Drupal 8 Straits

For the third time in 5 years we encounter yet another critical security hole in D8.


Drupal sys-admins should pay close attention to this recent issue as it involves the D8 core API functionality and D7 Services module. If you are not familliar, the functionality that I am refering to applies to code that creates a REST interface for Drupal, which in these days of headless development is a critical vulnerability. This is not the first time that I have written about the pros and cons of D8 vs. D7 but I can not really let this important news event slide by without pontificating a bit.

To quote the excellent article by Dan Goodin in Ars Technica:

For a site to be vulnerable, one of the following conditions must be met:

  • It has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests or
  • It has another Web-services module enabled, such as JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7

Project managers are urging administrators of vulnerable websites to update at once. For sites running version 8.6.x, this involves upgrading to 8.6.10 and sites running 8.5.x or earlier upgrading to 8.5.11. Sites must also install any available security updates for contributed projects after updating the Drupal core. No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates.

It stands to reason that the most important aspect of this bulletin is the part about Drupal 7 core not being affected by the issue. I am going to venture that perhaps instead of folding supposed “essential” modules into D8 core the focus should have been on core functionality, rather than focusing on the current development vector of ease of use.

The beauty of D7 for me has always been it’s high degree of security. I don’t know of another application that is so completely integrated with the web server environment as to leverage the web servers many modules and services the way D7 does which is what makes it so secure to begin with. Perhaps that was part of the inspiration for Backdrop CMS.

Thank’s for reading. Have a peaceful day.