Development News

Mailhandler - Critical - Remote Code Execution - SA-CONTRIB-2017-089

Drupal Contributed Security - Wed, 12/06/2017 - 14:37
Project: 
Version: 
7.x-2.10
Date: 
2017-December-06
Vulnerability: 
Remote Code Execution
Description: 

The Mailhandler module enables you to create nodes by email.

The Mailhandler module does not validate file attachments. By sending a correctly crafted e-mail to a mailhandler mailbox an attacker can execute arbitrary code.

The vulnerability applies to any active mailhandler mailbox, whether or not attachments are mapped to a field.

Mitigating factors:

  • For 7.x versions prior to 7.x-2.5, the vulnerability is mitigated by the fact that the 'MailhandlerCommandsFiles' plugin must be enabled. For later versions, the option to disable commands was removed, all commands are enabled in any case.
  • The vulnerability is mitigated by the fact that the attacker must pass the authentication step. The default authentication is that the attacker must send the crafted e-mail from a registered e-mail address.
  • The vulnerability is mitigated by the fact that the mailhandler mailbox e-mail address must be known by the attacker. This essentially depends on the usecase, e.g. Mailcomment module.
  • The vulnerability is mitigated by the fact that the webserver configuration must either permit the execution of some file extensions in the public filesystem or (Apache) has '.htaccess' support enabled through the AllowOverride directive.
Solution: 

Install the latest version:

Also see the Mailhandler project page.

Reported By: 
Coordinated By: 

Massachusetts launches Mass.gov on Drupal 8

Drupal News - Tue, 12/05/2017 - 12:04

This blog has been re-posted and edited with permission from Dries Buytaert's blog. Please leave your comments on the original post.

Earlier this year, the Commonwealth of Massachusetts launched Mass.gov on Drupal 8. Holly St. Clair, the Chief Digital Officer of the Commonwealth of Massachusetts, joined me during my Acquia Engage keynote to share how Mass.gov is making constituents' interactions with the state fast, easy, meaningful, and "wicked awesome".

Constituents at the center

Today, 76% of constituents prefer to interact with their government online. Before Mass.gov switched to Drupal it struggled to provide a constituent-centric experience. For example, a student looking for information on tuition assistance on Mass.gov would have to sort through 7 different government websites before finding relevant information.

Mass.gov - Before and After

To better serve residents, businesses and visitors, the Mass.gov team took a data-driven approach. After analyzing site data, they discovered that 10% of the content serviced 89% of site traffic. This means that up to 90% of the content on Mass.gov was either redundant, out-of-date or distracting. The digital services team used this insight to develop a site architecture and content strategy that prioritized the needs and interests of citizens. In one year, the team at Mass.gov moved a 15-year-old site from a legacy CMS to Drupal.

The team at Mass.gov also incorporated user testing into every step of the redesign process, including usability, information architecture and accessibility. In addition to inviting over 330,000 users to provide feedback on the pilot site, the Mass.gov team partnered with the Perkins School for the Blind to deliver meaningful accessibility that surpasses compliance requirements. This approach has earned Mass.gov a score of 80.7 on the System Usability Scale; 12 percent higher than the reported average.

Open from the start

As an early adopter of Drupal 8, the Commonwealth of Massachusetts decided to open source the code that powers Mass.gov. Everyone can see the code that make Mass.gov work, point out problems, suggest improvements, or use the code for their own state. It's inspiring to see the Commonwealth of Massachusetts fully embrace the unique innovation and collaboration model inherent to open source. I wish more governments would do the same!

Congratulations Mass.gov

The new Mass.gov is engaging, intuitive and above all else, wicked awesome. Congratulations Mass.gov!

Categories: Development News, Drupal

We have 10 days to save net neutrality

Drupal News - Tue, 12/05/2017 - 12:01

This blog has been re-posted and edited with permission from Dries Buytaert's blog. Please leave your comments on the original post.

Cable squeeze

Last month, the Chairman of the Federal Communications Commission, Ajit Pai, released a draft order that would soften net neutrality regulations. He wants to overturn the restrictions that make paid prioritization, blocking or throttling of traffic unlawful. If approved, this order could drastically alter the way that people experience and access the web. Without net neutrality, Internet Service Providers could determine what sites you can or cannot see.

The proposed draft order is disheartening. Millions of Americans are trying to save net neutrality; the FCC has received over 5 million emails, 750,000 phone calls, and 2 million comments. Unfortunately this public outpouring has not altered the FCC's commitment to dismantling net neutrality.

The commission will vote on the order on December 14th. We have 10 days to save net neutrality.

Although I have written about net neutrality before, I want to explain the consequences and urgency of the FCC's upcoming vote.

What does Pai's draft order say?

Chairman Pai has long been an advocate for "light touch" net neutrality regulations, and claims that repealing net neutrality will allow "the federal government to stop micromanaging the Internet".

Specifically, Pai aims to scrap the protection that classifies ISPs as common carriers under Title II of the Communications Act of 1934. Radio and phone services are also protected under Title II, which prevents companies from charging unreasonable rates or restricting access to services that are critical to society. Pai wants to treat the internet differently, and proposes that the FCC should simply require ISPs "to be transparent about their practices". The responsibility of policing ISPs would also be transferred to the Federal Trade Commission. Instead of maintaining the FCC's clear-cut and rule-based approach, the FTC would practice case-by-case regulation. This shift could be problematic as a case-by-case approach could make the FTC a weak consumer watchdog.

The consequences of softening net neutrality regulations

At the end of the day, frail net neutrality regulations mean that ISPs are free to determine how users access websites, applications and other digital content.

It is clear that depending on ISPs to be "transparent" will not protect against implementing fast and slow lanes. Rolling back net neutrality regulations means that ISPs could charge website owners to make their website faster than others. This threatens the very idea of the open web, which guarantees an unfettered and decentralized platform to share and access information. Gravitating away from the open web could create inequity in how communities share and express ideas online, which would ultimately intensify the digital divide. This could also hurt startups as they now have to raise money to pay for ISP fees or fear being relegated to the "slow lane".

The way I see it, implementing "fast lanes" could alter the technological, economic and societal impact of the internet we know today. Unfortunately it seems that the chairman is prioritizing the interests of ISPs over the needs of consumers.

What can you can do today

Chairman Pai's draft order could dictate the future of the internet for years to come. In the end, net neutrality affects how people, including you and me, experience the web. I've dedicated both my spare time and my professional career to the open web because I believe the web has the power to change lives, educate people, create new economies, disrupt business models and make the world smaller in the best of ways. Keeping the web open means that these opportunities can be available to everyone.

If you're concerned about the future of net neutrality, please take action. Share your comments with the U.S. Congress and contact your representatives. Speak up about your concerns with your friends and colleagues. Organizations like The Battle for the Net help you contact your representatives — it only takes a minute!

Now is the time to stand up for net neutrality: we have 10 days and need everyone's help.

Categories: Development News, Drupal

Holistic Collaboration

Drupal News - Fri, 12/01/2017 - 16:44

The following blog was written by Drupal Association Premium Supporting Partner, Wunder Group.

For the past couple of years I have been talking about the holistic development and operations environments at different camps. As this year’s highlight,  I gave  a session in DrupalCon Vienna around that same topic. The main focus of my talk has been on the improvement opportunities offered by a holistic approach, but there is another important aspect I’d like to introduce: The collaboration model.

Every organization has various experts for different subject matters. Together these experts can create great things. As the saying goes “the whole is more than the sum of its parts”, which means there is more value generated when those experts work together, than from what they would individually produce. This however, is easier said than done. 

These experts have usually worked within their own specific domains and for others their work might seem obscure. It’s easy to perceive them as “they’re doing some weird voodoo” while not realizing that others might see your work in your own domain the same way. Even worse, we raise our craft above all others and we look down at those who do not excel in our domain.

How IT people see each other:

But each competence is equally important. You can’t ignore one part and focus on the other. The whole might be greater than the sum of its parts, but the averages do factor in. Let's take for example a fictional project. Sales people do great job getting the project in, upselling a great design. The design team delivers and it gets even somehow implemented, but nobody remembered to consult the sysops. Imagine apple.com, the pinnacle of web design, but launched on this:
 


(Sorry for the potato quality).
 

Everything needs to be in balance. The real value added is not in the work everybody does individually, but in what falls in between. We need to fill those caps with cooperation to get the best value out of the work. 

So how do you find the balance?

The key to find balance and to get the most out of the group of experts is communication and collaboration. There needs to be active involvement from every part of the organization right from the start to make sure nothing is left unconsidered. The communication needs to stay active throughout the whole project. It is important to speak the same language. I know it’s easy to start talking in domain jargon. And every single discipline has their own. The terms might be clear to you, but remember that the other party might not have ever heard of it. So pay attention to the terms you use. 

“Let's set the beresp ttl down to 60s when the request header has the cache-tag set for all the bereq uris matching /api/ endpoint before passing it to FastCGI” - Space Talk

Instead of looking down to each other we should see others like they see themselves. Respect both their knowledge and the importance of their domain.

How IT people should see each other: 

(Sysadmins: not because we like to flip at everybody, but because Linus, the guy who can literally change the source code of the real world Matrix, the Web.)
 

Everybody needs to acknowledge the goal and work towards it together. Not just focus on their own area but also make sure their work is compatible with that of others. There needs to be a shared communications channel where everyone can reach each other. It should also be possible to communicate directly to those people who know best without having any hierarchy to go through. The flat organization structure doesn’t only mean you can contact higher ups directly, but also that you can contact any individual from different area of expertise directly.

By collaboration you can also eliminate redundancies. It can be so that there are different units doing overlapping work, both with their own ways. Or there could be a team that is doing the work falling in between two other teams. A good example of this is the devops team. Only in a very large organization there is probably enough work to actually have a dedicated team taking care of that work. As devops need to know something about both the development and the operations side they need to be experts on multiple areas. Still there are project specific stuff they need to adjust. This means communication between the development and devops team. Likewise this same information needs to be passed to sysops team. The chain could be even longer, but it’s already easy to play a chinese whispers, or telephone, over such a short distance. And there is probably nothing devs and ops couldn’t do together when communicating directly and working together to fill those gaps. 

Working together, not only to get things done, but also to understand each other gives a lot of benefits with a small work. Building silos and only doing improvement inside them will only widen the cap and all the benefits gained from such improvements will disappear when you need to start filling the gaps between them. Now, go and find a way to do something better together!

Written by Janne Koponen.

Categories: Development News, Drupal

PHP 7.2.0 Released

PHP Announcements - Thu, 11/30/2017 - 06:04
The PHP development team announces the immediate availability of PHP 7.2.0. This release marks the second feature update to the PHP 7 series. PHP 7.2.0 comes with numerous improvements and new features such as Convert numeric keys in object/array casts Counting of non-countable objects Object typehint HashContext as Object Argon2 in password hash Improve TLS constants to sane values Mcrypt extension removed New sodium extension For source downloads of PHP 7.2.0 please visit our downloads page Windows binaries can be found on the PHP for Windows site. The list of changes is recorded in the ChangeLog. The migration guide is available in the PHP Manual. Please consult it for the detailed list of new features and backward incompatible changes. Many thanks to all the contributors and supporters!
Categories: Development News, PHP, PHP News

bootstrap_carousel - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-088

Drupal Contributed Security - Wed, 11/29/2017 - 14:21
Version: 
7.x-1.x-dev
Date: 
2017-November-29
Vulnerability: 
Cross Site Scripting
Description: 

This module provides a way to make carousels, based on bootstrap-carousel.js.

The module doesn't sufficiently handle output of img HTML tag's alt property.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Carousel: Create new content" or any similar node module permissions for creating/editing/removing the module-delivered content type.

Solution: 

Install the latest version:

Reported By: 
Fixed By: 
Coordinated By: 

Services single sign-on client - Critical - Cross-site scripting - SA-CONTRIB-2017-087

Drupal Contributed Security - Wed, 11/29/2017 - 14:17
Version: 
7.x-1.x-dev
Date: 
2017-November-29
Vulnerability: 
Cross-site scripting
Description: 

This module allows users of a remote Services-enabled Drupal site to sign on to a second site with their credentials.

The module does not sanitize information from the request before displaying it, thereby exposing a cross-site scripting vulnerability.

Solution: 

Install the latest version:

Reported By: 
Fixed By: 
Coordinated By: 

Cloud - Critical - CSRF - SA-CONTRIB-2017-086

Drupal Contributed Security - Wed, 11/29/2017 - 14:13
Project: 
Version: 
7.x-1.x-dev
Date: 
2017-November-29
Vulnerability: 
CSRF
Description: 

This module enables sites to manage public clouds like Amazon EC2 and also private clouds like OpenStack.

The module doesn't sufficiently protect the deletion of audit reports, thereby exposing a cross-site request vulnerability which can be exploited by unprivileged users to trick an administrator into unwanted deletion of audit reports.

This vulnerability is mitigated by the fact that the victim must have a role with the permission "access audit report".

Solution: 

Install the latest version:

  • If you use the Cloud module for Drupal 7, upgrade to Cloud 7.x-1.7
Reported By: 
Fixed By: 
Coordinated By: 

MoneySuite - Moderately critical - Access bypass - SA-CONTRIB-2017-085

Drupal Contributed Security - Wed, 11/29/2017 - 14:09
Project: 
Version: 
7.x-10.x-dev
Date: 
2017-November-29
Vulnerability: 
Access bypass
Description: 

MoneySuite provides a set of modules for Drupal sites that rely on the sale of memberships and/or content for revenue.

The modules have an access bypass vulnerability which allows untrusted users (including anonymous users) to view payments made by users within the system. No data can be modified, nor are any credit card numbers displayed.

Solution: 

Install the latest version:

Reported By: 
Fixed By: 
Coordinated By: 

Domain Integration - Moderately critical - Access bypass - SA-CONTRIB-2017-084

Drupal Contributed Security - Wed, 11/29/2017 - 14:01
Version: 
7.x-1.x-dev
Date: 
2017-November-29
Vulnerability: 
Access bypass
Description: 

This module enables you to integrate the Domain module with other popular Drupal modules. The Domain Integration Login Restrict sub-module enables you to restrict access to a domain based on the assigned domains on a user.

The Domain Integration Login Restrict sub-module doesn't sufficiently check these restrictions when using one-time logins.

This vulnerability is mitigated by the fact that an attacker must have an active account on one of the domains.

Solution: 

Install the latest version:

Reported By: 
Fixed By: 
Coordinated By: 

PHP 7.1.12 Released

PHP Announcements - Fri, 11/24/2017 - 02:02
The PHP development team announces the immediate availability of PHP 7.1.12. This is a bugfix release, with several bug fixes included. All PHP 7.1 users are encouraged to upgrade to this version. For source downloads of PHP 7.1.12 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
Categories: Development News, PHP, PHP News

PHP 7.0.26 Released

PHP Announcements - Thu, 11/23/2017 - 08:00
The PHP development team announces the immediate availability of PHP 7.0.26. Several bugs have been fixed. All PHP 7.0 users are encouraged to upgrade to this version. For source downloads of PHP 7.0.26 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
Categories: Development News, PHP, PHP News

An update on the Workflow Initiative for Drupal 8.4/8.5

Drupal News - Wed, 11/22/2017 - 13:57

This blog has been re-posted with permission from Dries Buytaert's blog. Please leave your comments on the original post.

Over the past weeks I have shared an update on the Media Initiative and an update on the Layout Initiative. Today I wanted to give an update on the Workflow Initiative.

Creating great software doesn't happen overnight; it requires a desire for excellence and a disciplined approach. Like the Media and Layout Initiatives, the Workflow Initiative has taken such an approach. The disciplined and steady progress these initiative are making is something to be excited about.

8.4: The march towards stability

As you might recall from my last Workflow Initiative update, we added the Content Moderation module to Drupal 8.2 as an experimental module, and we added the Workflows module in Drupal 8.3 as well. The Workflows module allows for the creation of different publishing workflows with various states (e.g. draft, needs legal review, needs copy-editing, etc) and the Content Moderation module exposes these workflows to content authors.

As of Drupal 8.4, the Workflows module has been marked stable. Additionally, the Content Moderation module is marked beta in Drupal 8.4, and is down to two final blockers before marking stable. If you want to help with that, check out the Content Moderation module roadmap.

8.4: Making more entity types revisionable

To advance Drupal's workflow capabilities, more of Drupal's entity types needed to be made "revisionable". When content is revisionable, it becomes easier to move it through different workflow states or to stage content. Making more entity types revisionable is a necessary foundation for better content moderation, workflow and staging capabilities. But it was also hard work and took various people over a year of iterations — we worked on this throughout the Drupal 8.3 and Drupal 8.4 development cycle.

When working through this, we discovered various adjacent bugs (e.g. bugs related to content revisions and translations) that had to be worked through as well. As a plus, this has led to a more stable and reliable Drupal, even for those who don't use any of the workflow modules. This is a testament to our desire for excellence and disciplined approach.

8.5+: Looking forward to workspaces

While these foundational improvements in Drupal 8.3 and Drupal 8.4 are absolutely necessary to enable better content moderation and content staging functionality, they don't have much to show for in terms of user experience changes. Now a lot of this work is behind us, the Workflow Initiative changed its focus to stabilizing the Content Moderation module, but is also aiming to bring the Workspace module into Drupal core as an experimental module.

The Workspace module allows the creation of multiple environments, such as "Staging" or "Production", and allows moving collections of content between them. For example, the "Production" workspace is what visitors see when they visit your site. Then you might have a protected "Staging" workspace where content editors prepare new content before it's pushed to the Production workspace.

While workflows for individual content items are powerful, many sites want to publish multiple content items at once as a group. This includes new pages, updated pages, but also changes to blocks and menu items — hence our focus on making things like block content and menu items revisionable. 'Workspaces' group all these individual elements (pages, blocks and menus) into a logical package, so they can be prepared, previewed and published as a group. This is one of the most requested features and will be a valuable differentiator for Drupal. It looks pretty slick too:

Drupal 8 Outside In Content Creation Prototype

An outside-in design that shows how content creators could work in different workspaces. When you're building out a new section on your site, you want to preview your entire site, and publish all the changes at once. Designed by Jozef Toth at Pfizer.

I'm impressed with the work the Workflow team has accomplished during the Drupal 8.4 cycle: the Workflow module became stable, the Content Moderation module improved by leaps and bounds, and the under-the-hood work has prepared us for content staging via Workspaces. In the process, we've also fixed some long-standing technical debt in the revisions and translations systems, laying the foundation for future improvements.

Special thanks to Angie Byron for contributions to this blog post and to Dick Olsson, Tim Millwood and Jozef Toth for their feedback during the writing process.

Categories: Development News, Drupal

International PHP Conference 2018 - spring edition

PHP Announcements - Wed, 11/22/2017 - 04:54
The International PHP Conference is the world's first PHP conference and stands since more than a decade for top-notch pragmatic expertise in PHP and web technologies. At the IPC, internationally renowned experts from the PHP industry meet up with PHP users and developers from large and small companies. Here is the place where concepts emerge and ideas are born - the IPC signifies knowledge transfer at highest level. All delegates of the International PHP Conference have, in addition to PHP program, free access to the entire range of the webinale '18 taking place at the same time. Basic facts: Date: June 4 – 8, 2018 Location: Maritim Hotel ProArte, Berlin Highlights: 90+ best practice sessions 60+ international top speakers PHPower: Hands-on Power Workshops Expo with exciting exhibitors on June 5th and 6th Conference Combo: Visit the webinale for free All inclusive: Changing buffets, snacks & refreshing drinks Official certificate for attendees Free Swag: Developer bag, T-Shirt, magazines etc. Exclusive networking events Topics: PHP Development Web Development & Architecture Server & Deployment Agile & DevOps Performance & Security Data & Privacy For further information on the International PHP Conference visit: www.phpconference.com
Categories: Development News, PHP, PHP News

php[tek] 2018 : Call for Speakers

PHP Announcements - Mon, 11/20/2017 - 17:55
The 13th annual edition of php[tek], the longest running community focused PHP conference in the USA, will be taking place May 30 - June 1, 2018 in Atlanta, with workshop and training days preceeding it. We have opened up our Call for Speakers and look forward to seeing all the amazing proposals that you will submit to us. As always we plan on offering a broad range of topics with our attendees. We are interested in any topics related to PHP development, as well as non-technical talks that will appeal to a developer heavy audience! Our comprehensive speaker's package this year includes: - A free conference ticket - Round-trip economy airfare booked by us - Accommodations at the conference hotel: - 3 nights for speakers - 4 nights for workshop presenters - 5 nights for training class teachers Don't hesitate, the Call for Speakers is only open until December 29th, 2017. So get those submissions in soon, we look forward to hearing from you!
Categories: Development News, PHP, PHP News

An update on the Layout Initiative for Drupal 8.4/8.5

Drupal News - Wed, 11/15/2017 - 12:39

This blog has been re-posted with permission from Dries Buytaert's blog. Please leave your comments on the original post.

Now Drupal 8.4 is released, and Drupal 8.5 development is underway, it is a good time to give an update on what is happening with Drupal's Layout Initiative.

8.4: Stable versions of layout functionality

Traditionally, site builders have used one of two layout solutions in Drupal: Panelizer and Panels. Both are contributed modules outside of Drupal core, and both achieved stable releases in the middle of 2017. Given the popularity of these modules, having stable releases closed a major functionality gap that prevented people from building sites with Drupal 8.

8.4: A Layout API in core

The Layout Discovery module added in Drupal 8.3 core has now been marked stable. This module adds a Layout API to core. Both the aforementioned Panelizer and Panels modules have already adopted the new Layout API with their 8.4 release. A unified Layout API in core eliminates fragmentation and encourages collaboration.

8.5+: A Layout Builder in core

Today, Drupal's layout management solutions exist as contributed modules. Because creating and building layouts is expected to be out-of-the-box functionality, we're working towards adding layout building capabilities to Drupal core.

Using the Layout Builder, you start by selecting predefined layouts for different sections of the page, and then populate those layouts with one or more blocks. I showed the Layout Builder in my DrupalCon Vienna keynote and it was really well received:

8.5+: Use the new Layout Builder UI for the Field Layout module

One of the nice improvements that went in Drupal 8.3 was the Field Layout module, which provides the ability to apply pre-defined layouts to what we call "entity displays". Instead of applying layouts to individual pages, you can apply layouts to types of content regardless of what page they are displayed on. For example, you can create a content type 'Recipe' and visually lay out the different fields that make up a recipe. Because the layout is associated with the recipe rather than with a specific page, recipes will be laid out consistently across your website regardless of what page they are shown on.

The basic functionality is already included in Drupal core as part of the experimental Fields Layout module. The goal for Drupal 8.5 is to stabilize the Fields Layout module, and to improve its user experience by using the new Layout Builder. Eventually, designing the layout for a recipe could look like this:

Drupal 8.5 Field Layouts Prototype

Layouts remains a strategic priority for Drupal 8 as it was the second most important site builder priority identified in my 2016 State of Drupal survey, right behind Migrations. I'm excited to see the work already accomplished by the Layout team, and look forward to seeing their progress in Drupal 8.5! If you want to help, check out the Layout Initiative roadmap.

Special thanks to Angie Byron for contributions to this blog post, to Tim Plunkett and Kris Vanderwater for their feedback during the writing process, and to Emilie Nouveau for the screenshot and video contributions.

Categories: Development News, Drupal

An update on the Media Initiative for Drupal 8.4/8.5

Drupal News - Fri, 11/10/2017 - 11:49

This blog has been re-posted with permission from Dries Buytaert's blog. Please leave your comments on the original post.

In my blog post, "A plan for media management in Drupal 8", I talked about some of the challenges with media in Drupal, the hopes of end users of Drupal, and the plan that the team working on the Media Initiative was targeting for future versions of Drupal 8. That blog post is one year old today. Since that time we released both Drupal 8.3 and Drupal 8.4, and Drupal 8.5 development is in full swing. In other words, it's time for an update on this initiative's progress and next steps.

8.4: a Media API in core

Drupal 8.4 introduced a new Media API to core. For site builders, this means that Drupal 8.4 ships with the new Media module (albeit still hidden from the UI, pending necessary user experience improvements), which is an adaptation of the contributed Media Entity module. The new Media module provides a "base media entity". Having a "base media entity" means that all media assets — local images, PDF documents, YouTube videos, tweets, and so on — are revisable, extendable (fieldable), translatable and much more. It allows all media to be treated in a common way, regardless of where the media resource itself is stored. For end users, this translates into a more cohesive content authoring experience; you can use consistent tools for managing images, videos, and other media rather than different interfaces for each media type.

8.4+: porting contributed modules to the new Media API

The contributed Media Entity module was a "foundational module" used by a large number of other contributed modules. It enables Drupal to integrate with Pinterest, Vimeo, Instagram, Twitter and much more. The next step is for all of these modules to adopt the new Media module in core. The required changes are laid out in the API change record, and typically only require a couple of hours to complete. The sooner these modules are updated, the sooner Drupal's rich media ecosystem can start benefitting from the new API in Drupal core. This is a great opportunity for intermediate contributors to pitch in.

8.5+: add support for remote video in core

As proof of the power of the new Media API, the team is hoping to bring in support for remote video using the oEmbed format. This allows content authors to easily add e.g. YouTube videos to their posts. This has been a long-standing gap in Drupal's out-of-the-box media and asset handling, and would be a nice win.

8.6+: a Media Library in core

The top two requested features for the content creator persona are richer image and media integration and digital asset management.

The top content author improvements for Drupal

The results of the State of Drupal 2016 survey show the importance of the Media Initiative for content authors.

With a Media Library content authors can select pre-existing media from a library and easily embed it in their posts. Having a Media Library in core would be very impactful for content authors as it helps with both these feature requests.

During the 8.4 development cycle, a lot of great work was done to prototype the Media Library discussed in my previous Media Initiative blog post. I was able to show that progress in my DrupalCon Vienna keynote:

The Media Library work uses the new Media API in core. Now that the new Media API landed in Drupal 8.4 we can start focusing more on the Media Library. Due to bandwidth constraints, we don't think the Media Library will be ready in time for the Drupal 8.5 release. If you want to help contribute time or funding to the development of the Media Library, have a look at the roadmap of the Media Initiative or let me know and I'll get you in touch with the team behind the Media Initiative.

Special thanks to Angie Byron for contributions to this blog post and to Janez Urevc, Sean Blommaert, Marcos Cano Miranda, Adam G-H and Gábor Hojtsy for their feedback during the writing process.

Categories: Development News, Drupal

PHP 7.2.0RC6 Released

PHP Announcements - Thu, 11/09/2017 - 09:57
The PHP development team announces the immediate availability of PHP 7.2.0 RC6. This release is the sixth Release Candidate for 7.2.0. Barring any surprises, we expect this to be the FINAL release candidate, with Nov 30th's GA release being not-substantially different. All users of PHP are encouraged to test this version carefully, and report any bugs and incompatibilities in the bug tracking system. THIS IS A DEVELOPMENT PREVIEW - DO NOT USE IT IN PRODUCTION! For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. For source downloads of PHP 7.2.0 Release Candidate 6 please visit the download page, Windows sources and binaries can be found at windows.php.net/qa/. Thank you for helping us make PHP better.
Categories: Development News, PHP, PHP News

Custom Permissions - Moderately critical - Access bypass - SA-CONTRIB-2017-083

Drupal Contributed Security - Wed, 11/08/2017 - 13:22
Version: 
8.x-1.x-dev
Date: 
2017-November-08
Vulnerability: 
Access bypass
Description: 

Custom Permissions is a lightweight module that allows permissions to be created and managed through an administrative form.

When this module is in use, any user who is able to perform an action which rebuilds some of Drupal's caches can trigger a scenario in which certain pages protected by this module's custom permissions temporarily lose those custom access controls, thereby leading to an access bypass vulnerability.

Solution: 

Install the latest version:

Reported By: 
Fixed By: 
Coordinated By: 

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2017-082

Drupal Contributed Security - Wed, 11/08/2017 - 13:16
Version: 
8.x-1.x-dev
Date: 
2017-November-08
Vulnerability: 
Access bypass
Description: 

The Permissions by Term module extends Drupal by adding functionality for restricting access to single nodes via taxonomy terms.

The module grants access to nodes that are being blocked by other node access modules and that the Permissions by Term module does not intend to control. Additionally, it grants access to unpublished nodes in node listings to users who should not be able to see them. These problems lead to an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only occurs on sites that either have another node access module (besides Permissions by Term) in use, or that have node listings that are accessible to unprivileged users and that don't directly filter out unpublished content.

Solution: 

Install the latest version:

Reported By: 
Fixed By: 
Coordinated By: 
Syndicate content