Feed aggregator

KnackForge: How to update Drupal 8 core?

Drupal Planet -

How to update Drupal 8 core?

Let's see how to update your Drupal site between 8.x.x minor and patch versions. For example, from 8.1.2 to 8.1.3, or from 8.3.5 to 8.4.0. I hope this will help you.

  • If you are upgrading to Drupal version x.y.z:

           x is the major version number

           y is the minor version number

           z is the patch version number.

Sat, 03/24/2018 - 10:31

qed42.com: Securing Cookie for 3rd Party Identity Management in Drupal

Drupal Planet -

Securing Cookie for 3rd Party Identity Management in Drupal

We are in an era where we see a lot of third-party integrations being done in projects. In Drupal-based projects, cookie management is done by Drupal itself to maintain the session, whether it is a pure Drupal project or a decoupled Drupal project.

But what about the scenario where the user's information is managed by a third-party service and no user information is saved in Drupal, and authentication is also done via some other third-party service? How can we manage the cookie in this case to run our site session and also keep it secure?

One way is to set and maintain the cookie on our own. In this case, our users will be anonymous to Drupal, so we keep the session running based on the cookie. The user information will be stored in the cookie itself, which can then be validated when a request is made to Drupal.

PHP has a function called setcookie(), which we can use to create and destroy cookies. So the flow will be: a login request made to the website is verified via a third-party service, and then we call setcookie() with a cookie containing the user information. But securing the cookie is a must, so how do we do that?

For this, let's refer to the Bakery module to see how it does it. It contains functions for encrypting the cookie, setting it and validating it.

To achieve this in Drupal 8, we will write a helper class, say UserCookie.php, and place it in {modulename}/src/Helper/. Our cookie helper class will contain static methods for setting and validating the cookie; static, so that we can call them from anywhere.

We will have to encrypt the cookie before setting it, so we will use the openssl_encrypt() PHP function in the following manner:

// At the top of UserCookie.php, next to the namespace declaration.
use Drupal\Core\Site\Settings;

/**
 * Encrypts given cookie data.
 *
 * @param string $cookieData
 *   Serialized cookie data for encryption.
 *
 * @return string
 *   Encrypted cookie.
 */
private static function encryptCookie($cookieData) {
  // Derive a 32-byte key from the configured secret. The third argument asks
  // for raw binary output; without it openssl_digest() returns a 64-character
  // hex string, which is too long for aes-256-cbc.
  $key = openssl_digest(Settings::get('SOME_COOKIE_KEY'), 'sha256', TRUE);
  // Create a random initialization vector to be used for encryption.
  $iv = openssl_random_pseudo_bytes(16);
  // Encrypt the initialization vector together with the cookie data. Because
  // CBC chains blocks, the first ciphertext block can later serve as the IV
  // for decrypting the remaining blocks, so the IV need not be stored apart.
  $encryptedCookie = openssl_encrypt($iv . $cookieData, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
  // Add a signature to the cookie (64 hex characters).
  $signature = hash_hmac('sha256', $encryptedCookie, $key);
  // Encode signature and cookie together.
  return base64_encode($signature . $encryptedCookie);
}
  1. The string parameter passed to openssl_digest() can be replaced with any string you feel like using as the key. You can keep a simple keyword too.
  2. The same key must be used when decrypting the data.
  3. The same initialization vector will be needed while decrypting the data, so to be able to retrieve it we put it in front of the cookie data string.
  4. We also add a signature, generated using the same key as above. We will verify this signature while validating the cookie.
  5. Finally, we encode both the signature and the encrypted cookie data together.

For setting the cookie:

/**
 * Set cookie using user data.
 *
 * @param string $name
 *   Name of cookie to store.
 * @param mixed $data
 *   Data to store in cookie.
 */
public static function setCookie($name, $data) {
  // Arrays are serialized to JSON before encryption.
  $data = is_array($data) ? json_encode($data) : $data;
  $data = self::encryptCookie($data);
  setcookie($name, $data, Settings::get('SOME_DEFAULT_COOKIE_EXPIRE_TIME'), '/');
}

Note: You can keep 'SOME_COOKIE_KEY' and 'SOME_DEFAULT_COOKIE_EXPIRE_TIME' in your settings.php; Settings::get() will fetch them for you.
Tip: You can also append the cookie's expiration time to the encrypted data itself, so that you can verify it at decryption time as well. This stops anyone from extending the session by manually changing the cookie's expiry.

Congrats! We have successfully encrypted the user data and set it into a cookie.

Now let’s see how we can decrypt and validate the same cookie.

To decrypt the cookie:

/**
 * Decrypts the given cookie data.
 *
 * @param string $cookieData
 *   Encrypted cookie data.
 *
 * @return bool|string
 *   The decrypted data, or FALSE if the retrieved signature doesn't match
 *   or the data cannot be decrypted.
 */
public static function decryptCookie($cookieData) {
  // Create the same key that was used while encrypting.
  $key = openssl_digest(Settings::get('SOME_COOKIE_KEY'), 'sha256', TRUE);
  // Reverse the base64 encoding of $cookieData (strict mode rejects junk).
  $cookieData = base64_decode($cookieData, TRUE);
  // A 64-character signature plus at least two cipher blocks must be present.
  if ($cookieData === FALSE || strlen($cookieData) < 64 + 32) {
    return FALSE;
  }
  // Extract signature from cookie data.
  $signature = substr($cookieData, 0, 64);
  // Extract data without signature.
  $encryptedData = substr($cookieData, 64);
  // Signature should match for verification of data. hash_equals() compares
  // in constant time, so the comparison itself leaks nothing about the value.
  if (!hash_equals(hash_hmac('sha256', $encryptedData, $key), $signature)) {
    return FALSE;
  }
  // The first ciphertext block holds the encrypted initialization vector; in
  // CBC mode it is exactly the IV needed to decrypt the blocks that follow.
  $iv = substr($encryptedData, 0, 16);
  // Extract main encrypted string data which contains profile details.
  $encrypted = substr($encryptedData, 16);
  // Decrypt the data using key and initialization vector extracted above.
  return openssl_decrypt($encrypted, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
}
  1. We generate the same key using the same string parameter given during encryption.
  2. Then we reverse the base64 encoding, as we need to extract the signature to verify it.
  3. We generate the same signature again, since we use the same key that was used to create the signature during encryption. If the signatures don't match, validation fails!
  4. Otherwise, we extract the initialization vector from the encrypted data and use it to decrypt the data, which is returned to be utilized.
To validate the cookie:

/**
 * Validates cookie.
 *
 * @param string $cookie
 *   Name of cookie.
 *
 * @return bool
 *   TRUE or FALSE based on cookie validation.
 */
public static function validateCookie($cookie) {
  if (!isset($_COOKIE[$cookie])) {
    return FALSE;
  }
  return self::decryptCookie($_COOKIE[$cookie]) !== FALSE;
}

We can verify the cookie on requests made to the website to maintain our session. You can implement a function that expires the cookie to simulate user logout. We can also use the decrypted user data from the cookie to serve user-related pages.
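As an added, stand-alone example (not code from the qed42 post, the Bakery module or Drupal), the following script implements the tip above: the expiry is sealed inside the encrypted and signed payload, so changing the browser-side cookie lifetime cannot extend the session. It uses separate encryption and signing keys derived from one secret, stores the IV in front of the ciphertext, and sets the Secure and HttpOnly flags; the secret, cookie name and user record are constructed for the demo.

```php
<?php
// Derive separate keys for encryption and signing from one configured secret
// (in Drupal this would come from settings.php; use a long random value).
function cookie_keys(string $secret): array {
  return [
    'enc' => hash_hmac('sha256', 'enc', $secret, TRUE),
    'mac' => hash_hmac('sha256', 'mac', $secret, TRUE),
  ];
}

// Seal user data plus an absolute expiry: IV || ciphertext, then HMAC over both.
function seal_cookie(array $user, int $expiresAt, string $secret): string {
  $keys = cookie_keys($secret);
  $plain = json_encode(['user' => $user, 'exp' => $expiresAt]);
  $iv = random_bytes(16);
  $ct = openssl_encrypt($plain, 'aes-256-cbc', $keys['enc'], OPENSSL_RAW_DATA, $iv);
  $body = $iv . $ct;
  $sig = hash_hmac('sha256', $body, $keys['mac'], TRUE); // 32 raw bytes
  return base64_encode($sig . $body);
}

// Verify and open a sealed cookie. Returns the user array, or a short string
// saying why the cookie was rejected (useful for logging failed attempts).
function open_cookie(string $cookie, string $secret, int $now) {
  $keys = cookie_keys($secret);
  $raw = base64_decode($cookie, TRUE);
  // Signature (32) + IV (16) + at least one cipher block (16).
  if ($raw === FALSE || strlen($raw) < 64) {
    return 'malformed';
  }
  $sig = substr($raw, 0, 32);
  $body = substr($raw, 32);
  // Check the signature before touching the ciphertext, in constant time.
  if (!hash_equals(hash_hmac('sha256', $body, $keys['mac'], TRUE), $sig)) {
    return 'bad signature';
  }
  $iv = substr($body, 0, 16);
  $plain = openssl_decrypt(substr($body, 16), 'aes-256-cbc', $keys['enc'], OPENSSL_RAW_DATA, $iv);
  $payload = $plain === FALSE ? NULL : json_decode($plain, TRUE);
  if (!is_array($payload) || !isset($payload['exp'], $payload['user'])) {
    return 'malformed';
  }
  // The deadline lives inside the signed payload, so editing the cookie's
  // browser-side lifetime cannot extend the session.
  if ($now >= $payload['exp']) {
    return 'expired';
  }
  return $payload['user'];
}

// Demo with constructed values: one-hour session for a hypothetical user.
$secret = 'demo-secret-from-settings.php';
$now = time();
$value = seal_cookie(['id' => 42, 'name' => 'alice'], $now + 3600, $secret);

// Issue the cookie with Secure and HttpOnly set; the browser expiry is only a
// hint, the real deadline is sealed inside the value. (Call before any output.)
setcookie('sso_session', $value, $now + 3600, '/', '', TRUE, TRUE);

// Flip one bit inside the IV of the decoded value to simulate tampering.
$bytes = base64_decode($value);
$bytes[40] = chr(ord($bytes[40]) ^ 0x01);
$tampered = base64_encode($bytes);

echo 'fresh:    '; var_dump(open_cookie($value, $secret, $now));
echo 'later:    '; var_dump(open_cookie($value, $secret, $now + 7200));
echo 'tampered: '; var_dump(open_cookie($tampered, $secret, $now));
```

Run it from the command line: the fresh cookie yields the user array, the same cookie presented two hours later is rejected as expired, and the bit-flipped cookie fails the signature check before any decryption is attempted.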

navneet.singh Mon, 10/30/2017 - 13:45

Security updates for Friday

LWN Headlines -

Security updates have been issued by Arch Linux (chromium), Debian (jackson-databind, libvirt, and mysql-5.5), Fedora (SDL2_image), Mageia (db53, kernel, poppler, and wpa_supplicant, hostapd), Oracle (httpd), Red Hat (ansible, chromium-browser, httpd, java-1.8.0-openjdk, kernel, and kernel-rt), and Scientific Linux (httpd and kernel).

First Mass-Produced Electric Truck Unveiled

Slashdot -

AmiMoJo shares a report from NHK WORLD: Japan's Mitsubishi Fuso Truck and Bus has unveiled what it says is the world's first mass-produced electric truck, as automakers around the world go all out to develop cars that run on battery power. The vehicle can carry about 3 tons of cargo and travel about 100 kilometers on a single charge. The truck, unveiled on Thursday, will be used by Japan's largest convenience store chain, Seven-Eleven. Seven-Eleven President Kazuki Furuya says some people complain about the noise delivery vehicles make, and says he is very impressed at how quiet the electric truck is.

Read more of this story at Slashdot.

Error'd: Legitimate Links

The Daily WTF -

"Swedish...Russian...English....same, difference!" wrote Fred.


Scott P. writes, "I had 6 right and 5 wrong on this online quiz, but apparently I did better than that, getting '10 out of correct'."


"I had to accept information while trying to modify a booking through the official Iberia Airlines app," Mario writes.


Ben S. wrote, "YouTube would like to... umm... do a sorta complicated thing, is that OK?"

"So, do I follow the text box or do I follow the suggestion?" writes Chuk G.


Adam S. writes, "Do I smoke? ...Maybe?"


Blue Origin Successfully Test Fires Game-Changing BE-4 Rocket Engine

Slashdot -

Jeff Bezos' Blue Origin space venture has successfully test-fired its BE-4 rocket engine, marking a key step in the development of its own New Glenn rocket as well as United Launch Alliance's next-generation rocket. GeekWire reports: ULA has been waiting for months to get good news about the BE-4 tests in West Texas. The company wanted to see a successful full-scale test before going ahead with plans to use the BE-4 engine on its Vulcan rocket, which is due to have its first flight in 2019. A Blue Origin competitor, Aerojet Rocketdyne, has been waiting in the wings with its AR1 engine, which ULA saw as a "Plan B" for the Vulcan in case the BE-4 faltered. Wednesday's initial hot-firing didn't reach full power or full duration, but the test's success nevertheless reduces the likelihood that ULA would turn to the AR1. The BE-4 engine, which uses liquefied natural gas as fuel, is built at Blue Origin's production facility in Kent, Wash., and shipped down to Texas for testing. Assuming that it's accepted for ULA's use, engine production will eventually shift to a factory in Huntsville, Ala. Engines for the orbital-class New Glenn rocket will go to Blue Origin's rocket factory in Florida, which is due to be completed by the end of this year.


Facebook Security Chief Says Its Corporate Network Is Run 'Like a College Campus'

Slashdot -

An anonymous reader quotes a report from ZDNet: Facebook's security chief has told employees that the social media giant needs to improve its internal security practices to be more akin to a defense contractor, according to a leaked recording obtained by ZDNet. Alex Stamos made the comments to employees at a late-July internal meeting where he argued that the company had not done enough to respond to the growing threats that the company faces, citing both technical challenges and cultural issues at the company. "The threats that we are facing have increased significantly and the quality of the adversaries that we are facing," he said. "Both technically and from a cultural perspective I don't feel like we have caught up with our responsibility. The way that I explain to [management] is that we have the threat profile of a Northrop Grumman or a Raytheon or another defense contractor, but we run our corporate network, for example, like a college campus, almost," he said.


Could VR Field Trips Replace the Real Thing?

Slashdot -

turkeydance shares a report from RTV6, which cites a new editorial in the journal Science that explores the question, "Could VR field trips replace the real thing?" Virtual field trips have been around for a while, but they used to be pretty boring: some photos, some text -- basically a Wikipedia entry. But they've come a long way. Nearpod and Google Expeditions let students immerse themselves in places they couldn't normally visit, like Antarctica or even Mars. These virtual field trips are safer and easier to organize than real outings, and they might soon be cheaper, too. Douglas McCauley, assistant professor of ecology at the University of California, Santa Barbara, says traditional field trips have already declined under budget constraints, so schools might be tempted to simply make a switch. McCauley says he's excited about the possibilities of VR. Taking students back to prehistoric times or forward to witness the results of climate change could be a powerful teaching tool.


Appnovation Technologies: SEO for Drupal Series, Part 1: Project Discovery and The Google Algorithm

Drupal Planet -

In this new, fortnightly ‘A-Z of Drupal SEO and SEM’ series of Appnovation blog posts, we’ll see what it takes to turn a Drupal site into a traffic magnet, driving traffic growth and providing better Call to Action fulfillments without us...

Senators Announce New Bill That Would Regulate Online Political Ads

Slashdot -

An anonymous reader quotes a report from The Verge: As tech companies face continued scrutiny over Russian activity on their ad platforms, Senators today announced legislation meant to regulate political ads on the internet. The new bill, called the Honest Ads Act, would require companies like Facebook and Google to keep copies of political ads and make them publicly available. Under the act, the companies would also be required to release information on who those ads were targeted to, as well as information on the buyer and the rates charged for the ads. The new rules would bring disclosure rules more in line with how political ads are regulated in mediums like print and TV, and apply to any platform with more than 50 million monthly viewers. The companies would be required to keep and release data on anyone spending more than $500 on political ads in a year. It's unclear how well the bill will fare. Companies like Facebook have been successfully fighting regulations for years. But this latest attempt has some bipartisan support: the act, sponsored by Sen. Amy Klobuchar (D-MN) and Sen. Mark Warner (D-VA) is also co-sponsored by Sen. John McCain (R-AZ). "Americans deserve to know who's paying for the online ads," Klobuchar said at a press conference announcing the legislation.


Denuvo's DRM Now Being Cracked Within Hours of Release

Slashdot -

Denuvo, an anti-tamper technology and digital rights management scheme, isn't doing a very good job preventing PC games from being copied. According to Ars Technica, Denuvo releases are being publicly cracked within a day of their launch. From the report: This week's release of South Park: The Fractured but Whole is the latest to see its protections broken less than 24 hours after its release, but it's not alone. Middle Earth: Shadow of War was broken within a day last week, and last month saw cracks for Total War: Warhammer 2 and FIFA 18 the very same day as their public release. Then there's The Evil Within 2, which reportedly used Denuvo in prerelease review copies but then launched without that protection last week, effectively ceding the game to immediate potential piracy. Those nearly instant Denuvo cracks follow summer releases like Sonic Mania, Tekken 7, and Prey, all of which saw DRM protection cracked within four to nine days of release. But even that small difference in the "uncracked" protection window can be important for game publishers, who usually see a large proportion of their legitimate sales in those first few days of availability. The presence of an easy-to-find cracked version in that launch window (or lack thereof) could have a significant effect on the initial sales momentum for a big release. If Denuvo can no longer provide even a single full day of protection from cracks, though, that protection is going to look a lot less valuable to publishers.


Verizon Loses 18,000 Pay TV Subscribers, Signals Delay For Live TV Streaming Service

Slashdot -

Verizon announced on Thursday that its FiOS video service lost 18,000 net pay TV subscribers in the third quarter, compared with the addition of 36,000 subscribers in the year-ago period and 15,000 subscriber drop in the second quarter. Hollywood Reporter reports: The company said the drop in the latest quarter was "reflecting the ongoing shift from traditional linear video to over-the-top offerings." Verizon, led by chairman and CEO Lowell McAdam, ended the third quarter with a total of 4.6 million subscribers to its FiOS video service, which competes with cable and satellite TV companies. Asked about a planned over-the-top (OTT) TV service from Verizon, Ellis said that the company continues to feel that "there's an opportunity for us to play," but signaling a delay, he emphasized that the company "doesn't want to launch a me-too product." He didn't provide any guidance on when the OTT service would launch, saying that was still "TBD" (to be determined), or what content it could offer beyond saying it was likely to be built "around live programming." Verizon also reported Thursday that it added 66,000 net new FiOS broadband connections in the third quarter to end it with 5.8 million.


How Google's Pixel 2 'Now Playing' Song Identification Works

Slashdot -

An anonymous reader shares a report from VentureBeat, written by Emil Protalinski: The most interesting Google Pixel 2 and Pixel 2 XL feature, to me, is Now Playing. If you've ever used Shazam or SoundHound, you probably understand the basics: The app uses your device's microphone to capture an audio sample and creates an acoustic fingerprint to compare against a central song database. If a match is found, information such as the song title and artist are sent back to the user. Now Playing achieves this with two important differentiators. First, Now Playing detects songs automatically without you explicitly asking -- the feature works when your phone is locked and the information is displayed on the Pixel 2's lock screen (you'll eventually be able to ask Google Assistant what's currently playing, but not yet). Secondly, it's an on-device and local feature: Now Playing functions completely offline (we tested this, and indeed it works with mobile data and Wi-Fi turned off). No audio is ever sent to Google.


Lullabot: React in Drupal Core?

Drupal Planet -

Matt and Mike talk with Drupal core committer Lauri Eskola, Drupal JavaScript maintainers Théodore Biadala and Matthew Grill, and Lullabot's own Senior Technical Architect Sally Young about adopting a front-end JavaScript framework, specifically React, into Drupal core.

Amazon Spends $350K On Seattle Mayor's Race

Slashdot -

reifman writes: Until this summer, Amazon had never contributed more than $15,000 to a city political campaign in Seattle, but this year's different. The company is a lead funder in the Seattle Chamber of Commerce's PAC which dropped $525,000 Monday on Jenny Durkan's PAC, the centrist business candidate. Her opponent Cary Moon is an advocate for affordable housing, which complicates Amazon's growth, and city-owned community broadband. Comcast and Century Link joined Amazon contributing $25,000 and $82,500 respectively to the Chamber's PAC. Amazon's $350,000 contribution represents .00014 of its CY 2016 net profit.


Apple Watch's LTE Suspended In China Possibly Due To Government Security Concerns

Slashdot -

The Apple Watch Series 3's best new feature has been mysteriously blocked in China. According to a report from The Wall Street Journal, China has cut off the Apple Watch's LTE connectivity on Sept. 28 after brief availability from China Unicom. Industry analysts claim that the suspension is probably from governmental concerns about not being able to track and confirm users of the device. AppleInsider reports: Apple issued a brief statement confirming the situation, and referring customers to China Unicom. Neither China Unicom, nor Chinese regulators have made any statement on the matter. The issue may stem from the eSIM in the Apple Watch. Devices like the iPhone have state-owned telecom company-issued SIM cards -- and the eSIM is embedded in the device by Apple. "The eSIM (system) isn't mature enough yet in China," one analyst said. "The government still needs to figure out how they can control the eSIM." The LTE version of the Apple Watch had only a trial certificate to operate on the Chinese LTE network. An analyst who asked not to be identified expects that Ministry of Industry and Information Technology may take months to figure out how the government will deal with the eSIM, and issue a formal certificate for operation.


Almost Half of Tech Workers Worry About Losing Their Jobs Because of Ageism, Says Survey

Slashdot -

An anonymous reader quotes a report from SiliconBeat: More than 40 percent of tech workers worry about losing their jobs because of age, a new survey shows. Jobs site Indeed also found that 18 percent of those who work in the tech industry worry "all the time" about losing their jobs because of ageism. The release of the survey Thursday comes amid other news about diversity -- or lack thereof -- in tech workplaces. Often when we report about diversity issues, readers wonder about older workers. The Indeed survey offers insight into the age of the tech workforce: It's young. Indeed concluded from surveying more than 1,000 respondents in September that the tech workforce is composed of about 46 percent millennials, with 36 percent of respondents saying the average employee age at their company is 31 to 35, and 17 percent saying that the average worker age at their company is 20 to 30. What about Generation X and baby boomers? Twenty-seven percent of respondents said the average age of employees at their company is 36 to 40, while 26 percent of respondents said the workers at their companies are 40 and older.


Alphabet Invests $1 Billion In Lyft

Slashdot -

Lyft announced Thursday that Google-parent Alphabet is leading a $1 billion financing round into the ride-hailing company. This ups Lyft's valuation from $7.5 billion to $11 billion. The funding is coming from CapitalG, one of Alphabet's investment firms. CNET reports: "CapitalG is honored to work with Lyft's compelling founders and strong leadership team," David Lawee, CapitalG partner, said in a statement. "Ridesharing is still in its early days and we look forward to seeing Lyft continue its impressive growth." Compared with Uber, Lyft has long been the small dog in the ride-hailing world. Before now, it's received $2.6 billion in venture funding, whereas Uber has received $12.9 billion and is valued at $68 billion. Alphabet's investment in Lyft could be a sore spot for rival Uber. Uber is currently locked in a legal battle with Waymo.


Consumer Reports Expects Tesla's Model 3 To Have 'Average Reliability'

Slashdot -

There may be only a few hundred Tesla Model 3s on the street, but Consumer Reports already has an opinion on the new car's dependability. From a report: "We are predicting that the Model 3 should have about average reliability," said Jake Fisher, director of auto testing for Consumer Reports. Average may irritate Tesla fans and the nearly 500,000 people who have reserved a Model 3, but Fisher believes people should understand what Consumer Reports expects from the new car. "We don't go around recommending that people buy cars that are below average, so if it is average or better, that is not a bad thing at all," said Fisher. "But let's be very clear, we are not giving it super high marks. We are saying it is basically par for the course." Consumer Reports has yet to buy a Model 3 and put it through a battery of tests, as the magazine does for dozens of vehicles. In addition, so few Model 3 cars have been delivered that Fisher and his team have yet to get a sense of how owners feel about their new Tesla.


Canada's 'Super Secret Spy Agency' Is Releasing a Malware-Fighting Tool To the Public

Slashdot -

Matthew Braga, reporting for CBC News: Canada's electronic spy agency says it is taking the "unprecedented step" of releasing one of its own cyber defence tools to the public, in a bid to help companies and organizations better defend their computers and networks against malicious threats. The Communications Security Establishment (CSE) rarely goes into detail about its activities -- both offensive and defensive -- and much of what is known about the agency's activities have come from leaked documents obtained by U.S. National Security Agency whistleblower Edward Snowden and published in recent years. But as of late, CSE has acknowledged it needs to do a better job of explaining to Canadians exactly what it does. Today, it is pulling back the curtain on an open-source malware analysis tool called Assemblyline that CSE says is used to protect the Canadian government's sprawling infrastructure each day. "It's a tool that helps our analysts know what to look at, because it's overwhelming for the number of people we have to be able to protect things," Scott Jones, who heads the agency's IT security efforts, said in an interview with CBC News. On the one hand, open sourcing Assemblyline's code is a savvy act of public relations, and Jones readily admits the agency is trying to shed its "super secret spy agency" reputation in the interest of greater transparency.



Subscribe to Heydon Consulting aggregator