Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Downloads
Download drupal-7.91.tar.gztar.gz
3.21 MB
MD5: edca63fdcd0f2f138016773f2df637ed
SHA-1: 6317f77f7130b511da25f746f6e44d37b7c2ba67
SHA-256: ba2b8360b204120363f6c1448915320280ca5c8f8a2d62250f7371c36177207f
Download drupal-7.91.zipzip
3.73 MB
MD5: 4d02815ff3662c815aff8c5c765fe249
SHA-1: 36512a6115095fbf0af39c8821cd09bb7c476715
SHA-256: f94e91a9bf0572209678adc1ba7b75a6766bb9169416975e5b172e113f5f4f02
Release notes
Maintenance and security release of the Drupal 7 series.
This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:
No other changes are included.
Important update information
-
Following this release, Drupal will assume by default that custom stream wrappers (like Remote Stream Wrapper among many others) should be private by default so that Drupal will manage downloads and access control. If a module intentionally wishes to serve files with no access checking or management by Drupal, the module should implement
hook_file_download().Since various contributed stream wrapper modules might not be able to update immediately for this security release, site owners may also specify which stream wrappers should be treated as public stream wrappers (with no access control). If content from a stream wrapper on your site stops working after this update, you can add the following line to
settings.php:$conf['file_additional_public_schemes'] = array('example');…where
exampleis replaced by the name of the affected stream wrapper. (For example,s3orhttps.) The name of the stream wrapper will depend on the affected module and its configuration.You should also locate or submit an issue in the module's queue to implement
hook_file_download()for this security advisory. -
If the private files directory is inside the public files directory (e.g.
drupal/sites/files/private), a site file field misconfiguration or other issue might lead to the site relying on the previous access bypass. If parts of your file or image content become inaccessible after this release, add the following line to your site'ssettings.php:$conf['sa_core_2022_012_override'] = TRUE;This setting is a temporary backward-compatibility layer for misconfigured sites and will be removed in a future release. In the long term, you should migrate your uploaded files to the correct public or private directories.
What’s next?
- Learn how to install Drupal
- Learn how to update Drupal
- Extend Drupal to do more
- Get training
- Check out what others built
Security update
Insecure
