Drupal Release: 6.0-rc-4

TL;DR

Drupal 6.0 RC4 is a critical release candidate that addresses numerous security issues, bug fixes, and regressions from previous versions. This update includes important fixes for menu handling, form caching, blog API security, and database query handling. It also updates jQuery to version 1.2.3 and improves accessibility in the update information screen. This release is essential for anyone testing Drupal 6 as it resolves several critical issues that could affect site functionality and security.

Highlight of the Release

• Fixed critical security issue in Blog API that could allow posting unauthorized content types
• Updated to jQuery 1.2.3 for improved JavaScript performance and compatibility
• Fixed several critical menu handling issues affecting primary/secondary links and localization
• Resolved form caching bug that caused all subsequent forms on a page to be cached
• Improved accessibility of the update information screen
• Fixed critical database query handling issues including precision/scale arguments order

Migration Guide

This release candidate does not require specific migration steps from RC3 to RC4, as it primarily contains bug fixes rather than API changes. However, site administrators should note:

1. If you've been experiencing issues with primary and secondary links after upgrading to Drupal 6, this release should fix those problems automatically.

2. If you've implemented custom code that relies on db_rewrite_sql() without a WHERE clause, support for this has been restored in RC4.

3. If you've been experiencing issues with form caching or menu localization, these should be resolved after updating to RC4.

4. The update includes jQuery 1.2.3, so any custom JavaScript that depends on specific jQuery behavior should be tested after upgrading.

Upgrade Recommendations

This release is strongly recommended for all Drupal 6 RC3 users as it fixes several critical issues that could affect site functionality and security. The update addresses important regressions in menu handling, form caching, and database queries that could cause serious problems on production sites.

For those testing Drupal 6 before its final release, upgrading to RC4 is essential to ensure you're working with the most stable pre-release version available. The fixes included in this release candidate are likely to be part of the final Drupal 6.0 release.

The upgrade process from RC3 to RC4 should be straightforward, following the standard Drupal minor version update procedure:

1. Back up your database and site files
2. Put your site in maintenance mode
3. Replace your existing Drupal files with the new release
4. Run update.php
5. Take your site out of maintenance mode

Bug Fixes

Critical Bug Fixes

• Fixed issue where cached forms made all subsequent forms on the page cached
• Resolved problem where primary and secondary links were broken on upgrade
• Fixed menu items that were moved out of navigation menu not being found as parents
• Corrected precision and scale arguments order in SQL generation
• Fixed issue where unpublished nodes were not excluded from menus and books
• Resolved missing break in system_send_email_action() causing code to fall over to a different context
• Fixed fatal error in book module breadcrumb creation
• Corrected issue where translated menu link altering was not possible
• Fixed duplication in search index when database collation makes words collide
• Resolved issue where nid was not set in programmatic node creation
• Fixed upload table collision when created in upgrade and later by enabling upload module

Minor Bug Fixes

• Fixed issue where blog page was blank when user/site had no blog posts
• Corrected block_user() function where global user object and user parameter were colliding
• Fixed path_nodeapi() to work regardless of user permissions
• Resolved issue where 'Testing clean URLs...' text was not removed in all cases
• Fixed double escaping in profile module
• Corrected node filtering theme function application
• Fixed issue where required field values were not properly trimmed on validation
• Resolved items not being properly ordered in tabledrag.js with large number of values
• Fixed XHTML validation failure due to misused ampersand
• Corrected settings file checking for multisite setups

New Features

No significant new features were introduced in this release candidate. This RC4 release focuses primarily on fixing critical bugs, security issues, and regressions from previous versions to stabilize Drupal 6 before the final release.

Security Updates

• Fixed critical security issue in Blog API that prevented users from posting content types they were not configured to be able to post
• Improved security by ensuring update status module properly ignores security releases from higher branches in all cases
• Added more prominent mention of security awareness and documentation of Drupal
• Improved documentation for session_save_session() function to enhance security education
• Fixed issue where unpublished nodes were not properly excluded from menus and books, which could potentially expose unpublished content

Performance Improvements

• Updated to jQuery 1.2.3, which includes various performance improvements over previous versions
• Fixed duplication in search index when database collation makes words collide, which improves search performance
• Improved form caching mechanism, preventing unnecessary caching of all forms on a page

Impact Summary

Drupal 6.0 RC4 represents a significant stabilization effort before the final Drupal 6.0 release. It addresses numerous critical issues that were discovered in RC3 and earlier versions, particularly in the areas of menu handling, form caching, and database operations.

The most impactful fixes include resolving broken primary and secondary links after upgrade, fixing a critical form caching issue that affected all forms on a page, correcting database query handling problems, and addressing security concerns in the Blog API. These fixes collectively improve the stability, security, and functionality of Drupal 6.

The update to jQuery 1.2.3 enhances frontend performance and compatibility, while accessibility improvements make the platform more usable for all visitors. For multilingual sites, several critical fixes to menu localization and translation handling have been implemented.

This release candidate brings Drupal 6 much closer to a production-ready state by addressing regressions and ensuring core functionality works as expected. Site administrators and developers testing Drupal 6 will benefit from a more stable platform that better represents what the final release will offer.