MDL-68486 auth_shibboleth: Reset convert_data if it uses dataroot file

Upgrade step that resets the 'Data modification API' (convert_data) setting to its default value if this setting is currently configured to use a file located within the $CFG->dataroot directory.
gjb2048 · Jan 13, 2021 · 06a338f · 06a338f
1 parent 6c51299
commit 06a338f
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 2 deletions.
diff --git a/auth/shibboleth/db/upgrade.php b/auth/shibboleth/db/upgrade.php
@@ -30,7 +30,7 @@
  * @return bool result
  */
 function xmldb_auth_shibboleth_upgrade($oldversion) {
-    global $CFG, $DB;
+    global $CFG, $DB, $OUTPUT;
 
     // Automatically generated Moodle v3.5.0 release upgrade line.
     // Put any upgrade step following this.
@@ -47,5 +47,27 @@ function xmldb_auth_shibboleth_upgrade($oldversion) {
     // Automatically generated Moodle v3.9.0 release upgrade line.
     // Put any upgrade step following this.
 
+    if ($oldversion < 2021052501) {
+        // The 'Data modification API' setting in the Shibboleth authentication plugin can no longer be configured
+        // to use files located within the site data directory, as it exposes the site to security risks. Therefore,
+        // we need to find every existing case and reset the 'Data modification API' setting to its default value.
+
+        $convertdataconfig = get_config('auth_shibboleth', 'convert_data');
+
+        if (preg_match('/' . preg_quote($CFG->dataroot, '/') . '/', realpath($convertdataconfig))) {
+            set_config('convert_data', '', 'auth_shibboleth');
+
+            $warn = 'Your \'Data modification API\' setting in the Shibboleth authentication plugin is currently
+            configured to use a file located within the current site data directory ($CFG->dataroot). You are no
+            longer able to use files from within this directory for this purpose as it exposes your site to security
+            risks. This setting has been reset to its default value. Please reconfigure it by providing a path
+            to a file which is not located within the site data directory.';
+
+            echo $OUTPUT->notification($warn, 'notifyproblem');
+        }
+
+        upgrade_plugin_savepoint(true, 2021052501, 'auth', 'shibboleth');
+    }
+
     return true;
 }
diff --git a/auth/shibboleth/version.php b/auth/shibboleth/version.php
@@ -25,6 +25,6 @@
 
 defined('MOODLE_INTERNAL') || die();
 
-$plugin->version   = 2021052500;        // The current plugin version (Date: YYYYMMDDXX)
+$plugin->version   = 2021052501;        // The current plugin version (Date: YYYYMMDDXX)
 $plugin->requires  = 2021052500;        // Requires this Moodle version
 $plugin->component = 'auth_shibboleth'; // Full name of the plugin (used for diagnostics)