Drupal Release: 7.76
Tag Name: 7.76
Release Date: 12/2/2020
Drupal: Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.
TL;DR
Drupal 7.76 Release: Enhanced Security, Database Improvements, and PHP 7.4 Compatibility
This release brings significant improvements to Drupal 7's security posture with new flood protection for password reset forms and better user flood control logging. Database handling sees major enhancements, particularly for SQLite and MySQL 8 support. Several PHP 7.4 compatibility issues have been resolved, and the system email "From" header now uses the site name for better deliverability. This maintenance release is important for sites running on newer PHP versions or using SQLite/MySQL 8 databases.
Highlights of the Release
- Added flood protection to password reset form for enhanced security
- Improved system emails by using site name in From header
- Added MySQL 8 support for modern database environments
- Enabled WAL journal mode by default for SQLite for better performance
- Fixed PHP 7.4 compatibility issues in menu tree output and other areas
- Enhanced user flood control logging with new hook_user_flood_control()
Migration Guide
No specific migration steps are required for this maintenance release. However, site administrators should be aware of the following changes that might affect their sites:
Database Changes
- SQLite WAL Mode: SQLite databases now use WAL journal mode by default. While this improves performance, it creates additional files in your database directory (.db-wal and .db-shm files). Ensure your backup procedures account for these additional files.
- MySQL 8 Support: If upgrading your database to MySQL 8, review your queries for compatibility with the stricter SQL mode in MySQL 8.
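Why the SQLite WAL item above matters for backups, as an added example (not Drupal code): it builds a throwaway WAL-mode database, then compares a copy of the main file alone with a backup taken through SQLite's online backup API. The file name `drupal.db` and the `node` table are constructed for the demonstration.

```python
import os
import shutil
import sqlite3
import tempfile


def count_rows(path):
    """Open a database file on its own and count rows in the sample table."""
    conn = sqlite3.connect(path)
    try:
        return conn.execute("SELECT COUNT(*) FROM node").fetchone()[0]
    finally:
        conn.close()


def demo_wal_backup(workdir):
    """Return (sidecar files, live rows, naive-copy rows, API-backup rows)."""
    live = os.path.join(workdir, "drupal.db")  # constructed file name
    naive = os.path.join(workdir, "naive-copy.db")
    safe = os.path.join(workdir, "api-backup.db")

    # Autocommit: every statement below is its own committed transaction.
    conn = sqlite3.connect(live, isolation_level=None)
    conn.execute("CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO node (title) VALUES ('before WAL')")

    # Switch to the journal mode that 7.76 enables by default.
    mode = conn.execute("PRAGMA journal_mode=WAL").fetchone()[0]
    if mode != "wal":
        raise RuntimeError("WAL not available here, got: " + mode)
    for i in range(5):
        conn.execute("INSERT INTO node (title) VALUES (?)", ("after WAL %d" % i,))

    # These commits sit in drupal.db-wal until SQLite checkpoints them.
    sidecars = sorted(f for f in os.listdir(workdir) if f.startswith("drupal.db-"))

    shutil.copyfile(live, naive)  # naive backup: main file only, site running
    dest = sqlite3.connect(safe)  # consistent backup: online backup API
    conn.backup(dest)
    dest.close()

    live_rows = conn.execute("SELECT COUNT(*) FROM node").fetchone()[0]
    conn.close()
    return sidecars, live_rows, count_rows(naive), count_rows(safe)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(demo_wal_backup(tmp))
```

The naive copy opens without error but silently lacks every row committed since the last checkpoint, so a backup job should use the backup API (or the `sqlite3` CLI's `.backup` command) rather than copying the main file by itself.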
Email Configuration
- From Header Changes: System emails now use the site name in the From header. If you've implemented custom email handling that depends on the previous behavior, you may need to update your code.
Testing Environment
- If you use the testing framework, note that run-tests.sh now uses the PHP_BINARY constant, which might change how tests are executed in your environment.
Upgrade Recommendations
Recommendation Level: Moderate Priority
This release contains important security enhancements, database improvements, and PHP 7.4 compatibility fixes that make it a recommended upgrade for most Drupal 7 sites, particularly those:
- Running on PHP 7.4
- Using SQLite or MySQL 8 databases
- Concerned about security hardening
While there are no critical security fixes that would necessitate an immediate upgrade, the password reset form flood protection and improved user flood control logging provide valuable security enhancements.
Upgrade Steps:
- Back up your database and files
- Put your site in maintenance mode
- Update Drupal core files
- Run update.php
- Test your site thoroughly
- Take your site out of maintenance mode
For sites using SQLite, be aware that the new WAL journal mode will create additional files that should be included in backups.
Bug Fixes
Database Fixes
- SQLite Query Fixes: Fixed SQLite INSERT FROM...SELECT queries that were previously not working correctly (#2427875).
- SQLite Simpletest Tables: Fixed an issue where the SQLite database driver failed to properly drop simpletest tables (#1713332).
- Connection Unit Test: Fixed skipping of ConnectionUnitTest for non-MySQL databases (#3174134).
PHP 7.4 Compatibility Fixes
- Menu Tree Output Notices: Fixed PHP notices in the menu_tree_output() function when running on PHP 7.4 (#3155357).
- PHP Notices in Locale Module: Addressed PHP notices coming from locale.module (#2571711).
JavaScript Fixes
- jQuery Whitespace: Removed leading whitespace in jquery.js file (#3178638).
Form Element Fixes
- Weight Form Element: Fixed behavior of the Weight form element (#2946801).
Other Fixes
- Variable Locking: Fixed overzealous locking in variable_initialize() that could cause performance issues (#973436).
- Element Children Sort Order: Fixed inconsistent element_children sort order between PHP 5 and PHP 7 (#2756297).
- Security Exploit Notices: Fixed notices/warnings from attempted exploitation of previous security vulnerabilities (SA-CORE-2018-002 and SA-CORE-2018-004) (#2975433).
New Features
Enhanced Security Features
- Password Reset Form Flood Protection: Added flood protection to the password reset form to prevent brute force attacks (#3074666).
- Improved User Flood Control Logging: The user module now provides better logging for flood control events, making it easier to monitor potential security threats (#2989985).
- New Hook for Flood Control: Added hook_user_flood_control(), allowing modules to implement custom flood control logic (#2989985).
Email Improvements
- Site Name in Email Headers: System emails now use the site name in the From header, improving email deliverability and recipient recognition (#3098058).
Database Enhancements
- SQLite WAL Journal Mode: Enabled Write-Ahead Logging (WAL) journal mode by default for SQLite databases, improving performance and concurrency (#3172877).
- MySQL 8 Support: Added comprehensive support for MySQL 8 databases, ensuring compatibility with this modern database version (#2978575).
Security Updates
Security Enhancements
- Password Reset Form Flood Protection (#3074666): Added critical flood protection to the password reset form, preventing brute force attacks that could otherwise allow attackers to reset user passwords through repeated attempts.
- Enhanced User Flood Control Logging (#2989985): Improved logging for user flood control events, making it easier to detect and respond to potential security threats like brute force login attempts.
- Fixed Security Exploit Notices (#2975433): Addressed notices and warnings that could appear from attempted exploitation of previous security vulnerabilities (SA-CORE-2018-002 and SA-CORE-2018-004), improving system robustness against known attack vectors.
While not strictly security fixes, these enhancements significantly improve the security posture of Drupal 7 sites by adding protection against common attack vectors and improving visibility into potential security events.
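One way to put the flood control log entries to use, as an added example (not part of Drupal or of the release): it groups rendered log messages and flags a source blocked on many accounts or an account blocked from many sources. The message wording is an assumption to confirm against your own logs, and the sample messages and threshold are constructed.

```python
import re
from collections import defaultdict

# Assumed wording of the two flood-control log messages; confirm it against
# your own watchdog or syslog output before relying on these patterns.
USER_RE = re.compile(
    r"Flood control blocked login attempt for (?P<user>.+) from (?P<ip>\S+?)\.?$")
IP_RE = re.compile(r"Flood control blocked login attempt from (?P<ip>\S+?)\.?$")

# Constructed sample messages (documentation IP ranges, invented usernames).
SAMPLE = [
    "Flood control blocked login attempt for alice from 203.0.113.7.",
    "Flood control blocked login attempt for bob from 203.0.113.7.",
    "Flood control blocked login attempt for carol from 203.0.113.7.",
    "Flood control blocked login attempt from 203.0.113.7.",
    "Flood control blocked login attempt from 203.0.113.7.",
    "Flood control blocked login attempt for admin from 198.51.100.1.",
    "Flood control blocked login attempt for admin from 198.51.100.2.",
    "Flood control blocked login attempt for admin from 192.0.2.9.",
    "Session opened for erin.",
]


def summarize(messages, min_distinct=3):
    """Group flood-control events and flag the patterns worth an alert."""
    users_by_ip = defaultdict(set)   # per-account blocks seen from each IP
    ips_by_user = defaultdict(set)   # IPs blocked while trying each account
    ip_blocks = defaultdict(int)     # IP-wide blocks (no username logged)
    for msg in messages:
        m = USER_RE.search(msg)
        if m:
            users_by_ip[m["ip"]].add(m["user"])
            ips_by_user[m["user"]].add(m["ip"])
            continue
        m = IP_RE.search(msg)
        if m:
            ip_blocks[m["ip"]] += 1
    return {
        # One source locked out on many accounts: password spraying pattern.
        "many_accounts": sorted(
            ip for ip, users in users_by_ip.items() if len(users) >= min_distinct),
        # One account locked out from many sources: distributed guessing.
        "many_sources": sorted(
            u for u, ips in ips_by_user.items() if len(ips) >= min_distinct),
        "ip_blocks": dict(ip_blocks),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```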
Performance Improvements
Database Performance Improvements
- SQLite WAL Journal Mode: Enabled Write-Ahead Logging (WAL) journal mode by default for SQLite databases (#3172877). This change significantly improves performance by:
  - Allowing multiple readers to access the database concurrently with a writer
  - Reducing disk I/O operations during transactions
  - Improving overall database throughput
Variable System Optimization
- Reduced Locking Overhead: Fixed overzealous locking in variable_initialize() (#973436), which reduces contention and improves performance during bootstrap, especially on busy sites with multiple concurrent requests.
Testing Performance
- Improved Test Runner: Enhanced run-tests.sh to use PHP_BINARY constant (#2798377), ensuring more reliable test execution and potentially faster test runs.
Impact Summary
Drupal 7.76 delivers significant improvements across security, database handling, and PHP compatibility. The addition of flood protection to password reset forms addresses a long-standing security gap, while enhanced user flood control logging provides better visibility into potential attacks.
Database improvements are substantial, with SQLite receiving major enhancements including WAL journal mode for better performance and fixes for INSERT queries and simpletest table handling. MySQL 8 support ensures compatibility with modern database environments.
PHP 7.4 compatibility fixes resolve notices in menu tree output and locale module, ensuring smoother operation on current PHP versions. The improvement to system emails by using the site name in From headers will enhance email deliverability.
For developers, the new hook_user_flood_control() provides flexibility for custom security implementations, while fixes to element_children sort order ensure consistent behavior across PHP versions.
Overall, this release represents an important maintenance update that improves security, performance, and compatibility without introducing breaking changes.
Users Affected:
- Better security with password reset form flood protection
- Improved system emails with site name in From header for better deliverability
- Enhanced user flood control logging for better security monitoring
