Drupal Security Patches

How to manually patch Drupal 7 and 8 with security patches, ahead of the upstream updates.

Contributors: Alex Fornuto, Ari Gold.

Discuss in our Forum Discuss in Slack

When Drupal releases critical security releases, Pantheon takes immediate steps to patch our Drupal upstreams. These updates may not always be accessible for users who:

This doc describes how to manually patch your Drupal core.

 Warning

Use the standard process to update core if the security patch is available to be applied in the Site Dashboard. The advanced method described on this page is intended to be used when a security patch is not yet available as a one-click update in the Site Dashboard, or when handling merge conflicts.

Visit the Drupal Security page for the latest Drupal security announcements and patches.

Apply Patch Using Git

You'll need a local git clone of your site code.

For the steps below, replace $PATCHNUM with the patch number from Drupal and $PATCHPATH with the URL to the patch, or export the variables to your shell session.

  1. Change directory to your site code. For example:

    cd ~/repos/site-name/
  2. Make sure your local copy is up to date:

    git pull origin master
  3. Download and apply the patch:

    curl -O $PATCHPATH
    patch -p1 < $PATCHNUM.patch
  4. Remove the patch file, and stage code changes:

    rm $PATCHNUM.patch
    git add .
  5. Confirm your changes:

    git status
  6. Commit and push your changes back to Pantheon:

    git commit -m "Manually apply Drupal security patch"
    git push origin master

Apply Patch Using Composer

  1. Add patch to your composer.json file:

    {
    "require": {
      "cweagans/composer-patches": "~1.0",
      "drupal/core-recommended": "^8.8",
    },
  2. Add a patches folder to the root of your composer.json file.

  3. Add an extras section inside your composer.json file:

    "extra": {
      "patches-file": "local/path/to/your/composer.patches.json"
    }
  4. Run composer install.

    This removes the core version, including libraries and dependencies, before re-downloading the core (plus libraries and dependencies), and applying the patch.

Apply and Manage Drupal Module Patches with Composer

Read Drupal's documentation to learn more about applying and managing module patches with Composer.

Lock Multidev Environments

As an additional security measures, sites with Multidev environments should consider locking them until they can be patched. If you have Terminus installed on your local computer, you can lock all environments at once with the following Bash script:

#!/bin/bash

#############################################################
# This script will, for a specified Pantheon site, lock all #
# multidev environments for the site.                       #
############################################################

# Asks user for the site name.
read -p 'Site name: ' SITE

# Define a user name and password to lock the site with.
read -p 'Username to unlock the environments (NOT your Pantheon account username): ' USER
read -sp 'Password: ' PASSWORD

echo

ALL_ENVS="$(terminus env:list $SITE --field=id | grep -v live | grep -v dev | grep -v test)"

for ENV in $ALL_ENVS ; do
  is_locked="$(terminus lock:info "$SITE.$ENV" --field=locked)"
  if [[ "$is_locked" == "true" ]] ; then
    echo "# $SITE.$ENV is already locked"
  else
    echo "# Locking $SITE.$ENV"
    terminus lock:enable "$SITE.$ENV" "$USER" "$PASSWORD"
  fi
done

See Also