Drupal Release: 7.99

TL;DR

Drupal 7.99 is a significant security and maintenance update for Drupal 7, focusing on hardening against PHP security vulnerabilities, fixing username enumeration issues, and improving compatibility with PHP 8.x. This release includes critical security fixes, numerous bug fixes, and infrastructure improvements like GitLab CI integration. It's particularly important for sites still running Drupal 7 as the end-of-life approaches.

Highlight of the Release

• Hardened against PHP Gadget Chain Drupal7/RCE1 vulnerability with added tests
• Fixed username enumeration vulnerabilities in password reset functionality
• Added hook_field_schema_alter() for extending field schema definitions
• Improved PHP 8.x compatibility by fixing deprecation notices
• Integrated GitLab CI for core testing infrastructure
• Fixed issue with links containing '@' being incorrectly converted to email addresses

Migration Guide

No specific migration steps are required for this update. However, site administrators should note:

1. PHP Version Requirements: This release updates PHP requirements according to PSA-2023-06-07. Ensure your hosting environment meets these requirements before upgrading.

2. MySQL 8 Compatibility: If using MySQL 8, note the added documentation about sql_mode override which may be necessary for proper operation.

3. Testing Process: After upgrading, thoroughly test any functionality that:

   • Uses user authentication or password reset features
   • Involves content with special characters in links
   • Relies on feed aggregation
   • Uses image uploads or validation

4. Drupal 7 End-of-Life: Remember that Drupal 7's end-of-life is approaching. While this release improves security and compatibility, planning migration to Drupal 9+ is recommended.

Upgrade Recommendations

Priority: High

This release contains several critical security fixes, including protection against PHP Gadget Chain vulnerabilities and username enumeration issues. All Drupal 7 sites should upgrade as soon as possible to ensure these protections are in place.

Sites running on PHP 8.x will particularly benefit from this upgrade as it addresses several deprecation notices and compatibility issues specific to newer PHP versions.

The upgrade process should be straightforward for most sites:

1. Create a complete backup of your site files and database
2. Put your site into maintenance mode
3. Replace your existing Drupal core files with the new 7.99 release (preserving customized files)
4. Run update.php
5. Test thoroughly before taking the site out of maintenance mode

If you're using contributed modules that extend core functionality affected by these changes (particularly user authentication, field handling, or image processing), test these features carefully after upgrading.

Bug Fixes

• Security Message Persistence: Fixed issue where "5 failed login attempts" security message wasn't cleared when a user reset their password.
• Email Link Conversion: Fixed issue where links containing "@" were incorrectly converted into email addresses even without domain suffixes.
• Vertical Tabs JavaScript Error: Resolved jQuery error occurring when overlay-context hashtag was added to URL with vertical tabs.
• Feed Item Description Handling: Fixed aggregator module issue where feed item descriptions weren't properly stripped of HTML and were limited to 40 characters despite 255 character field limit.
• Zero-byte Image Uploads: Prevented users from uploading 0-byte images which could cause issues.
• XSS Attribute Handling: Fixed issue where valid attribute names containing numbers were incorrectly mangled by XSS filtering.
• Image Resolution Validation: Fixed file_validate_image_resolution() to properly recalculate image dimensions after checking maximum dimensions.
• Exception Handling in Tests: Fixed issue where exceptions were being ignored in errorHandler for DrupalTestCase.
• Cookie Base Path: Fixed issue where cookie base path was set in code but not checked in tests.
• PHP 8.x Compatibility Issues: Fixed multiple deprecation notices and compatibility issues with PHP 8.x:
  • Fixed strpos() null parameter deprecation in system.mail.inc
  • Fixed html_entity_decode() null parameter deprecation in decode_entities()
  • Fixed unserialize() extra data offset issue

New Features

• GitLab CI Integration: Added comprehensive CI/CD pipeline for Drupal 7 core, including test-only jobs and support for different database backends.
• hook_field_schema_alter(): Added new hook allowing modules to alter field schema definitions, providing more flexibility for field implementations.
• Delete Link on Translate Tab: Added a "delete" link in the Operations column of the node Translate tab for better translation management.
• Menu Link Parent Restriction: When adding a new menu link, the available parents are now restricted to the current menu for better usability.
• Drupal.t() Locale Support: Fixed Drupal.t() JavaScript function to properly respect locale_custom_strings for better internationalization.

Security Updates

• PHP Gadget Chain Protection: Hardened Drupal 7 against PHP Gadget Chain Drupal7/RCE1 vulnerability with comprehensive tests to verify protection.
• Username Enumeration Prevention: Fixed two separate issues that could allow username enumeration:
  • Fixed disclosure of usernames in /user/password endpoint
  • Fixed username enumeration via one-time login route
• Watchdog Sanitization: Enhanced security by properly sanitizing watchdog() link in dblog_event() to prevent potential XSS vulnerabilities.
• PHP Version Requirements: Updated PHP requirements according to PSA-2023-06-07 to ensure sites are running on secure PHP versions.
• TYPO3 Phar Error Fix: Resolved security issue related to TYPO3 phar errors after upgrading to Drupal 7.63 and later versions.

Performance Improvements

• Removed Unused JavaScript: Eliminated system.cron.js file which was no longer being used, reducing unnecessary asset loading.
• Optimized Error Handling: Improved exception handling in DrupalTestCase to prevent ignored exceptions, leading to more reliable test outcomes.
• Database Connection Improvements: Updated the list of reserved keywords in DatabaseConnection_mysql for better query handling and performance.
• GitLab CI Optimizations: Implemented several improvements to the CI pipeline to reduce unnecessary rebuilds and improve test execution speed.

Impact Summary

Drupal 7.99 represents a significant security and maintenance update for sites still running on Drupal 7. The release focuses on three key areas:

1. Security Hardening: Critical fixes for PHP Gadget Chain vulnerabilities and username enumeration issues strengthen Drupal 7's security posture at a time when many sites are still running this version beyond its original end-of-life timeline.

2. PHP 8.x Compatibility: Multiple fixes address deprecation notices and compatibility issues with PHP 8.x, ensuring Drupal 7 sites can continue to run on modern hosting environments with current PHP versions.

3. Developer Experience: The addition of GitLab CI integration, new hooks like hook_field_schema_alter(), and various bug fixes improve the developer experience for teams still maintaining Drupal 7 sites.

This release demonstrates the continued commitment to supporting Drupal 7 with security updates and critical fixes despite its aging codebase. For site owners, this update provides essential protections while they plan migrations to newer Drupal versions. The security improvements are particularly valuable as older CMS versions often become targets for automated attacks.

The PHP compatibility improvements help bridge the gap between Drupal 7's original development era and modern hosting environments, giving site owners more flexibility in their infrastructure choices while planning migrations.