search_index table is too big while using Apache SOLR?
The reason: the core search module is still indexing content. The solution: go to admin/settings/search and set "Number of items to index per cron run" to 0. This will prevent the core search module from working. To clear the tables, press the "Re-index site" button.
Managing comments access on the fly
As you may already know, you can control the comments module behavior with user permissions and with per node-type settings. But what if you want to change the node comments access on the fly?
The problem:
On some nodes I want to disable the comment form for the current user, but still show him the comments. This is possible with the default comment settings of the node type or with access permissions. But what if the permissions are configured for full read-write access for the current node type and the current user has permission to post comments?
Solution:
Problem with Drupal 6.16
Security fixes in 6.16:
Installation cross site scripting
A user-supplied value is directly output during installation allowing a malicious user to craft a URL and perform a cross-site scripting attack. The exploit can only be conducted on sites not yet installed.
Open redirection
The API function drupal_goto() is susceptible to a phishing attack. An attacker could formulate a redirect in a way that gets the Drupal site to send the user to an arbitrarily provided URL. No user submitted data will be sent to that URL.
How to fix redirects after running cron.php
Problem:
When running cron.php (from the browser or from the Reports page), you get redirected to some pages.
Fix:
It looks like there are some drupal_goto() calls in hooks. In my case the problem was in a custom module, in hook_nodeapi.
So remember: if you use the Apache Solr integration module (or another module that runs miscellaneous hooks on cron), it will run through hook_nodeapi('view') on cron to index content, and if you have a drupal_goto() there, then you're busted.
Drupal 6.15 and 5.21 released
The fifteenth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
SA-CORE-2009-009 - Drupal Core - Cross site scripting
In addition to this security vulnerability, the following bugs have been fixed since the 6.14 release:
Michael Jackson using Drupal
MichaelJackson.com, the official site for fans of the King of Pop, has just re-launched, featuring some new community-oriented features and some old-school graphics from back in the day. MichaelJackson.com was built using Drupal by the good folks at Sony Music. They are also using Mollom to protect against comment and forum post spam.
Drupal 6.10 and 5.16 released
Drupal 6.10 and 5.16, maintenance releases fixing problems reported using the bug tracking system, as well as a critical security vulnerability, are now available for download.
Drupal 5.16 and 6.10 were released in response to the discovery of a security vulnerability. Details can be found in the official security advisories:
Getting field settings from CCK
Sometimes, when you want to replicate the way a CCK field works, you need to get the settings of the required field. The main function you need is _content_type_info(). It returns an array with info on all of the content types, so you can get the general field settings or the field settings per content type. Just run dsm(_content_type_info()) and examine the output carefully.
If you know which field in which node type you're looking for, then you can just use:
Drupal 6.9 and 5.15 released

Drupal 6.9 and Drupal 5.15, maintenance releases fixing problems reported using the bug tracking system, as well as critical security vulnerabilities, are now available for download. Read more to find out about security vulnerabilities found there.









