city-of-turku / kada Goto Github PK

Github notified us of an insecure version being used in the Omega theme. This doesn't impact site security, since the library is only used on developer workstations while building the theme, and I'm not sure if it's even actually used since it's not under the subtheme but under the inherited template theme.

1 ) Currently, domain- and language-specific site names are set to be overridden by the name of the domain. This has been done by exporting the variable domain_sitename_override=true to the Domains feature.

This means we can't have translatable site names like "City of Kada" <--> "Kadan kaupunki" because the site name and thus part of the page title is overridden to the name of the domain, "Kada.fi".

There doesn't seem to be a reason to enforce this setting across the whole platform; multilingual domain site names seem to be working just fine without the override setting enabled.

Thus, the domain_sitename_override variable should be removed from the Domains feature so changing the setting on KADA installations will not leave the feature unnecessarily overridden, as that would require a separate feature override to be generated for it for every separate installation.

2 ) Elsewhere in the code, hooks are used to override various titles, e.g. titles in http://www.turku.fi/term/77/rss.xml, and these hooks hardcode installation-dependent strings. See e.g. kada_export_feature_views_pre_render() in kada_export_feature.module.

Instead of replacing the hardcoded "Turku.fi" with a hardcoded dummy domain, we should use the multilingual domain variable site_name to construct titles.

Thus, to avoid having to override the same things at every installation, we need to refactor to remove hardcoding as in 2), which can be only be done after removing the override variable as detailed in 1).

But, is there something that's being overlooked here? Custom domain-handling code should be using domain machine names and never need to touch domain variables anyway, so things should be safe on that front.

Disable user self registration by default in a feature.

See https://github.com/City-of-Turku/kada/blob/master/code/themes/custom/driveturku/templates/html.tpl.php#L63

Remove the SMTP module from the general configuration feature, it's a per-installation detail that should be in every site's own configuration if necessary.

When I run build.
$ ./build.sh new

Build fails to the next line. I haw my virtual machine where I haw installed other Drupal sites. But is there soma other dependence that I need?

Unable to download openlayers from https://github.com/openlayers/openlayers/releases/download/release-2.13.1/OpenLayers-2.13.1.zip. [error]
** BUILD ERROR: 'Make failed - check your makefile'

The project is licensed under the same license as Drupal itself, namely GNU General Public License 2 or later.

KADA Drupal distribution. Copyright © 2017 City of Turku, http://www.turku.fi/, [email protected]

Can you clarify this double licensing? What parts are actually (c) if everything is GPL, too?

Something I only just noticed downstream: The installation profile is still using some tkufi-prefixed names for features that have already been renamed using the kada prefix.

You are currently sharing checksum salt of Radioactivity module here:

https://github.com/DigiTurku/kada/blob/master/code/modules/features/tkufi_configuration_feature/tkufi_configuration_feature.strongarm.inc#L3193

The same checksum salt is used at https://www.turku.fi making it easy to bypass data authenticity verification used in emit.php of Radioactivity module. By using the salt in the previous link one could try to distort the results produced by the algorithms in Radioactivity module.

In addition to that it may be possible to get access to system files since an attacker could easily make a request to emit.php by using customized parameters. One of the parameters used in emit.php is storage which is directly used in require_once, and since there is no data authenticity verification, an attacker could try file inclusion attack for reading files outside of Radioactivity module by using NUL byte attack, file traversal attack etc.

You should not share salts or any security credentials for public. Especially if the same security credentials are used at https://www.turku.fi.

A local patch has been added to change php-proauth download url from Github. The patch should be removed if the original location comes back online. I'm having suspicion that the takedown is related to recent OAuth module security issue.

Referenced commit: 948f82d

Documentation mentions Vagrant but there is no Vagrantfile but there is docker-compose.yml file without any mention in the documentation?

How should one setup local developing environment?

”There are Views that do not provide any access checks.”

or succeeds but gives Fatal error (all features checked):

Fatal error: Class name must be a valid object or a string in /vagrant/current/sites/all/modules/contrib/feeds/plugins/FeedsPlugin.inc on line 59

Installation was done in the UI: http://local.kada.fi/install.php?profile=kadaprofile

Most of the times, installation failed.