print_simple_box(get_string('globalsquoteswarning', 'admin'), 'center', '60%');
}
+ if (is_dataroot_insecure()) {
+ print_simple_box(get_string('datarootsecuritywarning', 'admin', $CFG->dataroot), 'center', '60%');
+ }
+
/// If no recently cron run
$lastcron = get_field_sql('SELECT max(lastcron) FROM ' . $CFG->prefix . 'modules');
if (time() - $lastcron > 3600 * 24) {
$string['confirmation'] = 'Confirmation';
$string['confirminstall'] = 'You are about to install language pack ($a), are you sure?';
$string['cronwarning'] = 'The <a href=\"cron.php\">cron.php maintenance script</a> has not been run for at least 24 hours.';
+$string['datarootsecuritywarning'] = 'Your site configuration might not be secure. Please make sure that your dataroot directory ($a) is not directly accesible via web.';
$string['dbmigrate'] = 'Moodle Database Migration';
$string['dbmigrationdeprecateddb'] = '<font color=\"#ff0000\">This database is migrated to a new UTF8 database and deprecated. Please edit your config.php and use the new database for this moodle.</font>';
$string['dbmigrationdupfailed'] = 'Database duplication failed with possible error:<font color=\"#ff0000\"><pre>$a</pre></font>';
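Review bot: The new `$string['datarootsecuritywarning']` misspells "accessible" as "accesible"; because this is the English source string that every language pack is keyed from, the typo will propagate into translations unless it is fixed here, e.g. `Please make sure that your dataroot directory ($a) is not directly accessible via web.`. It may also be worth pointing the admin at what to do (move dataroot outside the web root, or deny web access to it in the server configuration), since the warning as written only states the problem.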
return $string;
}
+/**
+ * Try to verify that dataroot is not accessible from web.
+ * It is not 100% correct but might help to reduce number of vulnerable sites.
+ *
+ * Protection from httpd.conf and .htaccess is not detected properly.
+ */
+function is_dataroot_insecure() {
+ global $CFG;
+
+ $siteroot = str_replace('\\', '/', strrev($CFG->dirroot.'/')); // win32 backslash workaround
+
+ $rp = preg_replace('|https?://[^/]+|i', '', $CFG->wwwroot, 1);
+ $rp = strrev(trim($rp, '/'));
+ $rp = explode('/', $rp);
+ foreach($rp as $r) {
+ if (strpos($siteroot, '/'.$r.'/') === 0) {
+ $siteroot = substr($siteroot, strlen($r)+1); // moodle web in subdirectory
+ } else {
+ break; // probably alias root
+ }
+ }
+
+ $siteroot = strrev($siteroot);
+ $dataroot = str_replace('\\', '/', $CFG->dataroot.'/');
+
+ if (strpos($dataroot, $siteroot) === 0) {
+ return true;
+ }
+ return false;
+}
?>
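Review bot: The final `strpos($dataroot, $siteroot) === 0` comparison works on the raw configured strings, so a dataroot reached through a symlink, a `..` component, or a doubled slash is reported as secure, a `dirroot` configured with a trailing slash yields `//` in the reversed string and defeats the subdirectory-stripping loop, and on Windows a case difference in drive letter or path would presumably also be missed. Since `false` is what suppresses the admin warning, false negatives are the dangerous direction here, while the `.htaccess`/`httpd.conf` caveat in the doc comment only covers false positives; normalising both paths with `realpath()` where it succeeds (keeping the configured value when the directory does not exist) and trimming trailing separators would close the easy cases. The doc comment should also say explicitly what a negative result means, e.g. `* Returns true when dataroot appears to be under the web root; false is NOT proof that it is protected.`.

```php
function is_dataroot_insecure() {
    global $CFG;

    // resolve symlinks and ../ where the directories exist; fall back to the configured value
    $dirroot  = realpath($CFG->dirroot);
    $dataroot = realpath($CFG->dataroot);
    $dirroot  = ($dirroot === false)  ? $CFG->dirroot  : $dirroot;
    $dataroot = ($dataroot === false) ? $CFG->dataroot : $dataroot;
    // trailing separators would break the '/segment/' prefix matching below
    $siteroot = str_replace('\\', '/', strrev(rtrim($dirroot, '/\\').'/')); // win32 backslash workaround
    // … unchanged: wwwroot path stripping loop …
    $siteroot = strrev($siteroot);
    $dataroot = str_replace('\\', '/', rtrim($dataroot, '/\\').'/');
    // … unchanged: prefix comparison and return …
```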