CiviCRM Community Forums (archive)

*

News:

Have a question about CiviCRM?
Get it answered quickly at the new
CiviCRM Stack Exchange Q+A site

This forum was archived on 25 November 2017. Learn more.
How to get involved.
What to do if you think you've found a bug.



  • CiviCRM Community Forums (archive) »
  • Discussion »
  • Extensions (Moderators: mathieu, totten, kasiawaka) »
  • Security concern about extensions and suggested configuration
Pages: [1]

Author Topic: Security concern about extensions and suggested configuration  (Read 990 times)

xavier

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4453
  • Karma: 161
    • Tech To The People
  • CiviCRM version: yes probably
  • CMS version: drupal
Security concern about extensions and suggested configuration
November 28, 2012, 05:31:12 am
Hi,

So the latest version of civi wants you to have the url extension set, even if you don't have any extension that needs to be accessed via the web. It's more or less mandatory to set it, otherwise you get error messages all the time nagging you to set it.

On the other hand, it's as well more or less mandatory to have the extension folder to be writable by the webserver user (www-data), so it's possible to download the extensions and install them directly.

When you put the two together, it means that you need to have a web writable folder that is under the public html root and that needs to be able to exectute php.

Am I right it's a security issue? On the usual installation, I try to limit to a strict minimum where www-data can write, and I try to put them (eg. template_c) into a folder that isn't under the web folder.

This is even more of a concern that any trivial bug like if it doesn't properly check files an extension can upload (eg to be really sure it isn't a php), and the extensions are likely to be not as well examined than code in the core.

Would it be possible to have an option of having the extensions that are manually installed only and owned by a different user than www-data? or have an option to disable the url extension check so civi stop screaming if I don't want to use this feature?

Or any better suggestion, including that I'm paranoid and I should take my pills ;)
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result

totten

  • Administrator
  • Ask me questions
  • *****
  • Posts: 695
  • Karma: 64
Re: Security concern about extensions and suggested configuration
November 28, 2012, 05:57:09 am
There are a few things you can do:

1. In 4.2, you can disable the downloading feature for extensions by modifying ext_repo_url. IIRC, doing so will suppress warnings about un-writeable folders.

$civicrm_setting['Extension Preferences']['ext_repo_url'] = false;

Perhaps we should add a note to that affect on the wiki:

http://wiki.civicrm.org/confluence/display/CRMDOC42/Extensions

2. It's not necessary to enable execution of .php files in the extensions directory. This is because all extension code is loaded via inclusion -- extensions should not include public-facing .php files. (There are multiple issues with doing that.) This doesn't resolve security concerns, but it should mitigate them.

3. In 4.3, we've done considerable refactoring and unit-testing for the extension-management layer with the goal of letting one store extensions in different, non-writable, sharable locations. See http://issues.civicrm.org/jira/browse/CRM-11045 . To determine where extensions can be stored, see CRM_Extension_System::getFullContainer().

xavier

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4453
  • Karma: 161
    • Tech To The People
  • CiviCRM version: yes probably
  • CMS version: drupal
Re: Security concern about extensions and suggested configuration
November 30, 2012, 09:01:41 am
Nice tips. I did update the wiki

X+
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result

Pages: [1]
  • CiviCRM Community Forums (archive) »
  • Discussion »
  • Extensions (Moderators: mathieu, totten, kasiawaka) »
  • Security concern about extensions and suggested configuration

This forum was archived on 2017-11-26.