10 Ways Drupal 8 Will Be More Secure

September 22, 2015

Drupalcon Barcelona

Peter Wolanin

Acquia Engineering & Drupal Security Team

pwolanin

Photo by amazeelabs, by-nc-sa

#1) Twig as template engine

Twig as template engine

  • New theme template system instead of phptemplate
  • http://twig.sensiolabs.org/
  • "modern", OO-based approach

Twig: keep the themers away from PHP

  • Templates allow looping and recursion
  • No access to Drupal api or SQL

Twig: escaping by default

The Drupal 8 escaping model is inverted compared to Drupal 7: text output in a template is escaped by default, unless it was previously escaped or explicitly marked safe.

Text that has been escaped is encapsulated in a SafeString object. Beware legacy theme_ functions
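The following is an added example, not code from the slides or from Drupal core. It uses the Twig library directly (installed with Composer, which is an assumption) to show the three cases the slide describes: a plain string is escaped on output, a Markup object (Twig's equivalent of the SafeString object) is trusted and printed as-is, and a legacy theme_ style function that returns raw HTML is only safe to mark as such when it has escaped its own inputs.

```php
<?php
// Added example (not from the slides): Twig's escape-by-default model.
// Assumes twig/twig is installed via Composer (composer require twig/twig).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Markup;

// Constructed template: a trimmed version of the block template on the slide.
$loader = new ArrayLoader([
    'block' => "<h2>{{ label }}</h2>\n<div class=\"content\">{{ content }}</div>\n",
]);
// 'autoescape' => 'html' is Twig's default; it is stated explicitly for clarity.
$twig = new Environment($loader, ['autoescape' => 'html']);

// Constructed untrusted input, e.g. a block label typed by a content editor.
$untrusted = '<script>alert(1)</script>';

// 1) A plain string is escaped on output: the tags are neutralised.
echo $twig->render('block', ['label' => $untrusted, 'content' => 'hi']);

// 2) A Markup object plays the role of Drupal 8's SafeString: Twig trusts it
//    and prints it verbatim. Only wrap content that was already sanitised
//    (for example by an input filter), never raw user input.
$safe = new Markup('<em>already filtered</em>', 'UTF-8');
echo $twig->render('block', ['label' => 'Title', 'content' => $safe]);

// 3) The legacy trap: a theme_ style function that returns a plain PHP string
//    is not marked safe, so Twig escapes its tags and the markup shows up as
//    text. Wrapping its return value in Markup fixes that, but is only correct
//    because the function escapes the data it interpolates.
function theme_legacy_badge(string $text): string {
    return '<span class="badge">' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</span>';
}
echo $twig->render('block', ['label' => 'Title', 'content' => theme_legacy_badge('new')]);
echo $twig->render('block', [
    'label'   => 'Title',
    'content' => new Markup(theme_legacy_badge('<b>new</b>'), 'UTF-8'),
]);
```

Run it from the command line and compare the four rendered blocks: the first and third show angle brackets encoded as `&lt;` and `&gt;`, the second and fourth emit the markup unchanged.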

PHP vs Twig


<div id="<?php print $block_html_id; ?>" class="<?php print $classes; ?>"<?php print $attributes; ?>>
  <?php print render($title_prefix); ?>
  <?php if ($block->subject): ?>
    <h2<?php print $title_attributes; ?>><?php print $block->subject ?></h2>
  <?php endif; ?>
  <?php print render($title_suffix); ?>

  <div class="content"<?php print $content_attributes; ?>>
    <?php print $content ?>
  </div>
</div>

PHP vs Twig


<div{{ attributes }}>
  {{ title_prefix }}
  {% if label %}
    <h2{{ title_attributes }}>{{ label }}</h2>
  {% endif %}
  {{ title_suffix }}
  {% block content %}
    {{ content }}
  {% endblock %}
</div>

#2) Removed PHP text filter and the use of PHP as a configuration import format

PHP module removed from core

  • Encourages proper code management
  • Removes risk of exposure to anonymous (yes I've seen it in the wild)
  • Reduces the impact of admin accounts being compromised

PHP not used as an import format

  • See upcoming point #3
  • Configuration import can be allowed without allowing code execution

#3) Site configuration exportable, manageable as code, and versionable

Configuration Management Initiative (CMI)

  • Drush integration, as well as UI tools to compare current to expected
  • Configuration can be locked in production and deployed from QA (needs some small contrib code)
  • Much easier to track an auditable history of configuration changes

#4) User content entry and filtering improved

WYSIWYG in core


Local image input filter in core

The local image input filter was originally written to allow images on drupal.org

Ported to Drupal 8 for everyone

#5) Hardened user session and session ID handling

Session Handling Security

Session IDs hashed when stored. Storing only the hashed value prevents session hijacking if the session storage (e.g. database backup) is exposed.
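An added example, not Drupal's own session code, of why hashing the stored session ID helps. Drupal 8 derives the stored key with Crypt::hashBase64() (SHA-256, URL-safe base64); the stand-alone function below models that. The in-memory session table and the user ID are constructed.

```php
<?php
// Added example (not Drupal's own code): store only a hash of the session ID
// so that a leaked session table cannot be turned into valid cookies.

// Models Drupal's Crypt::hashBase64(): SHA-256, base64, URL-safe, no padding.
function hash_session_id(string $sid): string {
    $hash = base64_encode(hash('sha256', $sid, true));
    return str_replace(['+', '/', '='], ['-', '_', ''], $hash);
}

// Constructed in-memory stand-in for the sessions table, keyed by hashed ID.
$sessions = [];

function session_create(array &$sessions, int $uid): string {
    // The raw ID is sent only to the browser, in the cookie.
    $sid = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
    $sessions[hash_session_id($sid)] = ['uid' => $uid, 'timestamp' => time()];
    return $sid;
}

function session_lookup(array $sessions, string $sid_from_cookie): ?array {
    // The cookie value is hashed before lookup, so the store never holds the
    // value a browser would actually present.
    return $sessions[hash_session_id($sid_from_cookie)] ?? null;
}

$cookie = session_create($sessions, 42);
var_dump(session_lookup($sessions, $cookie)['uid']);   // int(42): the real cookie works

// Someone holding a database backup sees only the hashed keys; presenting
// one of those as a cookie does not resolve to a session.
$leaked_key = array_key_first($sessions);
var_dump(session_lookup($sessions, $leaked_key));      // NULL: the stored hash cannot be replayed
```

The same property is what makes a backup, a replication slave or a debug dump of the sessions table far less valuable: SHA-256 over a 256-bit random ID is not reversible, so the only way to obtain a usable cookie value is still to take it from the client side.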

Extra bonus: the "www." prefix is no longer stripped from the session cookie name

Remove mixed SSL support from core

Support for sessions that work across both SSL and non-SSL pages (as in the Secure Pages module) has been removed. This encourages full SSL.

Will have to replace the session handling service if you really need this.

#6) Automated CSRF token protection in route definitions

CSRF token management in the routing system

Routes can specify token protection for GET requests, instead of requiring hand coded protection using API functions.


entity.shortcut.link_delete_inline:
  path: '/admin/config/user-interface/shortcut/link/{shortcut}/delete-inline'
  defaults:
    _controller: 'Drupal\shortcut\Controller\ShortcutController::deleteShortcutLinkInline'
  requirements:
    _entity_access: 'shortcut.delete'
    _csrf_token: 'TRUE'
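An added, stand-alone model (not Drupal's own code) of the check that a `_csrf_token: 'TRUE'` requirement triggers. Drupal 8's CsrfTokenGenerator computes an HMAC over a route-specific value, keyed with a per-session seed together with the site's private key and hash salt; the constant names, the in-memory "session" and the simplified key derivation below are assumptions made for the example.

```php
<?php
// Added example, not Drupal's own code: how a route-bound CSRF token is
// generated and validated. Keying and storage are simplified.

const SITE_PRIVATE_KEY = 'constructed-private-key-not-a-real-secret';

function csrf_token(array $session, string $value): string {
    // Token = HMAC(route value) keyed by a per-session seed + site secret.
    $key = $session['csrf_seed'] . SITE_PRIVATE_KEY;
    return rtrim(strtr(base64_encode(hash_hmac('sha256', $value, $key, true)), '+/', '-_'), '=');
}

function csrf_validate(array $session, string $token, string $value): bool {
    // Constant-time comparison; a plain == would leak timing information.
    return hash_equals(csrf_token($session, $value), $token);
}

// The route path from the slide is the value the token is bound to.
$route_path = '/admin/config/user-interface/shortcut/link/{shortcut}/delete-inline';

// Constructed session for the logged-in user; the seed is created at login.
$session = ['csrf_seed' => bin2hex(random_bytes(16))];

// 1) A link the site generated for this user carries ?token=<this value>.
$token = csrf_token($session, $route_path);
var_dump(csrf_validate($session, $token, $route_path));      // bool(true)

// 2) A GET triggered from a third-party page has no way to know the token.
var_dump(csrf_validate($session, 'not-the-token', $route_path)); // bool(false)

// 3) A token minted in a different session (different seed) does not validate.
$other = ['csrf_seed' => bin2hex(random_bytes(16))];
var_dump(csrf_validate($session, csrf_token($other, $route_path), $route_path)); // bool(false)

// 4) A valid token for one route does not unlock a different route.
var_dump(csrf_validate($session, $token, '/user/logout'));   // bool(false)
```

The point of declaring this in the route definition rather than calling token functions by hand is that the access check runs before the controller, so a module author cannot forget it for a destructive GET route once the requirement is present.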

#7) Trusted host patterns enforced for requests

Trusted hosts listed in settings.php

Easier way to block unexpected host names from reaching Drupal (phishing, cache poisoning, etc.)

Site status report will warn you if this is not set up
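The block below is an added example, not from the slides. The first part is the real `$settings['trusted_host_patterns']` setting that Drupal 8 reads from settings.php (the host names are constructed). The second part is a stand-alone model of the check, which Drupal delegates to Symfony's Request::setTrustedHosts(): each pattern is a regular expression matched case-insensitively against the Host header with the port removed.

```php
<?php
// Added example, not from the slides. Part 1: the settings.php entry.
// Part 2: a model of the check Drupal hands to Symfony's Request class.

// --- Part 1: settings.php ------------------------------------------------
// Each entry is a regular expression without delimiters (Drupal adds them).
// Anchor every pattern; an unanchored one matches attacker-chosen suffixes.
$settings['trusted_host_patterns'] = [
  '^www\.example\.com$',
  '^example\.com$',
  '^staging\.example\.com$',
];

// --- Part 2: model of the check ------------------------------------------
function host_is_trusted(string $host, array $patterns): bool {
    // Drop a port and lower-case, as the real check does.
    $host = strtolower(preg_replace('/:\d+$/', '', trim($host)));
    foreach ($patterns as $pattern) {
        if (preg_match('{' . $pattern . '}i', $host)) {
            return true;
        }
    }
    return false;
}

// Constructed Host headers as they might arrive at one server.
$cases = [
    'www.example.com'           => true,
    'WWW.EXAMPLE.COM:8080'      => true,
    'www.example.com.evil.test' => false, // would pass an unanchored 'www\.example\.com'
    'evil.test'                 => false, // spoofed host used for phishing links or cache poisoning
];
foreach ($cases as $host => $expected) {
    $ok = host_is_trusted($host, $settings['trusted_host_patterns']);
    printf("%-28s %s\n", $host, $ok ? 'served' : 'rejected (400 Bad Request)');
    assert($ok === $expected);
}
```

A request whose Host header matches no pattern is answered with a 400 before any page is rendered, so URLs built from the request host (password-reset links, canonical links, cached pages) can no longer be poisoned by a client-supplied value.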

#8) PDO MySQL limited to executing single statements

Limit PDO MySQL if PHP supports it

Requires PHP 5.5.21+ or 5.6.5+ for PDO MySQL change.

There is also a patch in progress to try to enforce this protection regardless of which specific database driver is being used
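An added example, not Drupal's own database driver code, showing the PDO option Drupal 8 sets for MySQL and what it prevents. `PDO::MYSQL_ATTR_MULTI_STATEMENTS` is the real constant, available from the PHP versions named on the slide; Drupal only adds it when PHP defines it. The DSN and credentials are constructed placeholders, and the second half needs a reachable MySQL server.

```php
<?php
// Added example, not Drupal's own code: disable stacked queries in PDO MySQL.
// DSN and credentials are placeholders; a MySQL server is required to run it.

$dsn  = 'mysql:host=127.0.0.1;dbname=drupal;charset=utf8mb4';
$user = 'drupal';
$pass = 'replace-me';

$options = [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    // Use server-side prepared statements rather than client-side interpolation.
    PDO::ATTR_EMULATE_PREPARES => false,
];

// Drupal 8 adds this only when PHP defines it (5.5.21+ / 5.6.5+). On older
// PHP the option does not exist and stacked queries stay enabled, which is
// why the slide gives a minimum version.
if (defined('PDO::MYSQL_ATTR_MULTI_STATEMENTS')) {
    $options[PDO::MYSQL_ATTR_MULTI_STATEMENTS] = false;
} else {
    fwrite(STDERR, "warning: PHP too old to disable multi-statements\n");
}

$pdo = new PDO($dsn, $user, $pass, $options);

// Two statements in one string is what an injection into a non-parameterised
// query would rely on. With multi-statements off the server rejects the
// whole string with a syntax error instead of executing the second statement.
try {
    $pdo->exec('SELECT 1; SELECT 2');
    echo "stacked statements executed: multi-statements are NOT disabled\n";
} catch (PDOException $e) {
    echo "stacked statements rejected: " . $e->getMessage() . "\n";
}
```

This is a defence-in-depth setting: parameterised queries remain the primary control, but removing stacked-statement support limits what a single injectable query in contributed code can be turned into.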

#9) Clickjacking protection enabled by default

Drupal 8 sends the X-Frame-Options: SAMEORIGIN header in all responses by default. (A small change, but one people notice)

#10) Core JavaScript API Compatible with CSP

Inline JS removed from #attached

Adding inline JS is no longer a supported part of the render system

Converted drupalSettings from JavaScript to JSON, to allow for CSP in the future
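An added example, not Drupal's own rendering code, contrasting the Drupal 7 inline-script pattern with the Drupal 8 JSON element (`<script type="application/json" data-drupal-selector="drupal-settings-json">`) that core's JavaScript reads, together with a Content-Security-Policy header that the JSON form makes possible. The settings values are constructed; the assumption that the encoding flags match those of Drupal's Json::encode() is stated in the code.

```php
<?php
// Added example, not Drupal's own code: why JSON settings are CSP-friendly
// and how the encoder keeps data from breaking out of the script element.

// Constructed settings; the title is chosen to exercise script-context escaping.
$settings = [
  'path'      => ['baseUrl' => '/', 'currentPath' => 'node/1'],
  'pageTitle' => 'Hello </script><script>alert(1)</script>',
];

// Drupal 7 style: executable inline JS. Any CSP without 'unsafe-inline'
// blocks it, and '<' / '>' in the data reach the page unchanged with
// PHP's default json_encode() flags.
function d7_inline_script(array $settings): string {
    return '<script>jQuery.extend(Drupal.settings, ' . json_encode($settings) . ');</script>';
}

// Drupal 8 style: a non-executable JSON element that core's JS parses.
// The flags are assumed to match Drupal's Json::encode(); they turn <, >,
// &, ' and " into \uXXXX escapes so no value can close the element.
function d8_settings_json(array $settings): string {
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT;
    return '<script type="application/json" data-drupal-selector="drupal-settings-json">'
        . json_encode($settings, $flags) . '</script>';
}

// A policy that allows only same-origin script files. The JSON element is
// data, not code, so it needs no exception; inline JS would.
function csp_header(): string {
    return "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'";
}

echo d7_inline_script($settings), "\n\n";
echo d8_settings_json($settings), "\n\n";
echo csp_header(), "\n";

// The D8 output contains no literal '<' after the opening tag; check it.
$body = substr(d8_settings_json($settings), strlen('<script type="application/json" data-drupal-selector="drupal-settings-json">'));
assert(strpos($body, '<') === strpos($body, '</script>'));
```

Because the settings element is never executed, a site can ship `script-src 'self'` (or a nonce- or hash-based policy) without having to whitelist the page-specific inline blob that Drupal 7 required on every page.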

Thanks! Questions?

  • Contact me: https://www.drupal.org/user/49851/contact