eZ Publish / Platform, EZP-17099

ezcache.php: Get confirmation when clearing dangerous directories (patch)

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: 4.2.0, 4.3.0, 4.4.0alpha5
    • Fix Version/s: 4.2.1, 4.3.1, 4.4.0beta2
    • Component/s: Caching
    • Labels:
      None

      Description

      Given a combination of unfortunate conditions, like this:

      • Bad ini settings, such as CacheDir=/
      • The patch for related issue #17097 is not applied
      • The option --purge is used
      • ezcache.php is run as root

      ...it is possible to end up deleting the system-wide root directory of a Unix system, i.e. destroying the system. We can't make a complete fix for this because the settings allow you to use cache directories outside of the eZ Publish directory, and we can't (shouldn't) block the use of the root user. However, the patch reduces the chance of this happening by showing a list of dangerous directories and requiring the user to confirm them.

      A directory is considered dangerous if it is outside of the eZ Publish directory, and has fewer than two path elements:

      • Dangerous: /foo
      • OK: /foo/bar

      Root directories (like / and C:) will be refused.
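
The classification rule described above, as an added example for PHP 7.1 or later. It is not the patch attached to this issue or any eZ Publish code: the function names `splitPath` and `classifyCacheDir`, the three return values and the sample paths are assumptions made for illustration.

```php
<?php
// Added illustration, not the eZ Publish patch. Function names are hypothetical.
// Purely lexical: symlinks are not resolved.

// Split a path into [drive, elements], resolving "." and ".." lexically.
function splitPath(string $path): array
{
    $path = str_replace('\\', '/', $path);
    $drive = '';
    if (preg_match('#^([A-Za-z]:)(.*)$#', $path, $m)) {
        $drive = strtoupper($m[1]);
        $path = $m[2];
    }
    $elements = [];
    foreach (explode('/', $path) as $part) {
        if ($part === '' || $part === '.') {
            continue;
        }
        if ($part === '..') {
            array_pop($elements); // cannot climb above the root
        } else {
            $elements[] = $part;
        }
    }
    return [$drive, $elements];
}

// Returns 'refuse', 'confirm' or 'ok'. $installDir must be absolute.
function classifyCacheDir(string $cacheDir, string $installDir): string
{
    if (!preg_match('#^([A-Za-z]:|[/\\\\])#', $cacheDir)) {
        $cacheDir = $installDir . '/' . $cacheDir; // relative setting
    }
    [$drive, $elements] = splitPath($cacheDir);
    [$instDrive, $instElements] = splitPath($installDir);
    if ($elements === []) {
        return 'refuse'; // "/" or "C:"
    }
    $inside = $drive === $instDrive
        && array_slice($elements, 0, count($instElements)) === $instElements;
    if ($inside) {
        return 'ok';
    }
    return count($elements) < 2 ? 'confirm' : 'ok';
}

// Constructed sample settings, checked against a constructed install directory.
foreach (['/', 'C:', '/foo', '/foo/bar', 'var/cache', '/srv/ez/../..'] as $dir) {
    printf("%-14s %s\n", $dir, classifyCacheDir($dir, '/srv/ez'));
}
```

Normalizing before counting matters: a setting such as `/srv/ez/../..` has four textual segments but resolves to the root directory, so counting raw segments would let it through.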

              People

              Assignee:
              gl (inactive) Gunnstein Lye
              Reporter:
              gl (inactive) Gunnstein Lye