Commit 620b128f authored by Robert Lyon's avatar Robert Lyon

Bug 1451636: adding a urlsecret config setting

To stop unwarrented access to the lib/cron.php page
and to the admin/upgrade.php page

behatnotneeded

Change-Id: I9eef9e2ddf85bdf8a2424bb9d0972ea4970dfa86
Signed-off-by: Robert Lyon's avatarRobert Lyon <robertl@catalyst.net.nz>
parent 172d0e95
......@@ -32,6 +32,14 @@ if (param_integer('finished', 0)) {
redirect();
}
// Check if we have come via browser and have the right urlsecret
if (php_sapi_name() != 'cli') {
$urlsecret = param_alphanumext('urlsecret', null);
if ($urlsecret !== get_config('urlsecret')) {
die_info(get_string('accessdeniednourlsecret', 'error'));
}
}
$smarty = smarty();
$upgrades = check_upgrades();
......
......@@ -90,6 +90,7 @@ $string['notfoundexception'] = 'The page you are looking for could not be found.
$string['accessdenied'] = 'Access denied';
$string['accessdeniedobjection'] = 'Access denied. The objection has already been resolved by another administrator.';
$string['accessdeniedexception'] = 'You do not have access to view this page.';
$string['accessdeniednourlsecret'] = 'You do not have access to this functionality. Please provide the value for "urlsecret" from your config.php file as part of the URL.';
$string['viewnotfoundexceptiontitle'] = 'Page not found';
$string['viewnotfoundexceptionmessage'] = 'You tried to access a page that does not exist.';
......@@ -136,5 +137,5 @@ $string['gdlibrarylackspngsupport'] = 'The installed PHP GD library does not sup
$string['nopasswordsaltset'] = 'No sitewide password salt has been set. Edit your config.php and set the "passwordsaltmain" parameter to a reasonable secret phrase.';
$string['passwordsaltweak'] = 'Your sitewide password salt is not strong enough. Edit your config.php and set the "passwordsaltmain" parameter to a longer secret phrase.';
$string['urlsecretweak'] = 'The $cfg->urlsecret set for this site has not been changed from the default value. Edit your config.php and set the $cgf->urlsecret parameter to a different string (or null if you do not wish to use a urlsecret).';
$string['notproductionsite'] = 'This site is not in production mode. Some data may not be available and/or may be out of date.';
......@@ -664,3 +664,11 @@ MathJax.Hub.Configured();
* - this setting $cfg->maxuploadsize if set
*/
//$cfg->maxuploadsize = 16777216;
/**
* @global string $cfg->urlsecret A secret you need to add to the lib/cron.php or admin/upgrade.php
* URL to run it through the browser rather than the commandline to prevent unauthorised users triggering
* the cron or an upgrade, eg http://example.com/lib/cron.php?urlsecret=mysupersecret. If you do not wish
* to have a url secret set $cfg->urlsecret = null.
*/
$cfg->urlsecret = 'mysupersecret';
......@@ -22,6 +22,15 @@ require_once(get_config('docroot') . 'lib/activity.php');
require_once(get_config('docroot') . 'lib/file.php');
require_once(get_config('docroot') . 'webservice/lib.php');
// Check if we have come via browser and have the right urlsecret
// Note: if your crontab hits this file via curl/http thenyou will need
// to add the urlsecret there for the cron to work.
if (php_sapi_name() != 'cli') {
$urlsecret = param_alphanumext('urlsecret', null);
if ($urlsecret !== get_config('urlsecret')) {
die_info(get_string('accessdeniednourlsecret', 'error'));
}
}
// This is here for debugging purposes, it allows us to fake the time to test
// cron behaviour
$realstart = time();
......
......@@ -1526,6 +1526,11 @@ function site_warnings() {
$warnings[] = get_string('passwordsaltweak', 'error');
}
$urlsecret = get_config('urlsecret');
if (!empty($urlsecret) && $urlsecret == 'mysupersecret') {
$warnings[] = get_string('urlsecretweak', 'error');
}
if (!extension_loaded('mbstring')) {
$warnings[] = get_string('mbstringneeded', 'error');
}
......
......@@ -855,7 +855,7 @@ class BehatGeneral extends BehatBase {
foreach(plugin_types() as $plugintype) {
set_field($plugintype . '_cron', 'nextrun', null);
}
$this->getSession()->visit($this->locate_path('/lib/cron.php'));
$this->getSession()->visit($this->locate_path('/lib/cron.php?urlsecret=mysupersecret'));
}
/**
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment