Drupal Release: 5.13
Tag Name: 5.13
Release Date: 12/10/2008
Drupal: Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.
TL;DR
Drupal 5.13 is a security and maintenance release that addresses several critical issues including session handling vulnerabilities, HTTP host validation, and file access restrictions. This update focuses on improving security, fixing bugs in user authentication and session management, and enhancing overall system stability. It's important for all Drupal 5.x site administrators to upgrade to protect their sites from potential security exploits.
Highlight of the Release
- Enhanced security for session handling with HTTP-only cookies
- Improved HTTP host validation to prevent potential attacks
- Fixed race condition in session management causing database errors
- Better protection for sensitive files via improved robots.txt and .htaccess
- Fixed hook_exit() not being invoked for cached requests
Migration Guide
No specific migration steps are required for this maintenance release. Standard update procedures apply:
- Back up your database and site files before upgrading
- Put your site into maintenance mode
- Replace your existing Drupal core files with the new 5.13 release files (keeping your sites directory and any custom modifications)
- Run the update script by navigating to update.php in your browser
- Take your site out of maintenance mode
Note that this is a security release, so it's recommended to update as soon as possible to protect your site from potential vulnerabilities.
Upgrade Recommendations
This release contains important security fixes that protect against session stealing, HTTP host header attacks, and unauthorized file access. All sites running Drupal 5.x should upgrade to 5.13 as soon as possible.
For sites still on Drupal 5.x, this upgrade is critical for maintaining site security. However, it's important to note that Drupal 5.x is no longer officially supported by the Drupal community. If possible, site owners should consider planning a migration to a supported Drupal version (7.x or higher) as their long-term strategy.
Bug Fixes
Session Management
- Fixed race condition in sess_write() that caused duplicate entry errors in the sessions table (#213699)
- Fixed issue where hook_exit() was not being invoked for some cached requests (#318102)
User Experience
- Fixed display of empty user info categories so they no longer appear on user profiles (#123556)
- Corrected conditional display of 'login to post comments' message to only show when logging in actually grants comment permissions (#195161)
- Fixed database field length mismatch between database schema and form validation (#294450)
Authentication
- Improved user_authenticate() to work without previously set cookies, enabling web service modules to start authenticated sessions (#293612)
Code Quality
- Added more isset() checking to prevent PHP notices (#278821)
- Fixed order of attributes in PHPdoc comments (#342988)
- Various code style improvements to reduce differences with Drupal 6.x
New Features
No significant new features were introduced in this maintenance release. Drupal 5.13 focuses primarily on security enhancements, bug fixes, and code improvements rather than adding new functionality.
Security Updates
Session Security
- Hardened cookie handling in sess_regenerate() by setting session cookies as HTTP-only, reducing the risk of session stealing via XSS attacks (#280934)
Request Validation
- Improved HTTP_HOST checking by ensuring the host is lowercased and only valid characters are allowed, preventing potential HTTP host header attacks (#324875)
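As an added illustration of the Session Security and Request Validation items above (this is example code, not Drupal's own; the host character class, the 400 response and the function names are assumptions for the illustration):

```php
<?php
// Added example, not Drupal's own code: standalone versions of the two
// request-level hardenings in Drupal 5.13, an HttpOnly session cookie and a
// lowercased, character-restricted HTTP_HOST value.

/**
 * Normalise and validate an HTTP Host header value.
 * Returns the lowercased host, or NULL if it contains anything outside a
 * hostname (labels of a-z, 0-9, '-') plus an optional :port. The character
 * class is an assumption for this illustration, not Drupal's own pattern.
 */
function validate_http_host($host) {
  $host = strtolower(trim($host));
  $label = '[a-z0-9](?:[a-z0-9-]*[a-z0-9])?';
  if (!preg_match("/^$label(?:\\.$label)*(?::[0-9]{1,5})?$/", $host)) {
    return NULL;
  }
  return $host;
}

// Refuse early, before any URL is built from the header, when validation
// fails; the 400 response is an assumed policy for this example.
function require_valid_host(array $server) {
  $host = isset($server['HTTP_HOST']) ? validate_http_host($server['HTTP_HOST']) : NULL;
  if ($host === NULL) {
    header('HTTP/1.1 400 Bad Request');
    return FALSE;
  }
  return $host;
}

// Configure the session cookie before session_start(): HttpOnly keeps it out
// of document.cookie, and Secure (on TLS) keeps it off plain HTTP.
function harden_session_cookie($is_https) {
  ini_set('session.cookie_httponly', 1);
  if ($is_https) {
    ini_set('session.cookie_secure', 1);
  }
}

// Constructed sample Host values showing what the check accepts and rejects.
$samples = array('Example.COM', 'example.com:8080', 'evil.example/<script>', 'a b.example', '');
foreach ($samples as $h) {
  $r = validate_http_host($h);
  printf("%-24s => %s\n", var_export($h, TRUE), $r === NULL ? 'rejected' : "accepted as $r");
}
```

Running the script prints the first two samples as accepted (lowercased) and the remaining three as rejected; in a real bootstrap the rejection should happen before any base URL or redirect is derived from the header.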
File System Security
- Added protection for *.test files and SVN metafiles to prevent them from being exposed under Drupal (#28776)
- Removed outdated items from robots.txt and improved organization of directives to better protect sensitive files (#299582)
Performance Improvements
This release does not contain any significant performance improvements. The changes are primarily focused on security enhancements and bug fixes rather than performance optimization.
Impact Summary
Drupal 5.13 is primarily a security-focused maintenance release that addresses several important vulnerabilities and bugs. The most significant impacts are:
- Enhanced Security: Implementation of HTTP-only cookies for sessions, improved HTTP host validation, and better protection for sensitive files significantly reduces the risk of common web attacks.
- Improved Stability: Fixes for session handling race conditions and hook_exit() behavior for cached requests improve overall system reliability.
- Better Developer Experience: Improvements to the authentication API enable better integration with web services, and code style consistency makes maintenance easier.
- User Experience Refinements: Small but meaningful fixes to user profiles and comment system messaging provide a cleaner interface.
While this release doesn't introduce new features, it's an essential update for maintaining site security and stability for sites still running on the Drupal 5.x branch. Site administrators should prioritize this update, while also considering longer-term plans to migrate to supported Drupal versions.
Statistics:
Users affected:
- Enhanced security against session stealing via XSS attacks
- Improved protection against HTTP host header attacks
- Better file system security with protection for sensitive files
- More stable session handling with race condition fixes
