Drupal Release: 7.103

TL;DR

Drupal 7.103 is a maintenance and security release that addresses several critical security vulnerabilities and PHP 8.3 compatibility issues. This update includes fixes for URL alias security issues, HTTP_HOST header validation, mail header formatting problems, and various code improvements. It's essential for all Drupal 7 sites to update immediately to protect against potential security exploits.

Highlight of the Release

• Fixed critical security vulnerability in URL alias handling that could override trusted URLs
• Improved HTTP_HOST header validation for better security
• Fixed mail header formatting issues in PHP 8.0+ environments
• Addressed PHP 8.3 compatibility issues
• Prevented full path disclosure from errors on maintenance pages

Migration Guide

No specific migration steps are required for this update. This is a standard security and maintenance release that can be applied using the normal Drupal update process:

1. Back up your database and site files before updating
2. Put your site into maintenance mode
3. Update your Drupal core files to version 7.103
4. Run the update script by navigating to /update.php in your browser
5. Take your site out of maintenance mode

If you're running a custom theme or modules, it's always recommended to test the update on a staging environment before applying it to your production site.

Upgrade Recommendations

Priority: Critical

All Drupal 7 site administrators should update to version 7.103 immediately due to the critical security vulnerabilities addressed in this release. The security fixes for URL alias handling, HTTP_HOST header validation, and path disclosure prevention are particularly important as they could be exploited to compromise site security.

Sites running on PHP 8.0 or newer will especially benefit from this update due to the fixes for mail header formatting and other PHP compatibility improvements.

Remember that Drupal 7 is approaching its end-of-life (currently extended to January 2025), so site owners should also be planning their migration to Drupal 9+ or other platforms.

Bug Fixes

Security-Related Bug Fixes

• URL Alias Security Issue: Fixed a vulnerability where URL aliases could be used to override trusted URLs (Issue #3383223).
• HTTP_HOST Header Validation: Improved validation of the HTTP_HOST header to prevent potential security issues (Issue #3444017).
• Path Disclosure Prevention: Fixed full path disclosure that could occur from errors on maintenance pages (Issue #3478716).
• Mail Header Formatting: Resolved broken mail headers in PHP 8.0+ caused by LF characters (Issue #3319062).

PHP Compatibility Fixes

• Fixed SessionHttpsTestCase->testEmptySessionId() failure in PHP 8.3 (Issue #3446569).
• Fixed TextSummaryTestCase::testLength() failures on some libxml versions in PHP 8.3 (Issue #3397882).
• Fixed deprecated passing of null to dirname() function (Issue #3438308).

General Bug Fixes

• Fixed preg_split in _filter_url that breaks for long HTML tags (Issue #3182166).
• Corrected implementation of DefaultMailSystem::format() (Issue #1447236).
• Fixed issues in drupal_var_export() function (Issues #3467781, #3467905).
• Corrected a comment in drupal_settings_initialize() (Issue #3463022).
• Fixed CacheClearCase::testClearArray() which was setting a persistent variable with no effect (Issue #3464097).
• Improved password hashing tests to cover all options (Issue #2453785).
• Fixed wrong link to test results in settings form (Issue #2401743).

New Features

No significant new features were added in this release. Drupal 7.103 is primarily a security and maintenance release focused on fixing vulnerabilities and improving compatibility with newer PHP versions.

Security Updates

Critical Security Fixes

• URL Alias Vulnerability (SA-CORE-2023-005): Fixed a critical issue where URL aliases could be manipulated to override trusted URLs, potentially allowing attackers to bypass security restrictions (Issue #3383223).

• HTTP_HOST Header Validation: Improved validation of the HTTP_HOST header to prevent potential security issues related to header spoofing and request forgery attacks (Issue #3444017).

• Path Disclosure Prevention: Fixed a vulnerability that could expose the full server path in error messages on maintenance pages, which could provide attackers with valuable system information (Issue #3478716).

• Mail Header Security: Resolved an issue with mail headers in PHP 8.0+ where LF characters could potentially be exploited for header injection attacks (Issue #3319062).

These security fixes address vulnerabilities that could potentially be exploited to compromise site security. All Drupal 7 site administrators should update immediately.

Performance Improvements

This release does not include any significant performance improvements. The focus was primarily on security fixes and PHP compatibility improvements rather than performance enhancements.

Impact Summary

Drupal 7.103 is a critical security and maintenance release that addresses several important vulnerabilities and compatibility issues. The most significant impact is on site security, with fixes for URL alias handling that could previously be exploited to override trusted URLs, improved HTTP_HOST header validation, and prevention of full path disclosure on maintenance pages.

For sites running on newer PHP versions (8.0+), this release resolves mail header formatting issues that could cause email functionality to break. It also improves compatibility with PHP 8.3, fixing several test failures and addressing deprecated function usage.

While this release doesn't introduce new features or significant performance improvements, it's essential for maintaining the security and stability of Drupal 7 sites. The security fixes are particularly important as they address vulnerabilities that could potentially be exploited by attackers.

Site administrators should apply this update immediately to protect their sites from potential security exploits. Developers should review any custom code that might interact with URL aliases, HTTP headers, or mail functionality to ensure compatibility with the security improvements in this release.