Drupal Release: 7.90

Tag Name: 7.90

Release Date: 6/1/2022

Drupal

Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.

TL;DR

Drupal 7.90: PHP 8.1 Compatibility, Security Fixes, and Database Improvements

This release focuses on PHP 8.1 compatibility, fixes a CSRF vulnerability in cron, improves PostgreSQL support (including PostgreSQL 12), and addresses various notices and warnings. It's particularly important for sites running on newer PHP versions or PostgreSQL databases. Administrators should upgrade promptly, especially due to the security fix.

Highlight of the Release

  • Fixed CSRF vulnerability in cron functionality
  • Added PHP 8.1 compatibility improvements
  • Added PostgreSQL 12 support
  • Fixed comment editing issue that was changing creation dates
  • Improved database performance for PostgreSQL

Migration Guide

This release doesn't introduce any breaking changes that would require specific migration steps. However, if you're upgrading from an older version and running on PHP 8.1 or PostgreSQL 12, this update is particularly important.

If you've been experiencing issues with comment creation dates changing upon edits, corrupt log entries, or PHP notices in various core functions, these should be resolved after upgrading.

Upgrade Recommendations

Priority: Medium-High (High if using PHP 8.1 or PostgreSQL 12)

All Drupal 7 sites should upgrade to version 7.90, particularly those:

  • Running on PHP 7.4, 8.0, or 8.1
  • Using PostgreSQL databases, especially PostgreSQL 12
  • Concerned about the security of their cron implementation

The upgrade process follows the standard Drupal 7 update procedure:

  1. Back up your database and files
  2. Put the site in maintenance mode
  3. Replace your existing Drupal core files with the 7.90 release
  4. Run update.php
  5. Take the site out of maintenance mode

No database schema changes are included in this release, so the update should be straightforward.

Bug Fixes

  • PHP 8.1 Compatibility Fixes:

    • Fixed deprecated notices in filter_xss() when passing null to str_replace()
    • Fixed deprecated notices in text_summary() when passing null to strpos()
    • Fixed deprecated notices in _locale_parse_js_file() when passing null to preg_split()
  • PHP 7.4 Compatibility Fixes:

    • Fixed notices related to empty entity_keys for taxonomy terms
    • Fixed notice in system.admin.inc when a module has an invalid configure path
  • Entity Handling Improvements:

    • Fixed behavior of entity_load() when passed IDs with a trailing dot
    • Fixed Field API assumption about serial/integer entity IDs
  • Cache and Performance Issues:

    • Fixed warning in drupal_serve_page_from_cache() related to gzinflate data errors
    • Fixed issue where x-content-type-options nosniff header was ignored for anonymous cached pages
  • User Experience Fixes:

    • Fixed issue where editing a comment would change its creation date
    • Fixed PHP notices when generating user mail tokens for anonymous users
    • Fixed error in image styles when an effect has no definition
  • Logging Improvements:

    • Fixed issue where logs became completely unusable when an entry had corrupt serialized data

New Features

  • Nginx and PHP-FPM Support: Core is now aware of Nginx and PHP-FPM configurations, improving server environment detection.
  • PostgreSQL 12 Support: Added compatibility with PostgreSQL 12 databases.
  • Improved Module Administration: The "Only For Testing" package is now hidden by default on the modules admin page, creating a cleaner interface for administrators.

Security Updates

  • Cron CSRF Vulnerability: Fixed a Cross-Site Request Forgery vulnerability in the cron system (Issue #2431283). This vulnerability could potentially allow attackers to trigger cron runs without proper authorization.

  • Security Headers: Fixed an issue where the x-content-type-options nosniff header was being ignored for anonymous cached pages, which could potentially lead to MIME type sniffing attacks.
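
One way to confirm the header fix after upgrading, as an added example (not code from Drupal or from this page): the script parses captured response headers and flags page-cache hits that lack `X-Content-Type-Options: nosniff`. It assumes Drupal 7 marks page-cache responses with an `X-Drupal-Cache` header; the captures are constructed samples.

```python
"""Audit captured response headers for nosniff on cached anonymous pages."""

# Constructed sample captures, shaped like `curl -sI` output from a test site.
# Assumption: the page cache marks responses with X-Drupal-Cache: HIT or MISS.
CAPTURES = {
    "pre-upgrade, cached": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "X-Drupal-Cache: HIT\r\n\r\n"
    ),
    "post-upgrade, first request": (
        "HTTP/1.1 200 OK\r\n"
        "X-Drupal-Cache: MISS\r\n"
        "X-Content-Type-Options: nosniff\r\n\r\n"
    ),
    "post-upgrade, cached": (
        "HTTP/1.1 200 OK\r\n"
        "x-drupal-cache: hit\r\n"
        "x-content-type-options: NoSniff\r\n\r\n"
    ),
}


def parse_headers(raw):
    """Return (status_code, {lowercased name: [values]}) for one header block."""
    lines = raw.replace("\r\n", "\n").split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit(raw):
    """Classify a response as 'ok', 'missing-nosniff' or 'not-cached'."""
    _, headers = parse_headers(raw)
    cache_state = [v.upper() for v in headers.get("x-drupal-cache", [])]
    if "HIT" not in cache_state:
        return "not-cached"  # request the page again so the cache is warm
    nosniff = [v.lower() for v in headers.get("x-content-type-options", [])]
    return "ok" if "nosniff" in nosniff else "missing-nosniff"


def failing(captures):
    """Labels of cached responses served without the nosniff header."""
    return sorted(k for k, raw in captures.items() if audit(raw) == "missing-nosniff")
```

Only responses reported as cache hits are judged, so each URL needs to be requested twice as an anonymous visitor before its headers are captured.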

Performance Improvements

  • PostgreSQL Database Optimizations:

    • Improved DatabaseSchema_pgsql::fieldExists() for better performance
    • Optimized Database::tableExists() specifically for PostgreSQL
    • Enhanced DatabaseSchema_pgsql::findTables() for more efficient table discovery
    • Improved DatabaseSchema_pgsql::queryTableInformation() for better performance
  • Cache Handling:

    • Fixed issues with page caching that improve overall performance
    • Improved handling of cached pages with proper security headers

Impact Summary

Drupal 7.90 is primarily a maintenance and compatibility release that addresses several important issues:

  1. Security: Fixes a CSRF vulnerability in the cron system and improves security header handling for cached pages.

  2. PHP Compatibility: Resolves multiple PHP 7.4 and 8.1 compatibility issues, reducing or eliminating deprecation notices and warnings.

  3. Database Improvements: Significantly enhances PostgreSQL support, including compatibility with PostgreSQL 12 and performance optimizations.

  4. User Experience: Fixes several long-standing issues, most notably the problem where editing comments would change their creation date.

  5. System Stability: Improves error handling, particularly for corrupt log entries and image style effects.

This release demonstrates Drupal 7's continued maintenance despite its age, ensuring sites can continue to run securely on modern hosting environments with current PHP versions and database systems. The fixes for PHP 8.1 compatibility are particularly valuable as PHP 7.4 reached end-of-life in November 2022.

Statistics:

  • Files Changed: 41
  • Line Additions: 570
  • Line Deletions: 42
  • Line Changes: 612
  • Total Commits: 24

Users Affected:

  • Improved security with cron CSRF vulnerability fix
  • Better PostgreSQL 12 support
  • Cleaner logs without corrupt serialized data entries
  • Improved module administration page with hidden testing modules
  • Better Nginx and PHP-FPM awareness

Contributors:

mcdruid