
Drupal Release: 7.0-alpha6

Pre Release

Tag Name: 7.0-alpha6

Release Date: 7/9/2010

Drupal

Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.

TL;DR

Drupal 7.0-alpha6 brings significant improvements to the core CMS with over 12,000 changes across 300 files. This release introduces Bartik, a new flexible core theme, enhances the Overlay system for better performance, improves database handling with better PostgreSQL support, fixes critical security issues, and addresses numerous bugs. The update includes important accessibility improvements, better exception handling, and refinements to the Field API. This alpha release represents a major step forward in Drupal 7's development with both user-facing improvements and backend optimizations.

Highlights of the Release

    • Introduction of Bartik, a new flexible core theme with many regions and re-coloring options
    • Significant performance improvement to Overlay by re-implementing without jQuery UI Dialog
    • Enhanced database abstraction with better PostgreSQL support including CONCAT() function
    • Improved accessibility for search results and drag-and-drop table rows
    • Fixed critical security issues including SQL injection and open redirection vulnerabilities
    • Better exception handling and reporting throughout the system
    • New ACID queue API entrypoint for reliable queuing operations
    • Enhanced Field API with new listing capabilities

Migration Guide

Upgrading to Drupal 7.0-alpha6

Database Changes

  • The size of the init field on the users table has been increased to 254 characters
  • The sessions.sid field has been increased in size
  • Table prefixes are now per database connection rather than global

API Changes

  • The Field API has been updated with new listing capabilities
  • Entity handling has been improved with updates to EntityFieldQuery
  • The ACID queue API provides a new entrypoint for reliable queuing operations

Theme Changes

  • Bartik is now the default theme
  • Themes can now alter CSS through new hooks
  • The .element-invisible class has been updated to work with VoiceOver on OS X Snow Leopard

Module Updates

  • The OpenID module has been updated to fix issues with delegated OpenIDs
  • File module handling has been improved, particularly for file extensions
  • The Poll module has been updated with autoexpire functionality

For Developers

When upgrading custom modules:

  • Update any code using drupal_substr() as it had a bug that's now fixed
  • Review code using check_url() as URLs were being escaped twice in some cases
  • If using database queries, note that merge queries are now more consistent
  • Be aware that the SPL autoloader now uses require_once() for better robustness

For Site Administrators

  • After upgrading, you may need to clear caches to detect new themes
  • The Dashboard will now properly populate after installation
  • Review any custom shortcut sets as there are now checks for empty or duplicate labels

Upgrade Recommendations for Drupal 7.0-alpha6

This is an alpha release and is not recommended for production sites. It contains significant changes from previous versions and is intended for testing purposes only.

Who should upgrade:

  • Developers who want to test their modules against the latest Drupal 7 code
  • Theme developers who want to start working with the new Bartik theme
  • Testers who want to help identify bugs before the beta release
  • Site builders who want to explore new features in a development environment

Who should not upgrade:

  • Production sites should remain on stable Drupal 6.x releases
  • Sites that rely on contributed modules that haven't been ported to Drupal 7

Testing recommendations:

  1. Always test on a development copy of your site, never on production
  2. Back up your database and files before attempting an upgrade
  3. Test the upgrade path from Drupal 6 to identify potential issues
  4. Report any bugs you find to the Drupal issue queue

The upgrade path from Drupal 6 to Drupal 7 is being actively improved, with new tests added in this release. However, as this is still an alpha version, expect to encounter issues during the upgrade process.

Bug Fixes

Critical Database Issues

  • Fixed SQL injection vulnerability in db_query_range()
  • Fixed issues with PostgreSQL and IF() syntax in forums
  • Addressed problems with text column types not reliably holding serialized variables
  • Fixed merge queries to be more consistent and robust across database systems

Overlay and UI Fixes

  • Fixed Overlay performance by re-implementing without jQuery UI Dialog
  • Resolved issues with Overlay redirecting to list of content types instead of fields
  • Fixed active items in top-level IA not having the proper background when overlay is enabled
  • Addressed problems with Overlay not reflecting changes when closed

Field and Entity Handling

  • Fixed bug where dependent modules were still installed when required modules returned errors
  • Resolved issue where body field was re-added when node type settings were re-saved
  • Fixed file field allowing any extension when the list of allowed extensions was left blank
  • Addressed problems with file_munge_filename() extension handling

Session and User Management

  • Fixed issues with HTTPS sessions using invalid merge queries
  • Addressed problems with authenticated users getting less random session IDs
  • Fixed OpenID login failures for delegated OpenIDs
  • Resolved issues with login cookies and PHP default settings

Other Critical Fixes

  • Fixed empty dashboard after installation
  • Addressed issues with database errors not displaying during installation
  • Fixed problems with block caching mode changes not being caught
  • Resolved issues with URL filter incorrectly repeating URL in link title attribute
  • Fixed XSS vulnerabilities in Filter Tips and elsewhere

New Features

New Bartik Theme

A new core theme called Bartik has been introduced. This flexible, re-colorable theme features many regions and showcases Drupal's capabilities. It was developed through a collaborative team effort and is now set as the default core theme.

Enhanced Field API

The Field API now includes a listing API, providing better ways to query and display field data. This enhancement makes it easier to work with fields programmatically.

ACID Queue API

A new ACID queue API entrypoint has been added, providing reliable queuing operations with atomicity, consistency, isolation, and durability guarantees.

Theme CSS Alterations

Themes can now alter CSS, giving theme developers more control over styling without having to override templates.

Custom Accept-Charset for Forms

Forms can now have custom accept-charset attributes, improving internationalization support.

Configurable Fallback Format

The fallback text format is now configurable, providing more flexibility for content filtering.

Security Updates

SQL Injection Protection

  • Fixed regression of SA-2006-005 - SQL Injection via db_query_range()
  • Addressed XSS vulnerabilities through uncaught PDO Exceptions

Open Redirection Vulnerability

Fixed SA-CORE-2010-001 - Open redirection vulnerability that could allow attackers to redirect users to malicious sites.

XSS Prevention

  • Fixed XSS vulnerability in Filter Tips
  • Improved filter_xss() to not allow empty style/on* attributes at end of opening tag
  • Enhanced check_url() and filter_xss_bad_protocol() to prevent double-escaping of URLs

Session Security

  • Improved session handling for authenticated users to ensure more random session IDs
  • Fixed issues with HTTPS sessions using invalid merge queries
  • Increased the size of {sessions}.sid for better security

Form Security

  • Fixed protection against forgery of input selection values for checkboxes
  • Improved file upload security by properly handling file extensions
  • Enhanced user login security by moving user_load() to submit handler

Performance Improvements

Overlay Performance

The Overlay system has been completely re-implemented without jQuery UI Dialog, resulting in massive performance improvements. This change helps address several critical issues related to overlay performance and behavior.

Database Optimizations

  • PostgreSQL performance optimization through PDO::ATTR_EMULATE_PREPARES
  • Improved handling of database prefixes per connection
  • Better caching for module_implements() to avoid unnecessary processing

Menu and Toolbar Optimization

Menu tree building has been optimized and the improvements have been applied to the toolbar, resulting in better performance for menu rendering throughout the system.

Static Cache Improvements

  • Avoided variable_set() and variable_del() stampedes for better performance
  • Improved field_info_collate_fields() resource usage
  • Better handling of form_state() cache

Image Optimization

Module and theme images have been optimized to reduce file sizes and improve page load times.

Impact Summary

Drupal 7.0-alpha6 represents a significant milestone in the development of Drupal 7, with over 12,000 changes across 300 files. The introduction of the Bartik theme as the new default provides a more modern and flexible theming option out of the box. Performance improvements, particularly to the Overlay system, make the administrative interface more responsive and user-friendly.

Database handling has been enhanced with better PostgreSQL support and more consistent merge queries, making Drupal more reliable across different database systems. Security has been strengthened with fixes for SQL injection, XSS vulnerabilities, and open redirection issues.

Accessibility improvements to search results and drag-and-drop functionality make Drupal more usable for all users, including those with disabilities. The Field API enhancements provide developers with more powerful tools for working with content.

For site administrators, the improved Dashboard functionality and better error reporting make managing Drupal sites easier. Developers benefit from enhanced exception handling, better database abstraction, and new APIs like the ACID queue.

While this is still an alpha release and not recommended for production sites, it shows significant progress toward a more robust, performant, and user-friendly Drupal 7.

Statistics:

  • Files Changed: 300
  • Line Additions: 7,978
  • Line Deletions: 4,738
  • Line Changes: 12,716
  • Total Commits: 250

Users Affected:

  • New Bartik theme provides more flexible theming options with many regions
  • Improved Dashboard functionality after installation
  • Better error reporting and exception handling
  • Enhanced security with fixes for SQL injection and open redirection vulnerabilities
  • Improved IP blocking administration

Contributors:

dbuytaert, webchick