See https://drupal.org/SA-CORE-2014-002. This is going to be a fun one.
Drupal 7 code can be found at http://drupalcode.org/project/drupal.git/commitdiff/6642fbc7001c728e2181... (and Drupal 6 code at http://drupalcode.org/project/drupal.git/commitdiff/66e94d74994fced9fafb...).
Patch credit: znerol, torotil, rszrama, larowlan, dawehner, pennyaskito, tim.plunkett, sun, Damien Tournoud, David_Rothstein, and effulgentsia
