Author Topic: Security concern about extensions and suggested configuration (Read 990 times)

xavier · November 28, 2012, 05:31:12 am

Hi,

So the latest version of civi wants you to have the url extension set, even if you don't have any extension that needs to be accessed via the web. It's more or less mandatory to set it, otherwise you get error messages all the time nagging you to set it.

On the other hand, it's as well more or less mandatory to have the extension folder to be writable by the webserver user (www-data), so it's possible to download the extensions and install them directly.

When you put the two together, it means that you need to have a web writable folder that is under the public html root and that needs to be able to exectute php.

Am I right it's a security issue? On the usual installation, I try to limit to a strict minimum where www-data can write, and I try to put them (eg. template_c) into a folder that isn't under the web folder.

This is even more of a concern that any trivial bug like if it doesn't properly check files an extension can upload (eg to be really sure it isn't a php), and the extensions are likely to be not as well examined than code in the core.

Would it be possible to have an option of having the extensions that are manually installed only and owned by a different user than www-data? or have an option to disable the url extension check so civi stop screaming if I don't want to use this feature?

Or any better suggestion, including that I'm paranoid and I should take my pills

totten · November 28, 2012, 05:57:09 am

There are a few things you can do:

1. In 4.2, you can disable the downloading feature for extensions by modifying ext_repo_url. IIRC, doing so will suppress warnings about un-writeable folders.

$civicrm_setting['Extension Preferences']['ext_repo_url'] = false;

Perhaps we should add a note to that affect on the wiki:

http://wiki.civicrm.org/confluence/display/CRMDOC42/Extensions

2. It's not necessary to enable execution of .php files in the extensions directory. This is because all extension code is loaded via inclusion -- extensions should not include public-facing .php files. (There are multiple issues with doing that.) This doesn't resolve security concerns, but it should mitigate them.

3. In 4.3, we've done considerable refactoring and unit-testing for the extension-management layer with the goal of letting one store extensions in different, non-writable, sharable locations. See http://issues.civicrm.org/jira/browse/CRM-11045 . To determine where extensions can be stored, see CRM_Extension_System::getFullContainer().

xavier · November 30, 2012, 09:01:41 am

Nice tips. I did update the wiki

X+

CiviCRM Community Forums (archive)

News:

Author Topic: Security concern about extensions and suggested configuration (Read 990 times)

xavier

Security concern about extensions and suggested configuration

totten

Re: Security concern about extensions and suggested configuration

xavier

Re: Security concern about extensions and suggested configuration