CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017.




Author Topic: 4.4.4. security check performance problems  (Read 908 times)

nigel_currie

4.4.4. security check performance problems
February 14, 2014, 04:50:17 am
Been having performance issues on my staging server post 4.4.4. upgrade. Have narrowed it down to the new security check - if I comment out the line (in CRM_Core_Page):

CRM_Utils_Check_Security::singleton()->showPeriodicAlerts();

It works fine. Any ideas?

Chris Burgess

Re: 4.4.4. security check performance problems
February 15, 2014, 01:29:02 am
Could you elaborate on "performance problems"?

You can disable the security checks (hidden system setting can be set in civicrm.settings.php, which I can't recall the name of right now).
@xurizaemon ● www.fuzion.co.nz

Chris Burgess

Re: 4.4.4. security check performance problems
February 16, 2014, 07:28:44 pm
The CiviCRM docs on assigning CiviCRM settings which have no UI are @ https://wiki.civicrm.org/confluence/display/CRMDOC/Override+CiviCRM+Settings - but I don't see the setting to disable security checks in CiviCRM core, so I wonder if that was removed ... if so I'm not sure why.

Anyway, I'm wondering if the performance issue might be because you have a lot of files in the upload directories? Would be useful to have some more information if you're able to give more input.

@xurizaemon ● www.fuzion.co.nz

Eileen

Re: 4.4.4. security check performance problems
February 16, 2014, 08:03:46 pm
Chris - that page hasn't been edited since Nov - so it wasn't removed - it's a new setting so it was never added...
Make today the day you step up to support CiviCRM and all the amazing organisations that are using it to improve our world - http://civicrm.org/contribute

Chris Burgess

Re: 4.4.4. security check performance problems
February 16, 2014, 08:12:11 pm
Sorry, that was a bit of a confusing post - bad network here & I was struggling to get https://github.com/civicrm/civicrm-core/blob/master/settings/Core.setting.php to load to check if the setting was in there.

I thought that in my PR 2821 or so, I added a setting (you'll prob recall Eileen, think you helped point me at the right xml) to disable the checks. I think that setting was removed before the PR for CRM-14091 was merged ... or something.

But yeah, I meant "did not get included in the PR" (https://github.com/civicrm/civicrm-core/pull/2475/files) not "was removed from the wiki".
@xurizaemon ● www.fuzion.co.nz

nigel_currie

Re: 4.4.4. security check performance problems
February 23, 2014, 11:00:56 am
Still having problems with this.

On my staging server (which is accessed by IP address) file_get_contents() times out after 2 minutes as it's disallowed by the firewall. My hosting guys tell me that such calls are a known hacking vector.

Oddly, on the live box it works OK, but the security check fails in checkUploadsAreNotAccessible() when it calls file_get_contents() on the media folder (I'm on Joomla). This folder should be omitted from the check, really, as I can't disallow access with an .htaccess file without breaking loads of stuff.

Chris Burgess

Re: 4.4.4. security check performance problems
February 23, 2014, 11:07:09 am
  • good point re timeout - we should reduce that to a second or two since timing out on the same server will prevent your page loading
  • there should be a means to disable this functionality but it may not have made it in with the rest of the PR
  • to help you with the live server issue will need more *specific* detail (is it really only after the media dir? Or files within it?)
@xurizaemon ● www.fuzion.co.nz
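
Added example, not part of the original thread and not CiviCRM's own code: a PHP version of the upload-directory probe discussed above, with the HTTP fetch bounded to a couple of seconds so that a firewalled loopback request gives an inconclusive result instead of stalling the page. The function name, parameters, return values and the sample path and URL are hypothetical.

```php
<?php
// Added illustration. probe_upload_dir_exposure() is a hypothetical helper,
// not CiviCRM's checkUploadsAreNotAccessible().

/**
 * Writes a random marker file into $dir, requests it through $baseUrl and
 * reports 'exposed', 'protected' or 'unknown' (inconclusive).
 */
function probe_upload_dir_exposure(string $dir, string $baseUrl, float $timeout = 2.0): string
{
    // Random name and content, so a cached or unrelated response cannot match.
    $name   = 'probe-' . bin2hex(random_bytes(8)) . '.txt';
    $marker = bin2hex(random_bytes(16));
    $path   = rtrim($dir, '/') . '/' . $name;

    if (@file_put_contents($path, $marker) === false) {
        return 'unknown'; // marker could not be written, nothing to test
    }

    $body = false;
    try {
        $ctx = stream_context_create(['http' => [
            'method'          => 'GET',
            'timeout'         => $timeout, // seconds; caps the wait when a firewall drops the request
            'ignore_errors'   => true,     // return the body on 403/404 instead of failing
            'follow_location' => 0,        // a redirect to a login page is not the file itself
        ]]);
        $body = @file_get_contents(rtrim($baseUrl, '/') . '/' . $name, false, $ctx);
    } finally {
        @unlink($path); // always remove the marker, even if the fetch failed
    }

    if ($body === false) {
        // Timeout, blocked outbound request or allow_url_fopen disabled:
        // report "could not check" rather than "safe" or "unsafe".
        return 'unknown';
    }

    // Only a response carrying the marker proves the directory is web-readable.
    return strpos($body, $marker) !== false ? 'exposed' : 'protected';
}

// Constructed sample values:
// echo probe_upload_dir_exposure('/var/www/example/upload', 'https://crm.example.org/upload');
```

Treating a failed fetch as 'unknown' keeps a blocked request, like the staging-server case above, from being reported as either a pass or a failure.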


This forum was archived on 2017-11-26.