IMPORTANT SECURITY FIX - this makes sure $CFG can not be overridden

diff --git a/config-dist.php b/config-dist.php
index 4a4b0733a29ec8b705ea2c1e473dad34caf5ac9e..0093b62f288a51467de92d297fa80bdd13c7c617 100644 (file)
--- a/config-dist.php
+++ b/config-dist.php
@@ -28,6 +28,7 @@
 //                                                                       //\r
 ///////////////////////////////////////////////////////////////////////////\r
 \r
+unset($CFG);  // Ignore this line\r
 \r
 //=========================================================================\r
 // 1. DATABASE SETUP\r
@@ -48,6 +49,9 @@ $CFG->dbname    = "moodle";      // database name, eg moodle
 $CFG->dbuser    = "username";    // your database username\r
 $CFG->dbpass    = "password";    // your database password\r
 \r
+$CFG->dbpersist = true;          // Use persistent database connection? \r
+                                 // (should be 'true' for 99% of sites)\r
+\r
 $CFG->prefix    = "mdl_";        // Prefix to use for all table names\r
 \r
 \r

diff --git a/lib/setup.php b/lib/setup.php
index 134c774ce4ad82b86f733944631ceb783b8fc80e..34b8875a5af4346f27963eb64b66049bb681f268 100644 (file)
--- a/lib/setup.php
+++ b/lib/setup.php
@@ -140,6 +140,9 @@
 /// Eventually I'll go through and upgrade all the code to make this unnecessary
 
     if (isset($_REQUEST)) {
+        if (isset($_REQUEST['CFG'])) {
+            unset($_REQUEST['CFG']);  // We don't want to overwrite $CFG!
+        }
         extract($_REQUEST);
     }
     if (isset($_SERVER)) {