
Tighten dataroot security checks and warn the administrator 'loudly'

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.6.7, 1.7.5, 1.8.6, 1.9.2
    • Fix Version/s: 1.9.3
    • Labels:
      None
    • Affected Branches:
      MOODLE_16_STABLE, MOODLE_17_STABLE, MOODLE_18_STABLE, MOODLE_19_STABLE
    • Fixed Branches:
      MOODLE_19_STABLE

      Description

      The attached patch adds additional checks for the moodledata directory during early installation phases (much earlier than the current check inside admin/index.php), uses stronger warning messages, lets the user click on a link to actually check whether the moodle data directory is accessible from the web or not (which is far easier than trying to check it from the server itself, as it is quite complicated and depends on a lot of configuration factors) and refuses to continue the installation if the moodledata directory appears to be accessible, unless the user explicitly confirms that s/he has verified the directory is not accessible. See the attached image (called install.png) to view all the details mentioned above.

      In addition to it, the current check inside admin/index.php is extended to visually notify the admin about the potential problem with moodledata, as it may happen that moodle has been installed with some automated installer that completely hides the installation process, including the warnings and the confirmation checkbox (fantastico is an example of this). So the patch adds a visual notification about the potential problem to the administration block notifications area (see attached image called admin_block.png). When you click on it, it displays a stronger warning than the current one, lets the administrator click on a link to check the moodledata directory accessibility from the web and offers a button to remove the warning (both from the administration block, and the admin notifications page).

      Given that there are thousands of Moodle installs all over the world with their moodledata directory open to anyone, and that having access to moodledata basically means you can do whatever you want with that moodle install (you can steal the admin user session, for example), I think it's really important to add this check & visual notification to help those people configure their sites correctly.

      I'm attaching patches for 1.5, 1.6, 1.7, 1.8, 1.9 and HEAD current as of today.

      Saludos. Iñaki.
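      The issue above describes two checks: a static one (is dataroot sitting under the web-served code tree?) and the one that actually matters, fetching something from dataroot over HTTP. The script below is an added example written for this page, not the attached patch or any Moodle code. It assumes the three config.php values (wwwroot, dirroot, dataroot) are known, that it runs on the Moodle host with write access to dataroot, and that the candidate URL paths it guesses ("moodledata", "data", the directory's own name) are plausible layouts, not anything Moodle guarantees. It drops a random marker file into dataroot, tries to fetch it at each candidate URL, reports which ones returned the marker, and removes the marker again. The fetch function is injectable so the constructed demo in `simulated_run()` can exercise both the exposed and the safe layout against a fake server.

```python
"""Probe whether a Moodle dataroot is reachable over HTTP.

Added illustration for this tracker page, not the code from the attached
patch. Assumes wwwroot/dirroot/dataroot are known and that this runs on the
Moodle host with write access to dataroot.
"""
import os
import secrets
import tempfile
import urllib.error
import urllib.request
from pathlib import Path


def inside_dirroot(dirroot, dataroot):
    """Static check: is dataroot underneath the web-served code tree?
    Only catches the obvious layout; an alias or vhost serving dataroot from
    elsewhere passes it, which is why the HTTP probe is the real test."""
    try:
        Path(dataroot).resolve().relative_to(Path(dirroot).resolve())
        return True
    except ValueError:
        return False


def candidate_urls(wwwroot, dirroot, dataroot, marker_name):
    """URLs under wwwroot at which a marker file in dataroot might be served."""
    base = wwwroot.rstrip("/")
    root, data = Path(dirroot).resolve(), Path(dataroot).resolve()
    guesses = []
    if inside_dirroot(dirroot, dataroot):
        guesses.append(data.relative_to(root).as_posix())
    # Assumed common names for a dataroot placed beside the code under the
    # same vhost; adjust for the site being checked.
    guesses += ["moodledata", "data", data.name]
    seen, urls = set(), []
    for g in guesses:
        url = f"{base}/{g}/{marker_name}"
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def http_get(url, timeout=5):
    """GET a URL; return (status, body). Network failures map to (None, b'')."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, b""
    except (urllib.error.URLError, OSError):
        return None, b""


def probe(wwwroot, dirroot, dataroot, fetch=http_get):
    """Write a random marker into dataroot, try to fetch it, clean up.
    Returns the URLs that served the marker; an empty list only means these
    paths did not expose it, not that dataroot is unreachable."""
    token = secrets.token_hex(16)
    marker = Path(dataroot) / f".dataroot_probe_{token}.txt"
    marker.write_bytes(token.encode())
    exposed = []
    try:
        for url in candidate_urls(wwwroot, dirroot, dataroot, marker.name):
            status, body = fetch(url)
            if status == 200 and token.encode() in body:
                exposed.append(url)
    finally:
        marker.unlink(missing_ok=True)
    return exposed


def simulated_run():
    """Constructed demo: a fake server that serves every file under the web
    root, checked against a dataroot inside it and one outside it."""
    wwwroot = "http://moodle.example.test"  # constructed hostname

    def serve_tree(docroot):
        def fetch(url):  # vhost with no deny rule for the data directory
            path = Path(docroot) / url[len(wwwroot):].lstrip("/")
            return (200, path.read_bytes()) if path.is_file() else (404, b"")
        return fetch

    with tempfile.TemporaryDirectory() as www, tempfile.TemporaryDirectory() as out:
        bad, good = os.path.join(www, "moodledata"), os.path.join(out, "moodledata")
        os.mkdir(bad)
        os.mkdir(good)
        return {
            "inside_static": inside_dirroot(www, bad),
            "inside_exposed": probe(wwwroot, www, bad, fetch=serve_tree(www)),
            "outside_static": inside_dirroot(www, good),
            "outside_exposed": probe(wwwroot, www, good, fetch=serve_tree(www)),
        }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:  # usage: probe.py WWWROOT DIRROOT DATAROOT
        hits = probe(*sys.argv[1:4])
        print("EXPOSED via " + ", ".join(hits) if hits else "marker not served at probed URLs")
    else:
        print(simulated_run())
```

      Run with the real `wwwroot`, `dirroot` and `dataroot` from config.php to get a verdict for a live site; with no arguments it runs the constructed demo. A marker is used rather than an existing file so that a cached or unrelated 200 response cannot produce a false positive, and the marker is removed even if a fetch raises.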

            People

            Assignee:
            skodak Petr Skoda
            Reporter:
            iarenaza Iñaki Arenaza
            Tester:
            Nicolas Connault
            Component watchers:
            Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Matteo Scaramuccia
            Votes:
            2
            Watchers:
            4

              Dates

              Fix Release Date:
              15/Oct/08