Releases: visuaFUSION/drupal-7
7.2026.02
Drupal 7 LTSR Release Notes
Current Version: 7.2026.02
Release Date: January 2026
License: GPL-2.0-or-later
Overview
Drupal 7 LTSR (Long Term Support Release) is a community-maintained fork of Drupal 7, providing extended security support beyond the official end-of-life date of January 5, 2025.
What's New
PHP 8.x Support
| Requirement | Value |
|---|---|
| Minimum PHP Version | 8.0.0 |
| Supported Versions | PHP 8.0, 8.1, 8.2, 8.3 |
Security Hardening
Gadget Chain Mitigation (SA-CORE-2025-003)
Added defensive __wakeup() methods to prevent PHP Object Injection attacks:
| Class | Location |
|---|---|
| Archive_Tar | modules/system/system.tar.inc |
| Query | includes/database/query.inc |
| DatabaseTransaction | includes/database/database.inc |
| DrupalCacheArray | includes/bootstrap.inc |
Security Analysis
| Advisory | Status |
|---|---|
| SA-CORE-2025-001 (XSS) | Not affected |
| SA-CORE-2025-002 (Access Bypass) | D7 core not affected |
| SA-CORE-2025-003 (Gadget Chain) | Mitigated |
HTTP Client Modernization
cURL Support for HTTP Requests
drupal_http_request() now uses PHP's cURL extension when available:
- Significantly more reliable on Windows/IIS environments
- Better SSL/TLS handling than raw PHP sockets
- Auto-detects loopback connections and handles SSL verification appropriately
- Legacy socket-based implementation retained as fallback
Configuration Options
// Disable cURL (use legacy sockets)
$conf['drupal_http_request_use_curl'] = FALSE;
// Force skip SSL verification (not recommended for production)
$conf['drupal_http_request_skip_ssl_verify'] = TRUE;Self-Hosted Update System
- Update checks now use the LTSR release server
- No more "unsupported" warnings from drupal.org
- Announcements feed redirected to LTSR channel
New Constants
| Constant | Value |
|---|---|
DRUPAL_FORK_NAME |
'Drupal 7 LTSR' |
DRUPAL_FORK_UPDATE_URL |
'https://raw.githubusercontent.com/visuafusion/releases/refs/heads/main' |
DRUPAL_FORK_PROJECT_URL |
'https://github.com/visuafusion/drupal-7' |
DRUPAL_FORK_SUPPRESS_EOL_WARNINGS |
TRUE |
Overlay Loading Indicator
New Visual Loading Feedback
- Modern 5-dot wave animation with Drupal blue pulse effect
- Site logo displayed above the loading dots
- Appears immediately when overlay opens
- Shows during form submissions for visual feedback
- Modern card design with rounded corners and subtle shadow
Favicon Fallback
Consistent Branding in Admin
- When admin theme doesn't have a favicon configured, falls back to the default theme's favicon
- Eliminates browser default favicon (globe) in admin overlay
- Provides consistent branding experience across front-end and admin
Announcements Feed Improvements
LTSR Feed Format Support
- Announcements module now supports GitHub-hosted feeds
- Compatible with both drupal.org (
_drupalorg) and LTSR (_drupal) feed formats - Version matching updated to support LTSR versioning (7.YYYY.MM)
- Graceful handling of missing URL fields in feed items
Files Changed
Core
| File | Description |
|---|---|
includes/bootstrap.inc |
Version, constants, DrupalCacheArray security |
includes/common.inc |
cURL HTTP implementation |
includes/theme.inc |
Favicon fallback logic |
includes/database/database.inc |
DatabaseTransaction security |
includes/database/query.inc |
Query class security |
Overlay Module
| File | Description |
|---|---|
modules/overlay/overlay-parent.js |
Loading indicator theme function |
modules/overlay/overlay-parent.css |
Loading indicator styles |
modules/overlay/overlay-child.js |
Form submission loading trigger |
modules/overlay/overlay.module |
Logo URL passed to JavaScript |
Update Module
| File | Description |
|---|---|
modules/update/update.compare.inc |
LTSR update server support |
modules/update/update.fetch.inc |
LTSR update fetching |
modules/update/update.module |
EOL warning suppression |
Announcements Feed Module
| File | Description |
|---|---|
modules/announcements_feed/announcements_feed.inc |
LTSR feed support |
System Module
| File | Description |
|---|---|
modules/system/system.tar.inc |
Archive_Tar security |
Upgrading
From Drupal 7.103 (or earlier)
- Back up your database and files
- Replace core files with LTSR 7.2026.02
- Run
update.php - Clear caches
Configuration
The update server URL can be overridden in settings.php:
$conf['update_fetch_url'] = 'https://your-server.com/release-history';Supported Contrib Modules
20 contrib modules are maintained under LTSR with version 7.x-2026.01:
| Module | Module | Module | Module |
|---|---|---|---|
| Views | CTools | Token | Entity API |
| Date | Webform | Panels | Display Suite |
| Libraries | LDAP | Calendar | Auto Nodetitle |
| Content Access | Analytics | Smart Trim | Timefield |
| Video | Wysiwyg | Webserver Auth | Permissions per Webform |
Version History
7.2026.02 (January 2026)
- HTTP client modernization (cURL support)
- Overlay loading indicator with site logo
- Favicon fallback for admin theme
- Announcements feed LTSR format support
7.2026.01 (January 2026)
- Initial LTSR release
- PHP 8.x support (8.0-8.3)
- Security hardening (SA-CORE-2025-003)
- Self-hosted update system
- EOL warning suppression
Resources
| Resource | URL |
|---|---|
| Repository | https://github.com/visuafusion/drupal-7 |
| Modules | https://github.com/visuaFUSION/drupal-7-modules |
| Release History | https://github.com/visuafusion/releases |
Credits
All the credit goes to the amazing folks who created, contributed, and maintained Drupal 7 for all those years. Drupal 7 LTSR is maintained by visuaFUSION for organizations requiring extended Drupal 7 support.
7.103
Directly from https://www.drupal.org/project/drupal/releases/7.103. visuaFUSION has not, at the point of this release, contributed to Drupal 7 in any way. This was the last official release of Drupal 7 before it's official end-of-life on 2025.01.05. This project will serve as a means of security and PHP support updates, as well as modern browser support for Drupal 7 core going forward.
Maintenance release of the Drupal 7 series. Includes bug fixes and small API/feature improvements only (no major, non-backwards-compatible new functionality).
No security fixes are included in this release.
Changes have been made to default.settings.php. More details in the Change Records for major changes below.
No changes have been made to .htaccess, web.config or robots.txt files in this release, so upgrading custom versions of those files is not necessary.
This is the first Drupal 7 release to pass tests in PHP 8.3. However there may still be problems not revealed by Drupal core's test suite, especially on sites with contrib (and custom) modules. Please test, and report any problems in the appropriate issue queue.
As always, many thanks to everyone that contributed to this - and every - release of Drupal 7.
Major changes in 7.103:
#3319062: [D7] PhpMail : broken mail headers in PHP 8.0+ because of LF characters
#3478716: [D7] Full path disclosure from errors on maintenance pages
#3444017: [D7] HTTP_HOST header cannot be trusted
#3383223: URL aliases can be used to override trusted urls
All changes:
#3319062 by arx-e, poker10, rclemings, down2under, mcdruid, aitala, longwave, edvanleeuwen, jbiechele, davidwhthomas, danrod, stevewilson, Chase.: [D7] PhpMail : broken mail headers in PHP 8.0+ because of LF characters
#3478716 by ram4nd, mcdruid, poker10: [D7] Full path disclosure from errors on maintenance pages
#3444017 by poker10, avpaderno, akalata, mcdruid: [D7] HTTP_HOST header cannot be trusted
#3438308 by avpaderno, ceonizm, poker10, aaron.ferris, robcarr: dirname(): Passing null to parameter #1 ($path) of type string is deprecated in drupal_get_path()
#3383223 by poker10, dokumori, dsnopek, catch, berdir, effulgentsia, mlhess, samuel.mortenson, poiu, moshe weitzman: URL aliases can be used to override trusted urls
#1447236 by C. Lee, avpaderno, mfb, poker10: DefaultMailSystem implements MailSystemInterface::format() incorrectly
#3182166 by stefanos.petrakis@gmail.com, poker10, almador, adinan cenci, czunigaco, rhip, benjifisher, neclimdul, cilefen: [D7] preg_split in _filter_url breaks for long html tags
#3397882 by poker10, andypost, joseph.olstad: [D7 PHP 8.3] TextSummaryTestCase::testLength() fails on some libxml versions
#3446569 by poker10, joseph.olstad: [D7 PHP 8.3] Fix SessionHttpsTestCase->testEmptySessionId() failure
#3464097 by avpaderno, poker10: CacheClearCase::testClearArray() sets a persistent variable that has no effect
#3467905 by avpaderno: drupal_var_export() initializes a variable that is never used
#3467781 by avpaderno: drupal_var_export() passes a third argument to itself, when it uses just two parameters
#3463022 by avpaderno: Correct a comment in drupal_settings_initialize()
#2453785 by adammalone: Password hashing tests do not cover all options
#2401743 by EPashkin: Wrong link to test results in settings form