Not so highly critical?

The Drupal security team published a PSA to warn about upcoming security advisories. I shared my advice and predicted attacks within the hour after the security advisories are published. The security advisories are now published. Here is my followup.

I applaud the Drupal Security Team for warning about the highly critical updates. However, the public service announcement (PSA) left the impression that this event was going to be much more serious than it was. Such a PSA would have been perfectly appropriate for SA-CORE-2014-005 "Drupalgeddon". But, in hindsight, this was the only PSA there was.

I guess it is reasonable for the Drupal Security Team to be overcautious, especially given the lessons learned from the Drupalgeddon fallout. And of course, such decisions and criticism are much easier with hindsight.

But now I am concerned about how the Drupal Security Team can realistically raise the alert level further if there is another vulnerability as serious as Drupalgeddon. Even if they raise the alert level using stronger language in the PSA, will people still believe them? It reminds me of the boy who cried wolf.

Of course serious vulnerabilities like these are rare events in Drupal, so there is not yet a standard to compare alert levels to.

Drupalgeddon: Are you ready?

Just arrived here? Read my followup first.

Original post

The Drupal security team announced multiple highly critical updates to Drupal contrib modules in PSA-2016-001. Expect attacks within an hour of the announcement, which is 18 hours from the time this article is published. This is probably going to be Drupalgeddon all over again.

My advice

If you are prepared, you will save yourself a lot of time. If you are late or too slow, you will probably find yourself with a lot more work, e.g. the rescue workflow for Drupalgeddon 1.


Don't skimp on the first two. And do at least one of "3. Update a contrib module" or "4. Learn how to apply patches". Which one you choose depends on your skills and on how out of date the contrib modules on your Drupal websites are. Ideally, do both steps 3 and 4; you might find one of them significantly challenging.

Stages of JavaScript grief

This is one of my favourite blog posts of all time. It is no longer published, but I found it on the Wayback Machine (Internet Archive). I am reposting it here for your enjoyment. I hope the original author doesn't mind.

Originally by Dan Lee, 9 September 2010.

The typical beginning of an Enterprise Developer’s JavaScript education is involuntary in nature. In many cases an engineer with a strong background in Java, or other strongly-typed languages, is informed that their next project requires JavaScript. Like all forced actions, this will be a bumpy road. So bumpy in fact, that the Enterprise Developer will go through a grieving process as they leave behind their beloved strongly-typed language and plunge into the duck-typed world of JavaScript. This process of grief has four distinct stages.

Stage One: Doubt

As I discussed earlier, the Enterprise Developer’s usual introduction to JavaScript is less than stellar. Rightly so, when a developer hears that the next ‘Big Project’ will be done in JavaScript, their first thoughts are of the skeptical variety.

  • Sufferer will indicate that the prospect of using JavaScript will certainly lead to folly.
  • Sufferer will be heard saying things like, “JavaScript? Isn’t that the thing hackers use to screw up your Back button so you can’t leave a page?”

CTO: We've got a sweet new JAX-RS REST API in the works and you are going to rewrite the front-end using Dojo!

Developer: You do know that Dojo is JavaScript, right?

Terms of engagement template for freelancers

Most people who have worked as freelancers for a while will have a story about a client who never paid. Often freelancers simply do not have the time to think about getting a lawyer or writing a contract. Indeed, the cost of getting a lawyer involved usually outweighs the risk for most freelance engagements.

However, many times all the freelancer needs is for the client to understand how they roll: the terms on which they engage. To avoid getting burned, I require my clients to either prepay the hours or sign my terms of engagement.

Backcountry ski touring insurance in Canada

I researched and compared travel insurance policies that include cover for backcountry ski touring, for a 28-day trip to Canada by an NZ-resident couple in their thirties. Most travel insurers exclude skiing outside the ski area, or off-piste. These are the options I found. Most also offer annual policies, which are comparable in price to 4-week single-trip cover.

DISCLAIMER: I am not qualified to give financial advice.

Tugo, via Alpine Club of Canada

Security vulnerabilities in UserPro plugin for WordPress

The UserPro plugin for WordPress, in versions up to 2.28, has multiple security vulnerabilities that expose the website it is installed on to a wide range of attack vectors. The plugin has 27 occurrences of a procedure call that is extremely insecure (extract($_POST)) and a further 57 probably insecure uses of extract().
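The extract($_POST) pattern the post describes, shown as an added PHP illustration that is not the UserPro plugin's own code: the `$is_admin` flag, the handler names and the request array are constructed for the example. It contrasts the variable-overwrite behaviour with a handler that copies only expected fields into a named array.

```php
<?php
// Added illustration (not UserPro code): why extract($_POST) is dangerous,
// and a hardened alternative. $post is a constructed stand-in for $_POST.

function vulnerable_handler(array $post): bool
{
    // State the code trusts, set before any user input is touched.
    $is_admin = false;

    // extract() turns every request key into a local variable, so a
    // request field named "is_admin" silently overwrites the value above.
    extract($post);

    return (bool) $is_admin;
}

function hardened_handler(array $post): bool
{
    $is_admin = false;

    // Copy only the fields this handler expects, into a named array.
    // Request data never becomes a bare local variable.
    $allowed = ['username', 'email'];
    $input = [];
    foreach ($allowed as $key) {
        if (array_key_exists($key, $post)) {
            $input[$key] = (string) $post[$key];
        }
    }

    // $is_admin is unreachable from $input, so it keeps its value.
    return $is_admin;
}

// Constructed request containing an unexpected extra field.
$request = ['username' => 'alice', 'is_admin' => '1'];

echo 'vulnerable_handler: ', var_export(vulnerable_handler($request), true), PHP_EOL;
echo 'hardened_handler:   ', var_export(hardened_handler($request), true), PHP_EOL;
```

Even extract($post, EXTR_SKIP), which refuses to overwrite existing variables, still creates arbitrary locals from request keys, so the whitelist-into-array form is the one to reach for.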
