How we dealt with Heartbleed and Drupal

I just wanted to share how we dealt with the Heartbleed bug at work, in case anyone else out there running a Drupal site needs some help.

Obviously we have patched the servers and had new certificates issued, but resetting passwords is the tricky part. We could simply ask our users to change their passwords, but I would be shocked if more than 5% of them actually did.

Below is a hook_update snippet similar to the one we used to force every user to reset their password.

The code works by forcefully ending every user's session (by truncating the sessions table). We then overwrite every user's password with a randomly generated one (which we do not know) so that nobody can log in with a password that may have leaked. Finally, we send every user the "reset your password" email with its one-time login link to make it easy for them to get back in. The email step has to come after the password update: the one-time link is derived from the stored password hash, so a link generated against the old hash would be invalid once the hash changes.

function HOOK_update_7???() {
  // user_password() and user_hash_password() live here, and password.inc
  // is not loaded automatically during a database update.
  require_once DRUPAL_ROOT . '/includes/password.inc';

  // Log everybody out by dropping every active session.
  db_truncate('sessions')->execute();

  // Generate one random password that nobody ever sees.
  $password = user_password();

  // Hash it the same way Drupal hashes a password set through the UI.
  $password = user_hash_password($password);

  // Overwrite every password with the hashed random value, except for
  // the anonymous user (uid 0) and the site administrator (uid 1).
  // Note that every affected account ends up with the same (unknown) hash.
  db_update('users')
    ->fields(array(
      'pass' => $password,
    ))
    ->condition('uid', '0', '!=')
    ->condition('uid', '1', '!=')
    ->execute();

  // Load the affected users again so the rows carry the NEW hash; the
  // one-time login link in the reset email is computed from 'pass'.
  $users = db_select('users', 'u')
    ->condition('uid', '0', '!=')
    ->condition('uid', '1', '!=')
    ->fields('u', array(
      'uid',
      'name',
      'mail',
      'login',
      'pass',
      'language',
    ))
    ->execute()
    ->fetchAllAssoc('uid');

  // Send each user the standard "password reset" notification.
  foreach ($users as $user) {
    _user_mail_notify('password_reset', $user);
  }
}
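As an added example (not the post's code, nor pbz1912's), here is a batched variant of the same update: it gives each account its own random hash instead of one shared hash, and walks the users table in chunks through hook_update_N's $sandbox so the update completes on large sites without hitting PHP's time limit. The module name mymodule, the update number 7001 and the chunk size of 200 are assumptions.

```php
<?php
/**
 * Hypothetical batched force-reset (added example; "mymodule" and 7001 are
 * placeholders). Drupal 7 re-invokes the update until $sandbox['#finished']
 * reaches 1, so state between passes is kept in $sandbox.
 */
function mymodule_update_7001(&$sandbox) {
  require_once DRUPAL_ROOT . '/includes/password.inc';

  if (!isset($sandbox['progress'])) {
    // First pass only: end every session, then set up the batch counters.
    db_truncate('sessions')->execute();
    $sandbox['progress'] = 0;
    $sandbox['last_uid'] = 1;  // Skip anonymous (uid 0) and admin (uid 1).
    $sandbox['max'] = (int) db_query('SELECT COUNT(uid) FROM {users} WHERE uid > 1')->fetchField();
  }

  // Fetch the next slice, ordered by uid so each pass resumes where the last stopped.
  $users = db_select('users', 'u')
    ->fields('u', array('uid', 'name', 'mail', 'login', 'pass', 'language'))
    ->condition('uid', $sandbox['last_uid'], '>')
    ->orderBy('uid')
    ->range(0, 200)
    ->execute();

  $processed = 0;
  foreach ($users as $account) {
    // A fresh, unknown password per account: no two users share a hash.
    $hash = user_hash_password(user_password(32));
    db_update('users')
      ->fields(array('pass' => $hash))
      ->condition('uid', $account->uid)
      ->execute();

    // The one-time login link is derived from the stored hash, so the
    // notification must see the new value, not the pre-reset row.
    $account->pass = $hash;
    _user_mail_notify('password_reset', $account);

    $sandbox['last_uid'] = $account->uid;
    $sandbox['progress']++;
    $processed++;
  }

  // Stop when the slice came back empty, otherwise report fractional progress.
  if ($processed == 0 || $sandbox['max'] == 0) {
    $sandbox['#finished'] = 1;
    return t('Forced a password reset for @count accounts.', array('@count' => $sandbox['progress']));
  }
  $sandbox['#finished'] = min(0.99, $sandbox['progress'] / $sandbox['max']);
}
```

Because the session table is truncated on the first pass, run this from drush or an update.php session you can re-establish with the admin account (uid 1), which is deliberately left untouched.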

Why not use a module like Mass Password Reset? Simple: we run 100+ sites on our installation, and it would be a pain to run that on every site. This update lives in our install profile, so all we have to do is deploy the code and run updates.

Kudos goes out to pbz1912 who actually wrote the code.

Edit

As mentioned in the comment from Luca, it's not best practice to just send your users the reset password email; you should also let them know what's going on. We used a snippet similar to the one below to add some help text to the login form.

function HOOK_form_user_login_alter(&$form, $form_state) {
  $form['heartbleed'] = array(
    '#type' => 'markup',
    '#markup' => t("Put your friendly help text in here, it will appear above the login form"),
    '#weight' => -50,
  );
}

2 thoughts on “How we dealt with Heartbleed and Drupal”

  1. I would say it’s also important to put a note on the login screen for people struggling to sign in. I for one wouldn’t click a link to reset my password in an email if I didn’t ask to change my password. However, I would go to the site, try to log in, fail and then change it. A note on that login page saying that all passwords were reset would make me confident that the email I received wasn’t a phishing attempt. Just a thought :)

    1. Funny you should say that… we have put a message on the login form, I just didn’t put that in this post.

      To tackle the whole phishing thing we forewarned our users by sending them an email telling them what we were doing. We included the contents of the reset email in that message so they would know it wasn’t a phishing scam.