Drupal Release: 7.40

Tag Name: 7.40

Release Date: 10/14/2015

Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.

TL;DR

Drupal 7.40 brings significant performance improvements, security enhancements, and bug fixes to the core platform. This release focuses on optimizing module implementation caching, improving security headers, fixing various PHP notices and warnings, enhancing documentation, and addressing several long-standing issues. Notable improvements include better performance for module_implements(), enhanced security for PDO MySQL connections, improved MIME type handling, and more user-friendly README files throughout the codebase.

Highlights of the Release

    • Major performance improvement in module_implements() by eliminating unnecessary processing
    • Enhanced security for PDO MySQL connections by limiting to single statement execution
    • Added protection against MIME type sniffing attacks in browsers
    • Support for autoloading PHP Traits added
    • Improved password strength checking by ignoring leading and trailing spaces
    • More user-friendly README.txt files throughout the codebase

Migration Guide

This release does not contain any changes that require specific migration steps. However, developers should be aware of the following changes that might affect their code:

  • If you've been working around the issue where module_implements() cache was being polluted by early calls to module_invoke_all(), you can now remove those workarounds.

  • If you've implemented custom queue workers, note that cron and batch processing of queues now accept callables, which might allow you to simplify your code.

  • If you're using custom block caching, be aware that block cache IDs are now alterable through the new block_get_cache_id_parts hook.

  • If you're filtering email addresses, the plus sign is now allowed in email addresses by default.

  • If you're using drupal_http_request(), note that HTTP status codes 201-206 are now treated as success responses rather than errors.

  • If you're using PHP 5.4+ and want to use Traits, you can now take advantage of the new autoloading support for Traits.

Upgrade Recommendations

It is recommended to upgrade to Drupal 7.40 as soon as possible, especially if you are experiencing any of the issues fixed in this release. The performance improvements alone make this update worthwhile for most sites.

Priority: Medium

Complexity: Low - This is a standard point release with no database schema changes or major API changes.

Steps to upgrade:

  1. Back up your database and site files
  2. Put your site into maintenance mode
  3. Replace your existing core files with the new Drupal 7.40 core files (keeping your custom and contributed modules, themes, and libraries intact)
  4. Run update.php
  5. Take your site out of maintenance mode
  6. Clear all caches

If you've made any modifications to core files, you'll need to reapply those changes to the new files or (preferably) move your customizations to modules or themes.

For detailed instructions, refer to the UPGRADE.txt file included with Drupal 7.40.

Bug Fixes

  • Module Implementation Cache: Fixed issues where the module_implements() cache could be polluted by module_invoke_all() being called before full bootstrap completion.

  • User Interface Issues:

    • Fixed incorrect title display on user pages when link paths are added to default menus
    • Fixed issue where the "required" mark could appear multiple times on the same form element when using #states
    • Fixed PHP notice in user_menu_link_alter() when manually adding a "user" path as a shortcut
    • Fixed misleading one-time login link failure messages by marking them as errors
  • File Handling:

    • Fixed issue where "Files displayed by default" setting was not being respected
    • Fixed SimpleTest file creation for text files
    • Fixed fast 404 settings for private image files
  • Database and Performance:

    • Fixed issue where the "format" field in the "date_format_locale" table was not case sensitive
    • Fixed D6 to D7 update failure on duplicate files in system update #7061
    • Fixed issue with thousand separator for numeric fields defaulting to space instead of nothing
  • PHP Notices and Warnings:

    • Fixed undefined index warnings in statistics.php
    • Fixed undefined index warning in path_node_insert/update
    • Fixed undefined index warning in FieldInfo::prepareInstanceDisplay()
    • Fixed PHP notice when filter_dom_serialize() is passed an empty document
    • Fixed issue where drupal_set_message('0') resulted in no output
  • Filter and Email:

    • Fixed filter to allow plus sign in email addresses
    • Fixed password strength checking to ignore leading and trailing spaces
  • Other Fixes:

    • Fixed issue with malformed theme .info files breaking menu_router generation
    • Fixed issue with Batch API example code having wrong finished callback
    • Fixed issue where after deletion of built-in administrator role, the default admin role was not shown as disabled
    • Fixed issue where statistics_node_view overwrote #attached JavaScript

New Features

  • PHP Trait Autoloading Support: Added support for autoloading PHP Traits, making it easier to use this PHP 5.4+ feature in Drupal modules.

  • Project Namespace for Dependencies: Added an optional project namespace for dependencies, improving module dependency management.

  • Alterable Block Cache IDs: The block_get_cache_id() function now allows modules to alter block cache IDs through the new block_get_cache_id_parts hook, providing more flexibility for cache management.

  • Theme Debug in Default Settings: Added the theme_debug setting to default.settings.php, making it easier for developers to enable theme debugging.

  • Improved HTTP Request Handling: Updated drupal_http_request() to properly handle 201-206 HTTP status codes as success responses rather than errors.

Security Updates

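  • PDO MySQL Statement Execution: PDO MySQL connections are now limited to executing a single statement per query (when PHP supports it). This does not remove SQL injection flaws from vulnerable code, but it stops an injected second statement from being executed, which limits what such a flaw can be used for.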

  • MIME Type Sniffing Protection: Added headers to mitigate security risks from browsers attempting to sniff the MIME type of files, preventing certain types of content spoofing attacks.

  • Role Management: Fixed issue where after deletion of the built-in administrator role, the default admin role was not shown as disabled, which could lead to confusion about administrative privileges.

  • XSS Prevention: Fixed unescaped role name on block admin page via JavaScript, preventing potential cross-site scripting vulnerabilities.

  • Password Security: Improved password strength checking by ignoring leading and trailing spaces, preventing users from creating passwords that appear strong but are actually weak.
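
A post-upgrade check for the PDO MySQL and MIME sniffing items above, added here as an example and not taken from Drupal core. The function names, the EXAMPLE_* environment variables and the sample responses are constructed; the page does not name the header, so `X-Content-Type-Options: nosniff` is an assumption.

```php
<?php
// Added example, not Drupal core code. All names here are hypothetical.

// Driver options for a MySQL PDO connection limited to one statement per call.
function example_single_statement_options(array $options = array()) {
  // The constant is defined only on PHP builds that support the switch,
  // which is why the limit applies "when PHP supports it".
  if (defined('PDO::MYSQL_ATTR_MULTI_STATEMENTS')) {
    $options[PDO::MYSQL_ATTR_MULTI_STATEMENTS] = FALSE;
  }
  return $options + array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION);
}

// TRUE if the connection rejects two statements sent in one query string.
function example_rejects_stacked_statements(PDO $pdo) {
  try {
    $pdo->query('SELECT 1; SELECT 2');
  }
  catch (PDOException $e) {
    // With multi-statements off, MySQL reports a syntax error at the ';'.
    return TRUE;
  }
  return FALSE;
}

// TRUE if a raw header block carries X-Content-Type-Options: nosniff.
function example_has_nosniff($raw_headers) {
  foreach (preg_split('/\r\n|\n/', $raw_headers) as $line) {
    if (strpos($line, ':') === FALSE) {
      continue; // Status line or blank line.
    }
    list($name, $value) = explode(':', $line, 2);
    // Header names are case-insensitive; compare the value the same way.
    if (strcasecmp(trim($name), 'X-Content-Type-Options') === 0) {
      return strcasecmp(trim($value), 'nosniff') === 0;
    }
  }
  return FALSE;
}

// Constructed sample responses: one with the header, one without.
$with = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nx-content-type-options: NoSniff\r\n";
$without = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n";
var_dump(example_has_nosniff($with), example_has_nosniff($without));

// Placeholders: set EXAMPLE_DSN, EXAMPLE_USER and EXAMPLE_PASS to test a database.
if ($dsn = getenv('EXAMPLE_DSN')) {
  $pdo = new PDO($dsn, getenv('EXAMPLE_USER'), getenv('EXAMPLE_PASS'), example_single_statement_options());
  var_dump(example_rejects_stacked_statements($pdo));
}
```

Run it against a test database only; the header check works on response headers saved from any HTTP client.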

Performance Improvements

  • Module Implementation Caching: Eliminated an unnecessary second loop in module_implements(), providing a significant performance boost to a frequently called core function.

  • Info File Parsing: Optimized drupal_parse_info_format() to be 3x faster while reducing memory usage by 95%, improving performance when parsing .info files.

  • Cache Management: Fixed issues with the module_implements() cache that could lead to performance degradation when module_invoke_all() was called before full bootstrap completion.

  • Time Limit Management: Improved drupal_set_time_limit() to avoid unnecessary calls to change the time limit when it's already set to unlimited, reducing overhead in certain operations.

  • Block Caching: Enhanced block caching with alterable cache IDs, allowing for more efficient and flexible cache management strategies.

Impact Summary

Drupal 7.40 delivers substantial improvements to performance, security, and stability without introducing breaking changes. The most impactful changes are the performance optimizations to module_implements() and drupal_parse_info_format(), which will benefit all Drupal 7 sites by reducing CPU and memory usage during page loads.

Security enhancements like PDO MySQL single statement execution and MIME type sniffing protection add important layers of defense against common web vulnerabilities. These changes align with modern security best practices and help protect sites from potential attacks.

The numerous bug fixes address long-standing issues across various subsystems, from user interface quirks to file handling problems. Many of these fixes eliminate PHP notices and warnings that could clutter logs and potentially impact performance.

Documentation improvements make the codebase more approachable for new developers and provide clearer guidance on API usage. The more user-friendly README files throughout the codebase will help both developers and site administrators better understand Drupal's structure and functionality.

Overall, this release represents a solid maintenance update that improves the platform's performance, security, and developer experience without requiring significant changes to existing sites or custom code.

Statistics:

Files Changed: 86
Line Additions: 1,405
Line Deletions: 361
Line Changes: 1,766
Total Commits: 79

Users Affected:

  • Performance improvements in module_implements() will speed up page loads
  • Better PDO MySQL security with single statement execution support
  • New support for autoloading Traits in PHP 5.4+
  • Improved block cache customization through alterable cache IDs
  • Fixed issues with file handling and binary vs text file creation in SimpleTest

Contributors:

DavidRothstein, jhodgdon-drp