Drupal Upgrading Upgrading Core and Modules

CU.NET Meetup

Omar gave a presentation on security during our .NET Meetup this week. He demonstrated several attack vectors including SQL injection. He showed how easy it is to extract database information (schema and table names) and then use the UNION clause to dump table information. The presentation was at Accuraty Solutions and its owner (Jeremy Farrance) described in rather unpleasant terms, the severity of Drupal's SQL injection vulnerability announced on October 29, 2014. This "Highly Critical" security alert recommended immediate upgrade to version 7.32. This was followed on November 19, 2014 with a "Moderately Critical" security alert concerning Drupal session hijacking recommended upgrading to version 7.34. So this weekend I am upgrading my four Drupal websites to the current recommended release of 7.34.

Note1: The website you are currently in is not a Drupal website, it was created entirely in code and does not use any CMS.
Note2: See the article .NET Security for more info about attack vectors demonstrated during the .NET meetup.

Drupal Upgrade Procedure

  1. Download a the desired version of the Drupal core files from drupal.org and extract the compressed files.
  2. Make a full backup of the website and associated database. Verify backup!
  3. Be nice to your users and put the website in maintenance mode.
  4. Manually replace the old core files with the new version of the core files.
  5. Run the "update.php" script to update the Drupal database.
  6. Clear cache, run Cron, and run a status report. Fix any issues from Status Report.
  7. Clean up install files.
  8. Upgrade any individual modules that have new releases.
  9. Add any new modules.
  10. Run Status report again.
  11. Take your site out of maintenance mode.

First, go to drupal.org and download the desired version of the core Drupal files. Read the release notes before deciding on a particular version. I am using the latest recommended release version of 7.34. Extract the compressed core files.

Before making any modification to the website, you should make a full back up of your web site including the associated MySQL database. I used FileZilla as the FTP client to make a local copy of my four Drupal websites, starting at my account root directory. On each site I use the "Backup and Migrate" module to create nightly backups of Drupal's MySQL database and store the backups within a private directory inside the "sites" directory. So my full backup also included the last three backups of each Drupal MySQL database. Verify the backup before continuing!

If you wish your users to receive a nice message that your site is undergoing maintenance, instead of error messages indicating the required system files could not be found, then put the site into Maintenance Mode. To do this, go to Configuration, then inside Development choose "Maintenance mode". Check the "Put site in maintenance mode" option and save configuration.

Maintenance Mode

The next step is to remove all the directories except "sites", from within the web site root. Typically the "sites" folder contains any customizations you have made to the website. If you have made modifications outside of this folder, they will need to be restored from your backup. This is one of the reasons it is important to verify your backup before starting any modifications to the site.

Copy all the files from the new version of the Drupal core you downloaded, except for the "Sites" folder, to your website root directory.

After the files are copied, add "/update.php" onto the end of your site URL to run the Drupal database update. Select "Continue" and then "Apply pending updates". If no error messages appear, then update was successful. It is possible to have errors which require a manual update of the database. Note: If you don't have a login control on your Maintenance Mode screen, you can put "/?q=user" on the end of your site URL to get a login screen.

Database Update

Next clear caches by going to "Configuration" and under "Development" choose "performance" and then click on "Clear all caches". Then run Cron for any other maintenance tasks you have set up. Finally, go to Reports and run a Status report. See Additional Notes below if your Status report contains security messages concerning ".htaccess" files.

If you wish, you can remove the following install files from your new site:

  1. CHANGELOG.txt
  2. INSTALL.mysql.txt
  3. INSTALL.pgsql.txt
  4. install.php
  5. INSTALL.sqlite.txt
  6. INSTALL.txt
  7. LICENSE.txt
  9. UPGRADE.txt

You are done with the core upgrade. Verify your site still looks and works correctly.

Now would be a good time to upgrade individual modules. While the Drupal core is a manual upgrade process, module upgrades are typically the automated process of: download updates, install updates, run database update, clear cache, run cron, run Status Report, verify website. So I also updated the "Chaos tool suite", "DB Maintenance", "View" and "Meta Tags Quick" modules.

Also a good time to add any new modules. I added the Goggle Analytics module to track traffic to the website. To verify this install, check the page source code for your Google UA- tracking number. If your tracking number does not appear in the web page source, try turning off the "Universal web tracking opt-out" option in the "Privacy" configuration menu.

Update Problems Encountered

  1. Didn't run database upgrade after upgrading your modules.

    If you don't run your database upgrade after upgrading your modules, you could get system messages about a missing "images_dimensions" table and not be able to get your site to run:

    Additional uncaught exception thrown while handling exception.
    Original PDOException: SQLSTATE[42S02]: Base table or view not found: 1146 Table '1218369_c42c.dpl_image_dimensions' doesn't exist: SELECT * FROM {image_dimensions} id WHERE id.fid IN (:fids_0); Array ( [:fids_0] => 585 ) in file_entity_file_load() (line 225 of /srv/disk9/1218369/www/kcshadow.net/mobile/sites/all/modules/media/file_entity/file_entity.module).
    To fix this, create the table in the MySQL database as:

    CREATE TABLE `image_dimensions` (
      `fid` int(10) unsigned NOT NULL AUTO_INCREMENT COMMENT 'File ID.',
      `height` int(10) unsigned NOT NULL DEFAULT '0' COMMENT 'The height of the image in pixels.',
      `width` int(10) unsigned NOT NULL DEFAULT '0' COMMENT 'The width of the image in pixels.',
      PRIMARY KEY (`fid`)
    ) ENGINE=MyISAM  DEFAULT CHARSET=utf8 COMMENT='Cache images dimensions.';

    Then once you can get back into your site, run the database updates.

  2. I had custom CSS in the Skeleton theme (inside sites folder), which was lost when I upgraded the Skeleton theme module. Had to restore these files to Mobile, Windows Developer and ASP.NET Developer sites:

    • /home/www/kcshadow.net/mobile/sites/all/themes/skeletontheme/css/layout.css
    • /home/www/kcshadow.net/mobile/sites/all/themes/skeletontheme/css/style.css
    • /home/www/kcshadow.net/mobile/sites/all/themes/skeletontheme/color/colors.css
  3. Mobile Site had a customer "ClientBin" folder outside of "site" folder which contained .xap files and had to be restored.

Additional Notes:

Always check your "Status Reports" for security recommendations. In particular look for messages concerning the ".htaccess" file for various directories. As of this writing, the current recommended contents of the ".htaccess" file for temporary or private directories should be the following. Be sure to remove update permissions to the ".htaccess file" when finished!


 Deny from all  
 # Turn off all options we don't need.  
 Options None  
 Options +FollowSymLinks  
 # Set the catch-all handler to prevent scripts from being executed.  
 SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006  
  # Override the handler again if we're run later in the evaluation list.  
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003     
 # If we know how to do it safely, disable the PHP engine entirely.  
  php_flag engine off