From 9a2b5e0b4f28aac950934d6e1c9fa1aee3574f5b Mon Sep 17 00:00:00 2001
From: Hugh Davenport
Date: Thu, 28 Mar 2013 14:32:48 +1300
Subject: [PATCH] MDL-35852 Add config option to prevent changes to configexecutable settings
---
 config-dist.php | 6 ++++++
 lang/en/admin.php | 1 +
 lib/adminlib.php | 14 ++++++++++++++
 3 files changed, 21 insertions(+)
diff --git a/config-dist.php b/config-dist.php
index 0dd7032419157..378d3416435ec 100644
--- a/config-dist.php
+++ b/config-dist.php
@@ -456,6 +456,12 @@
 // To ensure they are never used even when available:
 // $CFG->svgicons = false;
 //
+// Some administration options allow setting the path to executable files. This can
+// potentially cause a security risk. Set this option to true to disable editing
+// those config settings via the web. They will need to be set explicitly in the
+// config.php file
+// $CFG->preventexecpath = true;
+//
 //=========================================================================
 // 7. SETTINGS FOR DEVELOPMENT SERVERS - not intended for production use!!!
 //=========================================================================
diff --git a/lang/en/admin.php b/lang/en/admin.php
index ab04fa3f17cfb..63d3f2afc5b23 100644
--- a/lang/en/admin.php
+++ b/lang/en/admin.php
@@ -513,6 +513,7 @@
 $string['errorwithsettings'] = 'Some settings were not changed due to an error.';
 $string['everyonewhocan'] = 'Everyone who can \'{$a}\'';
 $string['exceptions'] = 'exceptions';
+$string['execpathnotallowed'] = 'Setting executable paths disabled in config.php';
 $string['experimental'] = 'Experimental';
 $string['experimentalsettings'] = 'Experimental settings';
 $string['extendedusernamechars'] = 'Allow extended characters in usernames';
diff --git a/lib/adminlib.php b/lib/adminlib.php
index be26db438df80..c23128822e424 100644
--- a/lib/adminlib.php
+++ b/lib/adminlib.php
@@ -2107,6 +2107,16 @@ public function output_html($data, $query='') { '
'.$executable.'
', $this->description, true, '', $default, $query); }
+ /**
+ * checks if execpatch has been disabled in config.php
+ */
+ public function write_setting($data) {
+ global $CFG;
+ if (!empty($CFG->preventexecpath)) {
+ return '';
+ }
+ return parent::write_setting($data);
+ }
 }
@@ -2125,6 +2135,7 @@ class admin_setting_configexecutable extends admin_setting_configfile {
 * @return string XHTML field
 */
 public function output_html($data, $query='') {
+ global $CFG;
 $default = $this->get_defaultsetting();
 if ($data) {
@@ -2136,6 +2147,9 @@ public function output_html($data, $query='') {
 } else {
 $executable = '';
 }
+ if (!empty($CFG->preventexecpath)) {
+ $this->visiblename .= '
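Review bot: The added `write_setting()` returns `''` whenever `$CFG->preventexecpath` is set, so a submitted path is dropped without any message; if an empty string is this API's success value (the hunk does not show the convention), the form will report the setting as saved. Returning the new string only when the value actually changes would make a blocked edit visible: `if ($this->get_setting() !== $data) { return get_string('execpathnotallowed', 'admin'); }` followed by `return '';`. Judging by the hunk context, the method lands in the class just above `admin_setting_configexecutable`, so the parent file-path settings are locked as well, while the warning text is only appended in the executable class's `output_html()`. The docblock should read "execpath" rather than "execpatch" and could gain `@param`/`@return` lines; it would also help to say there that the guard only stops web edits, so a path stored before the option was enabled stays in effect.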
'.get_string('execpathnotallowed', 'admin').'
'; + } return format_admin_setting($this, $this->visiblename, '
'.$executable.'
',