diff -Naur drupal-5.2/.htaccess drupal-5.23/.htaccess
--- drupal-5.2/.htaccess	2007-05-21 03:34:59.000000000 +0200
+++ drupal-5.23/.htaccess	2009-02-26 08:03:29.000000000 +0100
@@ -3,7 +3,7 @@
 #
 
 # Protect files and directories from prying eyes.
-<FilesMatch "(\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)|code-style\.pl|Entries.*|Repository|Root|Tag|Template)$">
+<FilesMatch "\.(engine|inc|info|install|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$">
   Order allow,deny
 </FilesMatch>
 
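Review bot: The comment above the `<FilesMatch>` line still says only "prying eyes", while the new pattern has two differently anchored groups (extensions at the end of the name, and exact file names), with nothing saying which entries are Drupal code and which are version-control metadata. A comment such as `# First group: Drupal code/data extensions and Subversion .svn-base copies; second group: exact CVS and Subversion metadata file names.` would let an administrator audit the list before adding to it. The block denies every match only because `Order allow,deny` is followed by no `Allow` line, which is worth stating in the same comment.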
@@ -13,9 +13,14 @@
 # Follow symbolic links in this directory.
 Options +FollowSymLinks
 
-# Customized error messages.
+# Make Drupal handle any 404 errors.
 ErrorDocument 404 /index.php
 
+# Force simple error message for requests for non-existent favicon.ico.
+<Files favicon.ico>
+  ErrorDocument 404 "The requested file favicon.ico was not found.
+</Files>
+
 # Set the default handler.
 DirectoryIndex index.php
 
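Review bot: The `ErrorDocument 404 "The requested file favicon.ico was not found.` line inside `<Files favicon.ico>` has an opening double quote and no closing one, which reads as a typo and invites a later "fix". If the unmatched quote is deliberate (it is the Apache 1.3 way of marking a literal message), say so directly above the directive, for example `# There is no end quote below, for compatibility with Apache 1.3.`.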
@@ -78,13 +83,19 @@
   #
   # To redirect all users to access the site WITHOUT the 'www.' prefix,
   # (http://www.example.com/... will be redirected to http://example.com/...)
-  # adapt and uncomment the following:
+  # uncomment and adapt the following:
   # RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
   # RewriteRule ^(.*)$ http://example.com/$1 [L,R=301]
 
-  # Modify the RewriteBase if you are using Drupal in a subdirectory and
-  # the rewrite rules are not working properly.
-  #RewriteBase /drupal
+  # Modify the RewriteBase if you are using Drupal in a subdirectory or in a
+  # VirtualDocumentRoot and the rewrite rules are not working properly.
+  # For example if your site is at http://example.com/drupal uncomment and
+  # modify the following line:
+  # RewriteBase /drupal
+  #
+  # If your site is running in a VirtualDocumentRoot at http://example.com/,
+  # uncomment the following line:
+  # RewriteBase /
 
   # Rewrite old-style URLs of the form 'node.php?id=x'.
   #RewriteCond %{REQUEST_FILENAME} !-f
@@ -98,10 +109,11 @@
   #RewriteCond %{QUERY_STRING} ^mod=([^&]+)$
   #RewriteRule module.php index.php?q=%1 [L]
 
-  # Rewrite current-style URLs of the form 'index.php?q=x'.
+  # Rewrite current-style URLs of the form 'x' to the form 'index.php?q=x'.
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteCond %{REQUEST_FILENAME} !-d
+  RewriteCond %{REQUEST_URI} !=/favicon.ico
   RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
 </IfModule>
 
-# $Id: .htaccess,v 1.81.2.2 2007/05/21 01:34:59 drumm Exp $
+# $Id: .htaccess,v 1.81.2.6 2009/02/26 07:03:29 drumm Exp $
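Review bot: The added `RewriteCond %{REQUEST_URI} !=/favicon.ico` is an exact string comparison against the root path, so a site installed in a subdirectory (the `RewriteBase /drupal` case this same file documents) still has `/drupal/favicon.ico` rewritten to `index.php`. Each missing-icon request there still costs a Drupal bootstrap. If subdirectory installs should be covered, a suffix match such as `RewriteCond %{REQUEST_URI} !/favicon\.ico$` would do it; otherwise the comment on the rewrite block should say the exclusion applies only at the web root.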
diff -Naur drupal-5.2/CHANGELOG.txt drupal-5.23/CHANGELOG.txt
--- drupal-5.2/CHANGELOG.txt	2007-07-26 21:16:45.000000000 +0200
+++ drupal-5.23/CHANGELOG.txt	2010-08-11 22:37:49.000000000 +0200
@@ -1,4 +1,124 @@
-// $Id: CHANGELOG.txt,v 1.173.2.8 2007/07/26 19:16:45 drumm Exp $
+// $Id: CHANGELOG.txt,v 1.173.2.50 2010/08/11 20:37:49 drumm Exp $
+
+Drupal 5.23, 2010-08-11
+-----------------------
+- Fixed security issues (File download access bypass, Comment unpublishing
+  bypass), see SA-CORE-2010-002.
+
+Drupal 5.22, 2010-03-03
+-----------------------
+- Fixed security issues (Open redirection, Locale module cross site scripting,
+  Blocked user session regeneration), see SA-CORE-2010-001.
+
+Drupal 5.21, 2009-12-16
+-----------------------
+- Fixed a security issue (Cross site scripting), see SA-CORE-2009-009.
+- Fixed a variety of small bugs.
+
+Drupal 5.20, 2009-09-16
+-----------------------
+- Avoid security problems resulting from writing Drupal 6-style menu
+  declarations.
+- Fixed security issues (session fixation), see SA-CORE-2009-008.
+- Fixed a variety of small bugs.
+
+Drupal 5.19, 2009-07-01
+-----------------------
+- Fixed security issues (Cross site scripting and Password leakage in URL), see
+  SA-CORE-2009-007.          
+- Fixed a variety of small bugs.
+
+Drupal 5.18, 2009-05-13
+-----------------------
+- Fixed security issues (Cross site scripting), see SA-CORE-2009-006.
+- Fixed a variety of small bugs.
+
+Drupal 5.17, 2009-04-29
+-----------------------
+- Fixed security issues (Cross site scripting and limited information
+  disclosure) see SA-CORE-2009-005.
+- Fixed a variety of small bugs.
+
+Drupal 5.16, 2009-02-25
+-----------------------
+- Fixed a security issue, (Local file inclusion on Windows), see SA-CORE-2009-004.
+- Fixed a variety of small bugs.
+
+Drupal 5.15, 2009-01-14
+-----------------------
+- Fixed security issues, (Hardening against SQL injection), see
+  SA-CORE-2009-001
+- Fixed HTTP_HOST checking to work again with HTTP 1.0 clients and basic shell
+  scripts.
+- Fixed a variety of small bugs.
+
+Drupal 5.14, 2008-12-11
+-----------------------
+- removed a previous change incompatible with PHP 5.1.x and lower.
+
+Drupal 5.13, 2008-12-10
+-----------------------
+- fixed a variety of small bugs.
+- fixed security issues, (Cross site request forgery and Cross site scripting), see SA-2008-073
+- updated robots.txt and .htaccess to match current file use.
+
+Drupal 5.12, 2008-10-22
+-----------------------
+- fixed security issues, (File inclusion), see SA-2008-067
+
+Drupal 5.11, 2008-10-08
+-----------------------
+- fixed a variety of small bugs.
+- fixed security issues, (File upload access bypass, Access rules bypass,
+  BlogAPI access bypass, Node validation bypass), see SA-2008-060
+
+Drupal 5.10, 2008-08-13
+-----------------------
+- fixed a variety of small bugs.
+- fixed security issues, (Cross site scripting, Arbitrary file uploads via
+  BlogAPI and Cross site request forgery), see SA-2008-047
+
+Drupal 5.9, 2008-07-23
+----------------------
+- fixed a variety of small bugs.
+- fixed security issues, (Session fixation), see SA-2008-046
+
+Drupal 5.8, 2008-07-09
+----------------------
+- fixed a variety of small bugs.
+- fixed security issues, (Cross site scripting, cross site request forgery, and
+  session fixation), see SA-2008-044
+
+Drupal 5.7, 2008-01-28
+----------------------
+- fixed the input format configuration page.
+- fixed a variety of small bugs.
+
+Drupal 5.6, 2008-01-10
+----------------------
+- fixed a variety of small bugs.
+- fixed a security issue (Cross site request forgery), see SA-2008-005
+- fixed a security issue (Cross site scripting, UTF8), see SA-2008-006
+- fixed a security issue (Cross site scripting, register_globals), see SA-2008-007
+
+Drupal 5.5, 2007-12-06
+----------------------
+- fixed missing missing brackets in a query in the user module.
+- fixed taxonomy feed bug introduced by SA-2007-031
+
+Drupal 5.4, 2007-12-05
+----------------------
+- fixed a variety of small bugs.
+- fixed a security issue (SQL injection), see SA-2007-031
+
+Drupal 5.3, 2007-10-17
+----------------------
+- fixed a variety of small bugs.
+- fixed a security issue (HTTP response splitting), see SA-2007-024
+- fixed a security issue (Arbitrary code execution via installer), see SA-2007-025
+- fixed a security issue (Cross site scripting via uploads), see SA-2007-026
+- fixed a security issue (User deletion cross site request forgery), see SA-2007-029
+- fixed a security issue (API handling of unpublished comment), see SA-2007-030
 
 Drupal 5.2, 2007-07-26
 ----------------------
@@ -89,6 +209,26 @@
     * added nested lists generation.
     * added a self-clearing block class.
 
+Drupal 4.7.11, 2008-01-10
+-------------------------
+- fixed a security issue (Cross site request forgery), see SA-2008-005
+- fixed a security issue (Cross site scripting, UTF8), see SA-2008-006
+- fixed a security issue (Cross site scripting, register_globals), see SA-2008-007
+
+Drupal 4.7.10, 2007-12-06
+-------------------------
+- fixed taxonomy feed bug introduced by SA-2007-031
+
+Drupal 4.7.9, 2007-12-05
+------------------------
+- fixed a security issue (SQL injection), see SA-2007-031
+
+Drupal 4.7.8, 2007-10-17
+------------------------
+- fixed a security issue (HTTP response splitting), see SA-2007-024
+- fixed a security issue (Cross site scripting via uploads), see SA-2007-026
+- fixed a security issue (API handling of unpublished comment), see SA-2007-030
+
 Drupal 4.7.7, 2007-07-26
 ------------------------
 - fixed security issue (XSS), see SA-2007-018
diff -Naur drupal-5.2/INSTALL.txt drupal-5.23/INSTALL.txt
--- drupal-5.2/INSTALL.txt	2007-07-26 07:29:58.000000000 +0200
+++ drupal-5.23/INSTALL.txt	2008-01-10 23:14:24.000000000 +0100
@@ -1,4 +1,4 @@
-// $Id: INSTALL.txt,v 1.39.2.2 2007/07/26 05:29:58 drumm Exp $
+// $Id: INSTALL.txt,v 1.39.2.3 2008/01/10 22:14:24 drumm Exp $
 
 CONTENTS OF THIS FILE
 ---------------------
@@ -22,7 +22,7 @@
 REQUIREMENTS
 ------------
 
-Drupal requires a web server, PHP4 (4.3.3 or greater) or PHP5
+Drupal requires a web server, PHP4 (4.3.5 or greater) or PHP5
 (http://www.php.net/) and either MySQL (http://www.mysql.com/) or PostgreSQL
 (http://www.postgresql.org/). The Apache web server and MySQL database are
 recommended; other web server and database combinations such as IIS and
diff -Naur drupal-5.2/LICENSE.txt drupal-5.23/LICENSE.txt
--- drupal-5.2/LICENSE.txt	2006-07-09 13:33:06.000000000 +0200
+++ drupal-5.23/LICENSE.txt	2009-01-14 06:56:37.000000000 +0100
@@ -1,14 +1,13 @@
-// $Id: LICENSE.txt,v 1.5 2006/07/09 11:33:06 dries Exp $
+// $Id: LICENSE.txt,v 1.5.2.1 2009/01/14 05:56:37 drumm Exp $
+		    GNU GENERAL PUBLIC LICENSE
+		       Version 2, June 1991
 
-        GNU GENERAL PUBLIC LICENSE
-           Version 2, June 1991
-
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
- 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 
-          Preamble
+			    Preamble
 
   The licenses for most software are designed to take away your
 freedom to share and change it.  By contrast, the GNU General Public
@@ -58,7 +57,7 @@
   The precise terms and conditions for copying, distribution and
 modification follow.
 
-        GNU GENERAL PUBLIC LICENSE
+		    GNU GENERAL PUBLIC LICENSE
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
 
   0. This License applies to any program or other work which contains
@@ -257,7 +256,7 @@
 of preserving the free status of all derivatives of our free software and
 of promoting the sharing and reuse of software generally.
 
-          NO WARRANTY
+			    NO WARRANTY
 
   11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
 FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
@@ -279,9 +278,9 @@
 PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGES.
 
-         END OF TERMS AND CONDITIONS
+		     END OF TERMS AND CONDITIONS
 
-      How to Apply These Terms to Your New Programs
+	    How to Apply These Terms to Your New Programs
 
   If you develop a new program, and you want it to be of the greatest
 possible use to the public, the best way to achieve this is to make it
@@ -305,10 +304,9 @@
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     GNU General Public License for more details.
 
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
-
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 
 Also add information on how to contact you by electronic and paper mail.
 
diff -Naur drupal-5.2/includes/bootstrap.inc drupal-5.23/includes/bootstrap.inc
--- drupal-5.2/includes/bootstrap.inc	2007-07-26 21:16:45.000000000 +0200
+++ drupal-5.23/includes/bootstrap.inc	2009-04-30 02:13:48.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: bootstrap.inc,v 1.145.2.6 2007/07/26 19:16:45 drumm Exp $
+// $Id: bootstrap.inc,v 1.145.2.14 2009/04/30 00:13:48 drumm Exp $
 
 /**
  * @file
@@ -230,6 +230,20 @@
 }
 
 /**
+ * Validate that a hostname (for example $_SERVER['HTTP_HOST']) is safe.
+ *
+ * As $_SERVER['HTTP_HOST'] is user input, ensure it only contains characters
+ * allowed in hostnames.  See RFC 952 (and RFC 2181). $_SERVER['HTTP_HOST'] is
+ * lowercased.
+ *
+ * @return
+ *  TRUE if only containing valid characters, or FALSE otherwise.
+ */
+function drupal_valid_http_host($host) {
+  return preg_match('/^\[?(?:[a-z0-9-:\]_]+\.?)+$/', $host);
+}
+
+/**
  * Loads the configuration and sets the base URL, cookie domain, and
  * session name correctly.
  */
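Review bot: `drupal_valid_http_host()` applies a pattern with a quantified group around a quantified character class, `(?:[a-z0-9-:\]_]+\.?)+`, to a request header of unbounded length, so a long non-matching Host value can cost a lot of backtracking before the request is rejected. Bounding the input before the regex keeps the check cheap, for example `return strlen($host) <= 1000 && preg_match('/^\[?(?:[a-z0-9-:\]_]+\.?)+$/', $host);` (the limit is a suggested value). The docblock also lacks an `@param $host` entry, and the function returns preg_match()'s 1/0/FALSE rather than the TRUE/FALSE it documents.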
@@ -240,6 +254,23 @@
   global $db_url, $db_prefix, $cookie_domain, $conf, $installed_profile;
   $conf = array();
 
+  if (isset($_SERVER['HTTP_HOST'])) {
+    // As HTTP_HOST is user input, ensure it only contains characters allowed
+    // in hostnames. See RFC 952 (and RFC 2181).
+    // $_SERVER['HTTP_HOST'] is lowercased here per specifications.
+    $_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']);
+    if (!drupal_valid_http_host($_SERVER['HTTP_HOST'])) {
+      // HTTP_HOST is invalid, e.g. if containing slashes it may be an attack.
+      header('HTTP/1.1 400 Bad Request');
+      exit;
+    }
+  }
+  else {
+    // Some pre-HTTP/1.1 clients will not send a Host header. Ensure the key is
+    // defined for E_ALL compliance.
+    $_SERVER['HTTP_HOST'] = '';
+  }
+
   include_once './'. conf_path() .'/settings.php';
 
   if (isset($base_url)) {
@@ -256,9 +287,7 @@
     // Create base URL
     $base_root = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 'https' : 'http';
 
-    // As $_SERVER['HTTP_HOST'] is user input, ensure it only contains
-    // characters allowed in hostnames.
-    $base_url = $base_root .= '://'. preg_replace('/[^a-z0-9-:._]/i', '', $_SERVER['HTTP_HOST']);
+    $base_url = $base_root .= '://'. $_SERVER['HTTP_HOST'];
 
     // $_SERVER['SCRIPT_NAME'] can, in contrast to $_SERVER['PHP_SELF'], not
     // be modified by a visitor.
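Review bot: With the `preg_replace()` gone, `$base_url` is built straight from `$_SERVER['HTTP_HOST']`, and the validation added earlier only constrains which characters the header may contain, not which host it names. Any syntactically valid Host value a client sends therefore ends up in `$base_url`, and in whatever absolute links are later built from it, unless settings.php sets `$base_url` itself. A comment here would make that dependency visible, e.g. `// HTTP_HOST has only been checked for valid characters; set $base_url in settings.php to pin the site's host name.` The enclosing function starts and ends outside this hunk.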
@@ -290,6 +319,15 @@
       $cookie_domain = check_plain($_SERVER['HTTP_HOST']);
     }
   }
+  // To prevent session cookies from being hijacked, a user can configure the
+  // SSL version of their website to only transfer session cookies via SSL by
+  // using PHP's session.cookie_secure setting. The browser will then use two
+  // separate session cookies for the HTTPS and HTTP versions of the site. So we
+  // must use different session identifiers for HTTPS and HTTP to prevent a
+  // cookie collision.
+  if (ini_get('session.cookie_secure')) {
+    $session_name .= 'SSL';
+  }
   // Strip leading periods, www., and port numbers from cookie domain.
   $cookie_domain = ltrim($cookie_domain, '.');
   if (strpos($cookie_domain, 'www.') === 0) {
@@ -558,7 +596,7 @@
     header('HTTP/1.1 304 Not Modified');
     // All 304 responses must send an etag if the 200 response for the same object contained an etag
     header("Etag: $etag");
-    exit();
+    return;
   }
 
   // Send appropriate response:
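Review bot: Replacing `exit()` with `return` after the 304 headers makes the caller responsible for ending the request, and nothing in the code says so. The callers are outside this hunk; if any of them goes on to print output, a body would follow a 304 response. A comment at the return, such as `// The caller must end the request; no body may follow a 304.`, or an `@return` note in the function's docblock, would record the contract.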
@@ -626,9 +664,48 @@
 
 /**
  * Encode special characters in a plain-text string for display as HTML.
+ *
+ * Uses drupal_validate_utf8 to prevent cross site scripting attacks on
+ * Internet Explorer 6.
  */
 function check_plain($text) {
-  return htmlspecialchars($text, ENT_QUOTES);
+  return drupal_validate_utf8($text) ? htmlspecialchars($text, ENT_QUOTES) : '';
+}
+
+/**
+ * Checks whether a string is valid UTF-8.
+ *
+ * All functions designed to filter input should use drupal_validate_utf8
+ * to ensure they operate on valid UTF-8 strings to prevent bypass of the
+ * filter.
+ *
+ * When text containing an invalid UTF-8 lead byte (0xC0 - 0xFF) is presented
+ * as UTF-8 to Internet Explorer 6, the program may misinterpret subsequent
+ * bytes. When these subsequent bytes are HTML control characters such as
+ * quotes or angle brackets, parts of the text that were deemed safe by filters
+ * end up in locations that are potentially unsafe; An onerror attribute that
+ * is outside of a tag, and thus deemed safe by a filter, can be interpreted
+ * by the browser as if it were inside the tag.
+ *
+ * This function exploits preg_match behaviour (since PHP 4.3.5) when used
+ * with the u modifier, as a fast way to find invalid UTF-8. When the matched
+ * string contains an invalid byte sequence, it will fail silently.
+ *
+ * preg_match may not fail on 4 and 5 octet sequences, even though they
+ * are not supported by the specification.
+ *
+ * The specific preg_match behaviour is present since PHP 4.3.5.
+ *
+ * @param $text
+ *   The text to check.
+ * @return
+ *   TRUE if the text is valid UTF-8, FALSE if not.
+ */
+function drupal_validate_utf8($text) {
+  if (strlen($text) == 0) {
+    return TRUE;
+  }
+  return (preg_match('/^./us', $text) == 1);
 }
 
 /**
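Review bot: `check_plain()` now returns an empty string whenever `drupal_validate_utf8()` rejects the input, but its docblock has no `@param` or `@return` and does not mention that outcome, so a caller cannot tell empty input from input discarded as invalid UTF-8. Add `@param $text  The text to be checked or processed.` and `@return  An HTML safe version of $text, or an empty string if $text is not valid UTF-8.`. In the `drupal_validate_utf8()` docblock the sentence about PHP 4.3.5 appears twice and one copy can go. Since the docblock itself says some over-long sequences may pass, the `@return` line should say the result is TRUE when preg_match() accepts the text, not that the text is strictly valid.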
@@ -648,6 +725,8 @@
       $uri = $_SERVER['SCRIPT_NAME'] .'?'. $_SERVER['QUERY_STRING'];
     }
   }
+  // Prevent multiple slashes to avoid cross site requests via the FAPI.
+  $uri = '/'. ltrim($uri, '/');
 
   return $uri;
 }
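Review bot: The comment `// Prevent multiple slashes to avoid cross site requests via the FAPI.` does not say why several leading slashes matter, so the `ltrim()` looks removable to a later maintainer. Presumably the concern is that a URI beginning with `//` is read by browsers as a reference to another host when it is used as a form action. Spelling that out protects the line, e.g. `// A leading '//' would be treated as a protocol-relative URL when used as a form action, so collapse leading slashes to one.` The function body begins outside this hunk.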
@@ -818,11 +897,9 @@
 function drupal_bootstrap($phase) {
   static $phases = array(DRUPAL_BOOTSTRAP_CONFIGURATION, DRUPAL_BOOTSTRAP_EARLY_PAGE_CACHE, DRUPAL_BOOTSTRAP_DATABASE, DRUPAL_BOOTSTRAP_ACCESS, DRUPAL_BOOTSTRAP_SESSION, DRUPAL_BOOTSTRAP_LATE_PAGE_CACHE, DRUPAL_BOOTSTRAP_PATH, DRUPAL_BOOTSTRAP_FULL);
 
-  while (!is_null($current_phase = array_shift($phases))) {
+  while (!empty($phases) && $phase >= $phases[0]) {
+    $current_phase = array_shift($phases);
     _drupal_bootstrap($current_phase);
-    if ($phase == $current_phase) {
-      return;
-    }
   }
 }
 
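Review bot: The new loop condition `$phase >= $phases[0]` only works if the `DRUPAL_BOOTSTRAP_*` constants are integers that increase in the order listed in `$phases`; their definitions are outside this hunk and nothing here states the assumption. Because `$phases` is static, the loop also does nothing when a phase at or below one already run is requested, which is the point of the change but is not documented. A docblock line such as `Phases run in ascending order and each at most once per request; requesting an earlier phase is a no-op.` would cover both. `$current_phase` is now used once and could be dropped: `_drupal_bootstrap(array_shift($phases));`.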
diff -Naur drupal-5.2/includes/cache.inc drupal-5.23/includes/cache.inc
--- drupal-5.2/includes/cache.inc	2007-06-27 05:35:48.000000000 +0200
+++ drupal-5.23/includes/cache.inc	2009-07-10 07:41:24.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: cache.inc,v 1.5.2.4 2007/06/27 03:35:48 drumm Exp $
+// $Id: cache.inc,v 1.5.2.6 2009/07/10 05:41:24 drumm Exp $
 
 /**
  * Return data from the persistent cache.
@@ -14,11 +14,12 @@
   global $user;
 
   // Garbage collection necessary when enforcing a minimum cache lifetime
-  $cache_flush = variable_get('cache_flush', 0);
+  $cache_flush = variable_get('cache_flush_'. $table, 0);
   if ($cache_flush && ($cache_flush + variable_get('cache_lifetime', 0) <= time())) {
+    // Reset the variable immediately to prevent a meltdown in heavy load situations.
+    variable_set('cache_flush_'. $table, 0);
     // Time to flush old cache data
     db_query("DELETE FROM {". $table ."} WHERE expire != %d AND expire <= %d", CACHE_PERMANENT, $cache_flush);
-    variable_set('cache_flush', 0);
   }
 
   $cache = db_fetch_object(db_query("SELECT data, created, headers, expire FROM {". $table ."} WHERE cid = '%s'", $key));
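Review bot: Moving `variable_set('cache_flush_'. $table, 0)` ahead of the `DELETE` shortens the window in which concurrent requests start the same flush, but the `variable_get()` read and the reset are still two separate steps, so several requests can pass the `if` before the first reset lands. The comment `// Reset the variable immediately to prevent a meltdown in heavy load situations.` overstates this; `// Reset the timer first so that fewer concurrent requests repeat the DELETE.` is closer to what the code guarantees. A real guarantee would need a lock or an atomic conditional update, neither of which is visible in this hunk.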
@@ -133,16 +134,16 @@
       // cached data that was cached before the timestamp.
       $user->cache = time();
 
-      $cache_flush = variable_get('cache_flush', 0);
+      $cache_flush = variable_get('cache_flush_'. $table, 0);
       if ($cache_flush == 0) {
         // This is the first request to clear the cache, start a timer.
-        variable_set('cache_flush', time());
+        variable_set('cache_flush_'. $table, time());
       }
       else if (time() > ($cache_flush + variable_get('cache_lifetime', 0))) {
-        // Clear the cache for everyone, cache_flush_delay seconds have
+        // Clear the cache for everyone, cache_lifetime seconds have
         // passed since the first request to clear the cache.
         db_query("DELETE FROM {". $table. "} WHERE expire != %d AND expire < %d", CACHE_PERMANENT, time());
-        variable_set('cache_flush', 0);
+        variable_set('cache_flush_'. $table, 0);
       }
     }
     else {
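Review bot: The flush timer moves from the single `cache_flush` variable to `'cache_flush_'. $table`, and nothing in this hunk removes or migrates the old value. On an upgraded site a timer already stored under `cache_flush` would never be read again and its row would stay in the variable table, unless an update function outside this view deletes it. If none exists, a one-line `variable_del('cache_flush');` in an update hook would clean it up. The enclosing function starts before and continues after this hunk.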
diff -Naur drupal-5.2/includes/common.inc drupal-5.23/includes/common.inc
--- drupal-5.2/includes/common.inc	2007-07-26 21:16:45.000000000 +0200
+++ drupal-5.23/includes/common.inc	2010-03-04 01:16:02.000000000 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: common.inc,v 1.611.2.9 2007/07/26 19:16:45 drumm Exp $
+// $Id: common.inc,v 1.611.2.26 2010/03/04 00:16:02 drumm Exp $
 
 /**
  * @file
@@ -152,6 +152,15 @@
 }
 
 /**
+ * Make any final alterations to the rendered xhtml.
+ */
+function drupal_final_markup($content) {
+  // Make sure that the charset is always specified as the first element of the
+  // head region to prevent encoding-based attacks.
+  return preg_replace('/<head[^>]*>/i', "\$0\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />", $content, 1);
+}
+
+/**
  * Add a feed URL for the current page.
  *
  * @param $url
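Review bot: The pattern `/<head[^>]*>/i` in `drupal_final_markup()` matches any tag whose name merely begins with "head", and with the limit of 1 it takes the first such match in `$content`, so the charset `<meta>` is not guaranteed to land in the document head. Requiring the tag name to end there, `'/<head(?:\s[^>]*)?>/i'`, keeps the same `$0` replacement working. The docblock also needs `@param $content` and `@return` lines, and should say that content without a `<head>` tag is returned unchanged.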
@@ -267,9 +276,8 @@
  * 'user login'-block in a sidebar. The function drupal_get_destination()
  * can be used to help set the destination URL.
  *
- * It is advised to use drupal_goto() instead of PHP's header(), because
- * drupal_goto() will append the user's session ID to the URI when PHP is
- * compiled with "--enable-trans-sid".
+ * Drupal will ensure that messages set by drupal_set_message() and other
+ * session data are written to the database before the user is redirected.
  *
  * This function ends the request; use it rather than a print theme('page')
  * statement in your menu callback.
@@ -294,18 +302,35 @@
  * @see drupal_get_destination()
  */
 function drupal_goto($path = '', $query = NULL, $fragment = NULL, $http_response_code = 302) {
+
+  $destination = FALSE;
   if (isset($_REQUEST['destination'])) {
-    extract(parse_url(urldecode($_REQUEST['destination'])));
+    $destination = $_REQUEST['destination'];
   }
   else if (isset($_REQUEST['edit']['destination'])) {
-    extract(parse_url(urldecode($_REQUEST['edit']['destination'])));
+    $destination = $_REQUEST['edit']['destination'];
+  }
+
+  if ($destination) {
+    // Do not redirect to an absolute URL originating from user input.
+    $colonpos = strpos($destination, ':');
+    $absolute = ($colonpos !== FALSE && !preg_match('![/?#]!', substr($destination, 0, $colonpos)));
+    if (!$absolute) {
+      extract(parse_url(urldecode($destination)));
+    }
   }
 
   $url = url($path, $query, $fragment, TRUE);
+  // Remove newlines from the URL to avoid header injection attacks.
+  $url = str_replace(array("\n", "\r"), '', $url);
 
   // Before the redirect, allow modules to react to the end of the page request.
   module_invoke_all('exit', $url);
 
+  // Even though session_write_close() is registered as a shutdown function, we
+  // need all session data written to the database before redirecting.
+  session_write_close();
+
   header('Location: '. $url, TRUE, $http_response_code);
 
   // The "Location" header sends a REDIRECT status code to the http
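Review bot: In `drupal_goto()` the absolute-URL test inspects the raw `$destination`, while `parse_url()` is handed `urldecode($destination)`, so the check and the parser do not look at the same string. `extract()` also writes every key `parse_url()` returns (scheme, host, user, pass, port) into local scope, and it is given FALSE when the value cannot be parsed. I would decode once, test and parse that one value, and copy only the three components that `url()` takes. Whether the current form is reachable in practice depends on `url()`, which is outside this hunk; the function also continues past the end of the hunk.

```php
  if ($destination) {
    // Decode once so the absolute-URL check and parse_url() see the same string.
    $destination = urldecode($destination);
    // Do not redirect to an absolute URL originating from user input.
    $colonpos = strpos($destination, ':');
    $absolute = ($colonpos !== FALSE && !preg_match('![/?#]!', substr($destination, 0, $colonpos)));
    $parts = $absolute ? FALSE : parse_url($destination);
    if (is_array($parts)) {
      // Copy only what url() uses; any other parse_url() key is ignored.
      $path = isset($parts['path']) ? $parts['path'] : $path;
      $query = isset($parts['query']) ? $parts['query'] : $query;
      $fragment = isset($parts['fragment']) ? $parts['fragment'] : $fragment;
    }
  }
  // … unchanged: url() call, newline stripping, exit hooks, session_write_close(), Location header …
```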
@@ -347,8 +372,10 @@
     menu_set_active_item('');
   }
 
-  if (empty($return)) {
+  if (empty($return) || $return == MENU_NOT_FOUND || $return == MENU_ACCESS_DENIED) {
     drupal_set_title(t('Page not found'));
+    menu_set_active_item('');
+    $return = '';
   }
   // To conserve CPU and bandwidth, omit the blocks
   print theme('page', $return, FALSE);
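Review bot: `$return == MENU_NOT_FOUND || $return == MENU_ACCESS_DENIED` compares loosely, and `$return` is also the page content that is handed to `theme('page', ...)`. PHP's loose comparison converts a string to a number first, so content that starts with the same digits as one of these constants (their values are defined outside this diff) would be taken for the status code and discarded. Use identity comparison, `if (empty($return) || $return === MENU_NOT_FOUND || $return === MENU_ACCESS_DENIED) {`, provided the menu handler returns the constants as integers. The same condition is added in the access-denied hunk further down (`@@ -376,8 +403,9 @@`).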
@@ -361,7 +388,7 @@
   drupal_set_header('HTTP/1.1 403 Forbidden');
   watchdog('access denied', check_plain($_GET['q']), WATCHDOG_WARNING);
 
-// Keep old path for reference
+  // Keep old path for reference
   if (!isset($_REQUEST['destination'])) {
     $_REQUEST['destination'] = $_GET['q'];
   }
@@ -376,8 +403,9 @@
     menu_set_active_item('');
   }
 
-  if (empty($return)) {
+  if (empty($return) || $return == MENU_NOT_FOUND || $return == MENU_ACCESS_DENIED) {
     drupal_set_title(t('Access denied'));
+    menu_set_active_item('');
     $return = t('You are not authorized to access this page.');
   }
   print theme('page', $return);
@@ -410,6 +438,18 @@
   // Parse the URL, and make sure we can handle the schema.
   $uri = parse_url($url);
 
+  if ($uri == FALSE) {
+    $result->error = 'unable to parse URL';
+    $result->code = -1001;
+    return $result;
+  }
+
+  if (!isset($uri['scheme'])) {
+    $result->error = 'missing schema';
+    $result->code = -1002;
+    return $result;
+  }
+
   switch ($uri['scheme']) {
     case 'http':
       $port = isset($uri['port']) ? $uri['port'] : 80;
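Review bot: The new early returns set `$result->code` to -1001 and -1002 (and -1003 in the next hunk, `@@ -424,6 +464,7 @@`) with no documentation of what the negative values mean, so callers can only compare against bare numbers. List them in the function's docblock, e.g. `-1001: URL could not be parsed; -1002: URL has no scheme; -1003: scheme is not supported`, or define named constants. The messages say "schema" where the URL component is the "scheme"; since existing callers may match on the old 'invalid schema' text, that wording is better noted than changed. The function's start and its docblock are outside this hunk.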
@@ -424,6 +464,7 @@
       break;
     default:
       $result->error = 'invalid schema '. $uri['scheme'];
+      $result->code = -1003;
       return $result;
   }
 
@@ -450,6 +491,11 @@
     'Content-Length' => 'Content-Length: '. strlen($data)
   );
 
+  // If the server url has a user then attempt to use basic authentication
+  if (isset($uri['user'])) {
+    $defaults['Authorization'] = 'Authorization: Basic '. base64_encode($uri['user'] . (!empty($uri['pass']) ? ":". $uri['pass'] : ''));
+  }
+
   foreach ($headers as $header => $value) {
     $defaults[$header] = $header .': '. $value;
   }
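Review bot: The `!empty($uri['pass'])` test in the new Authorization line treats a password of "0" as absent and, when there is no password, omits the colon, so the encoded value is `user` rather than `user:`. Basic credentials are defined as user-id, colon, password, so the colon should always be present: `$defaults['Authorization'] = 'Authorization: Basic '. base64_encode($uri['user'] .':'. (isset($uri['pass']) ? $uri['pass'] : ''));`. The header is added without regard to scheme, so with an `http://` URL the credentials cross the network in clear text; that deserves a sentence in the function's documentation. The function starts and ends outside this hunk.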
@@ -544,7 +590,7 @@
   }
 
   if ($errno & (E_ALL ^ E_NOTICE)) {
-    $types = array(1 => 'error', 2 => 'warning', 4 => 'parse error', 8 => 'notice', 16 => 'core error', 32 => 'core warning', 64 => 'compile error', 128 => 'compile warning', 256 => 'user error', 512 => 'user warning', 1024 => 'user notice', 2048 => 'strict warning');
+    $types = array(1 => 'error', 2 => 'warning', 4 => 'parse error', 8 => 'notice', 16 => 'core error', 32 => 'core warning', 64 => 'compile error', 128 => 'compile warning', 256 => 'user error', 512 => 'user warning', 1024 => 'user notice', 2048 => 'strict warning', 4096 => 'recoverable fatal error');
     $entry = $types[$errno] .': '. $message .' in '. $filename .' on line '. $line .'.';
 
     // Force display of error messages in update.php
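Review bot: `$types[$errno]` is still indexed without a check, so adding 4096 fixes one missing level, but any level not in the table (PHP 5.3 adds 8192 and 16384 for deprecation notices) raises an undefined-offset notice inside the error handler and logs an entry with no type. A fallback avoids chasing new constants: `$type = isset($types[$errno]) ? $types[$errno] : 'unknown error';`, then use `$type` when building `$entry`. The handler's signature and the rest of its body are outside this hunk.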
@@ -629,8 +675,8 @@
 /**
  * Translate strings to the current locale.
  *
- * All human-readable text that will be displayed somewhere within a page should be
- * run through the t() function.
+ * Human-readable text that will be displayed somewhere within a page should
+ * be run through the t() function.
  *
  * Examples:
  * @code
@@ -666,27 +712,27 @@
  *     $message[] = t("If you don't want to receive such e-mails, you can change your settings at !url.", array('!url' => url("user/$account->uid", NULL, NULL, TRUE)));
  *   @endcode
  *
- * - @variable, which indicates that the text should be run through check_plain,
- *   to strip out HTML characters. Use this for any output that's displayed within
- *   a Drupal page.
+ * - @variable, which indicates that the text should be run through
+ *   check_plain, to escape HTML characters. Use this for any output that's
+ *   displayed within a Drupal page.
  *   @code
  *     drupal_set_title($title = t("@name's blog", array('@name' => $account->name)));
  *   @endcode
  *
- * - %variable, which indicates that the string should be highlighted with
- *   theme_placeholder() which shows up by default as <em>emphasized</em>.
+ * - %variable, which indicates that the string should be HTML escaped and
+ *   highlighted with theme_placeholder() which shows up by default as
+ *   <em>emphasized</em>.
  *   @code
- *     watchdog('mail', t('%name-from sent %name-to an e-mail.', array('%name-from' => $user->name, '%name-to' => $account->name)));
+ *     $message = t('%name-from sent %name-to an e-mail.', array('%name-from' => $user->name, '%name-to' => $account->name));
  *   @endcode
  *
  * When using t(), try to put entire sentences and strings in one t() call.
  * This makes it easier for translators, as it provides context as to what
- * each word refers to. HTML markup within translation strings is allowed,
- * but should be avoided if possible. The exception is embedded links; link
- * titles add additional context for translators so should be kept in the main
- * string.
+ * each word refers to. HTML markup within translation strings is allowed, but
+ * should be avoided if possible. The exception are embedded links; link
+ * titles add a context for translators, so should be kept in the main string.
  *
- * Here is an example of an incorrect use if t():
+ * Here is an example of incorrect usage of t():
  * @code
  *   $output .= t('<p>Go to the @contact-page.</p>', array('@contact-page' => l(t('contact page'), 'contact')));
  * @endcode
@@ -696,7 +742,7 @@
  *   $output .= '<p>'. t('Go to the <a href="@contact-page">contact page</a>.', array('@contact-page' => url('contact'))) .'</p>';
  * @endcode
  *
- * Also avoid escaping quotation marks wherever possible.
+ * Avoid escaping quotation marks wherever possible.
  *
  * Incorrect:
  * @code
@@ -708,6 +754,101 @@
  *   $output .= t("Don't click me.");
  * @endcode
  *
+ * Because t() is designed for handling code-based strings, in almost all
+ * cases, the actual string and not a variable must be passed through t().
+ *
+ * Extraction of translations is done based on the strings contained in t()
+ * calls. If a variable is passed through t(), the content of the variable
+ * cannot be extracted from the file for translation.
+ *
+ * Incorrect:
+ * @code
+ *   $message = 'An error occurred.';
+ *   drupal_set_message(t($message), 'error');
+ *   $output .= t($message);
+ * @endcode
+ *
+ * Correct:
+ * @code
+ *   $message = t('An error occurred.');
+ *   drupal_set_message($message, 'error');
+ *   $output .= $message;
+ * @endcode
+ *
+ * The only case in which variables can be passed safely through t() is when
+ * code-based versions of the same strings will be passed through t() (or
+ * otherwise extracted) elsewhere.
+ *
+ * In some cases, modules may include strings in code that can't use t()
+ * calls. For example, a module may use an external PHP application that
+ * produces strings that are loaded into variables in Drupal for output.
+ * In these cases, module authors may include a dummy file that passes the
+ * relevant strings through t(). This approach will allow the strings to be
+ * extracted.
+ *
+ * Sample external (non-Drupal) code:
+ * @code
+ *   class Time {
+ *     public $yesterday = 'Yesterday';
+ *     public $today = 'Today';
+ *     public $tomorrow = 'Tomorrow';
+ *   }
+ * @endcode
+ *
+ * Sample dummy file.
+ * @code
+ *   // Dummy function included in example.potx.inc.
+ *   function example_potx() {
+ *     $strings = array(
+ *       t('Yesterday'),
+ *       t('Today'),
+ *       t('Tomorrow'),
+ *     );
+ *     // No return value needed, since this is a dummy function.
+ *   }
+ * @endcode
+ *
+ * Having passed strings through t() in a dummy function, it is then
+ * okay to pass variables through t().
+ *
+ * Correct (if a dummy file was used):
+ * @code
+ *   $time = new Time();
+ *   $output .= t($time->today);
+ * @endcode
+ *
+ * However tempting it is, custom data from user input or other non-code
+ * sources should not be passed through t(). Doing so leads to the following
+ * problems and errors:
+ *  - The t() system doesn't support updates to existing strings. When user
+ *    data is updated, the next time it's passed through t() a new record is
+ *    created instead of an update. The database bloats over time and any
+ *    existing translations are orphaned with each update.
+ *  - The t() system assumes any data it receives is in English. User data may
+ *    be in another language, producing translation errors.
+ *  - The "Built-in interface" text group in the locale system is used to
+ *    produce translations for storage in .po files. When non-code strings are
+ *    passed through t(), they are added to this text group, which is rendered
+ *    inaccurate since it is a mix of actual interface strings and various user
+ *    input strings of uncertain origin.
+ *
+ * Incorrect:
+ * @code
+ *   $item = item_load();
+ *   $output .= check_plain(t($item['title']));
+ * @endcode
+ *
+ * Instead, translation of these data can be done through the locale system,
+ * either directly or through helper functions provided by contributed
+ * modules.
+ * @see hook_locale()
+ *
+ * During installation, st() is used in place of t(). Code that may be called
+ * during installation or during normal operation should use the get_t()
+ * helper function.
+ * @see st()
+ * @see get_t()
+ *
  * @param $string
  *   A string containing the English string to translate.
  * @param $args
@@ -780,7 +921,7 @@
  *
  * This function should only be used on actual URLs. It should not be used for
  * Drupal menu paths, which can contain arbitrary characters.
- *
+ * Valid values per RFC 3986.
  * @param $url
  *   The URL to verify.
  * @param $absolute
@@ -789,12 +930,26 @@
  *   TRUE if the URL is in a valid format.
  */
 function valid_url($url, $absolute = FALSE) {
-  $allowed_characters = '[a-z0-9\/:_\-_\.\?\$,;~=#&%\+]';
   if ($absolute) {
-    return preg_match("/^(http|https|ftp):\/\/". $allowed_characters ."+$/i", $url);
+    return (bool)preg_match("
+      /^                                                      # Start at the beginning of the text
+      (?:ftp|https?):\/\/                                     # Look for ftp, http, or https schemes
+      (?:                                                     # Userinfo (optional) which is typically
+        (?:(?:[\w\.\-\+!$&'\(\)*\+,;=]|%[0-9a-f]{2})+:)*      # a username or a username and password
+        (?:[\w\.\-\+%!$&'\(\)*\+,;=]|%[0-9a-f]{2})+@          # combination
+      )?
+      (?:
+        (?:[a-z0-9\-\.]|%[0-9a-f]{2})+                        # A domain name or a IPv4 address
+        |(?:\[(?:[0-9a-f]{0,4}:)*(?:[0-9a-f]{0,4})\])         # or a well formed IPv6 address
+      )
+      (?::[0-9]+)?                                            # Server port number (optional)
+      (?:[\/|\?]
+        (?:[\w#!:\.\?\+=&@$'~*,;\/\(\)\[\]\-]|%[0-9a-f]{2})   # The path and query (optional)
+      *)?
+    $/xi", $url);
   }
   else {
-    return preg_match("/^". $allowed_characters ."+$/i", $url);
+    return (bool)preg_match("/^(?:[\w#!:\.\?\+=&@$'~*,;\/\(\)\[\]\-]|%[0-9a-f]{2})+$/i", $url);
   }
 }
 
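Review bot: Both patterns in valid_url() end in a bare `$`, which in PCRE also matches just before a final newline, so a URL followed by a line feed is still reported as valid. That matters wherever the checked value is later written into a header or a redirect. Adding the `D` modifier closes it: `$/xiD", $url);` for the absolute pattern and `+$/iD", $url);` for the relative one. Separately, `(?:[\/|\?]` puts a literal `|` into the character class, so a pipe is accepted as the start of the path; `[\/\?]` looks like what was meant. The function's docblock begins outside this hunk.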
@@ -1262,7 +1417,7 @@
  *   an HTML string containing a link to the given path.
  */
 function l($text, $path, $attributes = array(), $query = NULL, $fragment = NULL, $absolute = FALSE, $html = FALSE) {
-  if ($path == $_GET['q']) {
+  if (($path == $_GET['q']) || ($path == '<front>' && drupal_is_front_page())) {
     if (isset($attributes['class'])) {
       $attributes['class'] .= ' active';
     }
@@ -1511,6 +1666,8 @@
       foreach ($type as $file => $cache) {
         if ($cache) {
           $contents = file_get_contents($file);
+          // Remove multiple charset declarations for standards compliance (and fixing Safari problems)
+          $contents = preg_replace('/^@charset\s+[\'"](\S*)\b[\'"];/i', '', $contents);
           // Return the path to where this CSS file originated from, stripping off the name of the file at the end of the path.
           $path = base_path() . substr($file, 0, strrpos($file, '/')) .'/';
           // Wraps all @import arguments in url().
@@ -1545,6 +1702,8 @@
  */
 function drupal_clear_css_cache() {
   file_scan_directory(file_create_path('css'), '.*', array('.', '..', 'CVS'), 'file_delete', TRUE);
+  // Clear the page cache, so cached pages do not reference nonexistent CSS.
+  cache_clear_all();
 }
 
 /**
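Review bot: `cache_clear_all()` is called without arguments in drupal_clear_css_cache(), and that form may not empty the page cache unconditionally. Its implementation is not part of this diff, but if it honours a configured minimum cache lifetime, pages cached before the CSS files were deleted can keep pointing at them. If the intent is that no cached page survives, the wildcard form states it: `cache_clear_all('*', 'cache_page', TRUE);`. Otherwise the comment should carry the caveat, e.g. `// Expire cached pages so they stop referencing deleted CSS (subject to the minimum cache lifetime).`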
@@ -1644,10 +1803,10 @@
  * are added to the page. Then, all settings are output, followed by 'inline'
  * JavaScript code.
  *
- * @parameter $scope
+ * @param $scope
  *   (optional) The scope for which the JavaScript rules should be returned.
  *   Defaults to 'header'.
- * @parameter $javascript
+ * @param $javascript
  *   (optional) An array with all JavaScript code. Defaults to the default
  *   JavaScript array for the given scope.
  * @return
@@ -1912,7 +2071,7 @@
  * @param $body
  *   Message to be sent. Drupal will format the correct line endings for you.
  * @param $from
- *   Sets From, Reply-To, Return-Path and Error-To to this value, if given.
+ *   Sets From to this value, if given.
  * @param $headers
  *   Associative array containing the headers to add. This is typically
  *   used to add extra headers (From, Cc, and Bcc).
@@ -1932,10 +2091,10 @@
   // SMTP server.  Errors-To is redundant, but shouldn't hurt.
   $default_from = variable_get('site_mail', ini_get('sendmail_from'));
   if ($default_from) {
-    $defaults['From'] = $defaults['Reply-To'] = $defaults['Sender'] = $defaults['Return-Path'] = $defaults['Errors-To'] = $default_from;
+    $defaults['From'] = $defaults['Sender'] = $defaults['Return-Path'] = $defaults['Errors-To'] = $default_from;
   }
   if ($from) {
-    $defaults['From'] = $defaults['Reply-To'] = $from;
+    $defaults['From'] = $from;
   }
   $headers = array_merge($defaults, $headers);
   // Custom hook traversal to allow pass by reference
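Review bot: `$defaults['From'] = $from;` copies the caller's value into a mail header as-is, and nothing in this hunk rejects CR or LF. The rest of drupal_mail() lies outside the hunk; unless it strips line breaks from header values, a `$from` built from form input could carry additional header lines. A guard at the assignment would not depend on that later code: `$defaults['From'] = str_replace(array("\r", "\n"), '', $from);`. The `array_merge($defaults, $headers)` that follows lets caller-supplied headers override these defaults, so the same concern applies to `$headers` values.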
diff -Naur drupal-5.2/includes/database.inc drupal-5.23/includes/database.inc
--- drupal-5.2/includes/database.inc	2007-07-12 08:25:47.000000000 +0200
+++ drupal-5.23/includes/database.inc	2008-01-07 01:55:44.000000000 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: database.inc,v 1.62.2.4 2007/07/12 06:25:47 drumm Exp $
+// $Id: database.inc,v 1.62.2.6 2008/01/07 00:55:44 drumm Exp $
 
 /**
  * @file
@@ -100,7 +100,7 @@
  */
 function db_set_active($name = 'default') {
   global $db_url, $db_type, $active_db;
-  static $db_conns;
+  static $db_conns, $active_name = FALSE;
 
   if (!isset($db_conns[$name])) {
     // Initiate a new connection, using the named DB URL specified.
@@ -128,11 +128,12 @@
     $db_conns[$name] = db_connect($connect_url);
   }
 
-  $previous_db = $active_db;
+  $previous_name = $active_name;
   // Set the active connection.
+  $active_name = $name;
   $active_db = $db_conns[$name];
 
-  return array_search($previous_db, $db_conns);
+  return $previous_name;
 }
 
 /**
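Review bot: The return value of db_set_active() changes meaning here, and the docblock, which is outside these hunks, should say so. It is now the name passed on the previous call, and `FALSE` on the first call because the earlier hunk initialises `static $db_conns, $active_name = FALSE;`. A caller that saves the result and later restores it with `db_set_active($previous)` would hand `FALSE` back in on that path; how the connection lookup treats a non-string name is not visible in this hunk. I would add `@return The name of the previously active database, or FALSE if none was set.` and a short comment beside the static explaining the sentinel.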
@@ -252,7 +253,7 @@
  * @param $query
  *   Query to be rewritten.
  * @param $primary_table
- *   Name or alias of the table which has the primary key field for this query. Possible values are: comments, forum, node, menu, term_data, vocabulary.
+ *   Name or alias of the table which has the primary key field for this query. Possible values are: {comments}, {forum}, {node}, {menu}, {term_data}, {vocabulary}.
  * @param $primary_field
  *   Name of the primary field.
  * @param $args
diff -Naur drupal-5.2/includes/database.mysql.inc drupal-5.23/includes/database.mysql.inc
--- drupal-5.2/includes/database.mysql.inc	2007-01-22 03:20:50.000000000 +0100
+++ drupal-5.23/includes/database.mysql.inc	2009-07-10 08:09:38.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: database.mysql.inc,v 1.66.2.1 2007/01/22 02:20:50 unconed Exp $
+// $Id: database.mysql.inc,v 1.66.2.4 2009/07/10 06:09:38 drumm Exp $
 
 /**
  * @file
@@ -63,6 +63,7 @@
       install_goto('install.php');
     }
     drupal_maintenance_theme();
+    drupal_set_header('HTTP/1.1 503 Service Unavailable');
     drupal_set_title('PHP MySQL support not enabled');
     print theme('maintenance_page', '<p>We were unable to use the MySQL database because the MySQL extension for PHP is not installed. Check your <code>PHP.ini</code> to see how you can enable it.</p>
 <p>For more help, see the <a href="http://drupal.org/node/258">Installation and upgrading handbook</a>. If you are unsure what these terms mean you should probably contact your hosting provider.</p>');
@@ -105,7 +106,7 @@
     drupal_set_header('HTTP/1.1 503 Service Unavailable');
     drupal_set_title('Unable to connect to database server');
     print theme('maintenance_page', '<p>If you still have to install Drupal, proceed to the <a href="'. base_path() .'install.php">installation page</a>.</p>
-<p>If you have already finished installed Drupal, this either means that the username and password information in your <code>settings.php</code> file is incorrect or that we can\'t connect to the MySQL database server. This could mean your hosting provider\'s database server is down.</p>
+<p>If you have already finished installing Drupal, this either means that the username and password information in your <code>settings.php</code> file is incorrect or that we can\'t connect to the MySQL database server. This could mean your hosting provider\'s database server is down.</p>
 <p>The MySQL error was: '. theme('placeholder', mysql_error()) .'.</p>
 <p>Currently, the username is '. theme('placeholder', $url['user']) .' and the database server is '. theme('placeholder', $url['host']) .'.</p>
 <ul>
@@ -119,6 +120,7 @@
 
   if (!mysql_select_db(substr($url['path'], 1))) {
     drupal_maintenance_theme();
+    drupal_set_header('HTTP/1.1 503 Service Unavailable');
     drupal_set_title('Unable to select database');
     print theme('maintenance_page', '<p>We were able to connect to the MySQL database server (which means your username and password are okay) but not able to select the database.</p>
 <p>The MySQL error was: '. theme('placeholder', mysql_error($connection)) .'.</p>
@@ -358,7 +360,7 @@
   $tablename = array_pop($args);
   array_shift($args);
 
-  $query = preg_replace('/^SELECT/i', 'CREATE TEMPORARY TABLE '. $tablename .' SELECT', db_prefix_tables($query));
+  $query = preg_replace('/^SELECT/i', 'CREATE TEMPORARY TABLE '. $tablename .' Engine=HEAP SELECT', db_prefix_tables($query));
   if (isset($args[0]) and is_array($args[0])) { // 'All arguments in one array' syntax
     $args = $args[0];
   }
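Review bot: `Engine=HEAP` makes every temporary table a MEMORY table, which in MySQL rejects BLOB and TEXT columns and is capped by `max_heap_table_size`. A caller whose SELECT list includes a text column, or whose result set is large, would now fail where it used to succeed. The same change is made in database.mysqli.inc (`@@ -338,7 +343,7 @@`). Either leave the engine to the server default or document the restriction in the function's docblock (outside this hunk), e.g. `The query must not select TEXT or BLOB columns; the temporary table is created in memory.` Note also that `$tablename` is concatenated into the statement unquoted, so it has to remain a code-supplied constant.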
diff -Naur drupal-5.2/includes/database.mysqli.inc drupal-5.23/includes/database.mysqli.inc
--- drupal-5.2/includes/database.mysqli.inc	2006-12-27 23:50:09.000000000 +0100
+++ drupal-5.23/includes/database.mysqli.inc	2009-07-10 08:09:38.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: database.mysqli.inc,v 1.32 2006/12/27 22:50:09 dries Exp $
+// $Id: database.mysqli.inc,v 1.32.2.6 2009/07/10 06:09:38 drumm Exp $
 
 /**
  * @file
@@ -56,6 +56,7 @@
   // Check if MySQLi support is present in PHP
   if (!function_exists('mysqli_init') && !extension_loaded('mysqli')) {
     drupal_maintenance_theme();
+    drupal_set_header('HTTP/1.1 503 Service Unavailable');
     drupal_set_title('PHP MySQLi support not enabled');
     print theme('maintenance_page', '<p>We were unable to use the MySQLi database because the MySQLi extension for PHP is not installed. Check your <code>PHP.ini</code> to see how you can enable it.</p>
 <p>For more help, see the <a href="http://drupal.org/node/258">Installation and upgrading handbook</a>. If you are unsure what these terms mean you should probably contact your hosting provider.</p>');
@@ -75,6 +76,9 @@
   }
   $url['host'] = urldecode($url['host']);
   $url['path'] = urldecode($url['path']);
+  if (!isset($url['port'])) {
+    $url['port'] = NULL;
+  }
 
   $connection = mysqli_init();
   @mysqli_real_connect($connection, $url['host'], $url['user'], $url['pass'], substr($url['path'], 1), $url['port'], NULL, MYSQLI_CLIENT_FOUND_ROWS);
@@ -85,8 +89,8 @@
     drupal_set_header('HTTP/1.1 503 Service Unavailable');
     drupal_set_title('Unable to connect to database server');
     print theme('maintenance_page', '<p>If you still have to install Drupal, proceed to the <a href="'. base_path() .'install.php">installation page</a>.</p>
-<p>If you have already finished installed Drupal, this either means that the username and password information in your <code>settings.php</code> file is incorrect or that we can\'t connect to the MySQL database server. This could mean your hosting provider\'s database server is down.</p>
-<p>The MySQL error was: '. theme('placeholder', mysqli_error($connection)) .'.</p>
+<p>If you have already finished installing Drupal, this either means that the username and password information in your <code>settings.php</code> file is incorrect or that we can\'t connect to the MySQL database server. This could mean your hosting provider\'s database server is down.</p>
+<p>The MySQL error was: '. theme('placeholder', mysqli_connect_error($connection)) .'.</p>
 <p>Currently, the username is '. theme('placeholder', $url['user']) .' and the database server is '. theme('placeholder', $url['host']) .'.</p>
 <ul>
   <li>Are you sure you have the correct username and password?</li>
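Review bot: `mysqli_connect_error($connection)` passes an argument to a function that is documented as taking none, so the call should be `mysqli_connect_error()`. Depending on the PHP version the extra argument is ignored, triggers a warning, or raises an error. The same call is introduced in the 'Unable to select database' hunk (`@@ -99,9 +103,10 @@`). Both pages also print the raw driver error, together with the configured username and host, to anyone who requests the site while the database is down. Logging that detail and showing only a generic message would keep it out of public view.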
@@ -99,9 +103,10 @@
   }
   else if (mysqli_connect_errno() > 0) {
     drupal_maintenance_theme();
+    drupal_set_header('HTTP/1.1 503 Service Unavailable');
     drupal_set_title('Unable to select database');
     print theme('maintenance_page', '<p>We were able to connect to the MySQL database server (which means your username and password are okay) but not able to select the database.</p>
-<p>The MySQL error was: '. theme('placeholder', mysqli_error($connection)) .'.</p>
+<p>The MySQL error was: '. theme('placeholder', mysqli_connect_error($connection)) .'.</p>
 <p>Currently, the database is '. theme('placeholder', substr($url['path'], 1)) .'. The username is '. theme('placeholder', $url['user']) .' and the database server is '. theme('placeholder', $url['host']) .'.</p>
 <ul>
   <li>Are you sure you have the correct database name?</li>
@@ -199,18 +204,18 @@
 }
 
 /**
-* Return an individual result field from the previous query.
-*
-* Only use this function if exactly one field is being selected; otherwise,
-* use db_fetch_object() or db_fetch_array().
-*
-* @param $result
-*   A database query result resource, as returned from db_query().
-* @param $row
-*   The index of the row whose result is needed.
-* @return
-*   The resulting field or FALSE.
-*/
+ * Return an individual result field from the previous query.
+ *
+ * Only use this function if exactly one field is being selected; otherwise,
+ * use db_fetch_object() or db_fetch_array().
+ *
+ * @param $result
+ *   A database query result resource, as returned from db_query().
+ * @param $row
+ *   The index of the row whose result is needed.
+ * @return
+ *   The resulting field or FALSE.
+ */
 function db_result($result, $row = 0) {
   if ($result && mysqli_num_rows($result) > $row) {
     $array = mysqli_fetch_array($result, MYSQLI_NUM);
@@ -338,7 +343,7 @@
   $tablename = array_pop($args);
   array_shift($args);
 
-  $query = preg_replace('/^SELECT/i', 'CREATE TEMPORARY TABLE '. $tablename .' SELECT', db_prefix_tables($query));
+  $query = preg_replace('/^SELECT/i', 'CREATE TEMPORARY TABLE '. $tablename .' Engine=HEAP SELECT', db_prefix_tables($query));
   if (isset($args[0]) and is_array($args[0])) { // 'All arguments in one array' syntax
     $args = $args[0];
   }
diff -Naur drupal-5.2/includes/database.pgsql.inc drupal-5.23/includes/database.pgsql.inc
--- drupal-5.2/includes/database.pgsql.inc	2006-12-27 23:13:56.000000000 +0100
+++ drupal-5.23/includes/database.pgsql.inc	2008-09-15 08:14:52.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: database.pgsql.inc,v 1.43 2006/12/27 22:13:56 dries Exp $
+// $Id: database.pgsql.inc,v 1.43.2.3 2008/09/15 06:14:52 drumm Exp $
 
 /**
  * @file
@@ -54,6 +54,7 @@
    // Check if MySQL support is present in PHP
   if (!function_exists('pg_connect')) {
     drupal_maintenance_theme();
+    drupal_set_header('HTTP/1.1 503 Service Unavailable');
     drupal_set_title('PHP PostgreSQL support not enabled');
     print theme('maintenance_page', '<p>We were unable to use the PostgreSQL database because the PostgreSQL extension for PHP is not installed. Check your <code>PHP.ini</code> to see how you can enable it.</p>
 <p>For more help, see the <a href="http://drupal.org/node/258">Installation and upgrading handbook</a>. If you are unsure what these terms mean you should probably contact your hosting provider.</p>');
@@ -92,7 +93,7 @@
     drupal_set_header('HTTP/1.1 503 Service Unavailable');
     drupal_set_title('Unable to connect to database');
     print theme('maintenance_page', '<p>If you still have to install Drupal, proceed to the <a href="'. base_path() .'install.php">installation page</a>.</p>
-<p>If you have already finished installed Drupal, this either means that the username and password information in your <code>settings.php</code> file is incorrect or that we can\'t connect to the PostgreSQL database server. This could mean your hosting provider\'s database server is down.</p>
+<p>If you have already finished installing Drupal, this either means that the username and password information in your <code>settings.php</code> file is incorrect or that we can\'t connect to the PostgreSQL database server. This could mean your hosting provider\'s database server is down.</p>
 <p>The PostgreSQL error was: '. theme('placeholder', decode_entities($php_errormsg)) .'</p>
 <p>Currently, the database is '. theme('placeholder', substr($url['path'], 1)) .', the username is '. theme('placeholder', $url['user']) .', and the database server is '. theme('placeholder', $url['host']) .'.</p>
 <ul>
@@ -418,10 +419,14 @@
  * @return SQL query with the DISTINCT wrapper surrounding the given table.field.
  */
 function db_distinct_field($table, $field, $query) {
-  $field_to_select = 'DISTINCT ON ('. $table .'.'. $field .") $table.$field";
-  // (?<!text) is a negative look-behind (no need to rewrite queries that already use DISTINCT).
-  $query = preg_replace('/(SELECT.*)(?:'. $table .'\.|\s)(?<!DISTINCT\()(?<!DISTINCT\('. $table .'\.)'. $field .'(.*FROM )/AUsi', '\1 '. $field_to_select .'\2', $query);
-  $query = preg_replace('/(ORDER BY )(?!'.$table.'\.'.$field.')/', '\1'."$table.$field, ", $query);
+  if (!preg_match('/FROM\s+\S+\s+AS/si', $query)
+    && !preg_match('/DISTINCT\s+ON\s*\(\s*(' . $table . '\s*\.\s*)?' . $field . '\s*\)/si', $query)
+    && !preg_match('/DISTINCT[ (]' . $field . '/si', $query)
+    && preg_match('/(.*FROM\s+)(.*?\s)(\s*(WHERE|GROUP|HAVING|ORDER|LIMIT|FOR).*)/Asi', $query, $m)) {
+      $query = $m[1];
+      $query .= preg_replace('/([\{\w+\}]+)\s+(' . $table . ')\s/Usi', '(SELECT DISTINCT ON (' . $field . ') * FROM \1) \2 ', $m[2]);
+      $query .= $m[3];
+  }
   return $query;
 }
 
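Review bot: `$table` and `$field` are spliced into four patterns in db_distinct_field() without `preg_quote()`, so a name containing a regex metacharacter changes what is matched. Build the patterns from `$t = preg_quote($table, '/');` and `$f = preg_quote($field, '/');`, and keep the raw `$field` only for the replacement text. In `'/([\{\w+\}]+)\s+(...'` the brackets form a single character class, so the `+` inside is a literal plus rather than a quantifier; `(\{\w+\}|\w+)` appears to be the intent. When none of the conditions hold, the query is returned unchanged and without DISTINCT, which deserves a line in the docblock (it begins outside this hunk).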
diff -Naur drupal-5.2/includes/file.inc drupal-5.23/includes/file.inc
--- drupal-5.2/includes/file.inc	2007-05-31 07:48:58.000000000 +0200
+++ drupal-5.23/includes/file.inc	2009-01-26 15:22:45.000000000 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: file.inc,v 1.90.2.1 2007/05/31 05:48:58 drumm Exp $
+// $Id: file.inc,v 1.90.2.7 2009/01/26 14:22:45 drumm Exp $
 
 /**
  * @file
@@ -154,20 +154,17 @@
 
 
 /**
- * Check if $source is a valid file upload. If so, move the file to Drupal's tmp dir
- * and return it as an object.
+ * Verify an uploaded file.
  *
- * The use of SESSION['file_uploads'] should probably be externalized to upload.module
- *
- * @todo Rename file_check_upload to file_prepare upload.
- * @todo Refactor or merge file_save_upload.
- * @todo Extenalize SESSION['file_uploads'] to modules.
- *
- * @param $source An upload source (the name of the upload form item), or a file
- * @return FALSE for an invalid file or upload. A file object for valid uploads/files.
+ * Check if $source is a valid file upload. If so, move the file to the
+ * temporary directory and return it as an object.
  *
+ * @param $source
+ *   An upload source (the name of the upload form item), or a file.
+ * @return
+ *   FALSE for an invalid file or upload. A file object for valid
+ *   uploads/files.
  */
-
 function file_check_upload($source = 'upload') {
   // Cache for uploaded files. Since the data in _FILES is modified
   // by this function, we cache the result.
@@ -223,10 +220,11 @@
     $file = new stdClass();
     $file->filename = trim(basename($_FILES["files"]["name"][$source]), '.');
 
-    // Create temporary name/path for newly uploaded files.
-    $file->filepath = tempnam(file_directory_temp(), 'tmp_');
+    // Create temporary name/path for newly uploaded files. On Windows, tempnam()
+    // requires an absolute path, so we use realpath().
+    $file->filepath = tempnam(realpath(file_directory_temp()), 'tmp_');
 
-    $file->filemime = $_FILES["files"]["type"][$source];
+    $file->filemime = file_get_mimetype($file->filename);
 
     // Rename potentially executable files, to help prevent exploits.
     if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
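Review bot: `realpath()` returns FALSE when the temporary directory is missing or unreadable, and neither that nor the result of `tempnam()` is checked before `$file->filepath` is used. With a FALSE directory PHP may fall back to the system temp directory, so the upload can land outside the directory Drupal was configured with. The file_save_data() hunk (`@@ -523,7 +521,8 @@`) has the same `tempnam(realpath(...))` call, though there the following `fopen()` check at least catches a failed `tempnam()`. Resolving the directory first, `$dir = realpath(file_directory_temp());`, and treating `$dir === FALSE` as an invalid upload would cover it; the function starts and ends outside this hunk. The `filemime` line also merits a comment such as `// Derived from the client-supplied name; says nothing about the file's content.`, so later code does not treat it as a trust decision.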
@@ -523,7 +521,8 @@
  */
 function file_save_data($data, $dest, $replace = FILE_EXISTS_RENAME) {
   $temp = file_directory_temp();
-  $file = tempnam($temp, 'file');
+  // On Windows, tempnam() requires an absolute path, so we use realpath().
+  $file = tempnam(realpath($temp), 'file');
   if (!$fp = fopen($file, 'wb')) {
     drupal_set_message(t('The file could not be created.'), 'error');
     return 0;
@@ -639,7 +638,7 @@
   $files = array();
 
   if (is_dir($dir) && $handle = opendir($dir)) {
-    while ($file = readdir($handle)) {
+    while (FALSE !== ($file = readdir($handle))) {
       if (!in_array($file, $nomask) && $file[0] != '.') {
         if (is_dir("$dir/$file") && $recurse) {
           $files = array_merge($files, file_scan_directory("$dir/$file", $mask, $nomask, $callback, $recurse, $key, $min_depth, $depth + 1));
@@ -719,16 +718,387 @@
  * Determine the maximum file upload size by querying the PHP settings.
  *
  * @return
- *   A file size limit in MB based on the PHP upload_max_filesize and post_max_size
+ *   A file size limit in bytes based on the PHP upload_max_filesize and post_max_size
  */
 function file_upload_max_size() {
   static $max_size = -1;
 
   if ($max_size < 0) {
     $upload_max = parse_size(ini_get('upload_max_filesize'));
-    // sanity check- a single upload should not be more than 50% the size limit of the total post
-    $post_max = parse_size(ini_get('post_max_size')) / 2;
+    $post_max = parse_size(ini_get('post_max_size'));
     $max_size = ($upload_max < $post_max) ? $upload_max : $post_max;
   }
   return $max_size;
 }
+
+/**
+ * Determine an Internet Media Type, or MIME type from a filename.
+ *
+ * @param $filename
+ *   Name of the file, including extension.
+ * @param $mapping
+ *   An optional array of extension to media type mappings in the form
+ *   'extension1|extension2|...' => 'type'.
+ *
+ * @return
+ *   The internet media type registered for the extension or application/octet-stream for unknown extensions.
+ */
+function file_get_mimetype($filename, $mapping = NULL) {
+  if (!is_array($mapping)) {
+    $mapping = variable_get('mime_extension_mapping', array(
+      'ez' => 'application/andrew-inset',
+      'atom' => 'application/atom',
+      'atomcat' => 'application/atomcat+xml',
+      'atomsrv' => 'application/atomserv+xml',
+      'cap|pcap' => 'application/cap',
+      'cu' => 'application/cu-seeme',
+      'tsp' => 'application/dsptype',
+      'spl' => 'application/x-futuresplash',
+      'hta' => 'application/hta',
+      'jar' => 'application/java-archive',
+      'ser' => 'application/java-serialized-object',
+      'class' => 'application/java-vm',
+      'hqx' => 'application/mac-binhex40',
+      'cpt' => 'image/x-corelphotopaint',
+      'nb' => 'application/mathematica',
+      'mdb' => 'application/msaccess',
+      'doc|dot' => 'application/msword',
+      'bin' => 'application/octet-stream',
+      'oda' => 'application/oda',
+      'ogg|ogx' => 'application/ogg',
+      'pdf' => 'application/pdf',
+      'key' => 'application/pgp-keys',
+      'pgp' => 'application/pgp-signature',
+      'prf' => 'application/pics-rules',
+      'ps|ai|eps' => 'application/postscript',
+      'rar' => 'application/rar',
+      'rdf' => 'application/rdf+xml',
+      'rss' => 'application/rss+xml',
+      'rtf' => 'application/rtf',
+      'smi|smil' => 'application/smil',
+      'wpd' => 'application/wordperfect',
+      'wp5' => 'application/wordperfect5.1',
+      'xhtml|xht' => 'application/xhtml+xml',
+      'xml|xsl' => 'application/xml',
+      'zip' => 'application/zip',
+      'cdy' => 'application/vnd.cinderella',
+      'kml' => 'application/vnd.google-earth.kml+xml',
+      'kmz' => 'application/vnd.google-earth.kmz',
+      'xul' => 'application/vnd.mozilla.xul+xml',
+      'xls|xlb|xlt' => 'application/vnd.ms-excel',
+      'cat' => 'application/vnd.ms-pki.seccat',
+      'stl' => 'application/vnd.ms-pki.stl',
+      'ppt|pps' => 'application/vnd.ms-powerpoint',
+      'odc' => 'application/vnd.oasis.opendocument.chart',
+      'odb' => 'application/vnd.oasis.opendocument.database',
+      'odf' => 'application/vnd.oasis.opendocument.formula',
+      'odg' => 'application/vnd.oasis.opendocument.graphics',
+      'otg' => 'application/vnd.oasis.opendocument.graphics-template',
+      'odi' => 'application/vnd.oasis.opendocument.image',
+      'odp' => 'application/vnd.oasis.opendocument.presentation',
+      'otp' => 'application/vnd.oasis.opendocument.presentation-template',
+      'ods' => 'application/vnd.oasis.opendocument.spreadsheet',
+      'ots' => 'application/vnd.oasis.opendocument.spreadsheet-template',
+      'odt' => 'application/vnd.oasis.opendocument.text',
+      'odm' => 'application/vnd.oasis.opendocument.text-master',
+      'ott' => 'application/vnd.oasis.opendocument.text-template',
+      'oth' => 'application/vnd.oasis.opendocument.text-web',
+      'docm' => 'application/vnd.ms-word.document.macroEnabled.12',
+      'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+      'dotm' => 'application/vnd.ms-word.template.macroEnabled.12',
+      'dotx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.template',
+      'potm' => 'application/vnd.ms-powerpoint.template.macroEnabled.12',
+      'potx' => 'application/vnd.openxmlformats-officedocument.presentationml.template',
+      'ppam' => 'application/vnd.ms-powerpoint.addin.macroEnabled.12',
+      'ppsm' => 'application/vnd.ms-powerpoint.slideshow.macroEnabled.12',
+      'ppsx' => 'application/vnd.openxmlformats-officedocument.presentationml.slideshow',
+      'pptm' => 'application/vnd.ms-powerpoint.presentation.macroEnabled.12',
+      'pptx' => 'application/vnd.openxmlformats-officedocument.presentationml.presentation',
+      'xlam' => 'application/vnd.ms-excel.addin.macroEnabled.12',
+      'xlsb' => 'application/vnd.ms-excel.sheet.binary.macroEnabled.12',
+      'xlsm' => 'application/vnd.ms-excel.sheet.macroEnabled.12',
+      'xlsx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+      'xltm' => 'application/vnd.ms-excel.template.macroEnabled.12',
+      'xltx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.template',
+      'cod' => 'application/vnd.rim.cod',
+      'mmf' => 'application/vnd.smaf',
+      'sdc' => 'application/vnd.stardivision.calc',
+      'sds' => 'application/vnd.stardivision.chart',
+      'sda' => 'application/vnd.stardivision.draw',
+      'sdd' => 'application/vnd.stardivision.impress',
+      'sdf' => 'application/vnd.stardivision.math',
+      'sdw' => 'application/vnd.stardivision.writer',
+      'sgl' => 'application/vnd.stardivision.writer-global',
+      'sxc' => 'application/vnd.sun.xml.calc',
+      'stc' => 'application/vnd.sun.xml.calc.template',
+      'sxd' => 'application/vnd.sun.xml.draw',
+      'std' => 'application/vnd.sun.xml.draw.template',
+      'sxi' => 'application/vnd.sun.xml.impress',
+      'sti' => 'application/vnd.sun.xml.impress.template',
+      'sxm' => 'application/vnd.sun.xml.math',
+      'sxw' => 'application/vnd.sun.xml.writer',
+      'sxg' => 'application/vnd.sun.xml.writer.global',
+      'stw' => 'application/vnd.sun.xml.writer.template',
+      'sis' => 'application/vnd.symbian.install',
+      'vsd' => 'application/vnd.visio',
+      'wbxml' => 'application/vnd.wap.wbxml',
+      'wmlc' => 'application/vnd.wap.wmlc',
+      'wmlsc' => 'application/vnd.wap.wmlscriptc',
+      'wk' => 'application/x-123',
+      '7z' => 'application/x-7z-compressed',
+      'abw' => 'application/x-abiword',
+      'dmg' => 'application/x-apple-diskimage',
+      'bcpio' => 'application/x-bcpio',
+      'torrent' => 'application/x-bittorrent',
+      'cab' => 'application/x-cab',
+      'cbr' => 'application/x-cbr',
+      'cbz' => 'application/x-cbz',
+      'cdf' => 'application/x-cdf',
+      'vcd' => 'application/x-cdlink',
+      'pgn' => 'application/x-chess-pgn',
+      'cpio' => 'application/x-cpio',
+      'csh' => 'text/x-csh',
+      'deb|udeb' => 'application/x-debian-package',
+      'dcr|dir|dxr' => 'application/x-director',
+      'dms' => 'application/x-dms',
+      'wad' => 'application/x-doom',
+      'dvi' => 'application/x-dvi',
+      'rhtml' => 'application/x-httpd-eruby',
+      'flac' => 'application/x-flac',
+      'pfa|pfb|gsf|pcf|pcf.Z' => 'application/x-font',
+      'mm' => 'application/x-freemind',
+      'gnumeric' => 'application/x-gnumeric',
+      'sgf' => 'application/x-go-sgf',
+      'gcf' => 'application/x-graphing-calculator',
+      'gtar|tgz|taz' => 'application/x-gtar',
+      'hdf' => 'application/x-hdf',
+      'phtml|pht|php' => 'application/x-httpd-php',
+      'phps' => 'application/x-httpd-php-source',
+      'php3' => 'application/x-httpd-php3',
+      'php3p' => 'application/x-httpd-php3-preprocessed',
+      'php4' => 'application/x-httpd-php4',
+      'ica' => 'application/x-ica',
+      'ins|isp' => 'application/x-internet-signup',
+      'iii' => 'application/x-iphone',
+      'iso' => 'application/x-iso9660-image',
+      'jnlp' => 'application/x-java-jnlp-file',
+      'js' => 'application/x-javascript',
+      'jmz' => 'application/x-jmol',
+      'chrt' => 'application/x-kchart',
+      'kil' => 'application/x-killustrator',
+      'skp|skd|skt|skm' => 'application/x-koan',
+      'kpr|kpt' => 'application/x-kpresenter',
+      'ksp' => 'application/x-kspread',
+      'kwd|kwt' => 'application/x-kword',
+      'latex' => 'application/x-latex',
+      'lha' => 'application/x-lha',
+      'lyx' => 'application/x-lyx',
+      'lzh' => 'application/x-lzh',
+      'lzx' => 'application/x-lzx',
+      'frm|maker|frame|fm|fb|book|fbdoc' => 'application/x-maker',
+      'mif' => 'application/x-mif',
+      'wmd' => 'application/x-ms-wmd',
+      'wmz' => 'application/x-ms-wmz',
+      'com|exe|bat|dll' => 'application/x-msdos-program',
+      'msi' => 'application/x-msi',
+      'nc' => 'application/x-netcdf',
+      'pac' => 'application/x-ns-proxy-autoconfig',
+      'nwc' => 'application/x-nwc',
+      'o' => 'application/x-object',
+      'oza' => 'application/x-oz-application',
+      'p7r' => 'application/x-pkcs7-certreqresp',
+      'crl' => 'application/x-pkcs7-crl',
+      'pyc|pyo' => 'application/x-python-code',
+      'qtl' => 'application/x-quicktimeplayer',
+      'rpm' => 'application/x-redhat-package-manager',
+      'sh' => 'text/x-sh',
+      'shar' => 'application/x-shar',
+      'swf|swfl' => 'application/x-shockwave-flash',
+      'sit|sitx' => 'application/x-stuffit',
+      'sv4cpio' => 'application/x-sv4cpio',
+      'sv4crc' => 'application/x-sv4crc',
+      'tar' => 'application/x-tar',
+      'tcl' => 'application/x-tcl',
+      'gf' => 'application/x-tex-gf',
+      'pk' => 'application/x-tex-pk',
+      'texinfo|texi' => 'application/x-texinfo',
+      '~|%|bak|old|sik' => 'application/x-trash',
+      't|tr|roff' => 'application/x-troff',
+      'man' => 'application/x-troff-man',
+      'me' => 'application/x-troff-me',
+      'ms' => 'application/x-troff-ms',
+      'ustar' => 'application/x-ustar',
+      'src' => 'application/x-wais-source',
+      'wz' => 'application/x-wingz',
+      'crt' => 'application/x-x509-ca-cert',
+      'xcf' => 'application/x-xcf',
+      'fig' => 'application/x-xfig',
+      'xpi' => 'application/x-xpinstall',
+      'au|snd' => 'audio/basic',
+      'mid|midi|kar' => 'audio/midi',
+      'mpga|mpega|mp2|mp3|m4a' => 'audio/mpeg',
+      'm3u' => 'audio/x-mpegurl',
+      'oga|spx' => 'audio/ogg',
+      'sid' => 'audio/prs.sid',
+      'aif|aiff|aifc' => 'audio/x-aiff',
+      'gsm' => 'audio/x-gsm',
+      'wma' => 'audio/x-ms-wma',
+      'wax' => 'audio/x-ms-wax',
+      'ra|rm|ram' => 'audio/x-pn-realaudio',
+      'ra' => 'audio/x-realaudio',
+      'pls' => 'audio/x-scpls',
+      'sd2' => 'audio/x-sd2',
+      'wav' => 'audio/x-wav',
+      'alc' => 'chemical/x-alchemy',
+      'cac|cache' => 'chemical/x-cache',
+      'csf' => 'chemical/x-cache-csf',
+      'cbin|cascii|ctab' => 'chemical/x-cactvs-binary',
+      'cdx' => 'chemical/x-cdx',
+      'cer' => 'chemical/x-cerius',
+      'c3d' => 'chemical/x-chem3d',
+      'chm' => 'chemical/x-chemdraw',
+      'cif' => 'chemical/x-cif',
+      'cmdf' => 'chemical/x-cmdf',
+      'cml' => 'chemical/x-cml',
+      'cpa' => 'chemical/x-compass',
+      'bsd' => 'chemical/x-crossfire',
+      'csml|csm' => 'chemical/x-csml',
+      'ctx' => 'chemical/x-ctx',
+      'cxf|cef' => 'chemical/x-cxf',
+      'emb|embl' => 'chemical/x-embl-dl-nucleotide',
+      'spc' => 'chemical/x-galactic-spc',
+      'inp|gam|gamin' => 'chemical/x-gamess-input',
+      'fch|fchk' => 'chemical/x-gaussian-checkpoint',
+      'cub' => 'chemical/x-gaussian-cube',
+      'gau|gjc|gjf' => 'chemical/x-gaussian-input',
+      'gal' => 'chemical/x-gaussian-log',
+      'gcg' => 'chemical/x-gcg8-sequence',
+      'gen' => 'chemical/x-genbank',
+      'hin' => 'chemical/x-hin',
+      'istr|ist' => 'chemical/x-isostar',
+      'jdx|dx' => 'chemical/x-jcamp-dx',
+      'kin' => 'chemical/x-kinemage',
+      'mcm' => 'chemical/x-macmolecule',
+      'mmd|mmod' => 'chemical/x-macromodel-input',
+      'mol' => 'chemical/x-mdl-molfile',
+      'rd' => 'chemical/x-mdl-rdfile',
+      'rxn' => 'chemical/x-mdl-rxnfile',
+      'sd|sdf' => 'chemical/x-mdl-sdfile',
+      'tgf' => 'chemical/x-mdl-tgf',
+      'mcif' => 'chemical/x-mmcif',
+      'mol2' => 'chemical/x-mol2',
+      'b' => 'chemical/x-molconn-Z',
+      'gpt' => 'chemical/x-mopac-graph',
+      'mop|mopcrt|mpc|dat|zmt' => 'chemical/x-mopac-input',
+      'moo' => 'chemical/x-mopac-out',
+      'mvb' => 'chemical/x-mopac-vib',
+      'asn' => 'chemical/x-ncbi-asn1-spec',
+      'prt|ent' => 'chemical/x-ncbi-asn1-ascii',
+      'val|aso' => 'chemical/x-ncbi-asn1-binary',
+      'pdb|ent' => 'chemical/x-pdb',
+      'ros' => 'chemical/x-rosdal',
+      'sw' => 'chemical/x-swissprot',
+      'vms' => 'chemical/x-vamas-iso14976',
+      'vmd' => 'chemical/x-vmd',
+      'xtel' => 'chemical/x-xtel',
+      'xyz' => 'chemical/x-xyz',
+      'gif' => 'image/gif',
+      'ief' => 'image/ief',
+      'jpeg|jpg|jpe' => 'image/jpeg',
+      'pcx' => 'image/pcx',
+      'png' => 'image/png',
+      'svg|svgz' => 'image/svg+xml',
+      'tiff|tif' => 'image/tiff',
+      'djvu|djv' => 'image/vnd.djvu',
+      'wbmp' => 'image/vnd.wap.wbmp',
+      'ras' => 'image/x-cmu-raster',
+      'cdr' => 'image/x-coreldraw',
+      'pat' => 'image/x-coreldrawpattern',
+      'cdt' => 'image/x-coreldrawtemplate',
+      'ico' => 'image/x-icon',
+      'art' => 'image/x-jg',
+      'jng' => 'image/x-jng',
+      'bmp' => 'image/x-ms-bmp',
+      'psd' => 'image/x-photoshop',
+      'pnm' => 'image/x-portable-anymap',
+      'pbm' => 'image/x-portable-bitmap',
+      'pgm' => 'image/x-portable-graymap',
+      'ppm' => 'image/x-portable-pixmap',
+      'rgb' => 'image/x-rgb',
+      'xbm' => 'image/x-xbitmap',
+      'xpm' => 'image/x-xpixmap',
+      'xwd' => 'image/x-xwindowdump',
+      'eml' => 'message/rfc822',
+      'igs|iges' => 'model/iges',
+      'msh|mesh|silo' => 'model/mesh',
+      'wrl|vrml' => 'model/vrml',
+      'ics|icz' => 'text/calendar',
+      'css' => 'text/css',
+      'csv' => 'text/csv',
+      '323' => 'text/h323',
+      'html|htm|shtml' => 'text/html',
+      'uls' => 'text/iuls',
+      'mml' => 'text/mathml',
+      'asc|txt|text|pot' => 'text/plain',
+      'rtx' => 'text/richtext',
+      'sct|wsc' => 'text/scriptlet',
+      'tm|ts' => 'text/texmacs',
+      'tsv' => 'text/tab-separated-values',
+      'jad' => 'text/vnd.sun.j2me.app-descriptor',
+      'wml' => 'text/vnd.wap.wml',
+      'wmls' => 'text/vnd.wap.wmlscript',
+      'bib' => 'text/x-bibtex',
+      'boo' => 'text/x-boo',
+      'h++|hpp|hxx|hh' => 'text/x-c++hdr',
+      'c++|cpp|cxx|cc' => 'text/x-c++src',
+      'h' => 'text/x-chdr',
+      'htc' => 'text/x-component',
+      'c' => 'text/x-csrc',
+      'd' => 'text/x-dsrc',
+      'diff|patch' => 'text/x-diff',
+      'hs' => 'text/x-haskell',
+      'java' => 'text/x-java',
+      'lhs' => 'text/x-literate-haskell',
+      'moc' => 'text/x-moc',
+      'p|pas' => 'text/x-pascal',
+      'gcd' => 'text/x-pcs-gcd',
+      'pl|pm' => 'text/x-perl',
+      'py' => 'text/x-python',
+      'etx' => 'text/x-setext',
+      'tcl|tk' => 'text/x-tcl',
+      'tex|ltx|sty|cls' => 'text/x-tex',
+      'vcs' => 'text/x-vcalendar',
+      'vcf' => 'text/x-vcard',
+      '3gp' => 'video/3gpp',
+      'dl' => 'video/dl',
+      'dif|dv' => 'video/dv',
+      'fli' => 'video/fli',
+      'gl' => 'video/gl',
+      'mpeg|mpg|mpe' => 'video/mpeg',
+      'mp4' => 'video/mp4',
+      'ogv' => 'video/ogg',
+      'qt|mov' => 'video/quicktime',
+      'mxu' => 'video/vnd.mpegurl',
+      'lsf|lsx' => 'video/x-la-asf',
+      'mng' => 'video/x-mng',
+      'asf|asx' => 'video/x-ms-asf',
+      'wm' => 'video/x-ms-wm',
+      'wmv' => 'video/x-ms-wmv',
+      'wmx' => 'video/x-ms-wmx',
+      'wvx' => 'video/x-ms-wvx',
+      'avi' => 'video/x-msvideo',
+      'movie' => 'video/x-sgi-movie',
+      'ice' => 'x-conference/x-cooltalk',
+      'sisx' => 'x-epoc/x-sisx-app',
+      'vrm|vrml|wrl' => 'x-world/x-vrml',
+      'xps' => 'application/vnd.ms-xpsdocument',
+    ));
+  }
+  foreach ($mapping as $ext_preg => $mime_match) {
+    if (preg_match('!\.('. $ext_preg .')$!i', $filename)) {
+      return $mime_match;
+    }
+  }
+
+  return 'application/octet-stream';
+}
diff -Naur drupal-5.2/includes/form.inc drupal-5.23/includes/form.inc
--- drupal-5.2/includes/form.inc	2007-07-26 21:16:45.000000000 +0200
+++ drupal-5.23/includes/form.inc	2009-02-26 06:50:33.000000000 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: form.inc,v 1.174.2.11 2007/07/26 19:16:45 drumm Exp $
+// $Id: form.inc,v 1.174.2.17 2009/02/26 05:50:33 drumm Exp $
 
 /**
  * @defgroup form Form generation
@@ -13,17 +13,18 @@
  * The drupal_get_form() function handles retrieving, processing, and
  * displaying a rendered HTML form for modules automatically. For example:
  *
+ * @code
  * // Display the user registration form.
  * $output = drupal_get_form('user_register');
+ * @endcode
  *
  * Forms can also be built and submitted programmatically without any user input
  * using the drupal_execute() function.
  *
- *
  * For information on the format of the structured arrays used to define forms,
  * and more detailed explanations of the Form API workflow, see the
- * @link http://api.drupal.org/api/HEAD/file/developer/topics/forms_api_reference.html reference @endlink
- * and the @link http://api.drupal.org/api/HEAD/file/developer/topics/forms_api.html quickstart guide. @endlink
+ * @link http://api.drupal.org/api/file/developer/topics/forms_api_reference.html/5 reference @endlink
+ * and the @link http://api.drupal.org/api/file/developer/topics/forms_api.html/5 quickstart guide. @endlink
  */
 
 /**
@@ -529,10 +530,11 @@
   /* Validate the current input */
   if (!isset($elements['#validated']) || !$elements['#validated']) {
     if (isset($elements['#needs_validation'])) {
-      // An empty textfield returns '' so we use empty(). An empty checkbox
-      // and a textfield could return '0' and empty('0') returns TRUE so we
-      // need a special check for the '0' string.
-      if ($elements['#required'] && empty($elements['#value']) && $elements['#value'] !== '0') {
+      // Make sure a value is passed when the field is required.
+      // A simple call to empty() will not cut it here as some fields, like
+      // checkboxes, can return a valid value of '0'. Instead, check the
+      // length if it's a string, and the item count if it's an array.
+      if ($elements['#required'] && (!count($elements['#value']) || (is_string($elements['#value']) && strlen(trim($elements['#value'])) == 0))) {
         form_error($elements, t('!name field is required.', array('!name' => $elements['#title'])));
       }
 
@@ -1105,7 +1107,7 @@
   return theme('form_element', $element, $element['#children']);
 }
 
-/*
+/**
  * Expand a password_confirm field into two text boxes.
  */
 function expand_password_confirm($element) {
@@ -1263,7 +1265,19 @@
   if (count($element['#options']) > 0) {
     foreach ($element['#options'] as $key => $choice) {
       if (!isset($element[$key])) {
-        $element[$key] = array('#type' => 'radio', '#title' => $choice, '#return_value' => check_plain($key), '#default_value' => $element['#default_value'], '#attributes' => $element['#attributes'], '#parents' => $element['#parents'], '#spawned' => TRUE);
+        // Generate the parents as the autogenerator does, so we will have a
+        // unique id for each radio button.
+        $parents_for_id = array_merge($element['#parents'], array($key));
+        $element[$key] = array(
+          '#type' => 'radio',
+          '#title' => $choice,
+          '#return_value' => check_plain($key),
+          '#default_value' => $element['#default_value'],
+          '#attributes' => $element['#attributes'],
+          '#id' => form_clean_id('edit-'. implode('-', $parents_for_id)),
+          '#parents' => $element['#parents'],
+          '#spawned' => TRUE
+        );
       }
     }
   }
@@ -1429,7 +1443,7 @@
 function theme_form($element) {
   // Anonymous div to satisfy XHTML compliance.
   $action = $element['#action'] ? 'action="' . check_url($element['#action']) . '" ' : '';
-  return '<form '. $action . ' method="'. $element['#method'] .'" '. 'id="'. $element['#id'] .'"'. drupal_attributes($element['#attributes']) .">\n<div>". $element['#children'] ."\n</div></form>\n";
+  return '<form '. $action .' accept-charset="UTF-8" method="'. $element['#method'] .'" '. 'id="'. $element['#id'] .'"'. drupal_attributes($element['#attributes']) .">\n<div>". $element['#children'] ."\n</div></form>\n";
 }
 
 /**
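Review bot: `$element['#method']` and `$element['#id']` are concatenated straight into attribute values on the rewritten `return` line of theme_form, while `#action` goes through check_url() and `#attributes` through drupal_attributes(). The new wrapper id in theme_form_element (`' id="'. $element['#id'] .'-wrapper"'`) repeats the pattern. The radios hunk above now derives `#id` from raw option keys, so whether a quote can reach these attributes depends on what form_clean_id() strips, which is not visible here. Escaping at the point of output removes that dependency, e.g. `'id="'. check_plain($element['#id']) .'"'` here and `' id="'. check_plain($element['#id']) .'-wrapper"'` in theme_form_element.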
@@ -1536,7 +1550,11 @@
  *   A string representing the form element.
  */
 function theme_form_element($element, $value) {
-  $output  = '<div class="form-item">'."\n";
+  $output  = '<div class="form-item"';
+  if (!empty($element['#id'])) {
+    $output .= ' id="'. $element['#id'] .'-wrapper"';
+  }
+  $output .= ">\n";
   $required = !empty($element['#required']) ? '<span class="form-required" title="'. t('This field is required.') .'">*</span>' : '';
 
   if (!empty($element['#title'])) {
diff -Naur drupal-5.2/includes/image.inc drupal-5.23/includes/image.inc
--- drupal-5.2/includes/image.inc	2006-12-26 15:01:41.000000000 +0100
+++ drupal-5.23/includes/image.inc	2007-12-27 09:31:24.000000000 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: image.inc,v 1.17 2006/12/26 14:01:41 dries Exp $
+// $Id: image.inc,v 1.17.2.1 2007/12/27 08:31:24 drumm Exp $
 
 /**
  * Return a list of available toolkits.
@@ -235,7 +235,7 @@
     return FALSE;
   }
 
-  $res = imageCreateTrueColor($width, $height);
+  $res = imagecreatetruecolor($width, $height);
   if ($info['extension'] == 'png') {
     $transparency = imagecolorallocatealpha($res, 0, 0, 0, 127);
     imagealphablending($res, FALSE);
@@ -243,11 +243,29 @@
     imagealphablending($res, TRUE);
     imagesavealpha($res, TRUE);
   }
-  imageCopyResampled($res, $im, 0, 0, 0, 0, $width, $height, $info['width'], $info['height']);
+  elseif ($info['extension'] == 'gif') {
+    // If we have a specific transparent color.
+    $transparency_index = imagecolortransparent($im);
+    if ($transparency_index >= 0) {
+      // Get the original image's transparent color's RGB values.
+      $transparent_color = imagecolorsforindex($im, $transparency_index);
+      // Allocate the same color in the new image resource.
+      $transparency_index = imagecolorallocate($res, $transparent_color['red'], $transparent_color['green'], $transparent_color['blue']);
+      // Completely fill the background of the new image with allocated color.
+      imagefill($res, 0, 0, $transparency_index);
+      // Set the background color for new image to transparent.
+      imagecolortransparent($res, $transparency_index);
+      // Find number of colors in the images palette.
+      $number_colors = imagecolorstotal($im);
+      // Convert from true color to palette to fix transparency issues.
+      imagetruecolortopalette($res, TRUE, $number_colors);
+    }
+  }
+  imagecopyresampled($res, $im, 0, 0, 0, 0, $width, $height, $info['width'], $info['height']);
   $result = image_gd_close($res, $destination, $info['extension']);
 
-  imageDestroy($res);
-  imageDestroy($im);
+  imagedestroy($res);
+  imagedestroy($im);
 
   return $result;
 }
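Review bot: The index returned by `imagecolortransparent($im)` is handed to `imagecolorsforindex()` after checking only that it is non-negative. A GIF can declare a transparent index that lies outside its palette, and if `$im` is loaded from an uploaded file that case should be handled explicitly rather than left to a GD error; the guard could read `if ($transparency_index >= 0 && $transparency_index < imagecolorstotal($im)) {`. The result of `imagecolorallocate()` is also passed on to `imagefill()` without a check for failure. The enclosing function starts above the hunk.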
diff -Naur drupal-5.2/includes/install.inc drupal-5.23/includes/install.inc
--- drupal-5.2/includes/install.inc	2007-02-06 09:20:17.000000000 +0100
+++ drupal-5.23/includes/install.inc	2008-10-05 03:46:57.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: install.inc,v 1.31.2.1 2007/02/06 08:20:17 drumm Exp $
+// $Id: install.inc,v 1.31.2.4 2008/10/05 01:46:57 drumm Exp $
 
 define('SCHEMA_UNINSTALLED', -1);
 define('SCHEMA_INSTALLED', 0);
@@ -33,8 +33,8 @@
  * @param $module
  *   A module name.
  * @return
- *   If the module has updates, an array of available updates. Otherwise,
- *   FALSE.
+ *   If the module has updates, an array of available updates sorted by version.
+ *   Otherwise, FALSE.
  */
 function drupal_get_schema_versions($module) {
   $updates = array();
@@ -50,6 +50,7 @@
   if (count($updates) == 0) {
     return FALSE;
   }
+  sort($updates, SORT_NUMERIC);
   return $updates;
 }
 
@@ -243,7 +244,7 @@
 function drupal_get_install_files($module_list = array()) {
   $installs = array();
   foreach ($module_list as $module) {
-    $installs = array_merge($installs, file_scan_directory('./modules', "^$module.install$", array('.', '..', 'CVS'), 0, TRUE, 'name', 0));
+    $installs = array_merge($installs, drupal_system_listing($module .'.install$', 'modules'));
   }
   return $installs;
 }
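Review bot: The new mask `$module .'.install$'` drops the leading `^` that the old `"^$module.install$"` pattern had, and the `.` before `install` is still an unescaped wildcard. If drupal_system_listing() applies the mask as an unanchored regular expression to file names (its body is not shown here), a module whose name is the tail of another module's name would also pick up the longer module's install file. Anchoring and escaping keeps the match exact: `drupal_system_listing('^'. $module .'\.install$', 'modules')`.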
@@ -571,6 +572,7 @@
 function install_goto($path) {
   global $base_url;
   header('Location: '. $base_url . '/' . $path);
+  header('Cache-Control: no-cache'); // Not a permanent redirect.
   exit();
 }
 
@@ -676,6 +678,7 @@
  */
 function drupal_check_profile($profile) {
   include_once './includes/file.inc';
+  include_once './includes/common.inc';
 
   $profile_file = "./profiles/$profile/$profile.profile";
 
diff -Naur drupal-5.2/includes/locale.inc drupal-5.23/includes/locale.inc
--- drupal-5.2/includes/locale.inc	2007-05-21 02:20:02.000000000 +0200
+++ drupal-5.23/includes/locale.inc	2010-03-04 01:16:02.000000000 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: locale.inc,v 1.105.2.4 2007/05/21 00:20:02 drumm Exp $
+// $Id: locale.inc,v 1.105.2.6 2010/03/04 00:16:02 drumm Exp $
 
 /**
  * @file
@@ -41,6 +41,9 @@
   $options = array();
   $form['name'] = array('#tree' => TRUE);
   foreach ($languages['name'] as $key => $lang) {
+    // Language code should contain no markup, but is emitted
+    // by radio and checkbox options.
+    $key = check_plain($key);
     $options[$key] = '';
     $status = db_fetch_object(db_query("SELECT isdefault, enabled FROM {locales_meta} WHERE locale = '%s'", $key));
     if ($status->enabled) {
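Review bot: `$key = check_plain($key);` overwrites the language code before it is used as the `locale = '%s'` argument of the db_query() two lines later, so the lookup is done with the HTML-escaped form. For a stored code containing `&`, `<`, `>` or a quote, the escaped string will not equal the stored value and `$status` comes back empty. Keeping the raw code for the query and escaping only the option key avoids this, e.g. `$safe_key = check_plain($key); $options[$safe_key] = '';`. The foreach body continues below the hunk, so later uses of `$key` would need the same split between database lookups and output.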
@@ -97,6 +100,14 @@
   return $output;
 }
 
+function _locale_admin_manage_screen_validate($form_id, $form_values) {
+  foreach ($form_values['name'] as $key => $value) {
+    if (preg_match('/["<>\']/', $value)) {
+      form_set_error('name][' . $key, t('The characters &lt;, &gt;, " and \' are not allowed in the language name in English field.'));
+    }
+  }
+}
+
 /**
  * Process locale admin manager form submissions.
  */
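Review bot: `_locale_admin_manage_screen_validate()` is added without a doc comment, although the function after it carries one. A short docblock should say that it rejects `"`, `<`, `>` and `'` in the submitted English language names, and that it covers new submissions only, so names already stored still depend on escaping at output. The same pattern `'/["<>\']/'` is repeated twice more in the langcode and langname checks of the next hunk; one small helper would keep the three checks in step.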
@@ -184,12 +195,22 @@
     form_set_error(t('The language %language (%code) already exists.', array('%language' => $form_values['langname'], '%code' => $form_values['langcode'])));
   }
 
+  // If we are adding a non-custom language, check for a valid langcode.
   if (!isset($form_values['langname'])) {
     $isocodes = _locale_get_iso639_list();
     if (!isset($isocodes[$form_values['langcode']])) {
       form_set_error('langcode', t('Invalid language code.'));
     }
   }
+  // Otherwise, check for invlaid characters
+  else {
+    if (preg_match('/["<>\']/', $form_values['langcode'])) {
+      form_set_error('langcode', t('The characters &lt;, &gt;, " and \' are not allowed in the language code field.'));
+    }
+    if (preg_match('/["<>\']/', $form_values['langname'])) {
+      form_set_error('langname', t('The characters &lt;, &gt;, " and \' are not allowed in the language name in English field.'));
+    }
+  }
 }
 
 /**
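Review bot: The first line of the hunk calls `form_set_error(t('The language %language (%code) already exists.', ...))` with the translated message as its only argument, whereas every other call in this hunk passes the field name first and the message second. If the first parameter is the element name, as those calls suggest, this error is filed under a name equal to the message text and no message is shown; it probably should read `form_set_error('langcode', t('The language %language (%code) already exists.', array(...)));`. The added comment `// Otherwise, check for invlaid characters` also has a typo (`invalid`). The enclosing function starts above the hunk.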
@@ -331,8 +352,14 @@
 function _locale_string_seek_form() {
   // Get *all* languages set up
   $languages = locale_supported_languages(FALSE, TRUE);
-  asort($languages['name']); unset($languages['name']['en']);
-  $languages['name'] = array_map('check_plain', $languages['name']);
+  unset($languages['name']['en']);
+  // Sanitize the values to be used in radios.
+  $languages_name = array();
+  foreach ($languages['name'] as $key => $value) {
+    $languages_name[check_plain($key)] = check_plain($value);
+  }
+  $languages['name'] = $languages_name;
+  asort($languages['name']);
 
   // Present edit form preserving previous user settings
   $query = _locale_string_seek_query();
@@ -526,6 +553,10 @@
 
   while (!feof($fd)) {
     $line = fgets($fd, 10*1024); // A line should not be this long
+    if ($lineno == 0) {
+      // The first line might come with a UTF-8 BOM, which should be removed.
+      $line = str_replace("\xEF\xBB\xBF", '', $line);
+    }
     $lineno++;
     $line = trim(strtr($line, array("\\\n" => "")));
 
diff -Naur drupal-5.2/includes/menu.inc drupal-5.23/includes/menu.inc
--- drupal-5.2/includes/menu.inc	2007-06-17 03:50:50.000000000 +0200
+++ drupal-5.23/includes/menu.inc	2009-07-10 07:56:51.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: menu.inc,v 1.146.2.1 2007/06/17 01:50:50 drumm Exp $
+// $Id: menu.inc,v 1.146.2.3 2009/07/10 05:56:51 drumm Exp $
 
 /**
  * @file
@@ -975,7 +975,7 @@
     $count = 0;
     while ($path && !$count) {
       foreach ($menu['items'] as $key => $item) {
-        if (isset($item['path']) && $item['path'] == $path) {
+        if (isset($item['path']) && ($item['path'] == $path || ($item['path'] == '<front>' && drupal_is_front_page()))) {
           $trails[$count] = array();
           $mid = $key;
           while ($mid && $menu['items'][$mid]) {
@@ -1055,6 +1055,10 @@
   $temp_mid = -1;
 
   foreach ($menu_item_list as $item) {
+    // Protect against D6 style access
+    if (isset($item['access']) && is_array($item['access']) && count($item['access']) == 1 && isset($item['access'][0]) && is_string($item['access'][0])) {
+      $item['access'] = FALSE;
+    }
     if (!isset($item['path'])) {
       $item['path'] = '';
     }
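Review bot: The added guard resets `access` only for an array holding exactly one string at index 0. Any other non-empty array (two permission strings, a non-zero key, a nested array) is left as it is and is presumably treated as truthy by the access checks further down. If `access` is meant to be a boolean in this API, as the comment implies, rejecting every array is simpler and fails closed: `if (isset($item['access']) && is_array($item['access'])) { $item['access'] = FALSE; }`. The identical block is repeated in the hunk at `@@ -1225,6 +1229,10 @@` and the same change applies there; both loops continue outside their hunks.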
@@ -1225,6 +1229,10 @@
   $new_items = array();
 
   foreach ($menu_item_list as $item) {
+    // Protect against D6 style access
+    if (isset($item['access']) && is_array($item['access']) && count($item['access']) == 1 && isset($item['access'][0]) && is_string($item['access'][0])) {
+      $item['access'] = FALSE;
+    }
     if (isset($item['callback'])) {
       $_menu['callbacks'][$item['path']] = array('callback' => $item['callback']);
       if (isset($item['callback arguments'])) {
diff -Naur drupal-5.2/includes/pager.inc drupal-5.23/includes/pager.inc
--- drupal-5.2/includes/pager.inc	2006-10-15 21:57:05.000000000 +0200
+++ drupal-5.23/includes/pager.inc	2009-07-01 22:52:11.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: pager.inc,v 1.59 2006/10/15 19:57:05 dries Exp $
+// $Id: pager.inc,v 1.59.2.1 2009/07/01 20:52:11 drumm Exp $
 
 /**
  * @file
@@ -85,7 +85,7 @@
 function pager_get_querystring() {
   static $string = NULL;
   if (!isset($string)) {
-    $string = drupal_query_string_encode($_REQUEST, array_merge(array('q', 'page'), array_keys($_COOKIE)));
+    $string = drupal_query_string_encode($_REQUEST, array_merge(array('q', 'page', 'pass'), array_keys($_COOKIE)));
   }
   return $string;
 }
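Review bot: Adding `'pass'` to the exclusion list covers one field name, but `$_REQUEST` still carries every other POSTed value, so any other sensitive field submitted to a paged listing is still copied into the pager links. The same one-name addition is made in tablesort_get_querystring() in includes/tablesort.inc. Consider building the query string from `$_GET` only, or sharing one list of excluded keys between the two functions so they cannot drift apart. As a minimum, a comment such as `// 'pass' is excluded so a posted password is never echoed into link URLs.` would record why the key is there.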
diff -Naur drupal-5.2/includes/session.inc drupal-5.23/includes/session.inc
--- drupal-5.2/includes/session.inc	2007-07-26 21:16:45.000000000 +0200
+++ drupal-5.23/includes/session.inc	2010-03-04 01:16:02.000000000 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: session.inc,v 1.37.2.2 2007/07/26 19:16:45 drumm Exp $
+// $Id: session.inc,v 1.37.2.8 2010/03/04 00:16:02 drumm Exp $
 
 /**
  * @file
@@ -31,8 +31,9 @@
   // Otherwise, if the session is still active, we have a record of the client's session in the database.
   $user = db_fetch_object(db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = '%s'", $key));
 
-  // We found the client's session record and they are an authenticated user
-  if ($user && $user->uid > 0) {
+  // We found the client's session record and they are an authenticated,
+  // active user.
+  if ($user && $user->uid > 0 && $user->status == 1) {
     // This is done to unserialize the data member of $user
     $user = drupal_unpack($user);
 
@@ -44,8 +45,9 @@
       $user->roles[$role->rid] = $role->name;
     }
   }
-  // We didn't find the client's record (session has expired), or they are an anonymous user.
-  else  {
+  // We didn't find the client's record (session has expired), or they are
+  // blocked, or they are an anonymous user.
+  else {
     $session = isset($user->session) ? $user->session : '';
     $user = drupal_anonymous_user($session);
   }
@@ -57,30 +59,26 @@
   global $user;
 
   // If saving of session data is disabled or if the client doesn't have a session,
-  // and one isn't being created ($value), do nothing.
-  if (!session_save_session() || (empty($_COOKIE[session_name()]) && empty($value))) {
+  // and one isn't being created ($value), do nothing. This keeps crawlers out of
+  // the session table. This reduces memory and server load, and gives more useful
+  // statistics. We can't eliminate anonymous session table rows without breaking
+  // the throttle module and the "Who's Online" block.
+  if (!session_save_session() || ($user->uid == 0 && empty($_COOKIE[session_name()]) && empty($value))) {
     return TRUE;
   }
 
-  $result = db_query("SELECT sid FROM {sessions} WHERE sid = '%s'", $key);
-
-  if (!db_num_rows($result)) {
-    // Only save session data when when the browser sends a cookie. This keeps
-    // crawlers out of session table. This reduces memory and server load,
-    // and gives more useful statistics. We can't eliminate anonymous session
-    // table rows without breaking throttle module and "Who's Online" block.
-    if ($user->uid || $value || count($_COOKIE)) {
-      db_query("INSERT INTO {sessions} (sid, uid, cache, hostname, session, timestamp) VALUES ('%s', %d, %d, '%s', '%s', %d)", $key, $user->uid, $user->cache, $_SERVER["REMOTE_ADDR"], $value, time());
-    }
-  }
-  else {
-    db_query("UPDATE {sessions} SET uid = %d, cache = %d, hostname = '%s', session = '%s', timestamp = %d WHERE sid = '%s'", $user->uid, $user->cache, $_SERVER["REMOTE_ADDR"], $value, time(), $key);
-
+  db_query("UPDATE {sessions} SET uid = %d, cache = %d, hostname = '%s', session = '%s', timestamp = %d WHERE sid = '%s'", $user->uid, isset($user->cache) ? $user->cache : '', $_SERVER["REMOTE_ADDR"], $value, time(), $key);
+  if (db_affected_rows()) {
     // TODO: this can be an expensive query. Perhaps only execute it every x minutes. Requires investigation into cache expiration.
     if ($user->uid) {
       db_query("UPDATE {users} SET access = %d WHERE uid = %d", time(), $user->uid);
     }
   }
+  else {
+    // If this query fails, another parallel request probably got here first.
+    // In that case, any session data generated in this request is discarded.
+    @db_query("INSERT INTO {sessions} (sid, uid, cache, hostname, session, timestamp) VALUES ('%s', %d, %d, '%s', '%s', %d)", $key, $user->uid, isset($user->cache) ? $user->cache : '', $_SERVER["REMOTE_ADDR"], $value, time());
+  }
 
   return TRUE;
 }
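Review bot: `@db_query("INSERT INTO {sessions} ...")` suppresses every failure of the insert, not only the parallel-request race the comment describes, so a genuine database fault at this point silently discards the session. Checking the return value and logging an unexpected failure would keep the race tolerated without hiding real errors. Separately, both queries pass `isset($user->cache) ? $user->cache : ''` to a `%d` placeholder; `isset($user->cache) ? $user->cache : 0` states the intended default directly. The function's signature is above the hunk.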
@@ -163,8 +161,8 @@
  *
  * @param $status
  *   Disables writing of session data when FALSE, (re-)enables writing when TRUE.
- *
- * @return FALSE if writing session data has been disabled. Otherwise, TRUE.
+ * @return
+ *   FALSE if writing session data has been disabled. Otherwise, TRUE.
  */
 function session_save_session($status = NULL) {
   static $save_session = TRUE;
diff -Naur drupal-5.2/includes/tablesort.inc drupal-5.23/includes/tablesort.inc
--- drupal-5.2/includes/tablesort.inc	2007-06-17 00:29:25.000000000 +0200
+++ drupal-5.23/includes/tablesort.inc	2009-07-01 22:52:11.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: tablesort.inc,v 1.43.2.1 2007/06/16 22:29:25 drumm Exp $
+// $Id: tablesort.inc,v 1.43.2.2 2009/07/01 20:52:11 drumm Exp $
 
 /**
  * @file
@@ -131,7 +131,7 @@
  *   except for those pertaining to table sorting.
  */
 function tablesort_get_querystring() {
-  return drupal_query_string_encode($_REQUEST, array_merge(array('q', 'sort', 'order'), array_keys($_COOKIE)));
+  return drupal_query_string_encode($_REQUEST, array_merge(array('q', 'sort', 'order', 'pass'), array_keys($_COOKIE)));
 }
 
 /**
diff -Naur drupal-5.2/includes/theme.inc drupal-5.23/includes/theme.inc
--- drupal-5.2/includes/theme.inc	2007-05-31 07:52:42.000000000 +0200
+++ drupal-5.23/includes/theme.inc	2009-05-13 21:41:56.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: theme.inc,v 1.337.2.2 2007/05/31 05:52:42 drumm Exp $
+// $Id: theme.inc,v 1.337.2.9 2009/05/13 19:41:56 drumm Exp $
 
 /**
  * @file
@@ -8,7 +8,7 @@
  * The theme system allows for nearly all output of the Drupal system to be
  * customized by user themes.
  *
- * @see <a href="http://drupal.org/node/253">Theme system</a>
+ * @see <a href="http://drupal.org/node/171179">Theme guide</a>
  * @see themeable
  */
 
@@ -42,7 +42,8 @@
 
   // Only select the user selected theme if it is available in the
   // list of enabled themes.
-  $theme = $user->theme && $themes[$user->theme]->status ? $user->theme : variable_get('theme_default', 'garland');
+  $theme = !empty($user->theme) && !empty($themes[$user->theme]->status) ? $user->theme : variable_get('theme_default', 'garland');
+
 
   // Allow modules to override the present theme... only select custom theme
   // if it is available in the list of installed themes.
@@ -167,7 +168,12 @@
     $functions[$function] = theme_get_function($function);
   }
   if ($functions[$function]) {
-    return call_user_func_array($functions[$function], $args);
+    $output = call_user_func_array($functions[$function], $args);
+    // Add final markup to the full page.
+    if ($function == 'page' || $function == 'book_export_html') {
+      $output = drupal_final_markup($output);
+    }
+    return $output;
   }
 }
 
@@ -544,16 +550,14 @@
     $i = 1;
 
     foreach ($links as $key => $link) {
-      $class = '';
+      $class = $key;
 
       // Automatically add a class to each link and also to each LI
       if (isset($link['attributes']) && isset($link['attributes']['class'])) {
         $link['attributes']['class'] .= ' ' . $key;
-        $class = $key;
       }
       else {
         $link['attributes']['class'] = $key;
-        $class = $key;
       }
 
       // Add first and last classes to the list of links to help out themers.
@@ -564,7 +568,7 @@
       if ($i == $num_links) {
         $extra_class .= 'last ';
       }
-      $output .= '<li class="'. $extra_class . $class .'">';
+      $output .= '<li '. drupal_attributes(array('class' => $extra_class . $class)) .'>';
 
       // Is the title HTML?
       $html = isset($link['html']) && $link['html'];
@@ -765,17 +769,20 @@
   // Format the table header:
   if (count($header)) {
     $ts = tablesort_init($header);
-    $output .= ' <thead><tr>';
+    // HTML requires that the thead tag has tr tags in it follwed by tbody
+    // tags. Using ternary operator to check and see if we have any rows.
+    $output .= (count($rows) ? ' <thead><tr>' : ' <tr>');
     foreach ($header as $cell) {
       $cell = tablesort_header($cell, $header, $ts);
       $output .= _theme_table_cell($cell, TRUE);
     }
-    $output .= " </tr></thead>\n";
+    // Using ternary operator to close the tags based on whether or not there are rows
+    $output .= (count($rows) ? " </tr></thead>\n" : "</tr>\n");
   }
 
   // Format the table rows:
-  $output .= "<tbody>\n";
   if (count($rows)) {
+    $output .= "<tbody>\n";
     $flip = array('even' => 'odd', 'odd' => 'even');
     $class = 'even';
     foreach ($rows as $number => $row) {
@@ -814,9 +821,10 @@
       }
       $output .= " </tr>\n";
     }
+    $output .= "</tbody>\n";
   }
 
-  $output .= "</tbody></table>\n";
+  $output .= "</table>\n";
   return $output;
 }
 
@@ -920,10 +928,10 @@
  *   All other elements are treated as attributes of the list item element.
  * @param $title
  *   The title of the list.
- * @param $attributes
- *   The attributes applied to the list element.
  * @param $type
  *   The type of list to return (e.g. "ul", "ol")
+ * @param $attributes
+ *   The attributes applied to the list element.
  * @return
  *   A string containing the list output.
  */
diff -Naur drupal-5.2/includes/xmlrpc.inc drupal-5.23/includes/xmlrpc.inc
--- drupal-5.2/includes/xmlrpc.inc	2007-04-19 04:05:15.000000000 +0200
+++ drupal-5.23/includes/xmlrpc.inc	2008-10-02 00:01:17.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: xmlrpc.inc,v 1.38.2.1 2007/04/19 02:05:15 drumm Exp $
+// $Id: xmlrpc.inc,v 1.38.2.5 2008/10/01 22:01:17 drumm Exp $
 
 /*
   Drupal XML-RPC library. Based on the IXR - The Incutio XML-RPC Library - (c) Incutio Ltd 2002-2005
@@ -343,7 +343,7 @@
 }
 
 
-function xmlrpc_error($code = NULL, $message = NULL) {
+function xmlrpc_error($code = NULL, $message = NULL, $reset = FALSE) {
   static $xmlrpc_error;
   if (isset($code)) {
     $xmlrpc_error = new stdClass();
@@ -351,6 +351,9 @@
     $xmlrpc_error->code = $code;
     $xmlrpc_error->message = $message;
   }
+  elseif ($reset) {
+    $xmlrpc_error = NULL;
+  }
   return $xmlrpc_error;
 }
 
@@ -387,15 +390,16 @@
     $xmlrpc_date->hour = date('H', $time);
     $xmlrpc_date->minute = date('i', $time);
     $xmlrpc_date->second = date('s', $time);
-    $xmlrpc_date->iso8601 = date('Ymd\TH:i:s');
+    $xmlrpc_date->iso8601 = date('Ymd\TH:i:s', $time);
   }
   else {
+    $time = str_replace(array('-', ':'), '', $time);
     $xmlrpc_date->year = substr($time, 0, 4);
     $xmlrpc_date->month = substr($time, 4, 2);
     $xmlrpc_date->day = substr($time, 6, 2);
     $xmlrpc_date->hour = substr($time, 9, 2);
-    $xmlrpc_date->minute = substr($time, 12, 2);
-    $xmlrpc_date->second = substr($time, 15, 2);
+    $xmlrpc_date->minute = substr($time, 11, 2);
+    $xmlrpc_date->second = substr($time, 13, 2);
     $xmlrpc_date->iso8601 = $time;
   }
   return $xmlrpc_date;
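Review bot: In the string branch, `$xmlrpc_date->iso8601 = $time;` now stores the value after `str_replace()` has removed `-` and `:`, so it holds the compact `YYYYMMDDTHHMMSS` form, while the timestamp branch produces `date('Ymd\TH:i:s', $time)` with colons. Callers that read `iso8601` get two different formats depending on the input type. Rebuilding it from the parsed fields keeps both branches alike: `$xmlrpc_date->iso8601 = $xmlrpc_date->year . $xmlrpc_date->month . $xmlrpc_date->day .'T'. $xmlrpc_date->hour .':'. $xmlrpc_date->minute .':'. $xmlrpc_date->second;`. The `substr()` offsets also assume the input is long enough and nothing in the hunk checks its length or shape. The function starts above the hunk.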
@@ -426,6 +430,7 @@
 function _xmlrpc() {
   $args = func_get_args();
   $url = array_shift($args);
+  xmlrpc_clear_error();
   if (is_array($args[0])) {
     $method = 'system.multicall';
     $multicall_args = array();
@@ -474,3 +479,10 @@
   $error = xmlrpc_error();
   return $error->message;
 }
+
+/**
+ * Clears any previous error.
+ */
+function xmlrpc_clear_error() {
+  xmlrpc_error(NULL, NULL, TRUE);
+}
\ No newline at end of file
diff -Naur drupal-5.2/includes/xmlrpcs.inc drupal-5.23/includes/xmlrpcs.inc
--- drupal-5.2/includes/xmlrpcs.inc	2006-07-05 13:45:51.000000000 +0200
+++ drupal-5.23/includes/xmlrpcs.inc	2008-05-10 03:53:33.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: xmlrpcs.inc,v 1.21 2006/07/05 11:45:51 dries Exp $
+// $Id: xmlrpcs.inc,v 1.21.2.1 2008/05/10 01:53:33 drumm Exp $
 
 /**
  * The main entry point for XML-RPC requests.
@@ -149,7 +149,7 @@
   }
   // Has this method been mapped to a Drupal function by us or by modules?
   if (!isset($xmlrpc_server->callbacks[$methodname])) {
-    return xmlrpc_error(-32601, t('Server error. Requested method %methodname not specified.', array("%methodname" => $xmlrpc_server->message->methodname)));
+    return xmlrpc_error(-32601, t('Server error. Requested method @methodname not specified.', array("@methodname" => $xmlrpc_server->message->methodname)));
   }
   $method = $xmlrpc_server->callbacks[$methodname];
   $signature = $xmlrpc_server->signatures[$methodname];
@@ -208,7 +208,7 @@
   }
   */
   if (!function_exists($method)) {
-    return xmlrpc_error(-32601, t('Server error. Requested function %method does not exist.', array("%method" => $method)));
+    return xmlrpc_error(-32601, t('Server error. Requested function @method does not exist.', array("@method" => $method)));
   }
   // Call the mapped function
   return call_user_func_array($method, $args);
@@ -293,10 +293,10 @@
 function xmlrpc_server_method_signature($methodname) {
   $xmlrpc_server = xmlrpc_server_get();
   if (!isset($xmlrpc_server->callbacks[$methodname])) {
-    return xmlrpc_error(-32601, t('Server error. Requested method %methodname not specified.', array("%methodname" => $methodname)));
+    return xmlrpc_error(-32601, t('Server error. Requested method @methodname not specified.', array("@methodname" => $methodname)));
   }
   if (!is_array($xmlrpc_server->signatures[$methodname])) {
-    return xmlrpc_error(-32601, t('Server error. Requested method %methodname signature not specified.', array("%methodname" => $methodname)));
+    return xmlrpc_error(-32601, t('Server error. Requested method @methodname signature not specified.', array("@methodname" => $methodname)));
   }
   // We array of types
   $return = array();
@@ -315,4 +315,4 @@
 function xmlrpc_server_method_help($method) {
   $xmlrpc_server = xmlrpc_server_get();
   return $xmlrpc_server->help[$method];
-}
\ No newline at end of file
+}
diff -Naur drupal-5.2/install.php drupal-5.23/install.php
--- drupal-5.2/install.php	2007-07-12 08:53:03.000000000 +0200
+++ drupal-5.23/install.php	2008-07-09 23:48:41.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: install.php,v 1.34.2.2 2007/07/12 06:53:03 drumm Exp $
+// $Id: install.php,v 1.34.2.5 2008/07/09 21:48:41 drumm Exp $
 
 require_once './includes/install.inc';
 
@@ -15,9 +15,10 @@
  *   The installation phase we should proceed to.
  */
 function install_main() {
-  global $profile, $install_locale;
   require_once './includes/bootstrap.inc';
   drupal_bootstrap(DRUPAL_BOOTSTRAP_CONFIGURATION);
+  // This must go after drupal_bootstrap(), which unsets globals!
+  global $profile, $install_locale;
   require_once './modules/system/system.install';
   require_once './includes/file.inc';
 
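Review bot: The new comment in `install_main()` says the `global` statement must follow `drupal_bootstrap()` but not what goes wrong otherwise, which makes the ordering easy to undo in a later clean-up. As far as can be inferred from the comment, a binding made before the bootstrap would keep referring to the old variables after they are unset, and with register_globals enabled those could hold request-supplied values. I would spell that out, for example `// Bind after drupal_bootstrap(): it unsets globals, and an earlier binding would keep the discarded (possibly request-supplied) values.` The rest of `install_main()` lies outside this hunk, so whether `$profile` and `$install_locale` are validated before use cannot be checked from here.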
@@ -152,6 +153,15 @@
   include_once './includes/form.inc';
   drupal_maintenance_theme();
 
+  // Don't fill in placeholders
+  if ($db_url == 'mysql://username:password@localhost/databasename') {
+    $db_user = $db_pass = $db_path = '';
+  }
+  elseif (!empty($db_url)) {
+    // Do not install over a configured settings.php.
+    install_already_done_error();
+  }
+
   // The existing database settings are not working, so we need write access
   // to settings.php to change them.
   if (!drupal_verify_install_file($settings_file, FILE_EXIST|FILE_READABLE|FILE_WRITABLE)) {
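Review bot: The new `elseif (!empty($db_url))` branch protects a configured `settings.php` only if `install_already_done_error()` never returns, because the call is followed by neither `return` nor `exit`. A function later in this file that prints the "Drupal already installed" page does end in `exit;`, and that is presumably this helper. The dependency is invisible at the call site, though, and if the helper ever returned, execution would fall through to the settings form. I would make it explicit with `install_already_done_error(); // Terminates the request; must not fall through.` or an `exit;` on the next line. The enclosing function starts and ends outside this hunk.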
@@ -162,10 +172,6 @@
     exit;
   }
 
-  // Don't fill in placeholders
-  if ($db_url == 'mysql://username:password@localhost/databasename') {
-    $db_user = $db_pass = $db_path = '';
-  }
   $output = drupal_get_form('install_settings_form', $profile, $install_locale, $settings_file, $db_url, $db_type, $db_prefix, $db_user, $db_pass, $db_host, $db_port, $db_path);
   drupal_set_title(st('Database configuration'));
   print theme('install_page', $output);
@@ -506,7 +512,7 @@
 
   drupal_maintenance_theme();
   drupal_set_title(st('Drupal already installed'));
-  print theme('install_page', st('<ul><li>To start over, you must empty your existing database.</li><li>To install to a different database, edit the appropriate <em>settings.php</em> file in the <em>sites</em> folder.</li><li>To upgrade an existing installation, proceed to the <a href="@base-url/update.php">update script</a>.</li></ul>', array('@base-url' => $base_url)));
+  print theme('install_page', st('<ul><li>To start over, you must empty your existing database and replace the appropriate <em>settings.php</em> with an unmodified copy.</li><li>To install to a different database, edit the appropriate <em>settings.php</em> file in the <em>sites</em> folder.</li><li>To upgrade an existing installation, proceed to the <a href="@base-url/update.php">update script</a>.</li></ul>', array('@base-url' => $base_url)));
   exit;
 }
 
diff -Naur drupal-5.2/misc/drupal.js drupal-5.23/misc/drupal.js
--- drupal-5.2/misc/drupal.js	2007-07-16 01:07:06.000000000 +0200
+++ drupal-5.23/misc/drupal.js	2009-02-26 07:46:48.000000000 +0100
@@ -1,4 +1,4 @@
-// $Id: drupal.js,v 1.29.2.1 2007/07/15 23:07:06 drumm Exp $
+// $Id: drupal.js,v 1.29.2.3 2009/02/26 06:46:48 drumm Exp $
 
 var Drupal = Drupal || {};
 
@@ -12,8 +12,8 @@
  */
 Drupal.extend = function(obj) {
   for (var i in obj) {
-    if (this[i]) {
-      Drupal.extend.apply(this[i], [obj[i]]);
+    if (this[i] && (typeof(this[i]) == 'function' || typeof(this[i]) == 'object')) {
+   	  Drupal.extend.apply(this[i], [obj[i]]);
     }
     else {
       this[i] = obj[i];
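Review bot: The added guard in `Drupal.extend` checks only the type of the target `this[i]`; the source `obj[i]` still goes into the recursive call unchecked. When the target is an object and the source is a primitive, the recursion iterates over a non-object and the existing value is never replaced. Checking the source as well, `if (this[i] && obj[i] && typeof(obj[i]) == 'object' && (typeof(this[i]) == 'function' || typeof(this[i]) == 'object')) {`, sends that case to the plain assignment branch. The rewritten `Drupal.extend.apply` line is also indented with a tab among spaces, unlike the rest of the file.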
@@ -202,5 +202,5 @@
 
 // Global Killswitch on the <html> element
 if (Drupal.jsEnabled) {
-  document.documentElement.className = 'js';
+  $(document.documentElement).addClass('js');
 }
diff -Naur drupal-5.2/misc/favicon.ico drupal-5.23/misc/favicon.ico
--- drupal-5.2/misc/favicon.ico	2006-10-29 14:17:37.000000000 +0100
+++ drupal-5.23/misc/favicon.ico	2007-09-21 13:23:46.000000000 +0200
@@ -1 +1,3 @@
-         h     (                                    ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ Ç´”j¤F¹”hç£~=é¶—f½Ì¸˜pÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÙÎºD•hàŠS ýˆN ýµ’XýÁ£pý´Sý½›bý°ˆEåÖÇ²Lÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ØË¶H’]ø“[ý¥{5ý©‚>ý“`ý[ýŸr&ýŸr&ý˜hý múØÊµPÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ±y Þ·n ýÛº„ýÿÿÿýÿÿÿýðèÜý¾Ÿlý³Sý±ŒOý¦|6ýôðçýæÝÐåÿÿÿ ÿÿÿ ÿÿÿ Ë³Žp¾u ý»r ýñáÉýÿÿÿýÿÿÿýÿÿÿýÿÿÿýâÖÂý¾ oýôîåýÿÿÿýÿÿÿýÑÂ¨uÿÿÿ ÿÿÿ ¸‹B½¾u ý·l ýß½ˆýÿÿÿýÿÿÿýÿÿÿýÿýûýáÄ“ý­7ýË´ŽýýüúýÿÿÿýÂ©Áÿÿÿ ÿÿÿ °ué½u ý¹q ý»týÛ·}ýñâÊýêÔ°ýÊ“:ý·k ý²j ý‘U ý§€?ýÊ±†ý›n&éÿÿÿ ÿÿÿ ±xã½u ýºs ý¹q ý¶k ý¸p ý·m ý·m ýºs ý¼t ý¹r ý’X ý†N ý”gàÿÿÿ ÿÿÿ »“R­½s ý¹q ýºs ýºs ýºr ýºs ýºs ýºs ýºs ý½t ý²n ýZ ý«ŠT«ÿÿÿ ÿÿÿ ÓÁ¤ZÃƒý¼vý·m ý¹r ýºs ýºs ýºs ýºs ýºs ýºs ý¼t ýš` ýÏ¿¦Wÿÿÿ ÿÿÿ ÿÿÿ Ðº•ÇöäÈýÎ›Gý¹p ý¹p ýºs ýºs ýºs ýºs ýºs ý¿v ý¬€:Åÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ éãØ(äÝÑãÿÿÿýäÅ“ý¼wý¸p ýºs ýºs ýºs ý¿v ý´xççßÒ+ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÖÈ³½ÿÿÿýíÕ¯ý¼vý¹q ý¾u ý½u ý´€,ÓæÝÐ.ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÚÏ¼Rá×ÇÝÔ¢Rýºo ýµ‚.ÐÐ¼œbÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ Ï®wí¼–Z¥ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÐÀ¦^ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ü?  ð  à  À  À  €  €  €  €  À  À  à  ð  ü?  þ  ÿÿ  
\ No newline at end of file
+         h  &          ¨  Ž  (                                                     }N ‹W zX ²‹W å™l!ï¢y6Î^˜„R "                            ‹W G‰V àŽY ÿŽY ÿ¶”[ÿÄ©{ÿ±PÿÁ¥uÿ¤|6ôˆU z                    ŠV CŽX üŽZÿ¡v-ÿ¦|7ÿŽY ÿ•cÿªƒAÿŸs(ÿ™jÿ“aÿ“ez            —^ +£e õ·q ÿÛ¹‚ÿÿÿÿÿÿÿÿÿìãÕÿ¾ nÿ®ˆJÿºšdÿ¡u,ÿíåØÿïèÝýu19        ¡d «ºs ÿºs ÿôêÚÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ÷óîÿÓ¾œÿûùöÿÿÿÿÿÿÿÿÿ»lµ        ªj âºs ÿºs ÿÜ¹ÿÿÿÿÿÿÿÿÿÿÿÿÿþþþÿâÊ¤ÿ¨{2ÿÌ´Œÿûù÷ÿÿÿÿÿÆ­„ß        ®l ýºs ÿºs ÿ¼x
+ÿÖ¬hÿíÛ¾ÿÜ¹€ÿÂ„ ÿºs ÿ¶q ÿ™_ ÿ™iÿÁ¤tÿ’bò        ­k üºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿ¸r ÿ–] ÿŽY ÿ‹W â        ©h éºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿ²n ÿY ÿ‹W ·         c ¼ºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿ›` ÿ‡T ‡        ”\ Ø¶~ýâÃ‘ÿÁ‚ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿš_ íP             ½“N’ùôëÿøðäÿÒ£Wÿºsÿºs ÿºs ÿºs ÿºs ÿºs ÿ±n ÿ—^ p                    ·IcðãÏþüùóÿß»„ÿºs ÿºs ÿºs ÿºs ÿ®l ýš_ m                            •\ Ì«uåóèÖÿÄˆ'ÿºs ÿ´o ÿ£e Ï—] /                                        ¬z,Úµyÿ«i ÷˜^ =                                                    ªw#è–] 5                            ü  ð  à  À  €  €  €  €  €  €  À  À  ð  ø  ü  þÿ  (       @                              ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ‚Q GƒR ›ˆU ÃˆU ÝˆU ó†T ùƒR ë€P áO ÀO |Q ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ uI O ‡T ÚŒW ÿŽY ÿŽY ÿŽY ÿŽY ÿžq&ÿ»›fÿ¼œhÿ»œgÿ¤{7ÿˆVó„R  ‚Q ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ‚Q +€P ÞŠV ÿŽY ÿŽY ÿŽY ÿŽY ÿ¢v.ÿãÕÀÿëâÓÿ×Å¦ÿË³‹ÿÐº–ÿßÑ¹ÿëáÒÿÆ«ÿŠXóƒR uÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ƒR ^†S ïX ÿŽY ÿŽY ÿŽY ÿŽY ÿŽY ÿœm ÿ°‹NÿŽY ÿŽY ÿŽY ÿŽY ÿŽY ÿ\ÿ¶”\ÿ™jÿ‹W ÿƒR «Q ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ƒR ZŠV ùŽY ÿŽY ÿŽY ÿŽY ÿŽY ÿŽY ÿŽY ÿŽY ÿŽY ÿŽY ÿŽZÿŽY ÿŽY ÿŽY ÿŽY ÿŽYÿŽY ÿŽY ÿX ÿƒR ©ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ †T 5ŠV ïZ ÿ–] ÿ”\ ÿ–dÿ¾ nÿÎ·‘ÿÒ½›ÿºšdÿp$ÿŽY ÿŽY ÿ«„CÿØÆ¨ÿo#ÿ‘^ÿºšeÿ½žkÿŽY ÿŽY ÿ¥{5ÿ·–aÿˆY‹ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ‚Q ’Z à²n ÿ¹r ÿºs ÿÀÿ÷îâÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿßÐ·ÿ¤y2ÿŽY ÿ«ƒBÿã×ÂÿïçÛÿÚÉ­ÿ“`ÿŽY ÿ¹™cÿûúøÿÿÿÿÿ×Æªû€P (ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ —] ´¸r ÿºs ÿºs ÿºs ÿåÊŸÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿþþþÿØÅ§ÿškÿŽY ÿŽY ÿŽY ÿŽYÿÍ¶ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ«‰RÆÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ŽY §h úºs ÿºs ÿºs ÿºs ÿóèÖÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿûùöÿÉ°‡ÿ t*ÿškÿÙÇªÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÖÄ§ýQ 
ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ”[ €·q ÿºs ÿºs ÿºs ÿºs ÿòåÐÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿþýýÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿñêàÿ‚Q ‚ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ œa Öºs ÿºs ÿºs ÿºs ÿºs ÿß¿ŒÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿèÜÉÿ¸—`ÿ®‰JÿÙÇªÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿýüûÿ…S¾ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ¥f îºs ÿºs ÿºs ÿºs ÿºs ÿ¾|ÿ÷ïâÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿüúöÿØ±qÿ¹sÿ d ÿŽY ÿŽY ÿ­‡GÿïèÜÿÿÿÿÿÿÿÿÿÿÿÿÿêáÑÿ‡T Ùÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ¨g úºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿÆ‹-ÿòåÑÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿèÑ­ÿÂ„ ÿºs ÿºs ÿºs ÿªj ÿZ ÿŽY ÿ[ÿ¹™cÿñêàÿþþþÿ»›fÿ‡T ëÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ªh ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿ»uÿÑ¢Vÿß¿ŒÿäÉÿÖ¬hÿÆ‹-ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿ²n ÿ”\ ÿŽY ÿŽY ÿ\ÿ–fÿŽY ÿ‡T ûÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ¥f þºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿµp ÿ’[ ÿŽY ÿŽY ÿŽY ÿŽY ÿ…S ðÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ a úºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿ±m ÿZ ÿŽY ÿŽY ÿŽY ÿƒR äÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ —] òºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿ©i ÿŽY ÿŽY ÿŽY ÿQ Óÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ •\ Éºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿ¹r ÿ”\ ÿŽY ÿŽY ÿQ ™ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ “[ `²n ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿ£e ÿŽY ÿŠV ÿ‚Q 9ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ š_ ï¿|ÿÁÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿ®l ÿŽY ÿ‚Q Éÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ “[ QÔ¬kÿåÈ™ÿÝ¸{ÿË•>ÿºtÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿ¯l ÿ‰V ø€P :ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ¸‹AÞþþþÿùôêÿîÚ»ÿÜ¸}ÿÅˆ'ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿ¬j ÿ…S œÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ”\ ÞÅ›ýþþþÿÿÿÿÿû÷ðÿéÐ§ÿÓ¤Xÿºtÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿžb ñ†T 
ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ “[ 6×ºŠüþþþÿÿÿÿÿþýûÿîÛ¼ÿÚ²rÿ¾{ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿ¬k û”\ Uÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ “[ (Ì¬wúþþýÿÿÿÿÿÿÿÿÿôèÔÿß½‡ÿ¿~ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿ¥f ø–] 9ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ”\ ¯ƒ;ÜóèØÿÿÿÿÿÿÿÿÿùóèÿÞº‚ÿ¼wÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿºs ÿ¶p ÿœa é‘Z ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ —a	mË«yúüúöÿÿÿÿÿòåÎÿÐŸPÿºs ÿºs ÿºs ÿºs ÿºs ÿ·q ÿ¡c ù”\ Ÿÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ¤s$¶çÕ·ÿôéÖÿÖªdÿºs ÿºs ÿºs ÿ¸q ÿ¢d ú”\ ¨”\ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ “[ %Æ¤lõ÷ðäÿ½zÿºs ÿ®l ÿ–] ¶–\ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ “\ ßÈ¤ýÑ¢Vÿ¯l ÿ–] šÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ »“Sâ¾‡.ÿ–] ¤ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ –`
+——_¯ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿÿÿ ÿðÿÿÀÿÿ  ÿþ  ?ü  ø  ð  à  à  À  À  À  À  À  À  À  À  À  à  à  ð  ð  ø  ü  ?þ  ÿ  ÿÿÀÿÿàÿÿøÿÿü?ÿÿüÿÿüÿÿ
\ No newline at end of file
diff -Naur drupal-5.2/modules/aggregator/aggregator.info drupal-5.23/modules/aggregator/aggregator.info
--- drupal-5.2/modules/aggregator/aggregator.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/aggregator/aggregator.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/aggregator/aggregator.module drupal-5.23/modules/aggregator/aggregator.module
--- drupal-5.2/modules/aggregator/aggregator.module	2007-07-09 05:38:22.000000000 +0200
+++ drupal-5.23/modules/aggregator/aggregator.module	2008-04-28 09:41:23.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: aggregator.module,v 1.324.2.1 2007/07/09 03:38:22 drumm Exp $
+// $Id: aggregator.module,v 1.324.2.3 2008/04/28 07:41:23 drumm Exp $
 
 /**
  * @file
@@ -51,11 +51,14 @@
       'callback arguments' => array('aggregator_form_category'),
       'access' => $edit,
       'type' => MENU_LOCAL_TASK);
-    $items[] = array('path' => 'admin/content/aggregator/remove',
+    $items[] = array(
+      'path' => 'admin/content/aggregator/remove',
       'title' => t('Remove items'),
-      'callback' => 'aggregator_admin_remove_feed',
+      'callback' => 'drupal_get_form',
+      'callback arguments' => array('aggregator_admin_remove_feed'),
       'access' => $edit,
-      'type' => MENU_CALLBACK);
+      'type' => MENU_CALLBACK,
+    );
     $items[] = array('path' => 'admin/content/aggregator/update',
       'title' => t('Update items'),
       'callback' => 'aggregator_admin_refresh_feed',
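Review bot: The adjacent `admin/content/aggregator/update` item still maps its path straight to `aggregator_admin_refresh_feed`, so only the remove action gains a confirmation form. Refreshing is much less destructive than removing items, but it is still an action triggered simply by requesting a URL, and it presumably causes the server to fetch the remote feed. If that is intentional, a short comment on the item would record the decision, for example `// Refresh is idempotent and non-destructive; no confirmation form needed.` Otherwise it could follow the same `drupal_get_form` pattern used for removal. The menu hook's body starts and ends outside this hunk.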
@@ -342,7 +345,7 @@
   if ($form_values['op'] == t('Submit')) {
     // Check for duplicate titles
     if (isset($form_values['cid'])) {
-      $category = db_fetch_object(db_query("SELECT cid FROM {aggregator_category} WHERE title = '%s' AND cid != %d", $form_values['title'], $form_values['cid']));
+      $category = db_fetch_object(db_query("SELECT cid FROM {aggregator_category} WHERE title = '%s' AND cid <> %d", $form_values['title'], $form_values['cid']));
     }
     else {
       $category = db_fetch_object(db_query("SELECT cid FROM {aggregator_category} WHERE title = '%s'", $form_values['title']));
@@ -473,10 +476,10 @@
   if ($form_values['op'] == t('Submit')) {
     // Check for duplicate titles
     if (isset($form_values['fid'])) {
-      $result = db_query("SELECT title, url FROM {aggregator_feed} WHERE (title = '%s' OR url='%s') AND fid != %d", $form_values['title'], $form_values['url'], $form_values['fid']);
+      $result = db_query("SELECT title, url FROM {aggregator_feed} WHERE (title = '%s' OR url = '%s') AND fid <> %d", $form_values['title'], $form_values['url'], $form_values['fid']);
     }
     else {
-      $result = db_query("SELECT title, url FROM {aggregator_feed} WHERE title = '%s' OR url='%s'", $form_values['title'], $form_values['url']);
+      $result = db_query("SELECT title, url FROM {aggregator_feed} WHERE title = '%s' OR url = '%s'", $form_values['title'], $form_values['url']);
     }
     while ($feed = db_fetch_object($result)) {
       if (strcasecmp($feed->title, $form_values['title']) == 0) {
@@ -1001,12 +1004,29 @@
   return $output;
 }
 
+function aggregator_admin_remove_feed($fid) {
+  $feed = aggregator_get_feed($fid);
+  return confirm_form(
+    array(
+      'feed' => array(
+        '#type' => 'value',
+        '#value' => $feed,
+      ),
+    ),
+    t('Are you sure you want to remove all items from the feed %feed?', array('%feed' => $feed['title'])),
+    'admin/content/aggregator',
+    t('This action cannot be undone.'),
+    t('Remove items'),
+    t('Cancel')
+  );
+}
+
 /**
- * Menu callback; removes all items from a feed, then redirects to the overview page.
+ * Remove all items from a feed and redirect to the overview page.
  */
-function aggregator_admin_remove_feed($feed) {
-  aggregator_remove(aggregator_get_feed($feed));
-  drupal_goto('admin/content/aggregator');
+function aggregator_admin_remove_feed_submit($form_id, $form_values) {
+  aggregator_remove($form_values['feed']);
+  return 'admin/content/aggregator';
 }
 
 /**
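Review bot: The new form builder `aggregator_admin_remove_feed()` uses the result of `aggregator_get_feed($fid)` without checking it. A request for a feed id that does not exist would build a confirmation form with an empty title, and the submit handler would then pass that empty value to `aggregator_remove()`. A guard directly after the lookup, ending the request with `drupal_not_found()` when `$feed` is empty, keeps the form from being offered for a non-existent feed. The builder also has no docblock while the submit handler does; `/** Menu callback; confirmation form for removing all items from a feed. */` would match the file's style.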
diff -Naur drupal-5.2/modules/block/block.info drupal-5.23/modules/block/block.info
--- drupal-5.2/modules/block/block.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/block/block.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - required
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/block/block.module drupal-5.23/modules/block/block.module
--- drupal-5.2/modules/block/block.module	2007-06-14 08:06:48.000000000 +0200
+++ drupal-5.23/modules/block/block.module	2009-01-14 06:43:04.000000000 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: block.module,v 1.246.2.5 2007/06/14 06:06:48 drumm Exp $
+// $Id: block.module,v 1.246.2.11 2009/01/14 05:43:04 drumm Exp $
 
 /**
  * @file
@@ -320,12 +320,12 @@
       // Output region header
       if ($status && $region != $last_region) {
         $region_title = t('@region', array('@region' => drupal_ucfirst($block_regions[$region])));
-        $rows[] = array(array('data' => $region_title, 'class' => 'region', 'colspan' => ($throttle ? 7 : 6)));
+        $rows[] = array(array('data' => $region_title, 'class' => 'region', 'colspan' => ($throttle ? 6 : 5)));
         $last_region = $region;
       }
       // Output disabled header
       elseif ($status != $last_status) {
-        $rows[] = array(array('data' => t('Disabled'), 'class' => 'region', 'colspan' => ($throttle ? 7 : 6)));
+        $rows[] = array(array('data' => t('Disabled'), 'class' => 'region', 'colspan' => ($throttle ? 6 : 5)));
         $last_status = $status;
       }
 
@@ -359,7 +359,7 @@
 }
 
 function block_box_get($bid) {
-  return db_fetch_array(db_query("SELECT bx.*, bl.title FROM {boxes} bx INNER JOIN {blocks} bl ON bx.bid = bl.delta WHERE bl.module = 'block' AND bx.bid = %d", $bid));
+  return db_fetch_array(db_query("SELECT * FROM {boxes} WHERE bid = %d", $bid));
 }
 
 /**
@@ -524,7 +524,7 @@
  */
 function block_box_delete($bid = 0) {
   $box = block_box_get($bid);
-  $form['info'] = array('#type' => 'hidden', '#value' => $box['info'] ? $box['info'] : $box['title']);
+  $form['info'] = array('#type' => 'hidden', '#value' => $box['info']);
   $form['bid'] = array('#type' => 'hidden', '#value' => $bid);
 
   return confirm_form($form, t('Are you sure you want to delete the block %name?', array('%name' => $box['info'])), 'admin/build/block', '', t('Delete'), t('Cancel'));
@@ -535,7 +535,7 @@
  */
 function block_box_delete_submit($form_id, $form_values) {
   db_query('DELETE FROM {boxes} WHERE bid = %d', $form_values['bid']);
-  db_query("DELETE FROM {blocks} WHERE module = 'block' AND delta = %d", $form_values['bid']);
+  db_query("DELETE FROM {blocks} WHERE module = 'block' AND delta = '%s'", $form_values['bid']);
   drupal_set_message(t('The block %name has been removed.', array('%name' => $form_values['info'])));
   cache_clear_all();
   return 'admin/build/block';
@@ -589,18 +589,19 @@
  * Allow users to decide which custom blocks to display when they visit
  * the site.
  */
-function block_user($type, $edit, &$user, $category = NULL) {
-  global $user;
+function block_user($type, $edit, &$account, $category = NULL) {
   switch ($type) {
     case 'form':
       if ($category == 'account') {
-        $result = db_query("SELECT DISTINCT b.* FROM {blocks} b LEFT JOIN {blocks_roles} r ON b.module = r.module AND b.delta = r.delta WHERE b.status = 1 AND b.custom != 0 AND (r.rid IN (%s) OR r.rid IS NULL) ORDER BY b.weight, b.module", implode(',', array_keys($user->roles)));
+        $rids = array_keys($account->roles);
+        $placeholders = implode(',', array_fill(0, count($rids), '%d'));
+        $result = db_query("SELECT DISTINCT b.* FROM {blocks} b LEFT JOIN {blocks_roles} r ON b.module = r.module AND b.delta = r.delta WHERE b.status = 1 AND b.custom != 0 AND (r.rid IN ($placeholders) OR r.rid IS NULL) ORDER BY b.weight, b.module", $rids);
         $form['block'] = array('#type' => 'fieldset', '#title' => t('Block configuration'), '#weight' => 3, '#collapsible' => TRUE, '#tree' => TRUE);
         while ($block = db_fetch_object($result)) {
           $data = module_invoke($block->module, 'block', 'list');
           if ($data[$block->delta]['info']) {
             $return = TRUE;
-            $form['block'][$block->module][$block->delta] = array('#type' => 'checkbox', '#title' => check_plain($data[$block->delta]['info']), '#default_value' => isset($user->block[$block->module][$block->delta]) ? $user->block[$block->module][$block->delta] : ($block->custom == 1));
+            $form['block'][$block->module][$block->delta] = array('#type' => 'checkbox', '#title' => check_plain($data[$block->delta]['info']), '#default_value' => isset($account->block[$block->module][$block->delta]) ? $account->block[$block->module][$block->delta] : ($block->custom == 1));
           }
         }
 
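Review bot: The placeholder construction in `block_user()` assumes `$rids` is never empty. With no roles, `array_fill(0, 0, '%d')` raises a warning on older PHP versions and the query ends up containing `r.rid IN ()`, which is not valid SQL. Accounts normally carry at least one role, so this may be unreachable in practice. A one-line guard before building the placeholders still keeps the statement well-formed, for example `if (!$rids) { $rids = array(0); }`, assuming 0 is not a real role id. The identical pattern is added to the block-listing query in the hunk at -641, and `block_user()` continues outside this hunk.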
@@ -641,7 +642,9 @@
   static $blocks = array();
 
   if (!count($blocks)) {
-    $result = db_query("SELECT DISTINCT b.* FROM {blocks} b LEFT JOIN {blocks_roles} r ON b.module = r.module AND b.delta = r.delta WHERE b.theme = '%s' AND b.status = 1 AND (r.rid IN (%s) OR r.rid IS NULL) ORDER BY b.region, b.weight, b.module", $theme_key, implode(',', array_keys($user->roles)));
+    $rids = array_keys($user->roles);
+    $placeholders = implode(',', array_fill(0, count($rids), '%d'));
+    $result = db_query("SELECT DISTINCT b.* FROM {blocks} b LEFT JOIN {blocks_roles} r ON b.module = r.module AND b.delta = r.delta WHERE b.theme = '%s' AND b.status = 1 AND (r.rid IN ($placeholders) OR r.rid IS NULL) ORDER BY b.region, b.weight, b.module", array_merge(array($theme_key), $rids));
     while ($block = db_fetch_object($result)) {
       if (!isset($blocks[$block->region])) {
         $blocks[$block->region] = array();
@@ -681,8 +684,23 @@
       else {
         $page_match = TRUE;
       }
+      $block->enabled = $enabled;
+      $block->page_match = $page_match;
+      $blocks[$block->region]["{$block->module}_{$block->delta}"] = $block;
+    }
+  }
 
-      if ($enabled && $page_match) {
+  // Create an empty array if there were no entries
+  if (!isset($blocks[$region])) {
+    $blocks[$region] = array();
+  }
+
+  foreach ($blocks[$region] as $key => $block) {
+    // Render the block content if it has not been created already.
+    if (!isset($block->content)) {
+      // Erase the block from the static array - we'll put it back if it has content.
+      unset($blocks[$region][$key]);
+      if ($block->enabled && $block->page_match) {
         // Check the current throttle status and see if block should be displayed
         // based on server load.
         if (!($block->throttle && (module_invoke('throttle', 'status') > 0))) {
@@ -704,9 +722,5 @@
       }
     }
   }
-  // Create an empty array if there were no entries
-  if (!isset($blocks[$region])) {
-    $blocks[$region] = array();
-  }
   return $blocks[$region];
 }
diff -Naur drupal-5.2/modules/blog/blog.info drupal-5.23/modules/blog/blog.info
--- drupal-5.2/modules/blog/blog.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/blog/blog.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/blog/blog.module drupal-5.23/modules/blog/blog.module
--- drupal-5.2/modules/blog/blog.module	2007-04-23 19:05:11.000000000 +0200
+++ drupal-5.23/modules/blog/blog.module	2008-07-06 02:27:42.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: blog.module,v 1.271.2.2 2007/04/23 17:05:11 dries Exp $
+// $Id: blog.module,v 1.271.2.3 2008/07/06 00:27:42 drumm Exp $
 
 /**
  * @file
@@ -117,9 +117,10 @@
   else if ($a == 'feed') {
     return blog_feed_last();
   }
-  else {
+  else if ($a === NULL) {
     return blog_page_last();
   }
+  drupal_not_found();
 }
 
 /**
diff -Naur drupal-5.2/modules/blogapi/blogapi.info drupal-5.23/modules/blogapi/blogapi.info
--- drupal-5.2/modules/blogapi/blogapi.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/blogapi/blogapi.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/blogapi/blogapi.install drupal-5.23/modules/blogapi/blogapi.install
--- drupal-5.2/modules/blogapi/blogapi.install	1970-01-01 01:00:00.000000000 +0100
+++ drupal-5.23/modules/blogapi/blogapi.install	2008-08-27 15:25:13.000000000 +0200
@@ -0,0 +1,90 @@
+<?php
+// $Id: blogapi.install,v 1.2.2.3 2008/08/27 13:25:13 drumm Exp $
+
+/**
+ * Implementation of hook_install().
+ */
+function blogapi_install() {
+  // Create table.
+  switch ($GLOBALS['db_type']) {
+    case 'mysql':
+    case 'mysqli':
+      db_query("CREATE TABLE {blogapi_files} (
+        fid int NOT NULL auto_increment,
+        uid int unsigned NOT NULL default 0,
+        filepath varchar(255) NOT NULL default '',
+        filesize int unsigned NOT NULL default 0,
+        PRIMARY KEY (fid),
+        KEY uid (uid)
+      ) /*!40100 DEFAULT CHARACTER SET UTF8 */ ");
+      break;
+
+    case 'pgsql':
+      db_query("CREATE TABLE {blogapi_files} (
+        fid serial,
+        uid int_unsigned NOT NULL default 0,
+        filepath varchar(255) NOT NULL default '',
+        filesize int_unsigned NOT NULL default 0,
+        PRIMARY KEY (fid)
+      )");
+
+      db_query("CREATE INDEX {blogapi_files}_uid_idx ON {blogapi_files} (uid)");
+      break;
+  }
+
+}
+
+/**
+ * Implementation of hook_uninstall().
+ */
+function blogapi_uninstall() {
+  // Remove table.
+  db_query("DROP TABLE {blogapi_files}");
+}
+
+/**
+ * @defgroup updates-5.x-extra Extra blogapi updates for 5.x
+ * @{
+ */
+
+/**
+ * Add blogapi_files table to enable size restriction for BlogAPI file uploads.
+ *
+ * Added in Drupal 5.10 (and 6.4).
+ */
+function blogapi_update_5000() {
+  $ret = array();
+  switch ($GLOBALS['db_type']) {
+    case 'mysql':
+    case 'mysqli':
+      $ret[] = update_sql("CREATE TABLE {blogapi_files} (
+        fid int NOT NULL auto_increment,
+        uid int unsigned NOT NULL default 0,
+        filepath varchar(255) NOT NULL default '',
+        filesize int unsigned NOT NULL default 0,
+        PRIMARY KEY (fid),
+        KEY uid (uid)
+      ) /*!40100 DEFAULT CHARACTER SET UTF8 */ ");
+      break;
+
+    case 'pgsql':
+      $ret[] = update_sql("CREATE TABLE {blogapi_files} (
+        fid serial,
+        uid int_unsigned NOT NULL default 0,
+        filepath varchar(255) NOT NULL default '',
+        filesize int_unsigned NOT NULL default 0,
+        PRIMARY KEY (fid)
+      )");
+
+      $ret[] = update_sql("CREATE INDEX {blogapi_files}_uid_idx ON {blogapi_files} (uid)");
+      break;
+  }
+
+  return $ret;
+}
+
+
+/**
+ * @} End of "defgroup updates-5.x-extra"
+ */
+
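Review bot: The `CREATE TABLE {blogapi_files}` statements are written out twice, once in `blogapi_install()` and once in `blogapi_update_5000()`, for both database types. This table backs the upload-size and quota checks, so a later column or index change applied to only one copy would leave fresh installs and upgraded sites with different schemas. I would move the per-database SQL into one private helper that returns the statements, and have the install hook run them through `db_query()` and the update hook through `update_sql()`. Both `switch` blocks also lack a `default` branch, so an unrecognised `$GLOBALS['db_type']` creates no table and reports nothing; a comment or an error message there would make that failure visible.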
diff -Naur drupal-5.2/modules/blogapi/blogapi.module drupal-5.23/modules/blogapi/blogapi.module
--- drupal-5.2/modules/blogapi/blogapi.module	2007-07-26 21:16:45.000000000 +0200
+++ drupal-5.23/modules/blogapi/blogapi.module	2008-10-08 22:10:25.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: blogapi.module,v 1.100.2.2 2007/07/26 19:16:45 drumm Exp $
+// $Id: blogapi.module,v 1.100.2.6 2008/10/08 20:10:25 drumm Exp $
 
 /**
  * @file
@@ -21,6 +21,13 @@
 }
 
 /**
+ * Implementation of hook_perm().
+ */
+function blogapi_perm() {
+  return array('administer content with blog api');
+}
+
+/**
  * Implementation of hook_xmlrpc().
  */
 function blogapi_xmlrpc() {
@@ -122,7 +129,7 @@
       t('Retrieve information about the text formatting plugins supported by the server.')),
     array(
       'mt.publishPost',
-      'blogap_mti_publish_post',
+      'blogapi_mt_publish_post',
       array('boolean', 'string', 'string', 'string'),
       t('Publish (rebuild) all of the static files related to an entry from your weblog. Equivalent to saving an entry in the system (but without the ping).')));
 }
@@ -210,6 +217,11 @@
 
   node_invoke_nodeapi($edit, 'blogapi new');
 
+  $valid = blogapi_status_error_check($edit, $publish);
+  if ($valid !== TRUE) {
+    return $valid;
+  }
+
   node_validate($edit);
   if ($errors = form_get_errors()) {
     return blogapi_error(implode("\n", $errors));
@@ -247,7 +259,8 @@
   if (!node_access('update', $node)) {
     return blogapi_error(t('You do not have permission to update this post.'));
   }
-
+  // Save the original status for validation of permissions.
+  $original_status = $node->status;
   $node->status = $publish;
 
   // check for bloggerAPI vs. metaWeblogAPI
@@ -263,6 +276,11 @@
 
   node_invoke_nodeapi($node, 'blogapi edit');
 
+  $valid = blogapi_status_error_check($node, $original_status);
+  if ($valid !== TRUE) {
+    return $valid;
+  }
+
   node_validate($node);
   if ($errors = form_get_errors()) {
     return blogapi_error(implode("\n", $errors));
@@ -296,6 +314,33 @@
 }
 
 /**
+ * Check that the user has permission to save the node with the chosen status.
+ *
+ * @return
+ *   TRUE if no error, or the blogapi_error().
+ */
+function blogapi_status_error_check($node, $original_status) {
+  
+  $node = (object) $node;
+
+  $node_type_default = variable_get('node_options_'. $node->type, array('status', 'promote'));
+
+  // If we don't have the 'administer nodes' permission and the status is
+  // changing or for a new node the status is not the content type's default,
+  // then return an error.
+  if (!user_access('administer nodes') && (($node->status != $original_status) || (empty($node->nid) && $node->status != in_array('status', $node_type_default)))) {
+    if ($node->status) {
+      return blogapi_error(t('You do not have permission to publish this type of post. Please save it as a draft instead.'));
+    }
+    else {
+      return blogapi_error(t('You do not have permission to save this post as a draft. Please publish it instead.'));
+    }
+  }
+  return TRUE;
+}
+
+
+/**
  * Blogging API callback. Removes the specified blog node.
  */
 function blogapi_blogger_delete_post($appkey, $postid, $username, $password, $publish) {
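Review bot: The docblock for `blogapi_status_error_check()` documents neither parameter, and `$original_status` means different things at its two call sites: the edit path passes the node's stored status, while the new-post path passes `$publish`. Since this function is the permission gate for publishing over XML-RPC, I would add `@param $node` (array or object, cast to object) and `@param $original_status` (the stored status for an existing node, the requested status for a new one). The condition also compares `$node->status` with the boolean result of `in_array()` using a loose `!=`; writing `(bool) $node->status != in_array('status', $node_type_default)` states the intent. The line after the opening brace carries trailing whitespace.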
@@ -355,20 +400,63 @@
     return blogapi_error($user);
   }
 
+  $usersize = 0;
+  $uploadsize = 0;
+
+  $roles = array_intersect(user_roles(0, 'administer content with blog api'), $user->roles);
+
+  foreach ($roles as $rid => $name) {
+    $extensions .= ' '. strtolower(variable_get("blogapi_extensions_$rid", variable_get('blogapi_extensions_default', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp')));
+    $usersize= max($usersize, variable_get("blogapi_usersize_$rid", variable_get('blogapi_usersize_default', 1)) * 1024 * 1024);
+    $uploadsize = max($uploadsize, variable_get("blogapi_uploadsize_$rid", variable_get('blogapi_uploadsize_default', 1)) * 1024 * 1024);
+  }
+
+  $filesize = strlen($file['bits']);
+
+  if ($filesize > $uploadsize) {
+    return blogapi_error(t('It is not possible to upload the file, because it exceeded the maximum filesize of @maxsize.', array('@maxsize' => format_size($uploadsize))));
+  }
+
+  if (_blogapi_space_used($user->uid) + $filesize > $usersize) {
+    return blogapi_error(t('The file can not be attached to this post, because the disk quota of @quota has been reached.', array('@quota' => format_size($usersize))));
+  }
+
+  // Only allow files with whitelisted extensions and convert remaining dots to
+  // underscores to prevent attacks via non-terminal executable extensions with
+  // files such as exploit.php.jpg.
+
+  $whitelist = array_unique(explode(' ', trim($extensions)));
+
   $name = basename($file['name']);
+
+  if ($extension_position = strrpos($name, '.')) {
+    $filename = drupal_substr($name, 0, $extension_position);
+    $final_extension = drupal_substr($name, $extension_position + 1);
+
+    if (!in_array(strtolower($final_extension), $whitelist)) {
+      return blogapi_error(t('It is not possible to upload the file, because it is only possible to upload files with the following extensions: @extensions', array('@extensions' => implode(' ', $whitelist))));
+    }
+
+    $filename = str_replace('.', '_', $filename);
+    $filename .= '.'. $final_extension;
+  }
+
   $data = $file['bits'];
 
   if (!$data) {
     return blogapi_error(t('No file sent.'));
   }
 
-  if (!$file = file_save_data($data, $name)) {
+  if (!$file = file_save_data($data, $filename)) {
     return blogapi_error(t('Error storing file.'));
   }
 
+  db_query("INSERT INTO {blogapi_files} (uid, filepath, filesize) VALUES (%d, '%s', %d)", $user->uid, $file, $filesize);
+
   // Return the successful result.
   return array('url' => file_create_url($file), 'struct');
 }
+
 /**
  * Blogging API callback. Returns a list of the taxonomy terms that can be
  * associated with a blog node.
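Review bot: `$filename` is only assigned inside `if ($extension_position = strrpos($name, '.'))`, so a name with no dot, or whose only dot is the first character, skips the whitelist check and reaches `file_save_data($data, $filename)` with `$filename` undefined. `$extensions` is also appended to with `.=` without being initialised, unlike `$usersize` and `$uploadsize` just above it. I would initialise it and refuse uploads that have no extension to check, as sketched below. Separately, `strrpos()` returns a byte offset while `drupal_substr()` presumably counts characters, so the split may land in the wrong place for multibyte names; that is worth confirming. The callback's signature and the start of its body are outside this hunk.

```php
  $usersize = 0;
  $uploadsize = 0;
  $extensions = '';
  // … unchanged: per-role limits, size and quota checks, $whitelist …
  $name = basename($file['name']);
  $extension_position = strrpos($name, '.');
  if (!$extension_position) {
    // No extension to check against the whitelist: refuse the upload.
    return blogapi_error(t('It is not possible to upload the file, because it is only possible to upload files with the following extensions: @extensions', array('@extensions' => implode(' ', $whitelist))));
  }
  $filename = drupal_substr($name, 0, $extension_position);
  // … unchanged (now outside the if): whitelist check on $final_extension, dot replacement …
```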
@@ -442,11 +530,60 @@
   foreach ($categories as $category) {
     $node->taxonomy[] = $category['categoryId'];
   }
+  $validated = blogapi_mt_validate_terms($node);
+  if ($validated !== TRUE) {
+    return $validated;
+  }
   node_save($node);
   return TRUE;
 }
 
 /**
+ * Blogging API helper - find allowed taxonomy terms for a node type.
+ */
+function blogapi_mt_validate_terms($node) {
+  // We do a lot of heavy lifting here since taxonomy module doesn't have a
+  // stand-alone validation function.
+  if (module_exists('taxonomy')) {
+    $found_terms = array();
+    if (!empty($node->taxonomy)) {
+      $term_list = array_unique($node->taxonomy);
+      $placeholders = implode(', ', array_fill(0, count($term_list), '%d'));
+      $params = $term_list;
+      $params[] = $node->type;
+      $result = db_query(db_rewrite_sql("SELECT t.tid, t.vid FROM {term_data} t INNER JOIN {vocabulary_node_types} n ON t.vid = n.vid WHERE t.tid IN (". $placeholders .") AND n.type = '%s'", 't', 'tid'), $params);
+      $found_terms = array();
+      $found_count = 0;
+      while ($term = db_fetch_object($result)) {
+        $found_terms[$term->vid][$term->tid] = $term->tid;
+        $found_count++;
+      }
+      // If the counts don't match, some terms are invalid or not accessible to this user.
+      if (count($term_list) != $found_count) {
+        return blogapi_error(t('Invalid categories submitted.'));
+      }
+    }
+    // Look up all the vocabularies for this node type.
+    $result2 = db_query(db_rewrite_sql("SELECT v.vid, v.name, v.required, v.multiple FROM {vocabulary} v INNER JOIN {vocabulary_node_types} n ON v.vid = n.vid WHERE n.type = '%s'", 'v', 'vid'), $node->type);
+    // Check each vocabulary associated with this node type.
+    while ($vocabulary = db_fetch_object($result2)) {
+      // Required vocabularies must have at least one term.
+      if ($vocabulary->required && empty($found_terms[$vocabulary->vid])) {
+        return blogapi_error(t('A category from the @vocabulary_name vocabulary is required.', array('@vocabulary_name' => $vocabulary->name)));
+      }
+      // Vocabularies that don't allow multiple terms may have at most one.
+      if (!($vocabulary->multiple) && (isset($found_terms[$vocabulary->vid]) && count($found_terms[$vocabulary->vid]) > 1)) {
+        return blogapi_error(t('You may only choose one category from the @vocabulary_name vocabulary.'), array('@vocabulary_name' => $vocabulary->name));
+      }
+    }
+  }
+  elseif (!empty($node->taxonomy)) {
+    return blogapi_error(t('Error saving categories. This feature is not available.'));
+  }
+  return TRUE;
+}
+
+/**
  * Blogging API callback. Sends a list of available input formats.
  */
 function blogapi_mt_supported_text_filters() {
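Review bot: In the single-term check of `blogapi_mt_validate_terms()`, the closing parenthesis of `t()` is misplaced, so the replacement array is passed as a second argument to `blogapi_error()` and `@vocabulary_name` is never substituted. It should match the required-vocabulary message a few lines above: `return blogapi_error(t('You may only choose one category from the @vocabulary_name vocabulary.', array('@vocabulary_name' => $vocabulary->name)));`. The docblock summary ("find allowed taxonomy terms") also does not describe what the function does. Something like "Validate the taxonomy terms submitted for a node; returns TRUE or a blogapi_error()" would be accurate.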
@@ -467,7 +604,7 @@
 /**
  * Blogging API callback. Publishes the given node
  */
-function blogap_mti_publish_post($postid, $username, $password) {
+function blogapi_mt_publish_post($postid, $username, $password) {
   $user = blogapi_validate_user($username, $password);
   if (!$user->uid) {
     return blogapi_error($user);
@@ -477,11 +614,16 @@
     return blogapi_error(t('Invalid post.'));
   }
 
-  $node->status = 1;
-  if (!node_access('update', $node)) {
+  // Nothing needs to be done if already published.
+  if ($node->status) {
+    return;
+  }
+
+  if (!node_access('update', $node) || !user_access('administer nodes')) {
     return blogapi_error(t('You do not have permission to update this post.'));
   }
 
+  $node->status = 1;
   node_save($node);
 
   return TRUE;
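Review bot: The early exit for an already-published node uses a bare `return;`, so this callback yields NULL on that path while every other path returns `TRUE` or a `blogapi_error()`. Since the post is in the requested state, `return TRUE;` would keep the result type consistent for the XML-RPC client. How a NULL result is serialised is not visible from this hunk. The function's signature and the node lookup are outside this hunk.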
@@ -510,7 +652,7 @@
   $user = user_authenticate($username, $password);
 
   if ($user->uid) {
-    if (user_access('edit own blog', $user)) {
+    if (user_access('administer content with blog api', $user)) {
       return $user;
     }
     else {
@@ -548,6 +690,82 @@
     '#description' => t('Select the content types for which you wish to enable posting via blogapi. Each type will appear as a different "blog" in the client application (if supported).')
   );
 
+
+  $blogapi_extensions_default = variable_get('blogapi_extensions_default', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp');
+  $blogapi_uploadsize_default = variable_get('blogapi_uploadsize_default', 1);
+  $blogapi_usersize_default = variable_get('blogapi_usersize_default', 1);
+
+  $form['settings_general'] = array(
+    '#type' => 'fieldset',
+    '#title' => t('File settings'),
+    '#collapsible' => TRUE,
+  );
+
+  $form['settings_general']['blogapi_extensions_default'] = array(
+    '#type' => 'textfield',
+    '#title' => t('Default permitted file extensions'),
+    '#default_value' => $blogapi_extensions_default,
+    '#maxlength' => 255,
+    '#description' => t('Default extensions that users can upload. Separate extensions with a space and do not include the leading dot.'),
+  );
+
+  $form['settings_general']['blogapi_uploadsize_default'] = array(
+    '#type' => 'textfield',
+    '#title' => t('Default maximum file size per upload'),
+    '#default_value' => $blogapi_uploadsize_default,
+    '#size' => 5,
+    '#maxlength' => 5,
+    '#description' => t('The default maximum file size a user can upload.'),
+    '#field_suffix' => t('MB')
+  );
+
+  $form['settings_general']['blogapi_usersize_default'] = array(
+    '#type' => 'textfield',
+    '#title' => t('Default total file size per user'),
+    '#default_value' => $blogapi_usersize_default,
+    '#size' => 5,
+    '#maxlength' => 5,
+    '#description' => t('The default maximum size of all files a user can have on the site.'),
+    '#field_suffix' => t('MB')
+  );
+
+  $form['settings_general']['upload_max_size'] = array('#value' => '<p>'. t('Your PHP settings limit the maximum file size per upload to %size.', array('%size' => format_size(file_upload_max_size()))).'</p>');
+
+  $roles = user_roles(0, 'administer content with blog api');
+  $form['roles'] = array('#type' => 'value', '#value' => $roles);
+
+  foreach ($roles as $rid => $role) {
+    $form['settings_role_'. $rid] = array(
+      '#type' => 'fieldset',
+      '#title' => t('Settings for @role', array('@role' => $role)),
+      '#collapsible' => TRUE,
+      '#collapsed' => TRUE,
+    );
+    $form['settings_role_'. $rid]['blogapi_extensions_'. $rid] = array(
+      '#type' => 'textfield',
+      '#title' => t('Permitted file extensions'),
+      '#default_value' => variable_get('blogapi_extensions_'. $rid, $blogapi_extensions_default),
+      '#maxlength' => 255,
+      '#description' => t('Extensions that users in this role can upload. Separate extensions with a space and do not include the leading dot.'),
+    );
+    $form['settings_role_'. $rid]['blogapi_uploadsize_'. $rid] = array(
+      '#type' => 'textfield',
+      '#title' => t('Maximum file size per upload'),
+      '#default_value' => variable_get('blogapi_uploadsize_'. $rid, $blogapi_uploadsize_default),
+      '#size' => 5,
+      '#maxlength' => 5,
+      '#description' => t('The maximum size of a file a user can upload (in megabytes).'),
+    );
+    $form['settings_role_'. $rid]['blogapi_usersize_'. $rid] = array(
+      '#type' => 'textfield',
+      '#title' => t('Total file size per user'),
+      '#default_value' => variable_get('blogapi_usersize_'. $rid, $blogapi_usersize_default),
+      '#size' => 5,
+      '#maxlength' => 5,
+      '#description' => t('The maximum size of all files a user can have on the site (in megabytes).'),
+    );
+  }
+
   return system_settings_form($form);
 }
 
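Review bot: The per-role size fields are built differently from the default ones: the defaults use `'#field_suffix' => t('MB')`, while the per-role fields put "(in megabytes)" in the description and have no suffix. Using the suffix on both keeps the two sets of fields consistent. None of the size or extension textfields added here carries a validation callback in this hunk, and the upload code multiplies the stored value by `1024 * 1024`, so a non-numeric entry would presumably turn into a zero limit. A numeric check on the four size fields would catch that when the form is saved. The form builder's opening lines are outside this hunk.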
@@ -713,3 +931,7 @@
   return $types;
 }
 
+
+function _blogapi_space_used($uid) {
+  return db_result(db_query('SELECT SUM(filesize) FROM {blogapi_files} f WHERE f.uid = %d', $uid));
+}
\ No newline at end of file
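Review bot: `_blogapi_space_used()` has no docblock and returns whatever `db_result()` gives for `SUM(filesize)`, which is not an integer when the user has no rows in `{blogapi_files}`. The caller adds the result to `$filesize`, so casting makes the contract explicit: `return (int) db_result(db_query('SELECT SUM(filesize) FROM {blogapi_files} f WHERE f.uid = %d', $uid));`. A short docblock such as "Return the total size in bytes of files uploaded through blogapi by the given user" would document the unit. The file also now ends without a trailing newline.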
diff -Naur drupal-5.2/modules/book/book.info drupal-5.23/modules/book/book.info
--- drupal-5.2/modules/book/book.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/book/book.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/book/book.module drupal-5.23/modules/book/book.module
--- drupal-5.2/modules/book/book.module	2007-02-14 05:30:33.000000000 +0100
+++ drupal-5.23/modules/book/book.module	2009-05-13 21:41:56.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: book.module,v 1.406.2.1 2007/02/14 04:30:33 drumm Exp $
+// $Id: book.module,v 1.406.2.2 2009/05/13 19:41:56 drumm Exp $
 
 /**
  * @file
@@ -702,8 +702,9 @@
   global $base_url;
   $html = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n";
   $html .= '<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">';
-  $html .= "<head>\n<title>". $title ."</title>\n";
+  $html .= "\n<head>\n";
   $html .= '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />';
+  $html .= "\n<title>". $title ."</title>\n";
   $html .= '<base href="'. $base_url .'/" />' . "\n";
   $html .= "<style type=\"text/css\">\n@import url(misc/print.css);\n</style>\n";
   $html .= "</head>\n<body>\n". $content ."\n</body>\n</html>\n";
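Review bot: The reordering that puts the Content-Type `<meta>` before `<title>` has no comment explaining why the order matters, so a later tidy-up could undo it. I would add `// The charset declaration must come before <title>, so the encoding is fixed before any user-supplied text is parsed.` above the meta line. `$title` is concatenated into the markup as-is in this hunk. Whether it is already escaped by the caller cannot be seen here, because the function's signature is outside the hunk, and that should be confirmed.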
diff -Naur drupal-5.2/modules/color/color.info drupal-5.23/modules/color/color.info
--- drupal-5.2/modules/color/color.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/color/color.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/color/color.module drupal-5.23/modules/color/color.module
--- drupal-5.2/modules/color/color.module	2007-07-09 07:02:32.000000000 +0200
+++ drupal-5.23/modules/color/color.module	2008-12-21 03:56:30.000000000 +0100
@@ -1,22 +1,40 @@
 <?php
-// $Id: color.module,v 1.13.2.2 2007/07/09 05:02:32 drumm Exp $
+// $Id: color.module,v 1.13.2.6 2008/12/21 02:56:30 drumm Exp $
+
+/**
+ * Implementation of hook_help
+ */
+function color_help($section) {
+  switch ($section) {
+    case 'admin/help#color':
+      $output = '<p>'. t('Color module allows a site administrator to quickly and easily change the color scheme of the entire site. In order for color module to work however, a theme must be specifically designed to use the color changing features. The default theme, Garland, (as well as its fixed width counterpart, Minnelli) was designed to take advantage of these features. With color module, you can easily change the color of links, backgrounds, text, and more depending on which color module enabled theme you are using. Color module requires your <a href="@url">file download method</a> to be set to public.', array('@url' => url('admin/settings/file-system'))) .'</p>';
+      $output .= '<p>'. t("It is important to remember that color module saves a modified copy of the theme's style.css file in the files directory, and includes it after the theme's original style.css. This means that if you make any manual changes to your theme's style.css file, you must save your color settings again, even if they haven't changed. This causes the color module generated version of style.css in the files directory to be recreated using the new version of the original file.") .'</p>';
+      return $output;
+  }
+}
 
 /**
  * Implementation of hook_form_alter().
  */
 function color_form_alter($form_id, &$form) {
   // Insert the color changer into the theme settings page.
-  // TODO: Last condition in the following if disables color changer when private files are used this should be solved in a different way. See issue #92059.
-  if ($form_id == 'system_theme_settings' && color_get_info(arg(4)) && function_exists('gd_info') && variable_get('file_downloads', FILE_DOWNLOADS_PUBLIC) == FILE_DOWNLOADS_PUBLIC) {
-    $form['color'] = array(
-      '#type' => 'fieldset',
-      '#title' => t('Color scheme'),
-      '#weight' => -1,
-      '#attributes' => array('id' => 'color_scheme_form'),
-      '#theme' => 'color_scheme_form',
-    );
-    $form['color'] += color_scheme_form(arg(4));
-    $form['#submit']['color_scheme_form_submit'] = array();
+  if ($form_id == 'system_theme_settings' && color_get_info(arg(4)) && function_exists('gd_info')) {
+    if (variable_get('file_downloads', FILE_DOWNLOADS_PUBLIC) != FILE_DOWNLOADS_PUBLIC) {
+      // Disables the color changer when the private download method is used.
+      // TODO: This should be solved in a different way. See issue #181003.
+      drupal_set_message(t('The color picker only works if the <a href="@url">download method</a> is set to public.', array('@url' => url('admin/settings/file-system'))));
+    }
+    else {
+      $form['color'] = array(
+        '#type' => 'fieldset',
+        '#title' => t('Color scheme'),
+        '#weight' => -1,
+        '#attributes' => array('id' => 'color_scheme_form'),
+        '#theme' => 'color_scheme_form',
+      );
+      $form['color'] += color_scheme_form(arg(4));
+      $form['#submit']['color_scheme_form_submit'] = array();
+    }
   }
 
   // Use the generated screenshot in the theme list
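Review bot: The new docblock reads "Implementation of hook_help", while the one directly below it uses the form `Implementation of hook_form_alter().` with parentheses and a full stop. `Implementation of hook_help().` would match. In `color_form_alter()` the notice about the private download method is raised with `drupal_set_message()` from inside the alter hook, so it is presumably queued every time the theme settings form is built, including on submission. Rendering it as a form element in place of the colour fieldset would avoid repeated messages. `color_form_alter()` continues past the end of this hunk.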
@@ -253,8 +271,10 @@
     $paths['files'][] = $paths['target'] . $base;
   }
 
-  // Render new images
-  _color_render_images($theme, $info, $paths, $palette);
+  // Render new images, if base image exists
+  if ($info['base_image']) {
+    _color_render_images($theme, $info, $paths, $palette);
+  }
 
   // Rewrite stylesheet
   _color_rewrite_stylesheet($theme, $info, $paths, $palette);
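Review bot: The new guard reads `$info['base_image']` directly, which raises an undefined-index notice when a theme's color info does not define that key, and a missing key is the case the guard exists for. `if (!empty($info['base_image'])) {` covers both a missing and an empty value. The enclosing function starts and ends outside this hunk.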
@@ -373,7 +393,7 @@
   // Render gradient.
   for ($y = 0; $y < $info['gradient'][3]; ++$y) {
     $color = _color_blend($target, $palette['top'], $palette['bottom'], $y / ($info['gradient'][3] - 1));
-    imagefilledrectangle($target, $info['gradient'][0], $info['gradient'][1] + $y, $info['gradient'][2], $info['gradient'][1] + $y + 1, $color);
+    imagefilledrectangle($target, $info['gradient'][0], $info['gradient'][1] + $y, $info['gradient'][0] + $info['gradient'][2], $info['gradient'][1] + $y + 1, $color);
   }
 
   // Blend over template.
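Review bot: The corrected `imagefilledrectangle()` call treats `$info['gradient'][2]` as a width added to the x origin, but nothing near the loop documents the layout of the four gradient values. I would add a comment such as `// $info['gradient'] is (x, y, width, height); imagefilledrectangle() takes two corner points.` above the loop. If that layout is right, the rectangle as drawn spans one column more than the width, because both corners are included. It is worth checking whether `- 1` is wanted on the far corner. The enclosing function is only partly visible in this hunk.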
diff -Naur drupal-5.2/modules/comment/comment.info drupal-5.23/modules/comment/comment.info
--- drupal-5.2/modules/comment/comment.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/comment/comment.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/comment/comment.module drupal-5.23/modules/comment/comment.module
--- drupal-5.2/modules/comment/comment.module	2007-07-26 21:16:45.000000000 +0200
+++ drupal-5.23/modules/comment/comment.module	2010-08-11 22:37:49.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: comment.module,v 1.520.2.6 2007/07/26 19:16:45 drumm Exp $
+// $Id: comment.module,v 1.520.2.15 2010/08/11 20:37:49 drumm Exp $
 
 /**
  * @file
@@ -260,7 +260,7 @@
   if (!empty($nids)) {
     // From among the comments on the nodes selected in the first query,
     // find the $number most recent comments.
-    $result = db_query_range('SELECT c.nid, c.subject, c.cid, c.timestamp FROM {comments} c INNER JOIN {node} n ON n.nid = c.nid WHERE c.nid IN ('. implode(',', $nids) .') AND n.status = 1 AND c.status = %d ORDER BY c.timestamp DESC', COMMENT_PUBLISHED, 0, $number);
+    $result = db_query_range('SELECT c.nid, c.subject, c.cid, c.timestamp FROM {comments} c INNER JOIN {node} n ON n.nid = c.nid WHERE c.nid IN ('. implode(',', $nids) .') AND n.status = 1 AND c.status = %d ORDER BY c.cid DESC', COMMENT_PUBLISHED, 0, $number);
     while ($comment = db_fetch_object($result)) {
       $comments[] = $comment;
     }
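Review bot: Ordering by `c.cid` instead of `c.timestamp` relies on comment IDs increasing in posting order, and the code does not say so. The existing comment still says "most recent comments". I would extend it with `// Ordered by cid, which increases with each new comment; timestamps can tie or be edited.`, provided that is the reason for the change. The same substitution is made in the two `ORDER BY` hunks at -981 and -989 further down, and the same explanation belongs there. The enclosing function starts outside this hunk.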
@@ -575,7 +575,7 @@
   global $user;
 
   if ($op == 'edit') {
-    return ($user->uid && $user->uid == $comment->uid && comment_num_replies($comment->cid) == 0) || user_access('administer comments');
+    return ($user->uid && $user->uid == $comment->uid && comment_num_replies($comment->cid) == 0 && $comment->status == COMMENT_PUBLISHED) || user_access('administer comments');
   }
 }
 
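Review bot: The added `$comment->status == COMMENT_PUBLISHED` condition changes who may edit a comment but has no explanation, and the long boolean is hard to scan. A comment above the return would record the rule: `// Authors may edit their own comment only while it is published and has no replies; administrators may always edit.` The reason unpublished comments are excluded is not visible in this hunk and should be stated by someone who knows it. The function's signature is outside this hunk.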
@@ -723,7 +723,7 @@
         }
 
         // Add the comment to database.
-        $status = user_access('post comments without approval') ? COMMENT_PUBLISHED : COMMENT_NOT_PUBLISHED;
+        $edit['status'] = user_access('post comments without approval') ? COMMENT_PUBLISHED : COMMENT_NOT_PUBLISHED;
         $roles = variable_get('comment_roles', array());
         $score = 0;
 
@@ -784,7 +784,7 @@
           $edit['name'] = $user->name;
         }
 
-        db_query("INSERT INTO {comments} (cid, nid, pid, uid, subject, comment, format, hostname, timestamp, status, score, users, thread, name, mail, homepage) VALUES (%d, %d, %d, %d, '%s', '%s', %d, '%s', %d, %d, %d, '%s', '%s', '%s', '%s', '%s')", $edit['cid'], $edit['nid'], $edit['pid'], $edit['uid'], $edit['subject'], $edit['comment'], $edit['format'], $_SERVER['REMOTE_ADDR'], $edit['timestamp'], $status, $score, $users, $thread, $edit['name'], $edit['mail'], $edit['homepage']);
+        db_query("INSERT INTO {comments} (cid, nid, pid, uid, subject, comment, format, hostname, timestamp, status, score, users, thread, name, mail, homepage) VALUES (%d, %d, %d, %d, '%s', '%s', %d, '%s', %d, %d, %d, '%s', '%s', '%s', '%s', '%s')", $edit['cid'], $edit['nid'], $edit['pid'], $edit['uid'], $edit['subject'], $edit['comment'], $edit['format'], $_SERVER['REMOTE_ADDR'], $edit['timestamp'], $edit['status'], $score, $users, $thread, $edit['name'], $edit['mail'], $edit['homepage']);
 
         _comment_update_node_statistics($edit['nid']);
 
@@ -800,7 +800,7 @@
 
       // Explain the approval queue if necessary, and then
       // redirect the user to the node he's commenting on.
-      if ($status == COMMENT_NOT_PUBLISHED) {
+      if ($edit['status'] == COMMENT_NOT_PUBLISHED) {
         drupal_set_message(t('Your comment has been queued for moderation by site administrators and will be published after approval.'));
       }
       return $edit['cid'];
@@ -981,7 +981,7 @@
 
       if ($order == COMMENT_ORDER_NEWEST_FIRST) {
         if ($mode == COMMENT_MODE_FLAT_COLLAPSED || $mode == COMMENT_MODE_FLAT_EXPANDED) {
-          $query .= ' ORDER BY c.timestamp DESC';
+          $query .= ' ORDER BY c.cid DESC';
         }
         else {
           $query .= ' ORDER BY c.thread DESC';
@@ -989,7 +989,7 @@
       }
       else if ($order == COMMENT_ORDER_OLDEST_FIRST) {
         if ($mode == COMMENT_MODE_FLAT_COLLAPSED || $mode == COMMENT_MODE_FLAT_EXPANDED) {
-          $query .= ' ORDER BY c.timestamp';
+          $query .= ' ORDER BY c.cid';
         }
         else {
 
@@ -1055,8 +1055,9 @@
       }
     }
 
-    // If enabled, show new comment form.
-    if (user_access('post comments') && node_comment_mode($nid) == COMMENT_NODE_READ_WRITE && (variable_get('comment_form_location', COMMENT_FORM_SEPARATE_PAGE) == COMMENT_FORM_BELOW)) {
+    // If enabled, show new comment form if it's not already being displayed.
+    $reply = arg(0) == 'comment' && arg(1) == 'reply';
+    if (user_access('post comments') && node_comment_mode($nid) == COMMENT_NODE_READ_WRITE && (variable_get('comment_form_location', COMMENT_FORM_SEPARATE_PAGE) == COMMENT_FORM_BELOW) && !$reply) {
       $output .= comment_form_box(array('nid' => $nid), t('Post new comment'));
     }
 
@@ -1231,7 +1232,7 @@
     }
     cache_clear_all();
     drupal_set_message(t('The update has been performed.'));
-    drupal_goto('admin/content/comment');
+    return 'admin/content/comment';
   }
 }
 
@@ -1565,10 +1566,6 @@
     $form['#after_build'] = array('comment_form_add_preview');
   }
 
-  if ($_REQUEST['destination']) {
-    $form['#attributes']['destination'] = $_REQUEST['destination'];
-  }
-
   if (empty($edit['cid']) && empty($edit['pid'])) {
     $form['#action'] = url('comment/reply/'. $edit['nid']);
   }
@@ -1627,7 +1624,8 @@
     $output .= theme('comment_view', $comment);
   }
   else {
-    $form['#suffix'] = node_view(node_load($edit['nid']));
+    $suffix = empty($form['#suffix']) ? '' : $form['#suffix'];
+    $form['#suffix'] = $suffix . node_view(node_load($edit['nid']));
     $edit['pid'] = 0;
   }
 
@@ -1658,7 +1656,7 @@
     // 2) Strip out all HTML tags
     // 3) Convert entities back to plain-text.
     // Note: format is checked by check_markup().
-    $form_values['subject'] = trim(truncate_utf8(decode_entities(strip_tags(check_markup($form_values['comment'], $form_values['format']))), 29, TRUE));
+    $form_values['subject'] = truncate_utf8(trim(decode_entities(strip_tags(check_markup($form_values['comment'], $form_values['format'])))), 29, TRUE);
     // Edge cases where the comment body is populated only by HTML tags will
     // require a default subject.
     if ($form_values['subject'] == '') {
@@ -1811,23 +1809,33 @@
 
 function theme_comment_post_forbidden($nid) {
   global $user;
-  if ($user->uid) {
-    return t("you can't post comments");
-  }
-  else {
-    // we cannot use drupal_get_destination() because these links sometimes appear on /node and taxo listing pages
-    if (variable_get('comment_form_location', COMMENT_FORM_SEPARATE_PAGE) == COMMENT_FORM_SEPARATE_PAGE) {
-      $destination = "destination=". drupal_urlencode("comment/reply/$nid#comment-form");
-    }
-    else {
-      $destination = "destination=". drupal_urlencode("node/$nid#comment-form");
-    }
+  static $authenticated_post_comments;
 
-    if (variable_get('user_register', 1)) {
-      return t('<a href="@login">Login</a> or <a href="@register">register</a> to post comments', array('@login' => url('user/login', $destination), '@register' => url('user/register', $destination)));
+  if (!$user->uid) {
+    if (!isset($authenticated_post_comments)) {
+      // We only output any link if we are certain, that users get permission
+      // to post comments by logging in. We also locally cache this information.
+      $authenticated_post_comments = array_key_exists(DRUPAL_AUTHENTICATED_RID, user_roles(TRUE, 'post comments') + user_roles(TRUE, 'post comments without approval'));
     }
-    else {
-      return t('<a href="@login">Login</a> to post comments', array('@login' => url('user/login', $destination)));
+
+    if ($authenticated_post_comments) {
+      // We cannot use drupal_get_destination() because these links
+      // sometimes appear on /node and taxonomy listing pages.
+      if (variable_get('comment_form_location', COMMENT_FORM_SEPARATE_PAGE) == COMMENT_FORM_SEPARATE_PAGE) {
+        $destination = 'destination='. drupal_urlencode("comment/reply/$nid#comment-form");
+      }
+      else {
+        $destination = 'destination='. drupal_urlencode("node/$nid#comment-form");
+      }
+
+      if (variable_get('user_register', 1)) {
+        // Users can register themselves.
+        return t('<a href="@login">Login</a> or <a href="@register">register</a> to post comments', array('@login' => url('user/login', $destination), '@register' => url('user/register', $destination)));
+      }
+      else {
+        // Only admins can add new users, no public registration.
+        return t('<a href="@login">Login</a> to post comments', array('@login' => url('user/login', $destination)));
+      }
     }
   }
 }
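Review bot: After this rewrite `theme_comment_post_forbidden()` falls off the end without a return for logged-in users and for anonymous visitors when the authenticated role cannot post, so the theme function yields NULL instead of a string on those paths. An explicit `return '';` as the last statement makes the empty output deliberate. The function also has no docblock. I would add one saying that it returns a login/register prompt for anonymous users when logging in would grant posting rights, and an empty string otherwise.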
diff -Naur drupal-5.2/modules/contact/contact.info drupal-5.23/modules/contact/contact.info
--- drupal-5.2/modules/contact/contact.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/contact/contact.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/contact/contact.module drupal-5.23/modules/contact/contact.module
--- drupal-5.2/modules/contact/contact.module	2007-06-05 09:18:05.000000000 +0200
+++ drupal-5.23/modules/contact/contact.module	2009-12-16 21:46:31.000000000 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: contact.module,v 1.74.2.1 2007/06/05 07:18:05 drumm Exp $
+// $Id: contact.module,v 1.74.2.3 2009/12/16 20:46:31 drumm Exp $
 
 /**
  * @file
@@ -27,7 +27,7 @@
         $menu_note = '';
       }
       $output .= '<p>'. t('The contact module also adds a <a href="@menu-settings">menu item</a> (disabled by default) to the navigation block.', array('@menu-settings' => url('admin/build/menu'))) .' '. $menu_note .'</p>';
-      return($output);
+      return $output;
   }
 }
 
@@ -145,7 +145,7 @@
   $result = db_query('SELECT cid, category, recipients, selected FROM {contact} ORDER BY weight, category');
   $rows = array();
   while ($category = db_fetch_object($result)) {
-    $rows[] = array($category->category, $category->recipients, ($category->selected ? t('Yes') : t('No')), l(t('edit'), 'admin/build/contact/edit/'. $category->cid), l(t('delete'), 'admin/build/contact/delete/'. $category->cid));
+    $rows[] = array(check_plain($category->category), check_plain($category->recipients), ($category->selected ? t('Yes') : t('No')), l(t('edit'), 'admin/build/contact/edit/'. $category->cid), l(t('delete'), 'admin/build/contact/delete/'. $category->cid));
   }
   $header = array(t('Category'), t('Recipients'), t('Selected'), array('data' => t('Operations'), 'colspan' => 2));
 
@@ -227,7 +227,7 @@
     db_query('UPDATE {contact} SET selected = 0');
   }
   $recipients = explode(',', $form_values['recipients']);
-  foreach ($recipients as $key=>$recipient) {
+  foreach ($recipients as $key => $recipient) {
     // E-mail address validation has already been done in _validate.
     $recipients[$key] = trim($recipient);
   }
@@ -547,6 +547,5 @@
   drupal_set_message(t('Your message has been sent.'));
 
   // Jump to home page rather than back to contact page to avoid contradictory messages if flood control has been activated.
-  return('');
+  return '';
 }
-
diff -Naur drupal-5.2/modules/drupal/drupal.info drupal-5.23/modules/drupal/drupal.info
--- drupal-5.2/modules/drupal/drupal.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/drupal/drupal.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/filter/filter.info drupal-5.23/modules/filter/filter.info
--- drupal-5.2/modules/filter/filter.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/filter/filter.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - required
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/filter/filter.module drupal-5.23/modules/filter/filter.module
--- drupal-5.2/modules/filter/filter.module	2007-06-05 09:29:14.000000000 +0200
+++ drupal-5.23/modules/filter/filter.module	2009-06-03 19:52:13.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: filter.module,v 1.160.2.2 2007/06/05 07:29:14 drumm Exp $
+// $Id: filter.module,v 1.160.2.14 2009/06/03 17:52:13 drumm Exp $
 
 /**
  * @file
@@ -159,9 +159,9 @@
         if ($allowed_html = variable_get("allowed_html_$format", '<a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>')) {
           switch ($long) {
             case 0:
-              return t('Allowed HTML tags') .': '. check_plain($allowed_html);
+              return t('Allowed HTML tags: @tags', array('@tags' => $allowed_html));
             case 1:
-              $output = '<p>'. t('Allowed HTML tags') .': '. check_plain($allowed_html) .'</p>';
+              $output = '<p>'. t('Allowed HTML tags: @tags', array('@tags' => $allowed_html)) .'</p>';
               if (!variable_get("filter_html_help_$format", 1)) {
                 return $output;
               }
@@ -604,6 +604,9 @@
 
   if (!empty($form)) {
     $form = system_settings_form($form);
+    $form['format'] = array('#type' => 'hidden', '#value' => $format);
+    $form['#submit']['system_settings_form_submit'] = array();
+    $form['#submit']['filter_admin_configure_submit'] = array();
   }
   else {
     $form['error'] = array('#value' => t('No settings are available.'));
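Review bot: The format ID is added as `'#type' => 'hidden'`, which sends it to the browser even though only the submit handler needs it. `$form['format'] = array('#type' => 'value', '#value' => $format);` keeps it on the server and is the type this diff already uses for `$form['roles']` in blogapi. If `system_settings_form_submit` stores every submitted value, this element would also be saved as a variable named `format`, which is worth checking. A comment above the two `#submit` lines should say that the handlers are re-declared so that the cache-clearing handler runs after the settings are saved. The enclosing function starts outside this hunk.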
@@ -613,6 +616,13 @@
 }
 
 /**
+ * Clear the filter's cache when configuration settings are saved.
+ */
+function filter_admin_configure_submit($form_id, $form_values) {
+  cache_clear_all($form_values['format'] .':', 'cache_filter', TRUE);
+}
+
+/**
  * Retrieve a list of input formats.
  */
 function filter_formats() {
@@ -699,13 +709,20 @@
   static $filters = array();
 
   if (!isset($filters[$format])) {
-    $filters[$format] = array();
     $result = db_query("SELECT * FROM {filters} WHERE format = %d ORDER BY weight ASC", $format);
-    while ($filter = db_fetch_object($result)) {
-      $list = module_invoke($filter->module, 'filter', 'list');
-      if (isset($list) && is_array($list) && isset($list[$filter->delta])) {
-        $filter->name = $list[$filter->delta];
-        $filters[$format][$filter->module .'/'. $filter->delta] = $filter;
+    if (db_num_rows($result) == 0 && !db_result(db_query("SELECT 1 FROM {filter_formats} WHERE format = %d", $format))) {
+      // The format has no filters and does not exist, use the default input
+      // format.
+      $filters[$format] = filter_list_format(variable_get('filter_default_format', 1));
+    }
+    else {
+      $filters[$format] = array();
+      while ($filter = db_fetch_object($result)) {
+        $list = module_invoke($filter->module, 'filter', 'list');
+        if (isset($list) && is_array($list) && isset($list[$filter->delta])) {
+          $filter->name = $list[$filter->delta];
+          $filters[$format][$filter->module .'/'. $filter->delta] = $filter;
+        }
       }
     }
   }
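Review bot: The fallback in the new `if` branch calls `filter_list_format()` again before `$filters[$format]` has been assigned. If `filter_default_format` itself names a format with no rows in `{filters}` and `{filter_formats}`, the call would recurse on the same argument without terminating. A guard such as `$default = variable_get('filter_default_format', 1);` followed by `$filters[$format] = ($format == $default) ? array() : filter_list_format($default);` keeps the fallback bounded. The function's signature and return statement are outside the hunk.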
@@ -930,13 +947,12 @@
         $output .= '<strong>'. $name .'</strong>:<br />';
       }
 
-      $tips = '';
-      foreach ($tiplist as $tip) {
-        $tips .= '<li'. ($long ? ' id="filter-'. str_replace("/", "-", $tip['id']) .'">' : '>') . $tip['tip'] . '</li>';
-      }
-
-      if ($tips) {
-        $output .= "<ul class=\"tips\">$tips</ul>";
+      if (count($tiplist) > 0) {
+        $output .= '<ul class="tips">';
+        foreach ($tiplist as $tip) {
+          $output .= '<li'. ($long ? ' id="filter-'. str_replace("/", "-", $tip['id']) .'">' : '>') . $tip['tip'] .'</li>';
+        }
+        $output .= '</ul>';
       }
 
       if ($multiple) {
@@ -1048,7 +1064,7 @@
     '#title' => t('Allowed HTML tags'),
     '#default_value' => variable_get("allowed_html_$format", '<a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>'),
     '#size' => 64,
-    '#maxlength' => 255,
+    '#maxlength' => 1024,
     '#description' => t('If "Strip disallowed tags" is selected, optionally specify tags which should not be stripped. JavaScript event attributes are always stripped.'),
   );
   $form['filter_html']["filter_html_help_$format"] = array(
@@ -1171,13 +1187,13 @@
  */
 function _filter_autop($text) {
   // All block level tags
-  $block = '(?:table|thead|tfoot|caption|colgroup|tbody|tr|td|th|div|dl|dd|dt|ul|ol|li|pre|select|form|blockquote|address|p|h[1-6])';
+  $block = '(?:table|thead|tfoot|caption|colgroup|tbody|tr|td|th|div|dl|dd|dt|ul|ol|li|pre|select|form|blockquote|address|p|h[1-6]|hr)';
 
   // Split at <pre>, <script>, <style> and </pre>, </script>, </style> tags.
   // We don't apply any processing to the contents of these tags to avoid messing
   // up code. We look for matched pairs and allow basic nesting. For example:
   // "processed <pre> ignored <script> ignored </script> ignored </pre> processed"
-  $chunks = preg_split('@(</?(?:pre|script|style)[^>]*>)@i', $text, -1, PREG_SPLIT_DELIM_CAPTURE);
+  $chunks = preg_split('@(</?(?:pre|script|style|object)[^>]*>)@i', $text, -1, PREG_SPLIT_DELIM_CAPTURE);
   // Note: PHP ensures the array consists of alternating delimiters and literals
   // and begins and ends with a literal (inserting NULL as required).
   $ignore = FALSE;
@@ -1234,7 +1250,7 @@
  * for scripts and styles.
  */
 function filter_xss_admin($string) {
-  return filter_xss($string, array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'div', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'img', 'ins', 'kbd', 'li', 'object', 'ol', 'p', 'param', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var'));
+  return filter_xss($string, array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'div', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'img', 'ins', 'kbd', 'li', 'ol', 'p', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var'));
 }
 
 /**
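Review bot: The allowlist passed to `filter_xss()` in `filter_xss_admin()` no longer contains `object` and `param`, but nothing next to the call records that the omission is deliberate, so a later edit could put them back. A one-line comment above the `return`, e.g. `// 'object' and 'param' are intentionally not allowed here: they can embed active content.`, would document it. The function's docblock begins outside the hunk and may need the same update.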
@@ -1259,6 +1275,11 @@
  *   The format to use.
  */
 function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) {
+  // Only operate on valid UTF-8 strings. This is necessary to prevent cross
+  // site scripting issues on Internet Explorer 6.
+  if (!drupal_validate_utf8($string)) {
+    return '';
+  }
   // Store the input format
   _filter_xss_split($allowed_tags, TRUE);
   // Remove NUL characters (ignored by some browsers)
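Review bot: The new early `return ''` at the top of `filter_xss()` means callers now get an empty string for any input that is not valid UTF-8, and the part of the docblock visible in the hunk does not say so. Adding a sentence to the return documentation, e.g. `An empty string is returned if $string is not valid UTF-8.`, would let callers tell a rejected input from a genuinely empty one. The docblock starts outside the hunk, so it could not be checked for existing wording.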
@@ -1280,7 +1301,7 @@
     (
     <(?=[^a-zA-Z!/])  # a lone <
     |                 # or
-    <[^>]*.(>|$)      # a string that starts with a <, up until the > or the end of the string
+    <[^>]*(>|$)       # a string that starts with a <, up until the > or the end of the string
     |                 # or
     >                 # just a >
     )%x', '_filter_xss_split', $string);
diff -Naur drupal-5.2/modules/forum/forum.info drupal-5.23/modules/forum/forum.info
--- drupal-5.2/modules/forum/forum.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/forum/forum.info	2010-08-11 22:46:30.000000000 +0200
@@ -5,8 +5,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/forum/forum.install drupal-5.23/modules/forum/forum.install
--- drupal-5.2/modules/forum/forum.install	2006-09-01 09:40:08.000000000 +0200
+++ drupal-5.23/modules/forum/forum.install	2008-07-06 02:07:13.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: forum.install,v 1.6 2006/09/01 07:40:08 drumm Exp $
+// $Id: forum.install,v 1.6.2.1 2008/07/06 00:07:13 drumm Exp $
 
 /**
  * Implementation of hook_install().
@@ -35,7 +35,6 @@
  */
 function forum_uninstall() {
   db_query('DROP TABLE {forum}');
-  db_query("DELETE FROM {node} WHERE type = 'forum'");
   variable_del('forum_containers');
   variable_del('forum_nav_vocabulary');
   variable_del('forum_hot_topic');
diff -Naur drupal-5.2/modules/forum/forum.module drupal-5.23/modules/forum/forum.module
--- drupal-5.2/modules/forum/forum.module	2007-05-31 07:58:17.000000000 +0200
+++ drupal-5.23/modules/forum/forum.module	2009-07-01 22:52:11.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: forum.module,v 1.375.2.5 2007/05/31 05:58:17 drumm Exp $
+// $Id: forum.module,v 1.375.2.9 2009/07/01 20:52:11 drumm Exp $
 
 /**
  * @file
@@ -89,11 +89,6 @@
         'type' => MENU_CALLBACK);
     }
   }
-  else {
-    // Add the CSS for this module
-    // We put this in !$may_cache so it's only added once per request
-    drupal_add_css(drupal_get_path('module', 'forum') .'/forum.css');
-  }
 
   return $items;
 }
@@ -292,6 +287,7 @@
  * Implementation of hook_view().
  */
 function forum_view(&$node, $teaser = FALSE, $page = FALSE) {
+  drupal_add_css(drupal_get_path('module', 'forum') .'/forum.css');
   if ($page) {
     $vocabulary = taxonomy_get_vocabulary(variable_get('forum_nav_vocabulary', ''));
     // Breadcrumb navigation
@@ -392,7 +388,7 @@
   $form['title'] = array('#type' => 'textfield', '#title' => check_plain($type->title_label), '#default_value' => $node->title, '#required' => TRUE, '#weight' => -5);
 
   if ($node->nid) {
-    $forum_terms = taxonomy_node_get_terms_by_vocabulary(_forum_get_vid(), $node->nid);
+    $forum_terms = taxonomy_node_get_terms_by_vocabulary($node->nid, _forum_get_vid());
     // if editing, give option to leave shadows
     $shadow = (count($forum_terms) > 1);
     $form['shadow'] = array('#type' => 'checkbox', '#title' => t('Leave shadow copy'), '#default_value' => $shadow, '#description' => t('If you move this topic, you can leave a link in the old forum to the new forum.'));
@@ -649,18 +645,8 @@
   return array('#type' => 'select', '#title' => $title, '#default_value' => $parent, '#options' => $options, '#description' => $description, '#required' => TRUE);
 }
 
-function forum_link_alter(&$node, &$links) {
-  foreach ($links as $module => $link) {
-    if (strstr($module, 'taxonomy_term')) {
-      // Link back to the forum and not the taxonomy term page. We'll only
-      // do this if the taxonomy term in question belongs to forums.
-      $tid = str_replace('taxonomy/term/', '', $link['href']);
-      $term = taxonomy_get_term($tid);
-      if ($term->vid == _forum_get_vid()) {
-        $links[$module]['href'] = str_replace('taxonomy/term', 'forum', $link['href']);
-      }
-    }
-  }
+function forum_term_path($term) {
+  return 'forum/'. $term->tid;
 }
 
 /**
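Review bot: `forum_term_path()` is added without a docblock, unlike the other functions visible in this file. It looks like a `hook_term_path()` implementation that takes over from the removed `forum_link_alter()`, which is worth stating where the function is defined. A short docblock along the lines of `Implementation of hook_term_path(): link forum terms to forum/<tid> instead of the taxonomy term page.` would do.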
@@ -847,6 +833,12 @@
  * Menu callback; prints a forum listing.
  */
 function forum_page($tid = 0) {
+  if (!is_numeric($tid)) {
+    return MENU_NOT_FOUND;
+  }
+  $tid = (int)$tid;
+
+  drupal_add_css(drupal_get_path('module', 'forum') .'/forum.css');
   $forum_per_page = variable_get('forum_per_page', 25);
   $sortby = variable_get('forum_order', 1);
 
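Review bot: The `is_numeric($tid)` guard at the top of `forum_page()` accepts more than term ids. Negative numbers, decimals and exponent notation such as `1e3` all pass and are then reduced by the `(int)` cast, so several different URLs can resolve to the same or an unintended forum. A digits-only test, `if (!preg_match('/^\d+$/', $tid)) { return MENU_NOT_FOUND; }`, rejects those and still accepts the default `0`. The rest of the function is outside the hunk.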
diff -Naur drupal-5.2/modules/help/help.info drupal-5.23/modules/help/help.info
--- drupal-5.2/modules/help/help.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/help/help.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/help/help.module drupal-5.23/modules/help/help.module
--- drupal-5.2/modules/help/help.module	2006-12-23 23:06:05.000000000 +0100
+++ drupal-5.23/modules/help/help.module	2007-10-16 08:57:22.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: help.module,v 1.69 2006/12/23 22:06:05 dries Exp $
+// $Id: help.module,v 1.69.2.1 2007/10/16 06:57:22 drumm Exp $
 
 /**
  * @file
@@ -126,9 +126,14 @@
       $output .= $temp;
     }
 
+    // Only print list of administration pages if the module in question has
+    // any such pages associated to it.
     $admin_tasks = system_get_module_admin_tasks($name);
-    ksort($admin_tasks);
-    $output .= theme('item_list', $admin_tasks, t('@module administration pages', array('@module' => $module['name'])));
+    if (!empty($admin_tasks)) {
+      ksort($admin_tasks);
+      $output .= theme('item_list', $admin_tasks, t('@module administration pages', array('@module' => $module['name'])));
+    }
+
   }
   return $output;
 }
diff -Naur drupal-5.2/modules/legacy/legacy.info drupal-5.23/modules/legacy/legacy.info
--- drupal-5.2/modules/legacy/legacy.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/legacy/legacy.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/legacy/legacy.module drupal-5.23/modules/legacy/legacy.module
--- drupal-5.2/modules/legacy/legacy.module	2006-11-21 21:14:18.000000000 +0100
+++ drupal-5.23/modules/legacy/legacy.module	2007-11-10 04:27:33.000000000 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: legacy.module,v 1.15 2006/11/21 20:14:18 dries Exp $
+// $Id: legacy.module,v 1.15.2.1 2007/11/10 03:27:33 drumm Exp $
 
 /**
  * @file
@@ -57,19 +57,19 @@
     // Map "node/view/52" to "node/52".
     $items[] = array('path' => 'node/view', 'title' => t('View'),
       'callback' => 'drupal_goto',
-      'callback arguments' => array('node/'. arg(2), NULL, NULL),
+      'callback arguments' => array('node/'. arg(2), NULL, NULL, 301),
       'access' => TRUE, 'type' => MENU_CALLBACK);
 
     // Map "book/view/52" to "node/52".
     $items[] = array('path' => 'book/view', 'title' => t('View'),
       'callback' => 'drupal_goto',
-      'callback arguments' => array('node/'. arg(2), NULL, NULL),
+      'callback arguments' => array('node/'. arg(2), NULL, NULL, 301),
       'access' => TRUE, 'type' => MENU_CALLBACK);
 
     // Map "user/view/52" to "user/52".
     $items[] = array('path' => 'user/view', 'title' => t('View'),
       'callback' => 'drupal_goto',
-      'callback arguments' => array('user/'. arg(2), NULL, NULL),
+      'callback arguments' => array('user/'. arg(2), NULL, NULL, 301),
       'access' => TRUE, 'type' => MENU_CALLBACK);
   }
 
diff -Naur drupal-5.2/modules/locale/locale.info drupal-5.23/modules/locale/locale.info
--- drupal-5.2/modules/locale/locale.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/locale/locale.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/locale/locale.install drupal-5.23/modules/locale/locale.install
--- drupal-5.2/modules/locale/locale.install	2006-11-14 07:20:40.000000000 +0100
+++ drupal-5.23/modules/locale/locale.install	2010-03-04 01:16:02.000000000 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: locale.install,v 1.7 2006/11/14 06:20:40 drumm Exp $
+// $Id: locale.install,v 1.7.2.1 2010/03/04 00:16:02 drumm Exp $
 
 /**
  * Implementation of hook_install().
@@ -85,3 +85,23 @@
   db_query('DROP TABLE {locales_source}');
   db_query('DROP TABLE {locales_target}');
 }
+
+/**
+ * Neutralize unsafe language names in the database.
+ */
+function locale_update_1() {
+  $ret = array();
+  $matches = db_result(db_query("SELECT 1 FROM {locales_meta} WHERE name LIKE '%<%' OR name LIKE '%>%'"));
+  if ($matches) {
+    $ret[] = update_sql("UPDATE {locales_meta} SET name = REPLACE(name, '<', '')");
+    $ret[] = update_sql("UPDATE {locales_meta} SET name = REPLACE(name, '>', '')");
+    drupal_set_message('The language name in English of all the existing custom languages of your site have been sanitized for security purposes. Visit the <a href="'. url('admin/settings/language') .'">Languages</a> page to check these and fix them if necessary.', 'warning');
+  }
+  // Check if some langcode values contain potentially dangerous characters and
+  // warn the user if so. These are not fixed since they are referenced in other
+  // tables (e.g. {node}).
+  if (db_result(db_query("SELECT 1 FROM {locales_meta} WHERE locale LIKE '%<%' OR locale LIKE '%>%' OR locale LIKE '%\"%' OR locale LIKE '%\\\\\%'"))) {
+    drupal_set_message('Some of your custom language code values contain invalid characters. You should examine the <a href="'. url('admin/settings/language') .'">Languages</a> page. These must be fixed manually.', 'error');
+  }
+  return $ret;
+}
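Review bot: The last `LIKE` pattern in the langcode check of `locale_update_1()`, `'%\\\\\%'`, passes through PHP double-quote escaping, SQL string escaping and `LIKE` escaping. It is hard to tell from the code which character it is meant to match (presumably a literal backslash) or whether it behaves the same on every supported database. A comment above the query, e.g. `// The final pattern is intended to match a literal backslash; it is escaped for PHP, the SQL string and LIKE.`, would make that checkable. Both `drupal_set_message()` texts are also plain strings rather than `t()` calls; if that is intentional for update functions, the comment could say so.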
diff -Naur drupal-5.2/modules/locale/locale.module drupal-5.23/modules/locale/locale.module
--- drupal-5.2/modules/locale/locale.module	2006-12-27 14:11:59.000000000 +0100
+++ drupal-5.23/modules/locale/locale.module	2010-03-04 01:16:02.000000000 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: locale.module,v 1.155 2006/12/27 13:11:59 drumm Exp $
+// $Id: locale.module,v 1.155.2.2 2010/03/04 00:16:02 drumm Exp $
 
 /**
  * @file
@@ -111,7 +111,7 @@
         'type' => MENU_CALLBACK);
       $items[] = array('path' => 'admin/settings/locale/string/delete/'. arg(5),
         'title' => t('Delete string'),
-        'callback' => 'locale_admin_string_delete',
+        'callback' => 'locale_admin_string_delete_page',
         'callback arguments' => array(arg(5)),
         'access' => $access,
         'type' => MENU_CALLBACK);
@@ -137,15 +137,17 @@
     if ($user->language == '') {
       $user->language = key($languages['name']);
     }
-    $languages['name'] = array_map('check_plain', array_map('t', $languages['name']));
+    foreach (array_map('t', $languages['name']) as $key => $value) {
+      $languages_name[check_plain($key)] = check_plain($value);
+    }
     $form['locale'] = array('#type' => 'fieldset',
       '#title' => t('Interface language settings'),
       '#weight' => 1,
     );
     $form['locale']['language'] = array('#type' => 'radios',
       '#title' => t('Language'),
-      '#default_value' => $user->language,
-      '#options' => $languages['name'],
+      '#default_value' => check_plain($user->language),
+      '#options' => $languages_name,
       '#description' => t('Selecting a different locale will change the interface language of the site.'),
     );
     return $form;
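Review bot: `$languages_name` is only assigned inside the new `foreach`, so when `$languages['name']` is empty the `#options` entry receives an undefined variable. Initialising it before the loop, `$languages_name = array();`, avoids that. Separately, the option keys now go through `check_plain()`, so a language code containing escapable characters would be submitted in its escaped form. Whether the code that stores `$user->language` expects that is outside the hunk.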
@@ -407,9 +409,29 @@
 }
 
 /**
- * Delete a string.
+ * String deletion confirmation page.
+ */
+function locale_admin_string_delete_page($lid) {
+  if ($source = db_fetch_object(db_query('SELECT * FROM {locales_source} WHERE lid = %d', $lid))) {
+    return drupal_get_form('locale_string_delete_form', $source);
+  }
+  else {
+    return drupal_not_found();
+  }
+}
+
+/**
+ * User interface for the string deletion confirmation screen.
+ */
+function locale_string_delete_form($source) {
+  $form['lid'] = array('#type' => 'value', '#value' => $source->lid);
+  return confirm_form($form, t('Are you sure you want to delete the string "%source"?', array('%source' => $source->source)), 'admin/build/translate/search', t('Deleting the string will remove all translations of this string in all languages. This action cannot be undone.'), t('Delete'), t('Cancel'));
+}
+
+/**
+ * Process string deletion submissions.
  */
-function locale_admin_string_delete($lid) {
+function locale_string_delete_form_submit($form_id, $form_values) {
   include_once './includes/locale.inc';
-  _locale_string_delete($lid);
+  _locale_string_delete($form_values['lid']);
 }
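Review bot: The cancel path passed to `confirm_form()` in `locale_string_delete_form()` is `'admin/build/translate/search'`, while the menu items this module registers in the earlier hunk live under `admin/settings/locale/string/...`. The Cancel link therefore probably points at a path that does not exist in this branch. `'admin/settings/locale/string/search'` looks like the intended target, to be confirmed against `locale_menu()`. `locale_string_delete_form_submit()` also returns nothing, so where the user lands after deletion depends on `_locale_string_delete()`, which is not shown.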
diff -Naur drupal-5.2/modules/menu/menu.info drupal-5.23/modules/menu/menu.info
--- drupal-5.2/modules/menu/menu.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/menu/menu.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/menu/menu.module drupal-5.23/modules/menu/menu.module
--- drupal-5.2/modules/menu/menu.module	2007-07-26 21:16:45.000000000 +0200
+++ drupal-5.23/modules/menu/menu.module	2009-02-26 07:56:26.000000000 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: menu.module,v 1.100.2.1 2007/07/26 19:16:45 drumm Exp $
+// $Id: menu.module,v 1.100.2.4 2009/02/26 06:56:26 drumm Exp $
 
 /**
  * @file
@@ -176,7 +176,7 @@
   if (isset($form['type']) && $form['type']['#value'] .'_node_form' == $form_id) {
     $item = array();
     if ($form['nid']['#value'] > 0) {
-      $item = db_fetch_array(db_query("SELECT * FROM {menu} WHERE path = 'node/%d'", $form['nid']['#value']));
+      $item = db_fetch_array(db_query("SELECT * FROM {menu} WHERE path = 'node/%d' ORDER BY mid", $form['nid']['#value']));
       if (isset($form['#post']['menu']) && is_array($form['#post']['menu'])) {
         $item = !is_array($item) ? $form['#post']['menu'] : (($form['#post']['op'] == t('Preview')) ? array_merge($item, $form['#post']['menu']) : array_merge($form['#post']['menu'], $item));
       }
@@ -357,6 +357,7 @@
     '#title' => t('Description'),
     '#default_value' => $item['description'],
     '#description' => t('The description displayed when hovering over a menu item.'),
+    '#maxlength' => 255,
   );
 
   if ($item['type'] & MENU_CREATED_BY_ADMIN) {
@@ -395,8 +396,9 @@
     '#description' => t('Optional. In the menu, the heavier items will sink and the lighter items will be positioned nearer the top.'),
   );
 
-  // Always enable menu items (but not menus) when editing them.
-  if (!($item['type'] & MENU_IS_ROOT)) {
+  // Always enable menu items (but not menus) when editing them, unless already
+  // conditionally visible.
+  if (!($item['type'] & (MENU_IS_ROOT | MENU_VISIBLE_IF_HAS_CHILDREN))) {
     $item['type'] |= MENU_VISIBLE_IN_TREE | MENU_VISIBLE_IN_BREADCRUMB;
   }
 
diff -Naur drupal-5.2/modules/node/content_types.inc drupal-5.23/modules/node/content_types.inc
--- drupal-5.2/modules/node/content_types.inc	2007-07-26 21:16:46.000000000 +0200
+++ drupal-5.23/modules/node/content_types.inc	2008-02-11 08:54:44.000000000 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: content_types.inc,v 1.24.2.2 2007/07/26 19:16:46 drumm Exp $
+// $Id: content_types.inc,v 1.24.2.4 2008/02/11 07:54:44 drumm Exp $
 
 /**
  * @file
@@ -226,9 +226,6 @@
 
   // Work out what the type was before the user submitted this form
   $old_type = trim($form_values['old_type']);
-  if (empty($old_type)) {
-    $old_type = $type->type;
-  }
 
   $types = node_get_types('names');
 
@@ -239,16 +236,18 @@
     if (!preg_match('!^[a-z0-9_]+$!', $type->type)) {
       form_set_error('type', t('The machine-readable name can only consist of lowercase letters, underscores, and numbers.'));
     }
-    // The type cannot be just the character '0', since elsewhere we check it using empty().
-    if ($type->type === '0') {
-      form_set_error('type', t("Invalid type. Please enter a type name other than '0' (the character zero)."));
+    // 'theme' conflicts with theme_node_form()
+    // 'add' and 'list' conflict with menu paths
+    // '0' is invalid, since elsewhere we check it using empty().
+    if (in_array($type->type, array('0', 'theme', 'add', 'list'))) {
+      form_set_error('type', t("Invalid machine-readable name. Please enter a name other than %invalid.", array('%invalid' => $type->type)));
     }
   }
 
   $names = array_flip($types);
 
   if (isset($names[$type->name]) && $names[$type->name] != $old_type) {
-    form_set_error('name', t('The human-readable name %name is already taken.', array('%name' => $names[$type->name])));
+    form_set_error('name', t('The human-readable name %name is already taken.', array('%name' => $type->name)));
   }
 }
 
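Review bot: The reserved-name test `in_array($type->type, array('0', 'theme', 'add', 'list'))` compares loosely, unlike the `=== '0'` check it replaces. Numeric-looking names such as `00` are therefore treated as equal to `'0'` and rejected as well. Passing the strict flag, `in_array($type->type, array('0', 'theme', 'add', 'list'), TRUE)`, restores exact matching. The validation function starts outside the hunk.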
diff -Naur drupal-5.2/modules/node/node.info drupal-5.23/modules/node/node.info
--- drupal-5.2/modules/node/node.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/node/node.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - required
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/node/node.module drupal-5.23/modules/node/node.module
--- drupal-5.2/modules/node/node.module	2007-07-26 21:16:46.000000000 +0200
+++ drupal-5.23/modules/node/node.module	2009-01-15 00:32:14.000000000 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: node.module,v 1.776.2.19 2007/07/26 19:16:46 drumm Exp $
+// $Id: node.module,v 1.776.2.33 2009/01/14 23:32:14 drumm Exp $
 
 /**
  * @file
@@ -139,7 +139,20 @@
 }
 
 /**
- * Automatically generate a teaser for a node body in a given format.
+ * Automatically generate a teaser for a node body.
+ *
+ * If the end of the teaser is not indicated using the <!--break--> delimiter
+ * then we try to end it at a sensible place, such as the end of a paragraph,
+ * a line break, or the end of a sentence (in that order of preference).
+ *
+ * @param $body
+ *   The content for which a teaser will be generated.
+ * @param $format
+ *   The format of the content. If the content contains PHP code, we do not
+ *   split it up to prevent parse errors. If the line break filter is present
+ *   then we treat newlines embedded in $body as line breaks.
+ * @return
+ *   The generated teaser.
  */
 function node_teaser($body, $format = NULL) {
 
@@ -169,40 +182,67 @@
   }
 
   // If we have a short body, the entire body is the teaser.
-  if (strlen($body) < $size) {
+  if (strlen($body) <= $size) {
     return $body;
   }
 
+  // If the delimiter has not been specified, try to split at paragraph or
+  // sentence boundaries.
+
   // The teaser may not be longer than maximum length specified. Initial slice.
   $teaser = truncate_utf8($body, $size);
-  $position = 0;
-  // Cache the reverse of the teaser.
+
+  // Store the actual length of the UTF8 string -- which might not be the same
+  // as $size.
+  $max_rpos = strlen($teaser);
+
+  // How much to cut off the end of the teaser so that it doesn't end in the
+  // middle of a paragraph, sentence, or word.
+  // Initialize it to maximum in order to find the minimum.
+  $min_rpos = $max_rpos;
+
+  // Store the reverse of the teaser.  We use strpos on the reversed needle and
+  // haystack for speed and convenience.
   $reversed = strrev($teaser);
 
-  // In some cases, no delimiter has been specified. In this case, we try to
-  // split at paragraph boundaries.
-  $breakpoints = array('</p>' => 0, '<br />' => 6, '<br>' => 4, "\n" => 1);
-  // We use strpos on the reversed needle and haystack for speed.
-  foreach ($breakpoints as $point => $offset) {
-    $length = strpos($reversed, strrev($point));
-    if ($length !== FALSE) {
-      $position = - $length - $offset;
-      return ($position == 0) ? $teaser : substr($teaser, 0, $position);
-    }
+  // Build an array of arrays of break points grouped by preference.
+  $break_points = array();
+
+  // A paragraph near the end of sliced teaser is most preferable.
+  $break_points[] = array('</p>' => 0);
+
+  // If no complete paragraph then treat line breaks as paragraphs.
+  $line_breaks = array('<br />' => 6, '<br>' => 4);
+  // Newline only indicates a line break if line break converter
+  // filter is present.
+  if (isset($filters['filter/2'])) {
+    $line_breaks["\n"] = 1;
   }
+  $break_points[] = $line_breaks;
+
+  // If the first paragraph is too long, split at the end of a sentence.
+  $break_points[] = array('. ' => 1, '! ' => 1, '? ' => 1, 'ã€‚' => 0, 'ØŸ ' => 1);
 
-  // When even the first paragraph is too long, we try to split at the end of
-  // the last full sentence.
-  $breakpoints = array('. ' => 1, '! ' => 1, '? ' => 1, 'ã€‚' => 0, 'ØŸ ' => 1);
-  $min_length = strlen($reversed);
-  foreach ($breakpoints as $point => $offset) {
-    $length = strpos($reversed, strrev($point));
-    if ($length !== FALSE) {
-      $min_length = min($length, $min_length);
-      $position = 0 - $length - $offset;
+  // Iterate over the groups of break points until a break point is found.
+  foreach ($break_points as $points) {
+    // Look for each break point, starting at the end of the teaser.
+    foreach ($points as $point => $offset) {
+      // The teaser is already reversed, but the break point isn't.
+      $rpos = strpos($reversed, strrev($point));
+      if ($rpos !== FALSE) {
+        $min_rpos = min($rpos + $offset, $min_rpos);
+      }
+    }
+
+    // If a break point was found in this group, slice and return the teaser.
+    if ($min_rpos !== $max_rpos) {
+      // Don't slice with length 0.  Length must be <0 to slice from RHS.
+      return ($min_rpos === 0) ? $teaser : substr($teaser, 0, 0 - $min_rpos);
     }
   }
-  return ($position == 0) ? $teaser : substr($teaser, 0, $position);
+
+  // If a break point was not found, still return a teaser.
+  return $teaser;
 }
 
 /**
@@ -519,7 +559,7 @@
   else {
     // Turn the conditions into a query.
     foreach ($param as $key => $value) {
-      $cond[] = 'n.'. db_escape_string($key) ." = '%s'";
+      $cond[] = 'n.'. db_escape_table($key) ." = '%s'";
       $arguments[] = $value;
     }
     $cond = implode(' AND ', $cond);
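Review bot: In the condition loop, `db_escape_table($key)` is applied to what is a column name, and the keys of `$param` still decide which column of `{node}` ends up in the `WHERE` clause. A short comment would make the intent clear, e.g. `// Keys are used as column names; db_escape_table() strips characters that are not valid in an identifier.`. If `$param` can ever be built from request data, checking the keys against the known `{node}` columns would be stricter than stripping characters. The surrounding function is outside the hunk.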
@@ -920,12 +960,22 @@
         $join2 .= ' LEFT JOIN {node_counter} nc ON nc.nid = i.sid';
         $total += $weight;
       }
-      $select2 = (count($ranking) ? implode(' + ', $ranking) : 'i.relevance') .' AS score';
 
-      // Do search
+      // When all search factors are disabled (ie they have a weight of zero),
+      // the default score is based only on keyword relevance and there is no need to
+      // adjust the score of each item.
+      if ($total == 0) {
+        $select2 = 'i.relevance AS score';
+        $total = 1;
+      }
+      else {
+        $select2 = implode(' + ', $ranking) . ' AS score';
+      }
+
+      // Do search.
       $find = do_search($keys, 'node', 'INNER JOIN {node} n ON n.nid = i.sid '. $join1 .' INNER JOIN {users} u ON n.uid = u.uid', $conditions1 . (empty($where1) ? '' : ' AND '. $where1), $arguments1, $select2, $join2, $arguments2);
 
-      // Load results
+      // Load results.
       $results = array();
       foreach ($find as $item) {
         // Build the node body.
@@ -933,9 +983,9 @@
         $node = node_build_content($node, FALSE, FALSE);
         $node->body = drupal_render($node->content);
 
-        // Fetch comments for snippet
+        // Fetch comments for snippet.
         $node->body .= module_invoke('comment', 'nodeapi', $node, 'update index');
-        // Fetch terms for snippet
+        // Fetch terms for snippet.
         $node->body .= module_invoke('taxonomy', 'nodeapi', $node, 'update index');
 
         $extra = node_invoke_nodeapi($node, 'search result');
@@ -1223,12 +1273,14 @@
           $items[] = array(
             'path' => 'node/'. arg(1) .'/revisions/'. arg(3) .'/delete',
             'callback' => 'node_revision_delete',
-            'callback arguments' => array(arg(1), arg(3)), 
+            'callback arguments' => array(arg(1), arg(3)),
+            'type' => MENU_CALLBACK,
           );
           $items[] = array(
             'path' => 'node/'. arg(1) .'/revisions/'. arg(3) .'/revert',
             'callback' => 'node_revision_revert',
-            'callback arguments' => array(arg(1), arg(3)), 
+            'callback arguments' => array(arg(1), arg(3)),
+            'type' => MENU_CALLBACK,
           );
         }
       }
@@ -1312,42 +1364,48 @@
  * Callback function for admin mass publishing nodes.
  */
 function node_operations_publish($nodes) {
-  db_query('UPDATE {node} SET status = 1 WHERE nid IN(%s)', implode(',', $nodes));
+  $placeholders = implode(',', array_fill(0, count($nodes), '%d'));
+  db_query('UPDATE {node} SET status = 1 WHERE nid IN('. $placeholders .')', $nodes);
 }
 
 /**
  * Callback function for admin mass unpublishing nodes.
  */
 function node_operations_unpublish($nodes) {
-  db_query('UPDATE {node} SET status = 0 WHERE nid IN(%s)', implode(',', $nodes));
+  $placeholders = implode(',', array_fill(0, count($nodes), '%d'));
+  db_query('UPDATE {node} SET status = 0 WHERE nid IN('. $placeholders .')', $nodes);
 }
 
 /**
  * Callback function for admin mass promoting nodes.
  */
 function node_operations_promote($nodes) {
-  db_query('UPDATE {node} SET status = 1, promote = 1 WHERE nid IN(%s)', implode(',', $nodes));
+  $placeholders = implode(',', array_fill(0, count($nodes), '%d'));
+  db_query('UPDATE {node} SET status = 1, promote = 1 WHERE nid IN('. $placeholders .')', $nodes);
 }
 
 /**
  * Callback function for admin mass demoting nodes.
  */
 function node_operations_demote($nodes) {
-  db_query('UPDATE {node} SET promote = 0 WHERE nid IN(%s)', implode(',', $nodes));
+  $placeholders = implode(',', array_fill(0, count($nodes), '%d'));
+  db_query('UPDATE {node} SET promote = 0 WHERE nid IN('. $placeholders .')', $nodes);
 }
 
 /**
  * Callback function for admin mass editing nodes to be sticky.
  */
 function node_operations_sticky($nodes) {
-  db_query('UPDATE {node} SET status = 1, sticky = 1 WHERE nid IN(%s)', implode(',', $nodes));
+  $placeholders = implode(',', array_fill(0, count($nodes), '%d'));
+  db_query('UPDATE {node} SET status = 1, sticky = 1 WHERE nid IN('. $placeholders .')', $nodes);
 }
 
 /**
  * Callback function for admin mass editing nodes to remove stickiness.
  */
 function node_operations_unsticky($nodes) {
-  db_query('UPDATE {node} SET sticky = 0 WHERE nid IN(%s)', implode(',', $nodes));
+  $placeholders = implode(',', array_fill(0, count($nodes), '%d'));
+  db_query('UPDATE {node} SET sticky = 0 WHERE nid IN('. $placeholders .')', $nodes);
 }
 
 /**
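Review bot: Each of the six rewritten `node_operations_*()` callbacks builds its placeholder list with `array_fill(0, count($nodes), '%d')`. For an empty `$nodes` that produces `IN()`, an invalid query, and older PHP versions also raise a warning from `array_fill()`. An early `if (empty($nodes)) { return; }` at the top of each callback avoids this. Whether the admin form can submit an empty selection is not visible here. The six bodies differ only in the `SET` clause, so a small private helper taking that clause would remove the repetition.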
@@ -1739,7 +1797,7 @@
   node_save($node);
 
   drupal_set_message(t('%title has been reverted back to the revision from %revision-date', array('%revision-date' => format_date($node->revision_timestamp), '%title' => $node->title)));
-  watchdog('content', t('@type: reverted %title revision %revision.', array('@type' => t($node->type), '%title' => $node->title, '%revision' => $revision)));
+  watchdog('content', t('@type: reverted %title revision %revision.', array('@type' => t($node->type), '%title' => $node->title, '%revision' => $node->vid)));
 
   return 'node/'. $node->nid .'/revisions';
 }
@@ -1874,7 +1932,7 @@
 
     // Allow modules to add additional item fields and/or modify $item
     $extra = node_invoke_nodeapi($item, 'rss item');
-    $extra = array_merge($extra, array(array('key' => 'pubDate', 'value' =>  date('r', $item->created)), array('key' => 'dc:creator', 'value' => $item->name), array('key' => 'guid', 'value' => $item->nid .' at '. $base_url, 'attributes' => array('isPermaLink' => 'false'))));
+    $extra = array_merge($extra, array(array('key' => 'pubDate', 'value' => gmdate('r', $item->created)), array('key' => 'dc:creator', 'value' => $item->name), array('key' => 'guid', 'value' => $item->nid .' at '. $base_url, 'attributes' => array('isPermaLink' => 'false'))));
     foreach ($extra as $element) {
       if ($element['namespace']) {
         $namespaces = array_merge($namespaces, $element['namespace']);
@@ -1902,7 +1960,7 @@
 
   $channel_defaults = array(
     'version'     => '2.0',
-    'title'       => variable_get('site_name', 'Drupal') .' - '. variable_get('site_slogan', ''),
+    'title'       => variable_get('site_name', 'Drupal') . (variable_get('site_slogan', '') ? ' - '. variable_get('site_slogan', '') : ''),
     'link'        => $base_url,
     'description' => variable_get('site_mission', ''),
     'language'    => $locale
@@ -1941,10 +1999,10 @@
     else {
       $node->uid = 0;
     }
-
-    $node->created = $node->date ? strtotime($node->date) : NULL;
   }
 
+  $node->created = !empty($node->date) ? strtotime($node->date) : time();
+
   // Do node-type-specific validation checks.
   node_invoke($node, 'submit');
   node_invoke_nodeapi($node, 'submit');
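Review bot: The result of `strtotime($node->date)` is stored in `$node->created` without a failure check, and the assignment now sits after the preceding conditional block rather than inside it, so it runs on every submission. `strtotime()` reports an unparseable string with FALSE (or -1 on older PHP), and that value would be saved as the creation time unless validation elsewhere has already rejected the input; no such validation is visible in this hunk. A guarded form would be `$created = !empty($node->date) ? strtotime($node->date) : FALSE;` followed by `$node->created = ($created === FALSE || $created == -1) ? time() : $created;`. The enclosing function starts and ends outside the hunk.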
@@ -1997,16 +2055,14 @@
 }
 
 function node_object_prepare(&$node) {
-  if (user_access('administer nodes')) {
-    // Set up default values, if required.
-    if (!isset($node->created)) {
-      $node->created = time();
-    }
-
-    if (!isset($node->date)) {
-      $node->date = format_date($node->created, 'custom', 'Y-m-d H:i:s O');
-    }
+  // Set up default values, if required.
+  if (!isset($node->created)) {
+    $node->created = time();
+  }
+  if (!isset($node->date)) {
+    $node->date = format_date($node->created, 'custom', 'Y-m-d H:i:s O');
   }
+
   node_invoke($node, 'prepare');
   node_invoke_nodeapi($node, 'prepare');
 }
@@ -2078,9 +2134,9 @@
     '#weight' => 20,
   );
   $form['author']['name'] = array('#type' => 'textfield', '#title' => t('Authored by'), '#maxlength' => 60, '#autocomplete_path' => 'user/autocomplete', '#default_value' => $node->name ? $node->name : '', '#weight' => -1, '#description' => t('Leave blank for %anonymous.', array('%anonymous' => variable_get('anonymous', t('Anonymous')))));
-  $form['author']['date'] = array('#type' => 'textfield', '#title' => t('Authored on'), '#maxlength' => 25, '#description' => t('Format: %time. Leave blank to use the time of form submission.', array('%time' => $node->date)));
+  $form['author']['date'] = array('#type' => 'textfield', '#title' => t('Authored on'), '#maxlength' => 25, '#description' => t('Format: %time. Leave blank to use the time of form submission.', array('%time' => !empty($node->date) ? $node->date : format_date($node->created, 'custom', 'Y-m-d H:i:s O'))));
 
-  if (isset($node->nid)) {
+  if (isset($node->date)) {
     $form['author']['date']['#default_value'] = $node->date;
   }
 
@@ -2109,6 +2165,14 @@
     $form['delete'] = array('#type' => 'button', '#value' => t('Delete'), '#weight' => 50);
   }
   $form['#after_build'] = array('node_form_add_preview');
+  // Ensure that node_validate() will always get called.
+  $form['#validate']['node_form_validate'] = array();
+  // Also, if the module defines its own _validate() routine based on the
+  // form_id, include that in the #validate array, as well.
+  $node_validate = $node->type .'_node_form_validate';
+  if (function_exists($node_validate)) {
+    $form['#validate'][$node_validate] = array();
+  }
   $form['#base'] = 'node_form';
   return $form;
 }
@@ -2205,7 +2269,7 @@
         $title = t('Add a new @s.', array('@s' => $type->name));
         $out = '<dt>'. l(drupal_ucfirst($type->name), "node/add/$type_url_str", array('title' => $title)) .'</dt>';
         $out .= '<dd>'. filter_xss_admin($type->description) .'</dd>';
-        $item[$type->type] = $out;
+        $item[$type->name] = $out;
       }
     }
 
@@ -2244,10 +2308,6 @@
       $node->picture = $user->picture;
     }
 
-    // Set the timestamps when needed:
-    if ($node->date) {
-      $node->created = strtotime($node->date);
-    }
     $node->changed = time();
 
     // Extract a teaser, if it hasn't been set (e.g. by a module-provided
@@ -2518,6 +2578,9 @@
     $node = node_build_content($node, FALSE, FALSE);
     $node->body = drupal_render($node->content);
 
+    // Allow modules to modify the fully-built node.
+    node_invoke_nodeapi($node, 'alter');
+
     $text = '<h1>'. check_plain($node->title) .'</h1>'. $node->body;
 
     // Fetch extra data normally not visible
@@ -2690,6 +2753,11 @@
 function node_access($op, $node = NULL) {
   global $user;
 
+  if (!$node || !in_array($op, array('view', 'update', 'delete', 'create'), TRUE)) {
+    // If there was no node to check against, or the $op was not one of the
+    // supported ones, we return access denied.
+    return FALSE;
+  }
   // Convert the node to an object if necessary:
   if ($op != 'create') {
     $node = (object)$node;
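Review bot: The new early return changes the contract of `node_access()` and should be recorded in its docblock, which lies outside this hunk. An empty `$node`, or any `$op` other than the four listed, now yields FALSE before the rest of the function runs. Suggested addition to the return description: `FALSE is also returned when $node is empty or $op is not one of 'view', 'update', 'delete', 'create'.` The inline comment could say the intent more directly, for example `// Fail closed: no node, or an unsupported $op, means access denied.` The function body continues past the end of the hunk.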
diff -Naur drupal-5.2/modules/path/path.info drupal-5.23/modules/path/path.info
--- drupal-5.2/modules/path/path.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/path/path.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/path/path.module drupal-5.23/modules/path/path.module
--- drupal-5.2/modules/path/path.module	2007-05-21 02:52:28.000000000 +0200
+++ drupal-5.23/modules/path/path.module	2009-01-14 06:59:09.000000000 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: path.module,v 1.105.2.1 2007/05/21 00:52:28 drumm Exp $
+// $Id: path.module,v 1.105.2.3 2009/01/14 05:59:09 drumm Exp $
 
 /**
  * @file
@@ -179,7 +179,7 @@
     '#type' => 'textfield',
     '#title' => t('Existing system path'),
     '#default_value' => $edit['src'],
-    '#maxlength' => 64,
+    '#maxlength' => 128,
     '#size' => 45,
     '#description' => t('Specify the existing path you wish to alias. For example: node/28, forum/1, taxonomy/term/1+2.'),
     '#field_prefix' => url(NULL, NULL, NULL, TRUE) . (variable_get('clean_url', 0) ? '' : '?q=')
@@ -187,7 +187,7 @@
   $form['dst'] = array(
     '#type' => 'textfield',
     '#default_value' => $edit['dst'],
-    '#maxlength' => 64,
+    '#maxlength' => 128,
     '#size' => 45,
     '#description' => t('Specify an alternative path by which this data can be accessed. For example, type "about" when writing an about page. Use a relative path and don\'t add a trailing slash or the URL alias won\'t work.'),
     '#field_prefix' => url(NULL, NULL, NULL, TRUE) . (variable_get('clean_url', 0) ? '' : '?q=')
@@ -211,7 +211,7 @@
  * than through the administrative interface.
  */
 function path_nodeapi(&$node, $op, $arg) {
-  if (user_access('create url aliases') || user_access('administer url aliases')) {
+  if (user_access('create url aliases') || user_access('administer url aliases') || ($op == 'load')) {
     switch ($op) {
       case 'validate':
         $node->path = trim($node->path);
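Review bot: The widened condition needs a comment, because `|| ($op == 'load')` turns a pure permission gate into one that a specific operation passes without either alias permission. Presumably the aim is that a node's alias is loaded for every user while the other operations stay restricted; if so, say it above the `if`: `// Loading the alias needs no permission; every other operation requires one of the alias permissions.` Without that, a later edit could add another `$op` to the same condition and skip the permission check unnoticed. Only the start of the function is inside the hunk.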
@@ -269,7 +269,7 @@
     $form['path']['path'] = array(
       '#type' => 'textfield',
       '#default_value' => $path,
-      '#maxlength' => 250,
+      '#maxlength' => 128,
       '#collapsible' => TRUE,
       '#collapsed' => TRUE,
       '#description' => t('Optionally specify an alternative URL by which this node can be accessed. For example, type "about" when writing an about page. Use a relative path and don\'t add a trailing slash or the URL alias won\'t work.'),
diff -Naur drupal-5.2/modules/ping/ping.info drupal-5.23/modules/ping/ping.info
--- drupal-5.2/modules/ping/ping.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/ping/ping.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/poll/poll.info drupal-5.23/modules/poll/poll.info
--- drupal-5.2/modules/poll/poll.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/poll/poll.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/poll/poll.module drupal-5.23/modules/poll/poll.module
--- drupal-5.2/modules/poll/poll.module	2007-07-26 21:16:48.000000000 +0200
+++ drupal-5.23/modules/poll/poll.module	2008-10-05 02:51:40.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: poll.module,v 1.222.2.1 2007/07/26 19:16:48 drumm Exp $
+// $Id: poll.module,v 1.222.2.5 2008/10/05 00:51:40 drumm Exp $
 
 /**
  * @file
@@ -217,6 +217,7 @@
 
   db_query("INSERT INTO {poll} (nid, runtime, active) VALUES (%d, %d, %d)", $node->nid, $node->runtime, $node->active);
 
+  $i = 0;
   foreach ($node->choice as $choice) {
     if ($choice['chtext'] != '') {
       db_query("INSERT INTO {poll_choices} (nid, chtext, chvotes, chorder) VALUES (%d, '%s', %d, %d)", $node->nid, $choice['chtext'], $choice['chvotes'], $i++);
@@ -283,15 +284,15 @@
 function poll_load($node) {
   global $user;
 
-  // Load the appropriate choices into the $node object
   $poll = db_fetch_object(db_query("SELECT runtime, active FROM {poll} WHERE nid = %d", $node->nid));
 
+  // Load the appropriate choices into the $poll object.
   $result = db_query("SELECT chtext, chvotes, chorder FROM {poll_choices} WHERE nid = %d ORDER BY chorder", $node->nid);
   while ($choice = db_fetch_array($result)) {
     $poll->choice[$choice['chorder']] = $choice;
   }
 
-  // Determine whether or not this user is allowed to vote
+  // Determine whether or not this user is allowed to vote.
   $poll->allowvotes = FALSE;
   if (user_access('vote on polls') && $poll->active) {
     if ($user->uid) {
@@ -327,10 +328,11 @@
 }
 
 function poll_page() {
-  // List all polls
-  $sql = "SELECT n.nid, n.title, p.active, n.created, SUM(c.chvotes) AS votes FROM {node} n INNER JOIN {poll} p ON n.nid = p.nid INNER JOIN {poll_choices} c ON n.nid = c.nid WHERE n.status = 1 GROUP BY n.nid, n.title, p.active, n.created ORDER BY n.created DESC";
-  $sql = db_rewrite_sql($sql);
-  $result = pager_query($sql, 15);
+  // List all polls.
+  $sql = db_rewrite_sql("SELECT n.nid, n.title, p.active, n.created, SUM(c.chvotes) AS votes FROM {node} n INNER JOIN {poll} p ON n.nid = p.nid INNER JOIN {poll_choices} c ON n.nid = c.nid WHERE n.status = 1 GROUP BY n.nid, n.title, p.active, n.created ORDER BY n.created DESC");
+  // Count all polls for the pager.
+  $count_sql = db_rewrite_sql('SELECT COUNT(*) FROM {node} n INNER JOIN {poll} p ON n.nid = p.nid WHERE n.status = 1');
+  $result = pager_query($sql, 15, 0, $count_sql);
   $output = '<ul>';
   while ($node = db_fetch_object($result)) {
     $output .= '<li>'. l($node->title, "node/$node->nid") .' - '. format_plural($node->votes, '1 vote', '@count votes') .' - '. ($node->active ? t('open') : t('closed')) .'</li>';
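Review bot: The count query in `$count_sql` joins only {node} and {poll}, while the listing query also inner-joins {poll_choices}, so the two can disagree. A published poll with no choice rows would be counted but never listed, leaving the pager with more items than the list shows. If that state cannot occur, a comment next to the count query would make the assumption explicit: `// Every poll has at least one {poll_choices} row, so the join is omitted from the count.` Otherwise the count should apply the same join and count distinct node ids. The function continues outside the hunk.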
@@ -627,18 +629,32 @@
  * Implementation of hook_update().
  */
 function poll_update($node) {
+  // Update poll settings.
   db_query('UPDATE {poll} SET runtime = %d, active = %d WHERE nid = %d', $node->runtime, $node->active, $node->nid);
 
+  // Clean poll choices.
   db_query('DELETE FROM {poll_choices} WHERE nid = %d', $node->nid);
-  db_query('DELETE FROM {poll_votes} WHERE nid = %d', $node->nid);
 
-  $i = 0;
-  foreach ($node->choice as $choice) {
-    $chvotes = (int)$choice['chvotes'];
+  // Poll choices come in the same order with the same numbers as they are in
+  // the database, but some might have an empty title, which signifies that
+  // they should be removed. We remove all votes to the removed options, so
+  // people who voted on them can vote again.
+  $new_chorder = 0;
+  foreach ($node->choice as $old_chorder => $choice) {
+    $chvotes = isset($choice['chvotes']) ? (int)$choice['chvotes'] : 0;
     $chtext = $choice['chtext'];
 
-    if ($chtext != '') {
-      db_query("INSERT INTO {poll_choices} (nid, chtext, chvotes, chorder) VALUES (%d, '%s', %d, %d)", $node->nid, $chtext, $chvotes, $i++);
+    if (!empty($chtext)) {
+      db_query("INSERT INTO {poll_choices} (nid, chtext, chvotes, chorder) VALUES (%d, '%s', %d, %d)", $node->nid, $chtext, $chvotes, $new_chorder);
+      if ($new_chorder != $old_chorder) {
+        // We can only remove items in the middle, not add, so
+        // new_chorder is always <= old_chorder, making this safe.
+        db_query("UPDATE {poll_votes} SET chorder = %d WHERE nid = %d AND chorder = %d", $new_chorder, $node->nid, $old_chorder);
+      }
+      $new_chorder++;
+    }
+    else {
+      db_query("DELETE FROM {poll_votes} WHERE nid = %d AND chorder = %d", $node->nid, $old_chorder);
     }
   }
 }
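Review bot: `if (!empty($chtext))` treats a choice whose text is the string "0" as empty, because `empty('0')` is true in PHP. Such a choice would be dropped on update and its votes removed by the `DELETE FROM {poll_votes}` branch, which the previous `$chtext != ''` test did not do. The insert path in an earlier hunk of this file still uses `$choice['chtext'] != ''`, so the two are now inconsistent. Keeping `if ($chtext != '') {` here preserves the old behaviour for "0" and matches the insert code.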
diff -Naur drupal-5.2/modules/profile/profile.info drupal-5.23/modules/profile/profile.info
--- drupal-5.2/modules/profile/profile.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/profile/profile.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/profile/profile.module drupal-5.23/modules/profile/profile.module
--- drupal-5.2/modules/profile/profile.module	2007-07-26 21:16:48.000000000 +0200
+++ drupal-5.23/modules/profile/profile.module	2009-01-14 06:38:52.000000000 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: profile.module,v 1.189.2.8 2007/07/26 19:16:48 drumm Exp $
+// $Id: profile.module,v 1.189.2.11 2009/01/14 05:38:52 drumm Exp $
 
 /**
  * @file
@@ -336,6 +336,14 @@
   if (db_result(db_query("SELECT fid FROM {profile_fields} WHERE name = '%s'". $query_suffix, $args2))) {
     form_set_error('name', t('The specified name is already in use.'));
   }
+  if ($form_values['visibility'] == PROFILE_HIDDEN) {
+    if ($form_values['required']) {
+      form_set_error('required', t('A hidden field cannot be required.'));
+    }
+    if ($form_values['register']) {
+      form_set_error('register', t('A hidden field cannot be set to visible on the user registration form.'));
+    }
+  }
 }
 
 /**
@@ -670,7 +678,7 @@
         break;
       case 'selection':
         $options = $field->required ? array() : array('--');
-        $lines = split("[,\n\r]", $field->options);
+        $lines = split("[\n\r]", $field->options);
         foreach ($lines as $line) {
           if ($line = trim($line)) {
             $options[$line] = $line;
@@ -742,7 +750,15 @@
 }
 
 function profile_categories() {
-  $result = db_query("SELECT DISTINCT(category) FROM {profile_fields}");
+  // Hide hidden profile fields from users that don't have permission to administer users.
+  // For these users, categories with only hidden profile fields will not be returned.
+  if (user_access('administer users')) {
+    $result = db_query("SELECT DISTINCT(category) FROM {profile_fields}");
+  }
+  else {
+    $result = db_query("SELECT DISTINCT(category) FROM {profile_fields} WHERE visibility <> %d", PROFILE_HIDDEN);
+  }
+
   while ($category = db_fetch_object($result)) {
     $data[] = array('name' => $category->category, 'title' => $category->category, 'weight' => 3);
   }
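Review bot: The visibility filter added here covers only the list of categories. It is worth confirming that the code which builds the form or page for a given category applies the same `visibility <> PROFILE_HIDDEN` condition for users without 'administer users'; that code is not in this hunk. If it does not, a category left out of this list could still be requested by name. Separately, `$data` is filled inside the loop without being initialised, so an empty result leaves it undefined; `$data = array();` before the `while` would fix that. The end of the function is outside the hunk.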
diff -Naur drupal-5.2/modules/search/search.info drupal-5.23/modules/search/search.info
--- drupal-5.2/modules/search/search.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/search/search.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/search/search.install drupal-5.23/modules/search/search.install
--- drupal-5.2/modules/search/search.install	2006-09-01 09:40:08.000000000 +0200
+++ drupal-5.23/modules/search/search.install	2007-09-30 03:13:23.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: search.install,v 1.6 2006/09/01 07:40:08 drumm Exp $
+// $Id: search.install,v 1.6.2.1 2007/09/30 01:13:23 drumm Exp $
 
 /**
  * Implementation of hook_install().
@@ -71,4 +71,5 @@
   db_query('DROP TABLE {search_total}');
   variable_del('minimum_word_size');
   variable_del('overlap_cjk');
+  variable_del('search_cron_limit');
 }
diff -Naur drupal-5.2/modules/search/search.module drupal-5.23/modules/search/search.module
--- drupal-5.2/modules/search/search.module	2007-07-26 21:16:48.000000000 +0200
+++ drupal-5.23/modules/search/search.module	2009-09-16 06:27:01.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: search.module,v 1.209.2.5 2007/07/26 19:16:48 drumm Exp $
+// $Id: search.module,v 1.209.2.7 2009/09/16 04:27:01 drumm Exp $
 
 /**
  * @file
@@ -1043,9 +1043,6 @@
     '#attributes' => array('title' => t('Enter the terms you wish to search for.')),
   );
   $form['submit'] = array('#type' => 'submit', '#value' => t('Search'));
-  // Always go to the search page since the search form is not guaranteed to be
-  // on every page.
-  $form['#action'] = url('search/node');
   $form['#base'] = 'search_box_form';
 
   return $form;
@@ -1055,6 +1052,17 @@
  * Process a block search form submission.
  */
 function search_box_form_submit($form_id, $form_values) {
+  // The search form relies on control of the redirect destination for its
+  // functionality, so we override any static destination set in the request,
+  // for example by drupal_access_denied() or drupal_not_found()
+  // (see http://drupal.org/node/292565).
+  if (isset($_REQUEST['destination'])) {
+    unset($_REQUEST['destination']);
+  }
+  if (isset($_REQUEST['edit']['destination'])) {
+    unset($_REQUEST['edit']['destination']);
+  }
+
   return 'search/node/'. trim($form_values[$form_id .'_keys']);
 }
 
diff -Naur drupal-5.2/modules/statistics/statistics.info drupal-5.23/modules/statistics/statistics.info
--- drupal-5.2/modules/statistics/statistics.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/statistics/statistics.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/system/system.info drupal-5.23/modules/system/system.info
--- drupal-5.2/modules/system/system.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/system/system.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - required
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/system/system.install drupal-5.23/modules/system/system.install
--- drupal-5.2/modules/system/system.install	2007-07-19 07:39:25.000000000 +0200
+++ drupal-5.23/modules/system/system.install	2009-03-22 20:55:22.000000000 +0100
@@ -1,9 +1,9 @@
 <?php
-// $Id: system.install,v 1.69.2.4 2007/07/19 05:39:25 drumm Exp $
+// $Id: system.install,v 1.69.2.12 2009/03/22 19:55:22 drumm Exp $
 
-define('DRUPAL_MINIMUM_PHP',    '4.3.3');
+define('DRUPAL_MINIMUM_PHP',    '4.3.5');
 define('DRUPAL_MINIMUM_MYSQL',  '3.23.17'); // If using MySQL
-define('DRUPAL_MINIMUM_PGSQL',  '7.3');  // If using PostgreSQL
+define('DRUPAL_MINIMUM_PGSQL',  '7.4');  // If using PostgreSQL
 
 /**
  * Test and report Drupal installation requirements.
@@ -40,6 +40,25 @@
     $requirements['php']['severity'] = REQUIREMENT_ERROR;
   }
 
+  // Test PHP register_globals setting.
+  $requirements['php_register_globals'] = array(
+    'title' => $t('PHP register globals'),
+  );
+  $register_globals = trim(ini_get('register_globals'));
+  // Unfortunately, ini_get() may return many different values, and we can't
+  // be certain which values mean 'on', so we instead check for 'not off'
+  // since we never want to tell the user that their site is secure
+  // (register_globals off), when it is in fact on. We can only guarantee
+  // register_globals is off if the value returned is 'off', '', or 0.
+  if (!empty($register_globals) && strtolower($register_globals) != 'off') {
+    $requirements['php_register_globals']['description'] = $t('<em>register_globals</em> is enabled. Drupal requires this configuration directive to be disabled. Your site may not be secure when <em>register_globals</em> is enabled. The PHP manual has instructions for <a href="http://php.net/configuration.changes">how to change configuration settings</a>.');
+    $requirements['php_register_globals']['severity'] = REQUIREMENT_ERROR;
+    $requirements['php_register_globals']['value'] = $t("Enabled ('@value')", array('@value' => $register_globals));
+  }
+  else {
+    $requirements['php_register_globals']['value'] = $t('Disabled');
+  }
+
   // Test DB version
   global $db_type;
   if (function_exists('db_status_report')) {
@@ -882,6 +901,8 @@
         UNIQUE (name)
       )");
 
+      db_query("SELECT setval('{role}_rid_seq',". max(DRUPAL_ANONYMOUS_RID,DRUPAL_AUTHENTICATED_RID) .")");
+
       db_query("CREATE TABLE {blocks_roles} (
         module varchar(64) NOT NULL,
         delta varchar(32) NOT NULL,
@@ -1236,7 +1257,7 @@
   }
 
   // Flush the menu cache:
-  cache_clear_all('menu:', TRUE);
+  cache_clear_all('*', 'cache_menu', TRUE);
 
   return $ret;
 }
@@ -1383,7 +1404,7 @@
     list(, $page, $op, $uid) = explode('/', $alias->src);
     if ($page == 'feed') {
       $new = "blog/$uid/feed";
-      update_sql("UPDATE {url_alias} SET src = '%s' WHERE pid = '%s'", $new, $alias->pid);
+      db_query("UPDATE {url_alias} SET src = '%s' WHERE pid = %d", $new, $alias->pid);
     }
   }
 
@@ -3027,7 +3048,7 @@
   switch ($GLOBALS['db_type']) {
     case 'mysql':
     case 'mysqli':
-      $ret[] = update_sql("ALTER TABLE {profile_fields} ADD autocomplete TINYint NOT NULL AFTER visibility ;");
+      $ret[] = update_sql("ALTER TABLE {profile_fields} ADD autocomplete TINYint NOT NULL AFTER visibility");
       break;
     case 'pgsql':
       db_add_column($ret, 'profile_fields', 'autocomplete', 'smallint', array('not null' => TRUE, 'default' => 0));
diff -Naur drupal-5.2/modules/system/system.module drupal-5.23/modules/system/system.module
--- drupal-5.2/modules/system/system.module	2007-07-26 21:16:48.000000000 +0200
+++ drupal-5.23/modules/system/system.module	2010-08-11 22:37:49.000000000 +0200
@@ -1,12 +1,12 @@
 <?php
-// $Id: system.module,v 1.440.2.15 2007/07/26 19:16:48 drumm Exp $
+// $Id: system.module,v 1.440.2.63 2010/08/11 20:37:49 drumm Exp $
 
 /**
  * @file
  * Configuration system that lets administrators modify the workings of the site.
  */
 
-define('VERSION', '5.2');
+define('VERSION', '5.23');
 
 /**
  * Implementation of hook_help().
@@ -16,7 +16,7 @@
 
   switch ($section) {
     case 'admin/help#system':
-      $output = '<p>'. t('The system module provides system-wide defaults such as running jobs at a particular time, and storing web pages to improve efficiency. The ability to run scheduled jobs makes administering the web site more usable, as administrators do not have to manually start jobs. The storing of web pages, or caching, allows the site to efficiently re-use web pages and improve web site performance. The settings module provides control over preferences, behaviours including visual and operational settings.') .'</p>';
+      $output = '<p>'. t('The system module provides system-wide defaults such as running jobs at a particular time, and storing web pages to improve efficiency. The ability to run scheduled jobs makes administering the web site more usable, as administrators do not have to manually start jobs. The storing of web pages, or caching, allows the site to efficiently re-use web pages and improve web site performance. The system module provides control over preferences, behaviours including visual and operational settings.') .'</p>';
       $output .= '<p>'. t('Some modules require regularly scheduled actions, such as cleaning up logfiles. Cron, which stands for chronograph, is a periodic command scheduler executing commands at intervals specified in seconds. It can be used to control the execution of daily, weekly and monthly jobs (or anything with a period measured in seconds). The aggregator module periodically updates feeds using cron. Ping periodically notifies services of new content on your site. Search periodically indexes the content on your site. Automating tasks is one of the best ways to keep a system running smoothly, and if most of your administration does not require your direct involvement, cron is an ideal solution. Cron can, if necessary, also be run manually.') .'</p>';
       $output .= '<p>'. t("There is a caching mechanism which stores dynamically generated web pages in a database. By caching a web page, the system module does not have to create the page each time someone wants to view it, instead it takes only one SQL query to display it, reducing response time and the server's load. Only pages requested by <em>anonymous</em> users are cached. In order to reduce server load and save bandwidth, the system module stores and sends cached pages compressed.") .'</p>';
       $output .= '<p>'. t('For more information please read the configuration and customization handbook <a href="@system">System page</a>.', array('@system' => 'http://drupal.org/handbook/modules/system/')) .'</p>';
@@ -458,7 +458,7 @@
   }
 }
 
-/*
+/**
  * Returns a fieldset containing the theme select form.
  *
  * @param $description
@@ -526,7 +526,7 @@
 
 function _system_zonelist() {
   $timestamp = time();
-  $zonelist = array(-11, -10, -9.5, -9, -8, -7, -6, -5, -4, -3.5, -3, -2, -1, 0, 1, 2, 3, 3.5, 4, 5, 5.5, 5.75, 6, 6.5, 7, 8, 9, 9.5, 10, 10.5, 11, 11.5, 12, 12.75, 13, 14);
+  $zonelist = array(-11, -10, -9.5, -9, -8, -7, -6, -5, -4.5, -4, -3.5, -3, -2.5, -2, -1, 0, 1, 2, 3, 3.5, 4, 5, 5.5, 5.75, 6, 6.5, 7, 8, 9, 9.5, 10, 10.5, 11, 11.5, 12, 12.75, 13, 14);
   $zones = array();
   foreach ($zonelist as $offset) {
     $zone = $offset * 3600;
@@ -658,7 +658,7 @@
   sort($problem_modules);
 
   if (count($problem_modules) > 0) {
-    $description .= '<p>'. t('<strong class="error">The following enabled modules are incompatible with aggressive mode caching and will not function properly: %modules</strong>', array('%modules' => implode(', ', $problem_modules))) .'.</p>';
+    $description .= '<p>'. t('<strong class="error">The following enabled modules are incompatible with aggressive mode caching and might not function properly: %modules</strong>', array('%modules' => implode(', ', $problem_modules))) .'.</p>';
   }
   else {
     $description .= '<p>'. t('<strong class="ok">Currently, all enabled modules are compatible with the aggressive caching policy.</strong> Please note, if you use aggressive caching and enable new modules, you will need to check this page again to ensure compatibility.') .'</p>';
@@ -1246,6 +1246,9 @@
 function system_modules($form_values = NULL) {
   // Get current list of modules.
   $files = module_rebuild_cache();
+
+  uasort($files, 'system_sort_modules_by_info_name');
+
   if ($confirm_form = system_modules_confirm_form($files, $form_values)) {
     return $confirm_form;
   }
@@ -1368,6 +1371,10 @@
   return $form;
 }
 
+function system_sort_modules_by_info_name($a, $b) {
+  return strcasecmp($a->info['name'], $b->info['name']);
+}
+
 /**
  * Form process callback function to disable check boxes.
  */
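Review bot: `system_sort_modules_by_info_name()` is added without a docblock, unlike the functions around it. A one-line header such as `/** Array sorting callback; sorts modules by their .info name, case-insensitively. */` would do. The function also reads `$a->info['name']` directly, so a module whose .info data has no name entry would raise a notice during the sort; whether that can occur is not visible here.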
@@ -1425,11 +1432,11 @@
 function system_module_build_dependencies($modules, $form_values) {
   static $dependencies;
 
-  if (!isset($dependencies) && isset($form_values)) {
+  if (!isset($dependencies) && isset($form_values) && is_array($form_values)) {
     $dependencies = array();
     foreach ($modules as $name => $module) {
       // If the module is disabled, will be switched on and it has dependencies.
-      if (!$module->status && $form_values['status'][$name] && isset($module->info['dependencies'])) {
+      if (!$module->status && isset($form_values['status'][$name]) && $form_values['status'][$name] && isset($module->info['dependencies'])) {
         foreach ($module->info['dependencies'] as $dependency) {
           if (!$form_values['status'][$dependency] && isset($modules[$dependency])) {
             if (!isset($dependencies[$name])) {
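Review bot: The `isset()` guard added for `$form_values['status'][$name]` is not applied to the dependency lookup two lines below it. `!$form_values['status'][$dependency]` is still read unguarded, so a dependency missing from the submitted values raises the same undefined-index notice this change removes for `$name`. `if (empty($form_values['status'][$dependency]) && isset($modules[$dependency])) {` gives the same truth value without the notice. The function starts inside the hunk but ends outside it.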
@@ -2116,12 +2123,12 @@
  * Output a confirmation form
  *
  * This function returns a complete form for confirming an action. A link is
- * offered to go back to the item that is being changed in case the user changes
- * his/her mind.
+ * offered to go back to the item that is being changed in case the user 
+ * changes his/her mind.
  *
- * You can check for the existence of $_POST[$name] (where $name
- * is usually 'confirm') to check if the confirmation was successful or
- * use the regular submit model.
+ * If the submit handler for this form is invoked, the user successfully
+ * confirmed the action. You should never directly inspect $_POST to see if an
+ * action was confirmed.
  *
  * @param $form
  *   Additional elements to inject into the form, for example hidden elements.
@@ -2364,7 +2371,7 @@
     }
   }
 
-  $output = '<div class="admin">';
+  $output = '<div class="admin clear-block">';
   foreach ($container as $id => $data) {
     $output .= '<div class="'. $id .' clear-block">';
     $output .= $data;
diff -Naur drupal-5.2/modules/taxonomy/taxonomy.info drupal-5.23/modules/taxonomy/taxonomy.info
--- drupal-5.2/modules/taxonomy/taxonomy.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/taxonomy/taxonomy.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/taxonomy/taxonomy.module drupal-5.23/modules/taxonomy/taxonomy.module
--- drupal-5.2/modules/taxonomy/taxonomy.module	2007-07-26 21:16:49.000000000 +0200
+++ drupal-5.23/modules/taxonomy/taxonomy.module	2009-07-10 07:47:16.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: taxonomy.module,v 1.330.2.10 2007/07/26 19:16:49 drumm Exp $
+// $Id: taxonomy.module,v 1.330.2.21 2009/07/10 05:47:16 drumm Exp $
 
 /**
  * @file
@@ -57,7 +57,6 @@
  * @return
  *   An internal Drupal path.
  */
-
 function taxonomy_term_path($term) {
   $vocabulary = taxonomy_get_vocabulary($term->vid);
   if ($vocabulary->module != 'taxonomy' && $path = module_invoke($vocabulary->module, 'term_path', $term)) {
@@ -621,12 +620,13 @@
  */
 function taxonomy_form($vid, $value = 0, $help = NULL, $name = 'taxonomy') {
   $vocabulary = taxonomy_get_vocabulary($vid);
-  $help = ($help) ? $help : $vocabulary->help;
-  if ($vocabulary->required) {
-    $blank = 0;
+  $help = ($help) ? $help : filter_xss_admin($vocabulary->help);
+
+  if (!$vocabulary->multiple) {
+    $blank = ($vocabulary->required) ? t('- Please choose -') : t('- None selected -');
   }
   else {
-    $blank = '<'. t('none') .'>';
+    $blank = ($vocabulary->required) ? 0 : t('- None -');
   }
 
   return _taxonomy_term_select(check_plain($vocabulary->name), $name, $value, $vid, $help, intval($vocabulary->multiple), $blank);
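Review bot: A caller-supplied `$help` still reaches `_taxonomy_term_select()` unfiltered, because the new first line of `taxonomy_form()` applies `filter_xss_admin()` only to the `$vocabulary->help` fallback. The docblock above the function (outside this hunk) should say so, for example `The help text to display. MUST be sanitized by the caller; only the vocabulary default is filtered here.` A one-line comment on the `$blank` assignment would also help, explaining that `0` suppresses the blank option for required multiple-select vocabularies; that is only apparent from the `if ($blank)` test in `_taxonomy_term_select()`.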
@@ -717,7 +717,7 @@
         $typed_string = implode(', ', $typed_terms) . (array_key_exists('tags', $terms) ? $terms['tags'][$vocabulary->vid] : NULL);
 
         if ($vocabulary->help) {
-          $help = $vocabulary->help;
+          $help = filter_xss_admin($vocabulary->help);
         }
         else {
           $help = t('A comma-separated list of terms describing this content. Example: funny, bungee jumping, "Company, Inc.".');
@@ -729,7 +729,7 @@
           '#default_value' => $typed_string,
           '#autocomplete_path' => 'taxonomy/autocomplete/'. $vocabulary->vid,
           '#weight' => $vocabulary->weight,
-          '#maxlength' => 255,
+          '#maxlength' => 1024,
         );
       }
       else {
@@ -740,7 +740,7 @@
             $default_terms[$term->tid] = $term;
           }
         }
-        $form['taxonomy'][$vocabulary->vid] = taxonomy_form($vocabulary->vid, array_keys($default_terms), $vocabulary->help);
+        $form['taxonomy'][$vocabulary->vid] = taxonomy_form($vocabulary->vid, array_keys($default_terms), filter_xss_admin($vocabulary->help));
         $form['taxonomy'][$vocabulary->vid]['#weight'] = $vocabulary->weight;
         $form['taxonomy'][$vocabulary->vid]['#required'] = $vocabulary->required;
       }
@@ -1073,6 +1073,7 @@
     else {
       $result = db_query(db_rewrite_sql("SELECT t.tid, COUNT(n.nid) AS c FROM {term_node} t INNER JOIN {node} n ON t.nid = n.nid WHERE n.status = 1 AND n.type = '%s' GROUP BY t.tid"), $type);
     }
+    $count[$type] = array();
     while ($term = db_fetch_object($result)) {
       $count[$type][$term->tid] = $term->c;
     }
@@ -1121,7 +1122,7 @@
  *   An array of matching term objects.
  */
 function taxonomy_get_term_by_name($name) {
-  $db_result = db_query(db_rewrite_sql("SELECT t.tid, t.* FROM {term_data} t WHERE LOWER('%s') LIKE LOWER(t.name)", 't', 'tid'), trim($name));
+  $db_result = db_query(db_rewrite_sql("SELECT t.tid, t.* FROM {term_data} t WHERE LOWER('%s') = LOWER(t.name)", 't', 'tid'), trim($name));
   $result = array();
   while ($term = db_fetch_object($db_result)) {
     $result[] = $term;
@@ -1176,12 +1177,41 @@
   return $terms[$tid];
 }
 
+/**
+ * Create a select form element for a given taxonomy vocabulary.
+ *
+ * NOTE: This function expects input that has already been sanitized and is
+ * safe for display. Callers must properly sanitize the $title and
+ * $description arguments to prevent XSS vulnerabilities.
+ *
+ * @param $title
+ *   The title of the vocabulary. This MUST be sanitized by the caller.
+ * @param $name
+ *   Ignored.
+ * @param $value
+ *   The currently selected terms from this vocabulary, if any.
+ * @param $vocabulary_id
+ *   The vocabulary ID to build the form element for.
+ * @param $description
+ *   Help text for the form element. This MUST be sanitized by the caller.
+ * @param $multiple
+ *   Boolean to control if the form should use a single or multiple select.
+ * @param $blank
+ *   Optional form choice to use when no value has been selected.
+ * @param $exclude
+ *   Optional array of term ids to exclude in the selector.
+ * @return
+ *   A FAPI form array to select terms from the given vocabulary.
+ *
+ * @see taxonomy_form()
+ * @see taxonomy_form_term()
+ */
 function _taxonomy_term_select($title, $name, $value, $vocabulary_id, $description, $multiple, $blank, $exclude = array()) {
   $tree = taxonomy_get_tree($vocabulary_id);
   $options = array();
 
   if ($blank) {
-    $options[0] = $blank;
+    $options[''] = $blank;
   }
   if ($tree) {
     foreach ($tree as $term) {
@@ -1191,10 +1221,6 @@
         $options[] = $choice;
       }
     }
-    if (!$blank && !$value) {
-      // required but without a predefined value, so set first as predefined
-      $value = $tree[0]->tid;
-    }
   }
 
   return array('#type' => 'select',
@@ -1248,16 +1274,20 @@
     }
 
     if ($operator == 'or') {
-      $str_tids = implode(',', call_user_func_array('array_merge', $descendant_tids));
-      $sql = 'SELECT DISTINCT(n.nid), n.sticky, n.title, n.created FROM {node} n INNER JOIN {term_node} tn ON n.nid = tn.nid WHERE tn.tid IN ('. $str_tids .') AND n.status = 1 ORDER BY '. $order;
-      $sql_count = 'SELECT COUNT(DISTINCT(n.nid)) FROM {node} n INNER JOIN {term_node} tn ON n.nid = tn.nid WHERE tn.tid IN ('. $str_tids .') AND n.status = 1';
+      $args = call_user_func_array('array_merge', $descendant_tids);
+      $placeholders = implode(',', array_fill(0, count($args), '%d'));
+      $sql = 'SELECT DISTINCT(n.nid), n.sticky, n.title, n.created FROM {node} n INNER JOIN {term_node} tn ON n.nid = tn.nid WHERE tn.tid IN ('. $placeholders .') AND n.status = 1 ORDER BY '. $order;
+      $sql_count = 'SELECT COUNT(DISTINCT(n.nid)) FROM {node} n INNER JOIN {term_node} tn ON n.nid = tn.nid WHERE tn.tid IN ('. $placeholders .') AND n.status = 1';
     }
     else {
       $joins = '';
       $wheres = '';
+      $args = array();
       foreach ($descendant_tids as $index => $tids) {
         $joins .= ' INNER JOIN {term_node} tn'. $index .' ON n.nid = tn'. $index .'.nid';
-        $wheres .= ' AND tn'. $index .'.tid IN ('. implode(',', $tids) .')';
+        $placeholders = implode(',', array_fill(0, count($tids), '%d'));
+        $wheres .= ' AND tn'. $index .'.tid IN ('. $placeholders .')';
+        $args = array_merge($args, $tids);
       }
       $sql = 'SELECT DISTINCT(n.nid), n.sticky, n.title, n.created FROM {node} n '. $joins .' WHERE n.status = 1 '. $wheres .' ORDER BY '. $order;
       $sql_count = 'SELECT COUNT(DISTINCT(n.nid)) FROM {node} n '. $joins .' WHERE n.status = 1 '. $wheres;
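Review bot: `$order` is still concatenated into `ORDER BY` in both branches while the term ids move to `%d` placeholders, so the statement is only as safe as whatever is passed for that value. Its origin is outside this hunk; if it is a function parameter, document that it must be a fixed column list and never request data, e.g. `// $order is inserted verbatim: callers must pass a trusted constant.` Separately, if `$descendant_tids` can ever be empty the `or` branch would build `IN ()`. A guard is presumably earlier in the function, which starts before this hunk.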
@@ -1265,10 +1295,10 @@
     $sql = db_rewrite_sql($sql);
     $sql_count = db_rewrite_sql($sql_count);
     if ($pager) {
-      $result = pager_query($sql, variable_get('default_nodes_main', 10), 0, $sql_count);
+      $result = pager_query($sql, variable_get('default_nodes_main', 10), 0, $sql_count, $args);
     }
     else {
-      $result = db_query_range($sql, 0, variable_get('feed_default_items', 10));
+      $result = db_query_range($sql, $args, 0, variable_get('feed_default_items', 10));
     }
   }
 
@@ -1369,7 +1399,8 @@
   }
 
   if ($terms['tids']) {
-    $result = db_query(db_rewrite_sql('SELECT t.tid, t.name FROM {term_data} t WHERE t.tid IN (%s)', 't', 'tid'), implode(',', $terms['tids']));
+    $placeholders = implode(',', array_fill(0, count($terms['tids']), '%d'));
+    $result = db_query(db_rewrite_sql('SELECT t.tid, t.name FROM {term_data} t WHERE t.tid IN ('. $placeholders .')', 't', 'tid'), $terms['tids']);
     $tids = array(); // we rebuild the $tids-array so it only contains terms the user has access to.
     $names = array();
     while ($term = db_fetch_object($result)) {
diff -Naur drupal-5.2/modules/throttle/throttle.info drupal-5.23/modules/throttle/throttle.info
--- drupal-5.2/modules/throttle/throttle.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/throttle/throttle.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/tracker/tracker.info drupal-5.23/modules/tracker/tracker.info
--- drupal-5.2/modules/tracker/tracker.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/tracker/tracker.info	2010-08-11 22:46:30.000000000 +0200
@@ -5,8 +5,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/upload/upload.info drupal-5.23/modules/upload/upload.info
--- drupal-5.2/modules/upload/upload.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/upload/upload.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/upload/upload.module drupal-5.23/modules/upload/upload.module
--- drupal-5.2/modules/upload/upload.module	2007-03-07 04:27:24.000000000 +0100
+++ drupal-5.23/modules/upload/upload.module	2010-08-11 22:37:49.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: upload.module,v 1.148.2.1 2007/03/07 03:27:24 drumm Exp $
+// $Id: upload.module,v 1.148.2.6 2010/08/11 20:37:49 drumm Exp $
 
 /**
  * @file
@@ -117,7 +117,7 @@
   $default_uploadsize = $form_values['upload_uploadsize_default'];
   $default_usersize = $form_values['upload_usersize_default'];
 
-  $exceed_max_msg = t('Your PHP settings limit the maximum file size per upload to %size MB.', array('%size' => file_upload_max_size())).'<br/>';
+  $exceed_max_msg = t('Your PHP settings limit the maximum file size per upload to %size.', array('%size' => format_size(file_upload_max_size()))).'<br/>';
   $more_info = t("Depending on your sever environment, these settings may be changed in the system-wide php.ini file, a php.ini file in your Drupal root directory, in your Drupal site's settings.php file, or in the .htaccess file in your Drupal root directory.");
 
   if (!is_numeric($default_uploadsize) || ($default_uploadsize <= 0)) {
@@ -126,7 +126,7 @@
   if (!is_numeric($default_usersize) || ($default_usersize <= 0)) {
     form_set_error('upload_usersize_default', t('The %role file size limit must be a number and greater than zero.', array('%role' => t('default'))));
   }
-  if ($default_uploadsize > file_upload_max_size()) {
+  if ($default_uploadsize * 1024 * 1024 > file_upload_max_size()) {
    form_set_error('upload_uploadsize_default', $exceed_max_msg . $more_info);
    $more_info = '';
   }
@@ -144,7 +144,7 @@
     if (!is_numeric($usersize) || ($usersize <= 0)) {
       form_set_error('upload_usersize_'. $rid, t('The %role file size limit must be a number and greater than zero.', array('%role' => $role)));
     }
-    if ($uploadsize > file_upload_max_size()) {
+    if ($uploadsize * 1024 * 1024 > file_upload_max_size()) {
      form_set_error('upload_uploadsize_'. $rid, $exceed_max_msg . $more_info);
      $more_info = '';
     }
@@ -158,7 +158,7 @@
  * Menu callback for the upload settings form.
  */
 function upload_admin_settings() {
-  $upload_extensions_default = variable_get('upload_extensions_default', 'jpg jpeg gif png txt html doc xls pdf ppt pps odt ods odp');
+  $upload_extensions_default = variable_get('upload_extensions_default', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp');
   $upload_uploadsize_default = variable_get('upload_uploadsize_default', 1);
   $upload_usersize_default = variable_get('upload_usersize_default', 1);
 
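Review bot: Dropping `html` from the fallback list changes nothing for a site that already has `upload_extensions_default` or a per-role `upload_extensions_$rid` value stored, since `variable_get()` uses its second argument only when no value exists. Those sites keep accepting `.html` uploads until the stored lists are reviewed, which deserves a release note or an update step. The same literal is repeated in the hunks at `@@ -421,7 +422,7 @@` and `@@ -641,7 +642,7 @@`. Defining it once, e.g. `define('UPLOAD_DEFAULT_EXTENSIONS', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp');`, would keep the three copies from drifting.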
@@ -259,9 +259,15 @@
 }
 
 function upload_file_download($file) {
-  $file = file_create_path($file);
-  $result = db_query("SELECT f.* FROM {files} f WHERE filepath = '%s'", $file);
-  if ($file = db_fetch_object($result)) {
+  $filepath = file_create_path($file);
+  $result = db_query("SELECT f.* FROM {files} f WHERE filepath = '%s'", $filepath);
+  while ($file = db_fetch_object($result)) {
+    if ($filepath !== $file->filepath) {
+      // Since some database servers sometimes use a case-insensitive
+      // comparison by default, double check that the filename is an exact
+      // match.
+      continue;
+    }
     if (user_access('view uploaded files')) {
       $node = node_load($file->nid);
       if (node_access('view', $node)) {
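Review bot: `upload_file_download()` has no docblock, and after this change its three outcomes are easy to misread. It apparently returns a header array for an exact-path row the user may view, returns `-1` for an exact-path row that fails `user_access()` or `node_access()` (the `return -1;` is in the next hunk), and returns nothing when no row matches exactly. A short docblock stating those three cases would help. It should also note that the first exact match decides the result, because `return -1;` sits inside the `while` loop.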
@@ -271,13 +277,8 @@
           'Content-Length: '. $file->filesize,
         );
       }
-      else {
-        return -1;
-      }
-    }
-    else {
-      return -1;
     }
+    return -1;
   }
 }
 
@@ -421,7 +422,7 @@
           $total_usersize = upload_space_used($user->uid) + $filesize;
           $error = array();
           foreach ($user->roles as $rid => $name) {
-            $extensions = variable_get("upload_extensions_$rid", variable_get('upload_extensions_default', 'jpg jpeg gif png txt html doc xls pdf ppt pps odt ods odp'));
+            $extensions = variable_get("upload_extensions_$rid", variable_get('upload_extensions_default', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp'));
             $uploadsize = variable_get("upload_uploadsize_$rid", variable_get('upload_uploadsize_default', 1)) * 1024 * 1024;
             $usersize = variable_get("upload_usersize_$rid", variable_get('upload_usersize_default', 1)) * 1024 * 1024;
 
@@ -641,7 +642,7 @@
     if (!isset($extensions)) {
       $extensions = '';
       foreach ($user->roles as $rid => $name) {
-        $extensions .= ' '. variable_get("upload_extensions_$rid", variable_get('upload_extensions_default', 'jpg jpeg gif png txt html doc xls pdf ppt pps odt ods odp'));
+        $extensions .= ' '. variable_get("upload_extensions_$rid", variable_get('upload_extensions_default', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp'));
       }
 
     }
@@ -864,6 +865,7 @@
     if ($width && $height) {
       $result = image_scale($file->filepath, $file->filepath, $width, $height);
       if ($result) {
+        clearstatcache();
         $file->filesize = filesize($file->filepath);
         drupal_set_message(t('The image was resized to fit within the maximum allowed resolution of %resolution pixels.', array('%resolution' => variable_get('upload_max_resolution', 0))));
       }
@@ -877,8 +879,21 @@
  * Menu-callback for JavaScript-based uploads.
  */
 function upload_js() {
-  // We only do the upload.module part of the node validation process.
-  $node = (object)$_POST;
+  if (isset($_POST['vid']) && is_numeric($_POST['vid'])) {
+    // Load the node and check the user is allowed to post attachments to it.
+    $node = node_load(array('vid' => $_POST['vid']));
+    if (!$node || !node_access('update', $node) || !variable_get('upload_'. $node->type, TRUE)) {
+      // Setting this error will cause the form to fail validation.
+      form_set_error('form_token', t('Validation error, please try again. If this error persists, please contact the site administrator.'));
+      $output = theme('status_messages');
+      print drupal_to_js(array('status' => TRUE, 'data' => $output));
+      exit();
+    }
+  }
+  else {
+    // This is a new node.
+    $node = new stdClass();
+  }
 
   // Load existing node files.
   $node->files = upload_load($node);
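Review bot: The `else` branch treats a request whose `vid` is present but not numeric the same as one with no `vid`, so a malformed value skips the `node_access('update', $node)` check and continues as a new node. Handling that case explicitly, with the same validation error as the failed-access path, would keep the two situations apart. `is_numeric()` also accepts values such as `1e3` or a string with leading whitespace; a digits-only test would be tighter for an id. Whether the new-node path is gated by a permission depends on the menu entry for this callback, which is outside the hunk; `upload_js()` continues past the last line shown.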
diff -Naur drupal-5.2/modules/user/user.info drupal-5.23/modules/user/user.info
--- drupal-5.2/modules/user/user.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/user/user.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - required
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/modules/user/user.module drupal-5.23/modules/user/user.module
--- drupal-5.2/modules/user/user.module	2007-07-26 21:16:50.000000000 +0200
+++ drupal-5.23/modules/user/user.module	2009-09-16 21:33:40.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: user.module,v 1.745.2.13 2007/07/26 19:16:50 drumm Exp $
+// $Id: user.module,v 1.745.2.36 2009/09/16 19:33:40 drumm Exp $
 
 /**
  * @file
@@ -111,6 +111,11 @@
     user_module_invoke('update', $array, $account, $category);
 
     $data = unserialize(db_result(db_query('SELECT data FROM {users} WHERE uid = %d', $account->uid)));
+    // Consider users edited by an administrator as logged in, if they haven't
+    // already, so anonymous users can view the profile (if allowed).
+    if (empty($array['access']) && empty($account->access) && user_access('administer users')) {
+      $array['access'] = time();
+    }
     foreach ($array as $key => $value) {
       if ($key == 'pass' && !empty($value)) {
         $query .= "$key = '%s', ";
@@ -156,7 +161,7 @@
 
     // If the password changed, delete all open sessions and recreate
     // the current one.
-    if (isset($array['pass'])) {
+    if (!empty($array['pass'])) {
       sess_destroy_uid($account->uid);
       sess_regenerate();
     }
@@ -171,6 +176,11 @@
     if (!isset($array['created'])) {    // Allow 'created' to be set by hook_auth
       $array['created'] = time();
     }
+    // Consider users created by an administrator as already logged in, so
+    // anonymous users can view the profile (if allowed).
+    if (empty($array['access']) && user_access('administer users')) {
+      $array['access'] = time();
+    }
 
     // Note, we wait with saving the data column to prevent module-handled
     // fields from being saved there. We cannot invoke hook_user('insert') here
@@ -365,8 +375,9 @@
   // To reduce the number of SQL queries, we cache the user's permissions
   // in a static variable.
   if (!isset($perm[$account->uid])) {
-    $result = db_query("SELECT DISTINCT(p.perm) FROM {role} r INNER JOIN {permission} p ON p.rid = r.rid WHERE r.rid IN (%s)", implode(',', array_keys($account->roles)));
-
+    $rids = array_keys($account->roles);
+    $placeholders = implode(',', array_fill(0, count($rids), '%d'));
+    $result = db_query("SELECT DISTINCT(p.perm) FROM {role} r INNER JOIN {permission} p ON p.rid = r.rid WHERE r.rid IN ($placeholders)", $rids);
     $perm[$account->uid] = '';
     while ($row = db_fetch_object($result)) {
       $perm[$account->uid] .= "$row->perm, ";
@@ -874,10 +885,8 @@
 
 function user_auth_help_links() {
   $links = array();
-  foreach (module_list() as $module) {
-    if (module_hook($module, 'auth')) {
-      $links[] = l(module_invoke($module, 'info', 'name'), 'user/help', array(), NULL, $module);
-    }
+  foreach (module_implements('auth') as $module) {
+    $links[] = l(module_invoke($module, 'info', 'name'), 'user/help', array(), NULL, $module);
   }
   return $links;
 }
@@ -886,7 +895,7 @@
 
 
 
-function user_login($msg = '') {
+function user_login() {
   global $user;
 
   // If we are already logged on, go to the user page instead.
@@ -895,9 +904,6 @@
   }
 
   // Display login form:
-  if ($msg) {
-    $form['message'] = array('#value' => '<p>'. check_plain($msg) .'</p>');
-  }
   $form['name'] = array('#type' => 'textfield',
     '#title' => t('Username'),
     '#size' => 60,
@@ -959,9 +965,11 @@
     // Update the user table timestamp noting user has logged in.
     db_query("UPDATE {users} SET login = %d WHERE uid = %d", time(), $user->uid);
 
+    // Regenerate the session ID to prevent against session fixation attacks.
+    sess_regenerate();
+
     user_module_invoke('login', $form_values, $user);
 
-    sess_regenerate();
     return 'user/'. $user->uid;
   }
 }
@@ -971,11 +979,21 @@
 
   // Try to log in the user locally. Don't set $user unless successful.
   if ($account = user_load(array('name' => $name, 'pass' => $pass, 'status' => 1))) {
-    $user = $account;
-    return $user;
+    // Check if the e-mail is denied by an access rule.
+    // Doing this check here saves us a user_load() in user_login_validate()
+    // and introduces less code change for a security fix.
+    if (drupal_is_denied('mail', $account->mail)) {
+      form_set_error('name', t('The name %name is registered using a reserved e-mail address and therefore could not be logged in.', array('%name' => $account->name)));
+      return;
+    }
+    else {
+      $user = $account;
+      return $user;
+    }
   }
 
   // Strip name and server from ID:
+  $fullname = $name;
   if ($server = strrchr($name, '@')) {
     $name = substr($name, 0, strlen($name) - strlen($server));
     $server = substr($server, 1);
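Review bot: The `drupal_is_denied('mail', $account->mail)` test added here covers only the local-password path. The external paths in the two following hunks assign `$user` from `user_external_load($fullname)` or `user_save('', $userinfo)` with no equivalent check. If the caller does not re-check access rules after `user_authenticate()` returns (that code is not visible here), an externally authenticated account with a denied address would still be logged in. Also, the `else` after `return;` is redundant; `$user = $account; return $user;` can follow the `if` block directly.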
@@ -983,10 +1001,10 @@
 
   // When possible, determine corresponding external auth source. Invoke
   // source, and log in user if successful:
-  if ($server && ($result = user_get_authmaps("$name@$server"))) {
+  if ($result = user_get_authmaps($fullname)) {
     if (module_invoke(key($result), 'auth', $name, $pass, $server)) {
-      $user = user_external_load("$name@$server");
-      watchdog('user', t('External load by %user using module %module.', array('%user' => $name .'@'. $server, '%module' => key($result))));
+      $user = user_external_load($fullname);
+      watchdog('user', t('External load by %user using module %module.', array('%user' => $fullname, '%module' => key($result))));
     }
   }
 
@@ -995,17 +1013,18 @@
   else {
     foreach (module_implements('auth') as $module) {
       if (module_invoke($module, 'auth', $name, $pass, $server)) {
-        if ($server) {
-          $name .= '@'. $server;
-        }
-        $user = user_load(array('name' => $name));
-        if (!$user->uid) { // Register this new user.
-          $userinfo = array('name' => $name, 'pass' => user_password(), 'init' => $name, 'status' => 1);
-          if ($server) {
-            $userinfo["authname_$module"] = $name;
-          }
+        $registered_user = user_load(array('name' => $fullname));
+        if (!$registered_user->uid) { // Register this new user.
+          $userinfo = array(
+            'name' => $fullname,
+            'pass' => user_password(), 
+            'init' => $fullname,
+            'status' => 1, 
+            'access' => time(),
+          );
+          $userinfo["authname_$module"] = $fullname;
           $user = user_save('', $userinfo);
-          watchdog('user', t('New external user: %user using module %module.', array('%user' => $name, '%module' => $module)), WATCHDOG_NOTICE, l(t('edit'), 'user/'. $user->uid .'/edit'));
+          watchdog('user', t('New external user: %user using module %module.', array('%user' => $fullname, '%module' => $module)), WATCHDOG_NOTICE, l(t('edit'), 'user/'. $user->uid .'/edit'));
           break;
         }
       }
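Review bot: When `user_load(array('name' => $fullname))` finds an existing account, the loop body now does nothing: `$user` is no longer assigned and there is no `break`, whereas the old code loaded that account into `$user`. That looks deliberate (an external module should not be able to log someone in as an existing account of the same name), but nothing in the code says so. A comment before the `if`, such as `// An account with this name already exists: do not log it in through this module.`, would make the intent clear. The lines `'pass' => user_password(), ` and `'status' => 1, ` carry trailing whitespace.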
@@ -1050,6 +1069,13 @@
 
 function user_pass_validate($form_id, $form_values) {
   $name = $form_values['name'];
+
+  // Blocked accounts cannot request a new password,
+  // check provided username and email against access rules.
+  if (drupal_is_denied('user', $name) || drupal_is_denied('mail', $name)) {
+    form_set_error('name', t('%name is not allowed to request a new password.', array('%name' => $name)));
+  }
+
   $account = user_load(array('mail' => $name, 'status' => 1));
   if (!$account) {
     $account = user_load(array('name' => $name, 'status' => 1));
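Review bot: The new check tests the submitted string rather than the account it resolves to, so an account whose e-mail address is denied can still request a reset by entering its username, and an account with a denied name can do so by entering its address. Running the check after the two `user_load()` calls, as `if ($account && (drupal_is_denied('user', $account->name) || drupal_is_denied('mail', $account->mail)))`, would cover both. The one-time login hunk further down does check the loaded account, so this is about not sending the mail in the first place. `user_pass_validate()` continues past the end of the hunk.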
@@ -1069,7 +1095,7 @@
   $from = variable_get('site_mail', ini_get('sendmail_from'));
 
   // Mail one time login URL and instructions.
-  $variables = array('!username' => $account->name, '!site' => variable_get('site_name', 'Drupal'), '!login_url' => user_pass_reset_url($account), '!uri' => $base_url, '!uri_brief' => substr($base_url, strlen('http://')), '!mailto' => $account->mail, '!date' => format_date(time()), '!login_uri' => url('user', NULL, NULL, TRUE), '!edit_uri' => url('user/'. $account->uid .'/edit', NULL, NULL, TRUE));
+  $variables = array('!username' => $account->name, '!site' => variable_get('site_name', 'Drupal'), '!login_url' => user_pass_reset_url($account), '!uri' => $base_url, '!uri_brief' => preg_replace('!^https?://!', '', $base_url), '!mailto' => $account->mail, '!date' => format_date(time()), '!login_uri' => url('user', NULL, NULL, TRUE), '!edit_uri' => url('user/'. $account->uid .'/edit', NULL, NULL, TRUE));
   $subject = _user_mail_text('pass_subject', $variables);
   $body = _user_mail_text('pass_body', $variables);
   $mail_success = drupal_mail('user-pass', $account->mail, $subject, $body, $from);
@@ -1102,6 +1128,11 @@
     $current = time();
     // Some redundant checks for extra security ?
     if ($timestamp < $current && $account = user_load(array('uid' => $uid, 'status' => 1)) ) {
+      // Deny one-time login to blocked accounts.
+      if (drupal_is_denied('user', $account->name) || drupal_is_denied('mail', $account->mail)) {
+        drupal_set_message(t('You have tried to use a one-time login for an account which has been blocked.'), 'error');
+        drupal_goto();
+      }
       // No time out for first time login.
       if ($account->login && $current - $timestamp > $timeout) {
         drupal_set_message(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'));
@@ -1118,6 +1149,8 @@
           $user = $account;
           // And proceed with normal login, going to user page.
           $edit = array();
+          // Regenerate the session ID to prevent against session fixation attacks.
+          sess_regenerate();
           user_module_invoke('login', $edit, $user);
           drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to login. Please change your password.'));
           drupal_goto('user/'. $user->uid .'/edit');
@@ -1290,7 +1323,7 @@
       drupal_mail('user-register-approval-user', $mail, $subject, $body, $from);
       drupal_mail('user-register-approval-admin', $from, $subject, t("!username has applied for an account.\n\n!edit_uri", $variables), $from);
       drupal_set_message(t('Thank you for applying for an account. Your account is currently pending approval by the site administrator.<br />In the meantime, your password and further instructions have been sent to your e-mail address.'));
-
+      return '';
     }
   }
 }
@@ -1414,16 +1447,11 @@
     drupal_set_message(t('The account does not exist or has already been deleted.'));
     drupal_goto('admin/user/user');
   }
+
   $edit = $_POST['op'] ? $_POST : (array)$account;
 
   if (arg(2) == 'delete') {
-    if (!empty($edit['confirm'])) {
-      user_delete($edit, $account->uid);
-      drupal_goto('admin/user/user');
-    }
-    else {
-      return drupal_get_form('user_confirm_delete', $account->name, $account->uid);
-    }
+    return drupal_get_form('user_confirm_delete', $account->name, $account->uid);
   }
   else if ($_POST['op'] == t('Delete')) {
     if ($_REQUEST['destination']) {
@@ -1448,13 +1476,20 @@
 }
 
 function user_confirm_delete($name, $uid) {
-  return confirm_form(array(),
+  $form['uid'] = array('#type' => 'value', '#value' => $uid);
+  return confirm_form($form,
     t('Are you sure you want to delete the account %name?', array('%name' => $name)),
     'user/'. $uid,
     t('All submissions made by this user will be attributed to the anonymous account. This action cannot be undone.'),
     t('Delete'), t('Cancel'));
 }
 
+function user_confirm_delete_submit($form_id, $form_values) {
+  $account = user_load(array('uid' => $form_values['uid']));
+  user_delete((array) $account, $form_values['uid']);
+  return 'admin/user/user';
+}
+
 /**
  * Delete a user.
  *
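Review bot: `user_confirm_delete_submit()` does not handle `user_load()` returning FALSE, which can happen if the account was removed between showing and submitting the confirmation. `(array) $account` then becomes `array(FALSE)` and `user_delete()` is still called with the submitted uid. A guard such as `if (!$account) { return 'admin/user/user'; }` before the delete call would avoid that. The new function also has no docblock; one line like `Submit handler for user_confirm_delete(): deletes the account stored in the form's uid value.` would do.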
@@ -1559,7 +1594,7 @@
       case 'pass_subject':
         return t('Replacement login information for !username at !site', $variables);
       case 'pass_body':
-        return t("!username,\n\nA request to reset the password for your account has been made at !site.\n\nYou may now log in to !uri_brief clicking on this link or copying and pasting it in your browser:\n\n!login_url\n\nThis is a one-time login, so it can be used only once. It expires after one day and nothing will happen if it's not used.\n\nAfter logging in, you will be redirected to !edit_uri so you can change your password.", $variables);
+        return t("!username,\n\nA request to reset the password for your account has been made at !site.\n\nYou may now log in to !uri_brief by clicking on this link or copying and pasting it in your browser:\n\n!login_url\n\nThis is a one-time login, so it can be used only once. It expires after one day and nothing will happen if it's not used.\n\nAfter logging in, you will be redirected to !edit_uri so you can change your password.", $variables);
     }
   }
 }
@@ -1642,21 +1677,10 @@
  * Menu callback: add an access rule
  */
 function user_admin_access_add($mask = NULL, $type = NULL) {
-  if ($edit = $_POST) {
-    if (!$edit['mask']) {
-      form_set_error('mask', t('You must enter a mask.'));
-    }
-    else {
-      $aid = db_next_id('{access}_aid');
-      db_query("INSERT INTO {access} (aid, mask, type, status) VALUES ('%s', '%s', '%s', %d)", $aid, $edit['mask'], $edit['type'], $edit['status']);
-      drupal_set_message(t('The access rule has been added.'));
-      drupal_goto('admin/user/rules');
-    }
-  }
-  else {
-    $edit['mask'] = $mask;
-    $edit['type'] = $type;
-  }
+  $edit = array();
+  $edit['aid'] = 0;
+  $edit['mask'] = $mask;
+  $edit['type'] = $type;
   return drupal_get_form('user_admin_access_add_form', $edit, t('Add rule'));
 }
 
@@ -1688,23 +1712,16 @@
  * Menu callback: edit an access rule
  */
 function user_admin_access_edit($aid = 0) {
-  if ($edit = $_POST) {
-    if (!$edit['mask']) {
-      form_set_error('mask', t('You must enter a mask.'));
-    }
-    else {
-      db_query("UPDATE {access} SET mask = '%s', type = '%s', status = '%s' WHERE aid = %d", $edit['mask'], $edit['type'], $edit['status'], $aid);
-      drupal_set_message(t('The access rule has been saved.'));
-      drupal_goto('admin/user/rules');
-    }
-  }
-  else {
-    $edit = db_fetch_array(db_query('SELECT aid, type, status, mask FROM {access} WHERE aid = %d', $aid));
-  }
+  $edit = db_fetch_array(db_query('SELECT aid, type, status, mask FROM {access} WHERE aid = %d', $aid));
   return drupal_get_form('user_admin_access_edit_form', $edit, t('Save rule'));
 }
 
 function user_admin_access_form($edit, $submit) {
+  $form = array();
+  $form['aid'] = array(
+    '#type' => 'value',
+    '#value' => $edit['aid'],
+  );
   $form['status'] = array(
     '#type' => 'radios',
     '#title' => t('Access type'),
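Review bot: `user_admin_access_edit()` passes the result of `db_fetch_array()` straight to the form, so an `aid` that matches no row leaves `$edit['aid']` unset and `$form['aid']['#value']` empty. The shared submit handler added in the next hunk then takes its INSERT branch, so editing a non-existent rule silently creates a new one. Returning early, e.g. `if (!$edit) { drupal_not_found(); return; }`, keeps the edit path from turning into an add.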
@@ -1728,11 +1745,27 @@
     '#required' => TRUE,
   );
   $form['submit'] = array('#type' => 'submit', '#value' => $submit);
+  $form['#base'] = 'user_admin_access_form';
 
   return $form;
 }
 
 /**
+ * Submit callback for user_admin_access_form().
+ */
+function user_admin_access_form_submit($form_id, $form_values) {
+  if ($form_values['aid']) {
+    db_query("UPDATE {access} SET mask = '%s', type = '%s', status = '%s' WHERE aid = %d", $form_values['mask'], $form_values['type'], $form_values['status'], $form_values['aid']);
+    drupal_set_message(t('The access rule has been saved.'));
+  }
+  else {
+    db_query("INSERT INTO {access} (mask, type, status) VALUES ('%s', '%s', %d)", $form_values['mask'], $form_values['type'], $form_values['status']);
+    drupal_set_message(t('The access rule has been added.'));
+  }
+  return 'admin/user/rules'; 
+}
+
+/**
  * Menu callback: list all access rules
  */
 function user_admin_access() {
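Review bot: The two queries in `user_admin_access_form_submit()` bind `status` differently: the UPDATE uses `status = '%s'` and the INSERT uses `%d`. Using `%d` in both keeps the value an integer regardless of what the form submits: `SET mask = '%s', type = '%s', status = %d WHERE aid = %d`. The INSERT also no longer supplies `aid` (the old code used `db_next_id()`), so it depends on the column generating its own value. The schema is not visible in this hunk, so that is worth confirming. `return 'admin/user/rules'; ` has trailing whitespace.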
@@ -2014,7 +2047,8 @@
 
   $sql = 'SELECT DISTINCT u.uid, u.name, u.status, u.created, u.access FROM {users} u LEFT JOIN {users_roles} ur ON u.uid = ur.uid '. $filter['join'] .' WHERE u.uid != 0 '. $filter['where'];
   $sql .= tablesort_sql($header);
-  $result = pager_query($sql, 50, 0, NULL, $filter['args']);
+  $query_count = 'SELECT COUNT(DISTINCT u.uid) FROM {users} u LEFT JOIN {users_roles} ur ON u.uid = ur.uid '. $filter['join'] .' WHERE u.uid != 0 '. $filter['where'];
+  $result = pager_query($sql, 50, 0, $query_count, $filter['args']);
 
   $form['options'] = array(
     '#type' => 'fieldset',
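Review bot: The new `$query_count` repeats the whole FROM/JOIN/WHERE text of `$sql`, so the two strings must now be edited in lockstep or the pager total will drift from the listing. Building the shared tail once, e.g. `$from = ' FROM {users} u LEFT JOIN {users_roles} ur ON u.uid = ur.uid '. $filter['join'] .' WHERE u.uid != 0 '. $filter['where'];`, and prefixing the two SELECT lists would remove that risk. The enclosing function and the code that builds `$filter['where']` and `$filter['args']` are outside the hunk.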
@@ -2434,6 +2468,8 @@
 }
 
 function _user_sort($a, $b) {
+  $a = (array)$a + array('weight' => 0, 'title' => '');
+  $b = (array)$b + array('weight' => 0, 'title' => '');
   return $a['weight'] < $b['weight'] ? -1 : ($a['weight'] > $b['weight'] ? 1 : ($a['title'] < $b['title'] ? -1 : 1));
 }
 
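Review bot: `_user_sort()` still never returns 0. When both `weight` and `title` are equal, the last ternary yields 1 whichever way the arguments are passed, which is an inconsistent comparator. This matters more now that the added defaults make "both items have weight 0 and an empty title" a common case. Ending the chain with `($a['title'] < $b['title'] ? -1 : ($a['title'] > $b['title'] ? 1 : 0))` fixes it. A one-line docblock saying this is a comparison callback ordering by weight and then title would also help.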
@@ -2554,10 +2590,15 @@
                      );
   foreach ($session as $filter) {
     list($type, $value) = $filter;
-    $string = ($i++ ? '<em>and</em> where <strong>%a</strong> is <strong>%b</strong>' : '<strong>%a</strong> is <strong>%b</strong>');
     // Merge an array of arrays into one if necessary.
     $options = $type == 'permission' ? call_user_func_array('array_merge', $filters[$type]['options']) : $filters[$type]['options'];
-    $form['filters']['current'][] = array('#value' => t($string, array('%a' => $filters[$type]['title'] , '%b' => $options[$value])));
+    $params = array('%property' => $filters[$type]['title'] , '%value' => $options[$value]);
+    if ($i++ > 0) {
+      $form['filters']['current'][] = array('#value' => t('<em>and</em> where <strong>%property</strong> is <strong>%value</strong>', $params));
+    }
+    else {
+      $form['filters']['current'][] = array('#value' => t('<strong>%property</strong> is <strong>%value</strong>', $params));
+    }
   }
 
   foreach ($filters as $key => $filter) {
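Review bot: A short comment above the `if ($i++ > 0)` block would stop the two near-identical `t()` calls from being folded back into one variable string, for example `// Keep both strings literal so the translation extractor can pick them up.` The loop header's surroundings and the initialisation of `$i` are outside the hunk, so whether `$i` is set to 0 before the first `$i++` cannot be confirmed from here.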
diff -Naur drupal-5.2/modules/watchdog/watchdog.info drupal-5.23/modules/watchdog/watchdog.info
--- drupal-5.2/modules/watchdog/watchdog.info	2007-07-26 21:25:07.000000000 +0200
+++ drupal-5.23/modules/watchdog/watchdog.info	2010-08-11 22:46:30.000000000 +0200
@@ -4,8 +4,8 @@
 package = Core - required
 version = VERSION
 
-; Information added by drupal.org packaging script on 2007-07-26
-version = "5.2"
+; Information added by drupal.org packaging script on 2010-08-11
+version = "5.23"
 project = "drupal"
-datestamp = "1185477907"
+datestamp = "1281559590"
 
diff -Naur drupal-5.2/robots.txt drupal-5.23/robots.txt
--- drupal-5.2/robots.txt	2007-03-23 19:57:07.000000000 +0100
+++ drupal-5.23/robots.txt	2008-12-10 21:24:38.000000000 +0100
@@ -1,4 +1,4 @@
-# $Id: robots.txt,v 1.7.2.1 2007/03/23 18:57:07 drumm Exp $
+# $Id: robots.txt,v 1.7.2.3 2008/12/10 20:24:38 drumm Exp $
 #
 # robots.txt
 #
@@ -20,30 +20,27 @@
 User-agent: *
 Crawl-delay: 10
 # Directories
-Disallow: /database/
 Disallow: /includes/
 Disallow: /misc/
 Disallow: /modules/
+Disallow: /profiles/
+Disallow: /scripts/
 Disallow: /sites/
 Disallow: /themes/
-Disallow: /scripts/
-Disallow: /updates/
-Disallow: /profiles/
 # Files
-Disallow: /xmlrpc.php
+Disallow: /CHANGELOG.txt
 Disallow: /cron.php
-Disallow: /update.php
-Disallow: /install.php
-Disallow: /INSTALL.txt
 Disallow: /INSTALL.mysql.txt
 Disallow: /INSTALL.pgsql.txt
-Disallow: /CHANGELOG.txt
-Disallow: /MAINTAINERS.txt
+Disallow: /install.php
+Disallow: /INSTALL.txt
 Disallow: /LICENSE.txt
+Disallow: /MAINTAINERS.txt
+Disallow: /update.php
 Disallow: /UPGRADE.txt
+Disallow: /xmlrpc.php
 # Paths (clean URLs)
 Disallow: /admin/
-Disallow: /aggregator/
 Disallow: /comment/reply/
 Disallow: /contact/
 Disallow: /logout/
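Review bot: The file carries no comment saying that these `Disallow` lines are advisory for well-behaved crawlers only. Entries such as `/update.php`, `/install.php` and `/cron.php` stay reachable by any client, and the file is itself a public list of where they live, so access control has to come from the scripts or the web server. A header line such as `# Advisory for crawlers only; this file does not restrict access to anything listed.` would keep readers from mistaking it for protection.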
@@ -54,7 +51,6 @@
 Disallow: /user/login/
 # Paths (no clean URLs)
 Disallow: /?q=admin/
-Disallow: /?q=aggregator/
 Disallow: /?q=comment/reply/
 Disallow: /?q=contact/
 Disallow: /?q=logout/
diff -Naur drupal-5.2/sites/default/settings.php drupal-5.23/sites/default/settings.php
--- drupal-5.2/sites/default/settings.php	2007-07-09 06:28:12.000000000 +0200
+++ drupal-5.23/sites/default/settings.php	2009-06-16 20:29:52.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: settings.php,v 1.39.2.3 2007/07/09 04:28:12 drumm Exp $
+// $Id: settings.php,v 1.39.2.4 2009/06/16 18:29:52 drumm Exp $
 
 /**
  * @file
@@ -132,6 +132,7 @@
 ini_set('session.cookie_lifetime',  2000000);
 ini_set('session.gc_maxlifetime',   200000);
 ini_set('session.save_handler',     'user');
+ini_set('session.use_cookies',      1);
 ini_set('session.use_only_cookies', 1);
 ini_set('session.use_trans_sid',    0);
 ini_set('url_rewriter.tags',        '');
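Review bot: The added `session.use_cookies` line has no comment, and its purpose is easy to miss next to `session.use_only_cookies`. The latter only refuses session IDs from the URL and does not by itself turn cookies on, so a php.ini with cookies disabled would leave sessions without a transport. Suggested comment: `// Force cookie-based sessions regardless of php.ini; use_only_cookies alone does not enable them.` The visible block also sets no `session.cookie_httponly`; whether that is handled elsewhere, or is available on the PHP versions this release supports, cannot be told from this hunk.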
diff -Naur drupal-5.2/themes/bluemarine/page.tpl.php drupal-5.23/themes/bluemarine/page.tpl.php
--- drupal-5.2/themes/bluemarine/page.tpl.php	2006-08-30 09:37:13.000000000 +0200
+++ drupal-5.23/themes/bluemarine/page.tpl.php	2009-04-30 02:13:49.000000000 +0200
@@ -2,8 +2,8 @@
 <html xmlns="http://www.w3.org/1999/xhtml" lang="<?php print $language ?>" xml:lang="<?php print $language ?>">
 
 <head>
-  <title><?php print $head_title ?></title>
   <?php print $head ?>
+  <title><?php print $head_title ?></title>
   <?php print $styles ?>
   <?php print $scripts ?>
   <script type="text/javascript"><?php /* Needed to avoid Flash of Unstyle Content in IE */ ?> </script>
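Review bot: Nothing in the template records why `$head` now has to be printed before `<title>`, so a theme author tidying the markup can easily swap them back. Assuming `$head` carries the page's charset declaration (it comes from `drupal_get_html_head()`, as the chameleon hunk shows), the order ensures the encoding is declared before the browser parses any title text. A comment such as `<?php /* Keep $head above <title>: the charset must be declared before any page text. */ ?>` would preserve that. The same applies to the matching hunks in `chameleon.theme`, `garland/page.tpl.php` and `pushbutton/page.tpl.php`.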
diff -Naur drupal-5.2/themes/chameleon/chameleon.theme drupal-5.23/themes/chameleon/chameleon.theme
--- drupal-5.2/themes/chameleon/chameleon.theme	2007-05-31 08:13:36.000000000 +0200
+++ drupal-5.23/themes/chameleon/chameleon.theme	2009-04-30 02:13:49.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: chameleon.theme,v 1.56.2.2 2007/05/31 06:13:36 drumm Exp $
+// $Id: chameleon.theme,v 1.56.2.3 2009/04/30 00:13:49 drumm Exp $
 
 /**
  * @file
@@ -39,8 +39,8 @@
   $output  = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n";
   $output .= "<html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"$language\" xml:lang=\"$language\">\n";
   $output .= "<head>\n";
-  $output .= " <title>". ($title ? strip_tags($title) ." | ". variable_get("site_name", "Drupal") : variable_get("site_name", "Drupal") ." | ". variable_get("site_slogan", "")) ."</title>\n";
   $output .= drupal_get_html_head();
+  $output .= " <title>". ($title ? strip_tags($title) ." | ". variable_get("site_name", "Drupal") : variable_get("site_name", "Drupal") ." | ". variable_get("site_slogan", "")) ."</title>\n";
   $output .= drupal_get_css();
   $output .= drupal_get_js();
   $output .= "</head>";
diff -Naur drupal-5.2/themes/chameleon/common.css drupal-5.23/themes/chameleon/common.css
--- drupal-5.2/themes/chameleon/common.css	2006-08-30 09:37:14.000000000 +0200
+++ drupal-5.23/themes/chameleon/common.css	2007-09-13 20:59:59.000000000 +0200
@@ -1,4 +1,4 @@
-/* $Id: common.css,v 1.11 2006/08/30 07:37:14 drumm Exp $ */
+/* $Id: common.css,v 1.11.2.1 2007/09/13 18:59:59 drumm Exp $ */
 
 /*
 ** HTML elements
@@ -82,6 +82,7 @@
  font-size: 0.8em;
  padding-top: 2em;
  text-align: center;
+ clear: both;
 }
 
 /*
diff -Naur drupal-5.2/themes/engines/phptemplate/phptemplate.engine drupal-5.23/themes/engines/phptemplate/phptemplate.engine
--- drupal-5.2/themes/engines/phptemplate/phptemplate.engine	2007-05-31 08:21:32.000000000 +0200
+++ drupal-5.23/themes/engines/phptemplate/phptemplate.engine	2009-05-13 18:36:22.000000000 +0200
@@ -1,5 +1,5 @@
 <?php
-// $Id: phptemplate.engine,v 1.54.2.2 2007/05/31 06:21:32 drumm Exp $
+// $Id: phptemplate.engine,v 1.54.2.9 2009/05/13 16:36:22 drumm Exp $
 
 /**
  * @file
@@ -113,7 +113,9 @@
       // This pre-loading is necessary because phptemplate uses variable names different from
       // the region names, e.g., 'sidebar_left' instead of 'left'.
       if (!in_array($region, array('left', 'right', 'footer'))) {
-        isset($variables[$region]) ? $variables[$region] .= theme('blocks', $region) : $variables[$region] = theme('blocks', $region);
+        $normal_blocks = (isset($variables['regions'])) ? $variables['regions'][$region] : theme('blocks', $region);
+
+        isset($variables[$region]) ? $variables[$region] .= $normal_blocks : $variables[$region] = $normal_blocks;
       }
     }
   }
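Review bot: The new `$normal_blocks` line tests `isset($variables['regions'])` but then reads `$variables['regions'][$region]` without checking that key. A region missing from the pre-rendered list raises an undefined-index notice and contributes nothing, instead of falling back to `theme('blocks', $region)`. Testing the key itself covers both cases: `$normal_blocks = isset($variables['regions'][$region]) ? $variables['regions'][$region] : theme('blocks', $region);`. The enclosing function starts outside the hunk.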
@@ -148,6 +150,9 @@
  * current path. If none are found, the default page.tpl.php is used.
  */
 function phptemplate_page($content, $show_blocks = TRUE) {
+  global $theme;
+  $regions = array_keys(system_region_list($theme));
+  $variables = array('regions'=>array());
 
   /* Set title and breadcrumb to declared values */
   if (drupal_is_front_page()) {
@@ -163,23 +168,37 @@
   $layout = 'none';
   if ($show_blocks) {
     global $sidebar_indicator;
-    /**
-     * Sidebar_indicator tells the block counting code to count sidebars separately.
-     */
-    $sidebar_indicator = 'left';
-    $sidebar_left = theme('blocks', 'left');
+
+    // Load blocks early for adding header info
+    foreach ($regions as $region) {
+      // Sidebar_indicator tells the block counting code
+      // to count sidebars separately.
+      if ($region == 'left' || $region == 'right') {
+        $sidebar_indicator = $region;
+      }
+      else {
+        $sidebar_indicator = NULL;
+      }
+      $variables['regions'][$region] = theme('blocks', $region);
+    }
+    $sidebar_indicator = NULL;
+
+    $sidebar_left = $variables['regions']['left'];
     if ($sidebar_left != '') {
       $layout = 'left';
     }
 
-    $sidebar_indicator = 'right';
-    $sidebar_right = theme('blocks', 'right');
+    $sidebar_right = $variables['regions']['right'];
     if ($sidebar_right != '') {
       $layout = ($layout == 'left') ? 'both' : 'right';
     }
-    $sidebar_indicator = NULL;
   }
-
+  else {
+    // Add empty strings as default
+    foreach($regions as $region) {
+      $variables['regions'][$region] = '';
+    }
+  }
   // Construct page title
   if (drupal_get_title()) {
     $head_title = array(strip_tags(drupal_get_title()), variable_get('site_name', 'Drupal'));
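Review bot: `$variables['regions']['left']` and `['right']` here, and `['footer']` in the `array_merge()` hunk below, are read unconditionally although the array is filled only from `system_region_list($theme)`. If a theme's region list lacks one of those names, which cannot be ruled out from this patch, the reads raise undefined-index notices. Seeding the defaults where the array is created, `$variables = array('regions' => array('left' => '', 'right' => '', 'footer' => ''));`, would make all three reads safe. On style, `foreach($regions as $region)` in the `else` branch is missing the space used by the other `foreach` in this hunk. The body of `phptemplate_page()` spans several hunks, so not all of it is visible here.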
@@ -191,13 +210,13 @@
     }
   }
 
-  $variables = array(
+  $variables = array_merge($variables, array(
     'base_path'           => base_path(),
     'breadcrumb'          => theme('breadcrumb', drupal_get_breadcrumb()),
     'closure'             => theme('closure'),
     'content'             => $content,
     'feed_icons'          => drupal_get_feeds(),
-    'footer_message'      => filter_xss_admin(variable_get('site_footer', FALSE)) . "\n" . theme('blocks', 'footer'),
+    'footer_message'      => filter_xss_admin(variable_get('site_footer', FALSE)) . "\n" . $variables['regions']['footer'],
     'head'                => drupal_get_html_head(),
     'head_title'          => implode(' | ', $head_title),
     'help'                => theme('help'),
@@ -218,7 +237,7 @@
     'scripts'             => drupal_get_js(),
     'tabs'                => theme('menu_local_tasks'),
     'title'               => drupal_get_title()
-  );
+  ));
 
   if ((arg(0) == 'node') && is_numeric(arg(1))) {
     $variables['node'] = node_load(arg(1));
@@ -238,6 +257,7 @@
   $suggestion = 'page';
   $suggestions = array($suggestion);
   while ($arg = arg($i++)) {
+    $arg = str_replace(array("/", "\\", "\0"), '', $arg);
     $suggestions[] = $suggestion . '-' . $arg;
     if (!is_numeric($arg)) {
       $suggestion .= '-' . $arg;
@@ -352,7 +372,10 @@
  * @param $variables
  *   A sequential array of variables passed to the theme function.
  * @param $suggestions
- *   An array of suggested template files to use.
+ *   An array of suggested template files to use. This may include a path when
+ *   the suggested template is contained within a sub-directory of the theme.
+ *   They are set from _phptemplate_variables() or the theming hook invoking
+ *   _phptemplate_callback().
  */
 function _phptemplate_default($hook, $variables, $suggestions = array(), $extension = '.tpl.php') {
   global $theme_engine;
@@ -395,5 +418,3 @@
   ob_end_clean();                  // End buffering and discard
   return $contents;                // Return the contents
 }
-
-?>
diff -Naur drupal-5.2/themes/garland/page.tpl.php drupal-5.23/themes/garland/page.tpl.php
--- drupal-5.2/themes/garland/page.tpl.php	2006-12-14 01:37:00.000000000 +0100
+++ drupal-5.23/themes/garland/page.tpl.php	2009-04-30 02:13:49.000000000 +0200
@@ -2,8 +2,8 @@
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php print $language ?>" lang="<?php print $language ?>">
   <head>
-    <title><?php print $head_title ?></title>
     <?php print $head ?>
+    <title><?php print $head_title ?></title>
     <?php print $styles ?>
     <?php print $scripts ?>
     <style type="text/css" media="print">@import "<?php print base_path() . path_to_theme() ?>/print.css";</style>
diff -Naur drupal-5.2/themes/garland/style.css drupal-5.23/themes/garland/style.css
--- drupal-5.2/themes/garland/style.css	2007-07-09 05:50:59.000000000 +0200
+++ drupal-5.23/themes/garland/style.css	2009-09-16 06:38:12.000000000 +0200
@@ -1,4 +1,4 @@
-/* $Id: style.css,v 1.14.2.4 2007/07/09 03:50:59 drumm Exp $ */
+/* $Id: style.css,v 1.14.2.5 2009/09/16 04:38:12 drumm Exp $ */
 
 /**
  * Garland, for Drupal 5.0
@@ -606,6 +606,7 @@
   text-decoration: none;
   position: relative;
   top: -1px;
+  display: inline-block;
 }
 ul.primary li.active a, ul.primary li.active a:link, ul.primary li.active a:visited, ul.primary li a:hover,
 ul.secondary li.active a, ul.secondary li.active a:link, ul.secondary li.active a:visited, ul.secondary li a:hover {
diff -Naur drupal-5.2/themes/pushbutton/page.tpl.php drupal-5.23/themes/pushbutton/page.tpl.php
--- drupal-5.2/themes/pushbutton/page.tpl.php	2006-08-30 09:37:14.000000000 +0200
+++ drupal-5.23/themes/pushbutton/page.tpl.php	2009-04-30 02:13:49.000000000 +0200
@@ -1,9 +1,9 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="<?php print $language ?>" xml:lang="<?php print $language ?>">
 <head>
-  <title><?php print $head_title ?></title>
   <meta http-equiv="Content-Style-Type" content="text/css" />
   <?php print $head ?>
+  <title><?php print $head_title ?></title>
   <?php print $styles ?>
   <?php print $scripts ?>
 </head>
diff -Naur drupal-5.2/update.php drupal-5.23/update.php
--- drupal-5.2/update.php	2007-04-08 02:54:04.000000000 +0200
+++ drupal-5.23/update.php	2008-12-10 23:21:27.000000000 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: update.php,v 1.211.2.2 2007/04/08 00:54:04 drumm Exp $
+// $Id: update.php,v 1.211.2.3 2008/12/10 22:21:27 drumm Exp $
 
 /**
  * @file
@@ -562,10 +562,11 @@
 
 function update_info_page() {
   drupal_set_title('Drupal database update');
+  $link = 'update.php?op=selection&token='. drupal_get_token('update');
   $output = "<ol>\n";
   $output .= "<li>Use this script to <strong>upgrade an existing Drupal installation</strong>. You don't need this script when installing Drupal from scratch.</li>";
   $output .= "<li>Before doing anything, backup your database. This process will change your database and its values, and some things might get lost.</li>\n";
-  $output .= "<li>Update your Drupal sources, check the notes below and <a href=\"update.php?op=selection\">run the database upgrade script</a>. Don't upgrade your database twice as it may cause problems.</li>\n";
+  $output .= "<li>Update your Drupal sources, check the notes below and <a href=\"$link\">run the database upgrade script</a>. Don't upgrade your database twice as it may cause problems.</li>\n";
   $output .= "<li>Go through the various administration pages to change the existing and new settings to your liking.</li>\n";
   $output .= "</ol>";
   $output .= '<p>For more help, see the <a href="http://drupal.org/node/258">Installation and upgrading handbook</a>. If you are unsure what these terms mean you should probably contact your hosting provider.</p>';
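Review bot: `$link` is written into an `href` attribute with a bare `&` between `op=selection` and `token=`, which is not valid in the XHTML this page emits. Since the value is only used inside markup in this hunk, the ampersand can be encoded where it is built: `$link = 'update.php?op=selection&amp;token='. drupal_get_token('update');`. A short comment that the token ties the link to the current session would also explain why the plain `update.php?op=selection` URL no longer works.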
@@ -793,10 +794,6 @@
 
   $op = isset($_REQUEST['op']) ? $_REQUEST['op'] : '';
   switch ($op) {
-    case 'Update':
-      $output = update_update_page();
-      break;
-
     case 'finished':
       $output = update_finished_page(TRUE);
       break;
@@ -813,10 +810,18 @@
       $output = update_progress_page_nojs();
       break;
 
+    case 'Update':
+      if ($_GET['token'] == drupal_get_token('update')) {
+        $output = update_update_page();
+        break;
+      }
+      // If the token did not match we just display the default page.
     case 'selection':
-      $output = update_selection_page();
-      break;
-
+      if ($_GET['token'] == drupal_get_token('update')) {
+        $output = update_selection_page();
+        break;
+      }
+      // If the token did not match we just display the default page.
     default:
       $output = update_info_page();
       break;
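Review bot: Both new checks read `$_GET['token']` without `isset()` and compare it with a loose `==`. A request with no token raises an undefined-index notice, and loose comparison lets PHP treat numeric-looking strings as numbers rather than comparing them byte for byte. Using the existing validator in both cases avoids this: `if (isset($_GET['token']) && drupal_valid_token($_GET['token'], 'update')) {`, or at minimum `===` against `drupal_get_token('update')`. The `Update` case also depends on the submitting form carrying the token in the query string rather than the POST body, which cannot be verified because that form is outside the hunk. The `switch` starts and ends outside the hunk.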

