[meta] Priorities for 2024-12-04 release of Drupal 7

Open on Drupal.org →

Created on 7 June 2024, 7 months ago

Assorted todo lists carried over from 📌 [meta] Priorities for 2024-06-05 release of Drupal 7 Active .

These are not necessarily in priority order.

Top priorities

🌱 [META] Make Drupal 7 core compatible with PHP 8.3 Active
- 📌 [D7 PHP 8.3] TextSummaryTestCase::testLength() fails on some libxml versions Active
- 🐛 [D7 PHP 8.3] Fix SessionHttpsTestCase->testEmptySessionId() failure Needs review

Simple fixes

Important fixes

📌 [D7] User edit form does not use flood control and allow for password brute force attacks Needs review
📌 Add backtrace to all errors RTBC
🐛 Error on PHP8 during execution Database::closeConnection() Needs review
🐛 [D7] PostgreSQL queries that fail in a transaction break the entire transaction Needs review
🐛 The 'access' property of hook_user_cancel_methods_alter() methods is never used Needs work
#2539478: [D7] Allow image fields to use any extensions the current image toolkit supports (instead of hard-coding jpg, png and gif only) → Remove hardcoded image files extensions.
#2749007: Autocomplete broken for servers enforcing clean URLs → Security Regression
🐛 Older PHP versions set SameSite attribute on insecure session cookie Needs work
🐛 [D7] Login fails and no warning is issued if cookies are not enabled Needs review This is a D7 backport of 🐛 Login fails and no warning is issued if cookies are not enabled Fixed , an 18 year old issue that was marked as major and committed to drupal 9.3.x in June 2021.
🐛 [D7] file_unmanaged_move() should issue rename() where possible instead of copy() & unlink() RTBC Important fix. Mcdruid urging commit. @joseph.olstad: "D8 has this already. It is a good idea."
🐛 drupal_goto short circuits and doesn't set things to cache Needs review
🐛 Using entity_get_info in a hook_hook_info results in an incomplete module_implements cache. Needs review
🐛 Do not make entries in "cache_form" when viewing forms that use #ajax['callback'] (Drupal 7 port) Needs work
🐛 [D7] preg_split in _filter_url breaks for long html tags Needs work
#1209226: Avoid slow query for path alias whitelists →
#1978176: Build menu_tree without loading so many objects → @joseph.olstad: "... the performance improvement is huge! .. After several years I see no credible reports of an issue with this patch"
📌 [D7] Convert drupalSettings from JavaScript to JSON, to allow for CSP in the future RTBC FabianX said it looks good, has updated tests
🐛 [D7] Support X-Forwarded-* HTTP headers alternates RTBC Important backport for reverse proxies and load balance.
🐛 [D7] Add wrappers to fix permission checks Postponed Required for POSIX filesystem. Fixed in D8? @orlitzky: "I'm just going to keep updating the patch for drupal-7.x for the rest of my life." "I'll keep posting patches until I don't have to any more."
✨ Path alias filter by system path Needs work (D10 patch, still Needs review) includes 6 year old patch for D7 in comment #1 that has been RTBC and without the patch "it's very hard to find alias which contains few slashes in path."
#3210388: Potential dataloss when opting in to "Avoid field storage write when field content did not change" and changing the bundle type of an existing entity →
🐛 [D7] node_access filters out accessible nodes when node is left joined Postponed Issue identified as major. D8/9 fix pending.

Unsorted fixes

#2026817: node_access() should static cache by vid and not nid. →
🐛 pg_attribute.attrelid error Needs review
#3304385: [D7] node/add page misses content types when menu links are moved or disabled →
#2456193: Menu links - not possible to create numeric paths →
🐛 Set fixed "from:" and add "Reply-to:" to comply with DMARC RTBC
#2962374: [D7] Path alias validation should test for relative path, no trailing slash requirements →
🐛 [D7] Automatically shorten cid's in DrupalDatabaseCache RTBC
🐛 Reverting to revisions prior to addition of field translations is broken RTBC Issue is 9 years old, marked as critical and has patch that is RTBC and passes automated tests. Are tests sufficient?
#1328696: Problem with _drupal_wrap_mail_line and attachment files → Attachment of docx file or files with long names results in email that is not correct. Fixed in D8, backport for D7 has patch.
🐛 Support boolean attributes in drupal_attributes() RTBC
#3035571: [D7] ImageStyle::transformDimensions unable to deal with all effects. →
#1565892: node_type_delete() doesn't check the value returned from node_type_get_type() →
#965078: HTTP request checking is unreliable and should be removed in favor of watchdog() calls → Needs work and needs CR
#139015: breadcrumbs wrong on dblog event detail pages → Issue seems in good shape, needs a bit of work as of Aug-4
#1951408: Core Update manager doesn't correctly handle "status" UPDATE_NOT_CHECKED → Includes D7 core patch in comment #16 that passes tests and is RTBC. Required for update_advanced module that is used by 2,700 sites. Does not appear to be relevant to D8/D9.
#498752: Partial word search for Drupal 7 → Includes working patch from 5 yrs ago. Was closed as won't fix feature request. Now that a similar feature is proposed for D9 core ✨ Partial Search in Drupal Core Needs work maybe it's worth considering.

📌 Task

Status

Active

Version

7.0 ⚰️

Component

Last updated about 19 hours ago

Created by

🇸🇰Slovakia poker10

Live updates comments and jobs are added and updated live.

Sign in to follow issues

Comments & Activities

Issue created by @poker10
Comment 3 months ago →
🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
Comment about 2 months ago →
🇦🇹Austria torotil
These past days I have been working on implementing CSP headers for a few legacy sites. While 📌 [D7] Convert drupalSettings from JavaScript to JSON, to allow for CSP in the future RTBC is a good idea, it solves only one minor problem for adopting CSP and I think there is a much more direct / feasible route which also enables more of contrib to work:

Authenticate scripts using nonces as implemented in the d7csp module. This already solves the problem with inline scripts including the Drupal settings.

Apply the patch from ✨ Forward CSP nonces when inserting JS from AJAX requests Active to also forward the nonce to AJAX loaded JS

Use seckit’s config or a hooks as provided by d7csp to declare the rest of the resources needed.

Catch any stray inline styles or JavaScript that’s embedded bypassing drupal_add_js().

Overall I think using nonces are the easiest way to introduce CSP to Drupal 7 sites. It works without changing Drupal settings. Apart from the minor change to misc/ajax.js anything else can be handled in contrib.
Status changed to Fixed 25 days ago3:42pm 4 December 2024
Comment 25 days ago →
🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
https://www.drupal.org/project/drupal/releases/7.103 → was released today.

That's it for the scheduled releases of D7.

Unfortunately we didn't manage to tick off every item on the todo list, but hopefully we're leaving D7 in pretty good shape.

Thank you to everyone that's contributed to D7 over ~14 years and more than a hundred releases.
Comment 25 days ago →
🇬🇧United Kingdom mustanggb Coventry, United Kingdom
Still no CSP, that's a shame.

Seems like Klaus is heading up a nice community driven D7 LTS initiative over at D7Security, looks like only module support for now, but I'm presuming the plan is to include any core security fixes if/when they're found.
Comment 11 days ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024