Drupal 9.0.8 and 8.9.9 Security Update

This week the Drupal security team released Drupal core 9.0.8 and 8.9.9 to address SA-CORE-2020-012 (Drupal core - Critical - Remote code execution). As with any critical security vulnerability, I strongly recommend that you apply this update ASAP! In an ideal world, you should cut a new branch off of your currently deployed tag/branch and apply this update there; additional feature development and releases can happen later.

Anytime there is an update flagged “critical” or “highly critical” on the risk level meter you should basically drop what you’re doing and patch it ASAP. Like right now.

What’s in the Vulnerability?

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.
— https://www.drupal.org/sa-core-2020-012

TL;DR: this means that a file can be named with a PHP extension in the filename and, on some hosting configurations, the webserver might interpret and run it as a PHP file. That’s bad! There’s also a strong warning on the vulnerability report that you should audit previously uploaded files to look for anything out of place or malicious that might have attempted to exploit this vulnerability in the past.
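As an added example (not Drupal’s own code and not taken from the advisory), the Python script below performs the kind of audit the advisory recommends: it flags filenames in an uploads tree whose inner extension is PHP-like (for example shell.php.txt, which some Apache multi-extension setups hand to the PHP handler) and shows a defensive rename that inserts an underscore to neutralise the inner extension. The extension list, the helper names and the sample filenames are my assumptions, not values from the advisory.

```python
"""Audit helper for the filename issue described in SA-CORE-2020-012 (added example)."""
import tempfile
from pathlib import Path

# Assumed list of extensions a misconfigured host might pass to a PHP handler.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def inner_extensions(filename: str) -> list[str]:
    """Return every dotted part except the basename and the final extension."""
    parts = filename.split(".")
    return [p.lower() for p in parts[1:-1]] if len(parts) > 2 else []


def is_suspicious(filename: str) -> bool:
    """True if the final or any inner extension is one a PHP handler might act on."""
    if "." in filename and filename.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXTS:
        return True  # a bare .php file should never sit in the public files directory
    return any(ext in EXECUTABLE_EXTS for ext in inner_extensions(filename))


def neutralize(filename: str) -> str:
    """Defensive rename of inner extensions: 'a.php.txt' -> 'a.php_.txt'.

    A file whose *final* extension is executable is left alone so the audit
    still reports it; it needs removal, not renaming.
    """
    parts = filename.split(".")
    if len(parts) <= 2:
        return filename
    middle = [p + "_" if p.lower() in EXECUTABLE_EXTS else p for p in parts[1:-1]]
    return ".".join([parts[0]] + middle + [parts[-1]])


def audit_directory(root: str) -> list[str]:
    """Walk an uploads tree and return relative paths of suspicious filenames."""
    base = Path(root)
    return sorted(p.relative_to(base).as_posix()
                  for p in base.rglob("*") if p.is_file() and is_suspicious(p.name))


def demo_audit() -> list[str]:
    """Build a throwaway tree of constructed sample filenames and audit it."""
    samples = ("docs/report.final.pdf", "images/shell.php.txt", "images/cat.jpg", "tmp/drop.phtml")
    with tempfile.TemporaryDirectory() as root:
        for rel in samples:  # constructed sample files, not real uploads
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text("constructed sample\n")
        return audit_directory(root)


if __name__ == "__main__":
    for hit in demo_audit():
        print(f"suspicious: {hit} -> suggested name: {neutralize(Path(hit).name)}")
```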

What’s the Update Like?

This update was very painless for me. There was no database update, and it applied cleanly to my Drupal 9.0.7 site with a simple composer update:

composer update drupal/core --all-dependencies
