LN Webworks: Drupal 7 End-of-Life Announcement and Changes: What You Need to Know
Drupal 7 is approaching its end of life. Website owners and administrators must be aware of the important changes to stay updated. In a recent announcement, the Drupal Security Team provided important updates regarding the end-of-life date and changes to the support for Drupal 7.
Here are the recent changes related to Drupal:
Despite being an older version, Drupal 7 continues to be used by many websites around the world. The end of Drupal 7 requires website owners to migrate to a newer version for continued security, stability, and feature enhancements.
1. Drupal 7 End-of-Life Date and Support Changes: Drupal 7's end-of-life has been extended until January 5, 2025. However, this extension marks the final one. The Drupal Security Team has adjusted the level of support provided, affecting security advisories and issue resolution for Drupal 7.
Web Wash: How to use Checkboxes and Radio Buttons on Field Widgets in Drupal
The Drop Times: I Am Not Your Statistic: Killing User Personas and Reimagining Consumers
The Drop Times: DropTops of DrupalCon: Vox Populi from Delegates
LN Webworks: CKEditor 5 & Drupal 10: Fueling Innovation in Content Creation
Even before its official release in December 2022, Drupal 10 became the talk of the town. One of the major reasons behind the buzz it created and continues to create even today is the presence of CKEditor 5. It is a cutting-edge JavaScript-rich text editor that possesses MVC architecture, virtual DOM, and a custom data model. On top of it, the text editor is enriched with an incredible UI and phenomenal UX which empowers users to manage media and tables seamlessly. They can also leverage the power of auto-formatting and other splendid features to create and edit engaging content.
As Drupal already enjoys the stature of being a cutting-edge content management system, its combination with CKEditor 5 has resulted in a top-notch digital experience platform. Here, we’ll take a deep plunge into the unfathomable potential of the powerful duo: CKEditor 5 and Drupal 10.
Chapter Three: Hot Takes from DrupalCon Pittsburgh
Talking Drupal: Talking Drupal #404 - Content Modeling
Today we are talking about Drupal Content Modeling with our hosts.
For show notes visit: www.talkingDrupal.com/404
Topics
- What is Drupal Content Modeling
- How does content modeling help with a project
- What types of entities do you model
- Who should maintain the content model
- Best practices
- What questions should you ask
- How to decide what type of field
- What to do when you get it wrong
- What tools do you use
Nic Laflin - www.nLighteneddevelopment.com @nicxvan
John Picozzi - www.epam.com @johnpicozzi
Sean T. Walsh - @seantwalsh
MOTW Correspondent: Martin Anderson-Clutz - @mandclu
Field Tools - Provides tools to analyze and manage your use of fields and display modes in your Drupal site.
The Drop Times: Igniting Brilliance: Unleashing the Star Power Within
"Your playing small does not serve the world." - Marianne Williamson.
The stars glitter like celestial jewels in the vast expanse of the night sky, captivating our imaginations and filling us with a sense of wonder. Each one holds a unique brilliance, radiating light that guides us through the darkness. Similarly, within each of us, there exists a powerful light, a luminosity waiting to be unleashed. It is the light of our potential, our dreams, and our ability to inspire others. As Marianne Williamson eloquently said, "Our deepest fear is not that we are inadequate. Our deepest fear is that we are powerful beyond measure."
Often, we find ourselves tethered by self-doubt and fear, hesitant to embrace our true potential. But what if we dared to break free from those chains? What if we dared to embrace our inner radiance, igniting the star power that resides within?
The journey towards self-realization begins with acknowledging that we possess an innate brilliance. Just as stars have their distinct glow, we, too, have unique gifts, talents, and passions waiting to be nurtured and shared with the world. Each of us holds within us the power to create, heal, and transform lives.
However, it is not enough to recognize our light; we must also cultivate and nourish it. Just as stars are formed from the fusion of cosmic elements, we can unlock our full potential through self-discovery, growth, and continuous learning. Embracing our strengths and weaknesses, and embarking on a journey of personal development, empowers us to shine ever brighter.
In the digital era, where the online realm is teeming with possibilities, Drupal stands as a guiding star, empowering individuals and organizations to transform their visions into reality. Drupal, an open-source content management system (CMS), harnesses the power of technology to amplify our brilliance on the web.
Drupal's vibrant community is a galaxy of passionate contributors who collaborate and share their knowledge, propelling the platform forward. Through their collective brilliance, Drupal evolves and adapts to the ever-changing digital landscape. The community's dedication to open-source principles ensures that Drupal remains accessible and continuously improves, fostering a culture of learning and growth.
Over the past few days, The Drop Times has been covering a myriad of captivating stories within the Drupal universe.
Here's a report about Elliott Mower's session at DrupalCon. Read our report on Mathias Bolt-Lesniak's presentation on The Big Impact of Open Source. TDT also shares insights from Dries Buytaert's blog post, which delves into the intricate details of his keynote address at Pittsburgh.
Tim Ludwig of Acquia shared his firsthand experience as a marketer attending the conference, emphasizing the warm and welcoming atmosphere permeating the event.
Automattic, the parent company of WordPress, has generously donated €20,000 to support the next phase of development for Drupal Gutenberg, a module created by Norway-based agency Frontkom.
Coming to the blog posts related to Drupal, one notable blog post published by Agileana serves as a timely reminder for website owners to embrace the forward momentum of Drupal 8 or 9. In another enlightening blog post by New Target, the exploration of building a scalable website using Drupal captures the attention of developers and business owners alike. A blog post published by Lullabot discusses the concept of a content matrix and its significance in organizing and optimizing website content.
An article published by Sigzen compares the scalability of PHP and Node.js, two popular programming languages for web development. A new blog post by Matt Glaman titled "Registering Services in Drupal Service Container Without a Module" explains how to register services in the Drupal service container without creating a custom module.
Security, a critical aspect of any digital presence, takes center stage in a blog post published on People's Blog, where a Drupal Security Checklist is shared.
Another compelling blog post by Cyber-Duck delves into the aftermath of extending Drupal 7's End of Life. A recent article published by Bounteous discusses the concept of composable architecture and its relevance to Drupal as a headless CMS. Promet Source shares an enlightening blog post about Drupal 10, emphasizing its potential as a game-changer for government websites.
Drupal Swag Shop has opened a full range of Pride Month merchandise. With the new range of products, Swag Shop offers a chance to celebrate Pride Month with Drupal. An article published by IronStar explains the results of the 2023 Drupal Local Development Survey. The 9th episode of Chromatic's Drupal 7 End of Life (EoL) podcast is out. In the new episode, Mark Dorison and Dave Look mainly discuss the EoL extension of Drupal 7.
Acquia has announced enhancements to its digital experience platform, Acquia DXP, to create more personalized customer experiences.
On the community front, TDT highlights the dynamic nature of the Drupal community by sharing news of meetups taking place across France, with Bordeaux being the next exciting destination. DrupalCamp Spain, Sevilla 2023, is scheduled for 21-23 September. The call to submit sessions is open now.
And remember, you can always visit The Drop Times to read more and stay connected to the vibrant Drupal community.
Kazima Abbas
Sub Editor, TheDropTimes
LN Webworks: Empowering Developers for Growth in IT with Drupal
By far, 2023 has been a turbulent year for the IT industry. Numerous professionals had to suffer from the excruciating pain of being laid off. Even those working at tech giants such as Google, Meta, and Microsoft had to swallow the bitter pill of sudden unemployment. However, the ‘State of the Tech Workforce’ report by CompTIA has brought some good news for IT professionals. It suggests that the tech industry will soon witness an addition of a plethora of new jobs. It also highlights that the opportunities for software developers and engineers will grow by approximately 4.7%.
Whether you are an experienced IT professional or a fresher, it is time to get all psyched up to leverage the new opportunities that will come your way. But, to be able to take your professional life to a whole new sphere of success, it is crucial to align yourself with cutting-edge and in-demand industry tools and skills. In this blog, we’ll examine Drupal development as the pedestal for taking your career on an upward spiral of growth.
The Accidental Coder: Drupal 10 Sandbox in 10 Easy Steps
mcdruid.co.uk: Insecure Deserialisation and IDOR, oh my!
A few years ago I found quite an interesting vulnerability in a contributed Drupal module called tablefield.
The module allows Drupal entities to hold tabular data, and the vulnerability was a combination of Insecure Deserialisation and a type of Insecure Direct Object Reference (IDOR).
The fix was released over 4 years ago so sufficient time has passed for me to share some more details.
The module has a hook_menu page callback (Drupal 7's equivalent of a route) that looks like this:
'tablefield/export/%/%/%/%/%' => array(
  'page callback' => 'tablefield_export_csv',
  'page arguments' => array(2, 3, 4, 5, 6),
  'title' => 'Export Table Data',
  'access arguments' => array('export tablefield'),
),
https://git.drupalcode.org/project/tablefield/-/blob/7.x-3.3/tablefield....
The callback function that requests would be passed to looked like this:
/**
 * Menu callback to export a table as a CSV.
 *
 * @param string $entity_type
 *   The type of entity, e.g. node.
 * @param string $entity_id
 *   The id of the entity.
 * @param string $field_name
 *   The machine name of the field to load.
 * @param string $langcode
 *   The language code specified.
 * @param string $delta
 *   The field delta to load.
 */
function tablefield_export_csv($entity_type, $entity_id, $field_name, $langcode, $delta) {
  $filename = sprintf('%s_%s_%s_%s_%s.csv', $entity_type, $entity_id, $field_name, $langcode, $delta);
  $uri = 'temporary://' . $filename;

  // Attempt to load the entity.
  $ids = array($entity_id);
  $entity = entity_load($entity_type, $ids);
  $entity = array_pop($entity);

  // Ensure that the data is available and that we can load a
  // temporary file to stream the data.
  if (isset($entity->{$field_name}[$langcode][$delta]['value']) && $fp = fopen($uri, 'w+')) {
    $table = unserialize($entity->{$field_name}[$langcode][$delta]['value']);
    ...snip...
https://git.drupalcode.org/project/tablefield/-/blob/7.x-3.3/tablefield....
So this page callback takes several parameters from the URL and uses them to load the value of a specific field on a given entity.
It is assumed that this will be a tablefield, and that its content will be serialised tabular data.
The callback passes the value of the field to PHP's unserialize() to reconstruct the tabular data so that it can be exported to a CSV file.
Can you spot a problem here?
It's possible for an attacker to pass any combination of the parameters $entity_type, $entity_id, $field_name, $langcode, $delta in order to load an arbitrary field from the database, and the value stored in that field will be passed to unserialize(). Oops.
In order for this to be an exploitable vulnerability on a site, two conditions need to be met. The attacker must be able to:
- Store their payload in an entity's field.
- Access the "Export Table Data" callback (in other words they need to have the "export tablefield" permission).
It's good that the callback is protected by its own permission, but it seems likely that this permission may be granted to fairly low privileged or even anonymous users.
As for storing a payload in an entity field, this too is something that low privileged or even anonymous users are quite often able to do on Drupal sites.
If a user can post a comment, for example, that comment is stored as an entity field. A comment field could be passed to tablefield's callback with a URL like this:
$ curl http://example.com/tablefield/export/comment/1/comment_body/und/0
In my original report of this vulnerability I gave the following as an example payload:
O:11:"Archive_Tar":1:{s:13:"_temp_tarname";s:23:"/tmp/now_you_see_me.txt";}
This is a serialised object of Drupal 7's Archive_Tar class, which is based on PEAR's Archive_Tar.
At the time of the report, the class destructor would "clean up" by calling unlink() on the value of _temp_tarname if it was set.
public function __destruct() {
  $this->_close();
  // ----- Look for a local copy to delete
  if ($this->_temp_tarname != '') {
    @unlink($this->_temp_tarname);
  }
}
https://github.com/pear/Archive_Tar/blob/19bb8e95490d3e3ad92fcac95500ca8...
So when this example payload was stored in a comment, then loaded by the callback and passed to unserialize(), the Archive_Tar object would briefly be reanimated, then the destructor would be called and the file specified in the payload would be deleted.
This could be used, for example, to delete a .htaccess file protecting a sensitive directory, or one preventing PHP uploads from being executed. An attacker with an appetite for destruction might simply try to delete settings.php.
Other gadget chains may be available on a given site, but Drupal 7 core does not have many classes that make good candidates for this.
Comments weren't the only viable vector, but they were probably the most likely entity field that an attacker might be able to write to.
After this report was submitted to the Drupal Security Team, the maintainers of the module responded almost immediately and were exemplary in the way they handled the issue and worked on releasing the fix. We also co-ordinated with the Backdrop Security team.
https://www.drupal.org/sa-contrib-2019-045 was rated as Critical 16/25. The fix we agreed on was simply that the callback should check that the given entity field was actually managed by tablefield before passing its value to unserialize():
// Ensure this is a tablefield.
$field_info = field_info_field($field_name);
if (!$field_info || $field_info['type'] != 'tablefield') {
  return drupal_not_found();
}
https://git.drupalcode.org/project/tablefield/-/compare/7.x-3.4...7.x-3....
Since then, I got a PR merged upstream to harden the destructor in Archive_Tar which means the example payload would no longer delete any arbitrary file.
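To make the two halves of this write-up concrete (why a destructor fires on unserialized data, and why the field-type check in the fix closes the hole), here is an added, self-contained PHP 7.4+ example. It is not tablefield's or Drupal's code: the class AuditedCleanup is a hypothetical stand-in for Archive_Tar whose destructor only appends to a log instead of calling unlink(), and unsafe_load(), safe_load() and export_allowed() are illustrative functions; the 'text_long' type for comment_body is used as an illustrative non-tablefield type.

```php
<?php
// Added example (not tablefield's or Drupal's code). Standalone PHP 7.4+.
// Shows (1) a destructor running on attacker-shaped state after a blind
// unserialize(), (2) allowed_classes=false as a hardening, and (3) the
// field-type gate from the SA-CONTRIB-2019-045 fix.

// Hypothetical stand-in for Archive_Tar: the destructor only records what
// it *would* have cleaned up, so the mechanism can be observed safely.
final class AuditedCleanup {
    public static array $log = [];
    public string $target = '';

    public function __destruct() {
        if ($this->target !== '') {
            self::$log[] = 'would clean up: ' . $this->target;
        }
    }
}

// Mirrors the vulnerable callback: stored field data is unserialized as-is,
// so any class present on the site can be instantiated with chosen state.
function unsafe_load(string $stored) {
    return unserialize($stored);
}

// Hardened variant: no class is ever instantiated (objects come back as
// __PHP_Incomplete_Class, which has no destructor), and anything that is
// not the plain array a tablefield stores is rejected.
function safe_load(string $stored): ?array {
    $data = @unserialize($stored, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Equivalent of the fix: only fields whose type is 'tablefield' may reach
// unserialize(). $fieldInfo stands in for field_info_field()'s result.
function export_allowed(?array $fieldInfo): bool {
    return $fieldInfo !== null && ($fieldInfo['type'] ?? '') === 'tablefield';
}

// Constructed sample: a "comment body" holding a serialized object.
$obj = new AuditedCleanup();
$obj->target = '/tmp/example.txt';
$hostile = serialize($obj);
unset($obj);                  // destructor fires here once; reset the log
AuditedCleanup::$log = [];

// 1) Blind unserialize revives the object; when it goes out of scope the
//    destructor runs with the state chosen by whoever wrote the field.
$revived = unsafe_load($hostile);
unset($revived);
printf("unsafe_load: %d destructor side effect(s)\n", count(AuditedCleanup::$log));

// 2) allowed_classes=false: no AuditedCleanup is created, no destructor runs,
//    and the non-array result is rejected by the caller.
AuditedCleanup::$log = [];
$result = safe_load($hostile);
printf("safe_load: %s, %d side effect(s)\n", var_export($result, true), count(AuditedCleanup::$log));

// 3) A genuine tablefield value (a plain array) still round-trips.
$table = serialize(['tabledata' => [['a', 'b'], ['1', '2']]]);
print_r(safe_load($table));

// 4) The field-type gate from the fix.
var_dump(export_allowed(['type' => 'tablefield']));   // true
var_dump(export_allowed(['type' => 'text_long']));    // false (e.g. comment_body)
var_dump(export_allowed(null));                       // false (unknown field)
```

The two checks are complementary: the type gate stops arbitrary fields from reaching unserialize() at all, while allowed_classes => false limits the damage if some other path ever feeds untrusted data to it, since tabular data needs no objects. Note that allowed_classes requires PHP 7.0 or later, which is why the original fix, targeting Drupal 7 sites still on older PHP, relied on the field-type check.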
Tags: drupal-planet, security
Promet Source: 10 Reasons for Government to Love Drupal 10
Community Working Group posts: 2023 Aaron Winborn Award Winner: Randy Fay
During DrupalCon Pittsburgh 2023, the members of the Drupal Community Working Group were pleased to announce the winner of the 2023 Aaron Winborn Award, Randy Fay (rfay).
About Rfay
Randy joined our Drupal community more than 17 years ago and has been an engaged member ever since. Randy loves dueling with computers and his career has spanned Apple ][ home automation, Unix/Linux kernel driver development, Windows, Drupal, and loads of fun system administration and DevOps work. After years of Drupal work he delights in maintaining DDEV, which provides an easy way to do web development on a local computer. Oh, and he’s done lots of traveling by bicycle, including a 2 1/2 year journey through the Americas from the Yukon to Patagonia.
Many Nominations
This year, there were 17 different individuals nominated for the award. In the coming weeks, the CWG will be contacting all nominees to let them know of their nomination, sharing some details about what their nominators wrote about them, and thanking them for their continued work in the community.
Several community members nominated Randy for the 2023 Aaron Winborn Award. Here are a few of the things they said:
As a nearly 18-year member of the Drupal community, Randy has made countless contributions to the growth and success of the platform. His work on important projects such as the "Examples for Developers" modules, as well as many projects in the commerce suite, has been invaluable to the community. He has also been a wonderful speaker at camps and conferences, sharing his expertise and insights with others.
In addition to his impressive technical skills, Randy's tireless work on the DDEV project has been a game-changer for Drupal developers. His commitment to creating a local development tool that simplifies and streamlines the development process has saved countless hours of work for developers around the world.
What sets Randy apart, however, is his unwavering commitment to kindness and his above-and-beyond dedication to the Drupal community. He is always willing to lend a helping hand, whether it's through trainings, mentorship, or simply being a friendly and supportive presence within the community.
His contributions have been immeasurable, and his character and commitment to the Drupal community make him a shining example of what this award represents.
About the Aaron Winborn Award
The award is named after a long-time Drupal contributor who lost his battle with ALS in 2015. This award recognizes an individual who, like Aaron, demonstrates personal integrity, kindness, and an above-and-beyond commitment to the Drupal project and community.
Previous winners of the award are Cathy Theys, Gábor Hojtsy, Nikki Stevens, Kevin Thull, Leslie Glynn, Baddý Breidert, AmyJune Hineline, and Angie Byron. Current CWG members, along with previous winners, selected the winner based on nominations submitted by Drupal community members.
Nominations for the 2024 award will open in early 2024.
Agaric Collective: Display lists naturally with the In Other Words module for Drupal
It is common for a Drupal site to list multiple items. It could be several authors of a single article, the days a recreation center is open, or the flavors an ice cream parlor serves. Clean, structured data is a strong point of Drupal, but the display of that structured content is limited out of the box. That is why DevCollaborative partnered with the Agaric Tech Collective to complete a stable release of In Other Words, a Drupal module that gives site builders the power to configure precise and natural ways to display lists of items.
LN Webworks: 5 Must-Have CMS Features Your Enterprise Applications Need in 2023
Enterprise-level content management systems (CMSs) are software applications that empower businesses to manage their digital content and assets seamlessly. They are equipped with cutting-edge tools and resources required to develop phenomenal sites with engaging content. With a CMS, you can create and update web pages even without any know-how in design and coding. These incredible aspects have given rise to an immense fondness for enterprise applications across the globe. According to research, 73 million sites use a CMS. Besides, 43.6% of sites have been custom-built with CMSs like Drupal. Seems intriguing, doesn’t it?
Nonprofit Drupal posts: June Drupal for Nonprofits Chat: DrupalCon Debrief
Join us TOMORROW, Thursday, June 14 at 1pm ET / 10am PT, for our regularly scheduled call to chat about all things Drupal and nonprofits. (Convert to your local time zone.)
In this month's informal chat, we'll be talking about DrupalCon Pittsburgh. What did we learn? What went well? What could be better? Got something specific on your mind? Feel free to share ahead of time in our collaborative Google doc: https://nten.org/drupal/notes!
All nonprofit Drupal devs and users, regardless of experience level, are always welcome on this call.
This free call is sponsored by NTEN.org and open to everyone.
- Join the call: https://us02web.zoom.us/j/81817469653
- Meeting ID: 818 1746 9653
- Passcode: 551681
- One tap mobile:
  +16699006833,,81817469653# US (San Jose)
  +13462487799,,81817469653# US (Houston)
- Dial by your location:
  +1 669 900 6833 US (San Jose)
  +1 346 248 7799 US (Houston)
  +1 253 215 8782 US (Tacoma)
  +1 929 205 6099 US (New York)
  +1 301 715 8592 US (Washington DC)
  +1 312 626 6799 US (Chicago)
- Find your local number: https://us02web.zoom.us/u/kpV1o65N
- Follow along on Google Docs: https://nten.org/drupal/notes
The Drop Times: Open Source as a Humanitarian Opportunity
LN Webworks: Views Responsive Grids: Drupal 10’s Incredible Feature for Responsive Web Design
Drupal is an ingenious content management system (CMS) known for astonishing the world with unbelievable features every now and then. Recently, the release of the latest Drupal 10, packed with awe-inspiring features caused a sensation worldwide. Views Responsive Grids is a Drupal 10 feature that contributed a fair share to the buzz it created. This phenomenal feature has revolutionized responsive design. Once you get a glimpse of the magic Views Responsive Grids can create, you cannot help but make Drupal 10 your new companion.
Wondering why everyone sings praises of this Drupal 10 feature? Let’s take an intriguing journey to help you understand what makes Views Responsive Grids worthy of it. But, before that, here is a prophecy for you: after getting acquainted with what this feature can do for you, you will also be prompted to join the club of its admirers.
DrupalEasy: DrupalCon Pittsburgh 2023 Superlatives
Unless you've been living underneath a Druplicon-shaped rock, you're probably aware that DrupalPalooza Pittsburgh took place June 5-8. If so, I'm guessing that your Drupal newsfeed is full of wrap-up articles and summaries that may feel a bit redundant (I know that mine is and that they do).
It is in the spirit of hopefully spicing up your Drupal news consumption that this will not be one of those blog posts. Rather, in my somewhat still high-school-aged mind, I'm rolling back the clock to present the DrupalCon Pittsburgh 2023 Superlatives 🎉
Best session (that I attended): Drupal Distributions & Recipes Initiative Update - but don't get too excited, Mr. Jim Birch (the presenter) 😜, as I really don't go to a whole lot of sessions normally. That being said, it is difficult not to get excited about Recipes and this session was exactly what I was hoping for.
Most "It's about time" thing: Randy Fay winning the Aaron Winborn Award.
Most fulfilling personal moment: The DrupalEasy Learning Community alumni and mentor lunch. Having so many of our graduates and mentors in one place was quite gratifying, even if they did turn teasing me into a competitive sport.
Most of the alumni present were from our long-running 12-week, best practice and beginner focused Drupal Career Online http://drupaleasy.com/dco (next semester begins August 28.)
Best official/unofficial party: The Lullabot Party. There are a few things I really need at a party these days: a volume level where I don't have to scream to have a conversation, an outdoor area, activities, and good food and drink. This one was 4-for-4. The Pins x Pints Barcade Bash from Acquia came in a close second.
Favorite session that I didn't see in person but have since watched: Advanced Render Cache Debugging presented by Jody Hamilton and Janez Urevc. I'll watch pretty much anything having to do with Drupal caching, and this was one of the better presentations I've ever seen on the topic. Well worth your time.
Most useful thing that I really liked but probably not too many other people did: The distance between the expo hall and the session rooms.
Biggest question I left with: Which hosting companies are going to step up and fully support (and promote) hosting plans for Automatic Updates (and therefore Project Browser) for less technical Drupal site-builders?
Best new "thing": I am not a fan of draws (even though I do love soccer,) but in this case I really can't pick one. Both Pitch-burg and the Drupal Association Member Breakfast were fantastic additions this year. I love incentivizing folks to join the Drupal Association (especially with free food.) Also, I was a bit skeptical of Pitch-burg at first, but I really enjoyed how Dries weaved it into his keynote, and I am really looking forward to seeing how the funded projects turn out.
Best contributed module release that took place during DrupalCon: Smart Trim 2.1.0
Biggest complaint: Why was the Single Directory Components session in such a small room? Silly.
Worst accommodations: Mine (shared with Gwendolyn, Sara, John, and Ryan.) We were in an Airbnb that was located by itself in the middle of a mostly-abandoned, overgrown industrial park. We had difficulty getting ride-share drivers there after dark. Seriously. Perhaps we need to read the reviews more carefully next time.
Biggest personal takeaways: Single Directory Components and Recipes are the future of Drupal. Also, the average age of community members needs to get younger (no offense, REDACTED.)
Best completely unofficial social event: The Pirates/A's baseball game on Wednesday afternoon (that led into Wednesday evening.)
Most inconvenient alarm: Thursday, 5am, in the bedroom of our sketchy Airbnb so I could finish prep for the Intro to Module Development workshop I was teaching at 9am.
Favorite image from another DrupalCon Pittsburgh wrap-up blog post: Ted Bowman (T-Bone to his friends) shot-gunning a beer(?) on the keynote stage on Mike Herchel's blog.