Drupal Warns of New Remote-Code Bug, the Second in Four Weeks (arstechnica.com)
For the second time in a month, websites that use the Drupal content management system are confronted with a stark choice: install a critical update or risk having your servers infected with ransomware or other nasties. From a report: Maintainers of the open-source CMS built on the PHP programming language released an update patching a critical remote-code vulnerability on Wednesday. The bug, formally indexed as CVE-2018-7602, exists within multiple subsystems of Drupal 7.x and 8.x. Drupal maintainers didn't provide details on how the vulnerability can be exploited other than to say attacks work remotely. The maintainers rated the vulnerability "critical" and urged websites to patch it as soon as possible.
Why don't developers just write code that doesn't have security holes in it?
Presumably because they can't. It's time we started programming computer resource sandboxes into every application by default.
Linux, Mac, and Windows all have things for this. Macs have a dtrace-based sandbox that can be per application or per process.
Sandboxes can specify what a process and all child processes can do at the computer resource level. Can they get on the network? Can they access the file system? What files can they access? Do they have write permission? How much memory can they use? How much CPU? And so on.
If we always launched processes with these clamped down, a lot of security holes would not be exploitable. Why is it these are largely unused?
Some drink at the fountain of knowledge. Others just gargle.
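As an added example that is not part of any comment in this thread, the following Python sketch shows the kind of per-process clamping the comment above describes, using POSIX resource limits applied between fork() and exec() so they bind the child and everything it spawns. It assumes Linux (RLIMIT_AS is not enforced the same way on every platform) and covers only the memory, CPU and open-file items from the commenter's list; network and filesystem confinement need a separate mechanism such as seccomp, namespaces or a MAC profile, which this example does not attempt. The child commands and the limit values are constructed for the demonstration.

```python
import resource
import signal
import subprocess
import sys


def _apply_limits(max_mem_bytes, max_cpu_seconds, max_open_files):
    """Return a callable that clamps the calling process's resource limits.

    subprocess runs it in the child after fork() and before exec(), so the
    limits apply to the sandboxed program and its descendants, not the parent.
    Limits are inherited across fork() and exec(), and an unprivileged process
    can only lower its hard limits, so the child cannot undo them.
    """
    def apply():
        # Address-space cap: allocations beyond it fail with ENOMEM instead of growing.
        resource.setrlimit(resource.RLIMIT_AS, (max_mem_bytes, max_mem_bytes))
        # CPU-time cap: the kernel sends SIGXCPU at the soft limit and SIGKILL at
        # the hard limit; keeping hard > soft makes the signal deterministic.
        resource.setrlimit(resource.RLIMIT_CPU, (max_cpu_seconds, max_cpu_seconds + 1))
        # File-descriptor cap: bounds how many files and sockets can be open at once.
        resource.setrlimit(resource.RLIMIT_NOFILE, (max_open_files, max_open_files))
    return apply


def run_sandboxed(argv, max_mem_bytes=512 * 1024 * 1024, max_cpu_seconds=1,
                  max_open_files=64):
    """Run argv under the given rlimits and return (returncode, stderr_text).

    A negative return code means the child was killed by that signal number.
    """
    proc = subprocess.run(
        argv,
        preexec_fn=_apply_limits(max_mem_bytes, max_cpu_seconds, max_open_files),
        capture_output=True,
        text=True,
        timeout=30,  # wall-clock backstop; RLIMIT_CPU only counts CPU time
    )
    return proc.returncode, proc.stderr


def python_child(code):
    """argv for a child interpreter running a constructed one-liner."""
    return [sys.executable, "-c", code]


# Exit status subprocess reports when the child dies from the CPU limit.
KILLED_BY_CPU_LIMIT = -signal.SIGXCPU


def demo_within_limits():
    """A well-behaved child runs to completion; expected return code 0."""
    return run_sandboxed(python_child("print('ok')"))[0]


def demo_memory_hog():
    """A child asking for 4 GiB under a 512 MiB cap dies with MemoryError (exit 1)."""
    return run_sandboxed(python_child("bytearray(4 << 30)"),
                         max_mem_bytes=512 * 1024 * 1024)


def demo_cpu_hog():
    """A child spinning forever is killed by SIGXCPU after one CPU-second."""
    return run_sandboxed(python_child("while True: pass"), max_cpu_seconds=1)[0]


if __name__ == "__main__":
    print("normal child exit code:", demo_within_limits())
    rc, err = demo_memory_hog()
    print("memory hog exit code:", rc, "| stderr tail:", err.strip().splitlines()[-1])
    print("cpu hog exit code:", demo_cpu_hog(), "(SIGXCPU is", signal.SIGXCPU, ")")
```

The point of the shape is that the limits are set by the launcher, not by the program being launched: a PHP worker or any other process started this way keeps the caps even after it is compromised, because lowering rlimits is one-way for an unprivileged process.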
Oh, stop.
The problem is not with the Code of Conduct. The problem is with an aging codeset pretending to be up to the challenges of 2018.
The people who developed Drupal and made it a thing worth using left the building a long time ago. The people who maintain it now are trying to shoehorn Symfony into their API / hook system while also implementing RESTful web services, upgrading legacy modules, modernizing the test framework, working out issues with the templating system, coming up with a decent migration system that doesn't rely on the command line, removing workflow dependencies on Composer, implementing a React-based admin interface, etc.
Doing too much all at once doesn't leave them with the time to do much right.
This is all happening while the number of actual committers has dropped by over 70% in the past five years. WordPress outnumbers Drupal installs 30 to 1. Organizations that traditionally used Drupal as a lightweight content management system are finding it takes heavily customized work to upgrade their websites. ECM customers are finding Drupal lacks governance features that are absolutely necessary to operate multiple digital properties, making it a cheap alternative to a real platform.
Losing your developer base while alienating the people who championed your system in order to pursue the enterprise is terrible for the entire ecosystem.
Just look at the videos from the most recent Drupalcon. The sessions are all over the place; there's one about using Drupal to build video games. Anyone who chooses to use Drupal as a video game platform should be fired, considering the number of other reliable platforms that are available. But it's right there: the community is pushing bad advice on people for how to run their digital enterprise.
Pretending your platform is suitable for use in domains that are well-served by better solutions is a bad idea. Highlighting this sham as an example of the possibilities at your major marketing events is off-the-charts dishonest.
Sure, with all this upheaval, it's natural for a group of volunteer coders to point fingers and blame other people. They're only human.
Every problem with Drupal can be traced back to a failure to prioritize, an incompetent Core development team trying to pass themselves off as experts based on the achievements of others, and sham marketing. The Code of Conduct is just an expression of these other problems. TBH, it's funny watching them flail.