Drupal 4.6.10 & 4.7.4 for module maintainers

Heine - October 18, 2006 - 22:45

Drupal 4.6.10 and Drupal 4.7.4 now protect forms by default against cross site request forgeries.

Be sure to read about possible consequences for your 4.6 or 4.7 module.

Offtopic posts will be deleted.

Is there an easy way to find

dvessel - October 19, 2006 - 00:08

Is there an easy way to find out which modules will cause problems? I'll try it out with my test install. Hopefully, it isn't too bad as that could dissuade people from the upgrade and leave them open for attack.

joon


greggles - October 19, 2006 - 00:17

I believe a list of affected modules will be available shortly.

Then hopefully there will be some glorious work in the patch queues to get them fixed and we will all upgrade in happiness.

Greg

--
Growing Venture Solutions
Drupal Implementation and Support in Denver, CO

List

Heine - October 19, 2006 - 22:40

- 4.7 modules with at least one form that may stop working

Blockregion.module
Links_weblink
Location.module
Userplus
Evaluation
Organic groups list manager

- 4.6 modules that define at least one raw html form (via <form action="" etc.); this form (and only this form) may fail validation.

backport
bugbits
chatbox
disknode
ecommerce
evaluation
fitb
formproc
gmap
guestbook
htmlarea
htmltidy
i18n
image_pub
phpbb2drupal
qanda
relationship
securesite
sxip
trip_search
typecheck
vocab
voting

- 4.6 themes that define at least one raw html form. Only this form will fail validation (mostly search).

argeebee
bidi
blix
bluemarine_smarty
box_grey
box_grey_smarty
burnt
connections
democratica
fancy
foundation
friendselectric
gespaa
greenmarinee
gworks
kubrick
leaf
leaf_smarty
leaves
lincolns_revenge
manji
mollio
noprob
Plain1
rdc
reflection
sands
sands_css
slash
slurpee
spreadfirefox

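An added illustration (not Drupal's own code and not from this thread) of the per-form token check that makes the raw html forms above fail validation: a form rendered through a token-aware helper carries a hidden token bound to the user's session and the form, a hand-written <form action=""> has no token field and is rejected. The HMAC scheme, secret and session ids are assumptions for the example.

```php
<?php
// Generic per-form CSRF token scheme written for this illustration; the
// secret and session ids below are constructed values, not a real site's.
$secret     = 'constructed-site-secret';    // would be the site's private key
$session_id = 'constructed-session-abc123'; // would come from the user's session

// Token bound to both the session and a form identifier, so a token issued
// for one form or one user is useless for another.
function form_token($form_id, $session_id, $secret) {
  return hash_hmac('sha256', $session_id . ':' . $form_id, $secret);
}

// Validation: the submitted token must equal the one this session would have
// been given for this form. A missing or mismatched token is rejected.
function form_token_valid($form_id, array $post, $session_id, $secret) {
  if (empty($post['form_token'])) {
    return FALSE;
  }
  return hash_equals(form_token($form_id, $session_id, $secret), $post['form_token']);
}

// A form rendered through the helper gets the hidden token field.
function render_form($form_id, $session_id, $secret) {
  $token = form_token($form_id, $session_id, $secret);
  return '<form method="post" action="">'
       . '<input type="hidden" name="form_token" value="' . $token . '" />'
       . '<input type="submit" value="Save" /></form>';
}

// 1. Submission from the rendered form: token present and matching, accepted.
$good = array('form_token' => form_token('settings_form', $session_id, $secret), 'op' => 'Save');
var_dump(form_token_valid('settings_form', $good, $session_id, $secret));

// 2. Submission from a raw hand-written <form action=""> with no token field,
//    the situation of the modules and themes listed above: rejected.
$raw = array('op' => 'Save');
var_dump(form_token_valid('settings_form', $raw, $session_id, $secret));

// 3. Token that belongs to a different session, which is all a request from
//    another origin can supply: rejected.
$other = array('form_token' => form_token('settings_form', 'constructed-session-other', $secret));
var_dump(form_token_valid('settings_form', $other, $session_id, $secret));

print render_form('settings_form', $session_id, $secret);
```

Case 2 is the one the lists above describe: the form itself still renders, but a submission to a token-checked handler fails validation until the form is rewritten to include the token.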


greggles - October 20, 2006 - 14:22

Motivation: I need to check several sites to see if they are affected by these modules/themes. The list is rather long and I was concerned I would miss one, so I made a little snippet to do the finding work for me.

Below is the snippet of code appropriate for a 4.6 site to see if any of the modules or themes that are affected are enabled OR installed on your site. The 4.7 list is short enough that no snippet seems necessary.

Usage: copy and paste the entire section between and inclusive of the php open and close tags and then paste that into a new node. Select the "PHP code" input format. Then, hit preview on the node and you will see whether the modules are enabled, or just installed but disabled. The printout is a list with enabled modules first.

Known Weaknesses: since it's based upon string matching, it's possible this will not identify some modules if someone is using a different name than the names that are in the list, e.g. using one of the below modules as a base for your custom code. Also, if you have taken a theme, modified it for a site and changed the name, it will not show up in this list but will need updating.

<?php
// Names of the affected 4.6 modules and themes, pre-quoted so they can be
// dropped straight into the SQL IN (...) clause below.
$array_modules_themes = array(
  "'backport'", "'bugbits'", "'chatbox'", "'customerror'", "'disknode'",
  "'ecommerce'", "'evaluation'", "'fckeditor'", "'fitb'", "'formproc'",
  "'gmap'", "'guestbook'", "'htmlarea'", "'htmltidy'", "'i18n'",
  "'image_pub'", "'phpbb2drupal'", "'qanda'", "'relationship'", "'securesite'",
  "'sxip'", "'trip_search'", "'typecheck'", "'vocab'", "'voting'",
  "'argeebee'", "'bidi'", "'blix'", "'bluemarine_smarty'", "'box_grey'",
  "'box_grey_smarty'", "'burnt'", "'connections'", "'democratica'", "'fancy'",
  "'foundation'", "'friendselectric'", "'gespaa'", "'greenmarinee'", "'gworks'",
  "'kubrick'", "'leaf'", "'leaf_smarty'", "'leaves'", "'lincolns_revenge'",
  "'manji'", "'mollio'", "'noprob'", "'Plain1'", "'rdc'",
  "'reflection'", "'sands'", "'sands_css'", "'slash'", "'slurpee'",
  "'spreadfirefox'",
);

// Look up every installed module or theme whose name is on the list.
// ORDER BY status DESC puts enabled (status = 1) entries first.
$sql = 'SELECT name, type, status FROM {system} WHERE name IN ('. implode(',', $array_modules_themes) .') ORDER BY status DESC';
$result = db_query($sql);

while ($value = db_fetch_object($result)) {
  if ($value->status == 1) {
    print '<li><strong><em>'. $value->name .' type: '. $value->type .' status: enabled</em></strong></li>';
  }
  else {
    print '<li>'. $value->name .' type: '. $value->type .' status: installed but disabled</li>';
  }
}
?>

Thank you for the list

dvessel - October 20, 2006 - 14:48

Thank you for the list Heine. Using 4.7 here. Thank goodness the list is short. Didn't run into any problems. :)

Greggles, you think that would be a good candidate for a handbook entry? Support for 4.6 will die down and some of those modules could linger on without an update.

joon

How to fix a module

spatz4000 - October 20, 2006 - 20:34

I have the trip_search module installed. Searching still works for my site though. Do I need to do anything with trip_search?

simpletest also stops

elmuerte - October 21, 2006 - 08:42

simpletest also stops working with 4.7.4

--
Magicball Network -- Little Big Adventure community
vbDrupal [developer]

userplus has been updated

marcp - October 22, 2006 - 04:35

Userplus has been updated for 4.7.4.
-------
http://www.funnymonkey.com
Tools for Teachers

customerror should not have an issue

kbahey - October 22, 2006 - 22:30

customerror should not have an issue.

All it uses forms for is for the settings page, and there is no raw HTML forms there.
--
Drupal development and customization: 2bits.com
Personal: Baheyeldin.com

Thanks folks, was holding

goose2000 - October 23, 2006 - 17:48

Thanks folks, was holding off until something like this was posted.
Has the list been updated since 10/19? 4.7 seems to have few
affected modules and no core theme problems?

John

search.module in 4.6.10 also fails

plj - November 9, 2006 - 12:29

I just provided a patch for that.
