mahara-contributors team mailing list archive

Thread
Date

[Bug 1387903] Re: Should not be able to execute CLI scripts from the web

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Robert Lyon <robertl@xxxxxxxxxxxxxxx>
Date: Fri, 17 Apr 2015 02:03:20 -0000
Reply-to: Bug 1387903 <1387903@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: mahara
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1387903

Title:
  Should not be able to execute CLI scripts from the web

Status in Mahara ePortfolio:
  Fix Released
Status in Mahara 1.10 series:
  Fix Released
Status in Mahara 1.8 series:
  Fix Released
Status in Mahara 1.9 series:
  Fix Released
Status in Mahara 15.04 series:
  Fix Released

Bug description:
  Mahara includes a few scripts that are meant to be executed only from
  the command line (most notably the ones under /admin/cli. Currently,
  though, there's no check to make sure these are being accessed from
  the command-line rather than from the web server!

  This is a security flaw. CLI scripts are intended to be accessible
  only by admins with CLI access to the server.

  Since we put "define('CLI', 1);" at the top of every CLI script, it
  should be easy to safeguard against this.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1387903/+subscriptions