MDL-74489

Admin presets export tool should treat salt config as sensitive to the site


    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Affects version: 4.0
    • Fix version: 4.0
    • Component: Administration
    • Branch: MOODLE_400_STABLE

      New site

      1. Log in as admin
      2. Navigate to General > Security > Site security settings in site administration
      3. Confirm Settings with passwords value contains:

        badges_badgesalt@@none, calendar_exportsalt@@none
        

      Upgraded site

      1. Checkout previous weekly release
      2. Checkout fixed branch
      3. Run upgrade
      4. Log in as admin
      5. Navigate to General > Security > Site security settings in site administration
      6. Confirm Settings with passwords value contains:

        badges_badgesalt@@none, calendar_exportsalt@@none
        

      Create preset without sensitive settings

      1. Navigate to General > Site admin presets in site administration
      2. Press Create preset
        • Name: Without settings with passwords
        • Include settings with passwords: No
        • Press Create preset
      3. Press Actions > Download
      4. Confirm that the following settings are not present in the preset XML:
        • <BADGES_BADGESALT>...randomchars...</BADGES_BADGESALT>
        • <CALENDAR_EXPORTSALT>...randomchars...</CALENDAR_EXPORTSALT>

      Create preset with sensitive settings

      1. Press Create preset
        • Name: With settings with passwords
        • Include settings with passwords: Yes
        • Press Create preset
      2. Press Actions > Download
      3. Confirm that the following settings are present in the preset XML:
        • <BADGES_BADGESALT>...randomchars...</BADGES_BADGESALT>
        • <CALENDAR_EXPORTSALT>...randomchars...</CALENDAR_EXPORTSALT>

      For the following two admin configuration values:

      Badge settings

      Salt for hashing the recipient's email address (badges_badgesalt)
      Default: badges1563459714

      Using a hash allows backpack services to confirm the badge earner without having to expose their email address. This setting should only use numbers and letters.

      Note: For recipient verification purposes, please avoid changing this setting once you start issuing badges.

      Calendar

      Calendar export salt (calendar_exportsalt)
      Default: 4cCjHcc8dTIDoECqTDCsK9z00JBckT7Gmp66c1SdiON8JYzigEcxVuv1yAIp

      This random text is used for improving of security of authentication tokens used for exporting of calendars. Please note that all current tokens are invalidated if you change this hash salt.

      Neither setting is considered "sensitive" by the admin presets tool, and will therefore always be exported regardless of the state of the "Include settings with passwords" option (I note there are various other secret phrases and passwords that are considered "sensitive").

      Unsure whether this is an improvement or a bug. I've considered it as a bug because a user can potentially cause destructive changes to their site if unknowingly changing either of these salt values (by invalidating all existing calendar URLs and badge assignments) when they import a preset to their site that contains either setting.
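      A scripted version of the "confirm the settings are (not) present in the preset XML" checks from the testing instructions, plus the export-side exclusion the issue asks for. This is an added example, not part of the issue or of Moodle's code: the preset XML below is a constructed, simplified stand-in for the real export format, and the `name@@plugin` parsing only uses the `none` (core setting) scope that the issue shows.

```python
import xml.etree.ElementTree as ET

# "Settings with passwords" value after the fix, in Moodle's name@@plugin
# format; "none" means a core (non-plugin) setting.
SETTINGS_WITH_PASSWORDS = "badges_badgesalt@@none, calendar_exportsalt@@none"

# Constructed sample export (assumed layout, not Moodle's exact schema).
# Setting names appear as upper-cased elements, as in the issue's test steps.
SAMPLE_PRESET = """<PRESET>
  <SETTINGS>
    <FULLNAME>Constructed test site</FULLNAME>
    <BADGES_BADGESALT>...randomchars...</BADGES_BADGESALT>
    <CALENDAR_EXPORTSALT>...randomchars...</CALENDAR_EXPORTSALT>
  </SETTINGS>
</PRESET>"""


def parse_sensitive_list(spec: str) -> set:
    """Parse 'name@@plugin, name@@plugin' into a set of lower-cased names.

    Plugin scope is ignored here (the issue only lists core settings), so a
    plugin setting with the same name would also be flagged. Assumption of
    this example, not Moodle behaviour.
    """
    names = set()
    for item in spec.split(","):
        item = item.strip()
        if item:
            name, _, _plugin = item.partition("@@")
            names.add(name.lower())
    return names


def sensitive_in_preset(xml_text: str, spec: str) -> list:
    """Return the sensitive setting names found in the preset XML (sorted)."""
    names = parse_sensitive_list(spec)
    root = ET.fromstring(xml_text)
    return sorted(el.tag.lower() for el in root.iter() if el.tag.lower() in names)


def strip_sensitive(xml_text: str, spec: str) -> str:
    """What 'Include settings with passwords: No' should do: drop the listed
    settings from the export and return the filtered XML."""
    names = parse_sensitive_list(spec)
    root = ET.fromstring(xml_text)
    # Snapshot parents first; removing children while iterating would skip nodes.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag.lower() in names:
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")
```

Running `sensitive_in_preset` over a downloaded preset gives the manual "confirm not present" check a repeatable form; an empty list is the expected result for a preset created with the option set to No.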

            Paul Holden (pholden)
            Sara Arjona (@sarjona)
            Jun Pataleta
            Gladys Basiana