Drupal Release: 10.1.3

Tag Name: 10.1.3

Release Date: 9/7/2023

Drupal

Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.

TL;DR

Drupal 10.1.3: Bug Fixes and Security Improvements

This minor release focuses on bug fixes, security improvements, and CKEditor 5 updates. It addresses several critical issues including a username enumeration vulnerability, fixes for Views functionality, and improvements to the CKEditor 5 integration. This release is important for maintaining site security and stability, particularly for sites using CKEditor 5 or Views.

Site administrators should update to this version promptly to ensure their sites remain secure and function correctly, especially those using the affected components.

Highlights of the Release

    • Security fix for username enumeration vulnerability via one-time login route
    • Updated CKEditor 5 to version 39.0.1
    • Fixed Views functionality issues including AJAX pagers with exposed filters
    • Improved RTL support for site branding
    • Added utility method for invoking backward compatible code

Migration Guide

No significant migration steps are required for this minor release. This is a maintenance release focused on bug fixes and security improvements.

If you're using CKEditor 5, the update to version 39.0.1 should be seamless and doesn't require any manual intervention beyond the normal update process.

For developers who have been working around the fixed issues, particularly with Views AJAX pagers, ManyToOneHelper group configuration, or cache metadata handling, you may want to review your custom code to remove any workarounds that are no longer necessary.

Upgrade Recommendations

It is strongly recommended to update to Drupal 10.1.3 as soon as possible, especially if your site:

  1. Uses CKEditor 5 for content editing
  2. Has multilingual content with Views
  3. Uses exposed filters with AJAX pagers in Views
  4. Has RTL language support

The security fix for username enumeration makes this update particularly important for all Drupal sites, regardless of specific features in use.

Follow the standard Drupal update procedure:

  1. Back up your database and files
  2. Put your site into maintenance mode
  3. Update Drupal core using Composer (composer update "drupal/core-*" --with-all-dependencies) or by replacing the codebase
  4. Run the database updates (drush updatedb or visit /update.php)
  5. Clear caches
  6. Take your site out of maintenance mode

No special steps are required beyond the normal update process.

Bug Fixes

Security and Access Control

  • Fixed username enumeration vulnerability via one-time login route when logged in as another user (Issue #3327294)
  • Fixed the renderer discarding cache metadata from access results when access is not allowed (Issue #3374253)
  • Improved early return in EntityPermissionsForm::access if the user lacks "administer permissions" (Issue #3344789)

CKEditor 5 Improvements

  • Fixed inability to apply styles to certain HTML elements like <div>, <ul>, <ol>, <table> in CKEditor 5 (Issue #3326261)
  • Fixed random test failures in CKEditor5AllowedTagsTest (Issue #3368509)

Views Functionality

  • Fixed Views translate tabs visibility when editing (Issue #3212759)
  • Fixed MySQL date format translation in Views (Issue #3218087)
  • Fixed AJAX pager not working with exposed filters that have default values (Issue #3100826)

Theme and UI

  • Fixed hardcoded color class for site branding when using RTL (Issue #3379089)
  • Fixed Claro jQuery UI CSS assets being added to the page multiple times (Issue #3378341)
  • Added missing Umami theme dependency on SDC (Issue #3379430)

Database and Installation

  • Fixed installer issue preventing creation of new databases on PostgreSQL (Issue #2010368)

Core System

  • Fixed ManyToOneHelper ignoring group configuration in some cases (Issue #2559961)
  • Fixed file mode check in commit-code-check.sh being too strict (Issue #3377131)
  • Fixed duplicate declaration of $context in WidgetBase (Issue #3378657)
  • Fixed documentation problem with node_is_page (Issue #3381660)
  • Fixed ThemeRegistry build not always returning ThemeRegistry (Issue #2514960)
  • Fixed BrowserTestBase::drupalGet() not handling base URL properly (Issue #2986962)
  • Fixed absolute path handling for oembed iframe (Issue #3311469)
  • Fixed ImageUrlTest failures on GitlabCI integration (Issue #3384764)
  • Updated Peast to version 1.15.4 (Issue #3382123)
  • Fixed need to catch Peast exceptions (Issue #3381097)
  • Removed cruft from LanguageNegotiationMethodManager (Issue #3377318)
  • Converted "enable/disable" to "install/uninstall" in exception text for clarity (Issue #3379525)

New Features

New Utility Method for Backward Compatible Code

A new utility method has been implemented to help developers invoke backward compatible code. This addition (Issue #3371619) provides a standardized approach to handle backward compatibility, making it easier to maintain code that needs to work across different Drupal versions.

Improved Anti-flicker JavaScript

Better ways to add anti-flicker JavaScript have been investigated and implemented (Issue #3355381), providing an improved user experience by reducing visible content flashing during page loads.

Security Updates

Username Enumeration Vulnerability Fix

A security vulnerability has been addressed that allowed username enumeration via the one-time login route when logged in as another user (Issue #3327294). This fix prevents potential attackers from discovering valid usernames on the system, which could be used in further attacks.
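
One way to look for probing of this route in web server logs, as an added example that is not part of the release notes or Drupal's own code. It assumes Combined Log Format access logs and Drupal core's one-time login path /user/reset/{uid}/{timestamp}/{hash}, which this page does not spell out; the sample log lines and the threshold of three distinct user IDs are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: Drupal core's one-time login path, /user/reset/{uid}/{timestamp}/{hash}
# with an optional /login suffix. The path is not given on this page.
RESET_ROUTE = re.compile(r"^/user/reset/(\d+)/[^/\s?]+/[^/\s?]+(?:/login)?/?(?:\?.*)?$")
# Combined Log Format: client ident user [time] "METHOD path protocol" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*"')


def reset_uids_by_client(lines):
    """Map each client address to the distinct user IDs it requested reset links for."""
    seen = defaultdict(set)
    for line in lines:
        entry = LOG_LINE.match(line)
        if not entry:
            continue  # malformed or non-HTTP line
        client, path = entry.groups()
        route = RESET_ROUTE.match(path)
        if route:
            seen[client].add(int(route.group(1)))
    return dict(seen)


def flag_enumeration(lines, threshold=3):
    """Return {client: sorted uids} for clients that hit >= threshold distinct uids.

    A legitimate user follows a link for one account; many distinct uids from
    one client is the pattern worth reviewing.
    """
    return {
        client: sorted(uids)
        for client, uids in reset_uids_by_client(lines).items()
        if len(uids) >= threshold
    }


# Constructed sample log lines (documentation address ranges, made-up hashes).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Sep/2023:10:00:01 +0000] "GET /user/reset/42/1694080000/hashA HTTP/1.1" 200 5120',
    '192.0.2.10 - - [07/Sep/2023:10:00:05 +0000] "POST /user/reset/42/1694080000/hashA/login HTTP/1.1" 302 0',
    '198.51.100.7 - - [07/Sep/2023:10:01:00 +0000] "GET /user/reset/1/1694080000/x HTTP/1.1" 302 0',
    '198.51.100.7 - - [07/Sep/2023:10:01:01 +0000] "GET /user/reset/2/1694080000/x HTTP/1.1" 302 0',
    '198.51.100.7 - - [07/Sep/2023:10:01:02 +0000] "GET /user/reset/3/1694080000/x HTTP/1.1" 302 0',
    '198.51.100.7 - - [07/Sep/2023:10:01:03 +0000] "GET /node/1 HTTP/1.1" 200 9000',
    'not a log line',
]

if __name__ == "__main__":
    for client, uids in flag_enumeration(SAMPLE_LOG).items():
        print(f"{client}: one-time login requests for uids {uids}")
```

Behind a reverse proxy or CDN, group by the forwarded client address rather than the first log field.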

Improved Exception Handling for Peast

Added proper exception handling for Peast (Issue #3381097), preventing potential security issues that could arise from unhandled exceptions in the JavaScript parsing library.

Performance Improvements

Improved Cache Metadata Handling

The renderer now properly preserves cache metadata from access results, even when access is not allowed (Issue #3374253). This ensures that cache metadata is consistently maintained throughout the rendering process, improving cache reliability and performance.

Optimized Asset Loading

Fixed an issue where Claro jQuery UI CSS assets could be added to the page multiple times (Issue #3378341), reducing unnecessary asset loading and improving page load performance.

Impact Summary

Drupal 10.1.3 is a maintenance release that addresses 27 issues, including important security fixes, bug fixes, and enhancements. The most significant impact is the security fix for the username enumeration vulnerability, which affects all Drupal sites.

Content editors will benefit from the updated CKEditor 5 (version 39.0.1) with improved styling capabilities and better stability. Sites with multilingual content and RTL languages will see improved support, particularly in Views functionality and site branding.

Developers gain access to a new utility method for backward compatible code, which will help maintain code that needs to work across different Drupal versions. The fixes to cache metadata handling and various test environment improvements will lead to more reliable development workflows.

Site administrators should prioritize this update due to the security improvements and the numerous bug fixes that enhance overall site stability. The update process follows standard procedures and doesn't require special migration steps.

While this is labeled as a minor release, the security fix and the number of bug fixes make it an important update for maintaining site security and functionality.

Statistics:

Files Changed: 157
Line Additions: 1,661
Line Deletions: 617
Line Changes: 2,278
Total Commits: 31

Users Affected:

  • Need to update to address security vulnerability related to username enumeration
  • Will benefit from improved CKEditor 5 stability and functionality
  • Will experience more reliable Views functionality

Contributors:

longwave, lauriii, xjm