Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-15716

Tighten dataroot security checks and warn the administrator 'loudly'

    XMLWordPrintable

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 1.6.7, 1.7.5, 1.8.6, 1.9.2
    • 1.9.3
    • Administration, Installation
    • None
    • MOODLE_16_STABLE, MOODLE_17_STABLE, MOODLE_18_STABLE, MOODLE_19_STABLE
    • MOODLE_19_STABLE

    Description

      The attached patch adds additional checks for the moodledata directory during early installation phases (much earlier than the current check inside admin/index.php), uses stronger warning messages, lets the user click on a link to actually check whether the moodle data directory is accessible from the web or not (which is far easier than trying to check it from the server itself, as it is quite complicated and depend on a lot of configuration factors) and refuses to continue the installation if the moodledata directory appears to be accesible, unless the user explicitly confirms that s/he has verified the directory is not accesible. See the attached image (called install.png) to view all the details mentionned above.

      In addition to it, the current check inside admin/index.php is extended to visually notify the admin about the potential problem with moodledata, as it may happen that moodle has been installed with some automated installer that completely hides the installation process, including the warnings and the confirmation checkbox (fantastico is an example of this). So the patchs adds a visual notification about the potential problem to the administration block notifications area (see attached image called admin_block.png). When you click on it, it displays a stronger warning than the current one, lets the administration click on a link to check the moodledata directory accessibility from the web and offers a button to remove the warning (both from the administration block, and the admin notifications page).

      Given that there are thousands of Moodle install all over the world with their moodledata directory open to anyone, and that having access to moodledata basically means you can do whatever you want with that moodle install (you can steal the admin user session, for example), I think it's really important to add this check & visual notification to help those people configure their sites correctly.

      I'm attaching patches for 1.5, 1.6, 1.7. 1.8, 1.9 and HEAD current as of today.

      Saludos. Iñaki.

      Attachments

        1. admin_block.png
          19 kB
          Iñaki Arenaza
        2. admin_index.png
          64 kB
          Iñaki Arenaza
        3. install.png
          24 kB
          Iñaki Arenaza
        4. public_dataroot_stable19_8.patch
          15 kB
          Petr Skoda
        5. tighten-dataroot-security-checks-16-v3.diff
          10 kB
          Iñaki Arenaza
        6. tighten-dataroot-security-checks-17-v3.diff
          10 kB
          Iñaki Arenaza
        7. tighten-dataroot-security-checks-18-v3.diff
          10 kB
          Iñaki Arenaza
        8. tighten-dataroot-security-checks-19-v3.diff
          10 kB
          Iñaki Arenaza
        9. tighten-dataroot-security-checks-head-v3.diff
          10 kB
          Iñaki Arenaza

        Activity

          People

            skodak Petr Skoda
            iarenaza Iñaki Arenaza
            Nicolas Connault Nicolas Connault
            David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo, Matteo Scaramuccia, David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo
            Votes:
            2 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:
              15/Oct/08