drupal.org - Security updates

Content syndication
Last updated: 17 minutes 15 seconds ago

drupal 7.11

2012-02-02 (Thu) 07:09
Last updated: February 1, 2012 - 22:11
Download (size, md5 hash):
  • drupal-7.11.tar.gz (2.66 MB) e9857e1749762367d7631d74cc6564a7
  • drupal-7.11.zip (3.08 MB) 687258ef31de9f5827779c33e594c25f
Official release from tag: 7.11

Maintenance and security release of the Drupal 7 series. Only fixes for security vulnerabilities have been committed. New features are only being added to the forthcoming Drupal 8.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

No other fixes are included. For additional bugfixes, see Drupal 7.12, released alongside Drupal 7.11.

drupal 6.23

2012-02-02 (Thu) 07:06
Last updated: February 1, 2012 - 22:10
Download (size, md5 hash):
  • drupal-6.23.tar.gz (1.05 MB) e3e752702d466a1babcb2a827d272424
  • drupal-6.23.zip (1.21 MB) 1d42f25d8336c4afc4f297ef828ddff6
Official release from tag: 6.23

The twenty-third maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities have been committed. New features are only being added to the forthcoming Drupal 8.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

No other fixes are included. For additional bugfixes, see Drupal 6.24, released alongside Drupal 6.23.

forward 7.x-1.3

2012-02-01 (Wed) 11:29
Last updated: February 1, 2012 - 02:31
Download (size, md5 hash):
  • forward-7.x-1.3.tar.gz (26.88 KB) 136b16da0beac72119815a762809f48f
  • forward-7.x-1.3.zip (29.61 KB) e80890fe38656d669e478a83298e7351
Official release from tag: 7.x-1.3

Release notes:

Add access control and flood control to prevent access bypass and CSRF vulnerabilities, plus additional minor fixes.

#251696: "Popular content" includes nodes user does not have access to
#1355598: Subject & body not changed

The upgrade is "code only" and does not require running the database update script.

IMPORTANT: Administrators of sites that rely on the Dynamic Block access bypass to operate correctly need to visit the Forward configuration page and explicitly select the Dynamic Block Access Control bypass option after upgrading. This should be rare, so most site administrators can simply upgrade the module without the need for additional configuration.

forward 6.x-1.21

2012-02-01 (Wed) 11:18
Last updated: February 1, 2012 - 02:20
Download (size, md5 hash):
  • forward-6.x-1.21.tar.gz (25.35 KB) 9a3c57f7b48a796e9d40d26b16f50184
  • forward-6.x-1.21.zip (27.91 KB) bd106133a9e22ff06fb0caf685eccaa2
Official release from tag: 6.x-1.21

Release notes:

Add access control and flood control to prevent access bypass and CSRF vulnerabilities, plus additional minor fixes.

#251696: "Popular content" includes nodes user does not have access to
#1355598: Subject & body not changed

The upgrade is "code only" and does not require running the database update script.

IMPORTANT: Administrators of sites that rely on the Dynamic Block access bypass to operate correctly need to visit the Forward configuration page and explicitly select the Dynamic Block Access Control bypass option after upgrading. This should be rare, so most site administrators can simply upgrade the module without the need for additional configuration.

commerce 7.x-1.2

2012-01-26 (Thu) 06:59
Last updated: January 25, 2012 - 22:00
Download (size, md5 hash):
  • commerce-7.x-1.2.tar.gz (340.96 KB) a7ac902711ce7c3e1722a015f41f2013
  • commerce-7.x-1.2.zip (461.48 KB) bcffdc62370f237b79c01e978029c020
Official release from tag: 7.x-1.2

Drupal Commerce 1.2 represents the efforts of 25 credited contributors and many others who reported bugs and usability improvements and helped test the solutions. This release primarily improves Drupal Commerce's performance and usability while including a variety of minor bug fixes, API improvements, and a minor security fix as described in SA-CONTRIB-2012-014 - Drupal Commerce - Cross Site Scripting (XSS).

Read on for a brief description of the changes since Drupal Commerce 1.1, notes on updating from previous versions, and a full change log of commits.

Performance improvements

Drupal Commerce 1.2 includes some key performance improvements contributed by a few developers optimizing it for use on sites with transaction volumes reaching into the tens of thousands per day. These improvements include the introduction of a few static caches and checks to prevent unnecessary processing in the following areas:

  • Currency formatting
  • Recalculation of product prices in the shopping cart refresh
  • Rendering of product fields injected into display nodes

Performance improvements also came in the form of new database indexes and a compound index on a variety of tables, particularly in conjunction with the foreign key declarations made in the hook_schema() arrays for our tables. Previously, under high load, database deadlocks could occur when orders were saved concurrently because of collisions on revision columns; the committed fix uses NULL for these columns to sidestep the unique-value restrictions.

Usability improvements

Drupal Commerce 1.2 includes many fixes to the default Views and a few configuration forms to simplify the on-site administration of customer profiles, products, and orders. Nearly every default View was changed in some way, with the most notable changes being the addition of exposed filters to help administrators find the items they're looking for in the Views. Additionally, we added a "Shopping carts" tab to the primary Orders View so store administrators will be able to locate shopping cart orders and orders in checkout without having to remove the default filter on the primary Orders View.

This release also brings the addition of product revision support, displayed on product edit forms in a "Change history" fieldset. This is the first step toward undoing accidental changes to product data, as every change can now be saved in a separate revision for future browsing and reversion.

Developer experience (DX) Improvements

Developers will be delighted to note the following improvements:

  • We completed the documentation of all the hooks defined by the Commerce modules or invoked in conjunction with Rules events in our .api.php files.
  • We consolidated our CSS files into .base.css, .admin.css, and .theme.css files (a.k.a. BAT notation) to help themers find and target the CSS rules they want to override.
  • Uninstallation has been brought up to date to conform to changes in Drupal 7.4+ and support reinstallation on the same database if necessary (still not recommended).
  • The Views form methods were removed from the line item summary area handler, so it no longer triggers the Views form build process; instead we implemented a workaround to reorder Commerce area handlers with respect to Views form submit buttons, which was the only reason we used the form methods instead of the normal render methods before.

Updating from previous versions

As always, updates should be tested in a non-production environment. Back up your files and database before installing Drupal Commerce 1.2 and running update.php. This release involves a few updates to the database schema to add indexes and a new product revision table, and it includes a batch process to create the initial revisions for all of the products on your site. This process may take a while on sites with large product catalogs, as it iterates over 50 products at a time, performing an INSERT and an UPDATE query for each product.

Sites with custom modules may need to take into consideration two minor API changes:

  1. In a couple of areas, such as the tax rate and product reference select lists, we were sanitizing the values of the #options array in our form builder functions. However, the Forms API already sanitizes these values, but only for select list form elements. If your module alters a select list form element and changes its type (e.g. to a radios or checkboxes element), you are now responsible for sanitizing the values of the #options array in your alter function.
  2. hook_commerce_cart_order_is_cart() has been marked deprecated in favor of the new hook_commerce_cart_order_is_cart_alter() and will be removed in future versions.
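The sanitization responsibility described in item 1, as an added example that is not Commerce project code: a hypothetical module (`mymodule`, the form ID `example_product_form` and the element key `product_type` are all assumptions) alters a select list into radios and must therefore escape the #options labels itself, because form_select_options() only does so for select elements.

```php
<?php
/**
 * Added example, not part of Drupal Commerce. Demonstrates the minor API
 * change in Commerce 1.2: the module that changes a select list's #type is
 * now responsible for sanitizing the #options labels. Form ID, element key
 * and module name are hypothetical.
 */

/**
 * Implements hook_form_FORM_ID_alter().
 *
 * 'example_product_form' and $form['product_type'] are assumed names.
 */
function mymodule_form_example_product_form_alter(&$form, &$form_state) {
  if (isset($form['product_type']) && $form['product_type']['#type'] == 'select') {
    // Commerce 1.2 no longer escapes #options here because the Forms API
    // does it in form_select_options() for 'select' elements. Radios render
    // each option label as an element #title, which is not check_plain()'d,
    // so user-supplied labels (e.g. product type names) must be escaped now.
    $form['product_type']['#type'] = 'radios';
    $form['product_type']['#options'] = mymodule_sanitize_options($form['product_type']['#options']);
  }
}

/**
 * Returns a copy of an #options array with every label passed through
 * check_plain(). Nested arrays (option groups) are handled recursively so
 * the helper can be reused for checkboxes or other alterations.
 *
 * Keys are left untouched: they are escaped by drupal_attributes() when
 * rendered as the radio's value attribute.
 */
function mymodule_sanitize_options(array $options) {
  $sanitized = array();
  foreach ($options as $key => $label) {
    if (is_array($label)) {
      $sanitized[$key] = mymodule_sanitize_options($label);
    }
    else {
      $sanitized[$key] = check_plain($label);
    }
  }
  return $sanitized;
}
```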

From a site configuration standpoint, you now have the ability to enable product revisions by default (or not) on the product type configuration form. All product types default to creating new revisions when edited via the UI.

Additionally, the changes to the default Views will not go into effect if you have already customized your Views. They amounted to adjusting some default sorts, adding exposed filters, and adding a "Shopping carts" tab to the Orders View. None are essential, but they do make on-site administration of customer profiles, products, and orders easier. If you have customized your Views, you will need to manually add these features to your Views, or reset your Views and then recreate your changes on them.

Notes on the security announcement

Sites using Drupal Commerce 1.1 that gave product creation permissions to non-trusted users (e.g. marketplaces or multi-seller stores) may be vulnerable to cross-site scripting as described in the security announcement.

This is only a problem if the site uses product display nodes that include the title or SKU of the referenced product in the node display through the Product Reference module's field injection feature. These sites must be updated to Drupal Commerce 1.2... but with all the good features packed in here, there's no reason for anyone to stay on 1.1. : )

Change log

Changes since 7.x-1.1 (73 commits):

  • #1207242 by rfay, rszrama: fix the product form submission routine to check the access type on the revision checkbox when determining whether or not to create a new revision.
  • #1362412 by rszrama: remove an unnecessary check on an order's uid in the checkout access function so redirected payment methods will properly handle the return of anonymous customers when a payment notification has already been received and processed, causing a user to be created and associated with the order.
  • Reset the default Rules when a payment method module is enabled.
  • Implement preprocess hooks for the product SKU and title templates to sanitize SKUs and titles at that point instead of when the theme function is called.
  • #1352774 by das-peter, amateescu: improve the performance of referenced product field injection by only rendering visible fields for the requested view mode.
  • #1207242 by amateescu, skipyT, dpolant: add support for product revisions.
  • Validate the order e-mail address when an edit form is submitted.
  • #1256302 by bojanz, edmund.kwok: change the line item area summary handler back to a non-Views form rendering method and instead use a Views preprocess hook to rearrange Commerce area handlers in the footer with respect to the form submit buttons.
  • #1219762 by dpolant, amateescu: add a Views filter handler for price amount columns so Views may include price filters that accept values in the appropriate major unit instead of the minor unit.
  • #1029638 by mr.baileys, rszrama: create custom empty text area handlers for the Customers, Orders, and Products Views that create empty text messages with links to the various add forms and accommodate exposed filters returning no results, too.
  • #1386816 by googletorp: rearrange and combine stylesheets for each module into .base.css, .admin.css, and .theme.css stylesheets for an improved theme experience.
  • Do not sanitize the #options values of the select lists used to specify which View should be used in the cart contents pane settings and the line item reference field's display formatter settings.
  • Do not sanitize the title of display inclusive tax rates when building the #options array for the select list altered onto product forms to input prices including the tax; it will be handled by form_select_options().
  • Sanitize the display title of price components when the price field display formatter shows the breakdown of price components.
  • #1331788 by dpolant: update the default checkout completion e-mail notification to use the [commerce-order:customer-url] token instead of building the URL in the message; deprecate the [commerce-order:url] token in favor of the more specific naming convention and add an admin-url token as well.
  • #1403972 by bojanz, amateescu: implement hook_system_info_alter() in the Commerce module to workaround uninstallation changes in Drupal 7.4+, making uninstallation and reinstallation possible again.
  • #1356958 by vasike: change the Tax module's implementation of hook_field_attach_load() to acknowledge the fact that field deletion will result in this hook being invoked without fully loading the entities passed in the parameter, requiring us to ensure field data exists before attempting to manipulate it.
  • #1089328 by rszrama: do not double the sanitization of options list values for product reference field options when a select list widget is being used; same for product add menu items where we were double sanitizing product type titles.
  • #1365202 by Fonant, willkaxu, rszrama: do not sanitize the #options values for the product selector element since the default type is a select list; the minor API change commented in-line is that if other modules are altering this element to a different form element type (like 'radios'), they are responsible for sanitizing the #options values, too.
  • Fix a function name typo in the Order module.
  • #1366976 by Damien Tournoud, mjpa, rszrama: allow hook_commerce_cart_order_id() to return FALSE indicating that the user does not have a valid cart order ID.
  • #1322854 by Damien Tournoud, amateescu: minor API change - update hook_commerce_cart_order_is_cart() to allow modules to affirm an order is a cart instead of just deny it; also marked that hook as deprecated and added an alternate hook_commerce_cart_order_is_cart_alter() to be used instead.
  • #1345052 by mr.baileys: avoid unnecessary product view mode creation for the view modes created via product reference field associations.
  • #1402866 by amateescu: prevent notices in the Product Reference module's extra fields integration when there are no defined product types.
  • #1260382 by amateescu: use the customer profile reference field instance name for related checkout pane to allow for retitling of customer profile checkout panes via the UI.
  • #1274986 by amateescu: specify the proper access callback for the Rules event 'When an order is first paid in full' defined by the Payment module.
  • #1363814 by bojanz, amateescu, Damien Tournoud: retain saved orders in the entity cache until the cache gets explicitly reset.
  • #1363826 by Damien Tournoud, bojanz, amateescu: change the revision_id and order_number columns in the commerce_order table and order_number in the commerce_order_revision table to support NULL values to avoid database deadlocks when orders are inserted concurrently (caused by the UNIQUE constraint on the order_number column).
  • #1408664 by bojanz: update the status property for products to be a boolean in its entity property info declaration.
  • Fix the type column name for the uid_by_type index on the commerce_customer_profile table.
  • #1388868 by darrylh, rszrama: add indexes to the customer profile table, including a combined index on uid and type.
  • Add indexes to the line item table for Order ID and line item type.
  • #1403906 by serialjaywalker: add indexes to foreign key columns for products, orders, and payment transactions.
  • #1377746 by amateescu: only refresh a shopping cart order object on load if it represents the latest revision of the order.
  • #1403212 by mr.baileys: fix some entity property info declaration for the Customer profile and Product entities.
  • #1404882 by mr.baileys: remove an unnecessary check_plain() call in t() where a % placeholder is being used.
  • Filter the line items View for orders to only show product line items by default.
  • Update the default line items View used in the display formatter for the line item reference field attached to orders.
  • Update the Order payments View and change its date display to Drupal's short format, which includes the time instead of just the date.
  • Update the main Customers View and add an exposed filter to filter the View by customer name.
  • Move the creation of the Shopping Carts tab on the main Orders View to the Cart module and remove entirely the alteration of the default View by the Checkout module; it was unnecessary, as the tab only needs to appear when the shopping cart is being used.
  • Change the default sort on the customer Orders View to be the order number descending instead of the created timestamp.
  • Add the product status to the main Products View and include an exposed filter to search by SKU fragments.
  • #1400242 by mr.baileys: remove check_plain() calls from within two drupal_set_title() calls; they are redundant.
  • #1068940 by amateescu: fix a CSS problem and strict PHP notice with respect to embedding the 'View order' form in the Views area handler.
  • #1230114 by googletorp: Allow use of raw product type values in Views.
  • Fix the default sort on the admin Orders View and add a separate tab for Shopping cart / Checkout orders; make use of the new 'View order' form area handler in the View's header.
  • #737810 by dpolant: add unit tests for Order CRUD and define order property info for the hostname column.
  • #1397096 by mr.baileys: only show the checkbox to include a checkout pane in the review pane if the checkout pane defines a review callback.
  • #1068940 by dpolant, rszrama: add a 'View order' form Views area handler that redirects to the specified order view page on submission.
  • #1380394 by fibero: add support for Kazakhstani Tenge (KZT).
  • #1380714 by Artusamak: add context to the credit card issue number string.
  • #1380738 by Artusamak: add missing t() calls around machine name strings in overviews.
  • #1377754 by rszrama: remove instances of rowCount() from queries that count items in the database.
  • #1377812 by Dippers: fix the default display formatter for customer profile reference fields to a formatter that actually exists.
  • #1363838 by Damien Tournoud: Don't reload every product one by one when refreshing cart orders, because we have other methods in place now to prevent the duplicate sell price calculation of loaded products.
  • #1363808 by Damien Tournoud: store currency info in a static cache so we don't hit the DB cache multiple times.
  • #1356006 by fago, pcambra, rszrama: fix the property info definition for our reference fields by removing some unnecessary code for product reference fields and leaving the fields' query callbacks intact.
  • Fix the Payment transaction amount field handler to ensure the amount is converted to a decimal value on output.
  • Reorder the Configuration menu item to always appear at the bottom of the Store menu with a weight of 50.
  • #1371718 by seddonym: rename hook implementations inside the Payment module.
  • #1365622 by noland: fix an if statement to use == instead of = when checking if a currency should be converted to a decimal value for formatting.
  • Add a missing parameter to commerce_round() in the line item action 'Divide the unit price by some amount.'
  • #1362774 by iswilson: fix the parameter check in commerce_line_items_total().
  • Add missing documentation for all the remaining hooks invoked directly by all the Commerce modules and ensure all hooks are represented in the various modules' implementations of hook_hook_info().
  • Add missing documentation for Commerce hooks.
  • #1357364 by rszrama: add missing documentation for Product hooks.
  • #1115994 by jeff.maes: set a high #maxlength back on the product reference textfield widget to get around Drupal's default maxlength on textfields.
  • #1345890 by pcambra, rszrama: alter entity queries to allow querying on the non-existent state column by rewriting property conditions for state to look for statuses in the specified state.
  • #1356186 by rszrama, dpolant: add missing documentation for Customer hooks.
  • #1356202 by rszrama, dpolant: add missing documentation for Checkout hooks.
  • #1356232 by dpolant: add missing hook documentation for the Payment module.
  • #1356168 by dpolant: add missing hook documentation for the Order module.

itunesuprofile 6.x-1.0-rc1

2012-01-21 (Sat) 06:47
Last updated: January 20, 2012 - 21:50
Download (size, md5 hash):
  • itunesuprofile-6.x-1.0-rc1-core.tar.gz (4.15 MB) 96d1a814b0e841ff5b05ee36f5acd7c9
  • itunesuprofile-6.x-1.0-rc1-core.zip (5.18 MB) 7004268d843cf842f44e756e2b2b9eef
  • itunesuprofile-6.x-1.0-rc1-no-core.tar.gz (3.09 MB) 68e9d16e2210c5296a8aa3304fba9c70
  • itunesuprofile-6.x-1.0-rc1-no-core.zip (3.9 MB) 5b9ea31eb2d05522c89db5eaab36bf95
  • itunesuprofile-6.x-1.0-rc1.tar.gz (169.26 KB) 17dc635e1c2ae57cb61dbfe561d9210c
  • itunesuprofile-6.x-1.0-rc1.zip (193.99 KB) d9784af5bd730ed456d56d2dd6953007
Official release from tag: 6.x-1.0-rc1

In this package (project, version, status):
  • Drupal core 6.22: Not secure (Recommended: 6.24)
  • Arrange Fields 6.x-1.4: Update available (Recommended: 6.x-1.5)
  • Active Tags 6.x-1.9: Up to date
  • Administration menu 6.x-1.8: Up to date
  • Chaos tool suite (ctools) 6.x-1.8: Up to date
  • Content Construction Kit (CCK) 6.x-2.9: Up to date
  • Content Taxonomy 6.x-1.0-rc2: Up to date
  • Diff 6.x-2.3: Up to date
  • DraggableViews 6.x-3.5: Up to date
  • Features 6.x-1.2: Up to date
  • FileField 6.x-3.10: Up to date
  • getID3() 6.x-1.5: Up to date
  • Google chart API 6.x-1.3: Up to date
  • Install Profile API 6.x-2.1: Up to date
  • jQuery UI 6.x-1.5: Up to date
  • Link 6.x-2.9: Up to date
  • LoginToboggan 6.x-1.10: Up to date
  • Panels 6.x-3.10: Up to date
  • Strongarm 6.x-2.1: Up to date
  • Views 6.x-2.16: Up to date
  • Views Bulk Operations (VBO) 6.x-1.12: Up to date
  • Views Custom Field 6.x-1.0: Up to date

This is the first release candidate. It introduces a few improvements, as well as fixing several bugs.

Because the version of Panels previously included (3.9) contains security problems, upgrading is strongly encouraged.

To update from a previous version, see the project page for instructions.

KNOWN ISSUE: If some users are seeing some raw PHP code on screen instead of buttons/links, log in as administrator (user/1), go to admin/build/pages/nojs/operation/node_view/handlers/node_view_panel_context/content, and hit the "Update and Save" button at the bottom.

Changes since 6.x-1.0-beta4:

New features:

  • Tracks can now have thumbnails, with a shipped default. There's a new menu item for configuring the default URLs to use for thumbnails. Included are two GPL-licensed PNG icons for the default track and collection thumbnails. When importing existing feeds, the <itunes:image> element is parsed and put into this new field (note that not many existing feeds contain this element).
  • Collections now have a "Bulk edit" tab which allows for mass editing.
  • Added "Hide item from feed" field that controls showing/hiding of tracks on XML feed. If upgrading, all current items will be set to "show". Note that "hidden" items are highlighted in the track listing under each collection.
  • Added a per-track stats report in the collections' "stats" tab as a sortable HTML table. The table can also be downloaded as an XLS file (actually an HTML file inside an .xls file).
  • Added diff module to view changes within items' revisions.

Fixes and security updates:

  • Upgrade to newest modules to comply with security updates and versions.
  • Fixed: was not correctly saving collection image to FTP server at node creation time if FTP path different from default.
  • Fixed: Was checking for "Editor" role instead of the correct "Content manager" role.
  • Fixed: collection image URL not correct if image is a local file instead of a remote URL.
  • Corrected the file extensions allowed for media files (.avi was being allowed, for instance).
  • Changed getid3.module setting in feature, to not show warnings.
  • Fixed the itunesu_importer_nids_* variables storing information for all nodes, not just collection nodes.
  • Fixed itunes_feed_builder_update_6001() not properly updating block contents.
  • Fixed bug: missing pager in the 'all items' view.

managesite 6.x-1.1

2012-01-20 (Fri) 06:23
Last updated: January 19, 2012 - 21:25
Download (size, md5 hash):
  • managesite-6.x-1.1.tar.gz (16.06 KB) 3919dabd0631a54ad940ac8a70b660c6
  • managesite-6.x-1.1.zip (17.3 KB) 8731c1ce68131e29c2d489a898ffeee6
Official release from tag: 6.x-1.1

SA-CONTRIB-2012-015 - Managesite - Cross Site Scripting (XSS)

search_autocomplete 7.x-2.1

2012-01-20 (Fri) 03:48
Last updated: January 19, 2012 - 18:50
Download (size, md5 hash):
  • search_autocomplete-7.x-2.1.tar.gz (29.09 KB) 12e1cc870633c895f9bc71a9bf084e1a
  • search_autocomplete-7.x-2.1.zip (35.87 KB) 3f1bb2d363148ef6d69d4c457030101c
Official release from tag: 7.x-2.1

Fix for SA-CONTRIB-2012-013 - Search Autocomplete - SQL Injection

Security Issue fix:
- Major SQL injection security issue fixed.
Major Issue fix:
- #1313178: Search Autocomplete Settings not Saved: settings were propagated to every form instead of only the child form.
Minor Issue fix:
- #1316596: JavaScript Error: minor JavaScript issue, fixed for old IE compatibility.
New functionality:
- #192424: Language sensitive Search Autocomplete : add new placeholder for potential language sensitive autocompletion.

commons_release 6.x-2.4

2012-01-19 (Thu) 12:12
Last updated: January 19, 2012 - 03:15
Download (size, md5 hash):
  • commons_release-6.x-2.4.tar.gz (8.24 KB) 0c29cdb81a0e83ecc7a590cd7e40ec95
  • commons_release-6.x-2.4.zip (9.01 KB) 3609654be9a8b3bf07f4ee5f85301ffa
Official release from tag: 6.x-2.4

Commons 2.4 fixes security issues with contributed modules included in Commons and many other enhancements. Please see the release notes for more information.

quicktabs 7.x-3.3

2012-01-19 (Thu) 05:41
Last updated: January 18, 2012 - 20:45
Download (size, md5 hash):
  • quicktabs-7.x-3.3.tar.gz (72.94 KB) fbb89f0a5312265335f4e4dcece951fe
  • quicktabs-7.x-3.3.zip (120.31 KB) f71d03e0825e39053794a44d7e3f09ba
Official release from tag: 7.x-3.3

SA-CONTRIB-2011-012 - Quicktabs - Cross Site Scripting (XSS)

quicktabs 6.x-3.1

2012-01-19 (Thu) 05:41
Last updated: January 18, 2012 - 20:45
Download (size, md5 hash):
  • quicktabs-6.x-3.1.tar.gz (64.74 KB) 5527e9bdafb34d9a7b67baaaf7b1cad1
  • quicktabs-6.x-3.1.zip (100.9 KB) 772d04e2c71f9ab50d54efcded57c807
Official release from tag: 6.x-3.1

SA-CONTRIB-2011-012 - Quicktabs - Cross Site Scripting (XSS)

quicktabs 6.x-2.1

2012-01-19 (Thu) 05:40
Last updated: January 18, 2012 - 20:40
Download (size, md5 hash):
  • quicktabs-6.x-2.1.tar.gz (62.88 KB) a30441000a69c66ddbff27fcf8454104
  • quicktabs-6.x-2.1.zip (98.96 KB) afeeb9b427bcb31f86795071282c02f6
Official release from tag: 6.x-2.1

SA-CONTRIB-2011-012 - Quicktabs - Cross Site Scripting (XSS)

panels 7.x-3.0

2012-01-19 (Thu) 05:07
Last updated: January 18, 2012 - 20:10
Download (size, md5 hash):
  • panels-7.x-3.0.tar.gz (318.51 KB) ff701b5e4bcea2d85a4bf9ea3a1ebc42
  • panels-7.x-3.0.zip (392.31 KB) 73b1fee9aefd5fbe2f46998d5a843c77
Official release from tag: 7.x-3.0

Changes since 7.x-3.0-alpha2:

  • by Justin Klein Keane: Sanitize region names in admin view to prevent XSS attack via flexible layout creator. See SA-CONTRIB-2012-011 for more details.
  • #979912: Remove theme code that can cause plugins to disappear during maintenance mode.
  • Remove prefix from previous commit.
  • #1178334 by jenlampton: Add template suggestions for panel pane based on pane type and subtype.
  • Remove errant debug message.
  • #1132356 by Letharion: Fix panel node update 6001 to proper db_add_field for D7
  • Remove the node override page wizard and instead encourage people to use panelizer or display suite.
  • #1234616 by dlerman2: No way to validate layout settings on layouts that have settings.
  • #1352798 by andypost: Ensure 1 column panel has 100% width.
  • #1349118 by DamienMcKenna: Improve cache key generation for exported panels.
  • #1261384 by MyXelf: Support D7 title_prefix and title_suffix on panes.
  • #1277908 by ASupinski: Better pane counting on exports that will create more unique pane ids when exporting multiple panels.
  • #1308954 by liquidcms: Increase #maxlength on panel title to facilitate use of tokens.
  • #1306508 by inolen: Add naked style to regions.
  • #1318142 by Steven Merrill: Add pane prefix/suffix to panels to facilitate ESI caching.
  • #1079792 by Amitaibu: Exit render early if $content is NULL.
  • #1298352 by zhgenti: Update css/js caching to D7 versions of drupal_add_js and drupal_add_css
  • #1212670: Ensure simple cache respects the pager.
  • #1150496: Fix strict notice with wrong set to display->cache_key
  • #1254006 by jsacksick: Fix not updated call to drupal_clone
  • #1241064 by pillarsdotnet: Ensure content object returned by ctools_content_render is in fact an object.
  • #115610 by chsoney: Stylizer preview not working properly due to incorrect theme() call.
  • #1144650 by Amitaibu: Fix notice if mini panel was deleted but still used in a panel somewhere.
  • #1168382 by lyricnz: Three column stacked not in right category, update to new plugin style.
  • #1308326 by Cyberwolf: Fix strict warnings with views integration.
  • #1264404 by Pisco: Wrong signature on pane edit access settings form causes form misbehavior.
  • #1159072 by DamienMcKenna: Fix doxygen on hook_default_panels_renderer_pipeline
  • #1195586 by swentel and entrigan: Fix missing display links.
  • #1313642 by careernerd, droath: Adding an 'Administer panels styles' permission
  • #1353904: Fix update 7301.
  • Last commit broke add pane in back-end editor.
  • #1212492 by letharion: Replace usage of non-existent variable with correct one
  • Implement pane and region locking.
  • Prevent Panels from messing up CTools cache plugins.
  • Do not pretend to implement CTools cache plugins.
  • Use non-reference to panes to avoid breaking during #ajax caching.
  • $display is not the same as $this->display
  • Allow display to have knowledge of the renderer.
  • #956394: Database column for "layout" field too small for some custom layouts.
  • #1106302: Saved Flexible layouts break if using only defaults.
  • Serious visual and structural improvements to IPE button panel to facilitate adding more buttons.
  • #1249332: Make IPE "customize this page" button themable.
  • Remove unused "#form_context_id"
  • Remove references to no longer used theme for panels_edit_display_form
  • Throbber improvements.
  • Switch to using dropdown buttons on mini panels and custom layouts.
  • #1136254: Need to ctools_include(export) some reason in the layout machine name uniqueness test.
  • Restore lost field region selector.
  • Fix error with missing media in inline add_css.
  • #1130300 by dereine: Panel fields should derive from fields, not the generic row.
  • #1077976 by esmerel: added link to issue #887560 to README.TXT
  • #1093852: Complete upgrade of reusable layouts.
  • #1082098: Notice about missing style in style settings.
  • Require permission to administer styles in order to administer styles.
  • #1062290: "use_pager" notice when using simple cache.
  • #1027724: Fix contextual links rendering even when contextual.module is not enabled.
  • Structural changes to make form contexts work again.
  • #959016: Fix the fallback for node_edit task.
  • Create a theme callback to prevent Panels from accidentally changing themes when using AJAX modals.
  • Removing translation directories
  • Stripping CVS keywords
  • #1008120: "classes" not passing through to rounded shadow pane stylizer style, preventing style from working.
  • #954324 by EclipseGc: Fix broken delete statement in mini panel uninstall.
  • #1056464 by EclipseGc: Fix broken delete statement in mini panel delete.
  • #1025716: Panels fields broken in last update.

panels 6.x-3.10

2012-01-19 (Thu) 05:03
Last updated: January 18, 2012 - 20:05

Download                 Size       md5 hash
panels-6.x-3.10.tar.gz   335.1 KB   6ac33969c559b8de115d8a33c6439a84
panels-6.x-3.10.zip      410.54 KB  6eb5492de5b8fe4e1ed3b498e79479a5

Official release from tag: 6.x-3.10

Changes since 6.x-3.9:

  • Security Advisory: SA-CONTRIB-2012-011 by Justin Klein Keane: Sanitize region names in admin view to prevent XSS attack via flexible layout creator.
  • #979912: Remove theme code that can cause plugins to disappear during maintenance mode.
  • Minor fix to caching spotted in d7
  • #1241064 by pillarsdotnet: Ensure content object returned by ctools_content_render is in fact an object.
  • #1082098 by mikeytown2: Fix notice with styles.
  • #1159072 by DamienMcKenna: Fix doxygen on hook_default_apenls_renderer_pipeline
  • #865840 by c4rl: Give the legacy error message an actual link
  • #956394 by DamienMcKenna: Layout field too small for custom flexible.
  • #1106302: Saved Flexible layouts break if using only defaults.
  • Restore lost field region selector.
  • #1130300 by dereine: Panel fields should derive from fields, not the generic row.
  • Remove conflict from cherrypick
  • Require permission to administer styles in order to administer styles.
  • Fix notice caused by unsetting $_POST
  • Removing translation directories

stickynote 7.x-1.1

2012-01-18 (Wed) 10:08
Last updated: January 18, 2012 - 01:10

Download                   Size       md5 hash
stickynote-7.x-1.1.tar.gz  12.56 KB   a89d628ccca3fd1502dae3e9dd51c6a2
stickynote-7.x-1.1.zip     15.19 KB   0fb5e6a3606047b73f9b3a030dc17e27

Official release from tag: 7.x-1.1

Fixed CSRF and XSS vulnerabilities by adding confirmation and tokens for deletes and filtering user input.

revisioning 7.x-1.3

2012-01-17 (Tue) 12:27
Last updated: January 17, 2012 - 03:30

Download                    Size       md5 hash
revisioning-7.x-1.3.tar.gz  44.69 KB   8899aa9cbfd3cd4d9745ea3e2e6507b7
revisioning-7.x-1.3.zip     57.4 KB    ee7f89efa5e3db180eddd2bcc46f47c8

Official release from tag: 7.x-1.3

SA-CONTRIB-2012-009 - Revisioning - Access bypass

media 7.x-2.0-unstable3

2012-01-13 (Fri) 07:57
Last updated: January 12, 2012 - 23:00

Download                          Size       md5 hash
media-7.x-2.0-unstable3.tar.gz    161.2 KB   d0180ed379f65cd07c3218c93545baf4
media-7.x-2.0-unstable3.zip       188.84 KB  8d079be735b46e02d4f56051e67f3a62

Official release from tag: 7.x-2.0-unstable3

This release should be used in conjunction with File entity 7.x-2.0-unstable3.

Changes since 7.x-2.0-unstable2:

  • #985646: Use $entity->original instead of field_attach_upload() in mediafield_field_update().
  • #1396490: Cleanup multiple edit code and comments.
  • #1396490 by agentrickard, szantog, Dave Reid: Updated the multi form functionality.
  • #1287302: If there are no files to display mediafield_field_formatter_view() should also return an empty array.
  • #1354458: Fixed 'Cancel' button missing on the Upload and Web media browser tabs.
  • Fixed file name XSS with theme_media_thumbnail().
  • #Fixed media_field_widget_form() gets the 'uri_scheme' setting from instance settings when it should from field settings.
  • #1359588: Fixed the file extension setting should be in mediafield_field_instance_settings_form() and not in the widget settings.
  • #1324316: Explain why the media field is deprecated in the module description.
  • #1344912: Added a cancel link on the import media page.
  • #1247620 by wojtha, idflood: Fixed various undefined variables which cause minor bugs and PHP notices.
  • #1335290: Fixed the media widget form should be unrestricted and not require the 'Edit file' permission.
  • #1328652: Fixed fake cancel buttons not properly ordered on form-based browser plugins.
  • #1342546: The Views media browser plugin did not check view access.
  • #1317098: Fixed bugs in the fake submit handler exposed via the Views media browser.
  • #1290556: Make it explicit that MediaInternetBaseHandler child classes should implement claim method.
  • Added an update to enable the Views module since it is now a dependency and does not get automatically enabled.
  • #1295448: Move the MediaBrowserInternet class out of media_internet.module to hopefully allow update.php to run.
  • Fixed media_internet security issue with copying invalid remote files.

media 7.x-1.0-rc3

2012-01-13 (Fri) 07:54
Last updated: January 12, 2012 - 22:55

Download                   Size       md5 hash
media-7.x-1.0-rc3.tar.gz   173.04 KB  41fb3d8f96e21b5273dff60f8e102a2e
media-7.x-1.0-rc3.zip      201.27 KB  19eb8605701c99799876a8acb11dd0a0

Official release from tag: 7.x-1.0-rc3

Changes since 7.x-1.0-rc2:

  • Fixed the 'edit' operation link on admin/content/file should be using sentence case.
  • #985646: Use $entity->original instead of field_attach_upload() in media_field_update().
  • #1287302: If there are no files to display mediafield_field_formatter_view() should also return an empty array.
  • Fixed file name XSS with theme_media_thumbnail().
  • #1258286 by Berdir, Dave Reid: Add static cache to file_displays().
  • #Fixed media_field_widget_form() gets the 'uri_scheme' setting from instance settings when it should from field settings.
  • #1359588: Fixed the file extension setting should be in media_field_instance_settings_form() and not in the widget settings.
  • #1347624: Added support for .webp files and the image/webp MIME type.
  • Add image dimensions to the image file formatter.
  • #1327398: Fixed the image file formatter should return output for any images that the current toolkit can support.
  • #1174374 by das-peter, Pisco, Dave Reid: Backported the media.admin.js improvements from 7.x-2.x to fix bugs with local actions on admin/content/media.
  • #1344912: Added a cancel link on the import media page.
  • #1247620 by wojtha, idflood: Fixed various undefined variables which cause minor bugs and PHP notices.
  • #1335290: Fixed the media widget form should be unrestricted and not require the 'Edit media' permission.
  • #1290556: Make it explicit that MediaInternetBaseHandler child classes should implement claim method.

video_filter 7.x-3.0

2012-01-12 (Thu) 05:01
Last updated: January 11, 2012 - 20:05

Download                     Size       md5 hash
video_filter-7.x-3.0.tar.gz  20.86 KB   bc92f266d65a3e1447c34f2985c9968e
video_filter-7.x-3.0.zip     27.69 KB   cceed334a5fd40af7899d4b9dba2e7c3

Official release from tag: 7.x-3.0

Changes since beta 2:

video_filter 6.x-3.0

2012-01-12 (Thu) 05:01
Last updated: January 11, 2012 - 20:05

Download                     Size       md5 hash
video_filter-6.x-3.0.tar.gz  20.91 KB   4b0b1eab8a180774962ac71870d15ecb
video_filter-6.x-3.0.zip     28.47 KB   88be2dfb82bdc3e3acd42aafffcf6670

Official release from tag: 6.x-3.0

Changes since beta 2: