From f62a8932140a350fd4ff2e260ecc0d78f2c909fc Mon Sep 17 00:00:00 2001
From: Daniel Wehner
Date: Fri, 21 Nov 2014 12:43:48 +0100
Subject: [PATCH] Update to 6.34
---
 CHANGELOG.txt | 4 ++++
 includes/session.inc | 2 +-
 modules/system/system.module | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 91adc4411b4..99f2fc62ceb 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -14,6 +14,10 @@ Drupal 6.30, 2014-01-15
 ----------------------
 - Fixed security issues (multiple vulnerabilities), see SA-CORE-2014-001.
+Drupal 6.34, 2014-11-19
+----------------------
+- Fixed security issues (session hijacking). See SA-CORE-2014-006.
+
 Drupal 6.33, 2014-08-06
 ----------------------
 - Fixed security issues (denial of service). See SA-CORE-2014-004.
diff --git a/includes/session.inc b/includes/session.inc
index df4719cb4f0..278693864d9 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -42,7 +42,7 @@ function sess_read($key) {
 register_shutdown_function('session_write_close');
 // Handle the case of first time visitors and clients that don't store cookies (eg. web crawlers).
- if (!isset($_COOKIE[session_name()])) {
+ if (empty($key) || !isset($_COOKIE[session_name()])) {
 $user = drupal_anonymous_user();
 return '';
 }
diff --git a/modules/system/system.module b/modules/system/system.module
index 2d294bada17..8803ce91def 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -8,7 +8,7 @@
 /**
 * The current system version.
 */
-define('VERSION', '6.33');
+define('VERSION', '6.34');
 /**
 * Core API compatibility.
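Review bot: In the includes/session.inc hunk, the comment above the changed condition in sess_read() still describes only first-time visitors and cookie-less clients, so nothing at the guard records that `empty($key)` is the security-relevant part of this release (the changelog entry points to SA-CORE-2014-006). I would add a line such as `// An empty session ID must never be used to load a session; treat the request as anonymous (SA-CORE-2014-006).` so that a later cleanup does not drop the check as redundant with the cookie test. Note also that `empty()` is true for the string '0' as well as for '', which is presumably harmless for a session ID but could be made explicit with `!is_string($key) || $key === ''`. The rest of sess_read() lies outside the hunk, so whether the code that follows, and the other session handlers in this file, are equally strict about an empty ID cannot be confirmed from this diff.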