Install

Works with Drupal: 7.x

Downloads

Download security_review-7.x-1.1.tar.gz (33.1 KB)
MD5: ceced2ec0b60224089ab190f05df6abc
SHA-1: cca7644500169d650a031201dfa903fa007e1d55
SHA-256: 0e3d7ad8ed23ea243bf7a618fa678bb778e1ed8bf961ec53e2f55d450a47edf9
Download security_review-7.x-1.1.zip (38.91 KB)
MD5: 505fa8bb32cb9f5d1a25dbea13075232
SHA-1: fd618a97ad22e9948a991a72c41ce37eeb30b600
SHA-256: ffcb87cf3116e67a01f32fb4010cdadc4494a4ee4417af020da1cd47c4cbc54e

Release notes

Security Review 7.x-1.1 release for Drupal 7 includes minor bug fixes and new and improved security checks to help you maintain a secure Drupal site.

New features

  • Sensitive temporary files not found
  • PHP files in the Drupal files directory cannot be executed
  • Base URL is set in settings.php
  • Views are access controlled

Drush options are improved, including running specific checks, showing results, and printing more check details. Run drush help secrev for more info.

If you're implementing custom Security Review checks via hook_security_checks(), be sure to update your callbacks and help functions for this release. See API.txt for more info.

Upgrading from 7.x-1.0

If you are running Security Review 7.x-1.0, it is recommended that you disable the module prior to replacing it with 7.x-1.1. You do not need to uninstall the module, but because some menu callbacks have changed, disabling the old module and re-enabling it after replacing it with the new one is required (or clearing the cache).

Changelog since 7.x-1.0

  • #1228742 by coltrane: Include line item in Status Report.
  • #1946106 by coltrane: File system check fails on a subdirectory multisite configuration.
  • #2055845 by coltrane: Added List which field and revision dangerous tags were found in.
  • #2071775 by coltrane: Private files in relative directories such as ../private are not a problem.
  • #1955974 by mgifford, coltrane: Improve text of file permissions check
  • Followup #2001092 by coltrane: Add include settings.php as additional way to check for base_url() being set.
  • #2063615 by coltrane: Added Review unsafe tags and update.
  • #2065257 by coltrane: Put menu callbacks and forms in separate inc file.
  • Followup to Issue #1645750 Fixed identify private files as a non-dangerous writable dir.
  • #1207852 by coltrane: Added verbose switch for drush command and optional specific checks.
  • #2063609 by coltrane: Added Make unsafe tag list alterable.
  • #2058969 by coltrane: Followup to checklist running without installing module.
  • #2058969 by coltrane: Allow checklist to be run without installing module.
  • #1907618 by coltrane: Added Check for temporary files like settings.php~.
  • #2051167 by coltrane: Fixed Identify /sites/temp directory as a non-dangerous writable dir.
  • Minor update to README for acquia.com URL
  • Fix date exception and remove left-over comments
  • Followup to Issue #2001092 by coltrane: Tokenize settings.php for base_url discovery
  • Bumping security_review.inc version
  • #1645750 by coltrane, greggles: Fixed identify private files as a non-dangerous writable dir.
  • #1907618 by coltrane | ghazlewood: Added Check for temporary files like settings.php~.
  • #2001092 by coltrane: Added Check for base_url() in settings.php.
  • #1173402 by coltrane | vegantriathlete: Ignore the .git directory as well as CVS and .svn and .bzr and maybe some others.
  • #1388134 by coltrane | mototribe: Added show date of last run.
  • #1462920 by coltrane | greggles: Added check for presence and correctness of the files/.htaccess file.
  • #921972 by coltrane: Allow drupal_alter of ignored files for permission scan
  • #2006438 by coltrane: Added Create PHP file in files directory and attempt to execute.
  • #1831912 by coltrane | mgifford: Fixed PHP Notice on security_review().help.inc.
  • #1882280 by erikwebb: Fixed Fatal error when entity does not provide a label entity key.
  • #1927872 by snufkin: Fixed Documentation on security_review_check_input_formats() is misleading.
  • Web tests for Security Review module
  • #1207832 by coltrane: Update untrusted roles text
  • #1736860 by couturier and coltrane: Spelling Error.
  • #1569666 by greggles: Added uploads report doesn't link to helpful places.
  • #1645752 by greggles: Fixed make files security check more paranoid.
  • #1569426 by greggles: Added Bring that views access check back.
  • Correct hook when run is invoked without the checklist
  • #1361640 by coltrane | snufkin: Fixed Unable to access filefield or views reports.
Created by: coltrane
Created on: 26 Sep 2013 at 17:41 UTC
Last updated: 6 Sep 2014 at 20:53 UTC