From b64b9715d6bd547a3ff6b81fe53ef0bfd7678d7a Mon Sep 17 00:00:00 2001 From: webchick <webchick@24967.no-reply.drupal.org> Date: Thu, 30 Aug 2012 15:30:34 -0700 Subject: [PATCH] Issue #932110 by Albert Volkman, David_Rothstein, marji, jurgenhaas: On some servers, Drupal 7 allows administrators to directly execute arbitrary code even without the PHP module. --- sites/default/default.settings.php | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php index b063812d5ea1..10bd2551172d 100755 --- a/sites/default/default.settings.php +++ b/sites/default/default.settings.php @@ -551,13 +551,21 @@ * * The Update Manager module included with Drupal provides a mechanism for * site administrators to securely install missing updates for the site - * directly through the web user interface by providing either SSH or FTP - * credentials. This allows the site to update the new files as the user who - * owns all the Drupal files, instead of as the user the webserver is running - * as. However, some sites might wish to disable this functionality, and only - * update the code directly via SSH or FTP themselves. This setting completely + * directly through the web user interface. On securely-configured servers, + * the Update manager will require the administrator to provide SSH or FTP + * credentials before allowing the installation to proceed; this allows the + * site to update the new files as the user who owns all the Drupal files, + * instead of as the user the webserver is running as. On servers where the + * webserver user is itself the owner of the Drupal files, the administrator + * will not be prompted for SSH or FTP credentials (note that these server + * setups are common on shared hosting, but are inherently insecure). + * + * Some sites might wish to disable the above functionality, and only update + * the code directly via SSH or FTP themselves. This setting completely * disables all functionality related to these authorized file operations. * + * @see http://drupal.org/node/244924 + * * Remove the leading hash signs to disable. */ # $conf['allow_authorize_operations'] = FALSE; -- GitLab