Drupal Release: 4.7.4

Tag Name: 4.7.4

Release Date: 10/18/2006

Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.

TL;DR

Drupal 4.7.4: Comprehensive Maintenance Release

This maintenance release for Drupal 4.7.x addresses numerous bugs and security issues across multiple modules. Key improvements include fixes for search functionality, forum taxonomy handling, file upload security, caching optimizations, and better browser compatibility. The update focuses on backporting critical fixes from HEAD to ensure stability and security for 4.7.x users without introducing new features.

Highlights of the Release

    • Fixed search functionality to always go to search pages when searching, particularly important on 404 pages
    • Improved file upload security with better validation
    • Fixed race condition in block administration that could cause data loss
    • Better browser compatibility, especially for IE6 file downloads
    • Improved caching behavior for better performance

Migration Guide

No specific migration steps are required for this maintenance release. Drupal 4.7.4 is a bug fix release that maintains compatibility with previous 4.7.x versions.

When upgrading from 4.7.3 to 4.7.4:

  1. Back up your database and site files
  2. Replace all core files and directories except for:
    • sites/ directory
    • files/ directory
    • settings.php file
  3. Run the update script by visiting http://yoursite.com/update.php

No database schema changes are included in this release, so the update process should be straightforward.
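The three steps above as one guarded shell function. This is an added example, not part of the release notes or of Drupal itself; the function name, argument order and backup file name are assumptions, and the database dump is expected to have been produced beforehand with the site's own database tooling. Each replaced core directory is removed before the new copy is put in place, so files dropped from the new release do not linger in the docroot.

```shell
#!/bin/sh
# Added example: the upgrade steps as one guarded function.
# Function name, argument order and backup file name are assumptions.

# upgrade_core DOCROOT RELEASE_DIR BACKUP_DIR DB_DUMP
# Prints the path of the file backup on success.
upgrade_core() {
    docroot=$1 release=$2 backup_dir=$3 db_dump=$4

    [ -d "$docroot" ] && [ -f "$release/update.php" ] || {
        echo "need an existing docroot and an unpacked release tree" >&2
        return 2
    }
    # Step 1a: refuse to continue without a non-empty database dump.
    [ -s "$db_dump" ] || { echo "database dump missing or empty" >&2; return 2; }
    # The archive must not be written into the tree it is archiving.
    case "$backup_dir/" in
        "$docroot"/*) echo "backup dir must be outside docroot" >&2; return 2 ;;
    esac

    # Step 1b: archive the site files before touching anything.
    mkdir -p "$backup_dir" || return 1
    backup="$backup_dir/site-files-$(date +%Y%m%d%H%M%S).tar"
    tar -cf "$backup" -C "$docroot" . || return 1

    # Step 2: replace each top-level core entry (dotfiles included),
    # skipping the three paths the guide says to keep.
    for entry in "$release"/* "$release"/.[!.]*; do
        [ -e "$entry" ] || continue
        name=${entry##*/}
        case $name in
            sites|files|settings.php) continue ;;
        esac
        rm -rf "${docroot:?}/$name" || return 1
        cp -R "$entry" "$docroot/" || return 1
    done

    # Step 3 is manual: the update script runs in the browser.
    echo "now visit update.php on the site to finish the upgrade" >&2
    echo "$backup"
}
```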

Upgrade Recommendations

This release contains important bug fixes and security improvements that have been backported from HEAD. All users of Drupal 4.7.x are strongly encouraged to upgrade to 4.7.4 as soon as possible.

The update addresses several security vulnerabilities, fixes critical bugs in core functionality, and improves overall system stability. Since this is a maintenance release with no new features or API changes, the upgrade process should be straightforward with minimal risk of breaking existing functionality.

Priority: High. Difficulty: Low. Estimated time: 15-30 minutes.

Bug Fixes

Core System

  • Fixed drupal_is_front_page() to work correctly with aliased front pages
  • Corrected URL validation with missing semicolon
  • Fixed incorrect comparison in url() function
  • Improved error handling with 503 HTTP response when database is down
  • Fixed documentation for drupal_goto()
  • Corrected theme_closure to use proper theming function

Search & Navigation

  • Fixed search functionality to always direct to search pages, particularly important on 404 pages
  • Improved pager query regular expression for stricter matching
  • Fixed missing links in users list page (/profile)

Content Management

  • Fixed forum taxonomy handling to prevent reverting changes to non-forum taxonomy
  • Corrected revision system PHP warning when reverting to earlier revisions
  • Fixed node validation to allow programmatic node submission
  • Improved node teaser generation
  • Fixed poll title display to work as in previous versions
  • Fixed preview functionality

File Handling

  • Improved file upload validation for better security
  • Fixed magic quotes handling for files
  • Prevented double escaping of filenames in upload module
  • Added support for PNG images with alpha transparency
  • Fixed file download compatibility with Internet Explorer 6
  • Improved .htaccess file in the files directory for better compatibility

Taxonomy & Categories

  • Fixed issue where category names couldn't contain ampersands
  • Corrected empty vocabulary rendering in taxonomy forms
  • Fixed hook_taxonomy op='form' to properly receive the edit array
  • Improved handling of free tagging terms in text fields

Caching & Performance

  • Fixed race condition in block administration that could cause data loss
  • Improved caching for path lookups
  • Prevented redundant cache_clear_all() calls inside loops
  • Added cache invalidation when polls are voted on

User Management

  • Prevented user 1 (admin) from being blocked or deleted
  • Excluded blocked users from user listings

Multilingual

  • Fixed ISO 639 language code for Welsh
  • Fixed issue where msgid_plurals were lost in exported .po files

Database

  • Improved database query security with stricter db_rewrite_sql() regular expression
  • Fixed PostgreSQL connection warnings
  • Fixed PostgreSQL compatibility with book outlining

Aggregator

  • Fixed Atom feed handling in the aggregator
  • Corrected function definition of aggregator_block()

New Features

No new features were introduced in this maintenance release. Drupal 4.7.4 focuses exclusively on bug fixes, security improvements, and performance optimizations backported from HEAD.

Security Updates

File Upload Security

  • Improved validation for the upload module administration
  • Fixed magic quotes handling for uploaded files
  • Prevented double escaping of filenames in the upload module
  • Created more compatible .htaccess file for the files directory

User Management Security

  • Prevented user 1 (admin) from being blocked or deleted
  • Excluded blocked users from user listings
  • Fixed access checking for 'edit primary links' functionality

Database Security

  • Implemented more strict regular expressions for db_rewrite_sql() to prevent SQL injection
  • Enhanced pager query regular expressions for better security
  • Fixed PostgreSQL connection handling to eliminate warnings

Other Security Improvements

  • Added clarification about UTF-7 exploit prevention in drupal_set_header()
  • Improved HTTP response handling with 503 status when database is down
  • Fixed potential XSS issues with proper escaping in multiple places

Performance Improvements

Caching Optimizations

  • Fixed caching behavior for path lookups, ensuring the right data is cached
  • Prevented redundant cache_clear_all() calls inside loops, reducing unnecessary operations
  • Added proper cache invalidation when polls are voted on, maintaining data consistency without over-clearing

Database Query Improvements

  • Implemented more strict regular expressions for db_rewrite_sql(), improving query security and performance
  • Enhanced pager query regular expressions for better handling of complex queries
  • Removed redundant code in several functions, streamlining execution

General Performance

  • Fixed race condition in block administration, preventing potential performance issues
  • Improved node teaser generation for better efficiency
  • Optimized file handling processes, particularly for uploads and downloads

Impact Summary

Drupal 4.7.4 is a significant maintenance release that addresses numerous bugs and security issues across the core system. The impact is primarily positive, providing more stable and secure operation without disrupting existing functionality.

Key impacts include:

  1. Enhanced Security: Multiple security improvements in file handling, user management, and database queries reduce vulnerability to common attacks.

  2. Improved Stability: Fixes for race conditions, caching issues, and database handling make the system more reliable, particularly for high-traffic sites.

  3. Better Browser Compatibility: Fixes for IE6 file downloads and PNG transparency support improve the experience for users on older browsers.

  4. Content Management Improvements: Fixes to forum taxonomy, node validation, and preview functionality make content creation and management more reliable.

  5. Performance Optimization: Caching improvements and elimination of redundant operations enhance overall system performance.

This release represents an important update for maintaining the security and stability of Drupal 4.7.x sites without introducing breaking changes or requiring significant adaptation from site administrators or developers.

Statistics:

  • Files Changed: 41
  • Line Additions: 553
  • Line Deletions: 251
  • Line Changes: 804
  • Total Commits: 61

Users Affected:

  • Improved security for file uploads with better validation
  • Fixed potential data loss issue in block administration
  • Better handling of user management (preventing user 1 from being blocked)
  • More reliable caching behavior

Contributors:

dbuytaert