Archives For Sugar 7

In our most recent set of security releases, we made some changes in Sugar that address input sanitization issues reported by a third-party security researcher. Conveniently, these issues can be addressed with the input validation and CSRF form authentication frameworks added in Sugar 7.7.0.0 and 7.7.1.0. Both of these frameworks offer “soft” failure modes that log warnings into the sugarcrm.log instead of throwing fatal exceptions.

Input Sanitization Soft Failures

CSRF form authentication is strictly enforced by default. But, up until now, the default for the input validation framework has been to use soft failure mode. Choosing to make soft failure mode the default was a pragmatic decision to maximize compatibility for Sugar customizations while developers updated customizations and integrations. However, these recent reported vulnerabilities make it clear that it is time to take the next step to more strictly enforce input sanitization.

SugarCRM plans to strictly enforce input validation in upcoming releases. We will also remove the soft failure mode options at that time, which will break customizations or integrations that have not adopted CSRF form authentication or that do not pass input validation.

Strict enforcement of Input Validation and CSRF Form Authentication

You should enable strict enforcement of the Input Validation and CSRF Form Authentication checks now for two reasons: (1) to ensure that your Sugar customizations and integrations work properly after upgrading to our winter releases and (2) to create the most secure environment for your current users. The configuration settings in question are the Input Validation 'validation.soft_fail' flag and the CSRF 'csrf.soft_fail_form' flag.

Sugar Cloud has disabled soft failure modes by default, but for Sugar On-Site you can adjust these settings yourself. Add the following lines to your config_override.php file.

$sugar_config['validation']['soft_fail'] = false;
$sugar_config['csrf']['soft_fail_form'] = false;

Strictly enforced checks

In response to security issues, there are now strictly enforced input validation checks that ignore the validation.soft_fail configuration setting. In particular, we added strict validation to the platform authentication parameter used in our REST API. This can have an impact on platform identifiers using characters that are not part of the POSIX portable filename character set.

Also recall that the disable_unknown_platforms configuration setting affects the use of platforms. Custom platforms should be registered using the Platforms extension. This check is planned to be enforced in Sugar On-Demand in the future as well.
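As an added example (not SugarCRM's own code), here is a pre-flight check an integration could run over its own REST request URLs to see which platform identifiers would be rejected once strict validation applies. It assumes the strict check accepts exactly the POSIX portable filename character set (letters, digits, period, underscore, hyphen); the sample URLs are constructed.

```php
<?php
// Added example, not SugarCRM code. Assumption: the strict platform check
// accepts exactly the POSIX portable filename character set.
function isPortablePlatformId(string $platform): bool
{
    return preg_match('/^[A-Za-z0-9._-]+$/', $platform) === 1;
}

// Extract the platform parameter from a REST request URL and check it.
// Returns null when the request carries no platform parameter at all.
function checkRequestPlatform(string $url): ?bool
{
    $query = parse_url($url, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return null;
    }
    parse_str($query, $params);
    if (!isset($params['platform']) || !is_string($params['platform'])) {
        return null;
    }
    return isPortablePlatformId($params['platform']);
}

// Constructed sample requests of the kind a log review might turn up.
$requests = [
    'https://crm.example.com/rest/v10/Accounts?platform=base',
    'https://crm.example.com/rest/v10/Accounts?platform=acme_erp-sync',
    'https://crm.example.com/rest/v10/Accounts?platform=acme%20erp', // space
    'https://crm.example.com/rest/v10/Accounts?platform=erp%2Fv2',   // slash
    'https://crm.example.com/rest/v10/Accounts?platform=%C3%BCber',  // non-ASCII
    'https://crm.example.com/rest/v10/Accounts',                      // no platform
];

foreach ($requests as $url) {
    $result = checkRequestPlatform($url);
    if ($result === null) {
        $verdict = 'no platform parameter';
    } elseif ($result) {
        $verdict = 'passes strict validation';
    } else {
        $verdict = 'REJECTED under strict validation';
    }
    printf("%-68s %s\n", $url, $verdict);
}
```

Running it over a list of URLs pulled from an integration's own request log gives a quick inventory of identifiers that need renaming before the soft-fail option is removed.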

What you need to do to prepare customizations

In development instances,

Set validation.soft_fail setting to false.

Set disable_unknown_platforms setting to true.

Then run regression tests on your integrations and customizations to verify they still work.

In production instances,

Enable warn log level to collect and analyze any input validation or platform name violation warnings.

Other Resources

Slides from the UnCon 2016 session on Sugar’s input validation framework are also available in the Sugar Community.

More information about best practices for using the Platform parameter can also be found on a previous post on this blog.


Do you need to set up your Sugar development environment but only have 20 minutes to spare?  With the help of Vagrant, I’ve got you covered. Check out my new video below:


Prefer text-based instructions?  Get them here.

You may have seen a recent video where a menacing figure was growling about Quotes customizations and a “Professor M.”


Villains hate Professor M.


Who is Professor M? Well, me, technically. But let me share the story with you.


The SugarCRM team has embraced our theme for SugarCon this year (CRM Heroes) like never before! Check out these great videos from some of SugarCRM’s best and brightest. You will meet all these heroes (and villains) at UnCon!  Register for SugarCon today!

Want to know who this mysterious Quotes module engineer is? You will have to come to find out!

More videos are below!


Here are a couple more UnCon promo videos from SugarCRM’s remarkable technical teams.

First off, we have a video from Nick Rose, an experienced solutions architect and also the Director of Solutions Consulting in the Americas. Come to UnCon and check out Nick’s session on Understanding the Sugar Platform.

Next, we have the brilliant and humble Robert Gonzalez, Software Engineering Manager on the Product team. You can bet that his tutorial at UnCon will be truly remarkable!

Stay tuned for more videos from the UnCon team!

Register for SugarCon today!

Are you learning about Sugar for the first time? Or maybe it has been a while and you want to see how the Sugar platform has evolved since the Community Edition days?

Watch the video below to learn why SugarCon and UnCon are the perfect way to get started with building on and integrating with Sugar.

Hey there, Sugar Developers!

I’m SugarCRM’s newest Developer Advocate, and I wanted to take a moment to introduce myself.  My name is Lauren Schaefer. Since getting my bachelor’s and master’s degrees in Computer Science at North Carolina State (go pack!), I’ve been slowly migrating north over the years, and I currently live in Pennsylvania.
