drupal 7.29

Maintenance and security release of the Drupal 7 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

• SA-CORE-2014-003 - Drupal core - Multiple vulnerabilities

No other fixes are included.

No changes have been made to the .htaccess, web.config, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary.

Known issues:

• This release introduced a serious regression, the biggest effect of which is to cause files or images attached to taxonomy terms to be deleted when the taxonomy term is edited and resaved (see issue).
  Solution: Upgrade to Drupal 7.30 or higher.

  More details:

  1. The bug is mostly absent for files attached to other Drupal core entities (such as nodes and users), although it can occur for those also when certain contributed modules are being used to modify the file upload process (so far the IMCE for FileField module, the Link Image Field module, and the 7.x-2.x branch of Imagefield Crop are known to suffer from this issue, as is the Media module in the case where the user who is uploading the file does not have permission to view private files on the site).
  2. The bug also may exist for files or images attached to certain entities provided by custom or contributed modules (for example, file entities provided by the File Entity module), but not all.
  3. Code outside the entity system which uses the File module's "managed_file" form element may experience similar issues as above, at least under certain circumstances.

  Upgrading to Drupal 7.30 or higher should fix most or all of the above problems.

• This release resulted in a regression in the Webform Private File Gateway module which under certain circumstances causes users to be redirected to a webform while trying to upload a file.
  Solution: A fix is being worked on at #2308359: Usage of hook_file_download causes issues with 7.29.

Major changes since 7.28:

1. As of this release Drupal core no longer only invokes hook_file_download() when a file is actually being downloaded, but also invokes it when checking whether a file can be downloaded. Various contributed modules (including the Entity API module) already invoked the hook in this manner previously. Module authors who implement this hook should be aware that it can be invoked in this generic way and not write any code in their hook implementations which assumes that the current page request is in the process of serving an actual file to the web browser. See #2308347: Document that hook_file_download() can be invoked during content edit file uploading for more details.
2. As of this release, the Drupal form API will automatically sanitize option group labels in select elements. Developers who have implemented forms containing select elements with option groups and who have sanitized the option group labels on their own might therefore find that the labels are double-escaped after this release. The solution is to remove the secondary sanitizing and to rely on the sanitizing provided by Drupal core (similar to other form labels, such as those on individual select element options, which were already sanitized by Drupal core previously).