backup/nopasswords MDL-20838 Backups are now never saved with user pa…

…sswords unless the admin has defined $CFG->includeuserbackupsinpasswords in config.php (Merged from 1.9) Credits to Eloy
moodle · Nov 17, 2009 · 0c54aad · 0c54aad
1 parent 185f15c
commit 0c54aad
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 4 deletions.
diff --git a/backup/backuplib.php b/backup/backuplib.php
@@ -1102,7 +1102,11 @@ function backup_user_info ($bf,$preferences) {
                 fwrite ($bf,full_tag("POLICYAGREED",4,false,$user->policyagreed));
                 fwrite ($bf,full_tag("DELETED",4,false,$user->deleted));
                 fwrite ($bf,full_tag("USERNAME",4,false,$user->username));
-                fwrite ($bf,full_tag("PASSWORD",4,false,$user->password));
+                // Prevent user passwords in backup files unless
+                // $CFG->includeuserpasswordsinbackup is defined. MDL-20838
+                if (!empty($CFG->includeuserpasswordsinbackup)) {
+                    fwrite ($bf,full_tag("PASSWORD",4,false,$user->password));
+                }
                 fwrite ($bf,full_tag("IDNUMBER",4,false,$user->idnumber));
                 fwrite ($bf,full_tag("FIRSTNAME",4,false,$user->firstname));
                 fwrite ($bf,full_tag("LASTNAME",4,false,$user->lastname));

diff --git a/backup/version.php b/backup/version.php
@@ -2,11 +2,11 @@
 
 /// This file defines the current version of the
 /// backup/restore code that is being used.  This can be
-/// compared against the values stored in the 
+/// compared against the values stored in the
 /// database (backup_version) to determine whether upgrades should
 /// be performed (see db/backup_*.php)
 
-    $backup_version = 2007022100;   // The current version is a date (YYYYMMDDXX)
-    $backup_release = "1.8+";       // User-friendly version number
+    $backup_version = 2007022101;   // The current version is a date (YYYYMMDDXX)
+    $backup_release = "1.8.11";       // User-friendly version number
 
 ?>
diff --git a/config-dist.php b/config-dist.php
@@ -139,6 +139,13 @@
 // Useful for webhost operators who have alternate methods of backups
 //      $CFG->disablescheduledbackups = true;
 //
+// Allow user passwords to be included in backup files. Very dangerous
+// setting as far as it publishes password hashes that can be unencrypted
+// if the backup file is publicy available. Use it only if you can guarantee
+// that all your backup files remain only privacy available and are never
+// shared out from your site/institution!
+//      $CFG->includeuserpasswordsinbackup = true;
+//
 // Prevent stats processing and hide the GUI
 //      $CFG->disablestatsprocessing = true;
 //