Security advisories: Drupal Core - Multiple Vulnerabilities - SA-CORE-2018-006

  • Advisory ID: DRUPAL-SA-CORE-2018-006
  • Project: Drupal core
  • Version: 7.x, 8.x
  • Date: 2018-October-17

Content moderation - Moderately critical - Access bypass - Drupal 8

In some conditions, content moderation fails to check a user's access to use certain transitions, leading to an access bypass.

In order to fix this issue, the following changes have been made to content moderation, which may have implications for backwards compatibility:

StateTransitionValidation service

Two additional services have been injected into this service. Anyone subclassing this service must ensure these additional dependencies are passed to the constructor if the constructor has been overridden.

StateTransitionValidationInterface

An additional method has been added to this interface. Implementations of this interface which do not extend StateTransitionValidation should implement this method.

Implementations which do extend StateTransitionValidation should ensure any behavioural changes they have made are also reflected in this new method.

User permissions
Previously users who didn't have access to use any content moderation transitions were granted implicit access to update content provided the state of the content did not change. Now access to an associated transition will be validated for all users in scenarios where the state of content does not change between revisions.
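The following is an added example, not Drupal's own code, that models the logic flaw described above in Python. The states and transitions are those of Drupal's stock editorial workflow, and the permission strings follow the 'use <workflow> transition <transition>' naming that content moderation uses; the two permission sets and the function names are constructed for the illustration, not taken from the advisory.

```python
"""Model of the content-moderation transition check before and after the fix.

Added example, not Drupal code. Workflow data mirrors Drupal's stock
'editorial' workflow; permission strings follow content moderation's
'use <workflow> transition <transition>' naming. The account permission
sets below are constructed for the illustration.
"""

# transition id -> (set of states it may start from, state it ends in)
EDITORIAL_TRANSITIONS = {
    "create_new_draft": ({"draft", "published"}, "draft"),
    "publish": ({"draft", "published"}, "published"),
    "archive": ({"published"}, "archived"),
    "archived_draft": ({"archived"}, "draft"),
    "archived_published": ({"archived"}, "published"),
}


def transitions_between(original_state, new_state, workflow=EDITORIAL_TRANSITIONS):
    """Transition ids that take `original_state` to `new_state` (possibly none)."""
    return [tid for tid, (sources, target) in workflow.items()
            if original_state in sources and target == new_state]


def transition_permission(transition_id, workflow_id="editorial"):
    """Permission string content moderation grants per transition."""
    return f"use {workflow_id} transition {transition_id}"


def _has_transition(permissions, original_state, new_state):
    return any(transition_permission(tid) in permissions
               for tid in transitions_between(original_state, new_state))


def may_save_revision_before_fix(permissions, original_state, new_state):
    """Pre-fix logic: a revision that leaves the state unchanged skipped the
    transition check entirely, so holding no transition permission was enough."""
    if original_state == new_state:
        return True  # the access bypass
    return _has_transition(permissions, original_state, new_state)


def may_save_revision_after_fix(permissions, original_state, new_state):
    """Post-fix logic: every revision, including same-state ones, must map to a
    transition the account is permitted to use."""
    return _has_transition(permissions, original_state, new_state)


# Constructed accounts: both may edit the node type, only the second holds a transition.
NO_TRANSITIONS = frozenset({"edit any article content"})
DRAFT_AUTHOR = frozenset({"edit any article content",
                          "use editorial transition create_new_draft"})

if __name__ == "__main__":
    for perms, name in ((NO_TRANSITIONS, "no transitions"), (DRAFT_AUTHOR, "draft author")):
        for original, new in (("draft", "draft"), ("published", "published"), ("draft", "published")):
            before = may_save_revision_before_fix(perms, original, new)
            after = may_save_revision_after_fix(perms, original, new)
            print(f"{name:14} {original:>9} -> {new:<9} before={before!s:5} after={after}")
```

Note that the post-fix rule also refuses a same-state save for which the workflow defines no transition at all (archived to archived in the editorial workflow), which is why a site that relied on the old implicit permission may see editors lose the ability to save such revisions until a matching transition is granted.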

External URL injection through URL aliases - Moderately Critical - Open Redirect - Drupal 7 and Drupal 8

The path module allows users with the 'administer paths' permission to create pretty URLs for content.

In certain circumstances such a user can enter a particular path that triggers an open redirect to a malicious URL.

The issue is mitigated by the fact that the user needs the 'administer paths' permission to exploit it.

Anonymous Open Redirect - Moderately Critical - Open Redirect - Drupal 8

Drupal core and contributed modules frequently use a "destination" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.

This vulnerability has been publicly documented.

RedirectResponseSubscriber event handler removal

As part of the fix, \Drupal\Core\EventSubscriber\RedirectResponseSubscriber::sanitizeDestination() has been removed. Although this is a public method, it is not considered an API as per our API policy for event subscribers.
If you have extended that class or are calling that method, you should review your implementation in line with the changes in the patch. The existing method has been removed rather than left in place to prevent a false sense of security.
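Both open-redirect issues above (the path alias one and the destination parameter one) come down to deciding whether a user-supplied string is a site-local path. The check below is an added example written in Python, not Drupal's PHP fix and not code from the advisory; `is_local_destination` and `redirect_target` are hypothetical names, and the sample values are constructed to cover the shapes that turn a local redirect into an external one.

```python
"""Decide whether a user-supplied redirect target is site-local.

Added example, not Drupal's fix. `is_local_destination` is a hypothetical
validator for a ?destination= value or a path-alias field; the sample
inputs at the bottom are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# ASCII control characters and space: URL parsers disagree on how to strip
# them, so a value containing any is rejected outright rather than normalised.
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


def is_local_destination(destination):
    """True only for a path that can be served by this site.

    Rejects the shapes that turn a "local" redirect into an external one:
    absolute URLs (http://evil.example), scheme-relative URLs (//evil.example),
    backslash forms browsers normalise to a host (/\\evil.example), and
    percent-encoded versions of any of these (%2F%2Fevil.example).
    """
    if not destination:
        return False
    # Decode once so encoded slashes are judged like literal ones.
    candidate = unquote(destination)
    if _CONTROL_OR_SPACE.search(candidate):
        return False
    # Browsers treat a backslash after the first slash like a second slash.
    candidate = candidate.replace("\\", "/")
    # Exactly one leading slash: "/path", never "//host" or "scheme:...".
    if not candidate.startswith("/") or candidate.startswith("//"):
        return False
    parts = urlsplit(candidate)
    return parts.scheme == "" and parts.netloc == ""


def redirect_target(destination, fallback="/"):
    """Return `destination` if it is local, otherwise a site-local fallback."""
    return destination if is_local_destination(destination) else fallback


if __name__ == "__main__":
    # Constructed inputs; the last five are open-redirect shapes.
    for value in ("/node/1", "/user/login?destination=/admin", "/node/1#comments",
                  "//evil.example/", "/\\evil.example", "http://evil.example",
                  "%2F%2Fevil.example", "/%5Cevil.example"):
        print(f"{value!r:36} -> {is_local_destination(value)}")
```

The validator is deliberately stricter than an alias or destination field needs to be: it requires a leading slash and refuses anything it cannot classify, which is the safer failure mode for a value that ends up in a Location header. Apply it at the point the value is stored (an alias being saved) and again at the point it is used (the redirect being issued), since the two checks protect against different bypasses.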

Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution - Drupal 7 and Drupal 8

When sending email, some variables were not being sanitized for use as shell arguments, which could lead to remote code execution.
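To show the class of bug (an address concatenated into the argument string of a mail transport command), the following is an added Python example, not Drupal's DefaultMailSystem code and not the patch. It contrasts a string-built command line, where whitespace in the address becomes extra arguments, with a validated argv list; the sendmail path and options are illustrative, and the sample addresses are constructed.

```python
"""Mail-transport argument injection: string-built command vs validated argv.

Added example, not Drupal's DefaultMailSystem code. The sendmail path and
options are illustrative; the sender addresses are constructed.
"""
import re
import shlex

# Deliberately narrower than RFC 5322: no whitespace, quotes or leading '-',
# so the value can never be split into, or read as, an extra sendmail option.
_SENDER_RE = re.compile(
    r"^[A-Za-z0-9._%+][A-Za-z0-9._%+-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def is_safe_sender(address):
    """True if the address matches the strict allow-list above."""
    return bool(_SENDER_RE.fullmatch(address))


def sendmail_command_vulnerable(return_path):
    """Pre-fix pattern: the Return-Path is glued into the extra-parameter
    string that reaches sendmail via a shell-style split. Whitespace in the
    address therefore becomes new arguments (e.g. '-X<file>' makes sendmail
    write its traffic log to a path of the attacker's choosing)."""
    return "/usr/sbin/sendmail -t -i -f" + return_path


def sendmail_argv_fixed(return_path):
    """Validate first, then build argv as a list: the address is one argument
    and is never re-parsed, whatever characters it contains."""
    if not is_safe_sender(return_path):
        raise ValueError(f"refusing sender address {return_path!r}")
    return ["/usr/sbin/sendmail", "-t", "-i", "-f" + return_path]


def option_tokens(command_line):
    """Arguments sendmail would see as options after shell-style splitting."""
    return [tok for tok in shlex.split(command_line) if tok.startswith("-")]


# Constructed inputs: a plain address and one carrying injected sendmail options.
CLEAN = "noreply@example.com"
INJECTED = "noreply@example.com -OQueueDirectory=/tmp -X/tmp/trace.log"

if __name__ == "__main__":
    print(option_tokens(sendmail_command_vulnerable(CLEAN)))     # three options
    print(option_tokens(sendmail_command_vulnerable(INJECTED)))  # five options
    print(sendmail_argv_fixed(CLEAN))
    try:
        sendmail_argv_fixed(INJECTED)
    except ValueError as err:
        print(err)
```

The two defences are independent and both are worth having: the allow-list stops option-looking values at the boundary, and the argv list means that even a value which slips past validation cannot grow into additional arguments.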

Contextual Links validation - Critical - Remote Code Execution - Drupal 8

The Contextual Links module doesn't sufficiently validate the requested contextual links.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access contextual links".

Solution

Upgrade to the most recent version of Drupal 7 or 8 core:

  • If you are using Drupal 7.x, upgrade to Drupal 7.60.
  • If you are using Drupal 8.6.x, upgrade to Drupal 8.6.2.
  • If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.8.

Minor versions of Drupal 8 prior to 8.5.x are not supported and do not receive security coverage, so sites running older versions should update to the 8.5.8 release immediately. 8.5.x will receive security coverage until May 2019.

GDC 2019 is now open for registration!

Now's the time to register for GDC 2019! You'll want to look at pass options and register early to get the best price. Plus, some passes have limited quantities so if you're interested, don't wait! ...

Breaking the VR Speed Barrier: Sprint Vector's Fluid Locomotion Technology - by Lauren Irvine Blogs - 17 October 2018 - 6:25am
Never a developer to shy away from a technical challenge, Survios's second game "Sprint Vector" was created to tackle an issue persistent in VR since its inception: locomotion. So naturally the studio built a game where speedrunning is its heart and soul.
How Yacht Club Games Created Shovel Knight's Specter Knight, Plague Knight, and Propeller Knight Bosses - by David Craddock Blogs - 17 October 2018 - 6:24am
In another batch of stories from David L. Craddock's "Shovel Knight" published by Boss Fight Books, the author discusses how developer Yacht Club Games designed Shovel Knight's Specter Knight, Plague Knight, and Propeller Knight boss battles.
Metaspoilers and how they can influence the player experience. - by Bruno Freitas Blogs - 17 October 2018 - 6:23am
In this post I will talk about metaspoilers, a term I created to talk about spoilers that transcend the original media, and will analyze some examples.
Top 3 Game Career Planning Videos from Ask Gamedev - by Matt AG Blogs - 17 October 2018 - 6:20am
Today Ask Gamedev turns 1 year old! If you haven't heard of Ask Gamedev, we're a YouTube channel made up of game industry veterans and we make videos on game design, marketing games, career planning and more. Here are our top 3 videos on career planning:
TEN7 Blog's Drupal Posts: Episode 041: Steve Persch

It is our pleasure to welcome to the TEN7 podcast Steve Persch, lead developer advocate at Pantheon. Here's what we're discussing in this podcast: Steve's background; Celebrating a Drupal birthday; Theater background and blogging; WordPress experience; Improv comedy and Comedy Sports gaining self confidence; Experience at Palantir in Chicago; Contributing to Workbench; Discovering Git; Teaching WordPress' Gutenberg editor; What the WordPress & Drupal communities can learn from each other; The 2018 Twin Cities Open Source CMS Unconference; WordPress, Drupal & Joomla; Supporting Backdrop; Alexander Hamilton; Steve Vector (alias)
IQ In Dungeons And Dragons

So you may be expecting this to be another one of those articles going on at length about how much smarter RPG nerds are than other people. It’s not that. But we do have an article that disagrees with that position in our archives if you’d like to read it. It doesn’t quite predate Unpopular Opinion Puffin, which is a shame because it would have made a stellar example of the meme and that would be a good excuse why we didn’t include it.

So that aside, where the hell am I headed instead? Well, here’s a common rule of thumb for Dungeons & Dragons or any RPG that shares its 3d6 stat generation (or RPGs that have a similar range of stats): Your character’s IQ is equal to their INT score times ten. In fact, Gary is said to have repeatedly endorsed this interpretation. This came up on a discussion board I’m part of recently and I had a minor epiphany I’d like to share here (along with some math). While it may be valid to say: “Your INT score times ten is equal to the approximate real world IQ equivalent to their mental capacity”, it is absolutely not valid to say “Your character’s game world IQ is equal to their INT times ten.” Minor difference, but to me, the fun part is why this is clearly the case.

The explanation starts with something called the Flynn Effect. Very loosely, this effect says that aggregate results on IQ tests change, sometimes dramatically, over time. But why, then, do IQ scores stay in the same range and get interpreted the same way all the time? For IQ scores to be useful they have to be standardized, even over time, so they are routinely normalized so that recorded IQs at a given time follow a normal distribution with a mean of 100 and a standard deviation of 15.

Which of course means that after converting a 3d6 stat score, which has mean 10.5 and standard deviation square root(35/4)*, to an in-game-world IQ score, INT 10 would not be an IQ of 100. INT 10.5 would be an IQ of 100. Similarly, shifting by a stat point would not change your IQ by 10 points. It would change it by 15/square root(35/4), or about 5.1 points.

Now, of course, different roll methods will result in different conversions, but surprisingly enough PC rolling methods aren’t really of interest. In most campaign worlds, if we include both assumed and explicit instances, generic NPCs will so outweigh PCs and NPCs of interest that the game world’s “IQ distribution” will be based entirely on generic NPC INT scores. This means that for most common 3d6 stat systems, in-world IQ scores would be based off of a 3d6 roll. Of course, the message board where this came up was a 1e message board, which often used three “averaging dice” for generic NPC scores. These are six-sided dice with faces 2, 3, 3, 4, 4, 5. Those dice create a less bell-shaped curve with the same mean of 10.5 but a standard deviation of square root(11/4)**. So INT 10.5 would still be an IQ of 100, and shifting by a stat point changes your game-world IQ by 15/square root(11/4), or about 9 points. Which is pretty darn close to Gary’s rule of thumb after all.

One last note: All adding a bonus or a penalty to a stat does is shift the distribution over by that much. So if you’re looking at a +2 INT race, just add +2 to the mean score and keep the standard deviation the same. So for the below table, you’d just add 2 to every value in the INT column.

INT score   3d6* game-world IQ   3 averaging dice** game-world IQ
    1              52                       14
    2              57                       23
    3              62                       32
    4              67                       41
    5              72                       50
    6              77                       59
    7              82                       68
    8              87                       77
    9              92                       86
   10              97                       95
   10.5           100                      100
   11             103                      105
   12             108                      114
   13             113                      123
   14             118                      132
   15             123                      141
   16             128                      150
   17             133                      159
   18             138                      168
   19             143                      177
   20             148                      186


*Variance of a single d6 is 35/12. Since the 3d6 are independent of one another, the variance of the three of them added is 3* 35/12 or 35/4. Standard deviation is of course square root of variance.

** Variance for a single averaging die is 11/12. Independent, so variance for 3 is 11/4. Standard Deviation is then square root(11/4)

Supermassive black holes and supercomputers

Virtual Reality - Science Daily - 17 October 2018 - 5:08am
The universe's deep past is beyond the reach of even the mighty Hubble Space Telescope. But a new review explains how creation of the first stars and galaxies is nevertheless being mapped in detail, with the aid of computer simulations and theoretical models -- and how a new generation of supercomputers and software is being built that will fill in the gaps.
Business of Gaming Retail: Managing Employees

Retaining employees saves money.
Hook 42: September Accessibility (A11Y) Talks - Love thy Keyboard

Keyboard accessibility is vital, as many assistive devices emulate the keyboard. Using semantic HTML one can achieve an accessible User Interface (UI) with less code than non-semantic markup.

By managing and guiding focus with semantic HTML, developing an accessible UI is rather easy. Semantic HTML plays an important role in not only accessibility but SEO (Search Engine Optimization) as well. Although we are aware of it, it's often overlooked.

In September’s accessibility talk, Sarbbottam Bandyopadhyay shared the trade-offs of using semantic vs non-semantic markup with an everyday example. He also shared how to manage and guide focus. It was a brief presentation emphasizing the various aspects of keyboard accessibility. He concluded with a brief introduction to WAI-ARIA.

Sarbbottam is a frontend engineer with more than 14 years' experience. He currently works at LinkedIn. He is part of LinkedIn's core accessibility team, focusing primarily on web accessibility. He’s been involved with web accessibility since his Yahoo days.


Configuration Normalizer

Configuration Normalizer processes configuration to prepare it for comparison.

Developer usage

This module can be used to wrap any configuration storage, creating a read-only version of the storage for which any data read will be returned in a normalized form.

The most common usage would be to minimize non-meaningful differences when comparing configuration data from different sources.

DrupalCon News: DrupalCon Seattle: Where cutting-edge content, networking & contributing come together.

As you’re performing a cost-benefit analysis about attending DrupalCon Seattle — and the days tick closer to the early-bird registration deadline of October 31 — we have valuable feedback from DrupalCon attendees to share.

agoradesign: Using a cart event subscriber to automatically add order items in Drupal Commerce

This time I'm showing you how you can automatically add another order item after a product has been added to the cart in Drupal Commerce 2.x. The most important info here is how you can get past the pitfall of possible transient data problems.
Webform Mail ID

Enable this module to append the subject to the message ID of mail sent via Webform submissions. This can help you better categorize your mail in Mailgun as the tags will be more specific and not just "webform_submission."

Epic sues YouTubers for using and selling Fortnite cheats

Epic Games has filed a lawsuit against two YouTubers, accusing the pair of copyright infringement and breach of contract for both using and promoting the use of Fortnite cheats. ...

New reservoir computer marks first-ever microelectromechanical neural network application

A group of researchers reports the construction of the first reservoir computing device built with a microelectromechanical system. The neural network exploits the nonlinear dynamics of a microscale silicon beam to perform its calculations. The group's work looks to create devices that can act simultaneously as a sensor and a computer using a fraction of the energy a normal computer would use.
agoradesign: Remove or replace the add to cart message in Drupal Commerce 2.x

Commerce ships with a default success message after adding a product to the shopping cart. This is done via an event subscriber, in order to be easily customizable. However, removing, replacing or extending existing services in Drupal 8 is something not every developer is used to doing. I'll show you how easy this is.
