This is a security release of the Drupal 7 series.
This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:
No other fixes are included.
Note that Drupal 7.97 was released as a hotfix shortly after this release.
Important update information
Changes to site-owner-managed files
Following this release, Drupal will block access to private files at certain specially crafted paths. Previous versions of Drupal allowed access to these paths, and in most cases blocking access is the correct behavior.
There may be some sites that rely on allowing access to these paths, or the changes in this release may cause other problems with file access. These sites can add the following line to settings.php:
$conf['file_sa_core_2023_005_schemes'] = array('private');
This will preserve the old behavior for files saved in the private files directory, using the private stream wrapper from Drupal core. Sites that need to preserve the old behavior for files using other stream wrappers, from contributed or custom modules, should list those stream wrappers instead of 'private'. The comments in default.settings.php have additional information.
Using this setting will bypass the access checks added in this release, which may allow public access to files that are meant to be private. This setting is a temporary backward-compatibility layer for misconfigured sites. It will be removed in a future release since it is insecure.
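One way to find sites that have opted in to this bypass, as an added example that is not part of the release notes or of Drupal's own code: the Python script below scans each sites/*/settings.php under a docroot for an uncommented assignment of the setting and reports the stream wrappers it lists. The function names, the sample file contents and the 'examplewrapper' scheme are constructed for illustration, and the comment stripping is a regex approximation rather than a PHP parser.

```python
import re
from pathlib import Path

SETTING = "file_sa_core_2023_005_schemes"
# $conf['<SETTING>'] = array(...);  or the short form  = [...];
ASSIGN_RE = re.compile(
    r"\$conf\[\s*['\"]" + SETTING + r"['\"]\s*\]\s*=\s*(?:array\s*\(|\[)(.*?)[)\]]\s*;",
    re.S,
)
STRING_RE = re.compile(r"['\"]([^'\"]+)['\"]")

def strip_php_comments(src):
    """Drop /* */ blocks and whole-line # or // comments (regex approximation)."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)^[ \t]*(?://|#).*$", "", src)

def bypassed_schemes(settings_text):
    """Return the stream wrappers listed in an active (uncommented) assignment."""
    schemes = []
    for match in ASSIGN_RE.finditer(strip_php_comments(settings_text)):
        schemes = STRING_RE.findall(match.group(1))  # a later assignment overwrites
    return schemes

def audit(docroot):
    """Map each sites/*/settings.php under docroot to the schemes it lists."""
    findings = {}
    for path in sorted(Path(docroot).glob("sites/*/settings.php")):
        schemes = bypassed_schemes(path.read_text(encoding="utf-8", errors="replace"))
        if schemes:
            findings[str(path)] = schemes
    return findings

# Constructed sample: two commented-out copies and one active assignment.
SAMPLE = """<?php
/**
 * $conf['file_sa_core_2023_005_schemes'] = array('private');
 */
# $conf['file_sa_core_2023_005_schemes'] = array('private');
$conf['site_name'] = 'Example';
$conf['file_sa_core_2023_005_schemes'] = array('private', 'examplewrapper'); // temporary
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, schemes in audit(sys.argv[1]).items():
            print(f"{path}: access checks bypassed for {', '.join(schemes)}")
    else:
        print(bypassed_schemes(SAMPLE))
```

Run it with the Drupal docroot as the only argument; a site that appears in the output still has the backward-compatibility setting active and should be reviewed before the setting is removed from core.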