Downloads

Download drupal-7.20.tar.gz (tar.gz, 3.02 MB)
MD5: ee576d63f1fd8a1f1c072a56978da0c5
SHA-1: 9c9dab4e3d9cda0c02496af34d4083d161c25bf0
SHA-256: 2684e1d595087af4ed991bef1176d57585052d6a99aedaf09250b095df5cdbf3
Download drupal-7.20.zip (zip, 3.44 MB)
MD5: b92096e07122612c76d0f9121167646b
SHA-1: fc8800f78b76afec301bb3bfc63acaef089755e0
SHA-256: acd17e5d460140e92b441169592ea4d84b5c69a5024abb61aae367814b921993

Release notes

Maintenance and security release of the Drupal 7 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

No other fixes are included.

No changes have been made to the .htaccess, robots.txt or settings.php files in this release, so upgrading custom versions of those files is not necessary.

Important update notes (and known issues):

If you encountered difficulties upgrading to Drupal 7.20 as described below, try upgrading to Drupal 7.21 and following the instructions there.

The security fixes in this release change all image derivative URLs generated by Drupal to append a token as a query string. ("Image derivatives" are copies of images which the Drupal Image module automatically creates based on configured image styles; for example, thumbnail, medium, large, etc.)

As an example, links that previously pointed to a URL like http://example.com/sites/default/files/styles/thumbnail/public/field/image/example.png will now point to a URL like http://example.com/sites/default/files/styles/thumbnail/public/field/image/example.png?itok=zD_VaCaD.

In addition, any code which programmatically generates a link to an image derivative without using the standard image_style_url() API function will no longer work correctly if the image does not already exist in the file system, since the necessary token will not be present in the URL.

Due to the nature of this security fix, some sites will require extra testing and care when deploying this release of Drupal core, and several contributed modules require code changes in order to continue working correctly. A summary of issues follows.

General issues

  • #1923814: Existing hardcoded images can break after updating from Drupal 7 earlier than 7.20 if image styles have been re-saved: If your site has existing, hardcoded references to image derivatives embedded in text content (for example, as may have been inserted via the Insert module), in most cases these references will continue to work after upgrading to Drupal 7.20. However, if you re-save the associated image style (for example, by going to "Administration » Configuration » Media » Image styles" on your site and re-saving the items listed there), the images will be flushed from disk and your embedded links may stop working after that because they are missing the token. This may also occur if you re-saved the image style recently (before upgrading to Drupal 7.20) and some of the images have not yet been regenerated.
    Solution: There is no robust solution for this problem yet. The best solution is to avoid re-saving image styles for the time being.

  • #1923554: New anti-DoS measure breaks for some file URIs: In Drupal 7.20 and 7.21, if any images are erroneously stored in the database with an extra slash in the URI (for example, public:///path/to/image rather than public://path/to/image), new derivatives for those images will fail to be generated after upgrading. So far, the only confirmed examples of this involve images created with the Devel generate module, which are unlikely to be an issue on production websites.
    Solution: Upgrade to Drupal 7.22 or higher.

  • #1955378: Return same derivative token with path or URI: Any code which calls image_style_url() with a relative path such as "example.png" rather than a file URI such as "public://example.png" will get back a URL with an incorrect token. (Using relative paths as input to image_style_url() is a supported, but less common, method of calling the function.)
    Solution: There is a patch for Drupal 7 in the above issue which needs testing but should fix the problem.
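An added check, not part of this release or of any module mentioned above: a standalone PHP function that scans stored text (for example a node body) for derivative references carrying no itok token, so hardcoded embeds of the kind described in #1923814 can be inventoried before an image style is re-saved. The function name and the sample body text are constructed.

```php
<?php
// Added example, not Drupal's own code: find hardcoded image derivative
// references in stored text that carry no itok token and would stop working
// once their image style is re-saved and the derivatives are flushed.

// Returns the derivative references in $text whose query string lacks itok=.
// Matches Drupal 7's derivative path shape: /styles/<style>/<scheme>/<path>.
function find_untokenized_derivatives($text) {
  $pattern = '#/styles/([^/?"\'\s>]+)/([a-z0-9]+)/([^"\'\s?#>]+)(\?[^"\'\s#>]*)?#i';
  $missing = array();
  if (preg_match_all($pattern, $text, $matches, PREG_SET_ORDER)) {
    foreach ($matches as $m) {
      $query = array();
      // Group 4 (the query string) is absent from the match array when unmatched.
      if (isset($m[4]) && $m[4] !== '') {
        parse_str(substr($m[4], 1), $query);
      }
      if (empty($query['itok'])) {
        $missing[] = array('style' => $m[1], 'scheme' => $m[2], 'path' => $m[3], 'match' => $m[0]);
      }
    }
  }
  return $missing;
}

// Constructed sample body text: one reference built with image_style_url()
// (tokenised, using the token value quoted in the release notes) and one
// pasted in by hand before the upgrade (no token).
$body = '<p><img src="http://example.com/sites/default/files/styles/thumbnail/public/field/image/example.png?itok=zD_VaCaD"></p>'
      . '<p><img src="/sites/default/files/styles/medium/public/field/image/hero.png" alt="hero"></p>';

foreach (find_untokenized_derivatives($body) as $hit) {
  echo "missing itok: style={$hit['style']} scheme={$hit['scheme']} path={$hit['path']}\n";
}
```

Only the second, hand-pasted reference is reported; run the function over each text field that may contain embedded images (body values, summaries, custom blocks).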

Issues involving Drupal contributed modules

Several contributed modules do not work correctly with Drupal 7.20, although there are candidate patches or fixes available for many of them. Examples are listed below, but we cannot guarantee this list is entirely complete or accurate:

  • Adaptive Image Styles (ais) (versions 7.x-1.4 and earlier do not display adaptive images - see issue).
    Solution: Upgrade to Adaptive Image Styles (ais) 7.x-1.5 or higher.

  • CDN (versions 7.x-2.5 and earlier do not correctly rewrite all image derivative URLs to use the CDN - see issue).
    Solution: Upgrade to CDN 7.x-2.6 or higher.

  • Dynamic Background (versions 7.x-2.0-rc2 and earlier on the 7.x-2.x branch do not display image derivatives correctly - see issue).
    Solution: Upgrade to Dynamic Background 7.x-2.0-rc3 or higher.

  • Field Slideshow (versions 7.x-1.81 and earlier produce invalid image URLs - see issue).
    Solution: Upgrade to Field Slideshow 7.x-1.82 or higher.

  • File (Field) Paths (inserts broken image derivative links into textareas when combined with the Insert module - see issue).
    Solution: Apply the patch in the linked issue. It has been committed to the development version of the module and will be in an upcoming release. Also upgrade to Insert 7.x-1.3 or higher as described below.

  • Image javascript crop (see issue).
    Solution: Apply the patch in the linked issue. It needs testing but may fix the problem.

  • Imageflow (see issue).
    Solution: No solution is available yet.

  • IMCE (a feature which allows preview images to be generated on-the-fly based on image styles does not work - see issue).
    Solution: No solution is available yet.

  • Insert (versions 7.x-1.2 and earlier insert broken image derivative links into textareas - see issue).
    Solution: Upgrade to Insert 7.x-1.3 or higher.

  • Insert image with text (inserts broken image derivative links into textareas - see issue).
    Solution: No solution is available yet.

  • Mail MIME (image derivatives are not correctly inlined in the e-mail message - see issue).
    Solution: Apply the patch in the linked issue. It needs testing but may fix the problem.

  • Manual Crop (see issue).
    Solution: Apply the patch in the linked issue. It has been committed to the development version of the module and will be in an upcoming release.

  • One Click Upload (versions 7.x-1.4 and earlier are reported not to work).
    Solution: Upgrade to One Click Upload 7.x-1.5 or higher.

  • PDF to ImageField (see issue).
    Solution: Apply the patch in the linked issue. It needs testing but may fix the problem.

  • Remote stream wrapper (see issue).
    Solution: Apply the patch in the linked issue. It needs testing but may fix the problem.

  • Responsive images and styles (some responsive images are not displayed - see issue).
    Solution: Apply the patch in the linked issue. It needs testing but should fix the problem in most scenarios.

  • Shadowbox (versions prior to 7.x-3.0-rc2 and 7.x-4.0-rc1 are reported to not work correctly - see issue).
    Solution: Upgrading to Shadowbox 7.x-3.0-rc2 or 7.x-4.0-rc1 is believed to solve the problem. However, this needs further testing and confirmation (at the issue linked to above).

Issues involving hosting environments (HTTP caches, CDNs, etc.)

In rare cases, the addition of the token to image style URLs may alter the way HTTP caches or CDNs handle the images. Sites using HTTP caches or CDNs should examine their configuration and test this release carefully before deploying it to a production site.

As mentioned in the previous section, versions 7.x-2.5 and earlier of the Drupal CDN module do not work correctly either. The fix is to upgrade to CDN 7.x-2.6 or higher.

Overall mitigation steps

Sites which require the ability to generate new image derivatives without a token can set the 'image_allow_insecure_derivatives' variable to TRUE, for example in settings.php:

$conf['image_allow_insecure_derivatives'] = TRUE;

This will cause Drupal to bypass the token check when generating image derivatives and will therefore work around most (if not all) of the issues mentioned above.

However, it will also completely remove the security fix introduced in this release and will therefore increase the site's vulnerability to denial-of-service attacks. If you must use this variable as a temporary measure, upgrade to Drupal 7.21 or higher instead, since that release provides some security protection (although still incomplete protection) for sites which use it.
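As an added example (not Drupal's own code), the token mechanism from the update notes above and the image_allow_insecure_derivatives bypass described in this section, modelled in one standalone PHP script: the HMAC construction is assumed to mirror Drupal 7.20's image_style_path_token(), the key material is constructed, and the function names are local stand-ins for drupal_hmac_base64(), image_style_url() and the check performed in image_style_deliver().

```php
<?php
// Added example, not Drupal's own code: a standalone model of the Drupal 7.20
// image derivative token. The HMAC construction is assumed to follow Drupal's
// image_style_path_token(); the key material below is constructed.

// Constructed stand-ins for drupal_get_private_key() and drupal_get_hash_salt().
const PRIVATE_KEY = 'constructed-private-key';
const HASH_SALT   = 'constructed-hash-salt';

// URL-safe base64 of an HMAC-SHA256 without padding, as drupal_hmac_base64() does.
function hmac_base64($data, $key) {
  $hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE));
  return strtr($hmac, array('+' => '-', '/' => '_', '=' => ''));
}

// The itok value: the first eight characters of the HMAC over "<style>:<uri>".
function derivative_token($style_name, $uri) {
  return substr(hmac_base64($style_name . ':' . $uri, PRIVATE_KEY . HASH_SALT), 0, 8);
}

// What image_style_url() emits for a file URI: the derivative path plus ?itok=.
function derivative_url($style_name, $uri) {
  list($scheme, $target) = explode('://', $uri, 2);
  $base = 'http://example.com/sites/default/files/styles';
  return "$base/$style_name/$scheme/$target?itok=" . derivative_token($style_name, $uri);
}

// The check applied before a derivative that is not yet on disk is generated;
// $allow_insecure models $conf['image_allow_insecure_derivatives'].
function derivative_request_allowed($style_name, $scheme, $target, array $query, $allow_insecure = FALSE) {
  if ($allow_insecure) {
    return TRUE;  // Bypass: any style/path pair can trigger generation (the DoS exposure).
  }
  $expected = derivative_token($style_name, $scheme . '://' . $target);
  return isset($query['itok']) && $query['itok'] === $expected;
}

// The cases the release notes describe, on a constructed file URI.
$target = 'field/image/example.png';
$url = derivative_url('thumbnail', 'public://' . $target);
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
echo "API-built URL: $url\n";
// A URL from the API carries a valid token; a hardcoded one without ?itok= is refused
// once its derivative has to be regenerated, unless the bypass reopens the DoS vector.
echo 'tokenised: ' . var_export(derivative_request_allowed('thumbnail', 'public', $target, $query), TRUE) . "\n";
echo 'hardcoded: ' . var_export(derivative_request_allowed('thumbnail', 'public', $target, array()), TRUE) . "\n";
echo 'bypass:    ' . var_export(derivative_request_allowed('thumbnail', 'public', $target, array(), TRUE), TRUE) . "\n";
// Issue #1955378: a relative path and the matching file URI yield different tokens.
echo 'path == URI token: ' . var_export(derivative_token('thumbnail', 'example.png') === derivative_token('thumbnail', 'public://example.png'), TRUE) . "\n";
```

The last line shows why #1955378 matters: the server reconstructs "scheme://target" from the request path, so a token computed from a relative path never matches it.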

Created by: David_Rothstein
Created on: 20 Feb 2013 at 20:52 UTC
Last updated: 28 Mar 2018 at 19:19 UTC
Security update
Insecure
