Drupal Release: 7.50

TL;DR

Drupal 7.50 Release Summary

Drupal 7.50 brings significant improvements to the core platform with a focus on security, performance, and developer experience. This release adds clickjacking protection, fixes PHP 7 compatibility issues, improves UTF-8 support for databases, and introduces callback support in the Form API. It also addresses several critical bugs including session handling issues and fixes for anonymous form submissions. This update is recommended for all Drupal 7 sites, particularly those running on newer PHP versions or requiring better internationalization support.

Highlight of the Release

• Added default clickjacking protection to improve security
• Improved PHP 7 compatibility with numerous bug fixes
• Added support for full UTF-8 in databases (emojis, Asian symbols, mathematical symbols)
• Introduced callback support in Form API instead of requiring global functions
• Added a new 'administer fields' permission for trusted users
• Fixed password reset functionality when already logged in
• Improved test suite with better failure reporting and test isolation

Migration Guide

Callback Support in Form API

If you're using custom form elements or extending core form functionality, you can now use callbacks instead of global functions:

// Old way - global function
$form['element']['#value_callback'] = 'my_global_value_callback';

// New way - class method callback
$form['element']['#value_callback'] = array('MyClass', 'valueCallback');

UTF-8 Database Support

To take advantage of the improved UTF-8 support:

1. Ensure your database is configured with proper UTF-8 support:

   • For MySQL: Use utf8mb4 character set and collation
   • For other databases: Refer to database-specific documentation

2. Update your settings.php file to specify the UTF-8 character set:

$databases['default']['default'] = array(
  // Other connection settings...
  'charset' => 'utf8mb4',
  'collation' => 'utf8mb4_general_ci',
);

New 'administer fields' Permission

If you have custom roles that need to manage fields but shouldn't have full administrative access:

1. Go to People > Permissions
2. Find the new "Administer fields" permission
3. Grant it to appropriate roles
4. Review and possibly revoke the broader "Administer content types" permission if it was previously granted only for field management

Upgrade Recommendations

Recommendation Level: Moderate Priority

This update is recommended for all Drupal 7 sites, particularly those:

• Running on PHP 7 or planning to upgrade to PHP 7
• Requiring better internationalization support and UTF-8 character handling
• Concerned about security best practices
• Experiencing issues with form submissions or password resets

The upgrade process follows standard Drupal 7 update procedures:

1. Back up your database and files
2. Put your site in maintenance mode
3. Replace your existing Drupal core files with the 7.50 release
4. Run update.php
5. Test thoroughly before taking your site out of maintenance mode

Special Considerations:

• If you've modified core files, review your changes against the new release
• If you're using custom form implementations, test them thoroughly as the Form API callback changes might affect behavior
• Sites with custom database queries should test thoroughly with the improved UTF-8 support

Bug Fixes

• Anonymous Form Submissions: Fixed regression where anonymous users submitting forms with un-uploaded files would lose the file on validation errors.

• Password Reset Issues: Fixed a critical bug where following a password reset link while logged in would leave users unable to change their password.

• PHP 7 Compatibility: Fixed multiple issues affecting PHP 7 compatibility:

  • Array to string conversion in trigger.test
  • Undefined string index in DrupalTestCase::getAbsoluteUrl()
  • Issues with hook_rdf_mapping() and RDF types
  • Invalid numeric comparison in OpenIDTestCase

• Session Handling: Improved session handling with proper boolean returns from _drupal_session_destroy() and _drupal_session_write().

• URL Generation: Fixed URL generation issues that only worked on port 80, now properly supports other ports.

• Password Field Handling: Fixed errors on user create/edit/login forms when password is literally "0".

• Menu Issues: Fixed conflicts where blog module interfered with other URL routes beginning with "blog/".

• Ajax Functionality: Fixed issues with Ajax not working with tableselect elements using checkboxes.

• Hidden Textarea Fields: Fixed regression where hidden field textarea #default_value was being ignored.

• Image Rotation: Fixed various bugs with PHP 5.5 imagerotate(), including issues with incorrect color indices.

• Database Schema: Fixed unsigned int vs. int mismatch between node.nid and history.nid columns.

• Module Directory Scanning: Fixed performance issues with re-scanning module directories when filenames or modules are missing.

New Features

• Clickjacking Protection: Added default clickjacking defense to core, improving security for all Drupal sites.

• New 'administer fields' Permission: Added a dedicated permission for trusted users to use the field UI without needing full administrative access.

• Callback Support in Form API: Now supports using callbacks instead of global functions in parts of the Form API, allowing for better code organization and object-oriented programming approaches.

• Full UTF-8 Support: Enhanced database support for full UTF-8 character sets, including emojis, Asian symbols, and mathematical symbols when the database is properly configured.

• Admin Overlay Support: Added support for admin overlay in exposed forms, improving the administrative experience.

• EditorConfig Support: Introduced .editorconfig to auto-configure editors that support it, improving developer experience and code consistency.

• Test Suite Improvements: Added --directory option to run-tests.sh for better test discovery and improved exit codes to indicate test failures.

Security Updates

• Clickjacking Protection: Added default clickjacking defense to core, protecting against UI redressing attacks.

• IP Address Handling: Fixed ip_address() function when client request IP and proxy IP are the same, improving the accuracy of IP-based security measures.

• User Module Security: Added tests for the User module security issue from SA-CORE-2016-002, ensuring the fix is properly implemented and tested.

• XML Handling: Improved format_xml_elements() to properly handle unencoded values, preventing potential security issues with XML output.

Performance Improvements

• Module Directory Scanning: Significantly improved performance by avoiding re-scanning module directories when a filename or module is missing, which was causing performance issues on sites with many modules.

• Database Optimization: Added index on uid and module columns to the authmap table, improving query performance for user authentication operations.

• Test Performance: Improved test isolation by ensuring cookies from previous tests are not present when a new test starts, leading to more reliable and faster test execution.

Impact Summary

Drupal 7.50 represents a significant update that improves security, performance, and developer experience while maintaining backward compatibility. The addition of clickjacking protection enhances security for all sites without requiring configuration changes. PHP 7 compatibility fixes ensure Drupal 7 continues to work well on modern hosting environments.

The improved UTF-8 support is particularly valuable for multilingual sites and those needing to store special characters, emojis, or non-Latin text. This addresses a long-standing limitation in Drupal 7's database handling.

For developers, the introduction of callback support in the Form API is a welcome improvement that allows for better code organization and object-oriented approaches without requiring global functions. This modernizes parts of Drupal 7's API while maintaining backward compatibility.

The bug fixes for password reset functionality, anonymous form submissions, and Ajax handling address several pain points that have affected users and site administrators. The improved test suite reliability and reporting will help module developers ensure their code works correctly with this release.

Overall, this update strikes a good balance between introducing new capabilities and fixing existing issues while maintaining the stability that Drupal 7 sites depend on.