
backup/nopasswords MDL-20838 Backups are now never saved with user passwords unless $CFG->includeuserpasswordsinbackup is turned on in config.php (only)
1 parent efb9ebe commit 8bcf4b57497a205d88d5b9c6387fd8069ec1798c @moodler moodler committed Nov 17, 2009
Showing with 15 additions and 4 deletions.
  1. +5 −1 backup/backuplib.php
  2. +3 −3 backup/version.php
  3. +7 −0 config-dist.php
@@ -1303,7 +1303,11 @@ function backup_user_info ($bf,$preferences) {
fwrite ($bf,full_tag("POLICYAGREED",4,false,$user->policyagreed));
fwrite ($bf,full_tag("DELETED",4,false,$user->deleted));
fwrite ($bf,full_tag("USERNAME",4,false,$user->username));
- fwrite ($bf,full_tag("PASSWORD",4,false,$user->password));
+ // Prevent user passwords in backup files unless
+ // $CFG->includeuserpasswordsinbackup is defined. MDL-20838
+ if (!empty($CFG->includeuserpasswordsinbackup)) {
+ fwrite ($bf,full_tag("PASSWORD",4,false,$user->password));
+ }
fwrite ($bf,full_tag("IDNUMBER",4,false,$user->idnumber));
fwrite ($bf,full_tag("FIRSTNAME",4,false,$user->firstname));
fwrite ($bf,full_tag("LASTNAME",4,false,$user->lastname));
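Review bot: With the PASSWORD tag now omitted by default, nothing in this commit shows how restore treats a user record that has no PASSWORD element; all three changed files are on the backup and configuration side. If the restore code assumes the tag is always present, restored accounts could end up with an empty or undefined password value, so it is worth confirming that it sets an unusable password or forces a reset, and recording that next to the new check, e.g. `// Restore must cope with a missing PASSWORD tag (treat as no usable password)`. The check also depends on `$CFG` being in scope through a `global $CFG` declaration, which would sit at the top of backup_user_info outside this hunk; without it `!empty()` would quietly stay false and the option would never take effect.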
@@ -2,11 +2,11 @@
/// This file defines the current version of the
/// backup/restore code that is being used. This can be
-/// compared against the values stored in the
+/// compared against the values stored in the
/// database (backup_version) to determine whether upgrades should
/// be performed (see db/backup_*.php)
- $backup_version = 2009100600; // The current version is a date (YYYYMMDDXX)
- $backup_release = '1.9.6'; // User-friendly version number
+ $backup_version = 2009111300; // The current version is a date (YYYYMMDDXX)
+ $backup_release = '1.9.7'; // User-friendly version number
?>
@@ -148,6 +148,13 @@
// Useful for webhost operators who have alternate methods of backups
// $CFG->disablescheduledbackups = true;
//
+// Allow user passwords to be included in backup files. Very dangerous
+// setting as far as it publishes password hashes that can be unencrypted
+// if the backup file is publicy available. Use it only if you can guarantee
+// that all your backup files remain only privacy available and are never
+// shared out from your site/institution!
+// $CFG->includeuserpasswordsinbackup = true;
+//
// Prevent stats processing and hide the GUI
// $CFG->disablestatsprocessing = true;
//
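Review bot: The warning text added above `$CFG->includeuserpasswordsinbackup` describes the risk imprecisely: password hashes are not "unencrypted", they are guessed offline by whoever obtains the backup file, and that holds for any copy that leaves the site, not only a publicly available one. I would reword the comment to say that the setting writes every user's password hash into the backup and that anyone holding the file can attack those hashes offline. The same comment has two typos worth fixing, `publicy` should be `publicly` and `remain only privacy available` should be `remain private`. It would also help operators to state that the setting is read only from config.php and has no admin-interface equivalent, as the commit message says.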
