Drupal Release: 4.6.7
Tag Name: 4.6.7
Release Date: 5/25/2006
Drupal: Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.
TL;DR
Drupal 4.6.7: Security and Bug Fix Release
This release addresses critical security vulnerabilities, fixes XML-RPC functionality, improves SQL abstraction, and resolves several important bugs including external URL support for menus and permission issues. It's primarily a maintenance release focused on security hardening and bug fixes rather than new features.
Highlights of the Release
- Critical security fix preventing script execution from files directory
- Fixed XML-RPC functionality to properly handle empty parameters
- Restored external URL support for menus that was broken by previous security patch
- Improved SQL abstraction layer for better database performance
- Fixed permission issue with unlocked nodes when having Admin Comments but not Admin Nodes permission
Migration Guide
No specific migration steps are required for this update. This is a maintenance release that focuses on security improvements and bug fixes without introducing breaking changes.
Simply follow the standard Drupal update procedure:
- Back up your database and site files
- Put your site into maintenance mode
- Replace the existing files with the new release files
- Run the update script by visiting update.php in your browser
- Take your site out of maintenance mode
Upgrade Recommendations
Priority: Critical
All users should upgrade to Drupal 4.6.7 immediately due to the security fixes included in this release, particularly the protection against script execution from the files directory. The bug fixes for XML-RPC functionality and permission handling also address important issues that could affect site operation.
Sites running on PHP 5.1 will especially benefit from this update as it resolves compatibility issues with book navigation links.
Bug Fixes
- External URL Support for Menus: Fixed issue #53857 where external URL support for menus was broken by security advisory SA-2006-001
- PHP 5.1 Compatibility: Resolved issue #50987 where book navigation "next" links were breaking with PHP 5.1
- Permission Handling: Fixed issue #51223 where users couldn't post unlocked nodes if they had Admin Comments but not Admin Nodes permission
- Comment Management: Addressed issue #56942 ensuring comment CIDs properly belong to their associated node ID
- Text Formatting: Backported autop improvements from WordPress (issue #58317) for better paragraph handling
- XML-RPC Functionality: Fixed critical bug where XML-RPC was dropping empty parameters (patch #59513)
- MIME Handling: Removed mime magic (backport from HEAD) to address issue #43220
New Features
No new features were introduced in this maintenance release. This version focuses entirely on security improvements and bug fixes to enhance stability and address vulnerabilities.
Security Updates
- File System Security: Added protection to prevent execution of scripts from the files directory, closing a potential security vulnerability
- XML-RPC Hardening: Fixed XML-RPC backend to properly handle empty parameters, preventing potential security issues related to parameter handling
- Menu Security: Addressed issues related to external URL support for menus that were affected by security advisory SA-2006-001
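A post-upgrade check for the File System Security item above, as an added example that is not part of the Drupal release or its notes: it flags script-like files already sitting in the files directory and checks for an Apache handler override there. The Apache/.htaccess deployment, the extension list and the function names are assumptions; the notes do not say how the protection is implemented.

```shell
#!/bin/sh
# Added example: post-upgrade audit of an upload ("files") directory.
# Assumptions (not from the release notes): Apache with .htaccess overrides
# enabled, and the extension list below.

# Script extension in the final path component, including double
# extensions such as name.php.jpg.
SCRIPT_EXT_RE='\.(php[0-9]?|phtml|pl|py|cgi|sh|asp|jsp)(\.[^/]*)?$'
# Apache directives that stop uploaded files being handed to an interpreter.
HANDLER_RE='^[[:space:]]*(SetHandler|RemoveHandler|php_flag[[:space:]]+engine[[:space:]]+off)'

# List regular files under DIR whose names look like server-side scripts.
list_script_files() {
    find "$1" -type f ! -name '.htaccess' 2>/dev/null |
        grep -E -i "$SCRIPT_EXT_RE" | sort
}

# Succeed when DIR/.htaccess exists and overrides the content handler.
has_handler_override() {
    [ -f "$1/.htaccess" ] && grep -E -q -i "$HANDLER_RE" "$1/.htaccess"
}

# Report findings for DIR; return 0 when clean, 1 when anything needs review.
audit_files_dir() {
    dir=$1
    status=0
    if ! has_handler_override "$dir"; then
        echo "WARN: $dir/.htaccess missing or has no handler override"
        status=1
    fi
    found=$(list_script_files "$dir")
    if [ -n "$found" ]; then
        echo "WARN: script-like files under $dir:"
        echo "$found" | sed 's/^/  /'
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $dir"
    return "$status"
}

# Usage: sh audit.sh /path/to/drupal/files
if [ -n "${1:-}" ]; then
    audit_files_dir "$1"
fi
```

Files flagged here predate the upgrade and need manual review; the check does not prove the web server honours the override.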
Performance Improvements
- SQL Abstraction Layer: Enhanced the SQL abstraction layer for improved database interaction efficiency and better query handling
- Text Processing: Improved text formatting with optimized autop functionality backported from WordPress, potentially improving page rendering performance
Impact Summary
Drupal 4.6.7 is primarily a security and bug fix release that addresses several critical issues. The most significant impact is the improved security posture through preventing script execution from the files directory and fixing XML-RPC parameter handling.
For administrators and content editors, the restoration of external URL support for menus (previously broken by a security patch) will improve site navigation capabilities. Developers will benefit from the improved SQL abstraction layer and fixed XML-RPC functionality.
The permission issue fix ensures that users with Admin Comments but without Admin Nodes permission can properly post unlocked nodes, improving workflow for sites with complex permission structures.
PHP 5.1 users will see restored functionality for book navigation links that were previously broken. The backported autop improvements from WordPress enhance text formatting across the site.
Statistics:
Users Affected:
- Enhanced security against potential script execution vulnerabilities in the files directory
- Fixed permission issues with unlocked nodes when having Admin Comments but not Admin Nodes permission
- Improved XML-RPC functionality with proper handling of empty parameters
