: SA-CORE-2014-006 (Session hijacking CVE-2014-
+ 9015, Denial of service CVE-2014-9016)
+ * Several minor reliability fixes backported from 7.33
+
+ -- Gunnar Wolf <gw...@debian.org> Wed, 15 Oct 2014 12:45:29 -0500
+
drupal7 (7.32-1) unstable; urgency=critical
* New upstream release
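Review bot: In the 7.32-1+deb8u1 entry the identifier CVE-2014-9015 is broken across two lines ("CVE-2014-" then "9015"), so a search of the changelog for the full CVE id will not find it; rewrap the bullet so each identifier stays on one line. The trailer date (Wed, 15 Oct 2014) also predates the 2014-11-21 timestamp on this file and the Last-Update of the patches the entry announces, so it should be refreshed before upload, and the "Debian has frozen!" bullet describes no change to the package.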
diff -Nru drupal7-7.32/debian/control drupal7-7.32/debian/control
--- drupal7-7.32/debian/control 2014-10-15 11:34:54.000000000 -0500
+++ drupal7-7.32/debian/control 2014-11-21 13:28:18.000000000 -0600
@@ -6,7 +6,7 @@
Build-Depends: debhelper (>= 7.0.50~), yui-compressor
Homepage: http://www.drupal.org/
Standards-Version: 3.9.6.0
-Vcs-Git: git://git.debian.org/git/collab-maint/drupal7.git
+Vcs-Git: git://anonscm.debian.org/collab-maint/drupal7.git
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/drupal7.git
Package: drupal7
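Review bot: The replacement Vcs-Git value still uses the unauthenticated git:// transport, so a clone made from this field has no integrity or confidentiality protection in transit; if anonscm.debian.org serves this repository over https, prefer that URL here. Vcs-Browser in the context line is likewise plain http, while the unblock request itself already links the same host over https.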
diff -Nru drupal7-7.32/debian/patches/ajax_throbber_align
drupal7-7.32/debian/patches/ajax_throbber_align
--- drupal7-7.32/debian/patches/ajax_throbber_align 1969-12-31
18:00:00.000000000 -0600
+++ drupal7-7.32/debian/patches/ajax_throbber_align 2014-11-21
13:28:18.000000000 -0600
@@ -0,0 +1,112 @@
+Origin: vendor
+Forwarded: not-needed
+From: Gunnar Wolf <gw...@debian.org>
+Last-Update: 2014-11-21
+Description: Fixes alignment issue in the Ajax progress throbber
+ Fixed a bug which caused the Ajax progress throbber to appear misaligned in
+ many situatons (minor styling change).
+ .
+ Fixes Drupal issue #1069152
+ .
+ Backported from 7.33.
+Index: drupal7/modules/system/system.base-rtl.css
+===================================================================
+--- drupal7.orig/modules/system/system.base-rtl.css
++++ drupal7/modules/system/system.base-rtl.css
+@@ -9,10 +9,10 @@
+ */
+ /* Animated throbber */
+ html.js input.form-autocomplete {
+- background-position: 0% 2px;
++ background-position: 0% center;
+ }
+ html.js input.throbbing {
+- background-position: 0% -18px;
++ background-position: 0% center;
+ }
+
+ /**
+Index: drupal7/modules/system/system.base.css
+===================================================================
+--- drupal7.orig/modules/system/system.base.css
++++ drupal7/modules/system/system.base.css
+@@ -31,12 +31,13 @@
+ }
+ /* Animated throbber */
+ html.js input.form-autocomplete {
+- background-image: url(../../misc/throbber.gif);
+- background-position: 100% 2px; /* LTR */
++ background-image: url(../../misc/throbber-inactive.png);
++ background-position: 100% center; /* LTR */
+ background-repeat: no-repeat;
+ }
+ html.js input.throbbing {
+- background-position: 100% -18px; /* LTR */
++ background-image: url(../../misc/throbber-active.gif);
++ background-position: 100% center; /* LTR */
+ }
+
+ /**
+@@ -164,7 +165,7 @@ table.sticky-header {
+ display: inline-block;
+ }
+ .ajax-progress .throbber {
+- background: transparent url(../../misc/throbber.gif) no-repeat 0px -18px;
++ background: transparent url(../../misc/throbber-active.gif) no-repeat 0px
center;
+ float: left; /* LTR */
+ height: 15px;
+ margin: 2px;
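Review bot: The rules in system.base.css now point at ../../misc/throbber-inactive.png and ../../misc/throbber-active.gif instead of throbber.gif, but nothing in this debdiff adds those two image files, and a text patch under debian/patches cannot carry binaries. Unless the images reach the package by another route, the autocomplete fields and .ajax-progress .throbber lose their background image; either ship the images alongside this patch or keep the existing throbber.gif sprite and its offsets.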
+Index: drupal7/themes/bartik/css/style.css
+===================================================================
+--- drupal7.orig/themes/bartik/css/style.css
++++ drupal7/themes/bartik/css/style.css
+@@ -1326,14 +1326,6 @@ input.form-button-disabled:active,
+ color: #717171;
+ }
+
+-/* Animated throbber */
+-html.js input.form-autocomplete {
+- background-position: 100% 4px; /* LTR */
+-}
+-html.js input.throbbing {
+- background-position: 100% -16px; /* LTR */
+-}
+-
+ /* Comment form */
+ .comment-form label {
+ float: left; /* LTR */
+Index: drupal7/themes/seven/style.css
+===================================================================
+--- drupal7.orig/themes/seven/style.css
++++ drupal7/themes/seven/style.css
+@@ -709,12 +709,7 @@ select.form-select:focus {
+ color: #000;
+ border-color: #ace;
+ }
+-html.js input.form-autocomplete {
+- background-position: 100% 4px;
+-}
+-html.js input.throbbing {
+- background-position: 100% -16px;
+-}
++
+ ul.action-links {
+ margin: 1em 0;
+ padding: 0 20px 0 20px; /* LTR */
+Index: drupal7/themes/bartik/css/style-rtl.css
+===================================================================
+--- drupal7.orig/themes/bartik/css/style-rtl.css
++++ drupal7/themes/bartik/css/style-rtl.css
+@@ -225,10 +225,10 @@ ul.action-links li a {
+
+ /* Animated throbber */
+ html.js input.form-autocomplete {
+- background-position: 1% 4px;
++ background-position: 1% center;
+ }
+ html.js input.throbbing {
+- background-position: 1% -16px;
++ background-position: 1% center;
+ }
+
+ /* Comment form */
diff -Nru drupal7-7.32/debian/patches/db_sanitize_orderby
drupal7-7.32/debian/patches/db_sanitize_orderby
--- drupal7-7.32/debian/patches/db_sanitize_orderby 1969-12-31
18:00:00.000000000 -0600
+++ drupal7-7.32/debian/patches/db_sanitize_orderby 2014-11-21
13:28:18.000000000 -0600
@@ -0,0 +1,71 @@
+Origin: vendor
+Forwarded: not-needed
+From: Gunnar Wolf <gw...@debian.org>
+Last-Update: 2014-11-21
+Description: Fixes Drupal issue #829464
+ Security improvement: Made the database API's orderBy() method sanitize the
+ sort direction ("ASC" or "DESC") for queries built with db_select(), so that
+ calling code does not have to.
+ .
+ Backported from 7.33.
+Index: drupal7/includes/database/select.inc
+===================================================================
+--- drupal7.orig/includes/database/select.inc
++++ drupal7/includes/database/select.inc
+@@ -377,7 +377,8 @@ interface SelectQueryInterface extends Q
+ * @param $field
+ * The field on which to order.
+ * @param $direction
+- * The direction to sort. Legal values are "ASC" and "DESC".
++ * The direction to sort. Legal values are "ASC" and "DESC". Any other
value
++ * will be converted to "ASC".
+ * @return SelectQueryInterface
+ * The called object.
+ */
+@@ -1384,6 +1385,8 @@ class SelectQuery extends Query implemen
+ }
+
+ public function orderBy($field, $direction = 'ASC') {
++ // Only allow ASC and DESC, default to ASC.
++ $direction = strtoupper($direction) == 'DESC' ? 'DESC' : 'ASC';
+ $this->order[$field] = $direction;
+ return $this;
+ }
+Index: drupal7/includes/tablesort.inc
+===================================================================
+--- drupal7.orig/includes/tablesort.inc
++++ drupal7/includes/tablesort.inc
+@@ -46,10 +46,9 @@ class TableSort extends SelectQueryExten
+ // Based on code from db_escape_table(), but this can also contain a
dot.
+ $field = preg_replace('/[^A-Za-z0-9_.]+/', '', $ts['sql']);
+
+- // Sort order can only be ASC or DESC.
+- $sort = drupal_strtoupper($ts['sort']);
+- $sort = in_array($sort, array('ASC', 'DESC')) ? $sort : '';
+- $this->orderBy($field, $sort);
++ // orderBy() will ensure that only ASC/DESC values are accepted, so we
++ // don't need to sanitize that here.
++ $this->orderBy($field, $ts['sort']);
+ }
+ return $this;
+ }
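Review bot: Dropping the local ASC/DESC check in tablesort.inc leaves the unsanitized $ts['sort'] protected only by the new line in SelectQuery::orderBy(); the interface docblock now promises the conversion, but any other SelectQueryInterface implementation or extender that overrides orderBy() will receive the raw value. Consider keeping the check at this call site as defence in depth, or state in the interface documentation that implementers must enforce it. There is also a behaviour change worth recording: an invalid direction used to become '' and now becomes 'ASC'.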
+Index: drupal7/modules/simpletest/tests/database_test.test
+===================================================================
+--- drupal7.orig/modules/simpletest/tests/database_test.test
++++ drupal7/modules/simpletest/tests/database_test.test
+@@ -1947,6 +1947,15 @@ class DatabaseSelectOrderedTestCase exte
+
+ $this->assertEqual($num_records, 4, 'Returned the correct number of
rows.');
+ }
++
++ /**
++ * Tests that the sort direction is sanitized properly.
++ */
++ function testOrderByEscaping() {
++ $query = db_select('test')->orderBy('name', 'invalid direction');
++ $order_bys = $query->getOrderBy();
++ $this->assertEqual($order_bys['name'], 'ASC', 'Invalid order by direction
is converted to ASC.');
++ }
+ }
+
+ /**
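Review bot: testOrderByEscaping() covers only the fallback path ('invalid direction' becomes 'ASC'); nothing asserts that a lowercase 'desc' is normalised to 'DESC' by the strtoupper() branch, or that a value which starts with DESC and carries extra text is reduced to 'ASC'. Two more assertEqual() calls on getOrderBy() would pin both cases.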
diff -Nru drupal7-7.32/debian/patches/dont_lose_user_pictures
drupal7-7.32/debian/patches/dont_lose_user_pictures
--- drupal7-7.32/debian/patches/dont_lose_user_pictures 1969-12-31
18:00:00.000000000 -0600
+++ drupal7-7.32/debian/patches/dont_lose_user_pictures 2014-11-21
13:28:18.000000000 -0600
@@ -0,0 +1,56 @@
+Origin: vendor
+Forwarded: not-needed
+From: Gunnar Wolf <gw...@debian.org>
+Last-Update: 2014-11-21
+Description: Avoid losing user pictures when re-saving
+ Fixed a bug which caused user pictures to be removed from the user object
+ after saving, and resulted in data loss if the user account was subsequently
+ re-saved.
+ .
+ Fixes Drupal issue #935592
+ .
+ Backported from 7.33.
+Index: drupal7/modules/user/user.module
+===================================================================
+--- drupal7.orig/modules/user/user.module
++++ drupal7/modules/user/user.module
+@@ -501,12 +501,17 @@ function user_save($account, $edit = arr
+ file_usage_delete($account->original->picture, 'user', 'user',
$account->uid);
+ file_delete($account->original->picture);
+ }
++ // Save the picture object, if it is set. drupal_write_record() expects
++ // $account->picture to be a FID.
++ $picture = empty($account->picture) ? NULL : $account->picture;
+ $account->picture = empty($account->picture->fid) ? 0 :
$account->picture->fid;
+
+ // Do not allow 'uid' to be changed.
+ $account->uid = $account->original->uid;
+ // Save changes to the user table.
+ $success = drupal_write_record('users', $account, 'uid');
++ // Restore the picture object.
++ $account->picture = $picture;
+ if ($success === FALSE) {
+ // The query failed - better to abort the save than risk further
+ // data loss.
+Index: drupal7/modules/user/user.test
+===================================================================
+--- drupal7.orig/modules/user/user.test
++++ drupal7/modules/user/user.test
+@@ -1127,6 +1127,17 @@ class UserPictureTestCase extends Drupal
+
+ $pic_path2 = $this->saveUserPicture($image);
+ $this->assertNotEqual($pic_path, $pic_path2, 'Filename of second
picture is different.');
++
++ // Check if user picture has a valid file ID after saving the user.
++ $account = user_load($this->user->uid, TRUE);
++ $this->assertTrue(is_object($account->picture), 'User picture object is
valid after user load.');
++ $this->assertNotNull($account->picture->fid, 'User picture object has a
FID after user load.');
++ $this->assertTrue(is_file($account->picture->uri), 'File is located in
proper directory after user load.');
++ user_save($account);
++ // Verify that the user save does not destroy the user picture object.
++ $this->assertTrue(is_object($account->picture), 'User picture object is
valid after user save.');
++ $this->assertNotNull($account->picture->fid, 'User picture object has a
FID after user save.');
++ $this->assertTrue(is_file($account->picture->uri), 'File is located in
proper directory after user save.');
+ }
+ }
+
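Review bot: The added assertions in user.test inspect $account only after a single user_save(), whereas the patch description names the data loss as happening when the account is subsequently re-saved. Calling user_save($account) a second time, then user_load($this->user->uid, TRUE) and asserting is_file() on the reloaded picture URI, would exercise the regression the patch is meant to fix.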
diff -Nru drupal7-7.32/debian/patches/fix_bootstrap_phase
drupal7-7.32/debian/patches/fix_bootstrap_phase
--- drupal7-7.32/debian/patches/fix_bootstrap_phase 1969-12-31
18:00:00.000000000 -0600
+++ drupal7-7.32/debian/patches/fix_bootstrap_phase 2014-11-21
13:28:18.000000000 -0600
@@ -0,0 +1,65 @@
+Origin: vendor
+Forwarded: not-needed
+From: Gunnar Wolf <gw...@debian.org>
+Last-Update: 2014-11-21
+Description: Fixes Drupal issue #667098
+ Fixed a bug which caused drupal_get_bootstrap_phase() to abort the bootstrap
+ when called early in the page request.
+ .
+ Backported from 7.33.
+
+Index: drupal7/includes/bootstrap.inc
+===================================================================
+--- drupal7.orig/includes/bootstrap.inc
++++ drupal7/includes/bootstrap.inc
+@@ -2176,7 +2176,7 @@ function drupal_anonymous_user() {
+ * drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
+ * @endcode
+ *
+- * @param $phase
++ * @param int $phase
+ * A constant telling which phase to bootstrap to. When you bootstrap to a
+ * particular phase, all earlier phases are run automatically. Possible
+ * values:
+@@ -2189,11 +2189,11 @@ function drupal_anonymous_user() {
+ * - DRUPAL_BOOTSTRAP_LANGUAGE: Finds out the language of the page.
+ * - DRUPAL_BOOTSTRAP_FULL: Fully loads Drupal. Validates and fixes input
+ * data.
+- * @param $new_phase
++ * @param boolean $new_phase
+ * A boolean, set to FALSE if calling drupal_bootstrap from inside a
+ * function called from drupal_bootstrap (recursion).
+ *
+- * @return
++ * @return int
+ * The most recently completed phase.
+ */
+ function drupal_bootstrap($phase = NULL, $new_phase = TRUE) {
+@@ -2215,12 +2215,13 @@ function drupal_bootstrap($phase = NULL,
+ // bootstrap state.
+ static $stored_phase = -1;
+
+- // When not recursing, store the phase name so it's not forgotten while
+- // recursing.
+- if ($new_phase) {
+- $final_phase = $phase;
+- }
+ if (isset($phase)) {
++ // When not recursing, store the phase name so it's not forgotten while
++ // recursing but take care of not going backwards.
++ if ($new_phase && $phase >= $stored_phase) {
++ $final_phase = $phase;
++ }
++
+ // Call a phase if it has not been called before and is below the
requested
+ // phase.
+ while ($phases && $phase > $stored_phase && $final_phase > $stored_phase)
{
+@@ -2508,7 +2509,7 @@ function _drupal_bootstrap_page_header()
+ * @see drupal_bootstrap()
+ */
+ function drupal_get_bootstrap_phase() {
+- return drupal_bootstrap();
++ return drupal_bootstrap(NULL, FALSE);
+ }
+
+ /**
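Review bot: This patch ships no regression test for the behaviour change: drupal_get_bootstrap_phase() now calls drupal_bootstrap(NULL, FALSE) and $final_phase is only updated when $phase >= $stored_phase, yet only includes/bootstrap.inc is touched, unlike the db_sanitize_orderby, dont_lose_user_pictures and fix_field_has_data_return patches, which each add a test. The @param/@return type annotations in the first two hunks are also unrelated to the fix and could be dropped to keep the freeze-time diff minimal.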
diff -Nru drupal7-7.32/debian/patches/fix_field_has_data_return
drupal7-7.32/debian/patches/fix_field_has_data_return
--- drupal7-7.32/debian/patches/fix_field_has_data_return 1969-12-31
18:00:00.000000000 -0600
+++ drupal7-7.32/debian/patches/fix_field_has_data_return 2014-11-21
13:28:18.000000000 -0600
@@ -0,0 +1,108 @@
+Origin: vendor
+Forwarded: not-needed
+From: Gunnar Wolf <gw...@debian.org>
+Last-Update: 2014-11-21
+Description: Avoid data loss on entities with revisions due to wrong return
code
+ Fixed a bug in which field_has_data() did not return TRUE for fields that
+ only had data in older entity revisions, leading to loss of the field's data
+ when the field configuration was edited.
+ .
+ Fixes Drupal issue #2278583
+ .
+ Backported from 7.33.
+Index: drupal7/modules/field/field.module
+===================================================================
+--- drupal7.orig/modules/field/field.module
++++ drupal7/modules/field/field.module
+@@ -947,14 +947,17 @@ function field_get_items($entity_type, $
+ */
+ function field_has_data($field) {
+ $query = new EntityFieldQuery();
+- return (bool) $query
+- ->fieldCondition($field)
++ $query = $query->fieldCondition($field)
+ ->range(0, 1)
+ ->count()
+ // Neutralize the 'entity_field_access' query tag added by
+ // field_sql_storage_field_storage_query(). The result cannot depend on
the
+ // access grants of the current user.
+- ->addTag('DANGEROUS_ACCESS_CHECK_OPT_OUT')
++ ->addTag('DANGEROUS_ACCESS_CHECK_OPT_OUT');
++
++ return (bool) $query
++ ->execute() || (bool) $query
++ ->age(FIELD_LOAD_REVISION)
+ ->execute();
+ }
+
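Review bot: The return expression in field_has_data() now executes the same $query object twice, mutating it with age(FIELD_LOAD_REVISION) between the two calls, and nothing in the code says why. Add a short comment stating that the second execute() looks at revision data only when the count on current data is zero, and that both runs deliberately keep the DANGEROUS_ACCESS_CHECK_OPT_OUT tag.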
+Index: drupal7/modules/field/tests/field.test
+===================================================================
+--- drupal7.orig/modules/field/tests/field.test
++++ drupal7/modules/field/tests/field.test
+@@ -485,6 +485,66 @@ class FieldAttachStorageTestCase extends
+ }
+
+ /**
++ * Test field_has_data().
++ */
++ function testFieldHasData() {
++ $entity_type = 'test_entity';
++ $langcode = LANGUAGE_NONE;
++
++ $field_name = 'field_1';
++ $field = array('field_name' => $field_name, 'type' => 'test_field');
++ $field = field_create_field($field);
++
++ $this->assertFalse(field_has_data($field), "No data should be detected.");
++
++ $instance = array(
++ 'field_name' => $field_name,
++ 'entity_type' => 'test_entity',
++ 'bundle' => 'test_bundle'
++ );
++ $instance = field_create_instance($instance);
++ $table = _field_sql_storage_tablename($field);
++ $revision_table = _field_sql_storage_revision_tablename($field);
++
++ $columns = array('entity_type', 'entity_id', 'revision_id', 'delta',
'language', $field_name . '_value');
++
++ $eid = 0;
++
++ // Insert values into the field revision table.
++ $query = db_insert($revision_table)->fields($columns);
++ $query->values(array($entity_type, $eid, 0, 0, $langcode, 1));
++ $query->execute();
++
++ $this->assertTrue(field_has_data($field), "Revision data only should be
detected.");
++
++ $field_name = 'field_2';
++ $field = array('field_name' => $field_name, 'type' => 'test_field');
++ $field = field_create_field($field);
++
++ $this->assertFalse(field_has_data($field), "No data should be detected.");
++
++ $instance = array(
++ 'field_name' => $field_name,
++ 'entity_type' => 'test_entity',
++ 'bundle' => 'test_bundle'
++ );
++ $instance = field_create_instance($instance);
++ $table = _field_sql_storage_tablename($field);
++ $revision_table = _field_sql_storage_revision_tablename($field);
++
++ $columns = array('entity_type', 'entity_id', 'revision_id', 'delta',
'language', $field_name . '_value');
++
++ $eid = 1;
++
++ // Insert values into the field table.
++ $query = db_insert($table)->fields($columns);
++ $query->values(array($entity_type, $eid, 0, 0, $langcode, 1));
++ $query->execute();
++
++ $this->assertTrue(field_has_data($field), "Values only in field table
should be detected.");
++ }
++
++ /**
+ * Test field_attach_delete().
+ */
+ function testFieldAttachDelete() {
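Review bot: In testFieldHasData() the field_1 block assigns $table and the field_2 block assigns $revision_table without using them, and $instance is never read after field_create_instance(); the two blocks are otherwise copies of each other. Removing the unused assignments, or moving the shared setup into a small helper, would make it clearer that the first case inserts into the revision table only and the second into the field table only.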
diff -Nru drupal7-7.32/debian/patches/SA-CORE-2014-006
drupal7-7.32/debian/patches/SA-CORE-2014-006
--- drupal7-7.32/debian/patches/SA-CORE-2014-006 1969-12-31
18:00:00.000000000 -0600
+++ drupal7-7.32/debian/patches/SA-CORE-2014-006 2014-11-21
13:28:18.000000000 -0600
@@ -0,0 +1,79 @@
+Origin: vendor
+Forwarded: not-needed
+From: Gunnar Wolf <gw...@debian.org>
+Last-Update: 2014-11-21
+Description: Fixes SA-CORE-2014-006 (Session hijacking, Denial of service)
+ Backporting the diff between versions 7.33 and 7.34, applying it to
+ the currently frozen version (7.32). For further details, the
+ advisory is in:
+ .
+ http://drupal.org/SA-CORE-2014-006
+ This fix coves CVE-2014-9015 and CVE-2014-9016.
+
+Index: drupal7/includes/password.inc
+===================================================================
+--- drupal7.orig/includes/password.inc
++++ drupal7/includes/password.inc
+@@ -140,7 +140,7 @@ function _password_enforce_log2_boundari
+ * @param $algo
+ * The string name of a hashing algorithm usable by hash(), like 'sha256'.
+ * @param $password
+- * The plain-text password to hash.
++ * Plain-text password up to 512 bytes (128 to 512 UTF-8 characters) to
hash.
+ * @param $setting
+ * An existing hash or the output of _password_generate_salt(). Must be
+ * at least 12 characters (the settings and salt).
+@@ -150,6 +150,10 @@ function _password_enforce_log2_boundari
+ * The return string will be truncated at DRUPAL_HASH_LENGTH characters max.
+ */
+ function _password_crypt($algo, $password, $setting) {
++ // Prevent DoS attacks by refusing to hash large passwords.
++ if (strlen($password) > 512) {
++ return FALSE;
++ }
+ // The first 12 characters of an existing hash are its setting string.
+ $setting = substr($setting, 0, 12);
+
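Review bot: The 512 in the strlen() check of _password_crypt() is a bare literal that is repeated in the $password docblock above and as 512/513 in the new test; a named constant would keep the three in step. The early return also means callers receive FALSE for over-length input, so the function's @return text should say so if it does not already.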
+Index: drupal7/includes/session.inc
+===================================================================
+--- drupal7.orig/includes/session.inc
++++ drupal7/includes/session.inc
+@@ -79,7 +79,7 @@ function _drupal_session_read($sid) {
+ // Handle the case of first time visitors and clients that don't store
+ // cookies (eg. web crawlers).
+ $insecure_session_name = substr(session_name(), 1);
+- if (!isset($_COOKIE[session_name()]) &&
!isset($_COOKIE[$insecure_session_name])) {
++ if (empty($sid) || (!isset($_COOKIE[session_name()]) &&
!isset($_COOKIE[$insecure_session_name]))) {
+ $user = drupal_anonymous_user();
+ return '';
+ }
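Review bot: The empty($sid) guard in _drupal_session_read() is the security fix in this file, but the comment directly above it still describes only first-time visitors and cookie-less clients, and the patch adds no test for session.inc (only password.test changes). Extend the comment to say that an empty session ID is always treated as anonymous, and add a test that reads an empty $sid and expects the anonymous user.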
+Index: drupal7/modules/simpletest/tests/password.test
+===================================================================
+--- drupal7.orig/modules/simpletest/tests/password.test
++++ drupal7/modules/simpletest/tests/password.test
+@@ -57,4 +57,25 @@ class PasswordHashingTest extends Drupal
+ $this->assertFalse(user_needs_new_hash($account), 'Re-hashed password
does not need a new hash.');
+ $this->assertTrue(user_check_password($password, $account), 'Password
check succeeds with re-hashed password.');
+ }
++
++ /**
++ * Verifies that passwords longer than 512 bytes are not hashed.
++ */
++ public function testLongPassword() {
++ $password = str_repeat('x', 512);
++ $result = user_hash_password($password);
++ $this->assertFalse(empty($result), '512 byte long password is allowed.');
++ $password = str_repeat('x', 513);
++ $result = user_hash_password($password);
++ $this->assertFalse($result, '513 byte long password is not allowed.');
++ // Check a string of 3-byte UTF-8 characters.
++ $password = str_repeat('€', 170);
++ $result = user_hash_password($password);
++ $this->assertFalse(empty($result), '510 byte long password is allowed.');
++ $password .= 'xx';
++ $this->assertFalse(empty($result), '512 byte long password is allowed.');
++ $password = str_repeat('€', 171);
++ $result = user_hash_password($password);
++ $this->assertFalse($result, '513 byte long password is not allowed.');
++ }
+ }
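Review bot: In testLongPassword(), after $password .= 'xx'; the next assertFalse(empty($result), '512 byte long password is allowed.') runs without calling user_hash_password() again, so it re-checks the result for the 510-byte string and the 512-byte multibyte boundary is never tested. Insert $result = user_hash_password($password); between those two lines.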
diff -Nru drupal7-7.32/debian/patches/series drupal7-7.32/debian/patches/series
--- drupal7-7.32/debian/patches/series 2014-10-15 11:34:54.000000000 -0500
+++ drupal7-7.32/debian/patches/series 2014-11-21 13:28:18.000000000 -0600
@@ -1,2 +1,9 @@
cronjob.patch
debian_security_warning
+SA-CORE-2014-006
+fix_bootstrap_phase
+unicode_for_php_5.6
+db_sanitize_orderby
+ajax_throbber_align
+fix_field_has_data_return
+dont_lose_user_pictures
diff -Nru drupal7-7.32/debian/patches/unicode_for_php_5.6
drupal7-7.32/debian/patches/unicode_for_php_5.6
--- drupal7-7.32/debian/patches/unicode_for_php_5.6 1969-12-31
18:00:00.000000000 -0600
+++ drupal7-7.32/debian/patches/unicode_for_php_5.6 2014-11-21
13:28:18.000000000 -0600
@@ -0,0 +1,34 @@
+Origin: vendor
+Forwarded: not-needed
+From: Gunnar Wolf <gw...@debian.org>
+Last-Update: 2014-11-21
+Description: Fixes Drupal issue #2332295
+ Fixed a bug in the Unicode requirements check which prevented installing
Drupal on PHP 5.6.
+ .
+ Backported from 7.33.
+
+Index: drupal7/includes/unicode.inc
+===================================================================
+--- drupal7.orig/includes/unicode.inc
++++ drupal7/includes/unicode.inc
+@@ -116,11 +116,15 @@ function _unicode_check() {
+ if (ini_get('mbstring.encoding_translation') != 0) {
+ return array(UNICODE_ERROR, $t('Multibyte string input conversion in PHP
is active and must be disabled. Check the php.ini
<em>mbstring.encoding_translation</em> setting. Please refer to the <a
href="@url">PHP mbstring documentation</a> for more information.', array('@url'
=> 'http://www.php.net/mbstring')));
+ }
+- if (ini_get('mbstring.http_input') != 'pass') {
+- return array(UNICODE_ERROR, $t('Multibyte string input conversion in PHP
is active and must be disabled. Check the php.ini <em>mbstring.http_input</em>
setting. Please refer to the <a href="@url">PHP mbstring documentation</a> for
more information.', array('@url' => 'http://www.php.net/mbstring')));
+- }
+- if (ini_get('mbstring.http_output') != 'pass') {
+- return array(UNICODE_ERROR, $t('Multibyte string output conversion in PHP
is active and must be disabled. Check the php.ini <em>mbstring.http_output</em>
setting. Please refer to the <a href="@url">PHP mbstring documentation</a> for
more information.', array('@url' => 'http://www.php.net/mbstring')));
++ // mbstring.http_input and mbstring.http_output are deprecated and empty by
++ // default in PHP 5.6.
++ if (version_compare(PHP_VERSION, '5.6.0') == -1) {
++ if (ini_get('mbstring.http_input') != 'pass') {
++ return array(UNICODE_ERROR, $t('Multibyte string input conversion in
PHP is active and must be disabled. Check the php.ini
<em>mbstring.http_input</em> setting. Please refer to the <a href="@url">PHP
mbstring documentation</a> for more information.', array('@url' =>
'http://www.php.net/mbstring')));
++ }
++ if (ini_get('mbstring.http_output') != 'pass') {
++ return array(UNICODE_ERROR, $t('Multibyte string output conversion in
PHP is active and must be disabled. Check the php.ini
<em>mbstring.http_output</em> setting. Please refer to the <a href="@url">PHP
mbstring documentation</a> for more information.', array('@url' =>
'http://www.php.net/mbstring')));
++ }
+ }
+
+ // Set appropriate configuration
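Review bot: The version_compare(PHP_VERSION, '5.6.0') == -1 guard skips both the mbstring.http_input and mbstring.http_output checks entirely on PHP 5.6 and later, so a non-default value that does enable conversion there is no longer reported. Since the added comment says the settings are empty by default on 5.6, accepting an empty value in addition to 'pass' would fix installation without dropping the check; the comparison itself also reads more clearly as version_compare(PHP_VERSION, '5.6.0', '<').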
--- End Message ---