Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package drupal7

My upload includes two important security fixes plus several minor
reliability fixes, backported respectively from versions 7.33 and
7.34.

Debdiff attached, or available via anonscm:

  
https://anonscm.debian.org/cgit/collab-maint/drupal7.git/diff/?id=debian/7.32-1%2bdeb8u1&id2=debian/7.32-1

I don't know how rigorous this "pre-approval" is, but I checked this
with jmw yesterday on IRC.

Thanks!

unblock drupal7/7.32-1+deb8u1

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru drupal7-7.32/debian/changelog drupal7-7.32/debian/changelog
--- drupal7-7.32/debian/changelog       2014-10-15 11:34:54.000000000 -0500
+++ drupal7-7.32/debian/changelog       2014-11-21 13:28:18.000000000 -0600
@@ -1,3 +1,14 @@
+drupal7 (7.32-1+deb8u1) unstable; urgency=high
+
+  * Updated the VCS URL in debian/control as git.debian.org is deprecated
+  * Debian has frozen! We will start backporting the important fixes to
+    7.32
+  * Backported from 7.34: SA-CORE-2014-006 (Session hijacking CVE-2014-
+    9015, Denial of service CVE-2014-9016)
+  * Several minor reliability fixes backported from 7.33
+
+ -- Gunnar Wolf <gw...@debian.org>  Wed, 15 Oct 2014 12:45:29 -0500
+
 drupal7 (7.32-1) unstable; urgency=critical
 
   * New upstream release
diff -Nru drupal7-7.32/debian/control drupal7-7.32/debian/control
--- drupal7-7.32/debian/control 2014-10-15 11:34:54.000000000 -0500
+++ drupal7-7.32/debian/control 2014-11-21 13:28:18.000000000 -0600
@@ -6,7 +6,7 @@
 Build-Depends: debhelper (>= 7.0.50~), yui-compressor
 Homepage: http://www.drupal.org/
 Standards-Version: 3.9.6.0
-Vcs-Git: git://git.debian.org/git/collab-maint/drupal7.git
+Vcs-Git: git://anonscm.debian.org/collab-maint/drupal7.git
 Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/drupal7.git
 
 Package: drupal7
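Review bot: The new `Vcs-Git` value still uses the `git://` scheme, which gives no transport authentication or integrity protection to anyone cloning the packaging repository from this field. Since the host is being changed anyway, an `https://` URL on anonscm.debian.org would be the safer value; the exact https path should be confirmed against the host before switching. The unchanged `Vcs-Browser` line below it is plain `http://` as well.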
diff -Nru drupal7-7.32/debian/patches/ajax_throbber_align 
drupal7-7.32/debian/patches/ajax_throbber_align
--- drupal7-7.32/debian/patches/ajax_throbber_align     1969-12-31 
18:00:00.000000000 -0600
+++ drupal7-7.32/debian/patches/ajax_throbber_align     2014-11-21 
13:28:18.000000000 -0600
@@ -0,0 +1,112 @@
+Origin: vendor
+Forwarded: not-needed
+From: Gunnar Wolf <gw...@debian.org>
+Last-Update: 2014-11-21
+Description: Fixes alignment issue in the Ajax progress throbber
+ Fixed a bug which caused the Ajax progress throbber to appear misaligned in
+ many situatons (minor styling change).
+ .
+ Fixes Drupal issue #1069152
+ .
+ Backported from 7.33.
+Index: drupal7/modules/system/system.base-rtl.css
+===================================================================
+--- drupal7.orig/modules/system/system.base-rtl.css
++++ drupal7/modules/system/system.base-rtl.css
+@@ -9,10 +9,10 @@
+  */
+ /* Animated throbber */
+ html.js input.form-autocomplete {
+-  background-position: 0% 2px;
++  background-position: 0% center;
+ }
+ html.js input.throbbing {
+-  background-position: 0% -18px;
++  background-position: 0% center;
+ }
+ 
+ /**
+Index: drupal7/modules/system/system.base.css
+===================================================================
+--- drupal7.orig/modules/system/system.base.css
++++ drupal7/modules/system/system.base.css
+@@ -31,12 +31,13 @@
+ }
+ /* Animated throbber */
+ html.js input.form-autocomplete {
+-  background-image: url(../../misc/throbber.gif);
+-  background-position: 100% 2px; /* LTR */
++  background-image: url(../../misc/throbber-inactive.png);
++  background-position: 100% center; /* LTR */
+   background-repeat: no-repeat;
+ }
+ html.js input.throbbing {
+-  background-position: 100% -18px; /* LTR */
++  background-image: url(../../misc/throbber-active.gif);
++  background-position: 100% center; /* LTR */
+ }
+ 
+ /**
+@@ -164,7 +165,7 @@ table.sticky-header {
+   display: inline-block;
+ }
+ .ajax-progress .throbber {
+-  background: transparent url(../../misc/throbber.gif) no-repeat 0px -18px;
++  background: transparent url(../../misc/throbber-active.gif) no-repeat 0px 
center;
+   float: left; /* LTR */
+   height: 15px;
+   margin: 2px;
+Index: drupal7/themes/bartik/css/style.css
+===================================================================
+--- drupal7.orig/themes/bartik/css/style.css
++++ drupal7/themes/bartik/css/style.css
+@@ -1326,14 +1326,6 @@ input.form-button-disabled:active,
+   color: #717171;
+ }
+ 
+-/* Animated throbber */
+-html.js input.form-autocomplete {
+-  background-position: 100% 4px; /* LTR */
+-}
+-html.js input.throbbing {
+-  background-position: 100% -16px; /* LTR */
+-}
+-
+ /* Comment form */
+ .comment-form label {
+   float: left; /* LTR */
+Index: drupal7/themes/seven/style.css
+===================================================================
+--- drupal7.orig/themes/seven/style.css
++++ drupal7/themes/seven/style.css
+@@ -709,12 +709,7 @@ select.form-select:focus {
+   color: #000;
+   border-color: #ace;
+ }
+-html.js input.form-autocomplete {
+-  background-position: 100% 4px;
+-}
+-html.js input.throbbing {
+-  background-position: 100% -16px;
+-}
++
+ ul.action-links {
+   margin: 1em 0;
+   padding: 0 20px 0 20px; /* LTR */
+Index: drupal7/themes/bartik/css/style-rtl.css
+===================================================================
+--- drupal7.orig/themes/bartik/css/style-rtl.css
++++ drupal7/themes/bartik/css/style-rtl.css
+@@ -225,10 +225,10 @@ ul.action-links li a {
+ 
+ /* Animated throbber */
+ html.js input.form-autocomplete {
+-  background-position: 1% 4px;
++  background-position: 1% center;
+ }
+ html.js input.throbbing {
+-  background-position: 1% -16px;
++  background-position: 1% center;
+ }
+ 
+ /* Comment form */
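Review bot: The rewritten rules in system.base.css point at `misc/throbber-inactive.png` and `misc/throbber-active.gif`, but nothing visible in this debdiff adds those two images, and a text quilt patch cannot carry binary files. If they are not shipped some other way (for example via `debian/source/include-binaries`, which is not shown here), the autocomplete and Ajax throbbers would lose their background image in the patched package. It would be worth confirming the images are present in the built package before the unblock, or keeping the existing `throbber.gif` URL and backporting only what works with that sprite.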
diff -Nru drupal7-7.32/debian/patches/db_sanitize_orderby 
drupal7-7.32/debian/patches/db_sanitize_orderby
--- drupal7-7.32/debian/patches/db_sanitize_orderby     1969-12-31 
18:00:00.000000000 -0600
+++ drupal7-7.32/debian/patches/db_sanitize_orderby     2014-11-21 
13:28:18.000000000 -0600
@@ -0,0 +1,71 @@
+Origin: vendor
+Forwarded: not-needed
+From: Gunnar Wolf <gw...@debian.org>
+Last-Update: 2014-11-21
+Description: Fixes Drupal issue #829464
+ Security improvement: Made the database API's orderBy() method sanitize the
+ sort direction ("ASC" or "DESC") for queries built with db_select(), so that
+ calling code does not have to.
+ .
+ Backported from 7.33.
+Index: drupal7/includes/database/select.inc
+===================================================================
+--- drupal7.orig/includes/database/select.inc
++++ drupal7/includes/database/select.inc
+@@ -377,7 +377,8 @@ interface SelectQueryInterface extends Q
+    * @param $field
+    *   The field on which to order.
+    * @param $direction
+-   *   The direction to sort. Legal values are "ASC" and "DESC".
++   *   The direction to sort. Legal values are "ASC" and "DESC". Any other 
value
++   *   will be converted to "ASC".
+    * @return SelectQueryInterface
+    *   The called object.
+    */
+@@ -1384,6 +1385,8 @@ class SelectQuery extends Query implemen
+   }
+ 
+   public function orderBy($field, $direction = 'ASC') {
++    // Only allow ASC and DESC, default to ASC.
++    $direction = strtoupper($direction) == 'DESC' ? 'DESC' : 'ASC';
+     $this->order[$field] = $direction;
+     return $this;
+   }
+Index: drupal7/includes/tablesort.inc
+===================================================================
+--- drupal7.orig/includes/tablesort.inc
++++ drupal7/includes/tablesort.inc
+@@ -46,10 +46,9 @@ class TableSort extends SelectQueryExten
+       // Based on code from db_escape_table(), but this can also contain a 
dot.
+       $field = preg_replace('/[^A-Za-z0-9_.]+/', '', $ts['sql']);
+ 
+-      // Sort order can only be ASC or DESC.
+-      $sort = drupal_strtoupper($ts['sort']);
+-      $sort = in_array($sort, array('ASC', 'DESC')) ? $sort : '';
+-      $this->orderBy($field, $sort);
++      // orderBy() will ensure that only ASC/DESC values are accepted, so we
++      // don't need to sanitize that here.
++      $this->orderBy($field, $ts['sort']);
+     }
+     return $this;
+   }
+Index: drupal7/modules/simpletest/tests/database_test.test
+===================================================================
+--- drupal7.orig/modules/simpletest/tests/database_test.test
++++ drupal7/modules/simpletest/tests/database_test.test
+@@ -1947,6 +1947,15 @@ class DatabaseSelectOrderedTestCase exte
+ 
+     $this->assertEqual($num_records, 4, 'Returned the correct number of 
rows.');
+   }
++
++  /**
++   * Tests that the sort direction is sanitized properly.
++   */
++  function testOrderByEscaping() {
++    $query = db_select('test')->orderBy('name', 'invalid direction');
++    $order_bys = $query->getOrderBy();
++    $this->assertEqual($order_bys['name'], 'ASC', 'Invalid order by direction 
is converted to ASC.');
++  }
+ }
+ 
+ /**
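Review bot: The sanitising added to `SelectQuery::orderBy()` covers only `$direction`; `$field` is still stored as given, and the tablesort.inc hunk keeps its own `preg_replace()` on the field name, yet neither the patch description ("so that calling code does not have to") nor the updated docblock says so. I would add a sentence to the `@param $field` text such as `Only $direction is sanitized here; callers must not pass unsanitized user input as the field name.` The new test exercises only an invalid string; adding `db_select('test')->orderBy('name', 'desc')` with an assertion for `'DESC'` would pin the case-insensitive path. Note also that TableSort now sorts ascending for an unrecognised direction where it previously passed an empty string to `orderBy()`.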
diff -Nru drupal7-7.32/debian/patches/dont_lose_user_pictures 
drupal7-7.32/debian/patches/dont_lose_user_pictures
--- drupal7-7.32/debian/patches/dont_lose_user_pictures 1969-12-31 
18:00:00.000000000 -0600
+++ drupal7-7.32/debian/patches/dont_lose_user_pictures 2014-11-21 
13:28:18.000000000 -0600
@@ -0,0 +1,56 @@
+Origin: vendor
+Forwarded: not-needed
+From: Gunnar Wolf <gw...@debian.org>
+Last-Update: 2014-11-21
+Description: Avoid losing user pictures when re-saving
+ Fixed a bug which caused user pictures to be removed from the user object
+ after saving, and resulted in data loss if the user account was subsequently
+ re-saved.
+ .
+ Fixes Drupal issue #935592
+ .
+ Backported from 7.33.
+Index: drupal7/modules/user/user.module
+===================================================================
+--- drupal7.orig/modules/user/user.module
++++ drupal7/modules/user/user.module
+@@ -501,12 +501,17 @@ function user_save($account, $edit = arr
+         file_usage_delete($account->original->picture, 'user', 'user', 
$account->uid);
+         file_delete($account->original->picture);
+       }
++      // Save the picture object, if it is set. drupal_write_record() expects
++      // $account->picture to be a FID.
++      $picture = empty($account->picture) ? NULL : $account->picture;
+       $account->picture = empty($account->picture->fid) ? 0 : 
$account->picture->fid;
+ 
+       // Do not allow 'uid' to be changed.
+       $account->uid = $account->original->uid;
+       // Save changes to the user table.
+       $success = drupal_write_record('users', $account, 'uid');
++      // Restore the picture object.
++      $account->picture = $picture;
+       if ($success === FALSE) {
+         // The query failed - better to abort the save than risk further
+         // data loss.
+Index: drupal7/modules/user/user.test
+===================================================================
+--- drupal7.orig/modules/user/user.test
++++ drupal7/modules/user/user.test
+@@ -1127,6 +1127,17 @@ class UserPictureTestCase extends Drupal
+ 
+       $pic_path2 = $this->saveUserPicture($image);
+       $this->assertNotEqual($pic_path, $pic_path2, 'Filename of second 
picture is different.');
++
++      // Check if user picture has a valid file ID after saving the user.
++      $account = user_load($this->user->uid, TRUE);
++      $this->assertTrue(is_object($account->picture), 'User picture object is 
valid after user load.');
++      $this->assertNotNull($account->picture->fid, 'User picture object has a 
FID after user load.');
++      $this->assertTrue(is_file($account->picture->uri), 'File is located in 
proper directory after user load.');
++      user_save($account);
++      // Verify that the user save does not destroy the user picture object.
++      $this->assertTrue(is_object($account->picture), 'User picture object is 
valid after user save.');
++      $this->assertNotNull($account->picture->fid, 'User picture object has a 
FID after user save.');
++      $this->assertTrue(is_file($account->picture->uri), 'File is located in 
proper directory after user save.');
+     }
+   }
+ 
diff -Nru drupal7-7.32/debian/patches/fix_bootstrap_phase 
drupal7-7.32/debian/patches/fix_bootstrap_phase
--- drupal7-7.32/debian/patches/fix_bootstrap_phase     1969-12-31 
18:00:00.000000000 -0600
+++ drupal7-7.32/debian/patches/fix_bootstrap_phase     2014-11-21 
13:28:18.000000000 -0600
@@ -0,0 +1,65 @@
+Origin: vendor
+Forwarded: not-needed
+From: Gunnar Wolf <gw...@debian.org>
+Last-Update: 2014-11-21
+Description: Fixes Drupal issue #667098
+ Fixed a bug which caused drupal_get_bootstrap_phase() to abort the bootstrap
+ when called early in the page request.
+ .
+ Backported from 7.33.
+
+Index: drupal7/includes/bootstrap.inc
+===================================================================
+--- drupal7.orig/includes/bootstrap.inc
++++ drupal7/includes/bootstrap.inc
+@@ -2176,7 +2176,7 @@ function drupal_anonymous_user() {
+  *   drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
+  * @endcode
+  *
+- * @param $phase
++ * @param int $phase
+  *   A constant telling which phase to bootstrap to. When you bootstrap to a
+  *   particular phase, all earlier phases are run automatically. Possible
+  *   values:
+@@ -2189,11 +2189,11 @@ function drupal_anonymous_user() {
+  *   - DRUPAL_BOOTSTRAP_LANGUAGE: Finds out the language of the page.
+  *   - DRUPAL_BOOTSTRAP_FULL: Fully loads Drupal. Validates and fixes input
+  *     data.
+- * @param $new_phase
++ * @param boolean $new_phase
+  *   A boolean, set to FALSE if calling drupal_bootstrap from inside a
+  *   function called from drupal_bootstrap (recursion).
+  *
+- * @return
++ * @return int
+  *   The most recently completed phase.
+  */
+ function drupal_bootstrap($phase = NULL, $new_phase = TRUE) {
+@@ -2215,12 +2215,13 @@ function drupal_bootstrap($phase = NULL,
+   // bootstrap state.
+   static $stored_phase = -1;
+ 
+-  // When not recursing, store the phase name so it's not forgotten while
+-  // recursing.
+-  if ($new_phase) {
+-    $final_phase = $phase;
+-  }
+   if (isset($phase)) {
++    // When not recursing, store the phase name so it's not forgotten while
++    // recursing but take care of not going backwards.
++    if ($new_phase && $phase >= $stored_phase) {
++      $final_phase = $phase;
++    }
++
+     // Call a phase if it has not been called before and is below the 
requested
+     // phase.
+     while ($phases && $phase > $stored_phase && $final_phase > $stored_phase) 
{
+@@ -2508,7 +2509,7 @@ function _drupal_bootstrap_page_header()
+  * @see drupal_bootstrap()
+  */
+ function drupal_get_bootstrap_phase() {
+-  return drupal_bootstrap();
++  return drupal_bootstrap(NULL, FALSE);
+ }
+ 
+ /**
diff -Nru drupal7-7.32/debian/patches/fix_field_has_data_return 
drupal7-7.32/debian/patches/fix_field_has_data_return
--- drupal7-7.32/debian/patches/fix_field_has_data_return       1969-12-31 
18:00:00.000000000 -0600
+++ drupal7-7.32/debian/patches/fix_field_has_data_return       2014-11-21 
13:28:18.000000000 -0600
@@ -0,0 +1,108 @@
+Origin: vendor
+Forwarded: not-needed
+From: Gunnar Wolf <gw...@debian.org>
+Last-Update: 2014-11-21
+Description: Avoid data loss on entities with revisions due to wrong return 
code
+ Fixed a bug in which field_has_data() did not return TRUE for fields that
+ only had data in older entity revisions, leading to loss of the field's data
+ when the field configuration was edited.
+ .
+ Fixes Drupal issue #2278583
+ .
+ Backported from 7.33.
+Index: drupal7/modules/field/field.module
+===================================================================
+--- drupal7.orig/modules/field/field.module
++++ drupal7/modules/field/field.module
+@@ -947,14 +947,17 @@ function field_get_items($entity_type, $
+  */
+ function field_has_data($field) {
+   $query = new EntityFieldQuery();
+-  return (bool) $query
+-    ->fieldCondition($field)
++  $query = $query->fieldCondition($field)
+     ->range(0, 1)
+     ->count()
+     // Neutralize the 'entity_field_access' query tag added by
+     // field_sql_storage_field_storage_query(). The result cannot depend on 
the
+     // access grants of the current user.
+-    ->addTag('DANGEROUS_ACCESS_CHECK_OPT_OUT')
++    ->addTag('DANGEROUS_ACCESS_CHECK_OPT_OUT');
++
++  return (bool) $query
++    ->execute() || (bool) $query
++    ->age(FIELD_LOAD_REVISION)
+     ->execute();
+ }
+ 
+Index: drupal7/modules/field/tests/field.test
+===================================================================
+--- drupal7.orig/modules/field/tests/field.test
++++ drupal7/modules/field/tests/field.test
+@@ -485,6 +485,66 @@ class FieldAttachStorageTestCase extends
+   }
+ 
+   /**
++   * Test field_has_data().
++   */
++  function testFieldHasData() {
++    $entity_type = 'test_entity';
++    $langcode = LANGUAGE_NONE;
++
++    $field_name = 'field_1';
++    $field = array('field_name' => $field_name, 'type' => 'test_field');
++    $field = field_create_field($field);
++
++    $this->assertFalse(field_has_data($field), "No data should be detected.");
++
++    $instance = array(
++      'field_name' => $field_name,
++      'entity_type' => 'test_entity',
++      'bundle' => 'test_bundle'
++    );
++    $instance = field_create_instance($instance);
++    $table = _field_sql_storage_tablename($field);
++    $revision_table = _field_sql_storage_revision_tablename($field);
++
++    $columns = array('entity_type', 'entity_id', 'revision_id', 'delta', 
'language', $field_name . '_value');
++
++    $eid = 0;
++
++    // Insert values into the field revision table.
++    $query = db_insert($revision_table)->fields($columns);
++    $query->values(array($entity_type, $eid, 0, 0, $langcode, 1));
++    $query->execute();
++
++    $this->assertTrue(field_has_data($field), "Revision data only should be 
detected.");
++
++    $field_name = 'field_2';
++    $field = array('field_name' => $field_name, 'type' => 'test_field');
++    $field = field_create_field($field);
++
++    $this->assertFalse(field_has_data($field), "No data should be detected.");
++
++    $instance = array(
++      'field_name' => $field_name,
++      'entity_type' => 'test_entity',
++      'bundle' => 'test_bundle'
++    );
++    $instance = field_create_instance($instance);
++    $table = _field_sql_storage_tablename($field);
++    $revision_table = _field_sql_storage_revision_tablename($field);
++
++    $columns = array('entity_type', 'entity_id', 'revision_id', 'delta', 
'language', $field_name . '_value');
++
++    $eid = 1;
++
++    // Insert values into the field table.
++    $query = db_insert($table)->fields($columns);
++    $query->values(array($entity_type, $eid, 0, 0, $langcode, 1));
++    $query->execute();
++
++    $this->assertTrue(field_has_data($field), "Values only in field table 
should be detected.");
++  }
++
++  /**
+    * Test field_attach_delete().
+    */
+   function testFieldAttachDelete() {
diff -Nru drupal7-7.32/debian/patches/SA-CORE-2014-006 
drupal7-7.32/debian/patches/SA-CORE-2014-006
--- drupal7-7.32/debian/patches/SA-CORE-2014-006        1969-12-31 
18:00:00.000000000 -0600
+++ drupal7-7.32/debian/patches/SA-CORE-2014-006        2014-11-21 
13:28:18.000000000 -0600
@@ -0,0 +1,79 @@
+Origin: vendor
+Forwarded: not-needed
+From: Gunnar Wolf <gw...@debian.org>
+Last-Update: 2014-11-21
+Description: Fixes SA-CORE-2014-006 (Session hijacking, Denial of service)
+ Backporting the diff between versions 7.33 and 7.34, applying it to
+ the currently frozen version (7.32). For further details, the
+ advisory is in:
+ .
+ http://drupal.org/SA-CORE-2014-006
+ This fix coves CVE-2014-9015 and CVE-2014-9016.
+
+Index: drupal7/includes/password.inc
+===================================================================
+--- drupal7.orig/includes/password.inc
++++ drupal7/includes/password.inc
+@@ -140,7 +140,7 @@ function _password_enforce_log2_boundari
+  * @param $algo
+  *   The string name of a hashing algorithm usable by hash(), like 'sha256'.
+  * @param $password
+- *   The plain-text password to hash.
++ *   Plain-text password up to 512 bytes (128 to 512 UTF-8 characters) to 
hash.
+  * @param $setting
+  *   An existing hash or the output of _password_generate_salt().  Must be
+  *   at least 12 characters (the settings and salt).
+@@ -150,6 +150,10 @@ function _password_enforce_log2_boundari
+  *   The return string will be truncated at DRUPAL_HASH_LENGTH characters max.
+  */
+ function _password_crypt($algo, $password, $setting) {
++  // Prevent DoS attacks by refusing to hash large passwords.
++  if (strlen($password) > 512) {
++    return FALSE;
++  }
+   // The first 12 characters of an existing hash are its setting string.
+   $setting = substr($setting, 0, 12);
+ 
+Index: drupal7/includes/session.inc
+===================================================================
+--- drupal7.orig/includes/session.inc
++++ drupal7/includes/session.inc
+@@ -79,7 +79,7 @@ function _drupal_session_read($sid) {
+   // Handle the case of first time visitors and clients that don't store
+   // cookies (eg. web crawlers).
+   $insecure_session_name = substr(session_name(), 1);
+-  if (!isset($_COOKIE[session_name()]) && 
!isset($_COOKIE[$insecure_session_name])) {
++  if (empty($sid) || (!isset($_COOKIE[session_name()]) && 
!isset($_COOKIE[$insecure_session_name]))) {
+     $user = drupal_anonymous_user();
+     return '';
+   }
+Index: drupal7/modules/simpletest/tests/password.test
+===================================================================
+--- drupal7.orig/modules/simpletest/tests/password.test
++++ drupal7/modules/simpletest/tests/password.test
+@@ -57,4 +57,25 @@ class PasswordHashingTest extends Drupal
+     $this->assertFalse(user_needs_new_hash($account), 'Re-hashed password 
does not need a new hash.');
+     $this->assertTrue(user_check_password($password, $account), 'Password 
check succeeds with re-hashed password.');
+   }
++
++  /**
++   * Verifies that passwords longer than 512 bytes are not hashed.
++   */
++  public function testLongPassword() {
++    $password = str_repeat('x', 512);
++    $result = user_hash_password($password);
++    $this->assertFalse(empty($result), '512 byte long password is allowed.');
++    $password = str_repeat('x', 513);
++    $result = user_hash_password($password);
++    $this->assertFalse($result, '513 byte long password is not allowed.');
++    // Check a string of 3-byte UTF-8 characters.
++    $password = str_repeat('€', 170);
++    $result = user_hash_password($password);
++    $this->assertFalse(empty($result), '510 byte long password is allowed.');
++    $password .= 'xx';
++    $this->assertFalse(empty($result), '512 byte long password is allowed.');
++    $password = str_repeat('€', 171);
++    $result = user_hash_password($password);
++    $this->assertFalse($result, '513 byte long password is not allowed.');
++  }
+ }
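Review bot: In `testLongPassword()` the mixed-width 512-byte case is never hashed: after `$password .= 'xx';` the next assertion re-checks the `$result` left over from the 510-byte call, so the boundary for multi-byte input goes untested. Adding `$result = user_hash_password($password);` directly after the append makes the assertion test what its message says. Separately, `_password_crypt()` now returns `FALSE` for input over 512 bytes; its body and its callers are outside this hunk, so it should be confirmed that every caller treats `FALSE` as a failed hash or failed check and never stores or compares it as a hash value.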
diff -Nru drupal7-7.32/debian/patches/series drupal7-7.32/debian/patches/series
--- drupal7-7.32/debian/patches/series  2014-10-15 11:34:54.000000000 -0500
+++ drupal7-7.32/debian/patches/series  2014-11-21 13:28:18.000000000 -0600
@@ -1,2 +1,9 @@
 cronjob.patch
 debian_security_warning
+SA-CORE-2014-006
+fix_bootstrap_phase
+unicode_for_php_5.6
+db_sanitize_orderby
+ajax_throbber_align
+fix_field_has_data_return
+dont_lose_user_pictures
diff -Nru drupal7-7.32/debian/patches/unicode_for_php_5.6 
drupal7-7.32/debian/patches/unicode_for_php_5.6
--- drupal7-7.32/debian/patches/unicode_for_php_5.6     1969-12-31 
18:00:00.000000000 -0600
+++ drupal7-7.32/debian/patches/unicode_for_php_5.6     2014-11-21 
13:28:18.000000000 -0600
@@ -0,0 +1,34 @@
+Origin: vendor
+Forwarded: not-needed
+From: Gunnar Wolf <gw...@debian.org>
+Last-Update: 2014-11-21
+Description: Fixes Drupal issue #2332295
+ Fixed a bug in the Unicode requirements check which prevented installing 
Drupal on PHP 5.6.
+ .
+ Backported from 7.33.
+
+Index: drupal7/includes/unicode.inc
+===================================================================
+--- drupal7.orig/includes/unicode.inc
++++ drupal7/includes/unicode.inc
+@@ -116,11 +116,15 @@ function _unicode_check() {
+   if (ini_get('mbstring.encoding_translation') != 0) {
+     return array(UNICODE_ERROR, $t('Multibyte string input conversion in PHP 
is active and must be disabled. Check the php.ini 
<em>mbstring.encoding_translation</em> setting. Please refer to the <a 
href="@url">PHP mbstring documentation</a> for more information.', array('@url' 
=> 'http://www.php.net/mbstring')));
+   }
+-  if (ini_get('mbstring.http_input') != 'pass') {
+-    return array(UNICODE_ERROR, $t('Multibyte string input conversion in PHP 
is active and must be disabled. Check the php.ini <em>mbstring.http_input</em> 
setting. Please refer to the <a href="@url">PHP mbstring documentation</a> for 
more information.', array('@url' => 'http://www.php.net/mbstring')));
+-  }
+-  if (ini_get('mbstring.http_output') != 'pass') {
+-    return array(UNICODE_ERROR, $t('Multibyte string output conversion in PHP 
is active and must be disabled. Check the php.ini <em>mbstring.http_output</em> 
setting. Please refer to the <a href="@url">PHP mbstring documentation</a> for 
more information.', array('@url' => 'http://www.php.net/mbstring')));
++  // mbstring.http_input and mbstring.http_output are deprecated and empty by
++  // default in PHP 5.6.
++  if (version_compare(PHP_VERSION, '5.6.0') == -1) {
++    if (ini_get('mbstring.http_input') != 'pass') {
++      return array(UNICODE_ERROR, $t('Multibyte string input conversion in 
PHP is active and must be disabled. Check the php.ini 
<em>mbstring.http_input</em> setting. Please refer to the <a href="@url">PHP 
mbstring documentation</a> for more information.', array('@url' => 
'http://www.php.net/mbstring')));
++    }
++    if (ini_get('mbstring.http_output') != 'pass') {
++      return array(UNICODE_ERROR, $t('Multibyte string output conversion in 
PHP is active and must be disabled. Check the php.ini 
<em>mbstring.http_output</em> setting. Please refer to the <a href="@url">PHP 
mbstring documentation</a> for more information.', array('@url' => 
'http://www.php.net/mbstring')));
++    }
+   }
+ 
+   // Set appropriate configuration
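Review bot: On PHP 5.6 and later the `mbstring.http_input` and `mbstring.http_output` checks are now skipped altogether, so a php.ini that explicitly enables conversion through those settings would no longer be reported by `_unicode_check()`. If that matters, the checks could stay active and also accept the new empty default, e.g. `!in_array(ini_get('mbstring.http_input'), array('pass', ''))`; whether an empty value is always equivalent to `pass` on 5.6 should be confirmed first. As a style point, `version_compare(PHP_VERSION, '5.6.0', '<')` reads more clearly than comparing the return value with `-1`. The function continues outside the hunk.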
