diff -ru ../drupal-5.14/CHANGELOG.txt ./CHANGELOG.txt
--- ../drupal-5.14/CHANGELOG.txt 2008-12-12 04:37:27.000000000 +1100
+++ ./CHANGELOG.txt 2009-01-15 10:32:14.000000000 +1100
@@ -1,4 +1,13 @@
-// $Id: CHANGELOG.txt,v 1.173.2.33 2008/12/11 17:37:27 drumm Exp $
+// $Id: CHANGELOG.txt,v 1.173.2.35 2009/01/14 23:32:14 drumm Exp $
+
+Drupal 5.15, 2009-01-14
+-----------------------
+- Fixed security issues, (Hardening against SQL injection), see
+ SA-CORE-2009-001
+- Fixed HTTP_HOST checking to work again with HTTP 1.0 clients and basic shell
+ scripts.
+- Fixed a variety of small bugs.
+
 Drupal 5.14, 2008-12-11
 -----------------------
diff -ru ../drupal-5.14/includes/bootstrap.inc ./includes/bootstrap.inc
--- ../drupal-5.14/includes/bootstrap.inc 2008-12-11 05:16:03.000000000 +1100
+++ ./includes/bootstrap.inc 2009-01-15 06:12:27.000000000 +1100
@@ -1,5 +1,5 @@
 url("user/$account->uid", NULL, NULL, TRUE)));
 * @endcode
 *
- * - @variable, which indicates that the text should be run through check_plain,
- * to strip out HTML characters. Use this for any output that's displayed within
- * a Drupal page.
+ * - @variable, which indicates that the text should be run through
+ * check_plain, to escape HTML characters. Use this for any output that's
+ * displayed within a Drupal page.
 * @code
 * drupal_set_title($title = t("@name's blog", array('@name' => $account->name)));
 * @endcode
 *
- * - %variable, which indicates that the string should be highlighted with
- * theme_placeholder() which shows up by default as emphasized.
+ * - %variable, which indicates that the string should be HTML escaped and
+ * highlighted with theme_placeholder() which shows up by default as
+ * emphasized.
 * @code
- * watchdog('mail', t('%name-from sent %name-to an e-mail.', array('%name-from' => $user->name, '%name-to' => $account->name)));
+ * $message = t('%name-from sent %name-to an e-mail.', array('%name-from' => $user->name, '%name-to' => $account->name));
 * @endcode
 *
 * When using t(), try to put entire sentences and strings in one t() call.
 * This makes it easier for translators, as it provides context as to what
- * each word refers to. HTML markup within translation strings is allowed,
- * but should be avoided if possible. The exception is embedded links; link
- * titles add additional context for translators so should be kept in the main
- * string.
+ * each word refers to. HTML markup within translation strings is allowed, but
+ * should be avoided if possible. The exception are embedded links; link
+ * titles add a context for translators, so should be kept in the main string.
 *
- * Here is an example of an incorrect use if t():
+ * Here is an example of incorrect usage of t():
 * @code
 * $output .= t('

Go to the @contact-page.

', array('@contact-page' => l(t('contact page'), 'contact')));
 * @endcode
@@ -709,7 +709,7 @@
 * $output .= '

'. t('Go to the contact page.', array('@contact-page' => url('contact'))) .'

';
 * @endcode
 *
- * Also avoid escaping quotation marks wherever possible.
+ * Avoid escaping quotation marks wherever possible.
 *
 * Incorrect:
 * @code
@@ -721,6 +721,101 @@
 * $output .= t("Don't click me.");
 * @endcode
 *
+ * Because t() is designed for handling code-based strings, in almost all
+ * cases, the actual string and not a variable must be passed through t().
+ *
+ * Extraction of translations is done based on the strings contained in t()
+ * calls. If a variable is passed through t(), the content of the variable
+ * cannot be extracted from the file for translation.
+ *
+ * Incorrect:
+ * @code
+ * $message = 'An error occurred.';
+ * drupal_set_message(t($message), 'error');
+ * $output .= t($message);
+ * @endcode
+ *
+ * Correct:
+ * @code
+ * $message = t('An error occurred.');
+ * drupal_set_message($message, 'error');
+ * $output .= $message;
+ * @endcode
+ *
+ * The only case in which variables can be passed safely through t() is when
+ * code-based versions of the same strings will be passed through t() (or
+ * otherwise extracted) elsewhere.
+ *
+ * In some cases, modules may include strings in code that can't use t()
+ * calls. For example, a module may use an external PHP application that
+ * produces strings that are loaded into variables in Drupal for output.
+ * In these cases, module authors may include a dummy file that passes the
+ * relevant strings through t(). This approach will allow the strings to be
+ * extracted.
+ *
+ * Sample external (non-Drupal) code:
+ * @code
+ * class Time {
+ * public $yesterday = 'Yesterday';
+ * public $today = 'Today';
+ * public $tomorrow = 'Tomorrow';
+ * }
+ * @endcode
+ *
+ * Sample dummy file.
+ * @code
+ * // Dummy function included in example.potx.inc.
+ * function example_potx() {
+ * $strings = array(
+ * t('Yesterday'),
+ * t('Today'),
+ * t('Tomorrow'),
+ * );
+ * // No return value needed, since this is a dummy function.
+ * }
+ * @endcode
+ *
+ * Having passed strings through t() in a dummy function, it is then
+ * okay to pass variables through t().
+ *
+ * Correct (if a dummy file was used):
+ * @code
+ * $time = new Time();
+ * $output .= t($time->today);
+ * @endcode
+ *
+ * However tempting it is, custom data from user input or other non-code
+ * sources should not be passed through t(). Doing so leads to the following
+ * problems and errors:
+ * - The t() system doesn't support updates to existing strings. When user
+ * data is updated, the next time it's passed through t() a new record is
+ * created instead of an update. The database bloats over time and any
+ * existing translations are orphaned with each update.
+ * - The t() system assumes any data it receives is in English. User data may
+ * be in another language, producing translation errors.
+ * - The "Built-in interface" text group in the locale system is used to
+ * produce translations for storage in .po files. When non-code strings are
+ * passed through t(), they are added to this text group, which is rendered
+ * inaccurate since it is a mix of actual interface strings and various user
+ * input strings of uncertain origin.
+ *
+ * Incorrect:
+ * @code
+ * $item = item_load();
+ * $output .= check_plain(t($item['title']));
+ * @endcode
+ *
+ * Instead, translation of these data can be done through the locale system,
+ * either directly or through helper functions provided by contributed
+ * modules.
+ * @see hook_locale()
+ *
+ * During installation, st() is used in place of t(). Code that may be called
+ * during installation or during normal operation should use the get_t()
+ * helper function.
+ * @see st()
+ * @see get_t()
+ *
 * @param $string
 * A string containing the English string to translate.
 * @param $args
diff -ru ../drupal-5.14/includes/form.inc ./includes/form.inc
--- ../drupal-5.14/includes/form.inc 2008-09-15 16:03:17.000000000 +1000
+++ ./includes/form.inc 2008-12-21 13:38:53.000000000 +1100
@@ -1,5 +1,5 @@
 $form_values['info']))); cache_clear_all(); return 'admin/build/block';
diff -ru ../drupal-5.14/modules/blog/blog.info ./modules/blog/blog.info
--- ../drupal-5.14/modules/blog/blog.info 2008-12-12 04:50:17.000000000 +1100
+++ ./modules/blog/blog.info 2009-01-15 10:40:15.000000000 +1100
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
-; Information added by drupal.org packaging script on 2008-12-11
-version = "5.14"
+; Information added by drupal.org packaging script on 2009-01-14
+version = "5.15"
 project = "drupal"
-datestamp = "1229017817"
+datestamp = "1231976415"
diff -ru ../drupal-5.14/modules/blogapi/blogapi.info ./modules/blogapi/blogapi.info
--- ../drupal-5.14/modules/blogapi/blogapi.info 2008-12-12 04:50:17.000000000 +1100
+++ ./modules/blogapi/blogapi.info 2009-01-15 10:40:15.000000000 +1100
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
-; Information added by drupal.org packaging script on 2008-12-11
-version = "5.14"
+; Information added by drupal.org packaging script on 2009-01-14
+version = "5.15"
 project = "drupal"
-datestamp = "1229017817"
+datestamp = "1231976415"
diff -ru ../drupal-5.14/modules/book/book.info ./modules/book/book.info
--- ../drupal-5.14/modules/book/book.info 2008-12-12 04:50:17.000000000 +1100
+++ ./modules/book/book.info 2009-01-15 10:40:15.000000000 +1100
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
-; Information added by drupal.org packaging script on 2008-12-11
-version = "5.14"
+; Information added by drupal.org packaging script on 2009-01-14
+version = "5.15"
 project = "drupal"
-datestamp = "1229017817"
+datestamp = "1231976415"
diff -ru ../drupal-5.14/modules/color/color.info ./modules/color/color.info
--- ../drupal-5.14/modules/color/color.info 2008-12-12 04:50:17.000000000 +1100
+++ ./modules/color/color.info 2009-01-15 10:40:15.000000000 +1100
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
-; Information added by drupal.org packaging script on 2008-12-11
-version = "5.14"
+; Information added by drupal.org packaging script on 2009-01-14
+version = "5.15"
 project = "drupal"
-datestamp = "1229017817"
+datestamp = "1231976415"
diff -ru ../drupal-5.14/modules/color/color.module ./modules/color/color.module
--- ../drupal-5.14/modules/color/color.module 2008-02-11 17:53:01.000000000 +1100
+++ ./modules/color/color.module 2008-12-21 13:56:30.000000000 +1100
@@ -1,5 +1,5 @@
 'fieldset',
- '#title' => t('Color scheme'),
- '#weight' => -1,
- '#attributes' => array('id' => 'color_scheme_form'),
- '#theme' => 'color_scheme_form',
- );
- $form['color'] += color_scheme_form(arg(4));
- $form['#submit']['color_scheme_form_submit'] = array();
+ if ($form_id == 'system_theme_settings' && color_get_info(arg(4)) && function_exists('gd_info')) {
+ if (variable_get('file_downloads', FILE_DOWNLOADS_PUBLIC) != FILE_DOWNLOADS_PUBLIC) {
+ // Disables the color changer when the private download method is used.
+ // TODO: This should be solved in a different way. See issue #181003.
+ drupal_set_message(t('The color picker only works if the download method is set to public.', array('@url' => url('admin/settings/file-system'))));
+ }
+ else {
+ $form['color'] = array(
+ '#type' => 'fieldset',
+ '#title' => t('Color scheme'),
+ '#weight' => -1,
+ '#attributes' => array('id' => 'color_scheme_form'),
+ '#theme' => 'color_scheme_form',
+ );
+ $form['color'] += color_scheme_form(arg(4));
+ $form['#submit']['color_scheme_form_submit'] = array();
+ }
 }
 // Use the generated screenshot in the theme list
diff -ru ../drupal-5.14/modules/comment/comment.info ./modules/comment/comment.info
--- ../drupal-5.14/modules/comment/comment.info 2008-12-12 04:50:17.000000000 +1100
+++ ./modules/comment/comment.info 2009-01-15 10:40:15.000000000 +1100
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
-; Information added by drupal.org packaging script on 2008-12-11
-version = "5.14"
+; Information added by drupal.org packaging script on 2009-01-14
+version = "5.15"
 project = "drupal"
-datestamp = "1229017817"
+datestamp = "1231976415"
diff -ru ../drupal-5.14/modules/contact/contact.info ./modules/contact/contact.info
--- ../drupal-5.14/modules/contact/contact.info 2008-12-12 04:50:17.000000000 +1100
+++ ./modules/contact/contact.info 2009-01-15 10:40:15.000000000 +1100
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
-; Information added by drupal.org packaging script on 2008-12-11
-version = "5.14"
+; Information added by drupal.org packaging script on 2009-01-14
+version = "5.15"
 project = "drupal"
-datestamp = "1229017817"
+datestamp = "1231976415"
diff -ru ../drupal-5.14/modules/drupal/drupal.info ./modules/drupal/drupal.info
--- ../drupal-5.14/modules/drupal/drupal.info 2008-12-12 04:50:17.000000000 +1100
+++ ./modules/drupal/drupal.info 2009-01-15 10:40:15.000000000 +1100
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
-; Information added by drupal.org packaging script on 2008-12-11
-version = "5.14"
+; Information added by drupal.org packaging script on 2009-01-14
+version = "5.15"
 project = "drupal"
-datestamp = "1229017817"
+datestamp = "1231976415"
diff -ru ../drupal-5.14/modules/filter/filter.info ./modules/filter/filter.info
--- ../drupal-5.14/modules/filter/filter.info 2008-12-12 04:50:17.000000000 +1100
+++ ./modules/filter/filter.info 2009-01-15 10:40:15.000000000 +1100
@@ -4,8 +4,8 @@
 package = Core - required
 version = VERSION
-; Information added by drupal.org packaging script on 2008-12-11
-version = "5.14"
+; Information added by drupal.org packaging script on 2009-01-14
+version = "5.15"
 project = "drupal"
-datestamp = "1229017817"
+datestamp = "1231976415"
diff -ru ../drupal-5.14/modules/filter/filter.module ./modules/filter/filter.module
--- ../drupal-5.14/modules/filter/filter.module 2008-12-11 09:21:27.000000000 +1100
+++ ./modules/filter/filter.module 2008-12-21 13:47:24.000000000 +1100
@@ -1,5 +1,5 @@
 '. $name .':
 '; }
- $tips = '';
- foreach ($tiplist as $tip) {
- $tips .= '' : '>') . $tip['tip'] . '';
- }
-
- if ($tips) {
- $output .= "";
+ if (count($tiplist) > 0) {
+ $output .= '';
 }
 if ($multiple) {
diff -ru ../drupal-5.14/modules/forum/forum.info ./modules/forum/forum.info
--- ../drupal-5.14/modules/forum/forum.info 2008-12-12 04:50:17.000000000 +1100
+++ ./modules/forum/forum.info 2009-01-15 10:40:15.000000000 +1100
@@ -5,8 +5,8 @@
 package = Core - optional
 version = VERSION
-; Information added by drupal.org packaging script on 2008-12-11
-version = "5.14"
+; Information added by drupal.org packaging script on 2009-01-14
+version = "5.15"
 project = "drupal"
-datestamp = "1229017817"
+datestamp = "1231976415"
diff -ru ../drupal-5.14/modules/help/help.info ./modules/help/help.info
--- ../drupal-5.14/modules/help/help.info 2008-12-12 04:50:17.000000000 +1100
+++ ./modules/help/help.info 2009-01-15 10:40:15.000000000 +1100
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
-; Information added by drupal.org packaging script on 2008-12-11
-version = "5.14"
+; Information added by drupal.org packaging script on 2009-01-14
+version = "5.15"
 project = "drupal"
-datestamp = "1229017817"
+datestamp = "1231976415"
diff -ru ../drupal-5.14/modules/legacy/legacy.info ./modules/legacy/legacy.info
--- ../drupal-5.14/modules/legacy/legacy.info 2008-12-12 04:50:17.000000000 +1100
+++ ./modules/legacy/legacy.info 2009-01-15 10:40:15.000000000 +1100
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
-; Information added by drupal.org packaging script on 2008-12-11
-version = "5.14"
+; Information added by drupal.org packaging script on 2009-01-14
+version = "5.15"
 project = "drupal"
-datestamp = "1229017817"
+datestamp = "1231976415"
diff -ru ../drupal-5.14/modules/locale/locale.info ./modules/locale/locale.info
--- ../drupal-5.14/modules/locale/locale.info 2008-12-12 04:50:17.000000000 +1100
+++ ./modules/locale/locale.info 2009-01-15 10:40:15.000000000 +1100
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
-; Information added by drupal.org packaging script on 2008-12-11
-version = "5.14"
+; Information added by drupal.org packaging script on 2009-01-14
+version = "5.15"
 project = "drupal"
-datestamp = "1229017817"
+datestamp = "1231976415"
diff -ru ../drupal-5.14/modules/menu/menu.info ./modules/menu/menu.info
--- ../drupal-5.14/modules/menu/menu.info 2008-12-12 04:50:17.000000000 +1100
+++ ./modules/menu/menu.info 2009-01-15 10:40:15.000000000 +1100
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
-; Information added by drupal.org packaging script on 2008-12-11
-version = "5.14"
+; Information added by drupal.org packaging script on 2009-01-14
+version = "5.15"
 project = "drupal"
-datestamp = "1229017817"
+datestamp = "1231976415"
diff -ru ../drupal-5.14/modules/node/node.info ./modules/node/node.info
--- ../drupal-5.14/modules/node/node.info 2008-12-12 04:50:17.000000000 +1100
+++ ./modules/node/node.info 2009-01-15 10:40:15.000000000 +1100
@@ -4,8 +4,8 @@
 package = Core - required
 version = VERSION
-; Information added by drupal.org packaging script on 2008-12-11
-version = "5.14"
+; Information added by drupal.org packaging script on 2009-01-14
+version = "5.15"
 project = "drupal"
-datestamp = "1229017817"
+datestamp = "1231976415"
diff -ru ../drupal-5.14/modules/node/node.module ./modules/node/node.module
--- ../drupal-5.14/modules/node/node.module 2008-10-09 07:10:26.000000000 +1100
+++ ./modules/node/node.module 2009-01-15 10:32:14.000000000 +1100
@@ -1,5 +1,5 @@
 '2.0',
- 'title' => variable_get('site_name', 'Drupal') .' - '. variable_get('site_slogan', ''),
+ 'title' => variable_get('site_name', 'Drupal') . (variable_get('site_slogan', '') ? ' - '. variable_get('site_slogan', '') : ''),
 'link' => $base_url,
 'description' => variable_get('site_mission', ''),
 'language' => $locale
@@ -2753,6 +2753,11 @@
 function node_access($op, $node = NULL) {
 global $user;
+ if (!$node || !in_array($op, array('view', 'update', 'delete', 'create'), TRUE)) {
+ // If there was no node to check against, or the $op was not one of the
+ // supported ones, we return access denied.
+ return FALSE;
+ }
 // Convert the node to an object if necessary:
 if ($op != 'create') {
 $node = (object)$node;
diff -ru ../drupal-5.14/modules/path/path.info ./modules/path/path.info
--- ../drupal-5.14/modules/path/path.info 2008-12-12 04:50:17.000000000 +1100
+++ ./modules/path/path.info 2009-01-15 10:40:15.000000000 +1100
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
-; Information added by drupal.org packaging script on 2008-12-11
-version = "5.14"
+; Information added by drupal.org packaging script on 2009-01-14
+version = "5.15"
 project = "drupal"
-datestamp = "1229017817"
+datestamp = "1231976415"
diff -ru ../drupal-5.14/modules/path/path.module ./modules/path/path.module
--- ../drupal-5.14/modules/path/path.module 2008-02-11 16:11:58.000000000 +1100
+++ ./modules/path/path.module 2009-01-14 16:59:09.000000000 +1100
@@ -1,5 +1,5 @@
 'textfield',
 '#title' => t('Existing system path'),
 '#default_value' => $edit['src'],
- '#maxlength' => 64,
+ '#maxlength' => 128,
 '#size' => 45,
 '#description' => t('Specify the existing path you wish to alias. For example: node/28, forum/1, taxonomy/term/1+2.'),
 '#field_prefix' => url(NULL, NULL, NULL, TRUE) . (variable_get('clean_url', 0) ? '' : '?q=')
@@ -187,7 +187,7 @@
 $form['dst'] = array(
 '#type' => 'textfield',
 '#default_value' => $edit['dst'],
- '#maxlength' => 64,
+ '#maxlength' => 128,
 '#size' => 45,
 '#description' => t('Specify an alternative path by which this data can be accessed. For example, type "about" when writing an about page. Use a relative path and don\'t add a trailing slash or the URL alias won\'t work.'),
 '#field_prefix' => url(NULL, NULL, NULL, TRUE) . (variable_get('clean_url', 0) ? '' : '?q=')
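Review bot: The new guard's `!$node` is a truthiness test, and for `$op == 'create'` the lines just below it (which cast to object only when `$op != 'create'`) indicate `$node` is not a node object there but presumably the node type name, so an empty or otherwise falsy type value is denied together with a genuinely missing node. That is a sensible fail-closed default, but the comment should say both cases are intended, e.g. `// Deny when no node (or, for 'create', no type) was given, or when $op is not a supported operation.` The strict `in_array(..., TRUE)` is the right choice here, since `$op` is a caller-supplied string and a loose comparison in PHP 5 would also accept non-string values such as integer 0. node_access's body continues past the end of the hunk.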
@@ -269,7 +269,7 @@
 $form['path']['path'] = array(
 '#type' => 'textfield',
 '#default_value' => $path,
- '#maxlength' => 250,
+ '#maxlength' => 128,
 '#collapsible' => TRUE,
 '#collapsed' => TRUE,
 '#description' => t('Optionally specify an alternative URL by which this node can be accessed. For example, type "about" when writing an about page. Use a relative path and don\'t add a trailing slash or the URL alias won\'t work.'),
diff -ru ../drupal-5.14/modules/ping/ping.info ./modules/ping/ping.info
--- ../drupal-5.14/modules/ping/ping.info 2008-12-12 04:50:17.000000000 +1100
+++ ./modules/ping/ping.info 2009-01-15 10:40:15.000000000 +1100
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
-; Information added by drupal.org packaging script on 2008-12-11
-version = "5.14"
+; Information added by drupal.org packaging script on 2009-01-14
+version = "5.15"
 project = "drupal"
-datestamp = "1229017817"
+datestamp = "1231976415"
diff -ru ../drupal-5.14/modules/poll/poll.info ./modules/poll/poll.info
--- ../drupal-5.14/modules/poll/poll.info 2008-12-12 04:50:17.000000000 +1100
+++ ./modules/poll/poll.info 2009-01-15 10:40:15.000000000 +1100
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
-; Information added by drupal.org packaging script on 2008-12-11
-version = "5.14"
+; Information added by drupal.org packaging script on 2009-01-14
+version = "5.15"
 project = "drupal"
-datestamp = "1229017817"
+datestamp = "1231976415"
diff -ru ../drupal-5.14/modules/profile/profile.info ./modules/profile/profile.info
--- ../drupal-5.14/modules/profile/profile.info 2008-12-12 04:50:17.000000000 +1100
+++ ./modules/profile/profile.info 2009-01-15 10:40:15.000000000 +1100
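Review bot: The literal `128` is now written into three separate `#maxlength` entries (this hunk, which lowers 250 to 128, and the two earlier path.module hunks on the `src` and `dst` fields, which raise 64 to 128) with nothing in the code saying what the limit is tied to — presumably the width of the alias storage columns, but the hunks do not show it. A single constant near the top of path.module, for example `define('PATH_ALIAS_MAXLENGTH', 128);` used as `'#maxlength' => PATH_ALIAS_MAXLENGTH,` (name illustrative), would keep the three fields in step and give the limit a place for a comment. If the form layer also enforces `#maxlength` on submit, as it is usually relied on to do, a node that already carries an alias longer than 128 characters would now fail validation when re-saved, which deserves a mention alongside the CHANGELOG entry for this release. The enclosing form-building code starts before this hunk.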
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
-; Information added by drupal.org packaging script on 2008-12-11
-version = "5.14"
+; Information added by drupal.org packaging script on 2009-01-14
+version = "5.15"
 project = "drupal"
-datestamp = "1229017817"
+datestamp = "1231976415"
diff -ru ../drupal-5.14/modules/profile/profile.module ./modules/profile/profile.module
--- ../drupal-5.14/modules/profile/profile.module 2008-11-15 13:43:55.000000000 +1100
+++ ./modules/profile/profile.module 2009-01-14 16:38:52.000000000 +1100
@@ -1,5 +1,5 @@
 required ? array() : array('--');
- $lines = split("[,\n\r]", $field->options);
+ $lines = split("[\n\r]", $field->options);
 foreach ($lines as $line) {
 if ($line = trim($line)) {
 $options[$line] = $line;
diff -ru ../drupal-5.14/modules/search/search.info ./modules/search/search.info
--- ../drupal-5.14/modules/search/search.info 2008-12-12 04:50:17.000000000 +1100
+++ ./modules/search/search.info 2009-01-15 10:40:15.000000000 +1100
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
-; Information added by drupal.org packaging script on 2008-12-11
-version = "5.14"
+; Information added by drupal.org packaging script on 2009-01-14
+version = "5.15"
 project = "drupal"
-datestamp = "1229017817"
+datestamp = "1231976415"
diff -ru ../drupal-5.14/modules/statistics/statistics.info ./modules/statistics/statistics.info
--- ../drupal-5.14/modules/statistics/statistics.info 2008-12-12 04:50:17.000000000 +1100
+++ ./modules/statistics/statistics.info 2009-01-15 10:40:15.000000000 +1100
@@ -4,8 +4,8 @@
 package = Core - optional
 version = VERSION
-; Information added by drupal.org packaging script on 2008-12-11
-version = "5.14"
+; Information added by drupal.org packaging script on 2009-01-14
+version = "5.15"
 project = "drupal"
-datestamp = "1229017817"
+datestamp = "1231976415"
diff -ru ../drupal-5.14/modules/system/system.info ./modules/system/system.info
--- ../drupal-5.14/modules/system/system.info 2008-12-12 04:50:17.000000000 +1100
+++ ./modules/system/system.info 2009-01-15 10:40:15.000000000 +1100
@@ -4,8 +4,8 @@
 package = Core - required
 version = VERSION
-; Information added by drupal.org packaging script on 2008-12-11
-version = "5.14"
+; Information added by drupal.org packaging script on 2009-01-14
+version = "5.15"
 project = "drupal"
-datestamp = "1229017817"
+datestamp = "1231976415"
diff -ru ../drupal-5.14/modules/system/system.module ./modules/system/system.module
--- ../drupal-5.14/modules/system/system.module 2008-12-12 04:37:27.000000000 +1100
+++ ./modules/system/system.module 2009-01-15 10:32:15.000000000 +1100
@@ -1,12 +1,12 @@