Development News

Bulgaria PHP Conference 2016

PHP Announcements - 19 hours 20 min ago
Bulgaria PHP Conference is the premier PHP conference, gathering PHP and frontend developers and engineers from all around Europe. Co-organized by the Bulgaria PHP User Group and SiteGround web hosting, the conference is bringing internationally renowned experts from the PHP industry to talk about APIs, Frameworks, Security, Testing, Continuous Integration, and much more!

Highlights:
  • 500+ passionate attendees
  • 27 world-renowned speakers
  • 4 practical workshops
  • 3 action-packed days
  • 1 legendary after party
  • Games, JeoPHPardy, Hackathon
  • Amazing food, swag and gifts included

Get your discounted ticket today. Price increases to the regular one (129 EUR) on September 1, 2016. Still not convinced? Here are several reasons to head to Sofia for Bulgaria PHP Conference.
Categories: Development News, PHP, PHP News

Skype Status - Moderately Critical - Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-076

Drupal Contributed Security - Wed, 09/20/2017 - 14:48
Description

This module enables you to obtain the status for a user's Skype account

The module doesn't sufficiently sanitize the user input for their Skype ID.

This vulnerability is mitigated by the fact that an attacker must have an account on the site and be allowed to edit/input their Skype ID.
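The advisory describes a stored cross-site scripting issue: a profile value that a user controls is emitted into markup without enough sanitization. The following is an added example, not the Skype Status module's code, showing the weak pattern beside the hardened one. Drupal 7's `check_plain()` is `htmlspecialchars()` with `ENT_QUOTES` and UTF-8, which is what `escapeForHtml()` does here; the character set accepted by `isPlausibleSkypeId()` and the sample values are assumptions constructed for the demonstration, not the module's own rules.

```php
<?php
// Added example (not the Skype Status module's code): validate a user-supplied
// profile value on input and escape it on output. Both layers matter: values
// stored before validation existed are still rendered safely.

declare(strict_types=1);

/** Weak pattern: the stored value is concatenated straight into HTML. */
function renderUnsafe(string $skypeId): string
{
    return '<a href="skype:' . $skypeId . '?call">' . $skypeId . '</a>';
}

/** Escape for HTML text and quoted attributes (same as Drupal 7 check_plain()). */
function escapeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Save-time allowlist. The pattern (letters, digits, dot, underscore, colon,
 * dash; 6 to 32 characters) is an assumption for this example, not a Skype rule.
 */
function isPlausibleSkypeId(string $skypeId): bool
{
    return (bool) preg_match('/^[A-Za-z0-9._:-]{6,32}$/', $skypeId);
}

/** Hardened pattern: every interpolation point is escaped, whatever was stored. */
function renderEscaped(string $skypeId): string
{
    $safe = escapeForHtml($skypeId);
    return '<a href="skype:' . $safe . '?call">' . $safe . '</a>';
}

// Constructed samples: a benign ID and a value that carries markup.
$samples = [
    'alice.example',
    '"><b>injected</b>',
];

foreach ($samples as $id) {
    printf("input:     %s\n", $id);
    printf("accepted:  %s\n", isPlausibleSkypeId($id) ? 'yes' : 'no');
    printf("unsafe:    %s\n", renderUnsafe($id));
    printf("escaped:   %s\n\n", renderEscaped($id));
}
```

Running it shows the second sample closing the attribute and injecting an element through `renderUnsafe()`, while `renderEscaped()` turns the quote and angle brackets into entities and the allowlist rejects the value at save time.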

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Skype Status (skype_status) 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Skype Status module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Skype Status project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Page Access - Unsupported - SA-CONTRIB-2017-75

Drupal Contributed Security - Wed, 09/20/2017 - 14:43
  • Advisory ID: DRUPAL-SA-CONTRIB-2017-75
  • Project: Page Access (third-party module)
  • Date: 20-September-2017
Description

This module will provide the option to give the View and Edit access for users and roles on each node pages.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed Page Access module, there is nothing you need to do.

Solution

If you use the Page Access module for Drupal you should uninstall it.

Also see the Page Access project page.

Reported by

Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

What’s new on Drupal.org? - August 2017

Drupal News - Tue, 09/19/2017 - 12:38

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

Announcement TLS 1.0 and 1.1 deprecated

Drupal.org uses the Fastly CDN service for content delivery, and Fastly has deprecated support for TLS 1.1, TLS 1.0, and 3DES on the certificate we use for Drupal.org, per the mandate by the PCI Security Standards Council. This change took place on 9 Aug 2017. This means that browsers and API clients using the older TLS 1.1 or 1.0 protocols will no longer be supported. Older versions of curl or wget may be affected as well.

Almost time for DrupalCon Vienna

DrupalCon Vienna

DrupalCon Vienna is almost here! From September 26-29 you can join us for keynotes, sessions, and sprinting. Most of the Drupal Association engineering team will be on site, and we'll be hosting a panel discussion about recent updates to Drupal.org, and our plans for the future.

We hope to see you there!

Drupal.org updates 8.4.0 Alpha/Beta/Release Candidate 1

On August 3rd, Drupal 8.4.0 received its alpha release, followed on the 17th by a beta release, and on September 6th by the first release candidate. Several new stable API modules are now included in core for everything from workflow management to media management. Core maintainers hope to reach a stable release of Drupal 8.4 soon.

Improvements to Project Pages

We made a number of improvements to project pages in August, one of which was to clean up the 'Project information' section and add new iconography to make signals about project quality more clear to site builders.

Project information improvements

In the same vein, we've also improved the download table for contrib projects, by making it more clear which releases are recommended by the maintainer, providing pre-release information for minor versions, and displaying recent test results.

Download table improvements

Metadata about security coverage available to Composer

Developers who build Drupal sites using Composer may miss some of the project quality indicators from project pages on Drupal.org. Because of this, we now include information about whether a project receives security advisory coverage in the Composer 'extra' attribute. By including this information in the composer.json for each project, we hope to make it easier for developers using Composer to ensure they are only using modules with security advisory coverage. This information is also accessible for developers who may want to build additional tools for managing Composer packages.
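The paragraph invites developers to build tooling on this metadata. As an added example (not Drupal.org's own tooling), the script below reads a composer.lock and lists the Drupal packages whose `extra` attribute does not declare coverage. The key path `extra.drupal.security-coverage.status` and the status value `covered` are assumptions for this example; check them against the composer.json that Drupal.org publishes for a real project before relying on them. The lock file excerpt is constructed inline.

```php
<?php
// Added example: flag Drupal packages in composer.lock that lack security
// advisory coverage metadata. Key path and status values are assumptions.

declare(strict_types=1);

/**
 * Return [package name => coverage status] for every Drupal package whose
 * status is not "covered". Packages of other types carry no such metadata
 * and are skipped. A missing key is reported as "unknown".
 */
function packagesWithoutCoverage(string $lockJson): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $missing = [];
    $all = array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []);
    foreach ($all as $pkg) {
        $type = (string) ($pkg['type'] ?? '');
        if (strpos($type, 'drupal-') !== 0) {
            continue;
        }
        // Assumed key path; constructed for this example.
        $status = $pkg['extra']['drupal']['security-coverage']['status'] ?? 'unknown';
        if ($status !== 'covered') {
            $missing[(string) $pkg['name']] = (string) $status;
        }
    }
    ksort($missing);
    return $missing;
}

// Constructed lock excerpt: a covered module, an uncovered one, a module with
// no metadata at all, a theme with no metadata, and a non-Drupal library.
$sampleLock = <<<'JSON'
{
  "packages": [
    {"name": "drupal/covered_module", "type": "drupal-module",
     "extra": {"drupal": {"security-coverage": {"status": "covered"}}}},
    {"name": "drupal/uncovered_module", "type": "drupal-module",
     "extra": {"drupal": {"security-coverage": {"status": "not-covered"}}}},
    {"name": "drupal/legacy_module", "type": "drupal-module"},
    {"name": "drupal/plain_theme", "type": "drupal-theme"},
    {"name": "vendor/library", "type": "library"}
  ],
  "packages-dev": []
}
JSON;

foreach (packagesWithoutCoverage($sampleLock) as $name => $status) {
    printf("%-26s %s\n", $name, $status);
}
```

Wiring this into a CI job that reads the real composer.lock (`packagesWithoutCoverage(file_get_contents('composer.lock'))`) and fails when the returned array is non-empty gives a Composer-based site the same signal the project page shows to site builders.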

Automatic issue credit for committers

Just about the last step in resolving any code-related issue is for a project maintainer to commit the changes. To make sure these maintainers are credited for the work they do to review these code changes, we now automatically add issue credit for committers.

Performance Improvements for Events.Drupal.org

With DrupalCon coming up in September we spent a little bit of time tuning the performance of Events.Drupal.org. We managed to resolve a session management bug that was the root cause of a significant slow down, so now the site is performing much better.

Syncing your DrupalCon schedule to your calendar

A long requested feature for our DrupalCon websites has been the ability to sync a user's personal schedule to a calendar service. In August we released an initial implementation of this feature, and we're working on updating it in September to support ongoing syncing - stay tuned!

Membership CTA on Download and Extend

We've added a call to action for new members on the Drupal.org Download and Extend page, which highlights some great words and faces from the community. Membership contributions are a crucial part of funding Drupal.org and DrupalCon, but the majority of traffic we receive on Drupal.org is anonymous, and may not reach the areas of the site where we've promoted membership in the past. We're hoping this campaign will help us reach a wider audience.

Membership CTA on the Download page

DrupalCI sponsorship

DrupalCI is one of the most critical services the Drupal Association provides to the project, and also one of the more expensive. We've recently added a very small section to highlight how membership contributions help provide testing for the project - and in the future we hope to highlight sponsors who will step up specifically to subsidize testing for the Drupal project.

Infrastructure

More semantic labels for testing

In August we added more semantic labels for DrupalCI test configuration. This means that project maintainers no longer have to update their testing targets with each new release of Drupal, they can instead test against the 'pre-release' or 'supported' version, etc. More information can be found in the DrupalCI documentation.

Semantic Labels for Testing

Started PCI audit

In August we also began a PCI audit, and developed a plan of action to reduce the Drupal Association's PCI scope. Protecting our community's personal and financial information is critically important, and with a small engineering team, the more we can offload PCI responsibility onto our payment vendors the better. We'll be continuing to work on these changes into the new year.

———

As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects. In particular we want to thank:

If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association.

Follow us on Twitter for regular updates: @drupal_org, @drupal_infra

Categories: Development News, Drupal

PHP 7.2.0 Release Candidate 2 Released

PHP Announcements - Thu, 09/14/2017 - 12:07
The PHP development team announces the immediate availability of PHP 7.2.0 RC2. This release is the second Release Candidate for 7.2.0. All users of PHP are encouraged to test this version carefully, and report any bugs and incompatibilities in the bug tracking system. THIS IS A DEVELOPMENT PREVIEW - DO NOT USE IT IN PRODUCTION! For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. For source downloads of PHP 7.2.0 Release Candidate 2 please visit the download page; Windows sources and binaries can be found at windows.php.net/qa/. The next Release Candidate will be announced on the 28th of September. You can also read the full list of planned releases on our wiki. Thank you for helping us make PHP better.
Categories: Development News, PHP, PHP News

PHP North West 2017 (PHPNW17)

PHP Announcements - Wed, 09/13/2017 - 15:00
One of the largest and most popular PHP Conferences in Europe, PHPNW17 is a long-running community-based conference, held in Manchester, UK and run on a not-for-profit basis. It is overwhelmingly supported by industry leaders, code experts, web developers and businesses across the world. This year, we are celebrating our 10th conference year, and we aim to be bigger and better than ever before. The PHPNW Conference has a reputation within the PHP community as a "go to" conference due to its inspiring content, friendly atmosphere and networking opportunities. Our delegates come to our Conference because they are specifically interested in new technologies and ways to improve their skills through our tutorials and talks, as well as the awesome (unofficial) corridor track! The conference starts with a tutorial day on 29th September 2017, followed by a three-track conference on the Saturday (30th September) and Sunday (1st October). As an additional bonus we have a popular Unconference running alongside the other three tracks on the Saturday.
Categories: Development News, PHP, PHP News

Flag clear - Moderately Critical - CSRF - DRUPAL-SA-CONTRIB-2017-074

Drupal Contributed Security - Wed, 09/13/2017 - 12:50
Description

The Flag clear module allows administrators to remove user flags for content. This functionality is often useful in user-submission use-cases, where users do not necessarily need to unflag things on their own.

The module doesn't sufficiently confirm a user's intent to take unflagging actions.
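"Doesn't sufficiently confirm a user's intent" is the CSRF pattern: a state-changing request that succeeds whenever it arrives with the administrator's session, so a page elsewhere can trigger it in their browser. The following is an added example, not the Flag clear module's code, contrasting a handler that acts on any request with one that requires a token bound to the caller's session and to the exact action. Drupal 7 ships this mechanism as `drupal_get_token()` / `drupal_valid_token()` and offers `confirm_form()` for destructive actions; the secret, session id, query parameter names, path and flag state below are all constructed for the demonstration.

```php
<?php
// Added example (not the Flag clear module's code): bind a state-changing link
// to the user's session and to one specific action with an HMAC token, and
// reject requests whose token does not match. Names and values are constructed.

declare(strict_types=1);

const APP_SECRET = 'replace-with-a-per-site-secret'; // placeholder, not a real key

/** Token valid only for this session and this action string. */
function csrfToken(string $sessionId, string $action): string
{
    return hash_hmac('sha256', $action, $sessionId . APP_SECRET);
}

/** The link rendered for the administrator; the token travels with it. */
function unflagLink(string $sessionId, int $flagId, int $entityId): string
{
    $token = csrfToken($sessionId, "unflag:$flagId:$entityId");
    return '/flag-clear?' . http_build_query(['fid' => $flagId, 'eid' => $entityId, 'token' => $token]);
}

/** Weak handler: any request naming a flag and entity removes the flag. */
function handleUnflagWeak(array $query, array &$flags): bool
{
    unset($flags[(int) $query['fid']][(int) $query['eid']]);
    return true;
}

/** Hardened handler: act only when the token matches this session and action. */
function handleUnflagChecked(string $sessionId, array $query, array &$flags): bool
{
    $flagId = (int) ($query['fid'] ?? 0);
    $entityId = (int) ($query['eid'] ?? 0);
    $expected = csrfToken($sessionId, "unflag:$flagId:$entityId");
    $given = (string) ($query['token'] ?? '');
    if (!hash_equals($expected, $given)) { // constant-time comparison
        return false;
    }
    unset($flags[$flagId][$entityId]);
    return true;
}

// Constructed state: flag 3 is set on entities 10 and 11 for this session.
$flags = [3 => [10 => true, 11 => true]];
$session = 'sess-abc123';

// A request minted outside this session: no valid token for this action.
$forged = ['fid' => 3, 'eid' => 10, 'token' => csrfToken('sess-other', 'unflag:3:10')];

$weakState = $flags;
handleUnflagWeak($forged, $weakState);
printf("weak handler, forged request:    flag removed? %s\n", isset($weakState[3][10]) ? 'no' : 'yes');

$checkedState = $flags;
$ok = handleUnflagChecked($session, $forged, $checkedState);
printf("checked handler, forged request: accepted? %s, flag removed? %s\n",
    $ok ? 'yes' : 'no', isset($checkedState[3][10]) ? 'no' : 'yes');

// The link built for this session carries a matching token and is honoured.
parse_str((string) parse_url(unflagLink($session, 3, 10), PHP_URL_QUERY), $legit);
$ok = handleUnflagChecked($session, $legit, $checkedState);
printf("checked handler, own link:       accepted? %s, flag removed? %s\n",
    $ok ? 'yes' : 'no', isset($checkedState[3][10]) ? 'no' : 'yes');
```

Binding the token to the action string (flag id and entity id) as well as the session means a token leaked from one unflag link cannot be replayed against a different flag, and `hash_equals()` keeps the comparison from leaking timing information. For actions reached by a plain link, a confirmation form that posts the token is the more conventional Drupal 7 shape.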

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All Flag clear module versions prior to 7.x-1.10.

Drupal core is not affected. If you do not use the contributed Flag clear module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Flag clear project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal Association Board Meeting Announcement

Drupal News - Mon, 09/11/2017 - 16:39

The Drupal Association Board of Directors will meet twice during DrupalCon Vienna. They have a board retreat the weekend before the conference and there is an open board meeting during DrupalCon for the community to attend. Below are details about each meeting.

Board Retreat

During a retreat, the board and the Executive Director meet in an extended executive session to plan and discuss the strategy for the Drupal Association. Normally, the retreat lasts two days and non-board members including staff are invited to participate in presentations and discussions on specific topics.

However for the upcoming retreat in Vienna, we will be exploring a holistic view of the strategy for Drupal and are structuring the retreat differently to accommodate this expanded conversation.

Open Board Meeting

The board will meet again during DrupalCon Vienna on Wednesday, 27 September from 11:45 - 13:00 in the convention center Business Suite 3-4. This is open to the community and lunch will be served to all who attend. You can also attend remotely via Zoom. See the dial in information below.

The agenda for this meeting includes:

  • Vote to approve last board meeting minutes

  • Executive Update

  • Drupal.org Update

  • DrupalCon Europe Update

  • Community Governance update from the CWG

  • Community Q&A

  • Celebrate departing board members

Those dialing into the meeting can join zoom by registering here: https://zoom.us/webinar/register/1b63252cf48650c9d746f627e8486654

Or join by phone (see link for # by country):

https://zoom.us/zoomconference?m=ZTp9iSy-nW5sqyKJKRfhbTbxDueqU9W

Webinar ID: 460 900 173

Categories: Development News, Drupal

Drupal 8.4.0-rc1 is available for testing

Drupal News - Thu, 09/07/2017 - 08:47

The first release candidate for the upcoming Drupal 8.4.0 release is now available for testing. Drupal 8.4.0 is expected to be released October 4.

8.4.x includes new stable modules for storing date and time ranges, display form errors inline and manage workflows. New stable API modules for discovering layout definitions and media management are also included. The media API module is new in core, all other new stable modules were formerly experimental. The release also includes several important fixes for content revision data integrity, orphan file management and configuration data ordering among other things. You can read a detailed list of improvements in the announcements of alpha1 and beta1.

What does this mean to me?

For Drupal 8 site owners

The final bugfix release of 8.3.x has been released. A final security release window for 8.3.x is scheduled for September 20, but 8.3.x will receive no further releases following 8.4.0, and sites should prepare to update from 8.3.x to 8.4.x in order to continue getting bug and security fixes. Use update.php to update your 8.3.x sites to the 8.4.x series, just as you would to update from (e.g.) 8.3.4 to 8.3.5. You can use this release candidate to test the update. (Always back up your data before updating sites, and do not test updates in production.)

For module and theme authors

Drupal 8.4.x is backwards-compatible with 8.3.x. However, it does include internal API changes and API changes to experimental modules, so some minor updates may be required. Review the change records for 8.4.x, and test modules and themes with the release candidate now.

For translators

Some text changes were made since Drupal 8.3.0. Localize.drupal.org automatically offers these new and modified strings for translation. Strings are frozen with the release candidate, so translators can now update translations.

For core developers

All outstanding issues filed against 8.3.x were automatically migrated to 8.4.x. Future bug reports should be targeted against the 8.4.x branch. 8.5.x will remain open for new development during the 8.4.x release candidate phase. For more information, see the release candidate phase announcement.

Your bug reports help make Drupal better!

Release candidates are a chance to identify bugs for the upcoming release, so help us by searching the issue queue for any bugs you find, and filing a new issue if your bug has not been reported yet.

Categories: Development News, Drupal

DrupalCon Europe: Solving for “how to provide unique value”

Drupal News - Wed, 09/06/2017 - 15:56

DrupalCon Europe plays an important role in moving Drupal forward. However, with waning attendance and increasing financial losses, it’s time to find a new path forward so it is sustainable and continues to provide unique value. This blog covers the problem of relevance. In other words: how can DrupalCon Europe provide unique value, meeting the needs and wants for the European community. This blog is part of a series that includes:  

  1. The problem we need to solve for financial sustainability

  2. The problem we need to solve to create unique value

  3. Results from a proposal based on community input

  4. A new path forward for DrupalCon Europe.

As mentioned in our last post, DrupalCon is a human experience. It’s truly about bringing people together to strengthen bonds so they can do something amazing together with Drupal. As seen in the DrupalCon Dublin Wrap and DrupalCon Barcelona Wrap presentations, the event mostly attracts builders from digital agencies (developers, project managers, designers, UX) and digital agency owners. However, our community consists of so many more personas including technical decision makers, end-user business decision makers, as well as content strategists and content editors and other marketing related personas. DrupalCon’s current attendees, and those who don’t attend, have unique needs that they want DrupalCon to address. The question we ask is “How can DrupalCon serve this spectrum of needs while also being a sustainable event?” We start by looking at our current attendee base.

In the last post, we showed how attendance is waning at about 14% per year on average. Sponsor support dropped 17% this year. It’s apparent that DrupalCon Europe is not currently providing value that attendees and sponsors are willing to pay for. We understand that the cost to attend is not just buying the ticket, airfare, and lodging. There is also the opportunity cost of missing billable hours with clients and important time with family. To thrive as an event, DrupalCon Europe’s value needs to outweigh all of these costs.

Why is DrupalCon attracting fewer attendees? To find out, we spent a lot of time this year interviewing Drupal event organizers, core developers, sprint mentors, business owners, sponsors, and other engaged community members. We also conducted a survey that 350+ people participated in. This research started in December 2016 and continued through the year. We found that there are several reasons why fewer people attend DrupalCon ranging from lower-cost camps that provide similar content, to gaps in DrupalCon programming, and high attendance costs.

Event Competition

To understand how DrupalCon Europe can provide unique value through programming, we evaluated the competitive landscape for events. We looked at Drupal events (ex: Camps) and other technology events that attract Drupal developers, especially those working on headless solutions and e-commerce.

You can find the competitive analysis here. The TL;DR is that every Drupal event has some, if not a lot, of the same programming as DrupalCon Europe. The other thing that stands out is that DrupalCon Europe's programming does not cater to business decision makers who want to evaluate Drupal for their organization. However, local communities have started this work with the Splash Awards and similarly coordinated activities.

Doing this competitive analysis helped us see where DrupalCon provides unique value, which is listed in the Strengths portion of the SWOT down below. Still, we need to understand what the region needs to move Drupal and the community forward and what potential attendees want and need out of DrupalCon. So we conducted round table interviews of over 40 European community leaders and organizers and conducted a community survey. Thanks to everyone for participating in these conversations. You can find the survey findings here (spoiler: there is a lot of information in there. It is summarized in the sections below)

Findings from Interviews and Survey

Based on everyone’s input, we created a needs assessment and we also created a DrupalCon Europe SWOT analysis. Below are summaries of key questions asked.

Needs Assessment

What does Drupal success look like in Europe in the next 3 to 5 years?

The roundtable and survey participants we talked to describe a future where in 3 to 5 years, Drupal 8 will have lower barriers to adoption (modules, usability, UX) and it will grow in market-share, especially in government and enterprise. There was also a shared vision amongst some that Drupal serves the small and mid-sized business market. It will be seen as a leader in each country over competitors like WP and Typo3. There will be enough developers for hire to support that growth. In terms of community, there will be more contributing members, especially from end users, and there will be more people volunteering time to contribute code and run events. The community will be vibrant, healthy, and engaged.

What Europeans want and need for Drupal to thrive

We asked participants what areas need focus to help Drupal achieve their vision of success. Here is a summary of what we learned:

  • Grow talent pool

    • Developers (PHP, Symfony, JavaScript) need to get involved to: 1) be hired, 2) contribute either code or time to organize events. Basically, the longtime contributors need backup.
    • Education for developers to learn Drupal and deepen their skill
  • Grow adoption rate

    • not measured by just numbers - because there is no value in going after Squarespace deals. More marketing of Drupal’s power showing big, local case studies.
    • Get Drupal off the island - merge with other tech communities (PHP, JS) to talk about Drupal, organize co-located events, and recruit talent
  • A healthy community (depth of volunteer bench and mental health)

    • Camp support - turnkey websites, templated checklist, and sponsor support.
    • Promote / list country Associations, user groups on D.O

DrupalCon Europe and meeting the needs

Based on this input, it appears that the European community has a good vision for Drupal’s success and what they need to achieve it. We are pleased that DrupalCon Europe already addresses several needs such as:

  • Attracting new developers
  • Teaching developers about Drupal’s contribution culture
  • Getting people off the Drupal island with the PHP and Horizons track, which focuses on other projects and technologies.

We can adjust some programming to address currently unmet needs. For example, there is a need to deepen our community volunteer bench. Perhaps we can use Community Summits to provide mentorship.

However, there are some things DrupalCon Europe may not be able to achieve. For example, there is little support to make DrupalCon a developer event and a business / marketing event. In talking with other OSS projects, we learned that this is common in Europe. The suggestion is to decouple the two needs.

While DrupalCon can be redesigned to better meet needs, it is unclear which stakeholder to prioritize: the Drupal shops / digital agencies who want a marketing event, or the developer community who needs more people to help them build with Drupal and move the project forward. It is also unclear whether camps and other Drupal events are better positioned than DrupalCon to meet the developer community's needs.

DrupalCon Europe SWOT Analysis

Our survey and roundtable asked other questions like what is special about DrupalCon, where does it not meet your needs, etc. We used that kind of input to create a SWOT analysis for DrupalCon Europe.

SWOT stands for Strengths, Weaknesses, Opportunities and Threats. It helps you organize input so you can consider the best strategy for your business - or in this case, your event.

Here is the DrupalCon Europe SWOT:

  • Strengths:

    • DrupalCon Europe demonstrates the power of Drupal because it is the largest Drupal event. It creates a “Disneyland feeling” that re-energizes excitement for Drupal.
    • It breaks down barriers and fosters greater knowledge sharing across international borders.
    • Because it attracts people from different countries and is the largest Drupal event, it provides the best opportunity to expand your network and learn new thinking.
    • DrupalCon is professionally produced, which improves how Drupal is perceived
    • Dries and other well-known Drupal members are there
    • Offers diverse content (it’s for project managers as well as developers)
    • DevOps and hosting sponsors (e.g. Fastly) feel they connect with the right audience
  • Weaknesses:

    • Cost is too high (strong agreement on this)
    • Content is not advanced enough. We want to hear about other languages (PHP, Symfony, JS)
    • “I can hear the same speakers at camps, which are cheaper and closer to home”
    • Digital shops who sponsor say there is no ROI. They can’t give more in terms of sponsorship because they put their money into sending staff, which has a hard cost and opportunity cost
  • Opportunity: [note: this section reflects contrasting community opinions]

    • Re-imagine the event to focus on a new audience

      • Attract new developers. Don’t serve the existing advanced developers because they can go to DevDays.
      • Attract and move developers from newcomer to beginner to intermediate only
      • Attract [prospective] end users and then attract Drupal agency sponsors again.
      • Create vertical-specific programming with emphasis on public sector to attract [prospective] end users
      • Don’t focus on business. Just make it even better, bigger for the community
      • Make the event bigger than Drupal. Co-locate with or include more content about PHP, Symfony, JavaScript.
    • Make the main goal to attract new developers (including PHP, JS) by only going to three locations: UK, Benelux, Germany
    • Expand programming to talk more about things bigger than Drupal like JavaScript, PHP
    • Bring back the old community feel. Go back to the old days when it was more intimate and run by the community.
    • Shift resources by not doing a DrupalCon and support the camps. [But watch out for community burnout and help when camps get more attendees.]
    • Find a sustainable model for supporting European camps that can also support other regions like Asia Pacific and Latin America.
  • Threats

    • Camps, DevDays compete with DrupalCon head on with same speakers and sprints, yet provide an intimate, localized experience. Sponsorships are more affordable and sponsors can possibly get business at a camp where they can’t at DrupalCon Europe.
    • DrupalCamp London provides a regional event since it attracts attendees from all over [Western] Europe.
    • Other Technology events. Advanced developers want to go to a PHP, JavaScript conference
    • Drupal 8 is not growing and the D7 SMB market is moving to WIX and not D8, especially in certain countries.
    • Some can’t attend because of family commitments
    • Event timing conflicts with when I need to focus on business. Just returning from long summer break and it’s the end of Q3.

Looking at the SWOT, it is good to see consensus about DrupalCon’s strengths and weaknesses. That helps us know what to lean into and what to avoid as we look for solutions. What is concerning is “where do we take DrupalCon?” when looking at the opportunities. The community feedback reflects a wide spectrum of needs that DrupalCon could serve, yet it is quite unclear which ones to prioritize. Also, there was strong consensus that we lower ticket prices. Unfortunately, to lower ticket prices we need to hone our focus, rather than expand it to meet all of the expressed needs.

Summary

Overall, findings showed that there are many needs and opportunities for DrupalCon Europe to tackle. We cannot do all of them and it’s unclear which one is the top priority for the region.

Europe is many countries with many cultures. And Drupal is very flexible both in terms of how you use it technically, and also what personal or professional dream you want to pursue with it. It’s only natural that our research findings showed that the European region has multiple and differing visions for DrupalCon.

In the end, the question remains: where do we focus DrupalCon’s programming to strike at the highest priority needs of the European community and how do we do that in a sustainable way? The next blog in this series shows how we tried to answer it with community members.

Categories: Development News, Drupal

CAPTCHA - Moderately Critical - Denial of Service - SA-CONTRIB-2017-073

Drupal Contributed Security - Wed, 09/06/2017 - 15:21
Description

This module enables you to use various techniques to block automated scripts / robots from submitting content to a site, e.g. to block spam comments.

The module doesn't properly store the session ID of visitors who are given a session which could lead to a Denial of Service attack.

This vulnerability is mitigated by the fact that Drupal does not give a session to all visitors, especially when used with advanced caching systems like Varnish.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • CAPTCHA 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed CAPTCHA module, there is nothing you need to do.

Solution

Install the latest version:

Also see the CAPTCHA project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Clientside Validation - Critical - Arbitrary PHP Execution - DRUPAL-SA-CONTRIB-2017-072

Drupal Contributed Security - Wed, 09/06/2017 - 13:20
Description

The Clientside Validation module enables you to have clientside (Javascript) validation on your forms.

The module does not sufficiently validate parameters of a POST request made when validating a CAPTCHA.

For the 1.x version of this module, this vulnerability is mitigated by the fact that the CAPTCHA module must be enabled and the 'validate captcha' option of the Clientside Validation module must be enabled (this option is enabled by default).

For the 2.x version of this module, this vulnerability is mitigated by the fact that the CAPTCHA module must be enabled and the Clientside Validation captcha submodule must be enabled.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Clientside Validation 7.x-1.x versions prior to 7.x-1.45.
  • Clientside Validation 7.x-2.x versions prior to 7.x-2.0-beta2.

Drupal core is not affected. If you do not use the contributed Clientside Validation module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Clientside Validation project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity


DrupalCon Europe: Solving The financial problem

Drupal News - Tue, 09/05/2017 - 15:55

DrupalCon Europe plays an important role in moving Drupal forward by uniting community members across countries for knowledge sharing, networking, and celebrating. Plus, the event is one of the largest events focused on contribution back to the project. However, with waning attendance and financial losses, it’s time to find a new path forward so it is financially sustainable and provides value to the European community. This blog covers the financial problem we need to solve and it is part of a series that includes:  

  1. The problem we need to solve for financial sustainability

  2. The problem we need to solve to create unique value

  3. Results from a proposal based on community input

  4. A new path forward for DrupalCon Europe

The Financial Problem:

DrupalCon is a human experience. We certainly want to focus on the people in the community: what they want to achieve and what that looks like through an improved experience. However, financially the event needs to at least break even for us to continue providing this special experience. That is why we are starting this conversation by framing DrupalCon Europe’s financial problems.

We know that financially-focused blogs can be downright boring and not everyone feels comfortable reading financial statements. So this post provides several kinds of reports to illustrate the problem and we do our best to spell out where the challenges lay. Feel free to leave questions in the comments and we will answer them.

Last year, the Drupal Association contracted with a new financial planner, Summit CPA. They provide a lot more resources and financial insight than we have had in the past. One of the biggest things we learned last September was that DrupalCon Europe loses money. In the past, we did not include staff costs as part of the event cost, so we operated under the understanding that DrupalCon Europe was breaking even at a minimum. Our DrupalCon team spends 50% of their time on this event. Marketing spends close to 50%, the sponsor sales team spends 30%, engineering spends about 15%, and finance spends about 20%. For DrupalCon Europe, the staff costs add up to $220,000 per event.

It wasn’t wrong to not include staff costs in the DrupalCon budget. It just didn’t give the true picture of how this particular program was performing. As we started our financial turnaround last year, we realized that we need each of our programs to be self-sustaining going forward. Except, DrupalCon Europe is not self-sustaining. That puts pressure on the viability of other programs like Drupal.org, which needs to be properly funded to support everyone in the community.

Understanding Financials Through Comparison

One of the best ways to understand a situation is through comparison, so let’s look at DrupalCon Europe versus DrupalCon North America, which consistently operates at a profit due to several factors. We provide several reports below to help you see the comparison and the post walks you through those comparisons.

You will notice that all financials are in U.S. dollars (USD). Since the European community works with different currencies, we felt it was less confusing and less prone to error if we kept our reports in USD.

DrupalCon Reports

DrupalCon North America has a net income percentage of up to 38% and makes up 45% of Drupal Association’s annual revenue. Meanwhile, DrupalCon Europe operates at a loss. For example, DrupalCon Dublin lost $176,000 and had a net income percentage of -18%. DrupalCon Vienna is forecasted to lose over $200,000 even with the programming reductions that we made earlier in the year.

DrupalCon North America Weather Report

DrupalCon Europe Weather Report

DrupalCon Europe Financial Challenges

In short, DrupalCon Europe income is lower than DrupalCon North America due to fewer attendees and less sponsor support. However, expense per attendee is higher in Europe. Below is a summary of the main differences that make DrupalCon Europe unsustainable. We invite you to review the Profit & Loss statements and other financial reports so you can have more clarity around these points and possibly find ones we missed.

Greater Expenses than DrupalCon North America

One of the biggest cost differences is related to the convention center. Both DrupalCon Europe and North America are held in this kind of venue due to the attendance size. While DrupalCon Europe has fewer attendees than the North American event, it is still large enough to require us to be in a convention center.

We looked at moving the event to a hotel, but wifi and catering costs make this option more expensive. Also, hotel-based conferences require a large room block reservation that the Drupal Association would have to financially guarantee, which is a big risk. The European event attendees tend to opt for other lodging options like AirBnB. It’s unlikely we could sell enough hotel rooms to meet the guarantee, and we would end up paying a large penalty.

By comparing DrupalCon Dublin expenses with DrupalCon Baltimore expenses, you can see that the expense 5710: Facility and Furnishing is $328,000 in Dublin and $129,000 for Baltimore. This is the main expense putting strain on DrupalCon Europe’s sustainability.

It’s also more expensive to send staff and our contracted production team from the United States to Europe for a marathon of an event (up to 10 days).

Less Financial Support than DrupalCon North America

The challenge of funding an expensive, professional event like DrupalCon Europe comes down to two things: smaller attendance and less sponsor support. Here is a breakdown of how these two revenue items differ from DrupalCon North America.

Attendees

Smaller attendance with higher expenses makes the event unsustainable. DrupalCon Europe attracts about 1,700 - 1,800 attendees compared to DrupalCon North America, which has over 3,000 attendees. This means there is less ticket revenue to cover costs. And DrupalCon Europe attendance is decreasing by about 14% a year on average (if you average in Vienna's forecasted attendance), making it harder to cover costs in the future.

Another attendee difference is that DrupalCon North America attracts end users who are either leveling up their skills, evaluating Drupal, or looking for a service provider. Having end users at DrupalCon attracts Drupal shop / digital agency sponsors who get new business by connecting with this audience. Meanwhile, DrupalCon Europe primarily attracts builders (developers, project managers, designers) from Drupal shops / digital agencies. There are very few end users attending DrupalCon Europe. This impacts sponsor revenue as many Drupal shops / digital agencies do not want to sponsor an event where they are much less likely to get a business opportunity.

Sponsors

DrupalCon North America has about $850,000 in sponsor revenue while DrupalCon Europe has $300,000. There are a few reasons for this difference.

A big portion of DrupalCon North America’s sponsor revenue comes from North American Drupal shops / digital agencies. As mentioned, they sponsor because they can connect with the end user attendees who give them business opportunities. They also sponsor because the event is held in a country where they conduct business.

In Europe, and as mentioned above, Drupal shops / digital agencies are much less likely to get a qualified lead because it is primarily a developer event. Additionally, the Drupal shops / digital agencies in Europe support sales in their specific countries. As DrupalCon Europe moves around, sponsors find that the event is in a country where they don’t do business and therefore don’t want to sponsor.

As for the shops / agencies who do sponsor, they do so to support the community. It’s simply getting harder for them to invest in the event as they choose to put those funds into marketing or operations. It is important to note that hosting and software companies do find value in supporting DrupalCon since they target the developer audience.

A Study of Ticket Sales Profitability

Another way to see how the income and expense challenges make DrupalCon Europe unsustainable is to look at what the sale of a ticket covers and how much is left over to go towards paying expenses.

Here is a report that shows the profitability of the early bird and the regular rate ticket for DrupalCon Dublin and DrupalCon Baltimore. It shows that the profitability is:

Early Bird Rate                               DrupalCon Dublin   DrupalCon Baltimore
Ticket Profitability before sponsor income            -$238.05                -$0.36
Sponsor income per attendee                            $188.86               $244.15
Total Ticket Profitability                             -$49.19               $243.79

Regular Rate                                  DrupalCon Dublin   DrupalCon Baltimore
Ticket Profitability before sponsor income            -$133.87               $170.39
Sponsor income per attendee                            $188.86               $244.15
Total Ticket Profitability                              $54.99               $343.79

As you can see, we lose money for each DrupalCon Europe early bird ticket we sell. You may ask, why would we ever price a ticket that loses money? It’s a good question. When we priced this we did not include staff costs in the overall event costs. We were operating under the understanding that the ticket was making money. We can see now that when we include the staff costs in the overall event costs, this ticket type loses money.

You can also see that the Dublin regular rate not only earns $300 less profit per ticket than Baltimore, but that profit also has to compensate for the losses accrued by the Dublin early bird ticket sales.

Looking more closely at the report, you can also see that having less DrupalCon Europe sponsor support puts the ticket sales profitability at an even greater disadvantage. 

Clearly, DrupalCon Europe has a financial structural issue to solve for.

Blockers to Financial Solutions

There are a few ways to solve the financial problem. Ticket prices could be increased, we could grow attendance to improve the profitability, we could stay in the same venue each year, or we could cap attendance and have a smaller DrupalCon to control costs. We looked at these options and found the following blockers to each solution.

  • Increase ticket prices.

    • We surveyed the European community and found that there was a strong resistance to increasing ticket prices even if more value was delivered. Many see this event as a community event that should be affordable or free. Many believe they pay through their code and non code contribution and don’t want to pay more in ticket costs. Many also told us they want the ticket price to be greatly reduced.

  • Grow ticket sales revenue by expanding who the event serves

    • Attract more “builders”. Both DrupalCon Europe and North America attract a “builder persona” who work at a digital agency or Drupal Shop (developer, project manager, designer, UX). However, North America attracts builders from end users as well whereas DrupalCon Europe does not. It has been challenging to grow the end user / builder attendee at DrupalCon Europe. Part of the challenge is that when an end user adopts Drupal, the Association does not know. There is no closed-loop system that tells the Drupal Association who is using the software. We have to rely on Drupal shops / digital agencies to provide this information or be our marketing channel. In Europe, several agencies said they don’t want their end user attending so they stay positioned as “the trusted source on how to Drupal”.

    • Attract “evaluators”. In North America, the event has a commercial element, attracting decision makers who want to meet with sponsors and learn more about Drupal. This not only grows ticket sales, but it also encourages the high level of sponsor support in North America. However, DrupalCon Europe attendees strongly request that we don’t include a marketing or commercial focus at DrupalCon Europe, keeping it a purely developer event.

  • Hold a smaller event to control costs.

    • We researched this over the past few months. Looking at a 1,000 - 1,200 person event, venue options that can meet our event needs are still too expensive. And after testing the smaller event concept, we found that many community members were dissatisfied with this direction.

    • For DrupalCon Vienna, we controlled costs by making the program smaller by reducing the Monday trainings and summits. We also eliminated other elements like the DrupalCon t-shirt. Despite these changes, we are still operating at a loss due to decreasing attendance. Many expressed they understood why we needed to make these changes, but were unhappy with them. We are grateful to the Drupal Austrian community for bridging this gap and hosting summits and trainings on the Monday before Drupalcon Vienna.

Staff Capacity

This part is a bit sensitive because I’m talking about staff. They gave permission to have these details shared with you.

Last year, when the Drupal Association reduced its staff to bring our expenses in line with our revenue, we eliminated work to match the smaller team capacity. After living with that reality for a year, we can see that we did not do a good job with DrupalCon.

The DrupalCon staff consists of Rachel Friesen, Director of Events, and Amanda Gonser, Program Manager. Rachel is an operational wizard, who is committed to excellence, and cares deeply about delivering a special experience that meets our community’s needs. Rachel has incredibly streamlined the way we produce DrupalCon, from site selection, budgeting, space planning, vendor management, sponsor support, marketing oversight, and so much more. She moves an army of people ranging from the board, staff, vendors, sponsors, and community members through a process that ensures that everything gets done on time with the best possible planning. I am always impressed how Rachel goes the extra mile (er, kilometer) to hear and address everyone’s needs and ideas. It is truly a balancing act.

Many of you likely know Amanda from the DrupalCon emails or you are one of the hundreds of volunteers who work with her. Amanda is high energy, bubbly, focused, and moves hundreds of people through a process that allows everyone to contribute in their special way; track chairs who pick sessions, trainers, local volunteers who create the local experience, a troupe of event photographers, room monitors, social media volunteers, and more. As with all people management, Amanda not only gives volunteers a structure to follow, but she invests time with them to foster relationships. We can not produce DrupalCon without our amazing and generous volunteers and they deserve a meaningful experience.

While producing DrupalCon, many people want to try new things like add a new program to DrupalCon five months before the event or create a new sponsor package. There are certainly great ideas that can level up the experience. Unfortunately, Rachel and Amanda simply do not have the capacity to entertain many new ideas. That’s frustrating for both of them because they want community members to realize their ideas. It’s equally frustrating to the community members. In the end it can create a lose-lose situation.

Over the year, we noticed that Rachel’s and Amanda’s calendars are booked every hour throughout each day. When we talk, they have little time as they run from one meeting to the next. It’s a frenetic pace. We moved to Jira this year and their burndown charts show that they cannot complete everything they need to do within a sprint. This pace and high levels of stress are causing health issues.

Amanda did a capacity study. It showed that she is scheduled to do over 69 weeks of work in a year (and that doesn’t include sick or vacation time). Just a reminder, a year has 52 weeks. Rachel is in a very similar situation. We looked at which work we could eliminate, but at this point there is nothing. Naturally, the situation is untenable and must be addressed immediately.

Given how small our team is, the only way to address this is by adding another staff member or contractor. This means expenses will further increase for DrupalCon Europe. We can go this route, but in the end what this tells me is that we do not have the right operational model to support two DrupalCons per year - let alone the ability to scale back up to three per year.

I want to pause and thank Rachel and Amanda for pushing through this challenging time. Please join me in thanking them. I also want to thank the other Drupal Association staff for going above and beyond to make DrupalCon a special experience. You support Rachel and Amanda in so many ways to deliver a great event for the Drupal community.

Additionally, it cannot be said enough how special our volunteers are. They contribute their time and talent while already having full lives that include jobs, family, friends, and other interests. Volunteers could choose to do many other things with their free time, yet they chose to create DrupalCon for all of us. Thank you.

Summary

Phew! That was a longgg DrupalCon financial overview. Thanks for hanging in there. I hope sharing all that data and insight helps answer some of the questions we’ve seen in past blog comments and on Twitter this past year.

As you can see, solving DrupalCon Europe’s sustainability is critical, not only so this event can exist into the future, but so it doesn’t put strain on the sustainability of Drupal.org, which is clearly imperative for the project’s viability. We need to answer the question “how do we balance creating a valuable event with the financial realities of event production and the realities of staff capacity?”

But before we get into solutions, let’s look at what the community wants DrupalCon to achieve.

Our next blog in this series will be about the other problem to solve: How can DrupalCon Europe provide unique value?

Categories: Development News, Drupal

PHP 7.1.9 Released

PHP Announcements - Fri, 09/01/2017 - 02:31
The PHP development team announces the immediate availability of PHP 7.1.9. This is a bugfix release, with several bug fixes included. All PHP 7.1 users are encouraged to upgrade to this version. For source downloads of PHP 7.1.9 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
Categories: Development News, PHP, PHP News

Kickstarting the Drupal Community Spotlight

Drupal News - Thu, 08/31/2017 - 11:23

Let's face it, it's been a crappy year in many ways. Internally and externally there are pressures that have made all of us think "what's the point?"

Instead of a world where we build and move forward together there is conflict, uncertainty, and so many why moments. From the macro to the micro, communities and ecosystems are struggling. The ideals of open source software often feel exploited, and the feeling of wonderment and discovery as we build together has been cast aside to something that feels very much like... well, work.

Drupal has not been immune. Like I need to tell you that.

For those of us that are optimists, and change makers, and idealists, and believers, nothing hits home the impact of our work than stories about how we use this code called Drupal to create impact. I think the world needs a little of that right now.

So, we have a team, we have energy and we are ready to shine the crap out of the brilliance of the people behind, in front, and to the side of Drupal.

I for one am looking forward to us injecting so much positivity into this community that even the chronic eye rollers won’t be able to help but give a slight smile.

Drupal sprint commit at DrupalCon Baltimore 2017

A highlight of DrupalCon: the live code commit! Photo by Michael Cannon

The first thing we are working on is getting a way to start collecting stories. We might use a form. Or we might build an entire website. Just coz we can. So how about y’all give me a *whoop* *whoop* and start thinking about helping the Drupal Spotlight Committee unlock stories of Drupal impact from across the globe. It’s going to be fun.

Categories: Development News, Drupal

PHP 7.0.23 Released

PHP Announcements - Thu, 08/31/2017 - 08:00
The PHP development team announces the immediate availability of PHP 7.0.23. Several bugs have been fixed. All PHP 7.0 users are encouraged to upgrade to this version. For source downloads of PHP 7.0.23 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
Categories: Development News, PHP, PHP News

PHP 7.2.0 Release Candidate 1 Released

PHP Announcements - Thu, 08/31/2017 - 04:53
The PHP development team announces the immediate availability of PHP 7.2.0 Release Candidate 1. This release is the first Release Candidate for 7.2.0. All users of PHP are encouraged to test this version carefully, and report any bugs and incompatibilities in the bug tracking system. THIS IS A DEVELOPMENT PREVIEW - DO NOT USE IT IN PRODUCTION! For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. For source downloads of PHP 7.2.0 Release Candidate 1 please visit the download page, Windows sources and binaries can be found at windows.php.net/qa/. The second Release Candidate will be released on the 14th of September. You can also read the full list of planned releases on our wiki. Thank you for helping us make PHP better.
Categories: Development News, PHP, PHP News

DrupalCon Europe: Co-creating a sustainable and valuable event

Drupal News - Wed, 08/30/2017 - 16:38

The Drupal Association is honored to be the stewards of DrupalCon - a program created by the community for the community. It serves many goals ranging from uniting, growing, and strengthening the community to leveling up Drupal skills to accelerating contribution.

This year the Drupal Association has been focusing on DrupalCon Europe, so we can better serve the European community. While we certainly hear good things about the event from attendees, we also hear many comments like “it is too much of a US event” or “content isn’t appealing enough” or ”it is too expensive” or “there isn’t enough business value for sponsors” or “it’s not rock and roll enough”.

We see this play out in the attendance numbers, which decreased 14% on average each year since DrupalCon Amsterdam in 2014. Sponsor revenue decreased as well. And thanks to a more accurate financial reporting approach launched last year, we can see that DrupalCon Europe lost between $100,000 and about $200,000 per event for the last several events.

This isn’t a sign of Drupal’s health. It is simply a sign that this event is not meeting the community’s needs. We can tell because European Drupal events grew in number, attendance, and type over the last few years. The community clearly wants a different kind of experience.

Drupal Association staff like Amanda Gonser, Program Manager, and Rachel Friesen, Director of Events, come to work each day simply to serve the community and create a DrupalCon experience that delights and helps people feel empowered to move Drupal forward. It pains us knowing that DrupalCon is not hitting the mark for the European community. And, it also pains us that we aren’t able to host DrupalCon in other regions like Asia or South America because they’re not possible with our current operational model for hosting events.

For staff, producing a special DrupalCon experience is more than a job, it’s a personal mission. So, we are putting a lot of care into figuring out how to make DrupalCon Europe better.

To come up with an event concept that is sustainable and loved (or provides unique value in business speak), we met with many European community members over a period of 10 months and even put out a community survey to gather input. Together, we worked through a process to find a better path forward.

It’s time to open this discovery process up to the greater community so you can understand at a deeper level the problems we are trying to solve and the process we’re using to solve them. Then, we want to discuss the options that we have identified so we can find the best path forward for DrupalCon Europe. I know that together, we can create a sustainable event that strikes at the needs of the European community.

To share the information we’ve gathered and to foster discussion, I am launching a blog series. Starting with this post, it will cover the following topics:

  1. The problem we need to solve for financial sustainability

  2. The problem we need to solve to create unique value

  3. Results from a proposal based on community input

  4. A new path forward for DrupalCon Europe

I encourage discussion in the comment section during the blog series and I will host BOFs at DrupalCon Vienna so we can talk through a path forward. We encourage members to read this blog series so you have as much background information as possible to help inform these discussions.

Thank you for caring about this important community event and giving input into what it looks like in the future.

Categories: Development News, Drupal

H5P - Critical - Reflected Cross Site Scripting (XSS) - DRUPAL-SA-CONTRIB-2017-071

Drupal Contributed Security - Wed, 08/30/2017 - 13:10
Description

The H5P module helps create interactive videos, question sets, drag and drop questions, multichoice questions, boardgames, presentations, flashcards and more using Drupal.

The module does not sufficiently filter text prior to printing it back to the page, leading to a Reflected Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that many modern browsers contain protection against some kinds of Reflected XSS vulnerabilities.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • H5P 7.x-1.x versions prior to 7.x-1.32.

Drupal core is not affected. If you do not use the contributed H5P - Create and Share Rich Content and Applications module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the H5P module for Drupal 7.x, upgrade to H5P 7.x-1.32

Also see the H5P - Create and Share Rich Content and Applications project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity


Commerce Invoices - Highly Critical - SQL Injection and Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-070

Drupal Contributed Security - Wed, 08/30/2017 - 13:09
Description

Commerce Invoices allows you to enter an Invoice number, Company name and Amount and it will generate an Invoice that the client can pay on your site using any payment method supported by Drupal commerce.

SQL Injection

The module did not properly use Drupal's database API when querying the database with user supplied values, allowing an attacker to send a specially crafted request to modify the query or potentially perform additional queries.

The vulnerability is mitigated by the fact that the attacker must have the 'access checkout' permission - this permission is commonly granted.

Stored Cross Site Scripting (XSS)

The module did not filter user-supplied text prior to printing that text back to users of the site.

The vulnerability is mitigated by the fact that the attacker must have the 'access checkout' permission - this permission is commonly granted.
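Both defect classes in this advisory, and the reflected XSS in the H5P advisory above, come down to the same two Drupal 7 pitfalls: building SQL by string concatenation instead of using the database API's placeholders, and printing user-supplied text without escaping it on output. The following is an added illustration written for this page; it is not code from Commerce Invoices, H5P or any Drupal project. The function names, the `example_invoices` table and the `invoice_number` / `company` values are hypothetical. Each weak pattern is shown beside the hardened form that uses Drupal 7's own APIs (`db_query()` with named placeholders, `db_select()`, `t()` with `@`-placeholders, which run `check_plain()` for you).

```php
<?php
/**
 * Added illustration for Drupal 7 (hypothetical; not the Commerce Invoices
 * or H5P module code). The {example_invoices} table and its columns are
 * assumed for the example.
 */

// --- SQL, weak form: the pattern the advisory describes ------------------
// Interpolating a request value into the SQL text lets that value alter the
// query. Shown only to make the contrast with the fixed form concrete.
function example_invoice_load_unsafe($invoice_number) {
  $sql = "SELECT * FROM {example_invoices} WHERE invoice_number = '" . $invoice_number . "'";
  return db_query($sql)->fetchAssoc();
}

// --- SQL, hardened: Drupal's database API with named placeholders --------
// The value is handed to the driver separately from the query text, so it is
// always treated as data and never as SQL.
function example_invoice_load($invoice_number) {
  return db_query(
    'SELECT * FROM {example_invoices} WHERE invoice_number = :number',
    array(':number' => $invoice_number)
  )->fetchAssoc();
}

// Equivalent with the query builder; condition() parameterises automatically.
function example_invoice_load_select($invoice_number) {
  return db_select('example_invoices', 'i')
    ->fields('i')
    ->condition('i.invoice_number', $invoice_number)
    ->execute()
    ->fetchAssoc();
}

// --- Output, weak form: stored (or reflected) XSS ------------------------
// The company name was typed in by a user; echoing it raw lets any markup in
// it render in every visitor's browser. Same root cause as the H5P advisory,
// where the echoed value came from the request instead of the database.
function example_invoice_summary_unsafe($invoice) {
  return '<p>Invoice for ' . $invoice['company'] . '</p>';
}

// --- Output, hardened: escape on output ----------------------------------
// t() with an @-placeholder passes the value through check_plain(). Use
// filter_xss() instead only where a limited set of tags is intentionally
// allowed; never trust that input was cleaned on the way in.
function example_invoice_summary($invoice) {
  return '<p>' . t('Invoice for @company', array('@company' => $invoice['company'])) . '</p>';
}

// --- Defensive review helper (hypothetical) ------------------------------
// A heuristic an integrator can run over a module's source to list lines
// where db_query() receives a concatenated or interpolated string literal.
// It is a grep-style aid for code review, not a complete static analysis:
// queries built into a variable first (db_query($sql)) are not flagged.
function example_find_concatenated_queries($php_source) {
  $lines = array();
  $pattern = '/db_query\s*\(\s*["\'][^)]*?(\.\s*\$|\{\$|\$\w)/';
  if (preg_match_all($pattern, $php_source, $matches, PREG_OFFSET_CAPTURE)) {
    foreach ($matches[0] as $match) {
      // Translate the byte offset of the match into a 1-based line number.
      $lines[] = substr_count(substr($php_source, 0, $match[1]), "\n") + 1;
    }
  }
  return $lines;
}
```

Run against a module's `.module` and `.inc` files (for instance from a drush script or a SimpleTest case), `example_find_concatenated_queries()` points a reviewer at the `db_query()` calls to check by hand; a clean result does not prove the module safe, since the helper only sees literal strings passed directly to `db_query()`. The two hardened loaders are interchangeable; `db_select()` is the better fit when conditions are assembled dynamically, because every `condition()` value is parameterised regardless of how the query is built up.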

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All Commerce invoice versions prior to 7.x-1.1

Drupal core is not affected. If you do not use the contributed Commerce Invoices module, there is nothing you need to do.

Solution

Install the latest version:

Special note: the module's strings have changed. Any site that uses Drupal's localization system should review and update the translated strings on the site.

Also see the Commerce Invoices project page.

Reported by Fixed by Coordinated by Updates

A person above was marked as a member of the security team when they were not

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
