RTBC/Fixed
- #2535944: patch Details for file permissions security review report
- #2797371: false positive when restrict access is explicitly false
- #3079918: File permission test returns false positives when symbolic links are involved
- #3028264: Unnecessary check for is_dir('..')
- #3331646: Fix test cases
- #3329679: Add support for configurable asset paths and stream wrapper added in Drupal core 10.1
- #2592609: Recommend to drupal 8 to move /vendor/ outside of the webroot
- #1244238: Check that cron has been run recently - in the last 72 hours
- #2914467: Notice: Security Review now integrated in DRD
- #2581071: Remove checking base_url in TrustedHosts check
- #2678112: Make fields check more useful with risky content (allowlist of content?)
- #1244226: Check that uid 1 account is blocked
- #2476973: Document ability to ignore writable paths for the filesystem check
- #830970: test password strength by comparing the password to the username
- #3221065: Field check out of memory
- #3008957: Refactor trusted hosts check
- #3224996: Only check default view access if it is used
Issues to fix/resolve:
None!
Nice to get to
Comments
Comment #2
banviktor (banviktor at CARD.com) commented
Comment #3
greggles commented:
Hi Viktor! Any thoughts on #2852943: [meta] Create 8.x-1.0 as an interim step?
Comment #4
banviktor (banviktor at CARD.com) commented
Comment #5
banviktor (banviktor at CARD.com) commented
Comment #6
banviktor (banviktor at CARD.com) commented
Comment #7
hugovk (hugovk at Digia) commented:
Would be great to get a release out at some point to remove:
drupal/security_review:dev-1.x: Dev releases are not covered by Drupal security advisories.
Is there anything major preventing a beta, RC or stable release? Is there a release schedule?
Thank you!
Comment #8
dsnopek commented:
It would be sooo sweet to transition to using plugins for the security checks before a 1.0:
#2623148: Make security checks into plugins
This was something I had wanted to work on, but priorities changed and I wasn't able to, and certainly if the other maintainers want to release we shouldn't block on that.
Comment #9
smustgrave (smustgrave at Mobomo) commented:
based on https://www.drupal.org/project/security_review/issues/2852943#comment-14... this should be renamed
Comment #10
smustgrave (smustgrave at Mobomo) commented:
more IS to come later
Comment #11
smustgrave (smustgrave at Mobomo) commented
Comment #12
smustgrave (smustgrave at Mobomo) commented:
so since the 8.x branch was 8.x-1.x I couldn't use 1.0.x and instead 2.0.x
But doing a 2.0.0 release now. Once more of these land can immediately do the next release.
Comment #13
smustgrave (smustgrave at Mobomo) commented
Comment #14
smustgrave (smustgrave at Mobomo) commented
Comment #15
smustgrave (smustgrave at Mobomo) commented
Comment #16
smustgrave (smustgrave at Mobomo) commented
Comment #17
smustgrave (smustgrave at Mobomo) commented:
Much needed update
Comment #18
smustgrave (smustgrave at Mobomo) commented
Comment #19
smustgrave (smustgrave at Mobomo) commented
Comment #20
smustgrave (smustgrave at Mobomo) commented
Comment #21
smustgrave (smustgrave at Mobomo) commented
Comment #22
smustgrave (smustgrave at Mobomo) commented
Comment #23
smustgrave (smustgrave at Mobomo) commented
Comment #24
smustgrave (smustgrave at Mobomo) commented:
One last round of testing and we are good.
Comment #26
smustgrave (smustgrave at Mobomo) commented:
Just did a release!