MDL-71806

Improved the UX of the Moodle security report


    Details

    • Affected Branches:
      MOODLE_311_STABLE
    • Fixed Branches:
      MOODLE_400_STABLE
    • Pull Master Branch:
      MDL-71806-improve-check-ux
    • Testing Instructions:

      Note: On a default setup, internal paths will be exposed to the public.
      If you have customised your Apache configuration for testing of the Security checks report, or included an .htaccess file in the past, then you will need to remove that configuration before testing.

      1. Navigate to Site administration -> Reports -> Security checks
        1. Confirm that each summary has a 'More info' link
        2. Confirm that the 'Check all public / private paths' check has a summary sentence for the warning state
      2. Add the attached .htaccess to your Moodle root
      3. Refresh the page
      4. Reload the security report
        1. Confirm the 'Check all public / private paths' check still has data in the "Summary" column
        2. Confirm the 'Check all public / private paths' check still has a "More info" link
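      The testing steps above add an .htaccess that hides the internal files the 'Check all public / private paths' check probes. The block below is an added example of such a file, not the .htaccess attached to this issue; it assumes mod_rewrite is loaded and that the vhost allows .htaccess overrides (AllowOverride FileInfo or All). It also assumes the check is satisfied by any non-200 response for a probed path (the testing instructions describe a 404), and it matches the file names at any depth under the web root, not only at the top level, because Moodle ships copies such as lib/upgrade.txt in subdirectories and a root-only rule leaves those reachable.

```apache
# Added example: not the .htaccess attached to MDL-71806.
# Place in the Moodle web root. Assumes mod_rewrite is enabled and the
# vhost permits .htaccess overrides for this directory.
RewriteEngine On

# In per-directory context the pattern is matched against the path relative
# to this directory, so "(^|/)" anchors the file name at the root or after
# any subdirectory: /phpunit.xml, /lib/upgrade.txt, /theme/boost/readme.txt.
# "-" keeps the URL unchanged; R=404 answers with 404 Not Found; NC makes
# README also cover readme and Readme; L stops rule processing.
RewriteRule (^|/)(readme\.txt|README|upgrade\.txt|phpunit\.xml|composer\.(json|lock))$ - [NC,R=404,L]

# Alternative when mod_rewrite is not available (use one or the other, not
# both: the access check runs before per-directory rewriting, so this rule
# would win and the response would be 403 rather than 404). <FilesMatch> in an
# .htaccess is inherited by subdirectories, so it also covers nested copies.
#
# <FilesMatch "^(readme\.txt|README|upgrade\.txt|phpunit\.xml|composer\.(json|lock))$">
#     Require all denied
# </FilesMatch>
```

      To confirm the rule before reloading the security report, request a nested copy as well as a root one, for example `curl -s -o /dev/null -w '%{http_code}\n' https://<your-moodle-host>/lib/upgrade.txt` (host is a placeholder); both should print 404. Testing only the root copy is how a configuration can look correct in the browser while the check still lists the file.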

      Description

      Version: Moodle 3.11

      Moodle was updated from 2.4 (if I remember correctly). My installation runs in German.

      Website-Administration -> Berichte -> Sicherheitskontrolle (Site administration -> Reports -> Security checks)

      shows "Alle öffentlichen / privaten Pfade prüfen" ("Check all public / private paths") with a critical error.

      I fixed all of them by redirecting the listed files to 404, and most of it worked, but 4 entries are still listed, even though they are configured like the other (previously) listed entries such as composer.json.

      Here is the list of files that are still listed:

      • readme.txt Dateien sollten nicht öffentlich sein (readme.txt files should not be public)
      • README Dateien sollten nicht öffentlich sein (README files should not be public)
      • /upgrade.txt Dateien sollten nicht öffentlich sein (/upgrade.txt files should not be public)
      • phpunit.xml Dateien sollten nicht öffentlich sein (phpunit.xml files should not be public)

      I tested the setup by trying to load those files in the web browser and got 404 back as expected.


      The question now is: is this a bug, or did I do something wrong? I think the documentation would need to be updated in this regard, as I couldn't find out whether these files should still be accessible by Moodle itself locally.

        Attachments

        1. .htaccess (0.7 kB)
        2. image-2021-05-31-12-58-15-178.png (40 kB)
        3. image-2021-05-31-22-20-26-572.png (48 kB)
        4. image-2021-06-01-10-05-27-750.png (44 kB)
        5. MDL-71806.jpg (52 kB)


            People

            Assignee:
            brendanheywood Brendan Heywood
            Reporter:
            jaiser Steffen Jaiser
            Peer reviewer:
            Dan Marsden Dan Marsden
            Integrator:
            Andrew Lyons Andrew Lyons
            Tester:
            Anna Carissa Sadia Anna Carissa Sadia
            Participants:
            Component watchers:
            Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan
            Votes: 0
            Watchers: 7


                Time Tracking

                Estimated: Not specified
                Remaining: 0m
                Logged: 50m