Web Design and Development

Drupal 8.x core release on Monday -- PSA-2016-002

Drupal - Sun, 07/17/2016 - 09:54
  • Advisory ID: DRUPAL-PSA-2016-002
  • Project: Drupal
  • Version: 8.x
  • Date: 2016-July-17
  • Security risk: TBD
  • Vulnerability: TBD

We will be doing a Drupal 8 core patch release on Monday, July 18th. This will occur between 14:15 UTC and 19:00 UTC.

There will not be a Drupal 7 release during this window.

Why is this release being issued?

The Drupal security team has learned that a third-party Drupal 8 dependency will be making a security release on Monday, July 18th, and accordingly we will be making a Drupal 8 release soon after. We will not disclose details of the third-party update in advance of that release and cannot respond to requests for further information. This security release is for the dependency only and does not affect Drupal 7 sites. Other mitigating factors will be included with our published SA.

What about the regularly scheduled release window on Wednesday, July 20?

We are moving the regularly scheduled window two days earlier to provide the third-party dependency update, so this replaces that window.

There will not be another core release on Wednesday, July 20th.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 8.x

What’s new on Drupal.org? - June 2016

Drupal - Fri, 07/15/2016 - 08:20

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

In June the Drupal Association had our annual staff retreat, where the remote team members joined the Portland, OR team for a three day retreat. This year's retreat was particularly important as we found our feet as a smaller, leaner team, and focused on our organizational roadmap for the next twelve months.

For the engineering team in particular, our focus will be on maintaining the critical systems that make the project successful: issue queues, updates, testing, packaging, etc., while at the same time finding new ways to support and enable Drupal's evolution.

These were some heady days, but even as we worked through the best ways to continue serving the Drupal community on a strategic level in June, we also found the time to keep making Drupal.org a better home.

Drupal.org updates Documentation Migration

A long running initiative this year has been the creation of a new Documentation system for Drupal.org, a topic we've touched on in many prior updates as it has begun to come online. We are very happy to say that we are moving to the next stage of the documentation project: moving from development to migration.

In June tvn recruited several volunteers to join our documentation migration team, and to become some of the first maintainers for the new Documentation Guides. General documentation, such as Understanding Drupal, Structure Guide, etc. will be migrated first. Documentation for contributed projects will follow in the coming weeks.

Maintainers of contributed projects, who currently have their documentation on Drupal.org, will be added as maintainers to respective documentation guides and are encouraged to clean/tidy up their documentation post-migration.

if you are interested in helping, or sign up as a maintainer for some of the new documentation guides.

Composer Repositories are now in Beta

Drupal.org's Composer repositories allow developers building sites with Drupal to use the Composer command line tool for dependency management. In June we collected feedback from a variety of users, as well as the community volunteers who assisted us with the Composer Community Initiative.

We spent the month iterating quickly on the alpha implementation: fixing bugs and rebuilding the meta data to ensure that users get consistent and expected results. Because of those fixes, and after gathering yet more feedback from the community, we were able to move the Drupal.org Composer repositories to beta.

We encourage you to begin transitioning your Composer-based workflows to use Drupal.org's Composer facade. Package names are stable, and downtimes will be planned and announced. For more information on how to use Drupal.org's Composer repositories, read our documentation.

Better issue credit tools for maintainers

The Drupal.org issue credit system is a unique innovation of our community. By allowing users to attribute their contributions as volunteers, to their employers, or to client customers, we have an insight into the contribution ecosystem for Drupal that is unparalleled among open source projects. We've also already seen the impact of incentivizing organizations to give back to Drupal, by using the credit system as the basis for organization rankings in the marketplace.

In June we added two new tools for maintainers to improve how they grant credit to users. Firstly, maintainers can now deselect the automatic credit attribution for users who have submitted patches. This change was important to prevent gaming the credit system. Secondly, we've given the maintainers the ability to credit users who have not commented in the issue. Whether that help was provided in IRC, Slack, on a video call, or in a sprint room, maintainers can now ensure that those users who helped resolve an issue receive credit for their contributions. Any user who is credited this way can edit their credit attribution if they want to extend that attribution to a supporting organization or customer.

Friendly path aliases for release nodes

We also made a relatively small change that will have a big impact. Pathauto is now enabled for project releases, so for any project a specific release can now be found at:
And you can also find a list of all the releases for a project at:

Take, for example, the Token module:

You can find the complete index of releases for this project at: https://www.drupal.org/project/token/releases and individual releases now have friendly urls, like this one: https://www.drupal.org/project/token/releases/8.x-1.0-alpha2

Spam Fighting Improvements

Fighting spam on Drupal.org is a never-ending battle, but in June we deployed a refinement to our spam fighting tools that helps us find patterns in registration behavior and prevent spam registrations before they've even started. After flipping on our latest iteration of this spam fighting tool we saw an immediate and dramatic drop-off in suspicious account registrations. With the additional data we've been able to collect we already see ways to improve this even further, so we hope to continue to make Drupal.org a cleaner home for the community.

Highlighting Supporting Technologies

Drupal is many things to many different people, but one central function of Drupal is to be the hub of interconnected and complementary technologies. Several of the companies that build these technologies have chosen to support the Drupal project by becoming supporters. To better highlight some of these supporting technologies that work well with Drupal, we've added a supporting technologies listing to the marketplace.

Sustaining support and maintenance

DrupalCon

DrupalCon Dublin is coming up soon, from September 26 - 30th. This year we smashed all our previous records for session submissions, and the caliber of speakers and topics is higher than ever before.

In June we opened registration for the event. We encourage you to buy your tickets now! Early bird registration will end soon.


Infrastructure is the bedrock of Drupal.org - and we're continuing to tune the infrastructure for efficiency, economy, and performance. Alongside the launch of registration for DrupalCon Dublin, we implemented APDQC to improve the performance of the Events website under heavy load.

We've also been upgrading our configuration management from Puppet 3 to Puppet 4, and continuing to standardize our configuration across all of our environments to make our infrastructure durable, consistent, and portable.


As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects.

If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association.

Follow us on Twitter for regular updates: @drupal_org, @drupal_infra

Drupal contrib - Highly Critical - Remote code execution PSA-2016-001

Drupal - Tue, 07/12/2016 - 08:18

There will be multiple releases of Drupal contributed modules on Wednesday July 13th 2016 16:00 UTC that will fix highly critical remote code execution vulnerabilities (risk scores up to 22/25). The Drupal Security Team urges you to reserve time for module updates at that time because exploits are expected to be developed within hours/days. Release announcements will appear at the standard announcement locations.

Drupal core is not affected. Not all sites will be affected. You should review the published advisories on July 13th 2016 to see if any modules you use are affected.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Drupal 7.50 released

Drupal - Thu, 07/07/2016 - 11:28

Drupal 7.50, the next release in the Drupal 7 series, is now available for download. It contains a variety of new features, improvements, and bug fixes (no security fixes).

Wait... Drupal 7.50?

Yes, there is a version jump compared to the previous 7.44 release; this is to indicate that this Drupal 7 point release is a bit larger than past ones and makes a few more changes and new features available than normal.

Updating your existing Drupal 7 sites is recommended. Backwards compatibility is still being maintained, although read on to find out about a couple of changes that might need your attention during the update.

Download Drupal 7.50

Notable changes

There are a variety of new features, performance improvements, security-related enhancements (although no fixes for direct security vulnerabilities) and other notable changes in this release. The release notes provide a comprehensive list, but here are some highlights.

New "administer fields" permission added for trusted users

The administrative interface for adding and configuring fields has always been something that only trusted users should have access to. To make that easier, there is now a dedicated permission which is required (in addition to other existing administrative permissions) to be able to access the field UI.

For example, you can now assign the "administer taxonomy" permission (but withhold the new "administer fields" permission) to allow low-level administrators to manage taxonomy terms but not change the field structure. Read the change record for more information.

Protection against clickjacking enabled by default

Clickjacking is a technique a malicious site owner can use to attempt attacks on other sites, by embedding the victim's site into an iframe on their own site.

To stop this, Drupal will now prevent your site from being embedded in an iframe on another domain. This is the default behavior, but it can be adjusted if necessary; see the change record to find out more.
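As an added example (not Drupal's own code), here is a check that tells whether a response's headers stop other origins from framing it. Drupal 7.50 sends X-Frame-Options: SAMEORIGIN on its HTML responses by default; the two header sets below are constructed to stand in for a pre-7.50 site and a 7.50 site, and the CSP frame-ancestors handling goes beyond what the text describes.

```python
"""Does a response block cross-origin framing (clickjacking)?

Added example, not Drupal's own code. Drupal 7.50 sends
"X-Frame-Options: SAMEORIGIN" on its HTML responses by default; the two
responses below are constructed to stand in for a pre-7.50 and a 7.50 site.
"""
from typing import Dict, List, Optional, Tuple

Headers = Dict[str, List[str]]  # header name -> every value sent

# Constructed sample responses, not captured from a real site.
PRE_750_RESPONSE: Headers = {
    "Content-Type": ["text/html; charset=utf-8"],
    "X-Generator": ["Drupal 7 (http://drupal.org)"],
}
DEFAULT_750_RESPONSE: Headers = {
    "Content-Type": ["text/html; charset=utf-8"],
    "X-Generator": ["Drupal 7 (http://drupal.org)"],
    "X-Frame-Options": ["SAMEORIGIN"],
}


def _values(headers: Headers, name: str) -> List[str]:
    """Case-insensitive lookup returning every value of a header."""
    name = name.lower()
    return [v for k, vs in headers.items() if k.lower() == name for v in vs]


def frame_ancestors(headers: Headers) -> Optional[List[str]]:
    """Source list of the CSP frame-ancestors directive, or None if absent."""
    for policy in _values(headers, "Content-Security-Policy"):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return [p.strip("'").lower() for p in parts[1:]]
    return None


def assess_framing(headers: Headers) -> Tuple[bool, str]:
    """Return (protected, reason) for a response's framing policy.

    frame-ancestors is checked first because browsers that support it let
    it override X-Frame-Options; X-Frame-Options is the fallback Drupal 7.50
    relies on and is honoured by older browsers as well.
    """
    ancestors = frame_ancestors(headers)
    if ancestors is not None:
        if all(a in ("none", "self") for a in ancestors):
            return True, "CSP frame-ancestors " + (" ".join(ancestors) or "(empty)")
        return False, "CSP frame-ancestors admits other origins: %s" % ancestors
    values = {v.strip().upper() for v in _values(headers, "X-Frame-Options")}
    if not values:
        return False, "no X-Frame-Options or frame-ancestors (pre-7.50 default)"
    if len(values) > 1:
        return False, "multiple differing X-Frame-Options values; send exactly one"
    value = values.pop()
    if value in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + value
    if value.startswith("ALLOW-FROM"):
        return False, "ALLOW-FROM is obsolete and ignored by current browsers"
    return False, "unrecognised X-Frame-Options value %r" % value


if __name__ == "__main__":
    for label, response in (("pre-7.50", PRE_750_RESPONSE),
                            ("7.50 default", DEFAULT_750_RESPONSE)):
        protected, reason = assess_framing(response)
        print("%-12s %s (%s)" % (label, "protected" if protected else "EXPOSED", reason))
```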

Support for full UTF-8 (emojis, Asian symbols, mathematical symbols) is now possible on MySQL

If content creators on your site have been clamoring to use emojis, it's now possible on Drupal sites running MySQL (it was previously possible on PostgreSQL and SQLite). Turning this capability on requires the database to meet certain requirements, plus editing the site's settings.php file and potentially other steps, as described in the change record.

Improved support for recent PHP versions, including PHP 7

Drupal core's automated test suite is now fully passing on a variety of environments where there were previously some failures (PHP 5.4, 5.5, 5.6, and 7). We have also fixed several bugs affecting those versions. These PHP versions are officially supported by Drupal 7 and recommended for use where possible.

Because PHP 7 is the newest release (and not yet used on many production sites) extra care should still be taken with it, and there are some known bugs, especially in contributed modules (see the discussion for more details). However anecdotal evidence from a variety of users suggests that Drupal 7 can be successfully used on PHP 7, both before and after the 7.50 release.

Improved performance (and new PHP warnings) when Drupal is trying to find a file that does not exist

When Drupal cannot find a file that it expects to be in the filesystem, it will no longer continually search for it on a large number of page requests (previously, this could significantly hurt your site's performance). Instead, it will record a PHP warning about the problem.

Read the change record for more information, and make sure your production site is not configured to show warning messages like this on the screen, since it is not desirable for site visitors to see them. (In order to configure this, go to "Administration" → "Configuration" → "Development" → "Logging and errors" and set the "Error messages to display" option to "None".)

Improvements to help search engines index your site's images/CSS/JavaScript

Modern search engine web crawlers read images, CSS and JavaScript (just like a regular web browser) when crawling a site, and they use this information to improve search results.

Drupal's default robots.txt file now includes rules to allow search engines to access more of these files than it previously allowed them to, which may help certain search engines better index your site. See the change record for additional details.

More information
  • You can find the full list of changes between the previous 7.44 release and the current 7.50 release by reading the 7.50 release notes.
  • Also see the release notes for additional update information and known issues discovered after the release.
  • You can find a complete list of all changes in the stable 7.x branch in the git commit log.
  • Translators should be aware of a few administrative-facing translatable string changes and additions in this release.
Security information

Future releases
  • Drupal 7 is being actively maintained, so more maintenance releases will be made available, according to our monthly release cycle.
  • We will consider continuing to do larger Drupal 7 releases like this one every six months or so (where the next larger release will be 7.60, in keeping with Drupal's new release cycle) if there is interest and continued contributions from the community. See the ongoing discussion for further details.
New Drupal 7 co-maintainers

In case you missed the news earlier, we recently added two new Drupal 7 co-maintainers: Fabianx (@fabianfranz) and stefan.r (@stefan_arrr)! Despite only having been official maintainers for the past two weeks, they put in an enormous amount of effort and skill into Drupal 7.50, which was essential in getting it out the door with all the improvements mentioned above.


Overall, 230 people were credited with helping to fix issues included in this release:

akoepke, alanburke, Alan D., alberto56, Albert Volkman, alexmoreno, alexpott, amontero, andypost, ar-jan, arosboro, askibinski, attiks, basvredeling, beejeebus, benjy, Berdir, bmateus, borisson_, botris, bradjones1, brianV, broeker, c960657, Carsten Müller, catch, checker, chintan.vyas, chirhotec, Christian DeLoach, ChristophWeber, chx, cilefen, ciss, ckng, colinmccabe, corbacho, criz, cspitzlay, cwoky, dagmar, DamienMcKenna, damien_vancouver, darol100, Darren Oh, das-peter, Dave Reid, davic, david_garcia, David_Rothstein, dawehner, dcam, DerekL, donutdan4114, droplet, DuaelFr, e._s, eesquibel, eiriksm, Elijah Lynn, emcniece, Eric_A, EvanSchisler, ExTexan, Fabianx, felribeiro, fgm, fietserwin, forestgardener, gcardinal, geerlingguy, gielfeldt, Girish-jerk, greggles, GrigoriuNicolae, Gábor Hojtsy, hass, Henrik Opel, heyyo, hgoto, hussainweb, idebr, ifrik, imanol.eguskiza, IRuslan, izaaksom, jackbravo, jacob.embree, jbekker, jbeuckm, jduhls, jenlampton, jeroen.b, jhodgdon, jibran, joachim, joegraduate, joelpittet, johnpicozzi, joseph.olstad, joshtaylor, Josh Waihi, jp.stacey, jsacksick, jthorson, JvE, jweowu, kala4ek, Kars-T, Ken Ficara, kenorb, kevinquillen, Kgaut, KhaledBlah, klausi, klokie, kristiaanvandeneynde, kristofferwiklund, ksenzee, k_zoltan, leschekfm, Liam Morland, lOggOl, lokapujya, Lowell, lucastockmann, Lukas von Blarer, maciej.zgadzaj, marcelovani, mariagwyn, Mark Theunissen, marvin_B8, maximpodorov, mayaz17, MegaChriz, mfb, mgifford, micaelamenara, mikeytown2, Mile23, mimran, minax.de, miro_dietiker, mistermoper, Mixologic, mohit_aghera, mondrake, mpv, mr.baileys, MustangGB, Neograph734, nevergone, nicholas.alipaz, nicrodgers, NikitaJain, nithinkolekar, nod_, Noe_, onelittleant, opdavies, orbmantell, oriol_e9g, ParisLiakos, pashupathi nath gajawada, Peacog, Perignon, Peter Bex, peterpoe, pfrenssen, PieterDC, pietmarcus, pjcdawkins, pjonckiere, Polonium, pounard, presleyd, pwaterz, pwolanin, rafaolf, rbmboogie, realityloop, rhclayto, rocketeerbkw, rpayanm, rupertj, Sagar Ramgade, sanduhrs, scor, scottalan, scuba_fly, sdstyles, snehi, soaratul, SocialNicheGuru, Spleshka, stefan.r, stovak, sun, Sutharsan, svanou, Sweetchuck, swentel, sylus, s_leu, tadityar, talhaparacha, tatisilva, tbradbury, therealssj, travelvc, TravisCarden, TravisJohnston, treyhunner, tsphethean, tstoeckler, tucho, tuutti, twistor, TwoD, typhonius, vasi1186, Wim Leers, Xano, xjm, yannickoo, yched, YesCT, zaporylie, Zerdiox, and znerol.

(This list was auto-generated, so apologies if anyone was left out.)

Your name could be on a list like this in the future; see the Ways to get involved page to find out how.

Thank you to everyone who helped with Drupal 7.50!

A roadmap for making Drupal more API-first

Drupal - Thu, 07/07/2016 - 07:06

Republished from buytaert.net

In one of my recent blog posts, I articulated a vision for the future of Drupal's web services, and at DrupalCon New Orleans, I announced the API-first initiative for Drupal 8. I believe that there is considerable momentum behind driving the web services initiative. As such, I want to provide a progress report, highlight some of the key people driving the work, and map the proposed vision from the previous blog post onto a rough timeline.

Here is a bird's-eye view of the plan for the next twelve months:

  • 8.2 (Q4 2016): New REST API capabilities; Waterwheel initial release
  • 8.3 (Q2 2017): New REST API capabilities; JSON API module
  • Beyond 8.3 (2017+): New REST API capabilities; GraphQL module?; Entity graph iterator?

Wim Leers (Acquia) and Daniel Wehner (Chapter Three) have produced a comprehensive list of the top priorities for the REST module. We're introducing significant REST API advancements in Drupal 8.2 and 8.3 in order to improve the developer experience and extend the capabilities of the REST API. We've been focused on configuration entity support, simplified REST configuration, translation and file upload support, pagination, and last but not least, support for user login, logout and registration. All this work starts to address differences between core's REST module and various contributed modules like Services and RELAXed Web Services. More details are available in my previous blog post.

Many thanks to Wim Leers (Acquia), Daniel Wehner (Chapter Three), Ted Bowman (Acquia), Alex Pott (Chapter Three), and others for their work on Drupal core's REST modules. Though there is considerable momentum behind efforts in core, we could always benefit from new contributors. Please consider taking a look at the REST module issue queue to help!

Waterwheel initial release

As I mentioned in my previous post, there has been exciting work surrounding Waterwheel, an SDK for JavaScript developers building Drupal-backed applications. If you want to build decoupled applications using a JavaScript framework (e.g. Angular, Ember, React, etc.) that use Drupal as a content repository, stay tuned for Waterwheel's initial release later this year.

Waterwheel aims to facilitate the construction of JavaScript applications that communicate with Drupal. Waterwheel's JavaScript library allows JavaScript developers to work with Drupal without needing deep knowledge of how requests should be authenticated against Drupal, what request headers should be included, and how responses are molded into particular data structures.

The Waterwheel Drupal module adds a new endpoint to Drupal's REST API allowing Waterwheel to discover entity resources and their fields. In other words, Waterwheel intelligently discovers and seamlessly integrates with the content model defined on any particular Drupal 8 site.

A wider ecosystem around Waterwheel is starting to grow as well. Gabe Sullice, creator of the Entity Query API module, has contributed an integration of Waterwheel which opens the door to features such as sorts, conditions and ranges. The Waterwheel team welcomes early adopters as well as those working on other REST modules such as JSON API and RELAXed or using native HTTP clients in JavaScript frameworks to add their own integrations to the mix.

Waterwheel is currently the work of Matt Grill (Acquia) and Preston So (Acquia), who are developing the JavaScript library, and Ted Bowman (Acquia), who is working on the Drupal module.

JSON API module

In conjunction with the ongoing efforts in core REST, parallel work is under way to build a JSON API module that embraces the JSON API specification. JSON API is a particular implementation of REST that provides conventions for resource relationships, collections, filters, pagination, and sorting, in addition to error handling and full test coverage. These conventions help developers build clients faster and encourage reuse of code.

Thanks to Mateu Aguiló Bosch, Ed Faulkner and Gabe Sullice, who are spearheading the JSON API module work. The module could be ready for production use by the end of this year and included as an experimental module in core by 8.3. Contributors to JSON API are meeting weekly to discuss progress moving forward.

Beyond 8.3: GraphQL and entity graph iterator

While these other milestones are either certain or in the works, there are other projects gathering steam. Chief among these is GraphQL, which is a query language I highlighted in my Barcelona keynote and allows for clients to tailor the responses they receive based on the structure of the requests they issue.

One of the primary outcomes of the New Orleans web services discussion was the importance of a unified approach to iterating Drupal's entity graph; both GraphQL and JSON API require such an "entity graph iterator." Though much of this is still speculative and needs greater refinement, eventually, such an "entity graph iterator" could enable other functionality such as editable API responses (e.g. aliases for custom field names and timestamp formatters) and a unified versioning strategy for web services. However, more help is needed to keep making progress, and in absence of additional contributors, we do not believe this will land in Drupal until after 8.3.

Thanks to Sebastian Siemssen, who has been leading the effort around this work, which is currently available on GitHub.

Validating our work and getting involved

In order to validate all of the progress we've made, we need developers everywhere to test and experiment with what we're producing. This means stretching the limits of our core REST offerings, trying out JSON API for your own Drupal-backed applications, reporting issues and bugs as you encounter them, and participating in the discussions surrounding this exciting vision. Together, we can build towards a first-class API-first Drupal.

Special thanks to Preston So for contributions to this blog post and to Wim Leers for feedback during its writing.