Uploaded image for project: 'eZ Publish / Platform'
  1. eZ Publish / Platform
  2. EZP-17099

ezcache.php: Get confirmation when clearing dangerous directories (patch)

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: 4.2.0, 4.3.0, 4.4.0alpha5
    • Fix Version/s: 4.2.1, 4.3.1, 4.4.0beta2
    • Component/s: Caching
    • Labels:
      None

      Description

      Given a combination of unfortunate conditions, like this:

      • Bad ini settings, such as CacheDir=/
      • The patch for related issue #17097 is not applied
      • The option --purge is used
      • ezcache.php is run as root

      ...it is possible to end up deleting the system wide root directory of a unix system, i.e. destroying the system. We can't make a complete fix for this because the settings allow you to use cache directories outside of the eZ Publish directory, and we can't (shouldn't) block the use of the root user. However, the patch reduces the chance of this happening by showing a list of dangerous directories and requiring the user to confirm them.

      A directory is considered dangerous if it is outside of the eZ Publish directory, and has less than two path elements:

      • Dangerous: /foo
      • OK: /foo/bar

      Root directories (like / and C:) will be refused.

        Attachments

        1. ezcache.php-warning.diff
          4 kB
          (inactive) Gunnstein Lye

          Issue Links

            Activity

              People

              • Assignee:
                gl (inactive) Gunnstein Lye
                Reporter:
                gl (inactive) Gunnstein Lye
              • Votes:
                0 Vote for this issue
                Watchers:
                0 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: