Restore "admin dir" warning on login page
Commit 9da643a modified the admin
checks on login page to remove the logic checking for pre 1.0 upgrade
steps.

However, it also (probably unintentionally) removed the check for admin
directory presence, so administrators are no longer reminded that they
should delete this directory, potentially leaving them exposed to
security breaches.

This commit restores the warning, and improves the error message.

Fixes #23179
Stopgap measure for issue #23173
dregad committed Aug 3, 2017
1 parent c73ae3d commit d6d7dc2
Showing 2 changed files with 8 additions and 1 deletion.
2 changes: 1 addition & 1 deletion lang/strings_english.txt
@@ -656,7 +656,7 @@ $s_click_to_login = 'Login';
# login.php
$s_warning_plain_password_authentication = '<strong>Warning:</strong> Plain password authentication is used, this will expose your passwords to administrators.';
$s_warning_default_administrator_account_present = '<strong>Warning:</strong> You should disable the default \'administrator\' account or change its password.';
$s_warning_admin_directory_present = '<strong>Warning:</strong> Admin directory should be removed.';
$s_warning_admin_directory_present = '<strong>Warning:</strong> "admin" directory should be removed, or access to it restricted.';
$s_warning_change_setting = '<strong>Warning:</strong> "%1$s" is not set to its default value (%2$s).';
$s_warning_security_hazard = 'This is a potential security hazard as it can expose sensitive information.';
$s_warning_integrity_hazard = 'This will cause MantisBT to continue when errors occurs and may lead to system/data integrity issues.';
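Review bot: the changed line rewords $s_warning_admin_directory_present ("admin" directory should be removed, or access to it restricted.) without changing its key, so the other lang/strings_*.txt files that already translate this key will keep showing the old "Admin directory should be removed." text until translators pick the change up; worth a note for the translation team, although the old wording stays accurate as the stricter of the two recommendations. The new text also offers "access restricted" as an acceptable alternative, so the login_page.php check that emits this string should be able to recognise such a restriction, otherwise administrators who follow the advice will keep seeing the warning.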
7 changes: 7 additions & 0 deletions login_page.php
@@ -140,6 +140,13 @@
$t_warnings = array();
$t_upgrade_required = false;
if( config_get_global( 'admin_checks' ) == ON && file_exists( dirname( __FILE__ ) .'/admin' ) ) {
# Check if the admin directory is accessible
$t_admin_dir = dirname( __FILE__ ) . '/admin';
$t_admin_dir_is_accessible = @file_exists( $t_admin_dir . '/.' );
if( $t_admin_dir_is_accessible ) {
$t_warnings[] = lang_get( 'warning_admin_directory_present' );
}

# Generate a warning if default user administrator/root is valid.
$t_admin_user_id = user_get_id_by_name( 'administrator' );
if( $t_admin_user_id !== false ) {
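Review bot: the comment on the added block ("Check if the admin directory is accessible") overstates what @file_exists( $t_admin_dir . '/.' ) tests: the outer condition has already established that /admin exists, so the '/.' probe only tells whether the PHP process can traverse the directory on the filesystem. It says nothing about whether the directory is reachable over HTTP, so a web-server level restriction (the alternative the updated lang string now suggests) will not suppress the warning, while a directory the web server can serve but PHP cannot traverse would suppress it. Suggest rewording the comment to state the actual test, e.g. "# Warn if the admin directory exists and is traversable by the PHP process", and adding a word on why the @ suppression is needed there. The path dirname( __FILE__ ) . '/admin' is also built twice, once in the outer if and again for $t_admin_dir; assigning $t_admin_dir before the condition and reusing it would keep the two in step.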