
Sugar Fall '17 (7.10) is now available!

You've heard all about this, but I'll recap. SugarCRM's fall 2017 release is a Sugar On-Demand only release. This is the first release that follows our new Sugar release process. Our on-premise customers will get a roll-up spring release that includes features from this fall release and the subsequent winter release. So all of our customers will enjoy the same advanced features, just not all at once.

Here are some of the great developer resources available for the Sugar Fall '17 release (also known as Sugar 7.10).

Last, but not least, we will be providing developer downloads of On-Demand releases such as 7.10 that can be used by Sugar developers for code development and test purposes.

On-Demand Developer Builds

Sugar Developers have long relied on local development environments to prepare their Sugar customizations and integrations regardless of whether a particular customer was running in Sugar On-Demand or On-Site. Use of modern IDEs and debuggers as well as file system access all require running Sugar code outside of the On-Demand environment.

As we plan to evolve our On-Demand environment to support more development use cases, we have made a pragmatic decision to allow authorized SugarCRM Customers and Partners to download On-Demand Developer Builds via the Sugar Community.

Access to this space is restricted to users who have Download Software permission associated with their Sugar Community account. Check out the On-Boarding Sugar Developers guide to learn more about how to make sure that developers within your organization are registered and have appropriate permissions to access the Developer Builds space. Note that it currently can take up to 24 hours for the permission to access the Developer Builds space to update once permission is granted.

We are providing source code downloads as a courtesy and on an "AS IS" basis for the sole purposes of development and quality assurance. Production use of Sugar 7.10 code outside of Sugar On-Demand is unsupported and will not be tolerated. Please review the terms of use in the OD Developer Builds space for more details on restrictions.

Keep up to date with Sugar Developer News!

Did you miss the recent Sugar Fall '17 Release developer webinar? If you were there, you would have learned all about the Developer Builds space sooner. So, don't miss the next one! Sign up for Sugar Developer News today!

In our most recent set of security releases, we made some changes in Sugar that address input sanitization issues reported by a third-party security researcher. Conveniently, these issues can be addressed with the input validation and CSRF form authentication frameworks added in Sugar 7.7.0.0 and 7.7.1.0. Both of these frameworks offer "soft" failure modes that log warnings to sugarcrm.log instead of throwing fatal exceptions.

Input Sanitization Soft Failures

CSRF form authentication is strictly enforced by default. But, up until now, the default for the input validation framework has been to use soft failure mode. Choosing to make soft failure mode the default was a pragmatic decision to maximize compatibility for Sugar customizations while developers updated customizations and integrations. However, these recently reported vulnerabilities make it clear that it is time to take the next step and more strictly enforce input sanitization. SugarCRM plans to strictly enforce input validation in upcoming releases. We will also remove the soft failure mode options at that time, which will break customizations or integrations that have not adopted CSRF form authentication or that do not pass input validation.

Strict enforcement of Input Validation and CSRF Form Authentication

You should enable strict enforcement of the Input Validation and CSRF Form Authentication checks now for two reasons: (1) to ensure that your Sugar customizations and integrations work properly after upgrading to our winter releases and (2) to create the most secure environment for your current users. The configuration settings in question are the Input Validation 'validation.soft_fail' flag as well as the CSRF 'csrf.soft_fail_form' flag. Sugar Cloud has disabled soft failure modes by default, but for Sugar On-Site you can adjust these settings yourself. Add the following lines to your config_override.php file.

$sugar_config['validation']['soft_fail'] = false;
$sugar_config['csrf']['soft_fail_form'] = false;

Strictly enforced checks

In response to security issues, there are now strictly enforced input validation checks that ignore the validation.soft_fail configuration setting. In particular, we added strict validation to the platform authentication parameter used in our REST API. This can have an impact on platform identifiers that use characters outside the POSIX portable filename character set. Also recall that the disable_unknown_platforms configuration setting affects which platforms may be used. Custom platforms should be registered using the Platforms extension. This check is planned to be enforced in Sugar On-Demand in the future as well.

What you need to do to prepare customizations

In development instances, set validation.soft_fail to false and disable_unknown_platforms to true, then run regression tests on your integrations and customizations to verify they still work. In production instances, enable the warn log level to collect and analyze any input validation or platform name violation warnings.
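As an added example (not code from this post or from SugarCRM), here is a small PHP pre-upgrade check that an integration team could run against the platform identifiers its clients send, together with the config_override.php lines for the development and production steps above. The regular expression is an assumption based on the POSIX portable filename character set (letters, digits, period, underscore, hyphen); the platform names and the extension file name are constructed samples.

```php
<?php
// Added example, not SugarCRM's own code. Checks candidate platform identifiers
// against the POSIX portable filename character set, which is the set the post
// says the strict REST "platform" parameter check is based on (regex is an
// assumption; consult the Sugar release notes for the exact rule).

/**
 * Return true when $platform is non-empty and contains only
 * POSIX portable filename characters: A-Z a-z 0-9 . _ -
 */
function isPortablePlatformName(string $platform): bool
{
    return $platform !== '' && preg_match('/^[A-Za-z0-9._-]+$/', $platform) === 1;
}

/**
 * Report every identifier in $platforms that strict validation would reject.
 * Returns the rejected names so the result can be used in a regression test.
 */
function rejectedPlatformNames(array $platforms): array
{
    return array_values(array_filter($platforms, function (string $name): bool {
        return !isPortablePlatformName($name);
    }));
}

// Constructed list of identifiers an integration might send as the platform parameter.
$candidates = ['base', 'mobile', 'acme_sync', 'acme-sync.v2', 'acme sync', 'acme/sync', ''];

foreach ($candidates as $name) {
    printf("%-16s %s\n", var_export($name, true),
        isPortablePlatformName($name) ? 'ok' : 'REJECTED under strict validation');
}
// Expected: 'acme sync', 'acme/sync' and '' are rejected; the others pass.

// Development instance: config_override.php lines for the steps in the post.
//     $sugar_config['validation']['soft_fail'] = false;
//     $sugar_config['disable_unknown_platforms'] = true;
//
// Production instance: raise the logger level so soft-failure warnings are collected.
//     $sugar_config['logger']['level'] = 'warn';
//
// Custom platforms that pass the character check still need to be registered through
// the Platforms extension so disable_unknown_platforms does not reject them, e.g. in
// custom/Extension/application/Ext/Platforms/acme_sync.php (file name is an example):
//     $platforms[] = 'acme-sync.v2';
// followed by a Quick Repair and Rebuild.
```

Run the script from the command line with `php check_platforms.php`; anything listed as rejected either needs renaming on the integration side or will start producing warnings in sugarcrm.log once the warn log level is enabled.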

Other Resources

Slides from the UnCon 2016 session on Sugar's input validation framework are also available in the Sugar Community. More information about best practices for using the Platform parameter can also be found on a previous post on this blog.

Do you need to set up your Sugar development environment but only have 20 minutes to spare? With the help of Vagrant, I've got you covered. Check out my new video below:

Prefer text-based instructions? Get them here.