Planet Drupal

Drupal.org - aggregated feeds in category Planet Drupal

tanay.co.in: SA-CORE-2014-005 - All you need to know to protect your Drupal Site from the latest SQL Injection vulnerability

Thu, 16/10/2014 - 13:18

Last night, Drupal released a security update to its core, v7.32.

The release addresses the SQL injection vulnerability described at https://www.drupal.org/SA-CORE-2014-005

How serious is it?

There are many proof-of-concept scripts available all over the internet now. I have tried a couple of those Python scripts, and literally anyone who can execute a Python script can now log in to your Drupal 7 site as admin, or execute any SQL on your Drupal database!

[I am not linking them here for obvious reasons; if you came here searching for those scripts, you are in the wrong place.]

So, is my site vulnerable?

Most of the Drupal-specialised web hosts like Acquia, Pantheon and Platform.sh have apparently patched their platforms, protecting your Drupal site even if your individual site has not been patched yet. So most of you are safe. You should be worried if you are hosting on one of those generic hosts to whom Drupal is just yet another script, or if you are running the site on your own stack.

How do I fix my Site?

Don’t worry. Fortunately it is very simple, and it would not take more than 2 minutes to fix your site (if you do it via #3 below).

If words like “git”, “patch” or “upgrade” scare you and you like the words “FTP” and “Filezilla” more, skip directly to #3 below.

  • OPTION #1: The first option is to update your site to the latest version of Drupal - 7.32.

  • OPTION #2: But yeah, there is considerable effort involved in upgrading your Drupal site. Every upgrade usually requires significant regression testing, and this could take a while.

    So, as an alternative, there is a very small patch out there for you. Apply it and you are all set.
    Patch : https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch

    How do I apply this patch?
    Like any other patch -

  • OPTION #3: [THE SIMPLEST OF ALL] Alternatively, if you do not want to deal with patches or upgrades, or if you are looking for a quick fix, here you go:

    • FTP to, or open your Drupal Root Directory

    • Navigate to the includes/database/ folder

    • There will be a file named database.inc. Take a backup of the file, since we are going to modify it. Store the backup somewhere safe just in case.

    • Open the file database.inc.

    • At around line 739, you will find a line of code that reads
      foreach ($data as $i => $value) {
      Replace this line with
      foreach (array_values($data) as $i => $value) {

    • Save the file and exit

    • Pat yourself on the back. You are all set now :-)
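To see why that one-line change closes the hole, here is an added illustration (not Drupal's own code and not part of the original post). It reproduces, in reduced form, the shape of the placeholder-expansion loop in includes/database/database.inc, once as it behaved before 7.32 and once with array_values() applied, and adds a small read-only check that reports whether a site's database.inc already contains the patched line. The function names expandArgumentsSimplified() and databaseIncIsPatched(), the sample query and the sample arguments are all constructed for this example.

```php
<?php
// Added illustration, not code from Drupal core or from the original post.
// expandArgumentsSimplified() is a reduced reconstruction of the placeholder
// expansion loop in includes/database/database.inc; it keeps only the part
// that the SA-CORE-2014-005 patch touches.

function expandArgumentsSimplified($query, array $args, $patched) {
    // Drupal expands an array argument such as ':name' => array('a', 'b')
    // into ':name_0, :name_1' so that "WHERE name IN (:name)" works.
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = array();
        // Before 7.32 the array keys were used as-is to build the new
        // placeholder names. The patch iterates over array_values($data)
        // instead, so the suffix is always 0, 1, 2, ... whatever the keys were.
        $items = $patched ? array_values($data) : $data;
        foreach ($items as $i => $value) {
            $new_keys[$key . '_' . $i] = $value;
        }
        // The new placeholder names are spliced into the SQL text itself,
        // which is why the suffix must never carry caller-controlled text.
        $query = preg_replace('#' . preg_quote($key, '#') . '\b#',
                              implode(', ', array_keys($new_keys)), $query);
        unset($args[$key]);
        $args += $new_keys;
    }
    return array($query, $args);
}

// Defensive check for a deployed site: does includes/database/database.inc
// contain the patched loop? $drupal_root is whatever path you pass in.
function databaseIncIsPatched($drupal_root) {
    $file = rtrim($drupal_root, '/') . '/includes/database/database.inc';
    if (!is_readable($file)) {
        return NULL; // Not a Drupal 7 root, or not readable: cannot tell.
    }
    $source = file_get_contents($file);
    return strpos($source, 'foreach (array_values($data) as $i => $value)') !== FALSE;
}

$sql = "SELECT uid FROM {users} WHERE name IN (:name)";
// Constructed inputs: a plain list, and an array whose key is not a number.
// Only the key matters for this demonstration; the value is an ordinary name.
$list_args  = array(':name' => array('alice', 'bob'));
$keyed_args = array(':name' => array('foo' => 'alice'));

foreach (array('pre-7.32' => FALSE, 'patched' => TRUE) as $label => $patched) {
    list($q_list)  = expandArgumentsSimplified($sql, $list_args, $patched);
    list($q_keyed) = expandArgumentsSimplified($sql, $keyed_args, $patched);
    echo "$label, list input:  $q_list\n";
    echo "$label, keyed input: $q_keyed\n";
}

// Pass your own site root here; the result is TRUE, FALSE or NULL (unreadable).
var_dump(databaseIncIsPatched(getenv('DRUPAL_ROOT') ?: '/var/www/drupal'));
```

Run it with the php command-line binary. The keyed input is where the two branches differ: the pre-7.32 loop copies the array key verbatim into the placeholder name that ends up inside the SQL string, while the patched loop only ever produces numeric suffixes, so the list input expands identically in both. databaseIncIsPatched() is a plain text search, useful for confirming on a server that the edit from option #3 (or the patch) actually landed; it tells you nothing about other files, so upgrading to 7.32 remains the complete fix.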



I have no enemies. Should I still fix my site?

Absolutely yes. With the many Google dorks that could be used to find Drupal sites, you could be the subject of a random attack, i.e. some noob with the script picking your site at random to log in as admin and deface it or play around with it, or to steal your user base for spamming!

Who found this issue? Who reported it? When was it first reported? ... Check out the FAQ on Drupal.org for answers: https://www.drupal.org/node/2357241

Categories: Elsewhere

Visitors Voice: What is a good autocomplete?

Thu, 16/10/2014 - 12:45
Too often clients add autocomplete as a requirement without much thought, and as a result it actually makes the user experience worse. Instead of helping the users it confuses them. The first rule when designing autocomplete is: the suggestions must be relevant for many! Otherwise don’t make any suggestions at all, since it’s just […]
Categories: Elsewhere

Open Source Training: Drupal 7.32 is an Absolutely Necessary Update

Thu, 16/10/2014 - 11:03

We're accustomed to the Drupal security team releasing security fixes.

Fortunately, most of the fixes were relatively minor. They either impacted a small group of sites, or they were unlikely to lead to your site being hacked.

Let's take a brief look at the 4 previous Drupal security advisories in 2014:

Categories: Elsewhere

PreviousNext: Constructive Conflict Resolution in the Drupal Community

Thu, 16/10/2014 - 06:06

How can the Drupal community recognise and handle conflict more constructively? This core conversation session from DrupalCon Amsterdam aimed to start a discussion about creating an army of empowered bystanders ready, willing and able to use conflict as a positive force in the community.

Categories: Elsewhere

Midwestern Mac, LLC: Fixing Drupal Fast - Using Ansible to deploy a security update on many sites

Thu, 16/10/2014 - 06:01

Earlier today, the Drupal Security Team announced SA-CORE-2014-005 - Drupal core - SQL injection, a 'Highly Critical' bug in Drupal 7 core that could result in SQL injection, leading to a whole host of other problems.

While not a regular occurrence, this kind of vulnerability is disclosed from time to time—if not in Drupal core, in some popular contributed module, or in some package you have running on your Internet-connected servers. What's the best way to update your entire infrastructure (all your sites and servers) against a vulnerability like this, and fast? High profile sites could be quickly targeted by criminals, and need to be able to deploy a fix ASAP... and though lower-profile sites may not be immediately targeted, you can bet there will eventually be a malicious bot scanning for vulnerable sites, so these sites need to still apply the fix in a timely manner.

Categories: Elsewhere

Drupalize.Me: Tips for Applying Today's Drupal Core Security Update (SA-CORE-2014-005)

Wed, 15/10/2014 - 23:13

Today a highly critical security update (SA-CORE-2014-005) was released for Drupal 7. Any Drupal site running Drupal 7.31 or lower needs to update to 7.32 or apply the patch immediately. Here are some tips to get your Drupal 7 site updated today!

Categories: Elsewhere

Mediacurrent: 10 Reasons Why Marketers Are Moving to Drupal

Wed, 15/10/2014 - 22:11

Marketers around the world face the same pressures of trying to leverage marketing automation, content marketing, social media engagement, SEO, and more to drive prospective buyers to engage with their brands.

Categories: Elsewhere

CMS Quick Start: Drupal 7 Login Methods and Module Roundup: Part 2

Wed, 15/10/2014 - 21:35

Last time we explored some different options that determined how the login form was displayed on your site. Today we're going to expand on that and look at different ways of wrangling or changing the actual login experience for your users. The default settings aren't exactly very refined and so it can take some configuration to get a better user experience out of the whole process.

Categories: Elsewhere

CTI Digital: See the team behind Drupal 8 (all 2,300 of them!)

Wed, 15/10/2014 - 18:28

On October 1st 2014, Dries announced at DrupalCon Amsterdam that Drupal 8 had reached Beta 1, a significant milestone in the journey to Drupal 8.

He also revealed that 2,300 individuals have contributed to the Drupal 8 project. Pretty impressive - but hard to imagine, right? One of our Drupal developers here at CTI decided to create a visualisation to express the flurry of activity before, during and after DrupalCon, which has culminated in this significant achievement. The video Adam created helps communicate the true scale of the project. Enjoy…

Categories: Elsewhere

LightSky: Are you Giving Back?

Wed, 15/10/2014 - 17:56

LightSky has been using Drupal for quite some time, but because of a lot of factors haven’t contributed as much during that time as we probably should.  Mike and I implemented a philosophical change about a year ago to make a concerted effort to give back.  It has been small steps for us though, we are a small organization and in a growing phase, so our resources to give back have been limited.  Starting with attending some Drupal camps, to building modules, contributing to core, and growing from there, we have made a pretty big effort on our end to help support the Drupal community and we think you should too.

Agencies like us aren’t the only ones to give back though, companies of all different backgrounds across the globe use Drupal, and give back to the community.  Some, more directly than others, but even passively, giving back to the community is what keeps Drupal sustainable, and makes the platform so desirable.

How Can a Widget Factory Give Back to Drupal?

This is an interesting question, but it isn’t as complicated as one might think.  Look at all of our clients for example, they all give back to Drupal and many of them have no web experience, and can’t write or interpret even the most basic of code.  They give back through us.  They choose to partner with a company that gives back to the Drupal community, and that is a big deal.  There is great value in their support of the community for their company and their bottom line.  Open source projects are often some of the most cost effective choices in the software world, and Drupal is really no different. 

Experience Not Needed

Contributing doesn’t have to be through a third party though.  Content on Drupal.org can be updated by anyone with a user account.  Making documentation changes to a module that your organization is using, or building better documentation is a great way to give back, and anyone can do it.  But the way that I recommend companies give back is speaking at a Drupal camp.  Do a case study, it doesn’t have to be technical, show people how Drupal has helped your company.

Drupal allows our clients to have an enterprise level product that is community based and completely flexible, and often Drupal provides them a solution that no other software could really match.  But what created this excellent product is the community, and without people giving back regularly, this product would never exist.  So if you aren’t giving back, think about how you can, and if your Drupal firm isn’t giving back, make sure that they know you think they should.

For more tips like these, follow us on social media or subscribe for free to our RSS feed and newsletter. You can also contact us directly or request a consultation.
Categories: Elsewhere

Drupal Watchdog: The Angry Themer

Wed, 15/10/2014 - 17:00
Column

Welcome back to the ANGRY THEMER!

Faithful readers of this column who have followed my outbursts over the past few years might ask, “How can I prevent myself from turning into a grumpy old themer with high blood pressure like you?”

Fortunately, the Drupal project has grown to include new tools to help battle-hardened Vikings such as I cope with Drupal’s terrible markup and keep my rage more or less under control.

And you, dear themer, no longer have to dive into code or understand the inner workings of Drupal, while also battling Responsive, Web 2.0, Internet Explorer versions 6,7, 8, 9..., Safari, Chrome, Firefox, or Opera – not to mention the gazillion tablets and smartphones. (Ah, but that’s another story, best saved for another day.)

These are my favorite weapons – uh, I mean tools, tools of the trade – that I utilize when I need to slice through the Drupal Markup sludge.

Themes

Drupal contrib has a ton of “Starter Themes”; so you don't have to trudge through all the basics every time you design a site.

Of course my favorite theme is the Mothership (Full Disclosure: written by your very own Angry Themer), which isn’t so much a theme as a complete cleanup of Drupal’s approach to markup.

Mothership – Keelhaul the DIV!

The Mothership theme is not something you use to make your site pretty; this isn’t Wordpress. It’s designed to make your source code look and act awesome by knifing through the sea of divs, classes, and about 20% of old markup fixes that come packed with Drupal, and deep-sixing it – leaving sparkling-clean HTML5 in its wake.

The Mothership theme comes equipped to clean up nearly every dusty corner and musty abscess of Drupal that needs cleaning up:

  • settings for removing class names
  • corrects the markup to HTML5 standards
  • modifies CSS & Javascript files

It also comes with commonly used basic CSS and JS libraries to help with responsive HTML5 sites, and now it even fixes the IE 9 CSS caching/respond.js issue.

As a bonus, you get to swagger and swear like a Caribbean pirate – and the ship’s captain strongly resembles Johnny Depp!

For those less-aggressive themers out there (and you know who you are), maybe Zen or Aurora – which have a more relaxed attitude towards markup – are more your speed.

Categories: Elsewhere

Drupal.org frontpage posts for the Drupal planet: Drupal 7.32 released

Wed, 15/10/2014 - 14:47

Drupal 7.32, a maintenance release which contains fixes for security vulnerabilities, is now available for download. See the Drupal 7.32 release notes for further information.

Download Drupal 7.32

Upgrading your existing Drupal 7 is strongly recommended. There are no new features or non-security-related bug fixes in this release. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 7 and 6 include the built-in Update Status module (renamed to Update Manager in Drupal 7), which informs you about important updates to your modules and themes.

Bug reports

Both Drupal 7.x and 6.x are being maintained, so given enough bug fixes (not just bug reports) more maintenance releases will be made available, according to our monthly release cycle.

Changelog

Drupal 7.32 is a security release only. For more details, see the 7.32 release notes. A complete list of all bug fixes in the stable 7.x branch can be found in the git commit log.

Security vulnerabilities

Drupal 7.32 was released in response to the discovery of critical security vulnerabilities. Details can be found in the official security advisory, SA-CORE-2014-005 (https://www.drupal.org/SA-CORE-2014-005).

To fix the security problem, please upgrade to Drupal 7.32.

Known issues

None.

Front page news: Planet Drupal
Drupal version: Drupal 7.x
Categories: Elsewhere

Code Karate: Drupal 7 jQuery Countdown

Wed, 15/10/2014 - 14:36
Episode Number: 173

In episode 173 you learn how to make a simple countdown timer using the jQuery Countdown module. This module, which uses jQuery, allows you to specify an end date that the countdown timer will count down to. The countdown timer is available as a block and can be placed in any region of your website that you desire. Also, at the time of this recording there was a minor bug that didn't allow countdown dates to extend beyond 100 days (the third digit wouldn't display).

Tags: Drupal, Blocks, Drupal 7, Drupal Planet, Javascript, jQuery
Categories: Elsewhere

KnackForge: Drupal user picture deleted automatically

Wed, 15/10/2014 - 09:33
Sometimes you could be in a fury when a user picture gets deleted automatically, with nothing being noticed as strange. Even this thread (935592) might not help you. Then you have come to the right place. Of course, the culprit could be your call to user_save() somewhere. The actual issue might be that you are passing the global user object instead of the full account object. The first parameter of user_save() should be a full account object, while the global $user does not have all the data of the account object. In this case $account->picture is an object while $user->picture is just an integer, the fid (file id) of the image file. So while trying to save, your picture association with the user account gets broken. The reason can be understood by looking at the user_save() source code. The method checks for empty($account->picture->fid). When using $user, this condition becomes false (we only have $account->picture, not $account->picture->fid) and the user picture is removed. So make sure you call it like this:

    global $user;
    // Load the full account object; user_load() is the Drupal 7 API for this
    // (the original snippet read account_load(), which does not exist).
    $account = user_load($user->uid);
    /* Some operations with the $account object */
    user_save($account, $edit); /* NOT user_save($user, $edit) */
Categories: Elsewhere

Metal Toad: The Challenge to Innovation

Wed, 15/10/2014 - 01:06
Categories: Elsewhere

Web Wash: Add Keyword Highlighting using Search API in Drupal 7

Wed, 15/10/2014 - 00:44

Search API has been my go-to module for building search pages for the last two years. Even if the client doesn't ask for anything fancy, I still download and install Search API, use Database Search for the index and Views for the page.

If you start with Search API from the beginning, then it's easier to customise later on. The core Search module, on the other hand, is easy to setup but hard to modify.

Recently, I had to create a search page that highlighted the keywords in the results. If you search using a particular keyword, then the word is highlighted.

Categories: Elsewhere

Commerce Guys: DrupalCon Amsterdam Wrap Up

Tue, 14/10/2014 - 20:22
Wow!!! As I think about the week spent in Amsterdam, I am in awe of the entire experience. This beautiful place has a very long and eventful history dating back to the 12th century, and was the perfect setting for DrupalCon Amsterdam 2014. As I think back upon the week, so many words come to mind that reflect emotions I felt while there: festivity, jubilance, liveliness, pride and treasure.

Having only been with Commerce Guys for a short 3 months, I wasn’t sure what to expect. I’ve been in the world of technology for over 13 years, and I’ve been around the block more than once with emerging technologies within the world of digital commerce. This experience for me personally will be one that I will forever treasure.

I said on many occasions that I felt like a fish out of water just trying to get some air. I consider myself fairly smart – I realized in Amsterdam with these magnificent people that any hopes of me getting an invite to be part of Mensa International most likely will never happen. Their kindness and willingness to welcome me to the world of Drupal was more than I could ever ask for.

Henry Ford once said, “Coming together is a beginning; keeping together is progress; working together is success.” The amazing group of people whom I refer to as the “Drupal People” (all 2,370 of them in attendance) embody this quote by Henry Ford. These are some of the most amazing, generous and intellectually aware people I have ever had the experience to associate with.

There was something rare and unique about this group of “Drupal People”. I believe that rareness is their desire to work together for one common goal…it’s what sets them apart from so many others. That goal is to serve the customer, and to provide the best of the best when it comes to a solution that is cost effective, manageable and scalable. From small startup business to full-blown enterprise organization, we have a solution that will work.

Whether you are a current Drupal customer or are looking to make a change over to Drupal, I am here to tell you that the “Drupal People” truly are working together in a spirit of togetherness that will make Drupal the platform of the future (if they haven’t already).

I mentioned in the first paragraph some adjectives such as festivity, jubilance, liveliness, treasure and pride. There are two that stand out above all the rest: pride and treasure. I can’t be more proud of the company I have the privilege of working for and the people I have the opportunity to work with. Each and every team member of Commerce Guys brings to work a sense of pride that can’t be explained; only witnessed. Many sleepless hours are spent building the best of the best and ensuring that our customers know only one name: and that name is Drupal, a rare treasure.

I am excited about the next DrupalCons in Bogota, Los Angeles and Barcelona in 2015. As always, Commerce Guys will be there loud and proud supporting Drupal Commerce, Platform.sh, our partners, and the great people who are advocating the vision and future of Drupal.

Cheers to the beautiful city of Amsterdam, the fine people of Amsterdam, and each and every one of you who make what we do possible.

Thanks again for welcoming me to the Drupal Community in Amsterdam, I will be back!!!
Categories: Elsewhere

Aten Design Group: Drupal Migrate for Development Content

Tue, 14/10/2014 - 19:43

Drupal and many of the people who work with it are moving toward a configuration in code model of site development. One of the advantages of a config in code approach is that the code you add, share, and modify works for all the members of your team and across environments. Instead of everyone syncing databases (or passing around notes on how to update their environment because something changed), everything stays up-to-date with the latest code in your version control system. This essentially provides a known, common state for everyone to work against.

Configuration only gets you part of the picture, though. Modules like Features and configuration initiatives for Drupal 8 separate configuration from content. Configuration is sharable settings; content is the information that site stores/uses. This separation makes sense in organizing your code or site, but leaves a big gap in your ability to build and test a project. If I'm working on a project locally, I can't share a link to the article node I'm having trouble with because it’s a combination of configuration and content that exists only on my local machine.

You need standardized content to test against and to provide a common ground to review variations with your team. But what do you do when you're starting on a project and you don't have content from a client yet? You still need to develop code that uses content and you still need to style the site.

Luckily, we can use a common approach for bringing in content from another source, the Migrate module, to help create content we can share and test against. Additionally, the content can be updated, version controlled, and contributed back as the project rolls forward. And – this is very important for development content – when we're finished with dev content we can remove it with Migrate's rollback functionality. Content created with some modules like Devel Generate and even manually created development content aren’t easily removed when you're finished. At Aten, we commonly had many nodes with "DELETE" in the title to make it "easy" for us to find and remove it later, which is less than ideal.

How does this all work? This is our internal workflow:

  • Create a resources folder in your project. Typically we now have a "root" level that has resources, a public_html folder (which has the Drupal files), and other project files.
  • Inside of the resources, we create a content directory and add content files like YAML files, CSVs, etc. (more on that in a minute)
  • We have started to use gulp and we have a task that will convert the YAML files to JSON.
  • We create a custom module in the project for migrate and add migrate classes for each of the content files we need to import. Typically this will be something like "project_content". For dev specific content, we name the migrations with "Dev" on the end. When we have production content (which is awesome to have early in a project), we leave that suffix off the class name since that content isn't something we need to rollback later.
  • We've created a script that is shared in the project that enables/disables modules, enables and reverts features, runs the migrations, updates various other things related to the project setup. If I add a new migration, I update that script's configuration to include it for others working on the project. I hope to share more about this script soon.
Creating Test Content

Now we need to create the content. Typically this requires some insight provided by our Drupal architecture document, but I have also created a couple of tools to help out with this process which help me stay in code:

The typeinfo commands allow you to inspect content types/entities on the site. For example, if you are going to create content for an Article content type, you would run:

drush typeinfo article

That will output the content type's fields, field types, and some other information. Often this provides a good overview of what pieces you will need to create in your content file. If you have a taxonomy or entity reference field in that content type, you can also get more information about that via another typeinfo command:

drush typeinfo-field field_article_type

This will return a few specifics that may show you the taxonomy that field uses. And now we can use the taxonomyinfo command to list terms in that vocabulary:

drush taxonomyinfo-term-list article_type

We can also extend this functionality to automatically stub some of the content (à la devel-generate) by creating another drush command. This command lets us get the YAML with some data populated for us:

drush stub-content article --include-id --include-title --count=5 > resources/content/article.yaml

An example of this command is here: https://gist.github.com/robballou/a7aa247aa7bdfb3a1b2c

The stub content functionality makes some really rudimentary content and you can expand that with content from your favorite ipsum replacement or other sources.

We can migrate from a variety of sources: from CSV files, JSON files, or even other databases. CSV files are a popular choice because you can collaborate on a spreadsheet (especially via Google sheets) and export that data. JSON is another nice solution because the data can match the destination closely. In some of our projects we have even used YAML and converted that to JSON since the readability of YAML is slightly better than JSON — which means we can have people write content who don't know the ins-and-outs of JSON!

Some systems may have access to a PHP YAML library, and it could be used to create a Migrate YAML source class. This would eliminate the need to convert files but may rely on that YAML library being available on local, staging, and production servers. We've used the node.js/gulp approach because it can be shared between environments and projects that may not have this PHP support built in.

Migrating and Removing Test Content

This article won't get into the details of creating your Migrate code, but the next step in the process is creating and testing the code to get this content into Drupal. When this is done, commit this to your version control system to share with others working on the project or with other systems.

As an example, we'll say we created a migration called ArticlesDev which has a handful of articles in it. The content uses a variety of the fields in the content so we can make sure all the functionality works and includes several nodes so we can test lists of various sizes. We can import the content into any system with:

drush migrate-import ArticlesDev

If the article content type changes down the line, you can update the content files and re-run the migration, updating the existing content (or adding new content):

drush migrate-import --update ArticlesDev

Development-specific content may never get imported on shared systems, but if you do want to use that content for client acceptance testing or for any other case, you can easily remove this content with:

drush migrate-rollback ArticlesDev

Content in Code
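The article deliberately leaves out the Migrate code itself, so here is an added, minimal example of what a development-content migration of the kind described above can look like in Drupal 7 with the Migrate 2.x module. This is illustrative code written for this page, not Aten's own project_content module. It assumes a custom module named project_content, a JSON file at resources/content/article.json produced from the YAML by the gulp task, an article_type term reference field, and a stable id field on every record; the class name ArticlesDevMigration and the sample record shape are constructed.

```php
<?php
// project_content.migrate.inc (hypothetical module file, added example; not
// from the original article). List it under files[] in project_content.info
// so Drupal's class registry can find ArticlesDevMigration, and add
// dependencies[] = migrate. Once enabled, the migration is visible to
// `drush migrate-import ArticlesDev`, `--update` and `drush migrate-rollback`.

/**
 * Implements hook_migrate_api().
 */
function project_content_migrate_api() {
  return array(
    'api' => 2,
    'migrations' => array(
      // Machine name "ArticlesDev": the Dev suffix flags content that is
      // expected to be rolled back later. A production import of real client
      // content would use a class without the suffix.
      'ArticlesDev' => array('class_name' => 'ArticlesDevMigration'),
    ),
  );
}

/**
 * Imports development articles from a JSON file converted from YAML.
 */
class ArticlesDevMigration extends Migration {

  public function __construct($arguments) {
    parent::__construct($arguments);
    $this->description = t('Development article content (safe to roll back).');

    // Source: a JSON array of objects, generated from
    // resources/content/article.yaml. One constructed record looks like:
    // {"id": 1, "title": "Stub article 1", "body": "...", "article_type": "News"}
    // The path assumes the layout from the article: resources/ sits beside
    // public_html/, which is DRUPAL_ROOT.
    $json = DRUPAL_ROOT . '/../resources/content/article.json';
    $fields = array(
      'id' => t('Stable id used by the Migrate map, so --update can find the node again'),
      'title' => t('Node title'),
      'body' => t('Body text'),
      'article_type' => t('Name of an existing term in the article_type vocabulary'),
    );
    $this->source = new MigrateSourceJSON($json, 'id', $fields);

    // Destination: nodes of the article content type.
    $this->destination = new MigrateDestinationNode('article');

    // Map: records which source id became which nid. This is what lets a
    // re-run update existing nodes instead of duplicating them, and what lets
    // migrate-rollback delete exactly the nodes this migration created.
    $this->map = new MigrateSQLMap(
      $this->machineName,
      array('id' => array('type' => 'int', 'unsigned' => TRUE, 'not null' => TRUE)),
      MigrateDestinationNode::getKeySchema()
    );

    // Field mappings: destination field on the left, source field on the right.
    $this->addFieldMapping('title', 'title');
    $this->addFieldMapping('body', 'body');
    $this->addFieldMapping('body:format')->defaultValue('filtered_html');
    // Term reference fields match on term name by default, so the value must
    // be one of the names listed by `drush taxonomyinfo-term-list article_type`.
    $this->addFieldMapping('field_article_type', 'article_type');
    // Development content is owned by uid 1 and published so it shows up in
    // the listings the team wants to test.
    $this->addFieldMapping('uid')->defaultValue(1);
    $this->addFieldMapping('status')->defaultValue(NODE_PUBLISHED);
  }
}
```

Because the map table keys on the source id rather than on the title, editing a record in the YAML and re-running with --update changes the existing node in place, and a rollback removes only nodes that passed through this migration, which is the property the article relies on when it argues for Migrate over Devel Generate or hand-made "DELETE" nodes.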

If you're working in a team or if you need a client to review functionality, development content can be very handy. Building on this workflow, you can get a set of content in place early in the process, update it as things change, and get rid of it if you don't need it anymore. Your team and your clients have a common ground when discussing the project. As a bonus, your development migration code can be used as a basis for creating or importing live content as you get it from the client.

Categories: Elsewhere

SitePoint PHP Drupal: Quick Tip: Up and Running with Drupal 8 in Under Five Minutes

Tue, 14/10/2014 - 18:51

In this quick tip, we’ll be installing a local instance of Drupal 8, beta 1. By the end, you’ll have a copy of Drupal that’s not only ready to be extended with Symfony bundles and other packages, but also ready to accept content and display it to end users.

Step 1: Prepare Environment


Categories: Elsewhere
