From: moodler
Date: Thu, 15 May 2003 15:59:52 +0000 (+0000)
Subject: New configuration variable: secureforms (defaults to 'true')
X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=ae384ef160523b6847fa43e7a4fe37303c5dfe1c;p=moodle.git

New configuration variable: secureforms (defaults to 'true')

Replaces the old $CFG->buggy_referer (reverses it, in fact) and can now be set in the configuration page (no need for it in config.php).
---
diff --git a/admin/config.html b/admin/config.html
index 64f9ff2bf7..63eb1653ec 100644
--- a/admin/config.html
+++ b/admin/config.html
@@ -287,6 +287,21 @@
+ +

secureforms: + + secureforms, "", "", ""); + ?> + + + + +
diff --git a/admin/config.php b/admin/config.php
index 623b3ab171..944e868e15 100644
--- a/admin/config.php
+++ b/admin/config.php
@@ -33,9 +33,16 @@
 }
+/// This is to overcome the "insecure forms paradox"
+ if (isset($secureforms) and $secureforms == 0) {
+ $match = "nomatch";
+ } else {
+ $match = "";
+ }
+ /// If data submitted, then process and store.
- if ($config = data_submitted()) {
+ if ($config = data_submitted($match)) {
 validate_form($config, $err);
diff --git a/config-dist.php b/config-dist.php
index 0093b62f28..d9b99e4a46 100644
--- a/config-dist.php
+++ b/config-dist.php
@@ -111,7 +111,7 @@ $CFG->directorypermissions = 0777;
 //=========================================================================
-// 6. ADMIN LOCATION (most people can just ignore this setting)
+// 6. DIRECTORY LOCATION (most people can just ignore this setting)
 //=========================================================================
 // A very few webhosts use /admin as a special URL for you to access a
 // control panel or something. Unfortunately this conflicts with the
@@ -122,18 +122,6 @@ $CFG->directorypermissions = 0777;
 $CFG->admin = "admin";
-//=========================================================================
-// 7. TROUBLESHOOTING (most people can just ignore this setting)
-//=========================================================================
-// A very small percentage of servers have a bug which causes HTTP_REFERER
-// not to work. The symptoms of this are that you fill out the configure
-// form during Moodle setup but when hit save you find yourself on the
-// same form, unable to progress. If this happens to you, come back here
-// and set the following to true. Otherwise this should always be false.
-
-$CFG->buggy_referer = false;
-
-
 //=========================================================================
 // ALL DONE! To continue your setup, visit your Moodle web page.
 //=========================================================================
diff --git a/lang/en/moodle.php b/lang/en/moodle.php
index 9dbc420169..e2539888d6 100644
--- a/lang/en/moodle.php
+++ b/lang/en/moodle.php
@@ -66,6 +66,7 @@ $string['configcountry'] = "If you set a country here, then this country will be
 $string['configdebug'] = "If you turn this on, then PHP's error_reporting will be increased so that more warnings are printed. This is only useful for developers.";
 $string['configgdversion'] = "Indicate the version of GD that is installed. The version shown by default is the one that has been auto-detected. Don't change this unless you really know what you're doing.";
 $string['configerrorlevel'] = "Choose the amount of PHP warnings that you want to be displayed. Normal is usually the best choice.";
+$string['configsecureforms'] = "Moodle can use an additional level of security when accepting data from web forms. If this is enabled, then the browser's HTTP_REFERER variable is checked against the current form address. In a very few cases this can cause problems if the user is using a firewall (eg Zonealarm) configured to strip HTTP_REFERER from their web traffic. Symptoms are getting 'stuck' on a form. If your users are having problems with the login page (for example) you might want to disable this setting, although it might leave your site more open to brute-force password attacks. If in doubt, leave this set to 'Yes'.";
 $string['confightmleditor'] = "Choose whether or not to allow use of the embedded HTML text editor. Even if you choose allow, this editor will only appear when the user is using a compatible browser (IE 5.5 or later). Users can also choose not to use it.";
 $string['configintro'] = "On this page you can specify a number of configuration variables that help make Moodle work properly on your server. Don't worry too much about it - the defaults will usually work fine and you can always come back to this page later and change these settings.";
 $string['configintroadmin'] = "On this page you should configure your main administrator account which will have complete control over the site.
Make sure you give it a secure username and password as well as a valid email address. You can create more admin accounts later on.";
diff --git a/lib/defaults.php b/lib/defaults.php
index db054facd6..02f3d63985 100644
--- a/lib/defaults.php
+++ b/lib/defaults.php
@@ -8,6 +8,7 @@
 "changepassword" => true,
 "country" => "",
 "debug" => 7,
+ "secureforms" => true,
 "framename" => "_top",
 "gdversion" => 1,
 "guestloginbutton" => 1,
diff --git a/lib/weblib.php b/lib/weblib.php
index b0eba3b8d9..81b386be0f 100644
--- a/lib/weblib.php
+++ b/lib/weblib.php
@@ -134,11 +134,11 @@ function match_referer($goodreferer = "") {
 /// goodreferer is not specified, use qualified_me as the goodreferer
 global $CFG;
- if (!empty($CFG->buggy_referer)) {
+ if (empty($CFG->secureforms)) {
 // Don't bother checking referer
 return true;
 }
- if ($goodreferer == "nomatch") {
+ if ($goodreferer == "nomatch") {
 // Don't bother checking referer
 return true;
 }
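Review bot: The bypass in the added block is selected by the very request it is meant to gate: any submission that carries `secureforms=0` gets `$match = "nomatch"`, which `data_submitted($match)` presumably hands to match_referer, whose `"nomatch"` branch returns true without looking at HTTP_REFERER, so a cross-site form posted from a logged-in administrator's browser with that one extra field has the entire `$config` array validated and stored regardless of origin. `$secureforms` is also read as a bare global, presumably via register_globals, so a GET parameter or cookie of that name works as well; at minimum read it explicitly, `if (isset($_POST['secureforms']) and $_POST['secureforms'] == 0) {`. A submission that fails the referer check should be allowed to change nothing except the `secureforms` flag itself (and be re-confirmed on the next load), and a session-bound token is the durable replacement for the referer check. The enclosing script continues outside the hunk.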
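Review bot: Replacing `!empty($CFG->buggy_referer)` with `empty($CFG->secureforms)` flips the failure mode of match_referer from closed to open: when the setting is absent from `$CFG` (a site whose stored config has not yet picked up the new default from lib/defaults.php, or a partially loaded config), `empty()` is true and every referer check is skipped, whereas an absent `buggy_referer` used to keep the check on. Only an explicit opt-out should disable it: `if (isset($CFG->secureforms) and !$CFG->secureforms) {`. The `"nomatch"` sentinel is a loose `==` comparison against a caller-supplied string, so no caller may derive `$goodreferer` from request data, which is worth a comment on that branch, e.g. `// "nomatch" must come from trusted code only; it disables the check entirely`. match_referer's body continues outside the hunk.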