In our most recent set of security releases, we made some changes in Sugar that address input sanitization issues reported by a 3rd party security researcher. Conveniently, these issues can be addressed with the input validation and CSRF form authentication frameworks added in Sugar 7.7.0.0 and 7.7.1.0. Both of these frameworks offer “soft” failure modes that will log warnings into the sugarcrm.log instead of fatal exceptions.

Input Sanitization Soft Failures

CSRF form authentication is strictly enforced by default. But, up until now, the default for the input validation framework has been to use soft failure mode. Choosing to make soft failure mode the default was a pragmatic decision to maximize compatibility for Sugar customizations while developers updated customizations and integrations. However, these recent reported vulnerabilities make it clear that it is time to take the next step to more strictly enforce input sanitization.

SugarCRM plans to strictly enforce input validation in upcoming releases. We will also remove the soft failure mode options at that time, which will break customizations or integrations that have not adopted CSRF form authentication or that do not pass input validation.

Strict enforcement of Input Validation and CSRF Form Authentication

You should enable strict enforcement of the Input Validation and CSRF Form Authentication checks now for two reasons: (1) to ensure that your Sugar customizations and integrations work properly after upgrading to our winter releases and (2) to create the most secure environment for your current users. The configuration settings in question are the Input Validation ‘validation.soft_fail’ flag and the CSRF ‘csrf.soft_fail_form’ flag.

Sugar Cloud has disabled soft failure modes by default, but for Sugar On-Site you can adjust these settings yourself. Add the following lines to your config_override.php file.

$sugar_config['validation']['soft_fail'] = false;
$sugar_config['csrf']['soft_fail_form'] = false;

Strictly enforced checks

In response to security issues, there are now strictly enforced input validation checks that ignore the validation.soft_fail configuration setting. In particular, we added strict validation to the platform authentication parameter used in our REST API. This can have an impact on platform identifiers using characters that are not part of the POSIX portable filename character set.

Also recall that the disable_unknown_platforms configuration setting restricts which platform identifiers may be used. Custom platforms should be registered using the Platforms extension. This check is planned to be enforced in Sugar On-Demand in the future as well.

What you need to do to prepare customizations

In development instances,

Set the validation.soft_fail setting to false.

Set the disable_unknown_platforms setting to true.

Then run regression tests on your integrations and customizations to verify they still work.

In production instances,

Enable the warn log level in sugarcrm.log to collect and analyze any input validation or platform name violation warnings.
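As an added example (not SugarCRM's own code), here is a small PHP pre-flight script for the strict platform check and the preparation steps above: it takes the platform identifiers your integrations send and flags any that fall outside the POSIX portable filename character set (letters, digits, '.', '_' and '-'), plus any that is not registered, which is what disable_unknown_platforms rejects. The registered-platform list and the sample identifiers are constructed, and the Platforms extension file format named in the comment is an assumption.

```php
<?php
// Added example, not SugarCRM code: audits platform identifiers against the
// two checks described above so violations show up in regression testing
// rather than as warnings or rejected requests in production.

// POSIX portable filename character set: A-Z, a-z, 0-9, '.', '_' and '-'.
function isPortablePlatformName($platform)
{
    return $platform !== '' && preg_match('/^[A-Za-z0-9._-]+$/', $platform) === 1;
}

// Constructed stand-in for platforms registered through the Platforms
// extension (assumed format: custom/Extension/application/Ext/Platforms/<name>.php
// containing $platforms[] = 'my_integration';).
$registeredPlatforms = array('base', 'mobile', 'portal', 'my_integration');

// Constructed sample of platform values observed in integration requests.
$seenPlatforms = array('base', 'my_integration', 'my integration', 'mobile/v2', 'legacy-erp', "\xC3\xBCnicode");

// Returns one problem per offending identifier, keyed by identifier.
function auditPlatforms(array $seen, array $registered, $disableUnknownPlatforms)
{
    $problems = array();
    foreach ($seen as $platform) {
        if (!isPortablePlatformName($platform)) {
            // Rejected by the strict check regardless of validation.soft_fail.
            $problems[$platform] = 'contains characters outside the POSIX portable filename set';
        } elseif ($disableUnknownPlatforms && !in_array($platform, $registered, true)) {
            // Rejected once disable_unknown_platforms is true.
            $problems[$platform] = 'not registered via the Platforms extension';
        }
    }
    return $problems;
}

foreach (auditPlatforms($seenPlatforms, $registeredPlatforms, true) as $platform => $why) {
    printf("platform '%s': %s\n", $platform, $why);
}
```

With the constructed input, 'my integration', 'mobile/v2' and the non-ASCII name are reported for their characters and 'legacy-erp' for not being registered; the rest pass both checks.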

Other Resources

Slides from the UnCon 2016 session on Sugar’s input validation framework are also available in the Sugar Community.

More information about best practices for using the Platform parameter can also be found on a previous post on this blog.


Do you need to set up your Sugar development environment but only have 20 minutes to spare?  With the help of Vagrant, I’ve got you covered. Check out my new video below:


Prefer text-based instructions?  Get them here.

Greg Khanlarov, Director of Mobile Development, is so excited about the launch of the new Sugar Mobile SDK that he is speechless!

If you are coming to SugarCon, make sure you get your hot hands on the new Sugar Mobile SDK first! On Tuesday, you can join Greg for his presentation Sugar Mobile SDK deep dive. Next Wednesday, at the UnCon Tutorials by the Experts, you can meet Greg and other folks from our Mobile development team and learn how to build your first custom Sugar Mobile app.

Read on for more details on the Sugar Mobile SDK!


You may have seen a recent video where a menacing figure was growling about Quotes customizations and a “Professor M.”


Villains hate Professor M.


Who is Professor M? Well me technically. But let me share with you the story.


The SugarCRM team has embraced our theme for SugarCon this year (CRM Heroes) like never before! Check out these great videos from some of SugarCRM’s best and brightest. You will meet all these heroes (and villains) at UnCon!  Register for SugarCon today!

Want to know who is this mysterious Quotes module engineer? You will have to come to find out!

More videos are below!


Here are a couple more UnCon promo videos from SugarCRM’s remarkable technical teams.

First off, we have a video from Nick Rose, an experienced solutions architect and the Director of Solutions Consulting in the Americas. Come to UnCon and check out Nick’s session on Understanding the Sugar Platform.

Next, we have the brilliant and humble Robert Gonzalez, Software Engineering Manager on the Product team. You can bet that his tutorial at UnCon will be truly remarkable!

Stay tuned for more videos from the UnCon team!

Register for SugarCon today!

Are you learning about Sugar for the first time?  Or maybe, it has been a while, and you want to see how the Sugar platform has evolved since the Community Edition days?

Watch the video below to learn why SugarCon and UnCon are the perfect way to get started with building on and integrating with Sugar.

Hey there, Sugar Developers!

I’m SugarCRM’s newest Developer Advocate, and I wanted to take a moment to introduce myself.  My name is Lauren Schaefer. Since getting my bachelor’s and master’s degrees in Computer Science at North Carolina State (go pack!), I’ve been slowly migrating north over the years, and I currently live in Pennsylvania.


Here is an important message from David Wheeler, a long time Software Engineer and Architect at SugarCRM, about using e-mail fields correctly.

E-mail handling is core to CRM software. Almost everyone we know uses multiple e-mail addresses every single day, for both personal and work purposes. So it goes without saying that managing a person’s multiple e-mail addresses correctly is essential in your Sugar customizations and integrations.

History of Sugar E-Mail fields

Several years ago, Sugar changed from using email# named text fields (like email1, email2, etc.) to using an e-mail relationship. This was done to better handle multiple e-mails, multiple relationships, and e-mail attributes like opt in or invalid.

However, use of the email1 field remains particularly persistent. We observe many examples of custom code (and some core code) that still use the old email# fields. This is probably because it is convenient to use the email1 field like a regular text field.

But this is out of date, inaccurate, deprecated, and subject to removal in upcoming Sugar releases.

Below we will describe the proper method for using e-mail fields within Sugar customizations and integrations.


An Advanced Workflow process can only be triggered once per PHP process or HTTP request. This is intended to prevent Sugar Administrators from defining infinitely looping processes. (A real catastrophe!) But what does this mean for PHP customizations?

Assume that you have an Advanced Workflow process enabled for the Contacts module that performs an update on this Contact each time it is saved. If you have an Accounts after_save logic hook that performs an update on each related Contact SugarBean then the process will only run against the first related Contact. Any other related Contact that gets saved during your logic hook execution will not have a process run.

This affects not just logic hooks but any other class of PHP customization such as custom API endpoints or jobs.

Workaround

If you really need to run that process more than once in the same request, here is a workaround:

use Sugarcrm\Sugarcrm\ProcessManager\Registry;
...
Registry\Registry::getInstance()->drop('triggered_starts');

Calling this method will clear the internal Advanced Workflow registry that keeps track of the triggered process starts. After calling this method, the same process can then be triggered again inside the same PHP process or HTTP request.

Careful use of this method can make sure that PHP customizations play nicely with processes defined in Advanced Workflow.
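As an added example (not SugarCRM's own code), here is the Accounts after_save logic hook from the scenario above, rewritten so the Contacts process fires for every related Contact rather than only the first. The link name 'contacts', the use of get_linked_beans(), the dataChanges hook argument and the industry_c field are assumptions for the sake of illustration; the registry drop is the method described in this post.

```php
<?php
// Added example, not SugarCRM code: an Accounts after_save hook that updates
// each related Contact and resets the Advanced Workflow trigger registry
// between saves so a Contacts process can start for each one.
//
// Assumed registration in custom/modules/Accounts/logic_hooks.php:
// $hook_array['after_save'][] = array(1, 'Sync industry to contacts',
//     'custom/modules/Accounts/AccountContactsSyncHook.php',
//     'AccountContactsSyncHook', 'after_save');

use Sugarcrm\Sugarcrm\ProcessManager\Registry;

class AccountContactsSyncHook
{
    public function after_save($bean, $event, $arguments)
    {
        // Only act when the field we propagate actually changed (assumed
        // 'dataChanges' argument and 'industry' field), so a Contacts
        // process that saves its Account again cannot re-enter this loop.
        if (empty($arguments['dataChanges']['industry'])) {
            return;
        }

        // Assumed link name and accessor; returns the related Contact beans.
        $contacts = $bean->get_linked_beans('contacts', 'Contact');

        $first = true;
        foreach ($contacts as $contact) {
            if (!$first) {
                // Clears the record of processes already started in this
                // request. Without this, only the first Contact saved here
                // would trigger the Contacts process. It also forgets any
                // other process started earlier in the request, which is
                // why it is done only when a second save is really needed.
                Registry\Registry::getInstance()->drop('triggered_starts');
            }
            $first = false;

            $contact->industry_c = $bean->industry; // assumed custom field
            $contact->save();
        }
    }
}
```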