Commit 13727009 authored by Gábor Hojtsy's avatar Gábor Hojtsy

#170638 by JirkaRybka and chx: move update access variable to settings.php, so...

#170638 by JirkaRybka and chx: move update access variable to settings.php, so we can check whether it is wide open, and we have one place for settings
parent 43d73f81
......@@ -25,8 +25,8 @@ UPGRADING
2. Log on as the user with user ID 1. User ID 1 is the first
account created and the main administrator account. User
ID 1 needs to be logged in so that you can access update.php
(step 9) which can only be run by user ID 1. Do not close
your browser until step 10 is complete.
(step 10) which can only be run by user ID 1. Do not close
your browser until step 11 is complete.
3. Place the site in "Off-line" mode, to mask any errors from
site visitors.
......@@ -64,13 +64,14 @@ UPGRADING
Note: if you are unable to access update.php do the following:
- Open update.php with a text editor.
- Open your settings.php with a text editor.
- There is a line near top of update.php that says
$access_check = TRUE;. Change it to $access_check = FALSE;.
- There is a line that says $update_free_access = FALSE;.
Change it to $update_free_access = TRUE;.
- As soon as the script is done, you must change the update.php
script back to its original form to $access_check = TRUE;.
- As soon as the update.php script is done, you must change
the settings.php file back to its original form with
$update_free_access = FALSE;.
11. Finally, return site to "Online" mode so your visitors may resume
browsing.
......
......@@ -274,7 +274,7 @@ function conf_init() {
global $base_url, $base_path, $base_root;
// Export the following settings.php variables to the global namespace
global $db_url, $db_prefix, $cookie_domain, $conf, $installed_profile;
global $db_url, $db_prefix, $cookie_domain, $conf, $installed_profile, $update_free_access;
$conf = array();
if (file_exists('./'. conf_path() .'/settings.php')) {
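Review bot: `$update_free_access` is exported to the global scope here but never given a default, so a settings.php written before this commit (the settings.php hunk only adds the assignment to the default template) leaves it unset — and, where `register_globals` is enabled, leaves it holding whatever request input populated it. The consumers in update.php (`!empty($update_free_access)`) and system.install (`!empty($GLOBALS['update_free_access'])`) fail closed on an unset value, but the bypass switch should not depend on the variable never having been assigned by anything other than settings.php. Initialise it before the include, next to `$conf = array();`: `$update_free_access = FALSE;`. conf_init() begins before this hunk and the settings.php include itself lies outside it.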
......
......@@ -105,7 +105,7 @@ function system_requirements($phase) {
}
$requirements['cron'] += array('description' => '');
$requirements['cron']['description'] .= ' '. t('You can <a href="@cron">run cron manually</a>.', array('@cron' => url('admin/logs/status/run-cron')));
$requirements['cron']['description'] .= ' '. $t('You can <a href="@cron">run cron manually</a>.', array('@cron' => url('admin/logs/status/run-cron')));
$requirements['cron']['title'] = $t('Cron maintenance tasks');
}
......@@ -166,6 +166,23 @@ function system_requirements($phase) {
}
}
// Verify the update.php access setting
if ($phase == 'runtime') {
if (!empty($GLOBALS['update_free_access'])) {
$requirements['update access'] = array(
'value' => $t('Not protected'),
'severity' => REQUIREMENT_ERROR,
'description' => $t('The update.php script is accessible to everyone without authentication check, which is a security risk. You must change the $update_free_access value in your settings.php back to FALSE.'),
);
}
else {
$requirements['update access'] = array(
'value' => $t('Protected'),
);
}
$requirements['update access']['title'] = $t('Access to update.php');
}
// Test Unicode library
include_once './includes/unicode.inc';
$requirements = array_merge($requirements, unicode_requirements());
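Review bot: The `!empty($GLOBALS['update_free_access'])` test in the new 'update access' requirement has to stay in lockstep with the access condition in update.php, otherwise the status report can say "Protected" while update.php is actually open; a comment would pin that down: `// Must use the same test as the access check in update.php: any non-empty value opens update.php.`. The two branches also build the same array with a different value; assigning `$requirements['update access'] = array('title' => $t('Access to update.php'), 'value' => $t('Protected'));` first and then overriding `value`, `severity` and `description` inside the single `if` avoids the duplication and keeps `title` with its siblings. The `t()` to `$t()` change in the cron requirement at the top of this file section is a separate fix that the commit message does not mention.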
......
......@@ -93,6 +93,17 @@
$db_url = 'mysql://username:password@localhost/databasename';
$db_prefix = '';
/**
* Access control for update.php script
*
* If you are updating your Drupal installation using the update.php script
* being not logged in as administrator, you will need to modify the access
* check statement below. Change the FALSE to a TRUE to disable the access
* check. After finishing the upgrade, be sure to open this file again
* and change the TRUE back to a FALSE!
*/
$update_free_access = FALSE;
/**
* Base URL (optional).
*
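Review bot: The docblock above `$update_free_access` tells the administrator to revert the value but not how to confirm it was reverted; the status report added in system.install shows an error while this is TRUE, and pointing to it here closes the loop with a line such as `* While this is TRUE, the status report (admin/logs/status) shows an error as a reminder.`. It may also help to state that the check is on a non-empty value, so only the literal FALSE (or leaving the line as shipped) keeps update.php protected.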
......
......@@ -9,14 +9,10 @@
* instructions.
*
* If you are not logged in as administrator, you will need to modify the access
* check statement below. Change the TRUE to a FALSE to disable the access
* check. After finishing the upgrade, be sure to open this file and change the
* FALSE back to a TRUE!
* check statement inside your settings.php file. After finishing the upgrade,
* be sure to open settings.php again, and change it back to its original state!
*/
// Enforce access checking?
$access_check = TRUE;
/**
* Add a column to a database using syntax appropriate for PostgreSQL.
* Save result of SQL commands in $ret array.
......@@ -427,8 +423,8 @@ function update_results_page() {
$output = '<p class="error">The update process was aborted prematurely while running <strong>update #'. $version .' in '. $module .'.module</strong>. All other errors have been <a href="index.php?q=admin/logs/watchdog">logged</a>. You may need to check the <code>watchdog</code> database table manually.</p>';
}
if ($GLOBALS['access_check'] == FALSE) {
$output .= "<p><strong>Reminder: don't forget to set the <code>\$access_check</code> value at the top of <code>update.php</code> back to <code>TRUE</code>.</strong></p>";
if (!empty($GLOBALS['update_free_access'])) {
$output .= "<p><strong>Reminder: don't forget to set the <code>\$update_free_access</code> value in your <code>settings.php</code> file back to <code>FALSE</code>.</strong></p>";
}
$output .= theme('item_list', $links);
......@@ -482,11 +478,11 @@ function update_info_page() {
function update_access_denied_page() {
drupal_set_title('Access denied');
return '<p>Access denied. You are not authorized to access this page. Please log in as the admin user (the first user you created). If you cannot log in, you will have to edit <code>update.php</code> to bypass this access check. To do this:</p>
return '<p>Access denied. You are not authorized to access this page. Please log in as the admin user (the first user you created). If you cannot log in, you will have to edit <code>settings.php</code> to bypass this access check. To do this:</p>
<ol>
<li>With a text editor find the update.php file on your system. It should be in the main Drupal directory that you installed all the files into.</li>
<li>There is a line near top of update.php that says <code>$access_check = TRUE;</code>. Change it to <code>$access_check = FALSE;</code>.</li>
<li>As soon as the script is done, you must change the update.php script back to its original form to <code>$access_check = TRUE;</code>.</li>
<li>With a text editor find the settings.php file on your system. From the main Drupal directory that you installed all the files into, go to <code>sites/your_site_name</code> if such directory exists, or else to <code>sites/default</code> which applies otherwise.</li>
<li>There is a line inside your settings.php file that says <code>$update_free_access = FALSE;</code>. Change it to <code>$update_free_access = TRUE;</code>.</li>
<li>As soon as the update.php script is done, you must change the settings.php file back to its original form with <code>$update_free_access = FALSE;</code>.</li>
<li>To avoid having this problem in future, remember to log in to your website as the admin user (the user you first created) before you backup your database at the beginning of the update process.</li>
</ol>';
}
......@@ -815,7 +811,7 @@ function update_task_list($active = NULL) {
ini_set('display_errors', TRUE);
// Access check:
if (($access_check == FALSE) || ($user->uid == 1)) {
if (!empty($update_free_access) || $user->uid == 1) {
include_once './includes/install.inc';
include_once './includes/batch.inc';
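Review bot: At `if (!empty($update_free_access) || $user->uid == 1)` the variable is read as a bare file-scope variable and nothing in update.php shows where it comes from; the `// Access check:` comment should say so, e.g. `// $update_free_access is set in settings.php and exported by conf_init(); any non-empty value bypasses the uid-1 requirement.`. The reminder in update_results_page() and the instructions in update_access_denied_page() earlier in this section already use the new name, so they agree with this check. This hunk appears to be top-level script code (the `@@` context names update_task_list only as the nearest preceding definition), and the statements around it are outside the hunk.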
......