Commit e1853f50 authored by solotandem's avatar solotandem

Prevent unauthenticated remote code execution.

  Only allow command line invocation of the 'coder_upgrade.run.php' script
  by the 'exec' call within the submit handler of coder_upgrade.
parent 10046789
......@@ -51,6 +51,12 @@
* Copyright 2009-11 by Jim Berry ("solotandem", http://drupal.org/user/240748)
*/
if (!script_is_cli()) {
// Without proper web server configuration, this script can be invoked from a
// browser and is vulnerable to misuse.
return;
}
// Save memory usage for printing later (when code is loaded).
$usage = array();
save_memory_usage('start', $usage);
......@@ -210,3 +216,12 @@ function error_handler($code, $message, $file, $line) {
}
throw new ErrorException($message, 0, $code, $file, $line);
}
/**
* Returns boolean indicating whether script is being run from the command line.
*
* @see drupal_is_cli()
*/
function script_is_cli() {
return (!isset($_SERVER['SERVER_SOFTWARE']) && (php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0)));
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment