Heine

Drupal

Google Friendconnect Drupal module not recommended (yet)

Heine —Tue, 2010/01/12 - 16:01

The Friendconnect module on code.google.com is not suitable for use on production sites. My message to the 36 people who've already downloaded the module:

Test on a local site only!

I'd rather have posted this as a comment on Bertboerland's Friendconnect story, but his server ran out of steam.

  • Drupal
  • Security
  • Planet Drupal
  • 6 comments

The OpenID 2.0 Compliance Crusade - Part I

Heine —Mon, 2010/01/11 - 22:50

We released Drupal 6.14 because of a number of vulnerabilities in the OpenID core module. One of those vulnerabilities was caused by not obeying the OpenID 2.0 Authentication specification.

A number of other spec violations were discovered while working on the security issue. This might not be that surprising; after all, our OpenID implementation was written against a draft, not the final 2.0 specification.

In addition, the issue queue on the OpenID core module hints that the OpenID module is going the way of BlogAPI (another Drupal dodo).

Rather than trying to fix each violation, I decided to correct the immediate issue and then start a belated OpenID 2.0 Compliance Crusade in public, to get our OpenID implementation fully compliant.

Wanna join in? Great! The rest of this post is meant to provide a slightly easier introduction to the first part of OpenID than the official specs. To prevent disappointment: it's basically a partial retelling of the spec. With this introduction, you should be able to investigate spec violations, and file and review patches for OpenID.

  • Drupal
  • Planet Drupal
  • OpenID
  • 1 comment

Using <embed> for XSS

Heine —Fri, 2009/10/30 - 18:38

I see a lot less stray <script> tags in the "Allowed HTML tags:" of the HTML filter these days. The <embed> tag is something I still see a lot in misconfigured formats.

It's rather easy to exploit such formats to execute JavaScript with a little bit of ActionScript:

  • Drupal
  • Security
  • Planet Drupal
  • Input Format
  • 1 comment

Bugfix woes for Drupal 6

Heine —Sun, 2009/09/13 - 10:55

The bugfixing procedure for Drupal 6 is, to say the least, "suboptimal".

Witness Issue #261258, that's been with us since Drupal 6.0. Thirteen releases later and the bug is still present.

Why, you ask? Because bugs should be fixed in HEAD (future release of Drupal) first, before being backported to 6.x-dev.

  • Drupal
  • Planet Drupal
  • 14 comments

The #drupal consultant

Heine —Thu, 2009/08/06 - 10:22

A gem on the Drupal consulting mailing list (emphasis added):

[...] when she's come up with the particular (and often peculiar) requirements, I haven't charged for the time I spend [...] chatting about it on #drupal

Well, we didn't charge you for the chat either, did we?

  • Drupal
  • Planet Drupal
  • Consulting
  • 9 comments

Varnish vs. page cache graph

Heine —Fri, 2009/07/31 - 21:24

Varnish is running on the same box (lame duck edition) as Apache, and is specifically configured to cache full pages for anonymous users, not just JS, CSS and images. The Pressflow reverse proxy patches were used to prevent sessions for anonymous users. All on Drupal 6.13.

The ab command used to build the graph includes a fake has_js cookie:

ab -n 20000 -C has_js=1 -c [concurrency] http://example.com/

Without the page cache, the requests-per-second figure decreases from about 7.2 requests/s to 4.2 requests/s. A large number of requests fail if the concurrency is increased above 100 for non-Varnish setups.

  • Drupal
  • Performance
  • Varnish
  • 1 comment

Menu access, a new pitfall when going back to Drupal 5

Heine —Mon, 2009/05/25 - 13:56

If you spend a lot of time exclusively in one Drupal version, you develop muscle memory for its API. This can be pretty dangerous, as I discovered when I caught myself writing the following menu item while backporting a Drupal 6 module.

  • Drupal
  • Planet Drupal
  • Pitfalls

Drupal 6: $base_path doesn't always point to the frontpage

Heine —Sun, 2009/05/17 - 20:13

Dear themers,

<a href="<?php print $base_path ?>" title="<?php print t('Home'); ?>" ...

... in page.tpl.php breaks Home functionality on many multilingual sites.

  • Drupal
  • Planet Drupal
  • Theming
  • Multilingual
  • 2 comments

A new form element in Drupal core

Heine —Wed, 2009/01/28 - 09:48

This post was written for a development version of Drupal between 6 and 7. The queries and pager need conversion to DBTNG.

With Commit #167487, a new form element has been added to Drupal core (7.x) to provide an alternative means of selecting items. Next to 'select' (combobox, list), checkboxes and radios, core now carries the 'tableselect' element. This element allows developers to easily create tables with selectable rows, which is ideal for those situations where you have to present a lot of data about each item to the user.

  • Drupal
  • Planet Drupal
  • FAPI
  • 17 comments

Drupal HEAD and HTTP 500 errors on IIS 7

Heine —Fri, 2009/01/09 - 12:41

If you use PHP via FastCGI on IIS 7 and installing Drupal HEAD (7.x-dev) results in an HTTP 500 error, you may need to increase a number of timeout settings. The php.ini ones are fairly straightforward, but setting the activityTimeout for the FastCGI module is not intuitive.

Open a Command prompt with Administrative rights and enter:

  • Drupal
  • IIS


Security reviews

I provide security reviews of custom code, contributed modules, themes and entire sites via LimoenGroen.

Contact us for a quote.


Copyright © 2021 by Heine Deelstra. All rights reserved.
