Install tool password can be overwritten by an extensions' ext_localcconf.php
|Priority:||Should have||Due date:|
|Assignee:||Benjamin Mack||% Done:||
Quote from Bernhard Kraft:
I think this should be seen as a security exploit. As a normal admin
should not be able to enter the install tool.
If you deactivate installing of extensions via the install tool
(AllowLocalInstall) so an admin can not install an extension like
quixplorer. And additionally set the "noEdit" flag, then this issue can
of course get avoided.
But I think operators of a site should be aware of this issue. What do
(issue imported from #M14935)
Updated by Francois Suter almost 3 years ago
There are actually other parameters that could be overridden by an extension and which might cause some misery to a site, so it's nearly impossible to check for every situation without actually scanning every extension's ext_localconf.php file which would be a huge overhead (although it could probably also be done by a scheduler task).
To me it seems more like a problem of educating administrators. It could be something that goes in the (upcoming ;-) security guide.
Updated by Benjamin Mack almost 3 years ago
Well, I agree: Administrators should know what they install.
However, here is my solution:
Let's do it with the install tool password similar to the DB connection data:
Set it in localconf.php as a variable, and then make a constant out of it, before including all the extensions stuff.