Feed aggregator

Triquanta Web Solutions: Automatically switch Drush versions per project

Planet Drupal - Fri, 17/10/2014 - 12:38

Now that Drush has become standard equipment in every developer's toolbox, and Drupal 8 is around the corner, you may find yourself asking "Which Drush version should I use?" While Drush 6 has a stable release, only Drush 7 can be used with Drupal 8. Usually, I use Drush 7. It works well with both Drupal 7 and Drupal 8, and even though it doesn't have a stable release yet, it feels pretty stable to me.

Combining Drush versions: the trouble begins

Unfortunately, when you use Drush 7 to run commands on a remote server which runs Drush 6, you will run into errors. For instance when doing a sql-sync:

    $ drush sql-sync @mysite-prod @self
    You will destroy data in mysite and replace with data from example.com/mysite.
    Do you really want to continue? (y/n): y
    Starting to dump database on Source.                                        [ok]
    Database dump saved to                                                 [success]
    /home/www-data/drush-backups/mysite/20141016113131/mysite_20141016_113132.sql.gz
    The Drush sql-dump command did not report the path to the dump file        [error]
    produced. Try upgrading the version of Drush you are using on the source machine.

Obviously Drush 7 doesn't like to talk to Drush 6. So how do we solve that?

Installing multiple Drush versions side-by-side

It's not too hard to install two Drush versions side-by-side, and use aliases or symlinks to choose a version. On my system I installed Drush 7 using composer and I installed Drush 6 using the manual method.

Next I created two symlinks called "drush6" and "drush7" in a directory in your $PATH variable. I use ~/bin, but it depends on your OS and configuration.

    $ cd ~/bin
    $ ln -s ~/drush-6.4.0/drush drush6
    $ ln -s ~/.composer/vendor/drush/drush/drush drush7

Using those symlinks, I can use both versions anywhere on my system:

    $ drush6 --version
    Drush Version : 6.4.0
    $ drush7 --version
    Drush Version : 7.0-dev

Now I can run drush6 sql-sync @mysite-prod @self to choose Drush 6 and avoid problems syncing with a remote server.

Automating which version to use

It's nice to be able to choose, but wouldn't it be awesome if you could just run drush ... without having to think about which version you need? If you're managing multiple sites on different servers, you don't want to spend your energy remembering which project requires which Drush version.

At Triquanta we use git repositories, one for each project. I want to be able to specify the default Drush version per project, so I will never run the wrong Drush version by mistake. That's where this really simple bash script comes in:

    #!/bin/bash
    # Read the per-project setting from git config; empty when the key is unset.
    version=$(git config --get drush.version)
    if [ "$version" = '6' ]; then
      drush6 "$@"
    else
      # Anything other than 6 (including an unset key) runs Drush 7.
      drush7 "$@"
    fi

Save it as "drush" in a directory in your $PATH variable, and make it executable. Now when you execute drush, it will call this script, which by default runs Drush 7.

    $ drush --version
    Drush Version : 7.0-dev

When a project requires Drush 6 instead, I set a variable "drush.version" in the git working copy:

    $ git config drush.version 6
    $ drush --version
    Drush Version : 6.4.0

That's all there is to it. Regardless of where you are within your git-managed directory structure (the site root, /sites/default/files/, etc.), the script will always know which Drush version to use.
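A hardened variant of the same wrapper, with the checks a practitioner would want before acting on a value read from git config. This is an added example, not Triquanta's script: it assumes the drush6/drush7 symlinks in $PATH and the drush.version key exactly as set up above. The configured value is matched against an explicit allowlist rather than used to build a command name (git config values can come from the repository, the global or the system config), a missing binary is reported instead of silently falling through, and the dispatch only happens when the file is installed under the name drush, so the functions can also be sourced and tested on their own.

```shell
#!/bin/sh
# Hardened variant of the per-project Drush wrapper above (added example, not
# Triquanta's script). Assumes the drush6/drush7 symlinks are in $PATH and the
# version is stored in the git config key drush.version, as described above.

# Map the configured version string to a binary name. git config values can come
# from the repository, the global or the system config, so only an explicit
# allowlist is accepted; the value is never used to build a path or a command.
select_drush_binary() {
    case "$1" in
        6)    echo drush6 ;;
        7|"") echo drush7 ;;   # unset key defaults to Drush 7, like the original
        *)    echo "unsupported drush.version '$1' (expected 6 or 7)" >&2
              return 1 ;;
    esac
}

# Read the key for the current working copy. Outside a git repository, or when the
# key is unset, git config exits non-zero; treat both as "not configured".
configured_version() {
    git config --get drush.version 2>/dev/null || true
}

# Resolve the binary, make sure it is actually installed, then hand over to it.
run_drush() {
    bin=$(select_drush_binary "$(configured_version)") || exit 2
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "$bin not found in PATH; create the symlink described above" >&2
        exit 127
    fi
    exec "$bin" "$@"
}

# Dispatch only when installed under the name "drush"; invoked under any other
# name (for example when sourced for testing) this file just defines the functions.
case "${0##*/}" in
    drush) run_drush "$@" ;;
esac
```

Install it as ~/bin/drush exactly like the original script. `git config drush.version 6` still selects Drush 6; any other value is refused with a clear error instead of being passed on, and a broken symlink shows up as "not found" rather than as a confusing failure from the shell.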

Categories: Elsewhere

Modules Unraveled: 122 The Drupal Security Team With Greg Knaddison and Michael Hess - Modules Unraveled Podcast

Planet Drupal - Fri, 17/10/2014 - 12:04
Published: Fri, 10/17/14
The Drupal Security Team
  • What type of people are on the Drupal Security Team?
    • https://security.drupal.org/team-members
    • Mostly coders, some project managers, core maintainers
  • What does the security team do?
    • We fix issues in drupal
    • Resolve reported security issues in a Security Advisory
    • Provide assistance for contributed module maintainers in resolving security issues
    • Provide documentation on how to write secure code
    • Provide documentation on securing your site
    • Help the infrastructure team to keep the drupal.org infrastructure secure
  • What doesn’t the security team do
    • projects without stable releases
    • Site support
    • Set policy around security with the security working group.
  • Is there a D7 security team and a D8 security team with different people? (What about Drupal 6)
  • How can others get involved?
  • What was the recent bug that was fixed
Questions from Twitter
  • Paulius Pazdrazdys
    How this latest security release is different from others? Do you have any information if this bug done any harm before release?
  • aboros
    The recent bug was über critical, still only 20/25. What would be a 25/25 bug?
  • aboros
    Do you notify any high value targets before SA is sent out? Is the list of those public? Can one be part of this privileged group?
  • Carie Fisher
    When the latest bug was found? is there a private drupal security group where this was discussed? could we have found out sooner?
  • David Hernandez
    What is the average time from discovery to announcement?
  • Damien McKenna
    @ModsUnraveled Are there existing stats on how long it takes from initial reporting, to maintainer response, to first patch & fix?
  • Heine Deelstra
    How was SA-CORE-005 (in hindsight) able to be public for so long in the public queue?
  • Mark Conroy
    I think the #drupal security team are great. Working extremely hard. (I know, that wasn't a question)
  • aboros
    Are there plans for some sort of bounty program run by DA maybe?
  • David Hernandez
    What kind of work does the security team do besides review code? What is the administrative overhead?
Episode Links:
  • Greg on drupal.org
  • Greg on Twitter
  • Michael on drupal.org
  • Michael on Twitter
  • List of permissions that aren’t included
  • Drupal Security Report
  • Two factor auth module
  • Paranoia module to prevent php execution
  • Security group on g.d.o
Tags: Security, Drupal Core, planet-drupal
Categories: Elsewhere

Junichi Uekawa: test.

Planet Debian - Fri, 17/10/2014 - 00:20
test.

Categories: Elsewhere

Get Pantheon Blog: What We Are Seeing With Drupal SA 2014-005

Planet Drupal - Thu, 16/10/2014 - 23:41

It's been 24 hours since Drupal SA-CORE-2014-005 was announced, and we are already beginning to see attacks in the wild. As a platform with tens of thousands of Drupal sites, we have a unique perspective on the problem.

This is not a drill: black-hat scripters from sketchy domains are working through lists of known Drupal websites probing for exploits. If you have not patched all your sites, stop reading and do it right now.

...

Ok, now that your websites are safe, here's what we're seeing.

Profiling and Logging Suspected Exploits

We learned of the vulnerability through our participation with the Drupal Security team, so we had a few days to prepare prior to the announcement. At that point, we were under obligation not to share details as part of responsible disclosure, but we did tweet and email customers to "be ready" for the update on Wednesday.

Beyond that, the first step was fashioning our own exploit to have something to build a defense against. I "owned" my personal blog several times getting this right.

With a sense of a potential attack signature, we developed platform-wide request filtering, WAF style. At our scale, we couldn't try to tweak every individual site: a platform solution was the only answer.

We got that deployed on Monday, giving us two days to see the results of real production traffic. We were able to eliminate false-positives while still detecting our PoC attacks, which gave us confidence that our filter would not impact legitimate traffic. That was an important moment, because it meant we could start locking things down.

Log and Block

With the SA announcement on Wednesday we switched the filter from "log" to "log and block". The first detected (and blocked) attack came in at 22:42 UTC (3:42 PM PT), about seven hours after the security announcement. It attempted to set up a fake user with id 9999 and a suspicious temp email address from trbvm.com.

Over the rest of the day we saw a handful (20-ish) more attacks that looked like proofs of concept or penetration tests. We saw attempts to re-use a proof of concept posted in a Reddit thread, an attempt to create a user named "morpheus" with a pre-set password, and a few attempts to make accounts with the email address test@test.com and then elevate them to an admin role.

It Gets Real

Early this morning at 08:23 UTC (1:23 AM PT) we started seeing an attack that attempts to insert a new item into the menu_router table. This attack is originating from IPs from a VPS provider in the .ru domain space, and it appears to be working through a list of domain names alphabetically.

The attack seems to be the initial part of a multi-step process. The menu_callback it is attempting to create will try to use file_put_contents() to drop a file somewhere in the codebase. That file will pick up a subsequent http request with more of an attack payload in the $_COOKIE superglobal. This sophistication plus the alphabetical attack sequence suggests a professional exploit.

Note that this attack has a 0% chance of success on Pantheon. We block it, but even if we didn't, live sites can't write files into the codebase, and a sophisticated $_COOKIE attack would also be stripped. Still, it's concerning.

This Is Not A Drill

It's barely 24 hours after the SA, and we have logged and blocked over 500 attempted attacks on sites on the Pantheon platform. We expect this rate to increase as exploit code is more widely shared and attacks become more automated.

The fact that we are blocking suspect traffic does not mean you should delay updating. We're happy to be defending sites on our platform, but the filter, like CloudFlare's WAF firewall rule, is not a guarantee that your site is secure. You need to get the update deployed and patch the vulnerability at the source.

If you need help, let us know. If you have friends who need help, lend a hand.

Credits

Credit to the Drupal Security team for organizing a responsible and orderly release. There was likely temptation to rush something out once the severity was realized, but they showed great professionalism by taking a more deliberate route. As soon as the fix was disclosed, black-hats would start working to weaponize the exploit, which we are already seeing.

I'd also like to thank Leonardo Finetti for chiming in based on some tweets with additional information about the menu_router attack. He has his own post up (in Italian) here.

Finally, I'd like to give credit to Greg "greggles" Knaddison for planting the idea in my head of using the reach of our platform as a way to monitor exploit attempts against sites running on Pantheon. Hopefully the data we're able to gather will help everyone defend better and build more secure software and platforms.

Blog Categories: Engineering
Categories: Elsewhere

Acquia: Shields Up!

Planet Drupal - Thu, 16/10/2014 - 23:32

Yesterday, the Drupal Security team announced that all Drupal 7 sites are highly vulnerable to attack. Acquia deployed a platform-wide "shield" which protects all our customer sites, while still keeping them 100% functional for visitors and content editors. These sites can now upgrade to 7.32 in a more calm, controlled timeline.

Categories: Elsewhere

Acquia: 30 Awesome Drupal 8 API Functions you Should Already Know - Fredric Mitchell

Planet Drupal - Thu, 16/10/2014 - 20:49

Apart from presenting a terrific session that will help you wrap your head around developing for Drupal 8, Fredric and I had a great conversation that covered the use of Drupal and open source in government, government decision-making versus corporate decision-making, designing Drupal 7 sites with Drupal 8 in mind, designing sites for the end users and where the maximum business value comes from in your organization, and more!

Categories: Elsewhere

Bits from Debian: Help empower the Debian Outreach Program for Women

Planet Debian - Thu, 16/10/2014 - 19:30

Debian is thrilled to participate in the 9th round of the GNOME FOSS Outreach Program. While OPW is similar to Google Summer of Code it has a winter session in addition to a summer session and is open to non-students.

Back at DebConf 14 several of us decided to volunteer because we want to increase diversity in Debian. Shortly thereafter the DPL announced Debian's participation in OPW 2014.

We have reached out to several corporate sponsors and are thrilled that so far Intel has agreed to fund an intern slot (in addition to the slot offered by the DPL)! While that makes two funded slots we have a third sponsor that has offered a challenge match: for each dollar donated by an individual to Debian the sponsor will donate another dollar for Debian OPW.

This is where we need your help! If we can raise $3,125 by October 22 that means we can mentor a third intern ($6,250). Please spread the word and donate today if you can at: http://debian.ch/opw2014/

If you'd like to participate as intern, the application deadline is the same (October 22nd). You can find out more on the Debian Wiki.

Categories: Elsewhere

Dries Buytaert: Acquia a leader in Gartner Magic Quadrant for Web Content Management

Planet Drupal - Thu, 16/10/2014 - 14:23
Topic: Drupal, Acquia

You might have read that Acquia was named a leader in the Gartner Magic Quadrant for Web Content Management.

It's easy to underestimate the importance of this recognition for both Acquia and Drupal to be in the leader quadrant. If you want to find a good coffee place, you use Yelp. If you want to find a nice hotel in New York, you use TripAdvisor. Similarly, if a CIO wants to spend $250,000 or more on enterprise software, they consult an analyst firm like Gartner. So think of Gartner as "Yelp for the enterprise".

Many companies create their technology shortlist based on the leader quadrant. That means that Drupal has not been considered as an option for hundreds of evaluations for large projects that have taken place in the past couple of years. Being named a leader alongside companies like Adobe, HP, IBM, Oracle, and Sitecore will encourage more organizations to evaluate Drupal. More organizations evaluating Drupal should benefit the Drupal ecosystem and the development of Drupal.

Categories: Elsewhere

tanay.co.in: SA-CORE-2014-005 - All you need to know to protect your Drupal Site from the latest SQL Injection vulnerability

Planet Drupal - Thu, 16/10/2014 - 13:18

Last night, Drupal released a security update to its core: v7.32.

The release addresses the SQL injection vulnerability described at https://www.drupal.org/SA-CORE-2014-005

How serious is it?

There are many proof-of-concept scripts available all over the internet now. I have tried a couple of those Python scripts, and literally anyone who can execute a Python script can now log in to your Drupal 7 site as admin, or execute any SQL on your Drupal database!

[I am not linking them here for the obvious reasons; if you came here searching for those scripts, you are at the wrong place]

So, is my site vulnerable?

Most of the Drupal-specialised web hosts like Acquia, Pantheon and Platform.sh have apparently patched their platforms, protecting your Drupal site even if your individual site has not been patched yet. So most of you are safe. You should be worried if you are hosting on one of those generic hosts to whom Drupal is just yet another script, or if you are running the site on your own stack.

How do I fix my site?

Don’t worry. Fortunately it is very simple, and it would not take more than 2 minutes to fix your site (if you do it via #3 below).

If words like “git”, “patch” and “upgrade” scare you, and you like the words “FTP” and “Filezilla” more, then skip directly to #3 below.

  • OPTION #1: The first option is to update your site to the latest version of Drupal - 7.32.

  • OPTION #2: But yeah, there is considerable effort involved in upgrading your Drupal site. Every upgrade usually requires significant regression testing, and this could take a while.

    So, as an alternative, there is a very small patch out there for you. Apply it and you are all set.
    Patch : https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch

    How do I apply this patch?
    Like any other patch -

  • OPTION #3: [THE SIMPLEST OF ALL] Alternatively, if you do not want to deal with patches or upgrades, or if you are looking for a quick fix, here you go:

    • FTP to, or open, your Drupal root directory

    • Navigate to the includes/database/ folder

    • There will be a file named database.inc. Take a backup of the file, since we are going to modify it. Store the backup somewhere safe just in case.

    • Open the file database.inc.

    • At around line 739, you will find a line of code that reads
      foreach ($data as $i => $value) {
      Replace this line with
      foreach (array_values($data) as $i => $value) {

    • Save the file and exit

    • Pat yourself on the back. You are all set now :-)

I have no enemies. Should I still fix my site?

Absolutely yes. With the many Google dorks that could be used to find Drupal sites, you could be the subject of a random attack, i.e. some noob with the script picking up your site randomly to log in as admin and deface it or play around with it, or steal your userbase for spamming!

Who found this issue? Who reported it? When was it first reported? ... Check out the FAQ on Drupal.org for answers: https://www.drupal.org/node/2357241

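A small check to confirm that the fix is actually in place after any of the routes above, whether the site was updated to 7.32 or database.inc was edited by hand. This is an added example, not part of the original post: it assumes the core version is declared as define('VERSION', '...') in includes/bootstrap.inc, treats 7.32 or later as fixed, and otherwise looks for the patched foreach line quoted in option #3. It also builds a constructed stand-in tree (just the two files the checks read) so it can be exercised without a real site.

```shell
#!/bin/sh
# Added example (not from the post): report whether a Drupal 7 tree carries the
# SA-CORE-2014-005 fix, by core version (7.32 or later) or by the patched loop in
# includes/database/database.inc that option #3 above installs by hand.
# Assumption: the core version is read from define('VERSION', '...') in
# includes/bootstrap.inc.

PATCHED_LOOP='foreach (array_values($data) as $i => $value) {'
VULNERABLE_LOOP='foreach ($data as $i => $value) {'

# Print the core version string, e.g. 7.31; prints nothing if the file is missing.
drupal_core_version() {
    sed -n "s/^define('VERSION', '\([^']*\)');.*/\1/p" "$1/includes/bootstrap.inc" 2>/dev/null
}

# Exit 0 when the fix is present, 1 otherwise. A numeric 7.x version of 32 or
# higher counts as fixed; anything else (7.31, 7.x-dev, no version at all) falls
# back to looking for the patched line, so a hand-edited 7.31 is still recognised.
sa_core_2014_005_fixed() {
    root=$1
    ver=$(drupal_core_version "$root")
    major=${ver%%.*}
    minor=${ver#*.}
    case "$minor" in
        ''|*[!0-9]*) ;;   # not a plain number: skip the version test
        *) [ "$major" = 7 ] && [ "$minor" -ge 32 ] && return 0 ;;
    esac
    grep -qF -- "$PATCHED_LOOP" "$root/includes/database/database.inc" 2>/dev/null || return 1
}

# Build a minimal constructed stand-in for a Drupal root (only the two files the
# checks read), so the functions above can be exercised without a real site.
build_sample_site() {
    dir=$1; version=$2; state=$3
    mkdir -p "$dir/includes/database"
    printf "<?php\ndefine('VERSION', '%s');\n" "$version" > "$dir/includes/bootstrap.inc"
    if [ "$state" = patched ]; then loop=$PATCHED_LOOP; else loop=$VULNERABLE_LOOP; fi
    printf '<?php\n// constructed stand-in for database.inc\n%s\n' "$loop" > "$dir/includes/database/database.inc"
}

# Usage: sh check-sa-core-2014-005.sh /path/to/drupal/root
if [ -n "${1:-}" ]; then
    if sa_core_2014_005_fixed "$1"; then
        echo "$1: SA-CORE-2014-005 fix present (core version '$(drupal_core_version "$1")')"
    else
        echo "$1: fix NOT present; update to 7.32 or apply the patch" >&2
        exit 1
    fi
fi
```

Run it against every docroot you are responsible for; a non-zero exit means the site still needs the update or the patch. The version check alone is not enough, because a 7.31 that was fixed by editing database.inc still reports 7.31, which is why the script falls back to looking for the patched line.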
Categories: Elsewhere

Visitors Voice: What is a good autocomplete?

Planet Drupal - Thu, 16/10/2014 - 12:45
Too often clients add autocomplete as a requirement without much thought. And as a result it is actually making the user experience worse. Instead of helping the users it confuses them. The first rule when designing autocomplete is: the suggestions must be relevant for many! Otherwise don’t make any suggestions at all, since it’s just […]
Categories: Elsewhere

Open Source Training: Drupal 7.32 is an Absolutely Necessary Update

Planet Drupal - Thu, 16/10/2014 - 11:03

We're accustomed to the Drupal security team releasing security fixes.

Fortunately, most of the fixes were relatively minor. They either impacted a small group of sites, or they were unlikely to lead to your site being hacked.

Let's take a brief look at the 4 previous Drupal security advisories in 2014:

Categories: Elsewhere

PreviousNext: Constructive Conflict Resolution in the Drupal Community

Planet Drupal - Thu, 16/10/2014 - 06:06

How can the Drupal community recognise and handle conflict more constructively? This core conversation session from DrupalCon Amsterdam aimed to start a discussion about creating an army of empowered bystanders ready, willing and able to use conflict as a positive force in the community.

Categories: Elsewhere


Midwestern Mac, LLC: Fixing Drupal Fast - Using Ansible to deploy a security update on many sites

Planet Drupal - Thu, 16/10/2014 - 06:01

Earlier today, the Drupal Security Team announced SA-CORE-2014-005 - Drupal core - SQL injection, a 'Highly Critical' bug in Drupal 7 core that could result in SQL injection, leading to a whole host of other problems.

While not a regular occurrence, this kind of vulnerability is disclosed from time to time—if not in Drupal core, in some popular contributed module, or in some package you have running on your Internet-connected servers. What's the best way to update your entire infrastructure (all your sites and servers) against a vulnerability like this, and fast? High profile sites could be quickly targeted by criminals, and need to be able to deploy a fix ASAP... and though lower-profile sites may not be immediately targeted, you can bet there will eventually be a malicious bot scanning for vulnerable sites, so these sites need to still apply the fix in a timely manner.

Categories: Elsewhere

Drupalize.Me: Tips for Applying Today's Drupal Core Security Update (SA-CORE-2014-005)

Planet Drupal - Wed, 15/10/2014 - 23:13

Today a highly critical security update (SA-CORE-2014-005) was released for Drupal 7. Any Drupal site running Drupal 7.31 or lower needs to update to 7.32 or apply the patch immediately. Here are some tips to get your Drupal 7 site updated today!

Categories: Elsewhere

Mediacurrent: 10 Reasons Why Marketers Are Moving to Drupal

Planet Drupal - Wed, 15/10/2014 - 22:11

Marketers around the world face the same pressures of trying to leverage marketing automation, content marketing, social media engagement, SEO, and more to drive prospective buyers to engage with their brands.

Categories: Elsewhere

CMS Quick Start: Drupal 7 Login Methods and Module Roundup: Part 2

Planet Drupal - Wed, 15/10/2014 - 21:35

Last time we explored some different options that determined how the login form was displayed on your site. Today we're going to expand on that and look at different ways of wrangling or changing the actual login experience for your users. The default settings aren't exactly very refined and so it can take some configuration to get a better user experience out of the whole process.


Categories: Elsewhere

CTI Digital: See the team behind Drupal 8 (all 2,300 of them!)

Planet Drupal - Wed, 15/10/2014 - 18:28

On October 1st 2014, Dries announced at DrupalCon Amsterdam that Drupal 8 had reached Beta 1, a significant milestone in the journey to Drupal 8.

He also revealed that 2,300 individuals have contributed to the Drupal 8 project. Pretty impressive, but hard to imagine, right? One of our Drupal developers here at CTI decided to create a visualisation to express the flurry of activity before, during and after DrupalCon, which has culminated in this significant achievement. The video Adam created helps communicate the true scale of the project. Enjoy…

Categories: Elsewhere

LightSky: Are you Giving Back?

Planet Drupal - Wed, 15/10/2014 - 17:56

LightSky has been using Drupal for quite some time, but because of a lot of factors haven’t contributed as much during that time as we probably should.  Mike and I implemented a philosophical change about a year ago to make a concerted effort to give back.  It has been small steps for us though, we are a small organization and in a growing phase, so our resources to give back have been limited.  Starting with attending some Drupal camps, to building modules, contributing to core, and growing from there, we have made a pretty big effort on our end to help support the Drupal community and we think you should too.

Agencies like us aren’t the only ones to give back though, companies of all different backgrounds across the globe use Drupal, and give back to the community.  Some, more directly than others, but even passively, giving back to the community is what keeps Drupal sustainable, and makes the platform so desirable.

How Can a Widget Factory Give Back to Drupal?

This is an interesting question, but it isn’t as complicated as one might think.  Look at all of our clients for example, they all give back to Drupal and many of them have no web experience, and can’t write or interpret even the most basic of code.  They give back through us.  They choose to partner with a company that gives back to the Drupal community, and that is a big deal.  There is great value in their support of the community for their company and their bottom line.  Open source projects are often some of the most cost effective choices in the software world, and Drupal is really no different. 

Experience Not Needed

Contributing doesn’t have to be through a third party though.  Content on Drupal.org can be updated by anyone with a user account.  Making documentation changes to a module that your organization is using, or building better documentation is a great way to give back, and anyone can do it.  But the way that I recommend companies give back is speaking at a Drupal camp.  Do a case study, it doesn’t have to be technical, show people how Drupal has helped your company.

Drupal allows our clients to have an enterprise-level product that is community based and completely flexible, and often Drupal provides them a solution that no other software could really match. But what created this excellent product is the community, and without people giving back regularly, this product would never exist. So if you aren’t giving back, think about how you can, and if your Drupal firm isn’t giving back, make sure that they know you think they should.

For more tips like these, follow us on social media or subscribe for free to our RSS feed and newsletter. You can also contact us directly or request a consultation.
Categories: Elsewhere

Drupal Watchdog: The Angry Themer

Planet Drupal - Wed, 15/10/2014 - 17:00
Column

Welcome back to the ANGRY THEMER!

Faithful readers of this column who have followed my outbursts over the past few years might ask, “How can I prevent myself from turning into a grumpy old themer with high blood pressure like you?”

Fortunately, the Drupal project has grown to include new tools to help battle-hardened Vikings such as I cope with Drupal’s terrible markup and keep my rage more or less under control.

And you, dear themer, no longer have to dive into code or understand the inner workings of Drupal, while also battling Responsive, Web 2.0, Internet Explorer versions 6,7, 8, 9..., Safari, Chrome, Firefox, or Opera – not to mention the gazillion tablets and smartphones. (Ah, but that’s another story, best saved for another day.)

These are my favorite weapons – uh, I mean tools, tools of the trade – that I utilize when I need to slice through the Drupal Markup sludge.

Themes

Drupal contrib has a ton of “Starter Themes”; so you don't have to trudge through all the basics every time you design a site.

Of course my favorite theme is the Mothership (Full Disclosure: written by your very own Angry Themer), which isn’t so much a theme as a complete cleanup of Drupal’s approach to markup.

Mothership – Keelhaul the DIV!

The Mothership theme is not something you use to make your site pretty; this isn’t Wordpress. It’s designed to make your source code look and act awesome by knifing through the sea of divs, classes, and about 20% of old markup fixes that come packed with Drupal, and deep-sixing it – leaving sparkling-clean HTML5 in its wake.

The Mothership theme comes equipped to clean up nearly every dusty corner and musty abscess of Drupal that needs cleaning up:

  • settings for removing class names
  • corrects the markup to HTML5 standards
  • modifies CSS & Javascript files

It also comes with commonly used basic CSS and JS libraries to help with responsive HTML5 sites, and now it even fixes the IE 9 CSS caching/respond.js issue.

As a bonus, you get to swagger and swear like a Caribbean pirate – and the ship’s captain strongly resembles Johnny Depp!

For those less-aggressive themers out there (and you know who you are), maybe Zen or Aurora – which have a more relaxed attitude towards markup – are more your speed.

Categories: Elsewhere
