MDL-69333 report_security: Add checks for many public & private urls

Brendan Heywood 2020-10-28 10:21:23 +11:00
parent 63e7f2a64f
commit 6f60d650d3
6 changed files with 314 additions and 141 deletions


@ -66,6 +66,8 @@ $string['check_crawlers_error'] = 'Search engine access is allowed but guest acc
$string['check_crawlers_info'] = 'Search engines may enter as guests.';
$string['check_crawlers_name'] = 'Open to search engines';
$string['check_crawlers_ok'] = 'Search engine access is not enabled.';
$string['check_dotfiles_info'] = 'All dotfiles except /.well-known/* should not be public';
$string['check_dirindex_info'] = 'Directory index should not be enabled';
$string['check_guestrole_details'] = '<p>The guest role is used for guests, not logged in users and temporary guest course access. Please make sure no risky capabilities are allowed in this role.</p>
<p>The only supported legacy type for guest role is <em>Guest</em>.</p>';
$string['check_guestrole_error'] = 'The guest role "{$a}" is incorrectly defined!';
@ -92,7 +94,9 @@ $string['check_preventexecpath_name'] = 'Executable paths';
$string['check_preventexecpath_ok'] = 'Executable paths only settable in config.php.';
$string['check_preventexecpath_warning'] = 'Executable paths can be set in the Admin GUI.';
$string['check_preventexecpath_details'] = '<p>Allowing executable paths to be set via the Admin GUI is a vector for privilege escalation. This must be forced in config.php:</p><p><code>$CFG->preventexecpath = true;<code></p>';
$string['check_publicpaths_name'] = 'Check all public / private paths';
$string['check_publicpaths_generic'] = '{$a} files should not be public';
$string['check_publicpaths_403'] = ' (Returned a 403, ideally should be 404)';
$string['check_riskadmin_detailsok'] = '<p>Please verify the following list of system administrators:</p>{$a}';
$string['check_riskadmin_detailswarning'] = '<p>Please verify the following list of system administrators:</p>{$a->admins}
<p>It is recommended to assign administrator role in the system context only. The following users have (unsupported) admin role assignments in other contexts:</p>{$a->unsupported}';
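Review bot: `check_publicpaths_403` in the second hunk begins with a space and is wrapped in parentheses, so it looks like a fragment meant to be appended to another language string, and it never tells the admin why a 403 is the weaker answer. A 403 on a private path still confirms that the path exists, whereas a 404 does not, and the string is the natural place to say so, for example `$string['check_publicpaths_403'] = '{$a} returned a 403, which confirms the path exists; a 404 is preferred.';` with the path passed as the placeholder the way `check_publicpaths_generic` already does. The code that uses these strings is outside this section, so the concatenation is inferred from the string's shape only. In the same hunk the `check_preventexecpath_details` text ends with `<code>` where `</code>` is needed, which leaves the element unclosed when the report renders it. In the first hunk, `check_dirindex_info` sits after `check_dotfiles_info` although the keys around it in that hunk are sorted.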