Drupal Release: 4.7.3

TL;DR

Drupal 4.7.3: Security & Stability Update

This release addresses multiple security vulnerabilities, fixes numerous PHP notices and warnings, and improves overall stability. Key improvements include XML-RPC security fixes, better handling of concurrent node editing, and various performance optimizations. This maintenance release is recommended for all Drupal 4.7.x users to ensure security and stability.

Highlight of the Release

• Security fix for XML-RPC vulnerabilities (SA-2006-011)
• Fixed concurrent node editing issue that could result in lost changes
• Improved performance with optimized locale initialization
• Better handling of search queries with special characters when clean URLs are enabled
• Fixed book module recursion issues and improved functionality

Migration Guide

No specific migration steps are required for this update. This is a maintenance release that focuses on bug fixes and security improvements without introducing breaking changes.

To update:

1. Back up your database and site files
2. Replace your existing Drupal files with the new 4.7.3 release files, keeping your customized files intact
3. Run the update script by visiting update.php in your browser
4. Clear caches after the update is complete

No configuration changes or special steps are needed after updating.

Upgrade Recommendations

Priority: High

All sites running Drupal 4.7.x should upgrade to this release as soon as possible due to the security fixes included (SA-2006-011). The update also addresses numerous bugs and performance issues that improve overall site stability.

This is a maintenance release with no API changes, so the upgrade process should be straightforward with minimal risk of breaking existing functionality. The security improvements alone make this update highly recommended for all Drupal 4.7.x sites.

Bug Fixes

Core System

• Fixed infinite recursion in book_location_down() when there are multiple revisions
• Fixed locale initialization slowness
• Fixed file_create_url() function
• Improved error reporting functionality
• Fixed issue with deleting user ID 0 on duplicate deletions
• Fixed theme_get_settings() to use basename instead of pretty name
• Properly initialized variables in multiple places to prevent PHP notices
• Fixed handling of ampersands in search queries and other URLs when clean URLs are enabled
• Removed redundant module_invoke() call
• Fixed various undefined index and variable issues
• Fixed PHP warnings throughout the codebase

Content Management

• Fixed issue where two people editing a node simultaneously could result in loss of changes
• Made book_export_html themeable and fixed HTML page title setting
• Fixed handling of commenting on nodes containing forms
• Improved parent navigation link functionality

User Management

• Fixed issue where deleted roles were not removed from users_roles table
• Fixed issue where anonymous/authenticated roles were not filtered out upon saving new user accounts

Search & Navigation

• Added db_rewrite_sql() to taxonomy/autocomplete
• Fixed 301 redirects in aggregator
• Removed trailing ampersand from tablesort URLs
• Fixed return values of drupal_is_front_page()
• Properly generated home link in breadcrumb

RSS & XML

• Corrected header information of RSS feeds from text/xml to application/rss+xml
• Fixed glitch with return value checking in XML-RPC client
• Improved format_rss_channel() to allow attributes

Caching

• Fixed issue with sending proper headers when caching is turned off
• Fixed "Double logins" issue related to caching
• Added cache invalidation when saving via the node admin page

New Features

No significant new features were added in this maintenance release. This update focuses primarily on bug fixes, security improvements, and performance optimizations to enhance the stability and security of Drupal 4.7.x.

Security Updates

• Implemented SA-2006-011 security advisory fixes
• Fixed XML-RPC vulnerabilities with improved validation and error checking
• Added proper access checking in several areas of the system
• Improved URL handling with proper encoding using drupal_urlencode() instead of urlencode()
• Fixed potential security issues with form handling and validation

Performance Improvements

Performance Enhancements

• Fixed locale initialization slowness (Patch #65801), which significantly improves page load times for multilingual sites
• Optimized search indexing by improving how content is indexed during cron runs
• Changed from DESC to implicit ASC in certain queries for better database performance
• Cleaned up and optimized book_load() function for better efficiency
• Removed unnecessary conditions in several database queries for improved performance

Impact Summary

Drupal 4.7.3 is primarily a security and bug fix release that addresses multiple vulnerabilities and stability issues. The most significant impact comes from the security fixes (SA-2006-011) and the fix for concurrent node editing that prevents loss of content changes.

Performance improvements to locale initialization will be particularly noticeable for multilingual sites, while the numerous PHP notice and warning fixes contribute to a more stable system overall. The XML-RPC improvements enhance security and functionality for sites using remote procedures.

This release doesn't introduce new features or breaking changes, making it a safe and recommended upgrade for all Drupal 4.7.x sites. The focus on stability and security means users should experience fewer errors and a more reliable system after upgrading.