This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Drupal-SA-CORE-2018-004 security update

    This document is archived but may contain useful information for troubleshooting future updates. For updated update steps, visit How to upgrade YMCA Website Services.


    To update your OpenY site with security fix from Drupal core https://www.drupal.org/SA-CORE-2018-004 OpenY team is suggesting 2 options- via patch and via Drupal core upgrade(or OpenY upgrade). Drupal core upgrade or OpenY upgrade is not always possible, but security issue should be fixed asap. So consider to apply patch and plan OpenY upgrade later.

    How to apply the patch

    Patching OpenY releases 8.0.1 - 8.1.10 (Drupal cores 8.2.x, 8.3.x, 8.4.x)

    For patching your OpenY release, follow steps below:

    • Login to your production server environment via SSH and find docroot folder of your site codebase. If you installed OpenY by following a tutorial - you should: if your site is located in /var/www/html
    ssh -l root YOUR_SERVER_DOMAIN_NAME
    cd /var/www/html
    
    wget https://raw.githubusercontent.com/YCloudYUSA/yusaopeny-project/8.1.x/scripts/patches/SA-CORE-2018-004.patch
    

    if your site is located in /var/www/openy

    ssh -l root YOUR_SERVER_DOMAIN_NAME
    cd /var/www/openy
    
    wget https://raw.githubusercontent.com/YCloudYUSA/yusaopeny-project/8.1.x/scripts/patches/SA-CORE-2018-004.patch
    

    Now you are ready to patch your site. But before patching - make a backup of the file which is about to be patched

    sudo cp docroot/core/lib/Drupal/Core/Security/RequestSanitizer.php /var/backups/RequestSanitizer.php
    sudo cp docroot/core/modules/file/src/Element/ManagedFile.php /var/backups/ManagedFile.php
    

    To patch your site run the command to test if the patch can be applied:

    patch -p1 --dry-run < SA-CORE-2018-004.patch
    

    You should see a result

    # patch -p1 --dry-run < SA-CORE-2018-004.patch
    checking file core/lib/Drupal/Core/Security/RequestSanitizer.php
    checking file core/modules/file/src/Element/ManagedFile.php
    

    In case if result different - stop on this step and let us know you have issue. In case if all good proceed with a command below, which will patch your site:

    patch -p1 < SA-CORE-2018-004.patch
    

    You should see the same output as previously, but now your site is patched.

    TIP: In case if you are using git repository for your site run

    git add docroot/core/modules/file/src/Element/ManagedFile.php docroot/core/lib/Drupal/Core/Security && git commit -m "Patching OpenY core" && git push
    

    to store your patched core into your own repository.

    ==========================

    How to patch your Digitalocean OpenY install

    In case if you have followed tutorial you should have your OPenY installed on you DigitalOcean server(droplet) in a predictable for current document folder. That’s why we prepared a short how to patch your OpenY site in a most simple way if you are not a Tech Guru, but just a user

    1. Log in as an admin user to your site admin UI by visiting /user/login URI page.
    2. Login to your DigitalOcean cloud console at digitalocean.com and find Access Console in the dropdown for the droplet you are using for the OpenY image
    3. You should see a popup window with a black screen where console asks you for the login. Use root user and a password generated for you upon droplet creation.
    4. After login to a console run the command below, respectively to the version of your Drupal core.

    One line script to patch Drupal core for OpenY

    Type manually exact line

    bash < <(curl -s https://raw.githubusercontent.com/YCloudYUSA/yusaopeny-project/8.1.x/scripts/patches/runSA-CORE-2018-004.sh)
    

    and hit Enter. You should see OpenY was patched message.