From ae384ef160523b6847fa43e7a4fe37303c5dfe1c Mon Sep 17 00:00:00 2001
From: moodler <moodler>
Date: Thu, 15 May 2003 15:59:52 +0000
Subject: [PATCH] New configuration variable: secureforms   (defaults to
 'true')

Replaces the old $CFG->buggy_referer (reverses it, in fact) and can
now be set in the configuration page (no need for it in config.php).
---
 admin/config.html  | 15 +++++++++++++++
 admin/config.php   |  9 ++++++++-
 config-dist.php    | 14 +-------------
 lang/en/moodle.php |  1 +
 lib/defaults.php   |  1 +
 lib/weblib.php     |  4 ++--
 6 files changed, 28 insertions(+), 16 deletions(-)

diff --git a/admin/config.html b/admin/config.html
index 64f9ff2bf7..63eb1653ec 100644
--- a/admin/config.html
+++ b/admin/config.html
@@ -287,6 +287,21 @@
     <?php print_string("configframename") ?>
     </td>
 </tr>
+<tr valign=top>
+	<td align=right><p>secureforms:</td>
+	<td>
+    <?php 
+       unset($options);
+       $options[0]  = get_string("no");
+       $options[1]  = get_string("yes");
+
+       choose_from_menu ($options, "secureforms", $config->secureforms, "", "", "");
+    ?>
+    </td>
+    <td>
+    <?php print_string("configsecureforms") ?>
+    </td>
+</tr>
 
 
 <tr>
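Review bot: The new row builds its menu with `unset($options);` followed by two index assignments, a pattern that only exists to survive a stale `$options` left over from an earlier row; `$options = array(get_string("no"), get_string("yes"));` has no such dependency and reads as a definition. The option values 0 and 1 are what ends up stored for the setting, and the consumer in lib/weblib.php tests it with `empty($CFG->secureforms)`, so the stored string "0" counts as off; a one-line comment next to `choose_from_menu` saying `// 0/1 is what match_referer() tests with empty()` would make that contract visible. The row also uses `<tr valign=top>` and an unclosed `<p>` in the label cell while the row that follows is a plain `<tr>`; if the surrounding rows in this file use the same markup this is fine, otherwise align it.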
diff --git a/admin/config.php b/admin/config.php
index 623b3ab171..944e868e15 100644
--- a/admin/config.php
+++ b/admin/config.php
@@ -33,9 +33,16 @@
     }
 
 
+/// This is to overcome the "insecure forms paradox"
+    if (isset($secureforms) and $secureforms == 0) {
+        $match = "nomatch";
+    } else {
+        $match = "";
+    }
+
 /// If data submitted, then process and store.
 
-	if ($config = data_submitted()) {
+	if ($config = data_submitted($match)) {  
 
         validate_form($config, $err);
 
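Review bot: The flag that disables the referer check, `if (isset($secureforms) and $secureforms == 0)`, is read from the incoming request (a register_globals-style variable), not from the stored `$CFG->secureforms`, so on this form the check is only applied when the submission asks to be checked; a submission carrying `secureforms=0` is accepted without a referer match and at the same time turns the check off site-wide. If the goal is to let an admin escape a form that is stuck because the referer is stripped, that is a real trade-off and deserves to be spelled out in the comment above the block rather than hidden behind "insecure forms paradox"; gating on the stored setting, `$match = empty($CFG->secureforms) ? "nomatch" : "";`, keeps the check meaningful on the one page that can disable it, and a per-session token would be the way to resolve the paradox without trusting request data. The literal `"nomatch"` is a magic value shared with match_referer() in lib/weblib.php, and a named constant would make that coupling visible; the comparison should also be `=== 0` (or a cast) given that the value arrives as a string. Line `if ($config = data_submitted($match)) {` carries trailing whitespace, and the enclosing block continues outside the hunk.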
diff --git a/config-dist.php b/config-dist.php
index 0093b62f28..d9b99e4a46 100644
--- a/config-dist.php
+++ b/config-dist.php
@@ -111,7 +111,7 @@ $CFG->directorypermissions = 0777;
 
 
 //=========================================================================
-// 6. ADMIN LOCATION  (most people can just ignore this setting)
+// 6. DIRECTORY LOCATION  (most people can just ignore this setting)
 //=========================================================================
 // A very few webhosts use /admin as a special URL for you to access a 
 // control panel or something.  Unfortunately this conflicts with the 
@@ -122,18 +122,6 @@ $CFG->directorypermissions = 0777;
 $CFG->admin = "admin";
 
 
-//=========================================================================
-// 7. TROUBLESHOOTING  (most people can just ignore this setting)
-//=========================================================================
-// A very small percentage of servers have a bug which causes HTTP_REFERER
-// not to work.  The symptoms of this are that you fill out the configure
-// form during Moodle setup but when hit save you find yourself on the 
-// same form, unable to progress.  If this happens to you, come back here
-// and set the following to true.  Otherwise this should always be false.
-
-$CFG->buggy_referer = false;
-
-
 //=========================================================================
 // ALL DONE!  To continue your setup, visit your Moodle web page.
 //=========================================================================
diff --git a/lang/en/moodle.php b/lang/en/moodle.php
index 9dbc420169..e2539888d6 100644
--- a/lang/en/moodle.php
+++ b/lang/en/moodle.php
@@ -66,6 +66,7 @@ $string['configcountry'] = "If you set a country here, then this country will be
 $string['configdebug'] = "If you turn this on, then PHP's error_reporting will be increased so that more warnings are printed.  This is only useful for developers.";
 $string['configgdversion'] = "Indicate the version of GD that is installed.  The version shown by default is the one that has been auto-detected.  Don't change this unless you really know what you're doing.";
 $string['configerrorlevel'] = "Choose the amount of PHP warnings that you want to be displayed.  Normal is usually the best choice.";
+$string['configsecureforms'] = "Moodle can use an additional level of security when accepting data from web forms. If this is enabled, then the browser's HTTP_REFERER variable is checked against the current form address.  In a very few cases this can cause problems if the user is using a firewall (eg Zonealarm) configured to strip HTTP_REFERER from their web traffic.  Symptoms are getting 'stuck' on a form. If your users are having problems with the login page (for example) you might want to disable this setting, although it might leave your site more open to brute-force password attacks.  If in doubt, leave this set to 'Yes'.";
 $string['confightmleditor'] = "Choose whether or not to allow use of the embedded HTML text editor. Even if you choose allow, this editor will only appear when the user is using a compatible browser (IE 5.5 or later).  Users can also choose not to use it.";
 $string['configintro'] = "On this page you can specify a number of configuration variables that help make Moodle work properly on your server.  Don't worry too much about it - the defaults will usually work fine and you can always come back to this page later and change these settings.";
 $string['configintroadmin'] = "On this page you should configure your main administrator account which will have complete control over the site. Make sure you give it a secure username and password as well as a valid email address.  You can create more admin accounts later on.";
diff --git a/lib/defaults.php b/lib/defaults.php
index db054facd6..02f3d63985 100644
--- a/lib/defaults.php
+++ b/lib/defaults.php
@@ -8,6 +8,7 @@
        "changepassword"   =>  true,
        "country"          => "",
        "debug"            =>  7,
+       "secureforms"      =>  true,
        "framename"        =>  "_top",
        "gdversion"        =>  1,
        "guestloginbutton" =>  1,
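Review bot: The new entry `"secureforms" => true,` is the only boolean among neighbouring on/off flags that are stored as integers (`"guestloginbutton" => 1` below), and the menu added in admin/config.html writes 0/1 for this setting; `"secureforms" => 1,` would keep the stored representation uniform. Nothing visible in the patch carries an existing `$CFG->buggy_referer = true` from a site's config.php over to the new setting, so sites that needed the old workaround will presumably come up with the check enabled after upgrade and have to turn it off by hand; if that is intended, a sentence in the commit message or an upgrade note should say so.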
diff --git a/lib/weblib.php b/lib/weblib.php
index b0eba3b8d9..81b386be0f 100644
--- a/lib/weblib.php
+++ b/lib/weblib.php
@@ -134,11 +134,11 @@ function match_referer($goodreferer = "") {
 /// goodreferer is not specified, use qualified_me as the goodreferer 
     global $CFG;
 
-    if (!empty($CFG->buggy_referer)) {
+    if (empty($CFG->secureforms)) {    // Don't bother checking referer
         return true;
     }
 
-    if ($goodreferer == "nomatch") {
+    if ($goodreferer == "nomatch") {   // Don't bother checking referer
         return true;
     }
 
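Review bot: Both early returns now carry the identical comment `// Don't bother checking referer`, which hides that they answer different questions: the first is the site-wide admin setting, the second a per-call opt-out passed in by the caller. Suggest `// Site-wide setting switched off by the admin (admin/config.html)` on the first and `// Caller explicitly asked to skip the check (the config form passes "nomatch")` on the second, and `$goodreferer === "nomatch"` for the comparison, since a loose `==` against a string literal is not what is wanted here. Note that `empty()` also treats the stored string "0" as off, which is exactly what the 0/1 menu produces, so the behaviour is right even though it is not obvious from the line. match_referer starts and ends outside this hunk.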
-- 
2.39.5