Maintainers-news

maintainers-news@drupal.org

6 discussions

Core Security - Understanding Text Formats
by maintainers-news＠drupal.org 09 Jan '13

09 Jan '13

View online: http://drupal.org/node/1884352 Dear Drupal maintainer-news subscriber, One of the goals of the Drupal Security Team is promoting education on security topics. In this email, we on the Drupal Security Team provide some “best practice” guidelines for configuration of Drupal’s text formats, to help you keep your sites secure. Despite Drupal core having sensible security defaults, it's quite easy to introduce insecure misconfigurations and in so doing open your site up to attack. If you’re building Drupal sites it’s important to understand Text Formats as an example of safely using user input. One of the most frequently encountered vulnerabilities on the web and the number one vulnerability improperly built Drupal sites is cross-site scripting (XSS). You should be aware of how Drupal’s Text Formats system protects you against XSS, to avoid unknowingly opening your site up to attack (see https://www.owasp.org/index.php/Cross_Site_Scripting_Flaw). Drupal 7 has three formats by default: Filtered HTML, Full HTML, and Plain Text (Drupal 6 does not install the Plain Text format by default.) Known as Text Formats, these are comprised of filters which run on input text when node bodies, certain fields, and comment bodies are output. Text Formats are one of the most important lines of defense against attackers submitting content to your site. In addition to keeping you safe from malicious content, Text Formats also help format and display input. You can review your Text Formats (known as Input Formats in Drupal 6) at: * Drupal 7: Administration > Configuration > Text Formats or /admin/config/content/formats * Drupal 6: Administer > Site configuration > Input formats or /admin/settings/filters As the name implies, the Filtered HTML text format is more restrictive of allowed HTML output than Full HTML, so be sure you haven't allowed roles that may be held by untrusted users to use the Full HTML Text Format. If an untrusted user can use the Full HTML text format then they can possibly execute a XSS attack against your site to deface it, steal private information, or worse. You can read more about cross-site scripting (XSS) at the following pages * https://www.owasp.org/index.php/Cross_Site_Scripting_Flaw * http://drupalscout.com/knowledge-base/introduction-cross-site-scripting-xss… For an automated way to review the Text Formats of your site check out the Security Review module at http://drupal.org/project/security_review. Next time we’ll discuss the underlying APIs provided by Drupal for safely handling user input in your custom code. As a reminder, if you ever find a security issue in Drupal core, or contributed modules, please report it to us immediately. See http://drupal.org/security-team/report-issue for more info. Also, for the month of January some members of the security team are offering IRC office-hours for assistance in writing and building secure Drupal sites and code. Read more at http://drupal.org/node/1883394 Stay secure, http://drupal.org/security-team

1 0

Git migration is live - what you need to do as a maintainer
by maintainers-news＠drupal.org 26 Feb '11

26 Feb '11

The Drupal.org CVS -> Git migration has been completed during the evening of February 24, though the morning of February 25 2011! If you see a member of the git migration team online or at Drupalcon, be sure to thank them. There are a number of things that ALL CVS account holders MUST do ASAP in order to be able to maintain their projects going forward. All write access to CVS is cut off and you cannot make commits or releases that way. A comprehensive set of documentation is available at http://drupal.org/documentation/git [1]. This post is just meant to highlight a few essential steps for existing maintainers. Key points: * Do you want to be able to make new projects and changes to your existing projects? You need to turn on Git access [2] for your account. * Do you want credit for your commits? Read about how to set up your Git identification [3]. * Do you want to have a quick way to find Git instructions for your project? See the Git instructions [4] tab that is now on each project page. * Do you want to be able to access your Git repos without constant prompting for passwords? Add one or more ssh keys [5] to your account. Note that the CVS repositories will NOT get any further updates now that the migration is complete. They are for historical reference only. You are strongly encouraged to replace them with git clone versions. [1] http://drupal.org/documentation/git [2] http://drupal.org/node/1047190 [3] http://drupal.org/node/1022156 [4] http://drupal.org/node/1072822 [5] http://drupal.org/node/1027094

1 0

Drupal migrates to Git on Thursday, February 24th
by maintainers-news＠drupal.org 21 Feb '11

21 Feb '11

The Drupal.org CVS -> Git migration is nearly upon us! There are just *hours* left now until the big day (Thursday, February 24)! We will be doing a final verification of data integrity before launch but while http://git-dev.drupal.org is open for testing we invite you to spot-check your projects. If you have time, comprehensive instructions for verifying project data (as well as other steps you can take to help test and prepare yourself for the migration) are available at http://groups.drupal.org/node/128294. The migration team has taken numerous steps to ensure the integrity of migrated project data, but there is no substitute for the attention a project maintainer can give to her or his own code. Additionally, please be advised that starting at Thursday, February 24, 23:00 UTC [1] (3PM PST, 6PM EST), there will be approximately *12 hours* of downtime while the migration completes. This is the most comprehensive and extensive change to Drupal.org in recent memory - perhaps ever. Therefore, the Infrastructure & Git Migration teams need an extended buffer of time to perform the migration, verify the data, and check for and resolve any issues. For more information on what exactly this downtime entails, please see http://drupal.org/node/1068664. Thanks very much for your help, and we’ll see you on the other side! [1] http://www.worldtimeserver.com/convert_time_in_UTC.aspx

1 0

Less than two weeks to prepare for the CVS -> Git migration!
by maintainers-news＠drupal.org 03 Feb '11

03 Feb '11

For those not following the Drupal.org home page, the Drupal.org CVS -> Git migration we told you about last newsletter is scheduled to launch February 17. There are a number of things that ALL CVS account holders MUST do ASAP in order to prepare for the migration. *Once the migration is complete, that's it; CVS will be cut off, Git will be in place. It is /absolutely imperative/ that each and every one of you perform these steps in advance of the migration.* Thanks for your immediate attention to this. Key points: * Do you want credit for your commits? Read about how to set up your Git identification. * Do you want to be able to make new projects and changes to your existing projects after February 17? Read about how to test Git on our staging site. * Do you want people to be able to download your code? Read about how reviewing your existing projects' data. Keep up on the latest news by http://groups.drupal.org/drupal-org-git-migration-team or Twitter: https://twitter.com/drupalgitgremln. -------- SET UP YOUR GIT IDENTIFICATION -------------------------------------- Git associates commits with a name and e-mail address, rather than a username as in CVS. In order to ensure that you are properly credited for both your legacy and future contributions post-Git migration, please complete the following steps *by February 13*: * Download and install Git. There are lots of resources on the Internet about how to do this. http://book.git-scm.com/2_installing_git.html is one. * Specify your desired full name and e-mail address to associate with your migrated CVS commits in your drupal.org user profile: http://drupal.org/node/1018116 * Use the instructions at http://drupal.org/node/1022156 to identify yourself to Git with your specified name and e-mail address. This will ensure all future commits are also credited to your account. * If you wish to use another e-mail address (for example, one associated with your GitHub account), http://drupal.org/node/1018118 has instructions on how to associate additional e-mail addresses with your Drupal.org account. * If you don't like your current CVS username and want to switch it when we migrate to Git, you have *exactly one and only one chance to change it*. Leave a comment at http://drupal.org/node/1036140 with your current CVS username, your Drupal.org user ID, and your desired Git username. [A-Za-z0-9._-] are the allowed characters. For more information, see http://drupal.org/node/1037478. -------- TEST THE GIT MIGRATION ---------------------------------------------- The Git migration team has set up http://git-dev.drupal.org/, a staging server where you can test your day-to-day maintainership tasks and familiarize yourself with Git. There is a helpful screencast at http://vimeo.com/19467580 which walks through everything you need to (and can) do, and http://drupal.org/help-test-cvs-git-migration contains the text version. Important notes (READ ME!): * *Testing will only be open during certain hours of the day*. During this pre-launch period we're also going to be doing performance optimization and integrating new code to fix bugs, so to allow ample time the server will have certain "blackout" periods. There is a wiki page at http://groups.drupal.org/node/119449 which contains the current status of the system as well as rebuild schedules. Read the Apache password prompt on http://git-dev.drupal.org. It will tell you the current state of the system. * *To log in to http://git-dev.drupal.org/, you must first reset your password.*. This is a basic security precaution for our development sites. You can do this from http://git-dev.drupal.org/user/password. * */All/ users, including current CVS account holders, need to agree to terms of use in order to obtain Git access.* There are instructions for doing this at http://drupal.org/node/1047190. * *The server will be rebuilt every two days.* Each time that happens, you'll lose any projects and code changes you made, and also need to repeat the "reset password" and "agree to git terms" steps /again/ in order to continue testing. * *If you find problems, please log them against the Git Migration Community Testing issue queue (http://drupal.org/project/issues/git_dev).* Make sure whatever you're reporting doesn't show up in our list of known issues [1] first. One of our team members will triage bug reports and support requests, and then push them into the correct issue queue, if necessary. There is also a #drupal-gitsupport channel on irc.freenode.net for new Git users (and experienced Git users who want to help make the transition as smooth as possible :)). -------- REVIEW YOUR EXISTING PROJECTS' DATA --------------------------------- One aspect of the migration is pulling in all legacy CVS data and converting it to Git. It's important to check over your own projects' data and ensure it looks correct. * Does http://git-dev.drupalcode.org/ show the proper branches/tags for your projects, and list the proper commits associated with the proper users? * Have your commit messages been imported in properly under the "Your commits" and "Project commits" views on git-dev.drupal.org? * When you download tarballs and zipballs of your project releases, do they extract cleanly, and contain what they should? * Do they install properly and function as they should? -------- HELP US! ------------------------------------------------------------ And finally, if you already know Git well, please: * Hang out in #drupal-gitsupport to help support new users. * Help with support requests and cleaning up duplicate issues in the Git Community Testing queue: http://drupal.org/project/issues/git_dev * Help write or improve the documentation: http://drupal.org/handbook/git We need all the help we can get in order to make this as smooth a transition as possible! Once Git goes live, CVS is dead, dead, dead. Hooray! [1] http://drupal.org/project/issues/search/git_dev?text=&assigned=&sub…

1 0

Drupal 7 coming, project, CVS and translation changes
by maintainers-news＠drupal.org 07 Dec '10

07 Dec '10

It is that time again! Drupal 7 is nearing completion, drupal.org project spaces were redesigned and we are switching version control systems. There are lots of new things to learn, and great new opoortunities to use. We'd like to inform you about these developments, so you are best equipped. -------- DRUPAL 7 IS AROUND THE CORNER --------------------------------------- Drupal 7.0 RC1 was just released on December 1st, 2010. This means a release is not far off, perhaps as soon as 7-10 days from now. Moshe Weitzman started off the Drupal 7 Contrib Experience (D7CX) movement almost one and a half years ago with the goal to get as many contributed modules ported to Drupal 7 as possible by the time Drupal 7.0 is released. This among other factors lead to the availability of over 700 modules for Drupal 7 (compared to 7000 overall) - at varying levels of completeness. There is of course more work to do, and you might have one or two modules or themes not ported yet. We have documentation detailing all the changes in the API with before/after examples for most items. The Coder module is of great help in this migration as well, and now it includes the Coder Upgrade module, which attempts to do automated code conversion for you. If you made a D7CX pledge, this week is the time to tag your final release. Related links: * Drupal 7.0 RC1 release: http://drupal.org/node/985946 * D7CX announcement: http://cyrve.com/d7cx * D7CX progress tracking: http://d7cx.com/ * Converting modules to 7.x: http://drupal.org/update/modules/6/7 * Coder module: http://drupal.org/project/coder -------- DRUPAL.ORG PROJECT SPACES GET NEW FEATURES -------------------------- You probably already noticed that drupal.org was redesigned earlier this year. If you have not seen that already, now is the time to pause reading and go wander around on the new site! The redesign affected project spaces as well. Here are some tips to use the new features more effectively: 1) Each project now has a 'Maintenance status' and a 'Development status' flag, which you can use to inform users about the state of your work. Categories are also prominently displayed now. These are all good to provide users with the information necessary to choose the right modules. Make sure to set yours properly. 2) There is entirely new maintainer management for each project! You'll see the 'Maintainers' tab on projects you own, which now allows you to add maintainers inline and grant fine grained permissions like 'maintain issues' or 'edit project' separately. 3) The new dashboard on drupal.org helps you keep tabs on your project issues. You can add a block with all issues you are involved in (across all projects) or individual project issue overviews. -------- CVS IS BEING REPLACED WITH GIT -------------------------------------- Drupal.org is moving off of CVS for project version control! The Drupal Association sponsored the project to help move drupal.org to a more modern system enabling the community to do even smoother collaboration. Your new helper will be git (originally written to manage the Linux kernel code). The team is hard at work to accomplish the migration before Drupalcon Chicago. Mid-Februrary is the tentative launch date. What does moving to git mean for Drupal.org? Read more at http://groups.drupal.org/node/106224 We made the existing source of drupal.org projects available under git.drupal.org in a ready-only mode, so you can use it to roll patches or just check out code already. It's very important to understand that the migration will not be a gradual process - when the flip is switched, CVS will become instantly read-only, and git will replace it entirely. So the sooner you familiarize yourself with git, the better! Get books for the holidays, read some great tutorials. Here are some of our tips: * http://gitref.org/ * http://gitready.com/ * http://book.git-scm.com/ * http://www.archive.org/details/GitFundamentals * http://peepcode.com/products/git * http://groups.drupal.org/drupal-org-git-migration-team -------- TRANSLATIONS DECOUPLING FROM PROJECTS ------------------------------- Translations have long been an integral part of the drupal.org project space, using the same CVS version control system and issue queues. Drupal core translations had their own projects and distinct project translations (think Views, Fivestar, etc) got their .po files hosted with the projects themselves. This resulted in a long list of issues, including translators needing to know CVS or project maintainers needing to distinguish between an outdated translation and an updated one. It is a burden for project maintainers to generate translation templates and keep them up to date, and there is no opportunity for translators to keep their translations complete with project releases. Finally, the tools were missing to maintain an up to date translation database on actual Drupal sites with module updates and removals. This is all changing since we are decoupling translations from the module, theme and installation profile projects themselves. What does this mean for you? A. If you are a translation maintainer: you've already been contacted, and your team is in the process of moving from drupal.org to localize.drupal.org. B. If you are a translator: stop working on .po files in CVS (either for Drupal core or contrib), instead import existing .po files from CVS to localize.drupal.org (if not already), remove the imported file from CVS and work on localize.drupal.org from now on. C. If you are a drupal.org project maintainer: do not accept .po files anymore in your issue queues and remove your .pot files from CVS; tell people to use localize.drupal.org. For more background information, follow the news feed for localize.drupal.org at http://localize.drupal.org/news ------------------------------------------------------------------------------ You are getting this newsletter because you are a CVS account holder on drupal.org. See http://drupal.org/node/243389 for more information. We hope these news items were useful for you. We wish you happy holidays, and looking forward to an even more eventful 2011. Yours, The Drupal.org infrastructure team

1 1

Development Server Compromised
by maintainers-news＠drupal.org 04 Nov '09

04 Nov '09

On Tuesday, November 3rd, it was discovered that scratchvm.drupal.org, used for testing Drupal infrastructure upgrades, was compromised by a brute force attack on a weak account password. The attacker was NOT able to achieve root access to the server. However, to ensure the continued security of user accounts, the Infrastructure Team has revoked passwords for Drupal CVS accounts and for Infrastructure Team members. If you do not have CVS access, and are not a member of the Drupal Infrastructure Team, YOU MAY IGNORE THIS EMAIL. Likewise, if you have a CVS account which is no longer in use, you can ignore this email and your account will remain securely locked out. -------- CVS ACCOUNT PASSWORDS ----------------------------------------------- A mirror of the Drupal CVS repository was stored on the compromised server. This included secure hashes of CVS passwords. While it is extremely unlikely that CVS accounts could be compromised, passwords have been revoked as a precaution. To reset your CVS account password: 1) Log in to your user account at http://drupal.org/ 2) Click on "My account" in the navigation block. 3) Click the "Edit" tab for your account. 4) Click the "CVS" sub-tab under "Edit". 5) Enter a new password, and click "Save". 6) Wait AT LEAST 30 MINUTES before attempting to use your CVS account. This time is needed for the CVS server to synchronize your password. If you cannot access your CVS account after following these steps, please file a support request in the Drupal infrastructure issue queue: http://drupal.org/project/issues/infrastructure -------- DRUPAL INFRASTRUCTURE TEAM PASSWORDS -------------------------------- Stored Subversion credentials are stored in clear-text, and were potentially exposed to the attacker. By default, your username and password would be stored for any protected subversion server accessed from scratchvm, such as svn.drupal.org. While it is unlikely that the attacker accessed Subversion passwords, in order to protect your account, infrastructure.drupal.org passwords have been revoked. To reset your Infrastructure Team password: 1) Browse to https://infrastructure.drupal.org/user/password 2) Enter your user name or email address. 3) Follow the instructions sent to your email to use the one-time login link. 4) Reset your password with a different password then what you previously used. 5) If you have Subversion access, WAIT AT LEAST 30 MINUTES before accessing your Subversion account. This time is needed for the Subversion server to synchronize your password. If you cannot access your Subversion account after following these steps, please file a support request in the Drupal infrastructure issue queue: http://drupal.org/project/issues/infrastructure -------- USERS OF SCRATCHVM.DRUPAL.ORG --------------------------------------- If you accessed a protected SVN server other than svn.drupal.org, or used other programs which saved passwords in clear-text, it is recommended that you change your password for those services.

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Maintainers-news