The Drupal Security team has just released a public security announcement, PSA 2016-001.
There will be multiple releases of Drupal contributed modules on Wednesday July 13th 2016 16:00 UTC that will fix highly critical remote code execution vulnerabilities (risk scores up to 22/25).
If you run any Drupal sites, please be prepared, and be ready to update your site as soon as this is released.
Drupal 7 and below came with an optional module you can use in your input formats - the "PHP Filter". This allows you to put PHP code into the content of your webpages, and Drupal will process the PHP before rendering the page.
Last week, to appropriate fanfares, Drupal 8 reached Release Candidate stage. That means Drupal 8 tagged releases now have an upgrade path between them, and it also means (very nearly) complete API / hook stability - which means this is the cue for some serious testing and development of contrib themes and modules.
However I made one schoolboy error: I was still using Drush 7.
It's actually quite an understandable mistake - all you had to do was follow the development of Drupal Next, and Drush, but not quite follow it closely enough.
This post is unlikely to interest any of my regular readers, but I'll post it here for the benefit of those who search for the solution to this exact problem.
I've never used it, but I know a lot of people who do. For years, AVG have offered a free anti-virus product. You have to put up with the fact that it will put a signature on the end of your email messages, letting the recipient know that AVG Free scanned the email for viruses.
They offered a "Pro" version that you had to pay for. It has extra features that the free version does not. It doesn't add a note to your incoming and outgoing email. Anecdotally, it may get virus signature updates faster.
In case you missed it, Drush has evolved recently.
Quick primer for beginners follows. (Although, if you haven't heard of Drush, the chances are this post was not written with you in mind. I blog about many subjects, and there aren't many readers who are interested in all of them!)
Drush stands for Drupal shell - it's a very powerful shell environment for managing Drupal sites using the command-line shell.
I'm a believer in paying for things. "Don't steal" - it's one of the ten commandments.
That means, if I want to use a stock photo on a website, on a flyer, on a poster, it should be with the copyright-holder's permission. It's their photo, and it's up to them to decide if I may use it. If I use it without their permission, it's theft.
Yesterday, Drupal 7.28 was released.
People rush to upgrade, knowing that there will be a tranche of bug-fixes that may resolve longstanding issues.
People hesitate to upgrade, because updating Drupal core is not as simple as we'd like.
Other times, the core update is a security release, and you can't afford to wait.
This does not need to be painful!!
You have probably read the official documentation on doing this.
Today is the day that Microsoft's Windows XP reaches "EOL" (End of Life) status. That means they won't be issuing any more updates for it. If security researchers (good guys), or hackers (bad guys), find vulnerabilities with it, Microsoft won't be issuing a fix for them.
This has been widely covered in the media. Apparently, a third of computers worldwide still use XP.
Phew, the heading of this post was a mouthful!
This post is a technical one, that probably won't interest many of my regular readers. However I know there are plenty of people looking for how to do this, so I thought I'd post this in case it helps others later.
mod_security is a free or charge module for the Apache webserver. It allows HTTP requests to be analyzed, using a large number of characteristics. You'd be looking for evidence that someone's request to GET or POST is malicious, and you'd block them if so.
