9.2. Searching Core and Contrib for Vulnerabilities
Why rob banks? According to Willie Sutton, the answer is "Because that's where the money is." So, as you crack Drupal, you should begin with the location that likely has the most weaknesses: contributed modules. Certainly there are weaknesses in Drupal core, but Drupal's richest concentration of weaknesses will almost always lie in any contributed modules and themes or custom work done for a site.
How much more likely is there to be a weakness in contributed modules or custom code? Well, if you look at the one case mentioned at the beginning of Chapter 6, you are about 100 times more likely to find a weakness in contrib and custom themes than in core. Looking at all of the issues that have been publicly announced on drupal.org, there are more than twice as many issues in contributed modules as in core. While there is a wide spread between twice as many and 100 times as many, the underlying message is clear: Contributed modules and custom code are a target-rich environment.
9.2.1. Using Grep to Search for Common Mistakes
The first technique is to use command-line tools to search for patterns of text that will identify commonly made mistakes. For this specific example, you'll use the Concurrent Version System (CVS) client tool to get a local copy of all the files for Drupal's contributed modules. Then you'll use the grep command to search for patterns inside the code. There are many other tools for searching text files, but
Get Cracking Drupal®: A Drop in the Bucket now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
