MDL-68486 auth_shibboleth: Reset convert_data if it uses dataroot file

Upgrade step that resets the 'Data modification API' (convert_data) setting to its default value if this setting is currently configured to use a file located within the $CFG->dataroot directory.

MDL-68486 auth_shibboleth: Reset convert_data if it uses dataroot file
Upgrade step that resets the 'Data modification API' (convert_data) setting to its default value if this setting is currently configured to use a file located within the $CFG->dataroot directory.
06a338f0 · Mihail Geshoski · Jake Dallimore · 6c51299e · 06a338f0 · 06a338f0
Commit 06a338f0 authored Nov 27, 2020 by Mihail Geshoski Committed by Jake Dallimore Jan 13, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 2 deletions

auth/shibboleth/db/upgrade.php auth/shibboleth/db/upgrade.php +23 -1

auth/shibboleth/version.php auth/shibboleth/version.php +1 -1

No files found.
--- a/auth/shibboleth/db/upgrade.php
+++ b/auth/shibboleth/db/upgrade.php
@@ -30,7 +30,7 @@ defined('MOODLE_INTERNAL') || die();
 * @return bool result
 */
 function xmldb_auth_shibboleth_upgrade($oldversion) {
-    global $CFG, $DB;
+    global $CFG, $DB, $OUTPUT;

    // Automatically generated Moodle v3.5.0 release upgrade line.
    // Put any upgrade step following this.
@@ -47,5 +47,27 @@ function xmldb_auth_shibboleth_upgrade($oldversion) {
    // Automatically generated Moodle v3.9.0 release upgrade line.
    // Put any upgrade step following this.

+    if ($oldversion < 2021052501) {
+        // The 'Data modification API' setting in the Shibboleth authentication plugin can no longer be configured
+        // to use files located within the site data directory, as it exposes the site to security risks. Therefore,
+        // we need to find every existing case and reset the 'Data modification API' setting to its default value.
+
+        $convertdataconfig = get_config('auth_shibboleth', 'convert_data');
+
+        if (preg_match('/' . preg_quote($CFG->dataroot, '/') . '/', realpath($convertdataconfig))) {
+            set_config('convert_data', '', 'auth_shibboleth');
+
+            $warn = 'Your \'Data modification API\' setting in the Shibboleth authentication plugin is currently
+            configured to use a file located within the current site data directory ($CFG->dataroot). You are no
+            longer able to use files from within this directory for this purpose as it exposes your site to security
+            risks. This setting has been reset to its default value. Please reconfigure it by providing a path
+            to a file which is not located within the site data directory.';
+
+            echo $OUTPUT->notification($warn, 'notifyproblem');
+        }
+
+        upgrade_plugin_savepoint(true, 2021052501, 'auth', 'shibboleth');
+    }
+
    return true;
 }
--- a/auth/shibboleth/version.php
+++ b/auth/shibboleth/version.php
@@ -25,6 +25,6 @@

 defined('MOODLE_INTERNAL') || die();

-$plugin->version   = 2021052500;        // The current plugin version (Date: YYYYMMDDXX)
+$plugin->version   = 2021052501;        // The current plugin version (Date: YYYYMMDDXX)
 $plugin->requires  = 2021052500;        // Requires this Moodle version
 $plugin->component = 'auth_shibboleth'; // Full name of the plugin (used for diagnostics)