commit 069fc498a7eaec8aa2cae52de75df17efbaa2f8a Author: Hugh Davenport Date: Wed Oct 31 13:11:23 2012 +1300 MDL-35852: Add config option for setting exec paths This config option (allowexecpath) allows the server administrator to revoke the right for any web administrator to set the path to an executable via the web interface. These options must be set via config.php Signed-off-by: Hugh Davenport diff --git a/config-dist.php b/config-dist.php index 2e38635..16a69a1 100644 --- a/config-dist.php +++ b/config-dist.php @@ -465,6 +465,12 @@ $CFG->admin = 'admin'; // To ensure they are never used even when available: // $CFG->svgicons = false; // +// Some administration options allow setting the path to executable files. This can +// potentially cause a security risk. Set this option to true to disable editing +// those config settings via the web. They will need to be set explicitly in the +// config.php file +// $CFG->allowexecpath = true; +// //========================================================================= // 8. SETTINGS FOR DEVELOPMENT SERVERS - not intended for production use!!! //========================================================================= diff --git a/lang/en/admin.php b/lang/en/admin.php index f8be051..a42a22b 100644 --- a/lang/en/admin.php +++ b/lang/en/admin.php @@ -507,6 +507,7 @@ $string['errorsetting'] = 'Could not save setting:'; $string['errorwithsettings'] = 'Some settings were not changed due to an error.'; $string['everyonewhocan'] = 'Everyone who can \'{$a}\''; $string['exceptions'] = 'exceptions'; +$string['execpathdisallowed'] = 'Setting executable paths not allowed'; $string['experimental'] = 'Experimental'; $string['experimentalsettings'] = 'Experimental settings'; $string['extendedusernamechars'] = 'Allow extended characters in usernames'; diff --git a/lib/adminlib.php b/lib/adminlib.php index deef07e..5ce5e28 100644 --- a/lib/adminlib.php +++ b/lib/adminlib.php @@ -1762,6 +1762,9 @@ class admin_setting_configtext extends admin_setting { * @return mixed true if ok string if error found */ public function validate($data) { + if ($this instanceof admin_setting_configexecutable && !get_config('core', 'allowexecpath')) { + return get_string('validateerror', 'admin'); + } // allow paramtype to be a custom regex if it is the form of /pattern/ if (preg_match('#^/.*/$#', $this->paramtype)) { if (preg_match($this->paramtype, $data)) { @@ -6355,7 +6358,9 @@ function format_admin_setting($setting, $title='', $form='', $description='', $l } $override = ''; - if (empty($setting->plugin)) { + if ($setting instanceof admin_setting_configexecutable && !get_config('core', 'allowexecpath')) { + $override = '
'.get_string('execpathdisallowed', 'admin').'
'; + } else if (empty($setting->plugin)) { if (array_key_exists($setting->name, $CFG->config_php_settings)) { $override = '
'.get_string('configoverride', 'admin').'
'; }