BADCamp is the largest free Drupal event on the planet and it is happening this week, right here in our back yard, at the Palace of Fine Arts.
Chapter Three Trainings
The event kicks off on Thursday with summits and trainings around specific interest areas.
If Magellan hired shipwrights instead of sailors, we would remember him for having the most seaworthy ships lost at sea. If you tried to get your oil changed at an assembly line instead of an auto body shop, the factory would turn you down, or worse do a slipshod job to get you out of the way and get back to building cars.
Similarly, most web development shops create their process around building websites, not supporting them. Aten built a dedicated Support Team out of recognition that maintaining and extending websites requires its own skill set and organizational structure.
At BADCamp 2014, Sandra and I, both Technical Account Managers and developers on Aten’s Support Team, will present “Old dogs, new tricks: Supporting websites after launch”, Saturday, November 8, 2014 at 1:30pm.
We’ll discuss why it’s important for clients to work with a development team specifically designed to support existing sites, and how Aten’s support approach:
- keeps aging sites relevant with new features;
- keeps sites running longer with less technical debt;
- gives us enormous insight throughout a project’s lifecycle so we can consult on a client’s high level objectives and real world challenges;
- and makes us a flexible partner who can puts clients’ minds at ease, with both a rapid response team for hot fixes, and a technical and strategic resource at the ready for larger blocks of work.
We will also discuss how viewing support and maintenance as an opportunity — not an opportunity cost — benefits Aten as well as our clients, and why we think our approach incentivizes great work from developers while building enduring client relationships.
See you at BADCamp!
I am proud to announce the release of the Behat Drupal Extension 3.0! Since 2012, the Drupal Extension has been used for Behaviour Driven Development of thousands of Drupal sites all over the world. The project began as part of the Drupal.org upgrade, and was quickly generalized to enable the testing of any Drupal site.
Version 3 has many exciting new features, and is compatible with Behat 3. Note version 2 does not exist, wanting to avoid version soup.Behavior Driven Development at BADCamp
Before I dive into the new features, it is important to clarify the difference between testing an application, and Behavior Driven Development (BDD).
rather, it starts with a conversationIn order to read more interesting articles As a reader I need to see related articles to the one I'm reading
While both are testing something, only the latter is truly describing a behavior that matters to a stakeholder. This is the subject of a blog post, or series of posts, in and of itself, so more on this subject later.What’s new Documentation
A starter Drupal context that makes no assumptions around the language used for each test, but still provides all the previous functionality to interact directly with Drupal.
Users are encouraged to start tests from this context which will allow them to use truly ubiquitous language that is specific to each project.Drupal Drivers
The Drupal Drivers now exist in a separate project, allowing for non-Behat applications to interact with Drupal (e.g., calling directly from Mink, or Codeception).
Note that the Drupal 6 driver has been removed, but since drivers are now separate projects, it will be easy to port that over to the Drupal Extension 3, should somebody want.
It should also be noted that Drupal 8 support will require ongoing work as the code base there evolves towards release.More granular pre-defined step-definitions
Existing step definitions have been split into 4 indepentent contexts:
- DrupalContext – This contains steps for working with content, users, and taxonomies.
- MinkContext – This is an extension to the Mink Extension, providing additional steps for working with regions and forms.
- MessageContext – Provides steps for working with Drupal success/warning/error messages.
- DrushContext – Provides steps for calling drush commands directly from scenarios
This allows for the use of some pre-definied step-definitions, rather than the previous all-or-none approach.No more regex!
The pre-definied steps now use the new turnip syntax introduced in Behat 3:Given I am viewing a/an :type (content )with the title :title
rather thanGiven /^(?:a|an) "(?P<type>[^"]*)" node with the title "(?P<title>[^"]*)"$/ What’s a ‘node’?!
The term node has been removed from steps and replaced with content in all pre-defined steps.What’s next?
- A REST driver that would allow the full power of the Drupal API to be utilized from a remote server.
- Testing Drupal core with Mink and the Drupal Drivers?
I will be attending the Behat mini-summit at BADCamp along with several other folks from Phase 2. I hope to highlight the Drupal Extension 3, and discuss best-practices for the wide variety of testing needs. I also hope to continue discussions around Behat, Mink and Drupal core.
Launching a new Drupal website is exciting and can be a little risky if you aren’t careful. There are several things to accomplish, details that are too essential to overlook, and many people collaborating to make the deployment go smoothly.
You may have heard some news about the fact that a new theme has been added to Drupal, named Classy. But what kind of theme is it exactly? Is it a pretty new look for Drupal 8? Well, no. You will still see Bartik as the default theme on your Drupal 8 site, so why another theme? Classy is a new base theme in core, which Bartik and Seven will then use as their bases. The idea here is to provide more flexibility to themers when it comes to choosing default CSS classes.
Competition is helping to drive big performance gains in PHP. Alternative ways of running PHP are becoming viable and with them is coming accelerated speed.
Last week’s Public Service Announcement from the Drupal security team caused a lot of attention. And rightfully so – it told us that the vast majority of Drupal 7 sites around the world are considered compromised. A mere 7 hours after critical security patch SA-CORE-2014-005 was released, robots were spotted in the wild, bulk-hacking Drupal 7 sites with this vulnerability. This is something that’s never happened to the Drupal community before, and it is extremely serious. In some way it’s our own version of Heartbleed and other highly-publicized critical vulnerabilities in open source software.
This issue should not reflect badly on the Drupal community, or the Drupal product at all. Vulnerabilities happen to every software project – particularly the large and complex ones like Drupal! In this case it was the result of a choice in the database abstraction layer to use emulated prepared statements. There’s a great dissection of the whole vulnerability at ircmaxell, but the point here is that it was an intentional decision. We were aware of a theoretical security risk, just as we are in making lots of decisions. But theoretical risks don’t mean much compared with real, measurable losses from the available alternatives. As I said before, this can happen to any software project, and Drupal is a relatively responsible, well written one. What’s interesting now, is the response.
First of all, I am amazed to read responses from many Drupal users who are panicked at having to run a diff of their sites, because they don’t have appropriate tools in place. If you are developing without a VCS and automated backups, you are doing more harm than good. Just stop. Take a week to learn the basic requirements of a development environment, and start employing them. End of story.
I’m not concerned for those people – their sites were disasters waiting for an excuse anyway. What’s frightening about this particular situation is that even if you are working with backups and a VCS, even if you patch critical security vulnerabilities on an aggressive schedule, it still wasn’t good enough.
All of my Drupal 7 sites are affected by this PSA. I work for a large, well-respected agency, with access to leading-edge workflows and tools. We follow best practices. All of my sites are secured well beyond PCI requirements. But PCI requirements say that critical security patches have to be applied within 30 days of release. Our best practices include patch review from the tech lead, and validating patches on test environments before pushing them live. With only 7 hours between patch release and exploits in the wild, there isn’t time for any of that.
I’ve heard people complain that it’s too difficult to update Drupal. “drush up —security-only” seems pretty simple to me, or at least simple enough that further simplification won’t address the real problem. That’s because the real problem isn’t that it’s difficult to apply updates – it’s that a human be ing has to initiate them. I live in the Central European timezone, GMT+6. The patch was released at 10PM for me, and bots were exploiting it by 5AM the following morning. I went to work that day and initiated the patching process, so that my patches could be “responsibly” deployed to live with 24-48 hours of client validation time on my dev and staging environments. Despite being relatively on top of patches and responding relatively quickly, the fact that I’m human, and my clients are human, meant we never stood a chance of patching this issue fast enough. Even if we skipped validation, and even if the update process was just one button (rather than two commands), we would still have failed to update in time. I find myself reminded of the Battlestar Galactica pilot, where the Cylon robots are chasing the humans. After each hyperspace jump, the humans have 33 minutes to complete the calculations for another jump before the machines catch up with them. After 130 hours and 237 jumps, it becomes apparent that the humans’ need for sleep is a critical vulnerability.
The only solution is automated patching. It’s hard to figure out a workflow that allows it; indeed you’re forced into post-hoc testing, which means engineering an easy rollback solution. The truth is that 99% of security patches will not affect any of the functionality you’ve customized or upon which you rely, so hopefully this will be an edge case. But it’s a problem that actually has to be addressed. Here’s how I’m adapting my own projects over the coming weeks:
Every wednesday, every hour, my Jenkins instance runs a script which checks modules and core for each project for security updates. When an update is available, it automatically creates a branch off of Stable (my staging branch), applies the updates, and pushes the result up to the server. My git scripts already create a new subdirectory environment for every pushed branch. Once the environment is ready, Jenkins runs all available behat tests against the new branch. If all tests pass, the branch is automatically merged back into Master, Stage, and Live, and pushed. This push operation triggers a normal Jenkins deployment, which takes a backup anyway. An email is generated to the project administrator advising them which security updates were automatically applied, and linking to the relevant changefiles.
I’m excited about implementing this new layer of automation, because it builds on the best practice workflows I already like (test driven development, git flow VCS organization, automated deployment and backups…) to produce a tangible time savings and security improvement for my sites. At the same time, I can’t say that this is something I recommend for EVERYONE, precisely because it requires such a high level of environment maintenance. When you’re a one-person development shop, it’s hard to afford the time to set up the perfect development environment. It’s hard to convince those bottom-of-the-food-chain clients to pay for things like automated testing and deployment. And certainly once you have those things set up, you don’t get paid for maintaining them!
I’m going to be keeping my eyes open for better solutions that can be applied by the “developer on the street.” Something relatively easy, but which allows the same kind of automated, fast response time for security patches. I’m interested in any ideas you want to post in the comments!
I’ll be giving a talk at BadCamp called “Mistakes I have Made: Collected Project Management Failures.” It’ll be funny, and true, and probably reference a few different stories from the past. However, when I look at what the real truth is to a talk about project management mistakes, I go to the source. What are the hardest things about project management?
If you google this, you’re likely to get the answer of ‘everything’.
For me, when I look at this, I separate this out into five different areas of hard:
- Alignment / Mission
- General Sucking: Hard decisions
Around the area of team, I think this is one of the biggest things that you’re hired to watch over as a project manager. It’s your job to make sure that you’re engaging the team to make sure that the problems get solved, that you’re building what you set out to build. It’s so common in my own work that when I feel like there is friction or struggle, I have to lean back and ask myself if I’ve actually worked on really engaging the team – or if I’ve just charged ahead full bore. (Mistake #543)Do I have the right team?
I have definitely been on projects or working with teams that just didn’t have the right fit. There had never been a conversation about if the people working on that particular ‘thing’ were right for it. (Mistake #324) Or they were being used in ways that didn’t suit them personally, they were being asked to use their weakest skills in a really strong way, and it was burning them out. (Mistake #221)Did I give everyone enough time?
This is where people will use Agile to its best advantage. Agile, when you’re actually tracking story points and estimating, will give you enough space to be able to understand if you’ve crammed too much in. (Mistake #112) Did we ask too much in that space from people? (Mistake #14) Are we working under a really silly timeline (Mistake #87) and did we not find out until too late? (Mistake #98.) Even more to the point, once we know the problem, are we not willing to correct it? (Mistake #465)2. Clients
Do we have the right clients? Are we, the people building things for them, the right people to do it? Do we understand their mission? Did we do enough to make sure they understood when, how, and where we were going to build? Do they understand what we’re not doing? Are they ok with their role here? Do they understand ‘scarcity’ in action? Does that shock them?
The list goes on, but in order to be the best technology partner, and you’re helping to lead everything to the finish line, everyone has to agree.3. Services
This is the day-to-day stuff and where new project managers that are client facing get tripped up. Answering for the developers when you shouldn’t. “That should be easy.” Making estimates with having no idea what you’re doing. Estimating things in general. Making the expectations that you’re going to be available all the time. Or not setting the expectations at all.
Services isn’t the hardest-hardest part of this, but it generally adds to it.4. Alignment / Mission
There’s a statement running around the internet right now that working on things that aren’t aligned with your values is just stressful. Working on things that are is called passion. You’ll notice when it’s just not working, because you can’t get rid of that pit in your stomach, that sinking feeling. Not listening to it is a big mistake.5. General Sucking: Hard decisions
Part of your job is being the person that says no, that continually tries to find a way to make the project a success. You’ll sometimes be in the place where everything, all of these 4 things above are collapsing around you. And it sucks. And it happens to a lot of us that do this, because you are the one that’s pulling the threads together.
It gets better.
You are not always going to have these weeks. I refer to them as ‘hell weeks’. Please keep your hands and arms inside the hell week until it comes to a full and complete stop. In these weeks, it’s even more important for you to pay attention to you. Get some sleep. If you can’t get some sleep, talk to your team about how you are feeling, and figure out how to articulate what the problem is so that everyone can solve it together. (Also, ask yourself how you’re working with your team!)
Internalize the idea that you are no good to us dead, and take care of what you can. Projects end, one way or another, and you’ll get through it – one email, one day at a time. These things are hard, projects are hard, building things is hard – but hard things are worth doing.
Hope to see you at BADCamp for my session “Mistakes I have Made: Collected Project Management Failures.” Check out all of the Phase2 thought leaders at BADCamp!
by Jeff Amaral
The resulting module, Region View Modes, places copies of nodes, rendered through specific view modes, into theme regions. Yes, those are the same regions into which you would normally place blocks. There’s no new layout system here. You use the one you already have: your theme.
Once enabled, using the module is pretty easy:
- Visit the Manage Display page for any content type (e.g. Article)
- Expand the Custom Display Settings section
- Check the view mode for one or more theme:region combinations. For example, Bartik theme: Sidebar first region
- Click Save at the bottom of the page
- You’ll now see the activated view mode(s) near the top of the page. Click on one.
- Reorder, hide, or change the settings for any fields
- View a node of that content type
Here’s a demo:
That’s all you need to know to use the module, but if you’re curious about how it works, read on!...
Nalini lives in a small city in India. To save money, all school books and student papers are copied or printed at the local print shop. Nalini is immensely annoyed with her classmates when they choose to print on a single side of paper. If everyone used both sides, she reasons, it would reduce their paper use by half. Nalini sends a message to Greenpeace International through Facebook: "I have an idea for a campaign you should run!"
Greenpeace International is an worldwide independent nonprofit organisation that aims to protect the environment and promote world peace. Originally founded in 1971, the organisation is now active in 44 countries and has 2.8 million supporters. With nearly 2 million Facebook likes and millions of site visitors worldwide, Greenpeace International receives suggestions like Nalini’s thousands of times per year, and because they simply can’t take on every new campaign idea, they wanted to find a way to empower its supporters to run their own campaigns, in their own communities.
In addition, Greenpeace International already had an active volunteer base of 20,000 volunteers, organised in about 400 local groups - each local group, or national volunteer network, had it’s own management and communication tools - a true global volunteering ‘database’ was non-existent, with the data instead spread across lots of individual spreadsheets and google-docs, making it hard to track and measure.
Challenges like these spurred Greenpeace International to create Greenpeace Greenwire, its own online community for employees and volunteers. It’s a meeting place where people can connect with other volunteers, activists and groups working on environmental campaigns in their country. When Greenpeace Greenwire rolls out to more offices, it will allow international connections too.
As well as helping activists find and participate in Greenpeace-led volunteer groups and events, Greenpeace Greenwire lets users create their own events and organize their own activities. Users can start groups, host events, run campaigns, share photos and videos, and write blogs.
Greenpeace Greenwire is a unique project in that it serves a worldwide community - so it needs to be able to scale up to hundreds of thousands of global users - but it also serves each element of that community’s specific set of needs. Flexibility is another key element of the project: allowing users to have different roles in different domains for national and regional offices, and also allowing for flexibility regarding which languages each user could choose. It was also crucial that each user feel comfortable providing their personal data in order to take full advantage of the Greenpeace Greenwire community, but on the other hand, the data must be kept secure and limited only to certain authorized users.Key modules/theme/distribution used: Domain AccessOrganic groupsSearch APIUniversally Unique IDentifierContextEntity referenceMessageMessage SubscribeLanguage fieldMediaCDNEntity cacheSimpleTest FixtureUser RelationshipsViewsAutomated LogoutOrganizations involved: GoalGorillaTeam members: jaapjanbramtenhovejochemvnstefanotabarellironaldtebrakekevinmuller7gipsy
BIP 70 provides a mechanism so that a customer can be sure that they are sending a Bitcoin payment to the correct place. Before BIP 70, the customer would simply be presented with a Bitcoin address to send the amount to. This address could potentially be tampered with so the funds get sent to someone else. It is also not very user-friendly to be sending money to a random collection of letters and numbers.
Now public key infrastructure (PKI) is used to present the customer with cryptographic proof that they are making the correct payment. The payment information that the Bitcoin wallet receives is supplied with a certificate and is digitally signed. The wallet can then present a "human-readable, secure payment destination" to the customer, i.e. the name of the company or a verified email address.
This functionality is now implemented in Coin Tools.
To start using it you need to obtain a certificate. The easiest way to do this is to create a free account at StartSSL. Once they have verified that you own your email address they will put a certificate to this effect into your web browser.
You need to extract this certificate (and private key). Here is how to do it using Firefox, but other browsers are similar. First you need to view your certificates.
Then backup the certificate for your email address provided by StartCom Ltd.
Make sure you save the file with .p12 extension, i.e. email@example.com - P12 is an "archive file format for storing cryptographic objects like private keys and certificates." You will be prompted for a password to encrypt this file.
Next you need to extract your certificate and public key from this file like so:openssl pkcs12 -in firstname.lastname@example.org -clcerts -nokeys -out publicCert.pem
openssl pkcs12 -in email@example.com -nocerts -out privateKey.pem
Each of these commands will require you to enter the password you encrypted the P12 file with. When extracting the private key you must provide a passphrase it should be encrypted with.
Next you need to add the certificate to your payment type (or create a new one). With the latest version of Coin Tools 8.x-1.x there are additional fields on the payment type form for this. Paste the contents of publicCert.pem into the "Certificate" field.
And paste the contents of privateKey.pem into the "Private key" field. Select "Private key is encrypted" and enter the passphrase you encrypted it with.
When making a payment, the customer's wallet will now display the certificate's Common Name. In this case it is a verified email address.
In part 1 of this tutorial, we covered how to configure and use Ansible for local Drupal development. If you didn't have a chance to read that article, you can download my fork of Jeff Geerling's Drupal Dev VM to see the final, working version from part 1. In this article, we'll be switching things up quite a bit as we take a closer look at the 2nd three requirements, namely:Mon, 11/03/2014 - 07:00 aaron
Something that new Drupalers struggle with is getting their site secured with SSL, the little lock in the browser or https://. Their first reaction is, “There has to be a module for that” and there are a few modules for getting your site HTTPS friendly, but there is a much easier solution. Read on to find out how to do it simply through your .htaccess file.
In my initial test of a new session recording kit, some records were lost due to lack of audio. Also, the test setup used powered lav mics, which don't fly too well with multiple presenters.
As a follow up, I tested the Zoom H2N digital voice recorder because it just so happens to have a line out jack. So the question was whether that line out would be compatible with the HD PVR for audio. I'm happy to report that it is!
This is fantastic news for many reasons:
- Co-presenters or panels: Standing several feet away from the unit for the test resulted in great sound quality
- No microphone cords: Speakers are free to roam, if that is their style
- Redundancy: If the voice recorder is powered and hooked up correctly, the PVR will spit out a finished MP4, but should that audio fail for any reason, there will be a backup record on an SD card
At $160, the recorder definitely costs more than the original lav mic tested at DrupalCamp Fox Valley. With the suggested accessories (A/C power, tripod, wired remote, case, 32 MB SD Card, audio cable) the audio component comes up to about $225. This brings the total kit cost to just approximately $425 per room, which should accept a full day of recording and accommodate most laptops.
I'll be attending BADCamp and plan to bring the full kit with me, if anyone wants to check it out. Hell, if I get the chance, I will try to test it in the wild. Next steps are testing dongles for various portable devices, as well as contacting the Drupal Association to see what is needed to make these available for camps.
By now you've probably heard about the extremely serious Drupal security issue from mid-October.
The Drupal security team issued a new warning two weeks later that, if possible, escalated the severity of the issue.
Here's an overview of the issue and its impact.
Let me start out by stating that I don't know the technical implications of an autocomplete feature. Okay? I don't have the answer. I'm just looking for information. Best case, I can help get something started that will benefit the entire Drupal community in the future.
With that out of the way, I firmly believe that anything is possible with Drupal. And with the "Drupageddon" of late, an auto update feature would be greatly appreciated by many, I'm sure. (I certainly would have benefited from one.)
I was recently discussing the security update with some friends, and one of them asked "Does Drupal have an auto update?"
And I was like "...no."
Immediately, I thought about all of the updates I don't immediately apply to contrib projects because they change a configuration option, or otherwise modify the way I've set up the site.
So I thought "I don't really want an auto update because it might break things.
That said, why can't Drupal automatically update security fixes - at least in core - automatically? If it did, Drupageddon could have never been a widespread issue.
It's easy to think, "Well, it's fixed now, so there's nothing to worry about."
But I think that's shortsighted.
The particular vulnerability that caused "Drupageddon" has been around since the inception of Drupal 7, which was officially released in 2011. So, for at least 3 years, every time we've fixed a security flaw, we've thought, "It's fixed now, so there's nothing to worry about." ... until the next issue was found, and this last one was a pretty gigantic one!
Wordpress introduced auto update in version 3.7 on October 24, 2013. They also included options in their configuration file that can be set to disable auto updates, as well as choose which types of updates should be performed automatically: none, major and minor or minor only.
You can read more about it on the Configuring Automatic Background Updates page:
I'm just curious if this is something that can be added in a point release of D8 (like 8.5 or something).
Also, I've ready a few posts saying that auto updates would not fit their workflow. They use Drush, Git, etc. to manage their development workflow. And if that's you, I'd say that turning the auto update setting to off would mean that you can continue to work the way you currently do.
However, small business owners, churches, non-profits and the like that have volunteers (with little to no development background) managing their sites don't have the luxury of utilizing Git, Drush etc. In those scenarios, I think the case could be made that an autoupdate feature (as long as the updates are tested before release) could be a much more stable way of maintaining a site than having a volunteer FTP files to a server without really knowing what they are doing.
If you have thoughts, please add them below. I'd love to hear them!
- After doing some more research, I've found that some people tried to do this in D7, but postponed to D8. However, there hasn't been any movement since April 28, 2013. https://www.drupal.org/node/606592
- There's also a post explaining why auto updates would be a very bad idea from September 1, 2011. http://www.freelock.com/blog/john-locke/2011-09/why-auto-updates-are-very-bad-idea I'm not sure that I agree with everything he says though.
Over the years, I've made it an unwritten policy not to sensationalize bug fixes and security vulnerabilities in content management systems. While there may be great interest in such stories, I believe such stories have a tendency to cause more harm than good. When sensationalized, such articles tend to cause customers to address security concerns with emotion instead of logic which is never a good thing. So, when the security vulnerability known as "Drupageddon" broke and Drupal developer Bevan Rudge posted "Your Drupal website has a backdoor", I knew this story was going to eventually reach mainstream media. In the meantime, I've been struggling on how best to write this article and what story need to be told.
For those that don't know, Drupageddon is the highly critical SQL injection vulnerability in Drupal 7 core and was fully disclosed by the Drupal Security Team in SA-CORE-2014-005. Since the dawn of time when databases were introduced to websites, SQL injection vulnerabilities have been discovered and in the majority of cases when found are patched by their developers and system administrators. What makes Drupageddon particularly nasty is the vulnerability can be exploited by users not even logged into your site (in Drupal they're called anonymous users). Worse, if you didn't update your site quickly enough, your site may still be compromised even after applying the fix (in Drupal 7.32 or later versions).
It took two weeks, but the media have finally begun to use this Drupal event to sell their headlines. A recent BBC article claims that "up to 12 million websites may have been compromised by attackers who took advantage of a bug in the widely used Drupal software". While there is the potential for every single Drupal site on this earth to be compromised, I tend to believe Bevan Rudge's assessment that the real world numbers are more likely in the "hundreds of thousands". But the author of the article also found someone to state that this vulnerability and the need to audit your system for additional vulnerabilities is "shocking".
Having managed various software applications and websites for two decades, I find myself annoyed and angry that once again I'm patching and auditing my websites with extreme effort. We've all seen these type of security exploits in a wide range of software applications from a wide range of software developers. Ten years ago I discovered an ecommerce website that I managed hacked due to a SQL injection exploit. What upset me the most wasn't that the site was hacked but that the application's developers were aware of the problem for months but failed to publicly disclose the information to users. While the software industry has gotten better to disclose vulnerabilities and provide fixes for their software there is a lot of improvement than can still be made.
Perhaps what is shocking for those that don't know Drupal's open source community isn't the security exploit itself, but observing Drupal's willingness to fully disclose and take responsible steps to fix what is broken. It has been my experience that too many software vendors attempt to "soften the blow" in their disclosures to please the marketing arm of their company no matter how serious the exploit. Drupal on the other hand often takes the opposite approach. As a CMS critic I don't think I could write stronger words of warning in an article than what Drupal's community already does.
Drupal Security Team: A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users. [October 15, 2014]
Bevan Rudge, Drupal.Geek.NZ: I estimate hundreds of thousands of Drupal websites now have backdoors; between ten and ninety percent of all Drupal websites. Automated Drupageddon exploits were in the wild within hours of the announcement. Updating or patching Drupal does not fix backdoors that attackers installed before updating or patching Drupal. Backdoors give attackers admin access and allow arbitrary PHP execution.
If your Drupal 7 (and 8) website is not updated or patched it is most likely compromised. If your website was not updated within a day of the announcement, it is probably compromised. Even if your website was updated within a day, it may be compromised. [October 22, 2014]
Drupal Security Team: While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch. [October 29, 1014]
I'm not a software developer, but I understand the news cycle for covering content management systems very well. Although this is a two week story for the Drupal community, we can expect to see more articles from authors and experts claiming their shock and dismay that such vulnerabilities in the Drupal software can exist. My spin is simply this, the media is only aware of this story because Drupal takes ownership and responsibility to disclose and address security issues in its own software. I personally find news of the vulnerability a non-story. The real story out there are the companies and software developers pointing fingers at Drupal and are not so forthcoming with their own security vulnerabilities. Those are the stories that need to be told.
This article was originally posted on CMS Report.Tags:
Now that we have a fairly good idea how Drupal 8 and data looks let's discuss what can MongoDB provide and why would you want to run it. In Drupal 8, every kind of data can be stored independently. I fully expect that people will indeed mix storages. For example, D8 by default runs a config query on every page to find the blocks to be displayed for the current theme. Again, by default, config entities are stored as serialized PHP arrays so the only way a query like that can run is to load every single block entity from the database and iterate over them. This can get quite slow with hundreds of blocks -- don't forget that a block entity just stores the placement of a block and the same block can be placed several times. Also, after finding the blocks for the current theme, visibility rules (path, node types, roles) are applied again in PHP. If the configuration is stored in MongoDB then all this can become an indexed, practically instant query. Configuration storage, after all, is just storing and querying and retrieving arrays and MongoDB is really, really good at that. Because of this, I expect many sites to pick MongoDB for their configuration storage. I also expect that because of the simplicity of cross-entity type JOINs, many people will stick with SQL for their content storage. Although it must be noted that the choice can be made per entity type and as MongoDB stores complete entities it is able to index even those queries that the SQL storage can not.
There are some simpler storages which are also a good fit for MongoDB: sessions because of the write performance and logging because MongoDB has a capped collection (a circular buffer) feature so you will always have the latest N messages and never too much.
Showing files that have changed on the live server:git status
Looking for code execution attempts via menu_router:select * from menu_router where access_callback = 'file_put_contents'
Showing which files are on the live server and not in version control:diff -r docroot repo | grep docroot | grep 'Only in docroot'
Finding PHP files in the files directory:find . -path "*php"
Checking the amount of time between when a user logged into your site and their most recent page visit:select (s.timestamp - u.login) / 60 / 60 / 24 AS days_since_login, u.uid from sessions s inner join users u on s.uid = u.uid;
Hotfix: (SA-CORE-2014-005)curl https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch | patch -p1
Sorry , that was 6. Please add others in the comments.
If you need help regarding the recent drupal vulnerability feel free to contact me.Tags: Tweet