Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-60234

Add possibility to disable admin warning if a development libs directory exists

XMLWordPrintable

    • MOODLE_33_STABLE
    • MOODLE_34_STABLE
    • MDL-60234-master
    • Easy
    • Hide

      Prerequisites:

      • Make sure that your Moodle installation contains a /node_modules and / or /vendor directory. It does not matter if this directory contains any files
      • Login to Moodle as admin

      Test 1

      • Go the the systems notification page (/admin/index.php)
      • You will see a warning box saying "Directories with development libraries, especially <em>/vendor</em> and <em>/node_modules</em>, should not be present on public sites. See the <a href="{$a->moreinfourl}">security overview report</a> for more details."
      • Add this to your config.php file: 

        $CFG->disabledevlibdirscheck = true;

      • Go the the systems notification page (/admin/index.php) again
      • You must not see the warning box again

      Test 2

      • Go the the security overview report (/report/security/index.php)
      • You will see a warning saying "The vendor directory should not be present on public sites." and / or "The node_modules directory should not be present on public sites." (depending which directories you created at the very beginning of this test)
      • Add this to your config.php file: 

        $CFG->disabledevlibdirscheck = true;

      • Go the the security overview report (/report/security/index.php) again
      • You must still see the same warnings as above.
      Show
      Prerequisites: Make sure that your Moodle installation contains a /node_modules and / or /vendor directory. It does not matter if this directory contains any files Login to Moodle as admin Test 1 Go the the systems notification page (/admin/index.php) You will see a warning box saying "Directories with development libraries, especially <em>/vendor</em> and <em>/node_modules</em>, should not be present on public sites. See the <a href="{$a->moreinfourl}">security overview report</a> for more details." Add this to your config.php file: $CFG->disabledevlibdirscheck = true; Go the the systems notification page (/admin/index.php) again You must not see the warning box again Test 2 Go the the security overview report (/report/security/index.php) You will see a warning saying "The vendor directory should not be present on public sites." and / or "The node_modules directory should not be present on public sites." (depending which directories you created at the very beginning of this test) Add this to your config.php file: $CFG->disabledevlibdirscheck = true; Go the the security overview report (/report/security/index.php) again You must still see the same warnings as above.

      MDL-59969 introduced a warning for admins if there are development libraries in the Moodle directory and advises to remove them or at least prevent access to them in the webserver. I am grateful for this hint as it gives a big heads-up to admins.

      However, there are deployment strategies where you want to have the development libraries on the development / staging systems and just push the whole Moodle codebase (including development libraries) to the prod system when doing an update for production.

      As a thorough admin, I prefer having the same codebase on all systems of the software lifecycle and will, of course, forbid web access to /node_modules and /vendor (besides other files like README.md, CHANGELOG.md which might leak other sensitive information like software versions).

      For me, this warning from MDL-59969 now is a false-positive because it only checks for the existence of /node_modules or /vendor on the server and not if they really can be accessed by a browser. It would be great if there could be a live check (via curl for example) for the availability of these directories before showing the warning. However, I am aware that this would be a tightrope walk between prevent bugging the admin with a useless warning and triggering a false-negative in webserver configuration edge cases.

            abias Alexander Bias
            abias Alexander Bias
            David Mudrák (@mudrd8mz) David Mudrák (@mudrd8mz)
            Andrew Lyons Andrew Lyons
            Ryan Wyllie Ryan Wyllie
            Votes:
            1 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved:

                Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.