graphql 8.x-4.6 | Drupal.org

This is a non-production site

- Drupal Core Drupal CMS puts the power of Drupal into the hands of marketers, designers and content creators
- Drupal CMS Drupal CMS puts the power of Drupal into the hands of marketers, designers and content creators
- Drupal AI Open limitless possibilities with Drupal AI
- Case Studies Powerful stories that show Drupal solutions in the real world
- Drupal for Government Drupal is the open-source CMS that enables digital transformation of government and increases citizen engagement
- Drupal for Higher Education See why 70% of the world's leading universities chose Drupal
- Drupal for Nonprofit See why Drupal is the open-source CMS choice for some of the world’s most influential nonprofits
- Drupal for eCommerce Natively integrate content and commerce
- Drupal for FinTech Secure and trustworthy FinTech infrastructure
- Drupal for Healthcare Drupal powers systems that are secure, patient-centric and engaging
- Drupal for Media & Publishing Create engaging multi-channel experiences to connect with your audiences - everywhere
- Download Drupal Download Drupal and the extensions you need
- Documentation Full knowledgebase including Drupal 7 resources
- Getting Started Guide to installing Drupal on a server
- Local Development Guide Guide to installing Drupal locally with Docker and DDEV
- Developer Resources Step-by-step guide for learning Drupal
- Drupal User Guide Learn to build with Drupal
- API Complete documentation of Drupal Core APIs
- Modules Extend your project's functionality
- Themes Change your project's look and feel
- Distributions Jumpstart your project with a pre-configured install
- Issues Queue Report issues and contribute improvements
- Security Advisories Stay on top of the latest security alerts and updates
- Find a Drupal Certified Partner Connect with the best Drupal agencies around the world
- Become an Drupal Certified Partner Join an elite network of agencies committed to Drupal excellence and innovation
- Find a Hosting Provider Find a hosting provider for your Drupal project
- Find a Migration Partner Get help with your migration to the latest version of Drupal
- Find Training Upskill your Drupal team
- Drupal Steward Ensure your website is protected with Drupal Steward
- About the Community Come for the code, stay for the community
- How to Contribute Get involved in growing and evolving Drupal
- DrupalCon DrupalCon unites experts from around the globe who create ambitious digital experiences. Network, learn, and be inspired
- Events Discover local events, meet-ups, and training
- Jobs / Careers Find opportunities to work in Drupal
- News & Blogs News and stories about Drupal
- Forum Got a question about Drupal? Find answers on the Drupal forums
- Slack Get support and communicate with the global Drupal community
- Newsletters Sign up for Drupal news and manage your subscriptions
- Drupal Swag Shop Get your Drupal branded merch!
- The Drupal Association Learn how we support Drupal's growth and innovation - and how you can help
- Become a Member Become a Ripplemaker and support the Drupal Association
- Become a Drupal Certified Partner Join an elite network of agencies committed to Drupal excellence and innovation
- Donate Make a donation to the nonprofit that supports Drupal
- Log in
- Create account
- Try Drupal CMS
- Try hosting

Posted by klausi on November 8, 2023 at 1:42pm

Security release of GraphQL fixing a CSRF vulnerability and an access bypass in entity label handling, see:

We recommend the following additional security measures:

GraphqL clients should always send the HTTP Content-Type header "application/json" on POST requests (except for file uploads) and the additional custom HTTP header "Apollo-Require-Preflight: true", which forces browser to make a non-simple POST request to prevent CSRF.

The CSRF vulnerability can also be mitigated by setting the SameSite attribute on session cookies to Lax (recommended) or Strict. This might not be suitable for sites that need to share the Drupal session cookie in some way with other sites. Set the following in your site's services.yml file:
parameters: session.storage.options: # Session cookies are only used for backend admin accounts, so we restrict # the cookies to be used only from the backend origin. We don't use "Strict" # because that also removes cookies whenever an admin navigates from an # email or chat app, which is inconvenient. See # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value cookie_samesite: Lax

Other changes since 8.x-4.5:

fix(Condition): Fix array_pad() call with NULL values
feat(dataproducers): Add entity query dataproducers
feat(fileupload): Add image dimension validation

VCS Label

8.x-4.6

Core compatibility

Release type

Security update

Packaged Git sha1

0666a1f9b2f688cd85f28f92abf01bfcb6a3ead7

Release files

e9142e65b549fa734d563f5214aa691c

Release file SHA-1 hash

10f16d0f37e2ed02ff75fb29e1b23043b413158f

Release file SHA-256 hash

52b1f7d9d217911d88c88dc05cb567d941455bfeec1379588076aaeb6eb797cc

d6b531553eab7dad870b99d6c2ae18b0

Release file SHA-1 hash

629eb1d405ea35460e6f94bd46a20316adf4fbe9

Release file SHA-256 hash

ed492f6d9923bcf6cdd39808d5b65422f85b93853ea416ca330b421e5d3f2c0c