Drupal Release: 7.0-alpha5

TL;DR

Drupal 7.0-alpha5 brings significant improvements to the Drupal 7 development branch with over 8,600 changes across 238 files. This release focuses on bug fixes, security enhancements, and performance optimizations while also improving documentation and API functionality. Key updates include better file handling with private files now being opt-in, enhanced #states API for dynamic form elements, improved multilingual support, and numerous fixes for the theme system. Security improvements include switching from MD5/SHA1 to SHA-256/HMAC and addressing several XSS vulnerabilities. This alpha release continues to refine Drupal 7's architecture as it moves toward a stable release.

Highlight of the Release

• Private files are now opt-in and no longer forced to live within web-accessible directories
• Security improvements including switch from MD5/SHA1 to SHA-256/HMAC and fixes for XSS vulnerabilities
• Enhanced #states API for dynamic form elements with better support for fieldsets, radio buttons, and more
• Improved multilingual support including better installation in non-English languages
• Performance optimizations for sites with statistics module enabled
• Better handling of module dependencies during updates and installations
• Numerous fixes and improvements to the theme system

Migration Guide

Upgrading to Drupal 7.0-alpha5

File System Changes

• Private files are now opt-in and no longer forced to live within web-accessible directories. If you're using private files, you'll need to update your configuration accordingly (#551658).

Database Updates

• Direct updates from Drupal versions earlier than 6.17 are no longer supported. If you're running an older version, you must first update to Drupal 6.17 or later before attempting to update to Drupal 7 (#760014).
• The update dependency check has been reworked to deal with array_merge_recursive() edge cases (#211182).

API Changes

• The drupal_alter() function now supports multiple alter hooks executed by module weight. If you're using alter hooks, review your implementation to ensure compatibility (#765860).
• The #states API has been improved with better support for fieldsets, radio buttons, and more. If you're using #states in your forms, test thoroughly after upgrading (#767212, #767268, #783438).
• If you're extending core stream wrapper classes, note that update.php has been fixed to prevent fatal errors in this scenario (#789464).

Theme System Changes

• CSS Coding Standards have been updated. Review your custom themes for compliance (#748798).
• The theme_image() function has been cleaned up to use drupal_attributes() for all attributes with revisited defaults for 'alt' and 'title'. Check your theme implementations (#555830).
• The class 'node_readmore' has been changed to 'node-readmore' for consistency with standards. Update your CSS if needed (#765044).

Module Dependencies

• The handling of module dependencies has been improved. If you have complex module dependency chains, test thoroughly after upgrading (#228860).
• Dashboard and Toolbar modules have been de-coupled from Overlay. If you're using these modules, check your configuration (#655736).

Upgrade Recommendations

This is an alpha release (7.0-alpha5) and is not recommended for production sites. It contains significant changes from previous versions and is intended for testing and development purposes only.

If you are currently running a previous alpha version of Drupal 7, upgrading to this release is recommended for development and testing environments to help identify and report any issues before the stable release.

For production sites, it is strongly recommended to remain on Drupal 6.x until the stable release of Drupal 7.0 is available.

Before Upgrading:

1. Make a complete backup of your site, including both files and database
2. Test the upgrade process on a development or staging environment first
3. Review the migration guide for any changes that might affect your custom code
4. Check that all contributed modules you use have compatible development versions

Important Notes:

• Direct updates from Drupal versions earlier than 6.17 are no longer supported (#760014)
• If you're using private files, note that the system has changed to opt-in (#551658)
• Several security improvements have been implemented, including a switch from MD5/SHA1 to SHA-256/HMAC (#723802)

This alpha release represents significant progress toward a stable Drupal 7 release, but expect to encounter bugs and incomplete features.

Bug Fixes

Critical Bug Fixes

• Fixed issue where failure to clear system_list() entry from cache_bootstrap results in bogus results during module upgrades (#683988)
• Fixed SQL injection vulnerabilities with SelectQuery (#769554)
• Fixed issue where hook_form_alter() could easily clobber a text format (#735662)
• Fixed issue where reenabling a module causes links to be incorrectly mixed with custom menu links (#800696)
• Fixed issue where update fails on node_update_7006 (#797668)

Theme System Fixes

• Fixed menu children positioning in IE (#737632)
• Fixed issue where theme system wasn't working in hook_init() (#764094)
• Fixed issue where default theme region can be hidden (#778608)
• Fixed issue where ID within theme_filter_guidelines() breaks HTML validation with multiple field items (#755566)
• Fixed issue where CSS wasn't included during installation (#740136)

Form and Field Fixes

• Fixed issue where #field_prefix/suffix is displayed before the label (#755030)
• Fixed issue where entering only 'Confirm password' field passes validation (#547490)
• Fixed issue where ajax_deliver() ignores #ajax['method'] and incorrectly forces 'replaceWith' (#645800)
• Fixed issue where deleting a taxonomy term through admin interface causes issues (#783112)
• Fixed issue where numeric List fields should not be unsigned (#795198)

Other Fixes

• Fixed issue where search page tabs weren't highlighting (#245103)
• Fixed issue where 'Recent comments' block is completely hidden when no comments are available (#565642)
• Fixed issue where drupal_html_to_text() had negative padding error (#508738)
• Fixed issue where drupal_build_js_cache() improperly merged JS files (#796048)
• Fixed issue where a site with statistics module enabled is much slower in serving cached pages in D7 than in D6 (#692044)

New Features

File System Improvements

• Private files are now opt-in and no longer forced to live within web-accessible directories (#551658)
• Better handling of file URLs with support for protocol-relative and root-relative file URLs (#777830)

API Enhancements

• Enhanced drupal_alter() now supports multiple alter hooks executed by module weight (#765860)
• Improved #states API for dynamic form elements with better support for fieldsets, radio buttons, and more (#767212, #767268, #783438)
• Added locale support for jQuery UI (#507502)
• De-coupled Dashboard and Toolbar modules from Overlay (#655736)

Multilingual Improvements

• Fixed OpenID realm being language dependent (#751578)
• Improved installation in non-English languages (#654726)
• Better handling of body field language during upgrades (#782846)

User Interface Enhancements

• Improved visibility of secondary navigation (#763720)
• Better organization of admin/by-module page (#778272)
• Enhanced Dashboard functionality with immediate contextual menu availability when blocks are dragged (#639162)
• Generic approach for position:fixed elements like toolbar (#787940)

Security Updates

Security Enhancements

• Switched from MD5 and SHA1 to SHA-256 and HMAC for improved security (#723802)
• Fixed SA-CORE-2009-007 forum module XSS vulnerability (#520736)
• Fixed SA-CORE-2010-01 locale module XSS vulnerabilities (#740068)
• Fixed trivial SQL injection vulnerabilities with SelectQuery (#769554)
• Fixed issue where search displays user email address regardless of 'administer users' permission (#791076)

Input Validation and Sanitization

• Fixed issue where file description is check_plain()'ed twice (#794030)
• Improved validation for user email addresses
• Fixed issue where drupal_http_request() had case sensitive HTTP header field names (#303838)
• Fixed issue where do not urldecode() parameters in drupal_goto() (#796120)

Authentication and Access Control

• Better labeling of all site-owning super-admin permissions (#594412)
• Improved documentation for user_load() with notes on security and proper use (#716718)

Performance Improvements

Cache and Performance Optimizations

• Fixed issue where a site with statistics module enabled is much slower in serving cached pages in D7 than in D6 (#692044)
• Don't change filenames for aggregated JS/CSS to improve caching (#721400)
• Removed unnecessary query strings from CSS/JS files to improve caching performance (#721400)
• Removed unnecessary query in taxonomy_field_extra_fields() (#805228)
• Improved bootstrap performance with small clean-ups (#800014)

Database Optimizations

• Fixed issue where DBTNG JOINs were close to useless, improving query performance (#793604)
• Added support for MySQL socket specification with DBTNG (#561400)
• Fixed issue where ->fetchAllAssoc() doesn't respect fetch mode set during ->execute() (#742042)
• Added support for comments in built queries (#785782)

Installation and Update Improvements

• Removed unnecessary calls to rebuild module and theme data in the installer (#758804)
• Better handling of module dependencies during updates and installations (#228860)
• Improved handling of schema updates to prevent broken schemas if hook_install() fails (#793274)

Impact Summary

Drupal 7.0-alpha5 represents a significant step forward in the Drupal 7 development cycle, with over 8,600 changes across 238 files. This release focuses on stabilizing core functionality while addressing critical bugs, security vulnerabilities, and performance issues.

The most impactful changes include a complete overhaul of the private files system, which is now opt-in rather than forced to live within web-accessible directories. This provides better security and flexibility for site builders. Security has been further enhanced by switching from MD5/SHA1 to SHA-256/HMAC and fixing several XSS vulnerabilities.

For developers, the improved #states API offers better dynamic form functionality, while enhanced drupal_alter() support for multiple alter hooks executed by module weight provides more flexibility. Database performance and security have been improved with fixes for SQL injection vulnerabilities and better JOIN functionality in DBTNG.

Multilingual site managers will benefit from fixes to OpenID realm language dependency, improved installation in non-English languages, and better RTL language styling. Theme developers get updated CSS coding standards and improved theme system functionality.

Performance optimizations, particularly for sites using the statistics module, address regression issues where D7 was slower than D6 in serving cached pages. The handling of module dependencies during updates and installations has also been significantly improved.

While this is still an alpha release and not recommended for production sites, it demonstrates substantial progress toward a stable Drupal 7 release with improved security, performance, and developer experience.