Maintenance release of the Drupal 7 series. Includes fixes for incompatibilities introduced in the Drupal 7.20 security release only.
No security fixes are included in this release; however, sites which were unable to upgrade to Drupal 7.20 (or upgraded but made modifications to disable the security fixes included within it) should upgrade to Drupal 7.21 to obtain additional security protection.
No changes have been made to the .htaccess, robots.txt or settings.php files in this release, so upgrading custom versions of those files is not necessary.
If you have already upgraded to Drupal 7.20 with no problems, this release does not provide any new functionality. You can upgrade to Drupal 7.21 at your leisure, without reading the notes below.
Important update notes:
Drupal 7.20 fixed a fundamental security flaw in the Drupal core Image module and therefore introduced incompatibilities with a number of contributed modules and sites (see the Drupal 7.20 release notes). To help mitigate the effect of these changes, an optional 'image_allow_insecure_derivatives' variable was provided, which sites could use to turn off the security fix.
Drupal 7.21 adds additional security protection for sites that use this variable. Although they will still not receive the full benefit of the security fix, they will now have protection against the most damaging and easiest-to-inflict vulnerabilities that were addressed in Drupal 7.20.
If you encountered problems when upgrading or attempting to upgrade to Drupal 7.20, then you should upgrade to Drupal 7.21 following the instructions below:
- First check if upgrading to Drupal 7.21 (and applying any patches or fixes recommended in the Drupal 7.20 release notes) allows you to upgrade your site without any issues. Unset the 'image_allow_insecure_derivatives' variable if you previously set it while upgrading to Drupal 7.20.
If your site experiences problems that do not yet have a fix (and the problems are severe enough that you are unable to tolerate them on your site), set the 'image_allow_insecure_derivatives' variable to TRUE. This can be done using Drush, or by placing code such as

  $conf['image_allow_insecure_derivatives'] = TRUE;

in your settings.php file. (There is also a module you can install which will turn the variable on by default and provide a user interface for turning it back off.)
If you choose to set this variable, understand that your site is not fully secure; it will still be vulnerable to some forms of denial-of-service attacks which use image derivatives as described in SA-CORE-2013-002 (although not the most serious and easiest-to-inflict ones). You should therefore monitor the issue queues of any modules which were giving you trouble and remove the variable from your site as soon as fixes become available which you are able to apply.
There is one behavior change introduced in this release for sites using the 'image_allow_insecure_derivatives' variable. Previously, setting the variable would allow you to generate any image derivative without including a token in the URL. Now, although tokens will still be optional for most image derivatives, they will be required in the unlikely case of an image derivative which was itself generated from an image derivative (for example, if you first generate a thumbnail image by visiting
http://example.com/sites/default/files/styles/thumbnail/public/field/image/example.png, and then want to take that thumbnail image and generate a "medium" image based off of it by visiting
http://example.com/sites/default/files/styles/medium/public/styles/thumbnail/public/field/image/example.png, the second case will require a token in the URL in order to work). This change was necessary in order to provide the security improvements and is not believed to have a practical effect in realistic scenarios.
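The decision rule described above (tokens mandatory by default; optional under 'image_allow_insecure_derivatives' except for a derivative generated from a derivative, whose source path begins with styles/) can be checked against the two example URLs. The following is an added Python model of that rule, not Drupal's own PHP code: the query parameter name itok matches Drupal 7, but the site secrets are constructed, and the HMAC derivation is a simplified stand-in for image_style_path_token(), not a byte-for-byte reproduction.

```python
"""Model of the Drupal 7.21 image-derivative token rule (added example, not Drupal code).

  * variable unset / FALSE -> every derivative request needs a valid itok
  * variable TRUE          -> itok optional, EXCEPT when the source path itself
                              starts with 'styles/' (derivative of a derivative)
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed secrets standing in for the site's private key and hash salt.
PRIVATE_KEY = "constructed-private-key"
HASH_SALT = "constructed-hash-salt"


def path_token(style_name: str, uri: str) -> str:
    """Short HMAC over 'image_style:<style>:<uri>' (simplified stand-in, 8 chars)."""
    msg = f"image_style:{style_name}:{uri}".encode()
    mac = hmac.new((PRIVATE_KEY + HASH_SALT).encode(), msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")[:8]


def parse_derivative_url(url: str):
    """Split .../styles/<style>/<scheme>/<target>?itok=... into its parts."""
    parsed = urlparse(url)
    parts = parsed.path.split("/styles/", 1)
    if len(parts) != 2:
        raise ValueError("not an image style URL")
    style, scheme, target = parts[1].split("/", 2)
    token = parse_qs(parsed.query).get("itok", [None])[0]
    return style, scheme, target, token


def token_required(allow_insecure: bool, target: str) -> bool:
    """Tokens are always required unless the variable is set; nested derivatives
    (source path under styles/) still require one even when it is set."""
    nested = target.lstrip("/\\").startswith("styles/")
    return (not allow_insecure) or nested


def deliver(url: str, conf: dict) -> bool:
    """True if the derivative may be generated for this request, False if refused."""
    style, scheme, target, token = parse_derivative_url(url)
    allow_insecure = bool(conf.get("image_allow_insecure_derivatives", False))
    if not token_required(allow_insecure, target):
        return True
    expected = path_token(style, f"{scheme}://{target}")
    # Constant-time comparison; a missing token is refused outright.
    return token is not None and hmac.compare_digest(token, expected)


# Constructed requests mirroring the two URLs in the release notes.
THUMB = "http://example.com/sites/default/files/styles/thumbnail/public/field/image/example.png"
NESTED = "http://example.com/sites/default/files/styles/medium/public/styles/thumbnail/public/field/image/example.png"

if __name__ == "__main__":
    insecure = {"image_allow_insecure_derivatives": True}
    print("thumbnail, no token, default conf:", deliver(THUMB, {}))        # False
    print("thumbnail, no token, variable set:", deliver(THUMB, insecure))  # True
    print("nested, no token, variable set:   ", deliver(NESTED, insecure)) # False
    good = path_token("medium", "public://styles/thumbnail/public/field/image/example.png")
    print("nested, valid token, variable set:", deliver(f"{NESTED}?itok={good}", insecure))  # True
```

The practical check for an operator is the third case: with the variable set, a derivative-of-derivative URL without itok is refused, which is the only behaviour change 7.21 introduces for such sites.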
Changes since 7.20:
- #1934568 by David_Rothstein, pwolanin: Allow sites using the 'image_allow_insecure_derivatives' variable to have partial protection from the security issues fixed in Drupal 7.20.