Drupal Release: 7.79

TL;DR

Drupal 7.79 is a security and maintenance release that addresses several critical security vulnerabilities and adds PHP 8 compatibility improvements. This update includes fixes for session cookie security, one-time login link protection, and various PHP 8 compatibility issues. It's an important update for all Drupal 7 sites, especially those planning to upgrade to PHP 8 or concerned about security hardening.

Highlight of the Release

• Added SameSite cookie attribute for PHP sessions to enhance security
• Fixed one-time login link vulnerability that could leak via referer headers
• Added multiple PHP 8 compatibility fixes for future-proofing
• Improved error handling for database transactions in PHP 8
• Fixed misleading error message for image uploads

Migration Guide

No specific migration steps are required for this maintenance release. This is a standard security and bug fix update that should be applied using the normal Drupal update process:

1. Back up your database and site files before updating
2. Put your site into maintenance mode
3. Update your Drupal core files to version 7.79
4. Run the update script by visiting /update.php in your browser
5. Take your site out of maintenance mode

If you're planning to use PHP 8 with your Drupal 7 site, this release includes important compatibility fixes, but you should still thoroughly test your site after upgrading PHP versions, as custom modules may require additional updates.

Upgrade Recommendations

Priority: High

This release contains important security fixes and PHP 8 compatibility improvements. All Drupal 7 sites should upgrade to version 7.79 as soon as possible, especially if:

1. You're planning to upgrade to PHP 8
2. You're concerned about session security and CSRF protection
3. You use one-time login links for user access

The security improvements alone make this update highly recommended for all Drupal 7 sites, regardless of PHP version. The update process follows the standard Drupal core update procedure and should not cause any disruption to existing functionality.

Remember that Drupal 7 is approaching its end-of-life, so while this update is important, site owners should also be planning their migration strategy to Drupal 9 or 10.

Bug Fixes

Security Fixes

• Fixed vulnerability in Archive_Tar with hardened destructor implementation
• Added protection against one-time login link leakage via referer headers
• Added SameSite cookie attribute for PHP sessions

PHP 8 Compatibility Fixes

• Fixed ArgumentCountError in _drupal_error_handler() function
• Corrected parameter order in various functions
• Fixed DatabaseConnection::query signature mismatch with PDO::query
• Resolved MySQL errors when committing/rolling back with no active transaction
• Fixed PDO statement preparation issues
• Addressed test failures in Form element validation and User administration
• Fixed deprecated function usage in OpenID

General Bug Fixes

• Fixed unnecessary field storage writes when field content didn't change
• Corrected inaccurate error message for image uploads
• Removed unnecessary looping in filter_xss() when processing attributes
• Fixed JS source map issues when aggregating JavaScript files
• Fixed array offset access on boolean value in menu_get_active_breadcrumb()
• Resolved undefined function call to drupal_get_path_alias() in url()
• Removed trailing space in menu.inc

New Features

This release primarily focuses on security improvements and bug fixes rather than new features. The most notable enhancement is the addition of the SameSite cookie attribute for PHP sessions, which helps protect against cross-site request forgery (CSRF) attacks by controlling how cookies are sent in cross-site requests.

Security Updates

• SameSite Cookie Protection: Added SameSite cookie attribute for PHP sessions to protect against cross-site request forgery (CSRF) attacks by controlling how cookies are sent in cross-site requests.

• One-Time Login Link Protection: Fixed a vulnerability where valid one-time login links could be leaked to third parties via the referer header, potentially allowing unauthorized access to user accounts.

• Archive_Tar Hardening: Improved security of the Archive_Tar library by hardening its destructor implementation, preventing potential exploitation.

• XSS Protection Improvement: Enhanced the filter_xss() function to process attributes more efficiently and securely.

These security improvements help protect Drupal 7 sites against common web vulnerabilities and strengthen the overall security posture of the CMS.

Performance Improvements

Performance Enhancements

• Optimized Field Storage: Fixed unnecessary field storage writes when field content did not change, reducing database operations and improving performance during content updates.

• Improved XSS Filtering: Eliminated unnecessary looping in filter_xss() when processing attributes, making the function more efficient.

• Cleaner JavaScript: Removed source mapping URLs and source URLs when JavaScript files are aggregated, resulting in cleaner code and potentially faster loading times.

• Dead Code Removal: Eliminated unused code from ajax.js, including progress.upload_callback and progress.error_callback, reducing JavaScript payload size.

Impact Summary

Drupal 7.79 delivers significant security enhancements and PHP 8 compatibility fixes that strengthen the platform's security posture and extend its viability on newer PHP versions.

The security improvements—particularly the SameSite cookie attribute for sessions and protection against one-time login link leakage—address important vulnerabilities that could potentially be exploited in cross-site attacks. These changes make Drupal 7 sites more resilient against common web security threats.

The extensive PHP 8 compatibility fixes are crucial for sites planning to upgrade their PHP environment, ensuring that core Drupal functionality continues to work correctly on newer PHP versions. This extends the practical lifespan of Drupal 7 sites while organizations plan their migration to newer Drupal versions.

Performance optimizations, particularly around field storage and XSS filtering, will provide incremental improvements in site responsiveness and resource utilization.

Overall, this is an important maintenance release that all Drupal 7 site owners should apply promptly to benefit from the security hardening and compatibility improvements.