Articles tagged with "security"

We’re big believers in supporting our team’s growth, because when our people develop, our clients benefit too. Whether that’s through industry certifications, new technologies, or further study, we’re always proud to see our team expanding their skills. Recently, Andrei, one of our Drupal developers, completed a Masters in Information Systems & Cyber Security with the University of Chichester. This was a great personal achievement that also strengthens our collective focus on keeping clients’ websites secure...

When a client has a need or idea that other people might benefit from, it's a great opportunity to contribute a module back to the community. I recently created the new Autocreate Access module to solve a problem on a project where Drupal's autocomplete tagging widget for taxonomy terms didn't work as our client expected. Typically, Drupal sites utilise this field widget to allow users to create new categories for their content on the fly...

We recently went through the process of applying for Cyber Essentials. Cyber Essentials is a program created by the UK government to help businesses get on top of their Cyber security. It was an interesting process for us to go through, and certainly helped us to formalise and document practices we had been doing for years. We did hit a bit of a blocker tho for our developers, specifically on point A7.6 Use of Administrator Accounts...

Drupal provides an excellent sanitisation system to filter the HTML content that editors might create. Think of it like a series of traffic cops that filter different vehicles into different lanes. Some content is allowed through to its destination, some has to be transformed along the way, and some is simply blocked from displaying. Administrators can use the 'Limit allowed HTML tags and correct faulty HTML' option to configure which HTML elements and attributes they...

Update! Since this article was written, a new 'lenient' composer endpoint has been created on Drupal.org to support using modules with Drupal 9 that haven't been marked as compatible with it yet. See the documentation, which boils down to adding a new common entry under 'repositories' in your composer.json, above the usual https://packages.drupal.org/8 one. The rest of this article is still useful for understanding how patching fits into composer's workflow. The vast majority of community-contributed...

There are some key files like robots.txt and .htaccess which are often tweaked for Drupal websites. These can be considered part of the 'scaffolding' of a site - they control the way the site works, rather than its content or design. Any new release of Drupal core that includes changes to them specifically mentions that they need updating, as those changes may have to be merged with any customisations made on your site. For example...

Drupal receives security updates several times a year, and we always apply them as soon as possible. Since Drupal security issues can make the headlines, it's important that site owners know that their site is secure and up to date - it provides for peace of mind and for pride in an excellent site. We decided this year to ensure that clients know about security updates to Drupal Core on their site. Via a quick...

Last night saw the popular EU Cookie Compliance module fall from grace, as the Drupal community discovered that numerous inputs in the admin form were not being sanitised. To me, this shows some serious failings in how our community is handling security awareness. Let's do some fixing :) ### 1) We need to make this OBVIOUS, with clear examples One of the most important things when trying to get people to write secure code is...

After reading this from Ars Technica, which describes how a developer offered to 'help' the maintainer of an NPM module - and then slowly introduced malicious code to it - I can't help but wonder if the Drupal community is vulnerable to the exact same issue. Let's discuss! ###Please, don't touch my package NPM modules have been hacked at before, and it's not pretty when it happens. Because of the way we use packages, it's...

I'll keep this short and sweet, but we thought this would be a useful tip to share with the world as a potential security issue with the combined use of File::getFileUri() and FileSystem::realpath(). Consider the following code excerpt : $file = File::load($some_file_uri); if ($file) { $uri = $file->getFileUri(); $file_realpath = \Drupal::service('file_system')->realpath($uri); } Seems pretty harmless right? Load up the file from $some_file_uri , If we have a valid file then get the URI and then...