author: webchick <webchick@24967.no-reply.drupal.org> 2012-09-26 23:12:35 -0400
committer: webchick <webchick@24967.no-reply.drupal.org> 2012-09-26 23:12:35 -0400
commit: 294e7589598e50f0308f4b6b9b205bd14345976d (patch)
tree: ff7fb2004ed478f008d61077bc3a32eb49898a40 /sites
parent: 06271db913ae5a49ea2f14c61259134e52dfa294 (diff)
Issue #932110 by Albert Volkman, David_Rothstein, marji, jurgenhaas, dcam: On some servers, the Update Manager allows administrators to directly execute arbitrary code even without the PHP module. (Documentation fix)
Diffstat (limited to 'sites')
-rw-r--r-- sites/default/default.settings.php 18
1 files changed, 13 insertions, 5 deletions
diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php
index 2e5654b2e..0b12bd353 100644
--- a/sites/default/default.settings.php
+++ b/sites/default/default.settings.php
@@ -528,13 +528,21 @@ $conf['404_fast_html'] = '<html xmlns="http://www.w3.org/1999/xhtml"><head><titl
*
* The Update manager module included with Drupal provides a mechanism for
* site administrators to securely install missing updates for the site
- * directly through the web user interface by providing either SSH or FTP
- * credentials. This allows the site to update the new files as the user who
- * owns all the Drupal files, instead of as the user the webserver is running
- * as. However, some sites might wish to disable this functionality, and only
- * update the code directly via SSH or FTP themselves. This setting completely
+ * directly through the web user interface. On securely-configured servers,
+ * the Update manager will require the administrator to provide SSH or FTP
+ * credentials before allowing the installation to proceed; this allows the
+ * site to update the new files as the user who owns all the Drupal files,
+ * instead of as the user the webserver is running as. On servers where the
+ * webserver user is itself the owner of the Drupal files, the administrator
+ * will not be prompted for SSH or FTP credentials (note that these server
+ * setups are common on shared hosting, but are inherently insecure).
+ *
+ * Some sites might wish to disable the above functionality, and only update
+ * the code directly via SSH or FTP themselves. This setting completely
* disables all functionality related to these authorized file operations.
*
+ * @see http://drupal.org/node/244924
+ *
* Remove the leading hash signs to disable.
*/
# $conf['allow_authorize_operations'] = FALSE;
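Review bot: The added sentence ending "(note that these server setups are common on shared hosting, but are inherently insecure)" names a risk without saying what it is or what the reader should do about it. The commit subject states that on such servers the Update Manager lets administrators execute arbitrary code even without the PHP module; the comment should say that in plain terms and recommend uncommenting `$conf['allow_authorize_operations'] = FALSE;` when the webserver user owns the Drupal files. The unchanged opening sentence still says administrators can "securely install missing updates", which now sits in tension with the second case, so qualify or drop "securely" there. The added `@see http://drupal.org/node/244924` line would benefit from a few words on what the linked page covers, and "securely-configured" needs no hyphen.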