Drupal Release: 7.68

TL;DR

Drupal 7.68 is a maintenance release that addresses several PHP compatibility issues, security improvements, and bug fixes. It enhances compatibility with PHP 7.x, improves session handling, adds better protection for configuration files, and fixes various bugs including JavaScript handling and theme rendering. This release is important for sites running on newer PHP versions and those concerned about security hardening.

Highlight of the Release

• PHP 7.x compatibility improvements for session handling and array operations
• Enhanced security for configuration files through improved .htaccess rules
• New scripts element to align rendering workflow with styles handling
• Fixed HTTP request handling with array data
• Improved JavaScript handling through AJAX

Migration Guide

No significant migration steps are required for this maintenance release. The changes are primarily bug fixes and compatibility improvements that should not affect existing functionality.

If you've implemented custom code that:

1. Manipulates session IDs directly, review the session handling changes
2. Uses drupal_http_request() with complex data, note that you can now pass arrays directly
3. Has custom theme implementations using JavaScript, the new scripts element provides a more consistent approach similar to styles

These changes are backward compatible and should not break existing functionality.

Upgrade Recommendations

This release is recommended for all Drupal 7 sites, especially those:

• Running on PHP 7.x versions
• Concerned about security hardening
• Experiencing issues with session handling or JavaScript processing

The update contains important compatibility fixes for modern PHP versions and security improvements. Sites running on PHP 7.1 or higher will particularly benefit from this update.

Follow the standard Drupal update procedure:

1. Back up your database and files
2. Put your site in maintenance mode
3. Update your Drupal core files
4. Run update.php
5. Take your site out of maintenance mode

No database schema changes are included in this release, making it a relatively low-risk update.

Bug Fixes

PHP Compatibility Fixes

• Fixed "uasort() expects parameter 1 to be array, null given" warning in node_view_multiple()
• Fixed "session_id(): Cannot change session id" errors in PHP 7.2 and above
• Fixed "Cannot change session id when session is active" in PHP 7.3
• Fixed "A non-numeric value encountered" warning in theme_pager() on PHP 7.1
• Fixed test failures on PHP 5.3

JavaScript and AJAX Fixes

• Fixed issue where settings returned via AJAX were not run through hook_js_alter()
• Fixed DrupalRequestSanitizer not found fatal error when bootstrap phase order is changed

Other Fixes

• Fixed toolbar visibility when printing pages
• Fixed permission issues with default.settings.php
• Fixed HTTP status code handling for uncaught exceptions

New Features

New Scripts Element for Theme Rendering

A new 'scripts' element has been added to align the rendering workflow with how 'styles' are handled. This provides theme developers with more consistent methods for managing JavaScript assets, similar to how CSS is handled.

HTTP Request Improvements

• drupal_http_request() now allows passing data as an array
• The function now uses drupal_http_build_query() internally for better consistency and security

Theme Table Footer Support

The theme_table() function now accepts an optional footer variable and can produce proper <tfoot> elements, allowing for more semantic HTML table structures.

Security Updates

File Protection Improvements

• Added protection for web.config files in .htaccess (and vice versa) to prevent potential information disclosure
• Enhanced .htaccess file generation in file.inc to better cover PHP 7 security requirements
• Improved default.settings.php file permissions

Session Handling Security

Multiple fixes for session handling across different PHP versions improve the security of session management and prevent potential session-related vulnerabilities.

Performance Improvements

Watchdog Performance Improvement

The system now skips module_invoke/module_hook when calling hook_watchdog, reducing excessive function_exists() calls. This improves performance when logging events, especially on busy sites with many log entries.

JavaScript Handling

The new scripts element and improved AJAX handling for JavaScript settings provides more efficient processing of JavaScript assets.

Impact Summary

Drupal 7.68 focuses on PHP compatibility, security hardening, and bug fixes. The release improves compatibility with PHP 7.x versions by addressing several warnings and errors in session handling and array operations. Security is enhanced through better protection of configuration files and improved .htaccess generation.

For developers, the new scripts element provides a more consistent approach to JavaScript handling, aligning with how CSS is managed. HTTP request handling is improved with support for array data and better query building.

The release also fixes several long-standing bugs, including issues with JavaScript settings in AJAX responses, toolbar visibility when printing, and exception handling.

Overall, this is a maintenance release that improves stability, security, and compatibility without introducing breaking changes. It's particularly important for sites running on newer PHP versions or those concerned about security hardening.