Triquanta Web Solutions: Automatically switch Drush versions per project

Planet Drupal - 17 October 2014 - 3:38am

Now that Drush has become standard equipment in every developer's toolbox, and Drupal 8 is around the corner, you may find yourself asking "Which Drush version should I use?" While Drush 6 has a stable release, only Drush 7 can be used with Drupal 8. Usually, I use Drush 7. It works well with both Drupal 7 and Drupal 8, and even though it doesn't have a stable release yet, it feels pretty stable to me.

Combining Drush versions: the trouble begins

Unfortunately, when you use Drush 7 to run commands on a remote server which runs Drush 6, you will run into errors. For instance when doing a sql-sync:

    $ drush sql-sync @mysite-prod @self
    You will destroy data in mysite and replace with data from example.com/mysite.
    Do you really want to continue? (y/n): y
    Starting to dump database on Source.                                        [ok]
    Database dump saved to                                                 [success]
    /home/www-data/drush-backups/mysite/20141016113131/mysite_20141016_113132.sql.gz
    The Drush sql-dump command did not report the path to the dump file produced.
    Try upgrading the version of Drush you are using on the source machine.  [error]

Obviously Drush 7 doesn't like to talk to Drush 6. So how do we solve that?

Installing multiple Drush versions side-by-side

It's not too hard to install two Drush versions side-by-side, and use aliases or symlinks to choose a version. On my system I installed Drush 7 using composer and I installed Drush 6 using the manual method.

Next I created two symlinks called "drush6" and "drush7" in a directory in my $PATH variable. I use ~/bin, but it depends on your OS and configuration.

    $ cd ~/bin
    $ ln -s ~/drush-6.4.0/drush drush6
    $ ln -s ~/.composer/vendor/drush/drush/drush drush7

Using those symlinks, I can use both versions anywhere on my system:

    $ drush6 --version
    Drush Version : 6.4.0
    $ drush7 --version
    Drush Version : 7.0-dev

Now I can run drush6 sql-sync @mysite-prod @self to choose Drush 6 and avoid problems syncing with a remote server.

Automating which version to use

It's nice to be able to choose, but wouldn't it be awesome if you could just run drush ... without having to think about which version you need? If you're managing multiple sites on different servers, you don't want to spend your energy remembering which project requires which Drush version.

At Triquanta we use git repositories, one for each project. I want to be able to specify the default Drush version per project, so I will never run the wrong Drush version by mistake. That's where this really simple bash script comes in:

    #!/bin/bash
    version=$(git config --get drush.version)
    if [ "$version" = '6' ]; then
        drush6 "$@"
    else
        drush7 "$@"
    fi

Save it as "drush" in a directory in your $PATH variable (one that comes before any directory holding a real drush binary, otherwise the wrapper is never reached), and make it executable. Now when you execute drush, it will call this script, which by default runs Drush 7.

    $ drush --version
    Drush Version : 7.0-dev

When a project requires Drush 6 instead, I set a variable "drush.version" in the git working copy:

    $ git config drush.version 6
    $ drush --version
    Drush Version : 6.4.0

That's all there is to it. Regardless of where you are within your git-managed directory structure (the site root, sites/default/files/, etc.), the script will always know which Drush version to use, because git config is resolved from the nearest enclosing working copy.
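As an added example (this is not Triquanta's script, and not part of the original post), here is a stricter version of the same wrapper. It keeps the drush6/drush7 naming from above but validates the configured value before using it as a command name, reads drush.version only from the working copy's own .git/config rather than from ~/.gitconfig as well, and fails loudly when the requested wrapper is not installed instead of silently running another version. The function names, the DRUSH_DEFAULT_VERSION variable and the dispatch-by-name guard at the bottom are this example's own choices.

```shell
#!/bin/sh
# Added example for this page: a stricter per-project Drush wrapper. Not Triquanta's
# script; function names, DRUSH_DEFAULT_VERSION and the by-name dispatch are assumptions
# of this example. Install as ~/bin/drush next to the drush6/drush7 symlinks.

DRUSH_DEFAULT_VERSION="${DRUSH_DEFAULT_VERSION:-7}"

# Map a configured version string to the wrapper to execute ("6" -> "drush6").
# Only a plain major version number is accepted: the value comes from git config, and
# rejecting anything else keeps a malformed value from becoming part of a command name.
# An empty value selects the default.
resolve_drush_binary() {
    version="$1"
    [ -n "$version" ] || version="$DRUSH_DEFAULT_VERSION"
    case "$version" in
        ''|*[!0-9]*)
            echo "drush: drush.version must be a major version number, got '$version'" >&2
            return 1
            ;;
    esac
    echo "drush$version"
}

# Read drush.version from the working copy's own .git/config. --local deliberately
# skips ~/.gitconfig and the system config, so only a per-project setting can change
# which Drush runs. Outside a repository it prints nothing, so the default applies.
project_drush_version() {
    git rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 0
    git config --local --get drush.version 2>/dev/null || true
}

# Run the selected wrapper, or fail with a clear message when it is not installed
# rather than quietly using a different version.
drush_dispatch() {
    binary="$(resolve_drush_binary "$(project_drush_version)")" || return 1
    if ! command -v "$binary" >/dev/null 2>&1; then
        echo "drush: $binary is not on PATH; install it or change drush.version" >&2
        return 127
    fi
    exec "$binary" "$@"
}

# Dispatch only when invoked as "drush" (the name this file has in ~/bin). Under any
# other name, or when sourced, the file just defines the functions above.
case "$(basename -- "$0")" in
    drush) drush_dispatch "$@" ;;
esac
```

The one behavioural difference from the original worth knowing about is --local: the original git config --get also honours ~/.gitconfig, so a stray global drush.version = 6 would switch every project at once; with --local the setting stays per working copy, which is what the post intends.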

Categories: Drupal

Modules Unraveled: 122 The Drupal Security Team With Greg Knaddison and Michael Hess - Modules Unraveled Podcast

Planet Drupal - 17 October 2014 - 3:04am
Published: Fri, 10/17/14
The Drupal Security Team
  • What type of people are on the Drupal Security Team?
    • https://security.drupal.org/team-members
    • Mostly coders, some project managers, core maintainers
  • What does the security team do?
    • We fix issues in drupal
    • Resolve reported security issues in a Security Advisory
    • Provide assistance for contributed module maintainers in resolving security issues
    • Provide documentation on how to write secure code
    • Provide documentation on securing your site
    • Help the infrastructure team to keep the drupal.org infrastructure secure
  • What doesn’t the security team do?
    • projects without stable releases
    • Site support
    • Set policy around security with the security working group.
  • Is there a D7 security team and a D8 security team with different people? (What about Drupal 6)
  • How can others get involved?
  • What was the recent bug that was fixed?
Questions from Twitter
  • Paulius Pazdrazdys
    How is this latest security release different from others? Do you have any information on whether this bug did any harm before the release?
  • aboros
    The recent bug was über critical, still only 20/25. What would be a 25/25 bug?
  • aboros
    Do you notify any high value targets before SA is sent out? Is the list of those public? Can one be part of this privileged group?
  • Carie Fisher
    When was the latest bug found? Is there a private Drupal security group where this was discussed? Could we have found out sooner?
  • David Hernandez
    What is the average time from discovery to announcement?
  • Damien McKenna
    @ModsUnraveled Are there existing stats on how long it takes from initial reporting, to maintainer response, to first patch & fix?
  • Heine Deelstra
    How was SA-CORE-005 (in hindsight) able to be public for so long in the public queue?
  • Mark Conroy
    I think the #drupal security team are great. Working extremely hard. (I know, that wasn't a question)
  • aboros
    Are there plans for some sort of bounty program run by DA maybe?
  • David Hernandez
    What kind of work does the security team do besides review code? What is the administrative overhead?
Episode Links:
  • Greg on drupal.org
  • Greg on Twitter
  • Michael on drupal.org
  • Michael on Twitter
  • List of permissions that aren’t included
  • Drupal Security Report
  • Two factor auth module
  • Paranoia module to prevent php execution
  • Security group on g.d.o
Tags: Security, Drupal Core, planet-drupal
Categories: Drupal

Country Path

New Drupal Modules - 16 October 2014 - 3:40pm
Domain Country Path

This country_path.module provides custom aliases and routing. It's a small project that extends the Domain Access module and adds a domain suffix (i.e. a path prefix) for each domain. Its primary use is building multi-country (multi-domain) sites where each country can be identified either by its domain (example.co.uk) or by a URL path prefix (example.com/fr).

Categories: Drupal

Get Pantheon Blog: What We Are Seeing With Drupal SA 2014-005

Planet Drupal - 16 October 2014 - 2:41pm

It's been 24 hours since Drupal SA-CORE-2014-005 was announced, and we are already beginning to see attacks in the wild. As a platform with tens of thousands of Drupal sites, we have a unique perspective on the problem.

This is not a drill: black-hat scripters from sketchy domains are working through lists of known Drupal websites probing for exploits. If you have not patched all your sites, stop reading and do it right now.

...

Ok, now that your websites are safe, here's what we're seeing.

Profiling and Logging Suspected Exploits

We learned of the vulnerability through our participation with the Drupal Security team, so we had a few days to prepare prior to the announcement. At that point, we were under obligation not to share details as part of responsible disclosure, but we did tweet and email customers to "be ready" for the update on Wednesday.

Beyond that, the first step was fashioning our own exploit to have something to build a defense against. I "owned" my personal blog several times getting this right.

With a sense of a potential attack signature, we developed platform-wide request filtering, WAF style. At our scale, we couldn't try to tweak every individual site: a platform solution was the only answer.

We got that deployed on Monday, giving us two days to see the results of real production traffic. We were able to eliminate false-positives while still detecting our PoC attacks, which gave us confidence that our filter would not impact legitimate traffic. That was an important moment, because it meant we could start locking things down.

Log and Block

With the SA announcement on Wednesday we switched the filter from "log" to "log and block". The first detected (and blocked) attack came in at 22:42 UTC (3:42 PM PT), about seven hours after the security announcement. It attempted to set up a fake user with id 9999 and a suspicious temp email address from trbvm.com.

Over the rest of the day we saw a handful (20-ish) more attacks that looked like proofs of concept or penetration tests. We saw attempts to re-use a proof of concept posted in a Reddit thread, an attempt to create a user named "morpheus" with a pre-set password, and a few attempts to make accounts with the email address test@test.com and then elevate them to an admin role.

It Gets Real

Early this morning at 08:23 UTC (1:23 AM PT) we started seeing an attack that attempts to insert a new item into the menu_router table. This attack is originating from IPs from a VPS provider in the .ru domain space, and it appears to be working through a list of domain names alphabetically.

The attack seems to be the initial part of a multi-step process. The menu_callback it is attempting to create will try to use file_put_contents() to drop a file somewhere in the codebase. That file will pick up a subsequent http request with more of an attack payload in the $_COOKIE superglobal. This sophistication plus the alphabetical attack sequence suggests a professional exploit.

Note that this attack has a 0% chance of success on Pantheon. We block it, but even if we didn't, live sites can't write files into the codebase, and a sophisticated $_COOKIE attack would also be stripped. Still, it's concerning.
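For sites that are not behind a platform filter, the traces described above can be looked for after the fact. The following is an added example written for this page, not Pantheon's filter and not Drupal project code: it scans an uncompressed Drupal 7 SQL dump (for instance the output of drush sql-dump) for menu_router rows whose callbacks include file_put_contents() and for the account traces the post reports (uid 9999, trbvm.com addresses, the "morpheus" user, test@test.com). The function names and the sample dump are this example's own, and a clean result only means those specific traces are absent.

```shell
#!/bin/sh
# Added example for this page, not Pantheon's filter or Drupal code: scan a Drupal 7
# SQL dump for the indicators described in the post. Function names and the sample
# dump are assumptions of this example. The dump must be uncompressed (zcat it first
# if drush sql-dump --gzip produced it).

# Count menu_router INSERT lines whose callbacks include file_put_contents(), the
# file-dropping callback the post reports. No legitimate menu entry uses it.
count_menu_router_writers() {
    dump="$1"
    n="$(grep 'INSERT INTO .menu_router.' "$dump" | grep -c 'file_put_contents')" || true
    echo "$n"
}

# Count users INSERT lines carrying the account traces seen in the first attacks:
# uid 9999, addresses at trbvm.com, the "morpheus" account and test@test.com.
count_suspicious_users() {
    dump="$1"
    n="$(grep 'INSERT INTO .users.' "$dump" \
        | grep -Ec '\(9999,|@trbvm\.com|morpheus|test@test\.com')" || true
    echo "$n"
}

# Print a short report and return non-zero when anything matched, so the function can
# gate a cron job or a deploy step.
scan_dump() {
    dump="$1"
    writers="$(count_menu_router_writers "$dump")"
    accounts="$(count_suspicious_users "$dump")"
    echo "menu_router rows calling file_put_contents: $writers"
    echo "users rows matching known attack accounts:   $accounts"
    [ "$writers" -eq 0 ] && [ "$accounts" -eq 0 ]
}

# Write a constructed, minimal dump (sample data for this example, not a real capture)
# with one clean and one suspicious row per table to the given path.
write_sample_dump() {
    cat > "$1" <<'EOF'
INSERT INTO `menu_router` VALUES ('node','','','user_access','a:1:{i:0;s:14:"access content";}','node_page_default');
INSERT INTO `menu_router` VALUES ('zz','','','file_put_contents','a:2:{i:0;s:4:"path";i:1;s:4:"data";}','');
INSERT INTO `users` VALUES (1,'admin','$S$hash','admin@example.com');
INSERT INTO `users` VALUES (9999,'morpheus','$S$hash','drop@trbvm.com');
EOF
}
```

Typical use is write_sample_dump /tmp/sample.sql; scan_dump /tmp/sample.sql to see the report, then scan_dump on a real dump. The menu_router check is the more reliable of the two: the account names and addresses are easy for an attacker to vary, whereas a menu callback that writes files is suspicious regardless of the names used.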

This Is Not A Drill

It's barely 24 hours after the SA, and we have logged and blocked over 500 attempted attacks on sites on the Pantheon platform. We expect this rate to increase as exploit code is more widely shared and attacks become more automated.

The fact that we are blocking suspect traffic does not mean you should delay updating. We're happy to be defending sites on our platform, but the filter, like CloudFlare's WAF rule, is not a guarantee that your site is secure. You need to get the update deployed and patch the vulnerability at the source.

If you need help, let us know. If you have friends who need help, lend a hand.

Credits

Credit to the Drupal Security team for organizing a responsible and orderly release. There was likely a temptation to rush something out once the severity was realized, but they showed great professionalism by taking a more deliberate route. As soon as the fix was disclosed, black-hats would start working to weaponize the exploit, which we are already seeing.

I'd also like to thank Leonardo Finetti for chiming in based on some tweets with additional information about the menu_router attack. He has his own post up (in Italian) here.

Finally, I'd like to give credit to Greg "greggles" Knaddison for planting the idea in my head of using the reach of our platform as a way to monitor exploit attempts against sites running on Pantheon. Hopefully the data we're able to gather will help everyone defend better and build more secure software and platforms.

Blog Categories: Engineering
Categories: Drupal

Acquia: Shields Up!

Planet Drupal - 16 October 2014 - 2:32pm

Yesterday, the Drupal Security team announced that all Drupal 7 sites are highly vulnerable to attack. Acquia deployed a platform-wide "shield" which protects all our customer sites, while still keeping them 100% functional for visitors and content editors. These sites can now upgrade to 7.32 in a more calm, controlled timeline.

Categories: Drupal

Don't Miss: Why ethical free-to-play game design matters

Social/Online Games - Gamasutra - 16 October 2014 - 12:27pm

"Consider: Would you rather work for a company that has loyal fans eager to play your game, or a company that assumes games are disposable trash, and players, marks to be fleeced?" ...

Categories: Game Theory & Design

Acquia: 30 Awesome Drupal 8 API Functions you Should Already Know - Fredric Mitchell

Planet Drupal - 16 October 2014 - 11:49am

Apart from presenting a terrific session that will help you wrap your head around developing for Drupal 8, Fredric and I had a great conversation that covered the use of Drupal and open source in government, government decision-making versus corporate decision-making, designing Drupal 7 sites with Drupal 8 in mind, designing sites for the end users and where the maximum business value comes from in your organization, and more!

Categories: Drupal

Modeling tumor dormancy: What makes a tumor switch from dormant to malignant?

Virtual Reality - Science Daily - 16 October 2014 - 11:40am
A new computational model may help illuminate the conditions surrounding tumor dormancy and the switch to a malignant state. The so-called cellular automaton model simulated various scenarios of tumor growth leading to tumor suppression, dormancy or proliferation.
Categories: Virtual Reality

Blog: In production, trust is stronger than control

Social/Online Games - Gamasutra - 16 October 2014 - 11:17am

"Making software is hard. Making games is damn near impossible. The things where we usually make mistakes are not the ones that following a processes will solve." ...

Categories: Game Theory & Design

CAPTCHA Webform Bridge

New Drupal Modules - 16 October 2014 - 9:50am

This is a simple module that automatically sets (or unsets) CAPTCHA challenges on webforms. At the moment, it just implements the code proposed in Adding CAPTCHA to a Webform (Method 1 for Drupal 7).

It's a "plug & play" module; there is no need to configure anything. When it's enabled, all webforms created/deleted will set/unset (respectively) CAPTCHA challenges (admin/config/people/captcha/captcha).

Categories: Drupal

'Speak up against the harassment of women'

Social/Online Games - Gamasutra - 16 October 2014 - 9:25am

Feminist game critic Anita Sarkeesian, in a front page article in The New York Times, insisted that those in the video game industry publicly denounce harassment of women in games. ...

Categories: Game Theory & Design

Views Advanced Labels

New Drupal Modules - 16 October 2014 - 7:05am

This module provides several advanced features for customizing the labels of Views fields and filters:

  • Change the label for the "- Any -" option of exposed filter select boxes – e.g., to reflect the field being filtered.
  • If using Chosen, customize the placeholder that is displayed in a Chosen-enabled exposed filter before any values are selected.
  • Rewrite field labels with HTML and tokens from the first result.
Categories: Drupal

Acquia a leader in Gartner Magic Quadrant for Web Content Management

Dries Buytaert - 16 October 2014 - 5:23am
Topic: DrupalAcquia

You might have read that Acquia was named a leader in the Gartner Magic Quadrant for Web Content Management.

It's easy to underestimate the importance of this recognition for Acquia, and by extension for Drupal. If you want to find a good coffee place, you use Yelp. If you want to find a nice hotel in New York, you use TripAdvisor. Similarly, if a CIO wants to spend $250,000 or more on enterprise software, they consult an analyst firm like Gartner. So think of Gartner as "Yelp for the enterprise".

Many companies create their technology shortlist based on the leader quadrant. That means that Drupal has not been considered as an option for hundreds of evaluations for large projects that have taken place in the past couple of years. Being named a leader alongside companies like Adobe, HP, IBM, Oracle, and Sitecore will encourage more organizations to evaluate Drupal. More organizations evaluating Drupal should benefit the Drupal ecosystem and the development of Drupal.

Categories: Drupal


Luck-based monetization in free-to-play mobile games

Social/Online Games - Gamasutra - 16 October 2014 - 4:46am

"The first two things you want to think about are: What kind of rewards should be available? And what are the chances to get these?" ...

Categories: Game Theory & Design

Why Anything but Games Matters - by Ian Bogost

Gamasutra.com Blogs - 16 October 2014 - 4:33am
On isolationism in game development; my Indiecade 2014 talk
Categories: Game Theory & Design

Murder in Corvis

New RPG Product Reviews - 16 October 2014 - 4:27am
Publisher: Privateer Press
Rating: 4
Originally published at: http://diehardgamefan.com/2014/10/16/book-review-murder-in-corvis-iron-kingdoms/

I’ll admit something upfront. I’ve never been interested in Iron Kingdoms or Warmachine. Both feel like a steampunk version of Warhammer and I already have enough RPGs and miniature combat games to pick up what feels like a derivative of something else. I’ve got a stack of Bones, Tomb Kings, Robotech RPG Tactics and my old D and D Tactics figures from when that game existed. However, I really do like Richard Lee Byers’ stories. I’m more a non-fiction reader, but I enjoy enough of his writing to know I’ll pick up something of his (especially a review copy) if I run into it. Besides, the last time I picked up a book by him from an RPG universe I wasn’t originally interested in (The Festival at Glenelg), I ended up reviewing three adventures from that game. So who knew? Maybe Murder in Corvis would make me curious enough to try out some of Privateer Press’ games. There was only one way to find out.

I wasn’t sure what to expect with Murder in Corvis. Would it read like a gritty pulp thriller? Would it be more like one of those cozy mystery series my wife enjoys? Would it simply be a fantasy novella with a murder as the crux of the story? Would it be something else? The only way was to dip into the story and find out. Unfortunately, you don’t get to find out right away. Before Byers’ novel starts you get a very dull and dry four page introduction to the Iron Kingdoms world. Personally, I would have let the author incorporate this information into the story rather than have a preamble that reads like it was written by Ben Stein, but that’s just me. Most of what is in the introduction has no bearing on the story at all and will serve to bore or confuse newcomers to the Iron Kingdoms. As well, there is a six page glossary in the back, which defines specific creatures, jargon and game terminology that the reader will encounter within the novella. I feel Byers describes all of these terms pretty well in the story itself, so a glossary of this size and the verbose descriptions provided for each one comes off as the publisher either not trusting its audience or simply being VERY condescending to them. Both the preamble and the glossary rubbed me the wrong way and definitely gave me a bad first impression of Iron Kingdoms in general. Honestly, if you had to include both of these, I’d have put a much shorter glossary in the front so that readers know it is there (most people I know don’t flip to the back of a book except for people who like endings ruined, and even fewer read the Table of Contents in a fiction book) and I would have put the “introduction” at the end to act as a, “If you liked this story, here’s more about our world (and product line) that you can purchase,” so as not to intimidate younger/casual readers or worse, make a person think that Murder in Corvis will be as poorly written as that four page look at the world of Iron Kingdoms.
I can honestly say after reading Murder in Corvis, I’d probably pick up more stories by Byers in this setting…but I’m not at all inclined to touch the game line(s).

Murder in Corvis is basically the origin story for a motley group of mercenaries that will eventually be called the Black River Irregulars. You have Milo the thief/alchemist, Gardek the Trollkin thief-taker (a trollkin feels like the de facto half-orc for this setting), Elish the arcanist (think techno-mage) forensic detective and Colbie the Mechanik, because changing c’s to k’s is somehow novel or interesting I guess. It’s the typical “one character from different classes to create a balanced party” trope that many fantasy stories have (and probably your own gaming party!), but Byers makes it work in spite of being a cliché (as always). The characters are well defined and nuanced with the cast being treated as an ensemble rather than one starring character and the rest of the team being supporting players. It’s nice to see this, because it’s rare an author treats an entire party as equals. Even in Byers’ previous novels and/or short stories with large casts, there is always a character or two that dominates the “screen time” so to speak. Aoth Fezim, Anton Marivaldi and Erik Nygaard come to mind as examples. I think all fiction authors are guilty of this because you develop a favorite (even if said favorite changes from book to book) and so they get a little more detail and word count devoted to them. Not so with Murder in Corvis. Here each chapter has a different character take center stage even when the other characters still appear in it. It’s a really nice touch that makes the piece stand out. A great example of the balance is that I thought Milo was going to be the main character from Chapter One but then it ends with a twist and so I think Gardek is going to now become the main character and the first chapter was just a swerve. With each chapter unfolding though, I realized Byers was writing a team story rather than one focused on a single character and I loved the result.

Because Murder in Corvis is an origin story as well as a murder mystery, you get to see how the group forms. Of course, none of them really like each other at first but grow to respect and befriend each other as the story goes on and they have to work together to find the murderer. Each character gets to show off their strengths and how they can complement or protect another teammate. It probably isn’t a spoiler to say the entire team lives, but I was surprised that they lost more fights than they won and that there was a mauling or two along the way. The story flies by pretty quickly even if 126 pages is a bit long for a novella and it left me wanting more adventures with these characters. I still probably wouldn’t be interested in the Iron Kingdoms game, but I’d certainly read another story with these exact characters and author. Of course, I’m not sure if it would be interesting now that they are all chummy-chummy and the interpersonal conflict is gone, but I’d give it a try.

The actual murder mystery itself is worth noting. Apparently there is a serial killer going around. Originally just Gardek the trollkin is hired to find and subdue the killer but after he catches the wrong guy, the four protagonists are forced to team up to find the person behind the slayings. Their quest is a more cerebral one than you might expect from a story based on a fantasy RPG, but there are a few fight scenes here and there. I do like that the book really focused on solving a mystery over hack and slash, even though Byers is quite adept at long, detailed fight scenes. By sticking with the detective aspects, the story felt like a murder mystery first and a licensed novelization second. I also liked that the characters didn’t solve the mystery right away, complete with the occasional dead end, false lead and accidental accusation of the wrong person being thrown in for good measure. Because of the narrative style, I could give Murder in Corvis to people I know who like murder mysteries but hate gaming fiction and feel they would still enjoy this in spite of its origins.

Overall, I was glad to see that Murder in Corvis is another fine story spawned from the mind of Richard Lee Byers. Unlike some of his other releases, this novella didn’t convince me to pick up the game it was based on and I actually think the weakest points of the release are when the package tries to sell you on Iron Kingdoms instead of allowing you to just read the story, but the novella is an enjoyable murder mystery in a steampunk high fantasy setting. It’s newcomer friendly and the characters will keep you both entertained and interested from beginning to end. If you’ve got five bucks to spare and an afternoon with nothing to do, you could while away the time in worse fashions than reading Murder in Corvis.
Categories: Game Theory & Design

tanay.co.in: SA-CORE-2014-005 - All you need to know to protect your Drupal Site from the latest SQL Injection vulnerability

Planet Drupal - 16 October 2014 - 4:18am

Last night, Drupal released a security update to its core: 7.32

The release addresses the SQL injection vulnerability described at https://www.drupal.org/SA-CORE-2014-005

How serious is it?

There are many proof-of-concept scripts available all over the internet now, in both Python and PHP variants. So anyone knowledgeable enough to run a PHP or Python script can now log in to your Drupal 7 site as admin, or execute arbitrary SQL against your Drupal database!

[I am not linking them here for obvious reasons; if you came here searching for those scripts, you are at the wrong place]

So, is my site vulnerable?

Most of the Drupal-specialised hosts like Acquia, Pantheon and Platform.sh have apparently patched their platforms, protecting your Drupal site even if the site itself has not been patched yet. So most of you are covered for the moment, though a platform filter is no substitute for applying the update. You should be worried if you are hosting on a generic host to whom Drupal is just another script, or if you are running the site on your own stack.

And if you have a CDN like Cloudflare in front of your website, you are safe as well (at least for a while). As of now, I am aware only of Cloudflare having announced that they have updated their Web Application Firewall rules to mitigate this vulnerability. So if you are using the Cloudflare CDN, as I do for this blog, make sure you turn on this option.

How do I fix my Site?

Don’t worry. Fortunately it is very simple, and it would not take more than 2 minutes to fix your site (if you do it via #3 below).

If words like “git”, “patch” and “upgrade” scare you and you prefer “FTP” and “Filezilla”, skip directly to #3 below.

  • OPTION #1: Update your site to the latest version of Drupal, 7.32.

  • OPTION #2: There is considerable effort involved in upgrading a Drupal site; every upgrade usually requires significant regression testing, which can take a while.

    So, as an alternative, there is a very small patch out there for you. Apply it and you are all set.
    Patch: https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch

    How do I apply this patch?
    Like any other patch -

  • OPTION #3: [THE SIMPLEST OF ALL] Alternatively, if you do not want to deal with patches or upgrades, or if you are looking for a quick fix, here you go:

    • FTP to, or open your Drupal Root Directory

    • Navigate to  includes/database/ folder

    • There will be a file named database.inc . Take a backup of the file. We are going to modify the file. Store the backup somewhere safe just in case.

    • Open the file database.inc .

    • At around line 739, you will find a line of code that reads
          foreach ($data as $i => $value) {
      Replace this line with
          foreach (array_values($data) as $i => $value) {

    • Save the file and exit

    • Pat yourself on the back. You are all set now :-)

      This closes the hole, but it does not undo anything an attacker may already have done to a site that was exposed before you edited the file, and the next core update will overwrite the hand-edited database.inc, so still plan to move to 7.32.
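Whichever option you took, it is worth being able to confirm the state of a checkout afterwards, especially when several sites or several people are involved. The script below is an added example for this page (not Drupal's code and not the post author's): it reports whether includes/database/database.inc still carries the pre-7.32 line or the replaced one, using the two strings quoted in option #3, and prints the core VERSION constant so a hand-edited 7.31 and a real 7.32 are told apart. It assumes includes/bootstrap.inc defines VERSION the way Drupal 7 core does; the function names and the sample files are this example's own.

```shell
#!/bin/sh
# Added example for this page (not Drupal's or the post author's code): report whether
# a Drupal 7 database.inc still has the pre-7.32 line. Function names and sample files
# are assumptions of this example; VERSION is assumed to be defined in
# includes/bootstrap.inc as Drupal 7 core does.

VULNERABLE_LINE='foreach ($data as $i => $value) {'
PATCHED_LINE='foreach (array_values($data) as $i => $value) {'

# Print "patched", "vulnerable" or "unknown" for one database.inc file. Fixed-string
# matching (-F) keeps the $ and ( in the PHP from being read as regex syntax.
database_inc_status() {
    file="$1"
    if grep -qF -- "$PATCHED_LINE" "$file"; then
        echo patched
    elif grep -qF -- "$VULNERABLE_LINE" "$file"; then
        echo vulnerable
    else
        echo unknown   # not a Drupal 7 database.inc, or rewritten by a later update
    fi
}

# Report on a Drupal root: database.inc status plus the core VERSION constant, so a
# hand-patched 7.31 and an updated 7.32 can be told apart. Returns 0 only if patched.
check_drupal_root() {
    root="$1"
    status="$(database_inc_status "$root/includes/database/database.inc")"
    version="$(sed -n "s/^define('VERSION', '\([^']*\)');.*/\1/p" \
        "$root/includes/bootstrap.inc" 2>/dev/null)"
    echo "$root: database.inc is $status, core VERSION is ${version:-unknown}"
    [ "$status" = patched ]
}

# Constructed samples for this example: a one-line stand-in for each state of the file.
write_sample_database_inc() {
    case "$2" in
        vulnerable) printf '    %s\n' "$VULNERABLE_LINE" > "$1" ;;
        patched)    printf '    %s\n' "$PATCHED_LINE" > "$1" ;;
    esac
}
```

Run it as check_drupal_root /var/www/mysite for each docroot; the exit status makes it usable from a loop over all sites on a box, and an "unknown" result is a signal to look at the file by hand rather than to assume it is fine.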

 


I have no enemies. Should I still fix my site?

Absolutely yes. With the many Google dorks that can be used to find Drupal sites, you could be the subject of a random attack: some noob with the script picking your site at random to log in as admin and deface it or play around with it, or to steal your user base for spamming!

Who found this issue? Who reported it? When was it first reported? Check out the FAQ on Drupal.org for answers: https://www.drupal.org/node/2357241
Categories: Drupal

A Farewell Letter to GamerGate - by James Beech

Gamasutra.com Blogs - 16 October 2014 - 3:57am
A veteran game developer weighs in on the life, and apparent death, of GamerGate
Categories: Game Theory & Design

Visitors Voice: What is a good autocomplete?

Planet Drupal - 16 October 2014 - 3:45am
Too often clients add autocomplete as a requirement without much thought, and as a result it actually makes the user experience worse. Instead of helping users it confuses them. The first rule when designing autocomplete is: the suggestions must be relevant for many! Otherwise don’t make any suggestions at all, since it’s just […]
Categories: Drupal