Drupal Release: 7.83

TL;DR

Drupal 7.83 Release: PHP 8.1 Compatibility and Security Enhancements

This release focuses on PHP 8.1 compatibility, security improvements, and bug fixes. It addresses multiple PHP deprecation notices and warnings while enhancing security through improved cookie handling and SQL injection protection. Key improvements include better file upload organization with year/month directories, multiple hreflang tag support, and fixes for various PHP notices and warnings across different PHP versions. This update is particularly important for sites planning to upgrade to PHP 8.1 or those concerned about security hardening.

Highlight of the Release

• PHP 8.1 compatibility improvements addressing deprecation notices and warnings
• Enhanced security with improved cookie domain handling and SQL injection protection
• Better file organization with year/month directory structure for uploads
• Support for multiple hreflang tags pointing to the same URL
• Password reset form security enhancement to prevent revealing valid emails/usernames
• Added 'changed' property to user entities for tracking last modification time

Migration Guide

Preparing for PHP 8.1

If you're planning to run your site on PHP 8.1, this release includes essential compatibility fixes. However, you should still:

1. Test your site thoroughly on PHP 8.1 in a development environment before upgrading production
2. Check for any custom modules that might need updates for PHP 8.1 compatibility
3. Review your logs after upgrading for any remaining deprecation notices

File Upload Directory Structure

The default file upload path now includes year/month directories. This change:

• Only affects new file uploads; existing files remain in their current locations
• May require updates to custom code that assumes specific file paths
• Can be overridden in settings if needed

Cookie Domain Handling

The change to cookie domain handling no longer strips "www." by default:

1. Review your site's cookie domain settings if you rely on cookies being shared between www and non-www versions
2. You may need to explicitly configure cookie sharing if your site uses both www and non-www domains

SQL Match Operator

If you use custom code with database queries that include the $match_operator parameter:

1. Review your code to ensure you're properly sanitizing inputs
2. Use the database API's placeholder system rather than directly inserting values

Upgrade Recommendations

Who should upgrade?

• High Priority: Sites running or planning to upgrade to PHP 8.1
• High Priority: Sites concerned about security hardening
• Medium Priority: Sites with multilingual content using hreflang tags
• Medium Priority: Sites with heavy file upload requirements

Upgrade Path

This is a maintenance and security release with no known breaking changes. Standard upgrade procedures apply:

1. Back up your database and files
2. Put your site in maintenance mode
3. Replace your codebase with the 7.83 release
4. Run update.php
5. Test thoroughly before taking your site out of maintenance mode

Special Considerations

• If you have custom code that relies on specific file paths, test thoroughly after upgrading due to the new year/month directory structure for file uploads
• Review any custom modules that might interact with cookies or user sessions due to the cookie domain handling changes
• If you're using custom database queries with match operators, verify they work correctly after the SQL injection protection improvements

Bug Fixes

• PHP 8.1 Compatibility Fixes:

  • Fixed PDO::ATTR_STRINGIFY_FETCHES in MySQL connection options
  • Addressed deprecation notices in DrupalCacheArray due to tentative return types
  • Fixed signature mismatches in Database classes
  • Resolved implicit conversion from float to int precision loss
  • Corrected SkipDotsRecursiveDirectoryIterator methods return type

• PHP 7.x Compatibility Fixes:

  • Fixed element_property() notice in PHP 7.4 when $key is an integer
  • Addressed PHP 7.2 warning in taxonomy_form_term_submit() related to Countable
  • Fixed TypeError in parse_size function for PHP 8
  • Resolved Ajax upload validation PHP notice on PHP 7

• Security-Related Fixes:

  • Fixed SQL injection vulnerability in $match_operator
  • Improved password reset form to prevent revealing whether an email or username exists
  • Fixed drupal_mkdir to properly set permissions on recursively created directories

• Other Fixes:

  • Fixed PDO Exception where column weight cannot be null in menu.inc
  • Resolved regression in color module
  • Fixed list_allowed_values_string() warning when options are determined by 'allowed_values_function'
  • Corrected error 500 when requesting partial image style paths
  • Fixed DrupalWebTestCase->storeSetupCache() error with time() function
  • Addressed URL encoding issue in drupal_add_html_head_link() for HTTP headers

New Features

• Year/Month Directory Structure for File Uploads: Files are now uploaded to directories organized by year and month by default, improving file organization and management.

• Multiple Hreflang Tags Support: Added support for multiple hreflang tags pointing to the same URL, enhancing multilingual SEO capabilities.

• User Entity 'Changed' Property: Added a 'changed' timestamp property to user entities to track when a user was last modified.

• Skip Permissions Hardening: Backported the skip_permissions_hardening feature from Drupal 8, providing more flexibility in file permission management.

• Single Test Method Execution: Enhanced run-tests.sh to allow running individual test methods, improving developer testing workflow.

• Dzongkha Language Support: Added proper support for the Dzongkha language (previously mislabeled as "Bhutani").

Security Updates

• Cookie Domain Handling: Fixed a security issue where www. was being stripped from cookie domains by default, which could leak session cookies to subdomains.

• SQL Injection Protection: Addressed a vulnerability where the SQL $match_operator was susceptible to injection attacks.

• Password Reset Form: Enhanced security by modifying the password reset form to prevent revealing whether an email address or username exists in the system.

• Directory Permissions: Fixed drupal_mkdir() to properly set permissions on directories created recursively, preventing potential security issues with improperly secured directories.

• JavaScript Cookie Removal: Backported the removal of $_COOKIE['has_js'], eliminating a potential security vector.

Performance Improvements

• Archive_Tar Updates: Synchronized system.tar.inc with Archive_Tar 1.4.14, improving archive handling performance and reliability.

• Cookie Handling Optimization: Removed the JavaScript detection cookie ($_COOKIE['has_js']), reducing unnecessary cookie overhead and improving frontend performance.

• File Organization: The new year/month directory structure for file uploads improves performance by preventing directories from becoming too large, which can slow down file operations on some systems.

Impact Summary

Drupal 7.83 represents a significant maintenance release focused on PHP 8.1 compatibility and security enhancements. The update addresses multiple PHP deprecation notices and warnings that would appear when running on PHP 8.1, making this release essential for sites planning to upgrade their PHP version.

The security improvements are substantial, with fixes for cookie domain handling that prevent session cookie leakage to subdomains, protection against SQL injection attacks, and enhancements to the password reset form to prevent user enumeration. These changes strengthen Drupal 7's security posture without requiring major architectural changes.

For content management, the introduction of year/month directory structure for file uploads brings a long-requested feature to Drupal 7 that improves file organization. This change only affects new uploads and won't disrupt existing files.

Multilingual site owners benefit from improved hreflang tag support and the addition of the Dzongkha language, enhancing SEO capabilities for international sites.

Developers gain better testing tools with the ability to run single test methods and benefit from the new 'changed' property on user entities for tracking modifications.

Overall, this release maintains Drupal 7's stability while addressing modern PHP compatibility needs and enhancing security, making it a recommended update for all Drupal 7 sites.