How we dealt with Heartbleed and Drupal

I just wanted to share how we have dealt with the Heartbleed bug at work in case there is anyone else out there that runs a Drupal site that needs some help.

Obviously we have patched the servers and got new certificates issued, but the job of resetting passwords is the tricky one.  Now we could use the approach of asking our users to change their passwords, but if more than 5% of users actually did that I would be shocked.

Below is a hook_update snippet of code similar to that we have used to force every user to reset their password.

The code works by forcefully ending every user's session (by truncating the sessions table).  We then update every user's password with a randomly generated password (that we do not know) to prevent them from being able to log in with their insecure password. Finally, we send every user the "reset your password" email with the one-time login link to make it easy for them to get back in.

function HOOK_update_7???() {
  require_once DRUPAL_ROOT . '/includes/password.inc';

  // Log users out.
  db_truncate('sessions')->execute();

  // Generate a password.
  $password = user_password();

  // Hash password.
  $password = user_hash_password($password);

  // Update all the passwords to hashed generated password, not user 0 or 1.
  $updatepass = db_update('users')
    ->fields(array(
      'pass' => $password,
    ))
    ->condition('uid', '0', '!=')
    ->condition('uid', '1', '!=')
    ->execute();

  // Get users to send email.
  $users = db_select('users', 'u')
    ->condition('uid', '0', '!=')
    ->condition('uid', '1', '!=')
    ->fields('u', array(
      'uid',
      'name',
      'mail',
      'login',
      'pass',
      'language',
    ))
    ->execute()
    ->fetchAllAssoc('uid');

  // Send emails to the users
  foreach ($users as $user) {
    $mail = _user_mail_notify('password_reset', $user);
  }
}
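
The snippet above hashes one generated password and writes that same hash to every account. A variant that gives each account its own throwaway password and works through the users in batches via the update sandbox, as an added example that is not the original author's code (MYPROFILE, 7001 and the batch size of 25 are placeholders):

```php
<?php
// Added example, not the original post's code. MYPROFILE and 7001 are
// placeholder names; the batch size of 25 is an arbitrary assumption.
function MYPROFILE_update_7001(&$sandbox) {
  require_once DRUPAL_ROOT . '/includes/password.inc';

  if (!isset($sandbox['last_uid'])) {
    // First pass only: log everyone out and count the accounts to process.
    db_truncate('sessions')->execute();
    $sandbox['last_uid'] = 1;
    $sandbox['done'] = 0;
    $sandbox['total'] = db_query('SELECT COUNT(uid) FROM {users} WHERE uid > 1')->fetchField();
  }

  // Password hashing is deliberately slow, so handle a small batch per pass.
  // Starting after uid 1 skips the anonymous user (0) and user 1.
  $uids = db_select('users', 'u')
    ->fields('u', array('uid'))
    ->condition('uid', $sandbox['last_uid'], '>')
    ->orderBy('uid', 'ASC')
    ->range(0, 25)
    ->execute()
    ->fetchCol();

  foreach ($uids as $uid) {
    // A distinct random password per account; it is never stored or shown.
    db_update('users')
      ->fields(array('pass' => user_hash_password(user_password(32))))
      ->condition('uid', $uid)
      ->execute();

    // Reload after the update: the one-time login link is derived from the
    // stored password hash, so it must be built from the new value.
    $account = user_load($uid, TRUE);
    if ($account && !empty($account->mail)) {
      _user_mail_notify('password_reset', $account);
    }
    $sandbox['last_uid'] = $uid;
    $sandbox['done']++;
  }

  // Tell the update system whether another pass is needed.
  $sandbox['#finished'] = empty($uids) ? 1 : min(0.99, $sandbox['done'] / max(1, $sandbox['total']));
}
```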

Why not use a module like Mass Password Reset? Simple, we run 100+ sites on our installation and it would be a pain to run that on all sites.  This is in our profile so all we have to do is deploy the code and run updates.

Kudos goes out to pbz1912 who actually wrote the code.

Edit

As mentioned in the comment from Luca, it’s not best practice to just send your users the reset password email, but to let them know what's going on.  We also used a similar snippet of code to the one below to add some help text to the login form.

function HOOK_form_user_login_alter(&$form, $form_state) {
  $form['heartbleed'] = array(
    '#type' => 'markup',
    '#markup' => t("Put your friendly help text in here, it will appear above the login form"),
    '#weight' => -50,
  );
}

Managed file upload in Drupal theme settings

So you want to add a managed file field to your theme settings to allow for an additional logo, great! Using FAPI and a theme-settings.php file it will be a piece of cake.  Not so fast….

The sticking point here is that a managed file once uploaded has to have its status changed to 1 to make it persist.  If you don’t change that status then cron will come along and merrily remove it after 6 hours, leaving you with a broken image on your theme.

Add the field to the theme settings in the usual way

function MYTHEME_form_system_theme_settings_alter(&$form, $form_state) {
  $form['secondary_logo'] = array(
    '#title' => t('Secondary logo'),
    '#description' => t('A description'),
    '#type' => 'managed_file',
    '#upload_location' => 'public://secondary-logo/',
    '#upload_validators' => array(
      'file_validate_extensions' => array('gif png jpg jpeg'),
    ),
    '#default_value' => theme_get_setting('secondary_logo'),
  );
}

This gets the field on the settings screen, but doesn’t allow you to persist by altering the status.  On any normal form you could use hook_form_submit(), but unfortunately this does not work with theme settings.

The fix is to add a custom submit handler to the form, but due to a bug in the theme settings system you need to specify your theme settings file as a dependency.  Add the following to the MYTHEME_form_system_theme_settings_alter function

$form['#submit'][] = 'MYTHEME_settings_form_submit';

// Get all themes.
$themes = list_themes();
// Get the current theme
$active_theme = $GLOBALS['theme_key'];
$form_state['build_info']['files'][] = str_replace("/$active_theme.info", '', $themes[$active_theme]->filename) . '/theme-settings.php';

It is important to note that as you are now altering the $form_state variable you need to add an & to the parameter so that it is passed by reference.

Now you can create the submit handler to actually change the status of the file.

function MYTHEME_settings_form_submit(&$form, $form_state) {
  $image_fid = $form_state['values']['secondary_logo'];
  $image = file_load($image_fid);
  if (is_object($image)) {
    // Check to make sure that the file is set to be permanent.
    if ($image->status == 0) {
      // Update the status.
      $image->status = FILE_STATUS_PERMANENT;
      // Save the update.
      file_save($image);
      // Add a reference to prevent warnings.
      file_usage_add($image, 'MYTHEME', 'theme', 1);
    }
  }
}

And there you have it, you should be able to keep hold of your file for longer than 6 hours.

Disclaimer

I was put on the right track to this solution and have used code from this Stack Overflow question.

XBMC needs hardware accelerated OpenGL rendering

Over the weekend I ran updates on my Ubuntu HTPC, and upon reboot it came up with the following message “XBMC needs hardware accelerated OpenGL rendering”.

It turns out that when I ran the updates it also updated fglrx, the graphics driver to run the AMD chip in my machine.  This update dropped support (or so it seems) for my chip, and as such broke my machine.

The fix as it turns out is fairly simple.  Press ctrl + alt + F1 to drop into a terminal. Then uninstall any fglrx packages that you have installed. Run this to find installed packages

dpkg --get-selections 'fglrx*'

then use apt-get to remove them

sudo apt-get remove fglrx

Next, add the fglrx-legacy PPA and install the legacy package

sudo add-apt-repository ppa:makson96/fglrx
sudo apt-get update
sudo apt-get install fglrx-legacy

Reboot and you should be good to go, or at least this worked for me.

Bootstrap Shortcodes

Just a bit of self promotion… Introducing Bootstrap-3-shortcodes.

Something that I have been working on in my spare time has finally made its way onto the WordPress Plugin repository.  The plugin provides a load of shortcodes to help you style your WordPress site using the Bootstrap components.

It assumes that you are using a base theme that has Bootstrap at its core, such as Roots. You can then just use the shortcodes in your content.

Enjoy, and if you have any issues then please head over to the Github repo.

Fullscreen Firefox with XBMC

At home I run a custom built HTPC running Ubuntu with XBMC as the main interface.  So that the machine boots into XBMC directly, and to avoid any superfluous applications running, I use XBMC directly as the user-session.

Using the Advanced Launcher plugin I was able to launch Firefox, but it always launched in what looked like a windowed interface, and only filled about one quarter of my TV.  Clicking on the maximise window button had no effect.

The reason that it was doing this was because there was no window manager for Firefox to use.

The solution that I came up with was to install Fluxbox and use the following script.

#!/bin/bash
fluxbox&
firefox
pkill -9 fluxbox

The script starts Fluxbox in the background, then launches Firefox, which uses Fluxbox as its window manager, allowing it to be full screen.  Firefox then blocks this script from running until you exit Firefox.  Fluxbox then ends and you return to XBMC.

Set up the launcher to use this script, and then you can add it to your home screen, and hey presto, easy access to Firefox on your TV.

Personal blog of Simon Yeldon