commit 1c91a2ffe3602390067341037604a10c4b944aa6
Author: Hugh Davenport <hugh@catalyst.net.nz>
Date:   Wed Oct 31 13:11:23 2012 +1300

    MDL-35852: Add config option for setting exec paths
    
    This config option (allowexecpath) allows the server administrator
    to revoke the right for any web administrator to set the path to
    an executable via the web interface. These options must be set via
    config.php
    
    Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>

diff --git a/config-dist.php b/config-dist.php
index 2e38635..16a69a1 100644
--- a/config-dist.php
+++ b/config-dist.php
@@ -465,6 +465,12 @@ $CFG->admin = 'admin';
 // To ensure they are never used even when available:
 //      $CFG->svgicons = false;
 //
+// Some administration options allow setting the path to executable files. This can
+// potentially cause a security risk. Set this option to true to disable editing
+// those config settings via the web. They will need to be set explicitly in the
+// config.php file
+//      $CFG->allowexecpath = true;
+//
 //=========================================================================
 // 8. SETTINGS FOR DEVELOPMENT SERVERS - not intended for production use!!!
 //=========================================================================
diff --git a/lang/en/admin.php b/lang/en/admin.php
index f8be051..a42a22b 100644
--- a/lang/en/admin.php
+++ b/lang/en/admin.php
@@ -507,6 +507,7 @@ $string['errorsetting'] = 'Could not save setting:';
 $string['errorwithsettings'] = 'Some settings were not changed due to an error.';
 $string['everyonewhocan'] = 'Everyone who can \'{$a}\'';
 $string['exceptions'] = 'exceptions';
+$string['execpathdisallowed'] = 'Setting executable paths not allowed';
 $string['experimental'] = 'Experimental';
 $string['experimentalsettings'] = 'Experimental settings';
 $string['extendedusernamechars'] = 'Allow extended characters in usernames';
diff --git a/lib/adminlib.php b/lib/adminlib.php
index deef07e..942bff0 100644
--- a/lib/adminlib.php
+++ b/lib/adminlib.php
@@ -2033,6 +2033,13 @@ class admin_setting_configexecutable extends admin_setting_configfile {
         '<div class="form-file defaultsnext"><input type="text" size="'.$this->size.'" id="'.$this->get_id().'" name="'.$this->get_full_name().'" value="'.s($data).'" />'.$executable.'</div>',
         $this->description, true, '', $default, $query);
     }
+
+    public function write_setting($data) {
+        if (!get_config('core', 'allowexecpath')) {
+            return '';
+        }
+        return parent::write_setting($data);
+    }
 }
 
 
@@ -6355,7 +6362,9 @@ function format_admin_setting($setting, $title='', $form='', $description='', $l
     }
 
     $override = '';
-    if (empty($setting->plugin)) {
+    if ($setting instanceof admin_setting_configexecutable && !get_config('core', 'allowexecpath')) {
+        $override = '<div class="form-overridden">'.get_string('execpathdisallowed', 'admin').'</div>';
+    } else if (empty($setting->plugin)) {
         if (array_key_exists($setting->name, $CFG->config_php_settings)) {
             $override = '<div class="form-overridden">'.get_string('configoverride', 'admin').'</div>';
         }