MDL-15716

Tighten dataroot security checks and warn the administrator 'loudly'


    Details

    • Affected Branches:
      MOODLE_16_STABLE, MOODLE_17_STABLE, MOODLE_18_STABLE, MOODLE_19_STABLE
    • Fixed Branches:
      MOODLE_19_STABLE

      Description

      The attached patch adds additional checks for the moodledata directory during early installation phases (much earlier than the current check inside admin/index.php), uses stronger warning messages, lets the user click on a link to actually check whether the moodle data directory is accessible from the web or not (which is far easier than trying to check it from the server itself, as it is quite complicated and depends on a lot of configuration factors) and refuses to continue the installation if the moodledata directory appears to be accessible, unless the user explicitly confirms that s/he has verified the directory is not accessible. See the attached image (called install.png) to view all the details mentioned above.

      In addition to it, the current check inside admin/index.php is extended to visually notify the admin about the potential problem with moodledata, as it may happen that moodle has been installed with some automated installer that completely hides the installation process, including the warnings and the confirmation checkbox (fantastico is an example of this). So the patch adds a visual notification about the potential problem to the administration block notifications area (see attached image called admin_block.png). When you click on it, it displays a stronger warning than the current one, lets the administrator click on a link to check the moodledata directory accessibility from the web and offers a button to remove the warning (both from the administration block, and the admin notifications page).

      Given that there are thousands of Moodle installs all over the world with their moodledata directory open to anyone, and that having access to moodledata basically means you can do whatever you want with that moodle install (you can steal the admin user session, for example), I think it's really important to add this check & visual notification to help those people configure their sites correctly.

      I'm attaching patches for 1.5, 1.6, 1.7, 1.8, 1.9 and HEAD current as of today.

      Saludos. Iñaki.
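The "click a link to check it from the web" approach described in the report, as an added stand-alone example that is not part of the attached patches or of Moodle's code: a random marker file is dropped into the dataroot and then requested over HTTP at each URL the directory might be served from (the candidate URLs are an assumption the administrator supplies, e.g. wwwroot plus "/moodledata"). The probe counts the directory as exposed only if the marker's random content comes back, so a catch-all page that answers 200 to everything does not produce a false positive.

```python
import os
import secrets
import urllib.request
from urllib.error import URLError


def http_get(url):
    """Fetch a URL; returns (status, body), or (None, b'') on any HTTP/network error."""
    try:
        with urllib.request.urlopen(url, timeout=5) as r:
            return r.status, r.read()
    except URLError:
        return None, b""


def dataroot_is_web_accessible(dataroot, base_urls, fetch=http_get):
    """Write a random marker file into dataroot and try to fetch it at each
    candidate base URL (assumed to be supplied by the administrator).

    Returns the URL that served the marker, or None if no candidate did.
    The marker is always removed afterwards, even if a fetch raises.
    """
    # Random name and content: the probe cannot collide with real files,
    # and a 200 from a catch-all page will not match the expected body.
    name = f"dataroot_probe_{secrets.token_hex(8)}.txt"
    token = secrets.token_hex(16).encode()
    path = os.path.join(dataroot, name)
    with open(path, "wb") as f:
        f.write(token)
    try:
        for base in base_urls:
            url = base.rstrip("/") + "/" + name
            status, body = fetch(url)
            if status == 200 and body.strip() == token:
                return url  # dataroot is readable from the web at this URL
        return None
    finally:
        os.remove(path)


if __name__ == "__main__":
    # Hypothetical values; replace with the real dataroot and site URL.
    hit = dataroot_is_web_accessible("/var/moodledata",
                                     ["http://example.test/moodledata"])
    print("EXPOSED at " + hit if hit else "marker not reachable at the candidate URLs")
```

A result of None only means the marker was not reachable at the URLs tried; a directory served under a different alias or virtual host would need that URL added to the candidate list.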


              Dates

              • Fix Release Date: 15/Oct/08