Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-60234

Add possibility to disable admin warning if a development libs directory exists

    XMLWordPrintable

    Details

    • Testing Instructions:
      Hide

      Prerequisites:

      • Make sure that your Moodle installation contains a /node_modules and / or /vendor directory. It does not matter if this directory contains any files
      • Login to Moodle as admin

      Test 1

      • Go the the systems notification page (/admin/index.php)
      • You will see a warning box saying "Directories with development libraries, especially <em>/vendor</em> and <em>/node_modules</em>, should not be present on public sites. See the <a href="{$a->moreinfourl}">security overview report</a> for more details."
      • Add this to your config.php file:

        $CFG->disabledevlibdirscheck = true;
        

      • Go the the systems notification page (/admin/index.php) again
      • You must not see the warning box again

      Test 2

      • Go the the security overview report (/report/security/index.php)
      • You will see a warning saying "The vendor directory should not be present on public sites." and / or "The node_modules directory should not be present on public sites." (depending which directories you created at the very beginning of this test)
      • Add this to your config.php file:

        $CFG->disabledevlibdirscheck = true;
        

      • Go the the security overview report (/report/security/index.php) again
      • You must still see the same warnings as above.
      Show
      Prerequisites: Make sure that your Moodle installation contains a /node_modules and / or /vendor directory. It does not matter if this directory contains any files Login to Moodle as admin Test 1 Go the the systems notification page (/admin/index.php) You will see a warning box saying "Directories with development libraries, especially <em>/vendor</em> and <em>/node_modules</em>, should not be present on public sites. See the <a href="{$a->moreinfourl}">security overview report</a> for more details." Add this to your config.php file: $CFG->disabledevlibdirscheck = true; Go the the systems notification page (/admin/index.php) again You must not see the warning box again Test 2 Go the the security overview report (/report/security/index.php) You will see a warning saying "The vendor directory should not be present on public sites." and / or "The node_modules directory should not be present on public sites." (depending which directories you created at the very beginning of this test) Add this to your config.php file: $CFG->disabledevlibdirscheck = true; Go the the security overview report (/report/security/index.php) again You must still see the same warnings as above.
    • Difficulty:
      Easy
    • Affected Branches:
      MOODLE_33_STABLE
    • Fixed Branches:
      MOODLE_34_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-60234-master

      Description

      MDL-59969 introduced a warning for admins if there are development libraries in the Moodle directory and advises to remove them or at least prevent access to them in the webserver. I am grateful for this hint as it gives a big heads-up to admins.

      However, there are deployment strategies where you want to have the development libraries on the development / staging systems and just push the whole Moodle codebase (including development libraries) to the prod system when doing an update for production.

      As a thorough admin, I prefer having the same codebase on all systems of the software lifecycle and will, of course, forbid web access to /node_modules and /vendor (besides other files like README.md, CHANGELOG.md which might leak other sensitive information like software versions).

      For me, this warning from MDL-59969 now is a false-positive because it only checks for the existence of /node_modules or /vendor on the server and not if they really can be accessed by a browser. It would be great if there could be a live check (via curl for example) for the availability of these directories before showing the warning. However, I am aware that this would be a tightrope walk between prevent bugging the admin with a useless warning and triggering a false-negative in webserver configuration edge cases.

        Attachments

          Activity

            People

            • Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Fix Release Date:
                13/Nov/17