Drupal Planet

Bay Area Drupal Camp: Only a Few More Sleeps Until BADCamp 2018 💥💥

18 hours 13 minutes ago
By rob.thorne, Wed, 10/17/2018 - 23:53

🎡🎡 Only One Week Until BADCamp 2018!!! 💥💥


🎪🎪🎪🎪🎪🎪🎪🎪

BADCamp is just a week away. Make sure you're prepared by following our checklist below.

🎪🎪🎪🎪🎪🎪🎪🎪


1. Volunteer for BADCamp!

BADCamp is 100% free because of our amazing volunteers. Help us keep it that way by signing up for a volunteer shift.

We are still looking for a few volunteers to help staff registration, summits and sessions. Remember, when you volunteer, mentor or speak you'll get Drupal credit on your Drupal.org profile as well.

AND... volunteers who sign up as room monitors can get access to sessions that are otherwise full. There are lots of perks, so don't wait!

Signing up is simple and it's easy to find slots that work with your schedule.

Sign-up to Volunteer

2. Make Sure You Are Registered!

While BADCamp is both awesome and free, signing up for BADCamp helps us plan and ensures you receive event specific information.


3. Want to be Trained? You Need to Sign Up for Training

A few last-minute cancellations mean we have a couple of seats still available. Sign up now to reserve your spot!


4. Want to Attend a Summit? You Should Sign-up Today!

Wednesday and Thursday, we are hosting great summits that facilitate conversations and connections with people in specific industries or with specific skills. Come dive deep into the issues that matter and collaborate freely. Sign-up today.


5. Don't Miss Out: Organize Your BADCamp with a Schedule

With so many awesome activities it may be hard to remember where you should be. Make your schedule in advance so you can maximize your time and follow along on your mobile device! Start your schedule.

6. Join us at the Contribution Lounge for Coffee, Community and Code!

This is a great chance to help make Drupal bigger and better. This year, the BADCamp Contribution Lounge will be located at the Martin Luther King, Jr. Student Union Building on Wednesday/Thursday and the Alumni House - Bechtel Conference Room on Friday/Saturday.

The Lounge has internet access and an ample supply of coffee and water. Come participate!

Check the schedule for time and location details.


7. Thursday Events

Thirsty for good conversation and great beers? Join the inaugural BADCamp Pub Crawl. Register today and watch Jason's Twitter handle for information as the night progresses.

AND....

BADCamp 2018 Games Night: Get together with other BADCampers for board games and other entertainments at Victory Point Cafe in downtown Berkeley. So we can figure out how many tables we need, register here if you want to do this! Gaming will start around 7pm.

8. Friday Parties (Yes! More Than One!)

Come to the Big BADCamp Party at The Marsh Theatre on Friday night 8pm to 11pm generously sponsored by Platform.sh.

You will have drink tickets burning a hole in your pocket, so come early and be prepared for a good time. There will be great music and ample space on the dance floor, along with rooftop views. There will also be tables and quiet areas to chat.

The fun won't stop there! Free buses will be leaving the Marsh for a Late Night Party that includes unique pizzas, glow in the dark juggling performances, weird absinthe drinks, and all things circus disco.

Get details here.


Sponsors

A BIG thanks to Platform.sh, Pantheon & DDEV and all our sponsors who have committed early. Without them this magical event wouldn't be possible. We are also looking for MORE sponsors to help keep BADCamp free and awesome. Interested in sponsoring BADCamp? Contact matt@badcamp.net or anne@badcamp.net.

Would you have been willing to pay for your ticket? If so, you can give back to the camp by purchasing an individual sponsorship at the level most comfortable for you. As our thanks, we will be handing out some awesome BADCamp swag.

    See You At BADCamp!!

myDropWizard.com: Drupal 6 core security update for SA-CORE-2018-006 (and mimemail and htmlmail)

18 hours 49 minutes ago

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Critical security release for Drupal core to fix multiple vulnerabilities. You can learn more in the security advisory:

Drupal core - Critical - Multiple Vulnerabilities - SA-CORE-2018-006

The following vulnerabilities mentioned in the security advisory also affect Drupal 6:

  • External URL injection through URL aliases - Moderately Critical - Open Redirect

  • Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution

The first vulnerability is in Drupal 6 core, however, the 2nd is only present in the contrib modules: htmlmail, and mimemail. If you don't use those modules, you're not affected by the 2nd vulnerability.

If you have a Drupal 6 site, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Jacob Rockowitz: Acknowledging individuals contributing to Drupal

21 hours 46 minutes ago

In my last blog post, I explained "Why I am one of the top contributors to Drupal?" and examined my ongoing contribution to the Webform module for Drupal 8. My post was inspired by Dries Buytaert's annual "who sponsors Drupal development" post. Now I want to dig into that list and acknowledge other individuals contributing to Drupal.

I am deliberately limiting the discussed contributors to people that I have had minimal or no direct interaction with online or in-person. I want to explore their contributions based on their online presence versus directly interviewing them.

The Drunken Monkey

I genuinely value Drunken Monkey's contribution to Drupal's Search API module.

We rarely appreciate an API module until we have to start using them and diving into the code. The Search API module for Drupal 8 is a magnificent example of great code which conquers one of the hardest challenges in programming: naming things.

For a recent project, I was diving into Search API's code, and Drunken Monkey helped me out when I discovered Issue #2907518: Breakup tracking of content entities into smaller chunks to prevent memory limit issue. For the developers out there, if you read through the issue to the final patch, you will notice that Drunken Monkey manages to even improve some APIs while fixing the problem.

The Search API Guy

The first place to understand who is who in the Drupal community is people's user profiles. The most immediate thing that stands out about Drunken Monkey is that he is…

This statement is something I can relate to because I...

Security advisories: Drupal Core - Multiple Vulnerabilities - SA-CORE-2018-006

1 day 1 hour ago
  • Advisory ID: DRUPAL-SA-CORE-2018-006
  • Project: Drupal core
  • Version: 7.x, 8.x
  • Date: 2018-October-17
Description

Content moderation - Moderately critical - Access bypass - Drupal 8

In some conditions, content moderation fails to check a user's access to use certain transitions, leading to an access bypass.

In order to fix this issue, the following changes have been made to content moderation which may have implications for backwards compatibility:

ModerationStateConstraintValidator
Two additional services have been injected into this service. Anyone subclassing this service must ensure these additional dependencies are passed to the constructor, if the constructor has been overridden.
StateTransitionValidationInterface
An additional method has been added to this interface. Implementations of this interface which do not extend the StateTransitionValidation should implement this method.

Implementations which do extend from the StateTransitionValidation should ensure any behavioural changes they have made are also reflected in this new method.

User permissions
Previously users who didn't have access to use any content moderation transitions were granted implicit access to update content provided the state of the content did not change. Now access to an associated transition will be validated for all users in scenarios where the state of content does not change between revisions.


External URL injection through URL aliases - Moderately Critical - Open Redirect - Drupal 7 and Drupal 8

The path module allows users with the 'administer paths' permission to create pretty URLs for content.

In certain circumstances such a user can enter a particular path that triggers an open redirect to a malicious URL.

The issue is mitigated by the fact that the user needs the 'administer paths' permission to exploit it.


Anonymous Open Redirect - Moderately Critical - Open Redirect - Drupal 8

Drupal core and contributed modules frequently use a "destination" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.

This vulnerability has been publicly documented.

RedirectResponseSubscriber event handler removal

As part of the fix, \Drupal\Core\EventSubscriber\RedirectResponseSubscriber::sanitizeDestination has been removed. Although this was a public method, it is not considered an API as per our API policy for event subscribers.
If you have extended that class or are calling that method, you should review your implementation in line with the changes in the patch. The method has been removed outright rather than left as a no-op, to prevent a false sense of security.
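The two open-redirect items above share one root cause: a user-supplied destination is echoed into a redirect without first proving it stays on the site. The following is an added example written for this page, not Drupal's own code and not the patch; it shows an allow-list check for a "destination" query parameter. The function names, the fallback value and the sample inputs are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added illustrative example, not Drupal's code: an allow-list check for a
// "destination" query parameter that only ever yields a path on the current
// site. Function names and the fallback value are this example's own.

/**
 * True only for a path rooted at a single "/" with no scheme, host,
 * backslash, whitespace or control characters.
 */
function isLocalDestination(string $destination): bool {
  // "//host" is protocol-relative and "/\host" is normalised to it by
  // browsers; both would take the user off-site.
  if (!preg_match('#^/(?![/\\\\])#', $destination)) {
    return false;
  }
  // Control characters enable header injection, and spaces or backslashes
  // get re-interpreted by browsers; none of them belong in a site-local path.
  if (preg_match('#[\\x00-\\x20\\x7F\\\\]#', $destination)) {
    return false;
  }
  // Belt and braces: parse_url() must see neither a scheme nor a host.
  $parts = parse_url($destination);
  return $parts !== false && !isset($parts['scheme']) && !isset($parts['host']);
}

/**
 * Decide where to send the user after an action: the requested destination
 * if it is site-local, otherwise a fixed fallback.
 */
function redirectTarget(?string $destination, string $fallback = '/'): string {
  return ($destination !== null && isLocalDestination($destination)) ? $destination : $fallback;
}

// Constructed inputs: the first two are legitimate, the rest are the shapes
// an attacker would put into ?destination= to push users off-site.
$cases = [
  '/node/1?page=2#comments' => true,
  '/user/login'             => true,
  '//evil.example/login'    => false,
  '/\\evil.example'         => false,
  'https://evil.example/'   => false,
  'javascript:alert(1)'     => false,
  "/node/1\r\nLocation: https://evil.example" => false,
  ''                        => false,
];

foreach ($cases as $input => $expected) {
  $ok = isLocalDestination($input) === $expected;
  printf("%-45s -> %s %s\n",
    json_encode($input),
    json_encode(redirectTarget($input)),
    $ok ? 'ok' : 'MISMATCH');
}
```

The check is deliberately an allow-list (a single leading slash, then a clean path) rather than a deny-list of known bad prefixes, because browsers normalise "\" to "/" and tolerate stray control bytes, which lets a deny-list be bypassed. Anything that fails lands on the fixed fallback instead of being reflected.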


Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution - Drupal 7 and Drupal 8

When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.
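To make the advisory's "not sanitized for shell arguments" concrete, here is an added example written for this page; it is not Drupal's code and not the patch. It models the pattern behind this class of bug: a Return-Path header concatenated into the fifth argument of PHP's mail(), which PHP appends to the configured sendmail command and runs through the shell. PHP escapes shell metacharacters in that argument but not whitespace, so a space in the value starts a new sendmail option. The function names, the toy argv splitter and the attacker string are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added illustrative example, not Drupal's code. It models the pattern the
// advisory describes: the Return-Path of an outgoing message is concatenated
// into the fifth argument of PHP's mail(), which PHP passes to the sendmail
// binary as extra command-line words.

/**
 * Vulnerable pattern: whatever is in Return-Path is handed to sendmail
 * verbatim. PHP escapes shell metacharacters in this argument, but it does
 * not stop a space from starting a new sendmail option.
 */
function vulnerableExtraParams(string $returnPath): string {
  return '-f' . $returnPath;
}

/**
 * Hardened pattern: refuse anything that is not a syntactically valid
 * address, then quote the value so the shell sees exactly one word.
 */
function safeExtraParams(string $returnPath): string {
  if (filter_var($returnPath, FILTER_VALIDATE_EMAIL) === false) {
    throw new InvalidArgumentException('Return-Path is not a valid e-mail address');
  }
  return '-f' . escapeshellarg($returnPath);
}

/**
 * Toy model of how the shell splits the extra parameters into argv words:
 * whitespace separates words, single quotes group them, a backslash outside
 * quotes escapes the next character. Used only to make the effect of the two
 * builders visible; it is not a full shell parser.
 */
function shellWords(string $params): array {
  $words = [];
  $current = '';
  $inQuote = false;
  $len = strlen($params);
  for ($i = 0; $i < $len; $i++) {
    $c = $params[$i];
    if ($c === '\\' && !$inQuote && $i + 1 < $len) {
      $current .= $params[++$i];
    } elseif ($c === "'") {
      $inQuote = !$inQuote;
    } elseif (!$inQuote && ($c === ' ' || $c === "\t")) {
      if ($current !== '') {
        $words[] = $current;
        $current = '';
      }
    } else {
      $current .= $c;
    }
  }
  if ($current !== '') {
    $words[] = $current;
  }
  return $words;
}

// Constructed attacker input: a plausible address followed by sendmail's -X
// option, which writes a trace log (message body included) to a path of the
// attacker's choosing.
$attack = 'attacker@example.com -X /var/www/html/shell.php';

// The vulnerable builder yields three argv words; the attacker controls two.
echo "vulnerable: ", json_encode(shellWords(vulnerableExtraParams($attack))), "\n";

// The hardened builder refuses the input outright.
try {
  safeExtraParams($attack);
} catch (InvalidArgumentException $e) {
  echo "hardened: rejected (", $e->getMessage(), ")\n";
}

// A benign address is still a single word after quoting.
echo "hardened: ", json_encode(shellWords(safeExtraParams('user@example.com'))), "\n";
```

Validation and quoting are both needed: FILTER_VALIDATE_EMAIL alone still admits some exotic RFC-valid local parts, and escapeshellarg alone would pass the attacker's junk to sendmail as part of the address. Together they guarantee that sendmail receives exactly one "-f" word that is a well-formed address.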


Contextual Links validation - Critical - Remote Code Execution - Drupal 8

The Contextual Links module doesn't sufficiently validate the requested contextual links.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access contextual links".


Solution

Upgrade to the most recent version of Drupal 7 or 8 core.

Minor versions of Drupal 8 prior to 8.5.x are not supported and do not receive security coverage, so sites running older versions should update to the latest 8.5.x release immediately. 8.5.x will receive security coverage until May 2019.

TEN7 Blog's Drupal Posts: Episode 041: Steve Persch

1 dzień 5 godzin ago
It is our pleasure to welcome to the TEN7 podcast Steve Persch, lead developer advocate at Pantheon. Here's what we're discussing in this podcast: Steve's background; celebrating a Drupal birthday; theater background and blogging; WordPress experience; improv comedy and ComedySportz building self-confidence; experience at Palantir in Chicago; contributing to Workbench; discovering Git; teaching WordPress' Gutenberg editor; what the WordPress and Drupal communities can learn from each other; the 2018 Twin Cities Open Source CMS Unconference; WordPress, Drupal and Joomla; supporting Backdrop; Alexander Hamilton; Steve Vector (alias)

Hook 42: September Accessibility (A11Y) Talks - Love thy Keyboard

1 dzień 16 godzin ago

Keyboard accessibility is vital, as many assistive devices emulate the keyboard. Using semantic HTML one can achieve an accessible User Interface (UI) with less code than non-semantic markup.

By managing and guiding focus with semantic HTML, developing an accessible UI is rather easy. Semantic HTML plays an important role in not only accessibility but SEO (Search Engine Optimization) as well. Although we are aware of it, it's often overlooked.

In September’s accessibility talk, Sarbbottam Bandyopadhyay shared the trade-offs of using semantic vs non-semantic markup with an everyday example. He also shared how to manage and guide focus. It was a brief presentation emphasizing the various aspects of keyboard accessibility. He concluded with a brief introduction to WAI-ARIA.

Sarbbottam is a frontend engineer with more than 14 years of experience. He currently works at LinkedIn, where he is part of the core accessibility team, focusing primarily on web accessibility. He has been involved with web accessibility since his Yahoo days.