diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index a24c66bdee1..dcef8ea97fc 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,3 +1,8 @@
+Drupal 7.80, 2021-04-20
+-----------------------
+- Fixed security issues:
+ - SA-CORE-2021-002
+
 Drupal 7.79, 2021-04-07
 -----------------------
 - Initial support for PHP 8
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 0955260211c..72c92911d2d 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
 /**
 * The current system version.
 */
-define('VERSION', '7.79');
+define('VERSION', '7.80');
 /**
 * Core API compatibility.
diff --git a/includes/common.inc b/includes/common.inc
index 88dc7a8bcd4..a19a5eaacc6 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -1618,7 +1618,13 @@ function _filter_xss_attributes($attr) {
 // Attribute name, href for instance.
 if (preg_match('/^([-a-zA-Z]+)/', $attr, $match)) {
 $attrname = strtolower($match[1]);
- $skip = ($attrname == 'style' || substr($attrname, 0, 2) == 'on');
+ $skip = (
+ $attrname == 'style' ||
+ substr($attrname, 0, 2) == 'on' ||
+ substr($attrname, 0, 1) == '-' ||
+ // Ignore long attributes to avoid unnecessary processing overhead.
+ strlen($attrname) > 96
+ );
 $working = $mode = 1;
 $attr = preg_replace('/^[-a-zA-Z]+/', '', $attr);
 }
diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php
index 713662df69f..3e88c383430 100644
--- a/sites/default/default.settings.php
+++ b/sites/default/default.settings.php
@@ -323,7 +323,7 @@
 *
 * To see what PHP settings are possible, including whether they can be set at
 * runtime (by using ini_set()), read the PHP documentation:
- * http://www.php.net/manual/en/ini.list.php
+ * http://www.php.net/manual/ini.list.php
 * See drupal_environment_initialize() in includes/bootstrap.inc for required
 * runtime settings and the .htaccess file for non-runtime settings. Settings
 * defined there should not be duplicated here so as to avoid conflict issues.
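Review bot: The added `substr($attrname, 0, 1) == '-'` test in `_filter_xss_attributes()` has no comment, while the neighbouring length check explains itself, so a later reader cannot tell that a dash-prefixed attribute name is rejected deliberately and may fold the condition back into the old one-line form. The CHANGELOG hunk of this commit ties the release to SA-CORE-2021-002, so record that next to the condition: `// Skip attribute names that begin with a dash (SA-CORE-2021-002).` The three comparisons use `==`; since `$attrname` is a non-empty string produced by the preceding `preg_match`, `===` would behave the same and make the intent explicit. The enclosing function begins before and ends after this hunk, so how `$skip` is consumed is not visible here.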
@@ -359,7 +359,7 @@
 * output filter may not have sufficient memory to process it. If you
 * experience this issue, you may wish to uncomment the following two lines
 * and increase the limits of these variables. For more information, see
- * http://php.net/manual/en/pcre.configuration.php.
+ * http://php.net/manual/pcre.configuration.php.
 */
 # ini_set('pcre.backtrack_limit', 200000);
 # ini_set('pcre.recursion_limit', 200000);
@@ -634,15 +634,6 @@
 */
 # $conf['allow_authorize_operations'] = FALSE;
-/**
- * Smart start:
- *
- * If you would prefer to be redirected to the installation system when a
- * valid settings.php file is present but no tables are installed, remove
- * the leading hash sign below.
- */
-# $conf['pressflow_smart_start'] = TRUE;
-
 /**
 * Theme debugging:
 *
@@ -711,6 +702,15 @@
 */
 # $conf['variable_initialize_wait_for_lock'] = FALSE;
+/**
+ * Opt in to field_sql_storage_field_storage_write() optimization.
+ *
+ * To reduce unnecessary writes field_sql_storage_field_storage_write() can skip
+ * fields where values have apparently not changed. To opt in to this
+ * optimization, set this variable to TRUE.
+ */
+$conf['field_sql_storage_skip_writing_unchanged_fields'] = TRUE;
+
 /**
 * Use site name as display-name in outgoing mail.
 *
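Review bot: The docblock added in the `@@ -711` hunk calls `field_sql_storage_skip_writing_unchanged_fields` an opt-in ("To opt in to this optimization, set this variable to TRUE"), but the assignment that follows is active, whereas the neighbouring settings in this file (`# $conf['variable_initialize_wait_for_lock']`, `# $conf['allow_authorize_operations']`) ship commented out. Either the default is intentional, in which case the comment should state that the optimization is enabled by default and how to turn it off, or the line should read `# $conf['field_sql_storage_skip_writing_unchanged_fields'] = TRUE;`. The active `$conf['mail_display_name_site_name'] = TRUE;` context line in the following hunk suggests this fork does ship some settings enabled, so this may be deliberate and is worth confirming.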
@@ -725,3 +725,23 @@
 * @see drupal_mail()
 */
 $conf['mail_display_name_site_name'] = TRUE;
+
+/**
+ * SameSite cookie attribute.
+ *
+ * This variable can be used to set a value for the SameSite cookie attribute.
+ *
+ * Versions of PHP before 7.3 have no native support for the SameSite attribute
+ * so it is emulated.
+ *
+ * The session.cookie-samesite setting in PHP 7.3 and later will be overridden
+ * by this variable for Drupal session cookies, and any other cookies managed
+ * with drupal_setcookie().
+ *
+ * Setting this variable to FALSE disables the SameSite attribute on cookies.
+ *
+ * @see drupal_setcookie()
+ * @see drupal_session_start()
+ * @see https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-samesite
+ */
+#$conf['samesite_cookie_value'] = 'None';
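Review bot: The only example given for `samesite_cookie_value` is `'None'`, yet the docblock does not say that browsers accept `SameSite=None` only on cookies that also carry the `Secure` attribute, so an administrator who uncomments this line on a site served over plain HTTP can end up with the session cookie being dropped by the browser. Add a sentence to the docblock such as `A value of 'None' is only honoured by browsers when the cookie is also marked Secure, so it requires the site to be served over HTTPS.` and consider showing `'Lax'` as the example value instead. Whether drupal_setcookie() adds the Secure flag itself is not visible in this hunk.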