Download drupal-7.39.tar.gztar.gz 3.1 MB
MD5: 6f42a7e9c7a1c2c4c9c2f20c81b8e79a
SHA-1: 82cc4177502bc44f6bfe880311e0d81815e68f0f
SHA-256: afad72be4389e2a2dfc630fc8582277ed185d884101978890139e0d14e4ddbab
Download drupal-7.39.zipzip 3.56 MB
MD5: c6a90ddbb5a80ee652b83f8922ae5767
SHA-1: ca63a8155621d781f5caaca6a84593e5d85abfe8
SHA-256: 269528373498fe692ef2fc7ae370c424b229257b4c7950d188ff418e66c0e0af

Release info

Created by: David_Rothstein
Created on: August 19, 2015 - 21:25
Last updated: January 11, 2016 - 21:46
Core compatibility: 7.x
Release type: Security update

Release notes

Maintenance and security release of the Drupal 7 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

No changes have been made to the .htaccess, web.config, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary.

Known issues:

Due to the autocomplete changes mentioned in the section below this one, a small number of modules require fixes for their autocomplete functionality to work with Drupal 7.39. These include:

Major changes since 7.38:

  • The Ajax system now validates URLs before making an Ajax request. Existing code which uses the Drupal Ajax API in any of the standard ways should continue to work after this update. In the event you have unusual Ajax code which does not work with Drupal 7.39, you can have your code manually validate the URL in one of two ways. Either add the URL to the "urlIsAjaxTrusted" JavaScript setting (see ajax_pre_render_element() for an example) or call ajax_set_verification_header() in the Ajax callback function to mark the current URL as trusted. Only do this for URLs that you actually trust; Ajax requests in Drupal should never be made to untrusted URLs.
  • There are a few changes to Drupal's autocomplete system that can affect custom or contributed modules which use the autocomplete system in an advanced way.
    1. There is a new form API #process function on autocomplete-enabled text fields that is required for the autocomplete functionality to work; custom and contributed modules should ensure that they are not overriding this #process function accidentally when altering text fields on forms (use element_info_property() for help with that).
    2. The above #process function uses the standard form API $element['#id'] property and assumes that it will match the actual ID that is output in the HTML. The form API normally takes care of this automatically, but if your form-building code is setting an explicit ID make sure that you are doing it via the correct/supported method, i.e. by setting $element['#id'] rather than $element['#attributes'][id']. See the form API documentation for #id and #attributes for more information.
    3. Part of the security fix also includes changes to theme_textfield(); it is recommended that sites which override this theme function make those changes as well (see the theme_textfield section of this diff for details).
    4. For security reasons, the autocomplete system now makes Ajax requests to non-clean URLs only, although protection is also in place for custom code that does so using clean URLs.
  • When form API token validation fails, the form API now skips calling form element value callbacks, except for a select list of callbacks provided by Drupal core that are known to be safe. (Examples of situations where form API token validation fails include when a cross-site request forgery attempt is detected, or when a user tries to submit a form after having logged out and back in again in the meantime.) In rare cases, this could lead to data loss when a user submits a form and receives a token validation error, but the overall effect is expected to be minor.