drupal 7.39

Maintenance and security release of the Drupal 7 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

• Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-003

No other fixes are included.

No changes have been made to the .htaccess, web.config, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary.

Known issues:

Due to the autocomplete changes mentioned in the section below this one, a small number of modules require fixes for their autocomplete functionality to work with Drupal 7.39. These include:

• Entity Reference Autocomplete versions 7.x-1.9 and earlier (fixed in the 7.x-1.10 release)
• Entityqueue versions 7.x-1.0 and earlier (fixed in the 7.x-1.1 release)
• Get Locations versions 7.x-1.16 and earlier (fixed in the 7.x-1.17 release)

Major changes since 7.38:

• The Ajax system now validates URLs before making an Ajax request. Existing code which uses the Drupal Ajax API in any of the standard ways should continue to work after this update. In the event you have unusual Ajax code which does not work with Drupal 7.39, you can have your code manually validate the URL in one of two ways. Either add the URL to the "urlIsAjaxTrusted" JavaScript setting (see ajax_pre_render_element() for an example) or call ajax_set_verification_header() in the Ajax callback function to mark the current URL as trusted. Only do this for URLs that you actually trust; Ajax requests in Drupal should never be made to untrusted URLs.
• There are a few changes to Drupal's autocomplete system that can affect custom or contributed modules which use the autocomplete system in an advanced way.
  1. There is a new form API #process function on autocomplete-enabled text fields that is required for the autocomplete functionality to work; custom and contributed modules should ensure that they are not overriding this #process function accidentally when altering text fields on forms (use element_info_property() for help with that).
  2. The above #process function uses the standard form API $element['#id'] property and assumes that it will match the actual ID that is output in the HTML. The form API normally takes care of this automatically, but if your form-building code is setting an explicit ID make sure that you are doing it via the correct/supported method, i.e. by setting $element['#id'] rather than $element['#attributes'][id']. See the form API documentation for #id and #attributes for more information.
  3. Part of the security fix also includes changes to theme_textfield(); it is recommended that sites which override this theme function make those changes as well (see the theme_textfield section of this diff for details).
  4. For security reasons, the autocomplete system now makes Ajax requests to non-clean URLs only, although protection is also in place for custom code that does so using clean URLs.
• When form API token validation fails, the form API now skips calling form element value callbacks, except for a select list of callbacks provided by Drupal core that are known to be safe. (Examples of situations where form API token validation fails include when a cross-site request forgery attempt is detected, or when a user tries to submit a form after having logged out and back in again in the meantime.) In rare cases, this could lead to data loss when a user submits a form and receives a token validation error, but the overall effect is expected to be minor.