Drupal Release: 4.7.0-beta-6

TL;DR

Drupal 4.7.0-beta-6: Security Fixes and Form API Improvements

This beta release focuses on security fixes and Form API (FAPI) improvements. It addresses several critical security vulnerabilities including session fixation, XSS issues, and email header injection. The release also includes significant FAPI conversions across multiple modules, bug fixes for path aliases, comment handling, and file API improvements. This update is essential for all Drupal 4.7 beta users to ensure site security and stability.

Highlight of the Release

• Critical security fixes addressing session fixation, XSS vulnerabilities, and email header injection (SA-2006-001, SA-2006-002, SA-2006-003, SA-2006-004)
• Extensive Form API conversions across multiple modules improving consistency and reliability
• Fixed path alias encoding issues that were causing broken URLs on profile pages
• Improved file handling with fixes for open_basedir restrictions and file attachment issues
• Enhanced comment functionality with proper hook_comment implementation and better navigation

Migration Guide

Database Schema Changes

• The filter module now makes the format name a UNIQUE field. The update path is included in this release and will be automatically applied when running update.php.

Form API Changes

Many modules have been converted to the Form API model in this release. If you've created custom modules that extend or modify these forms, you'll need to update your code:

• Block administration page
• Filter module forms
• Forum administration forms
• Aggregator module forms
• Profile module forms

Custom Form Handling

If you've implemented custom form handling:

1. Review any code that relies on checkbox behavior, as FAPI now includes unchecked checkboxes with a value of 0
2. If you're using multipart forms for file uploads, ensure you're using the proper FAPI methods as fixes were applied in this area

Path Handling

If you're using custom path handling or URL generation:

1. Review code that generates URLs, especially for profile pages
2. Check any code that works with path aliases

File API

If you're using the File API:

1. Review code that uses hook_file_download as a regression was fixed
2. Check for compatibility with the fixes for open_basedir restrictions

Run update.php after upgrading to apply all database schema changes and updates.

Upgrade Recommendations

Urgency: Critical

All users of Drupal 4.7 beta releases should upgrade immediately to 4.7.0-beta-6 due to the critical security fixes included in this release. The security vulnerabilities addressed could potentially allow unauthorized access to your site, session hijacking, or other serious security breaches.

Upgrade Steps:

1. Back up your database and site files
2. Replace all core files and directories except for the sites directory
3. Run update.php by visiting http://example.com/update.php (replace example.com with your domain)
4. Clear all caches

Special Considerations:

• If you've modified any core files, you'll need to reapply your changes after the upgrade
• Custom modules that interact with forms may need updates due to the extensive Form API conversions
• Test thoroughly in a staging environment before upgrading production sites

This beta release represents significant progress toward the stable 4.7.0 release and includes important security and functionality improvements that make the upgrade strongly recommended for all beta testers.

Bug Fixes

• Path and URL Fixes:

  • Fixed inconsistent encoding of path aliases that caused broken URLs on profile pages (#46746)
  • Fixed issues with editing path aliases (#52157)
  • Fixed bug with linking to absolute URLs through l() function (#49211)
  • Improved relative links updater (#53540)

• Comment System Improvements:

  • Fixed comment order issues during updates (#52403)
  • Added message when replying to non-existent comments (#50835)
  • Fixed "add new comment" link navigation (#51543)
  • Ensured hook_comment is called for all update operations (#51142)

• Form Handling:

  • Fixed multipart node forms that were broken (#52292)
  • Added validation to filter_form (#52484)
  • Fixed issues with unchecked taxonomy lists (#53351)
  • Made it possible to set errors on selection items (#51516)

• File System:

  • Fixed problems with file API and open_basedir restrictions (#5961)
  • Fixed regression with hook_file_download (#52092)
  • Fixed issues with attaching files (#42358)

• Forum Functionality:

  • Fixed warnings when moving forum posts and leaving shadow copies (#51635)
  • Fixed inability to move forum topics created by anonymous users (#43032)

• Database and Performance:

  • Fixed warning in upgrade path (#52303)
  • Made upgrade path work with PostgreSQL (#52265, #52921)
  • Fixed "Out of range value adjusted for column" error (#42388)
  • Fixed various problems with db_rewrite_sql (#51850)

• Node System:

  • Fixed empty node teasers (#51522)
  • Made "Create new revision" respect node type settings (#53012)
  • Fixed node preview with PHP5 (#52586)

• JavaScript and JSON:

  • Fixed drupal_to_js() improper handling of booleans (#52771)
  • Implemented stricter (IE5-compatible) JSON output (#53368)

• Locale and Internationalization:

  • Fixed warnings when inserting locale strings (#52324)

• Theme System:

  • Fixed theme system regressions (#52508)

• Security:

  • Fixed custom menu items being accessible to anyone (SA-2006-001)
  • Fixed XSS issues with username log and mission (SA-2006-002)
  • Fixed session fixation issue (SA-2006-003)
  • Fixed email header injection issue (SA-2006-004)

New Features

• Form API Enhancement: Added a new form attribute that allows form developers to hook into validation results during form building, providing more flexibility in form construction.
• Status Messages for Administration: Added watchdog messages for category and feed additions/deletions in the aggregator module.
• Improved Help System: Help items are now sorted alphabetically for better navigation and readability.
• Duplicate Detection: Added checks for duplicate titles in categories and duplicate title+URL combinations in feeds.

Security Updates

This release includes four critical security fixes:

• SA-2006-001: Fixed vulnerability where custom menu items were accessible to anyone regardless of permissions, which could allow unauthorized access to protected areas of the site.

• SA-2006-002: Addressed XSS (Cross-Site Scripting) issues with username log and mission statement, which could allow attackers to inject malicious scripts into pages viewed by other users.

• SA-2006-003: Fixed session fixation issue that could allow attackers to hijack user sessions and gain unauthorized access to user accounts.

• SA-2006-004: Resolved email header injection issue that could allow attackers to manipulate email headers in system-generated emails, potentially enabling spam relay or phishing attacks.

These security fixes are critical and all Drupal 4.7 beta users should upgrade immediately to protect their sites.

Performance Improvements

• Code Optimization: Several modules had their code simplified and optimized, including:

  • Simplified drupal_attributes() function (#52448)
  • Removed redundant db_escape_string() calls (#52433)
  • General code cleanup and simplification across multiple modules (#52431)

• Database Efficiency:

  • Made db_rewrite_sql() more robust and efficient (#51850)
  • Added missing array initializations to improve memory usage (#53265)

• Form Processing:

  • Cleaned and hardened form_builder for various types of posted elements (#53480), improving both security and performance

Impact Summary

Drupal 4.7.0-beta-6 delivers critical security fixes and significant form handling improvements that enhance both security and usability across the platform. The four security advisories addressed (SA-2006-001 through SA-2006-004) close important vulnerabilities that could otherwise be exploited to compromise Drupal sites.

The extensive Form API conversions across multiple modules create a more consistent administrative experience and lay groundwork for future improvements. These changes touch many core modules including block, filter, forum, and aggregator, bringing them in line with Drupal's evolving form handling standards.

Bug fixes for path aliases, comment handling, and file operations resolve several pain points reported by users during the beta testing period. The improvements to db_rewrite_sql() and other database functions enhance stability, particularly for sites using PostgreSQL.

For developers, the new form attribute that provides access to validation results during form building offers new possibilities for creating more dynamic and responsive forms. The file API improvements resolve long-standing issues with open_basedir restrictions and file attachments.

Overall, this release significantly improves the stability, security, and functionality of Drupal 4.7 as it moves closer to a stable release, while maintaining backward compatibility with previous 4.7 beta releases.