drupal-planet

A persistent Drupal 7 exploit using a pluggable variable

A couple of years ago I was asked to take a look at a Drupal 7 site that was performing poorly where a colleague had spotted a strange function call in an Application Performance Management (APM) system.

The APM traces we were looking at included a __lambda_func under which was a class called Ratel. Under those were some apparent external calls to some dodgy looking domains.

One of my very excellent colleagues had done some digging and found some more details about the domains which confirmed their apparent dodginess.

Assessing the likelihood of a Drupal exploit of Ghostscript Zero Day CVE-2021-3781

Drupal 9 detects a fake image file

My colleagues and I in the Drupal Security Team recently became aware of a Zero Day RCE vulnerability in Ghostscript. This was later assigned CVE-2021-3781.

At least one viable Proof of Concept (PoC) was made public not long after the Zero Day which illustrated Scalable Vector Graphics (SVG) handling in Imagemagick being used as an attack vector.

Checking for Bad Passwords in Drupal with Drop the Ripper to Avoid Site Compromise

This was originally posted on the dev.acquia.com blog.

Easy-to-guess passwords are all too often the means by which intruders gain unauthorised access. It's useful to be able to audit the passwords in use on your site - especially for user accounts with administrative privileges.

Password Policies and Drupal

The default Drupal 7 password form
Correct Horse Battery Staple - credit xkcd.com

This was originally posted on the dev.acquia.com blog.

People tend to choose bad passwords if they are allowed to.

By default Drupal provides some guidance about how to "make your password stronger," but there's no enforcement of any particular password policy out of the box. As usual, there's a module for that. More than one in fact.

How to cleanly delete a Drupal file with drush

This is a simple trick which (unless my googlefu simply failed me) I didn't find described anywhere when I had a quick look:

$ drush ev '$file = file_load(21749); var_dump(file_delete($file, TRUE));'
bool(true)

Check your cache before you wreck yourself

Cache invalidation is known as one of the very few hard things in computer science.

It seems to be a common misconception that Drupal's cache_get checks whether a given cache entry has expired, and won't return a stale result. In fact, in Drupal this is not always the case.

git commit author - give credit where credit is due

Quite some time ago I wrote a post about how patching makes you feel good in which I talked about the motivations for, and benefits of submitting patches on drupal.org (d.o). I concluded by suggesting that project maintainers should be generous in recognising the efforts of those who submit patches.

default Drupal contexts like default views

I was using the brilliant context module in a project recently. The fact that it uses ctools means it has a few characteristics reminiscent of views (and panels). One of these is the import / export functionality, and the distinction between the different types of storage for the contexts you've set up - i.e.

using Geany as an editor for Drupal development

In general I'm a happy vim user, but now and again I am asked why I'm using such an antiquated environment. Editor preference is of course a topic over which many long and pointless arguments have been waged - often from intractable dug-in positions of dogma. I think it's good to poke your head above the trench occasionally and see what else is available.

how to increase php memory limit for drush without access to php.ini

I recently found myself trying to use drush to set up a Drupal 6 install on a server where I did not have root access. I kept getting errors along the lines of this:

Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 1234 bytes)

I didn't have permission to edit the php.ini file for php_cli, so I had to find another workaround. The solution's pretty simple and comes courtesy of the drushrc.php file.