From 6045da4fec00d094624930ed941456a511f34b55 Mon Sep 17 00:00:00 2001
From: Seamus Lee
Date: Tue, 30 Aug 2016 17:43:46 +1000
Subject: [PATCH 1/2] CRM-15925 - CRM/Upgrade - Add post-upgrade msg re: "import SQL datasource"
---
 CRM/Upgrade/Incremental/php/FourSix.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CRM/Upgrade/Incremental/php/FourSix.php b/CRM/Upgrade/Incremental/php/FourSix.php
index 02bd171b3dd1..6b73c6e8a6f5 100644
--- a/CRM/Upgrade/Incremental/php/FourSix.php
+++ b/CRM/Upgrade/Incremental/php/FourSix.php
@@ -78,6 +78,9 @@ public function setPostUpgradeMessage(&$postUpgradeMessage, $rev) {
 // if ($rev == '4.6.21') {
 // $postUpgradeMessage .= '

' . ts("WARNING: For increased security, profile submissions embedded in remote sites are no longer allowed to create or edit data by default. If you need to allow users to submit profiles from external sites, you can restore this at Administer > System Settings > Misc (Undelete, PDFs, Limits, Logging, Captcha, etc.) > 'Accept profile submissions from external sites'");
 // }
+ if ($rev == '4.6.21') {
+ $postUpgradeMessage .= '

' . ts("By default, CiviCRM now disables the ability to import directly fro SQL. To use this feature, you must explicitly grant permission 'import SQL datasource'.");
+ }
 }
From 759fafaa68233d1d3ecb90beb4519896423a861c Mon Sep 17 00:00:00 2001
From: Seamus Lee
Date: Tue, 30 Aug 2016 17:48:50 +1000
Subject: [PATCH 2/2] CRM-15928 - Display warning if is enabled
---
 CRM/Utils/Check/Security.php | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/CRM/Utils/Check/Security.php b/CRM/Utils/Check/Security.php
index a8f5b24ce99e..d18363a4fd49 100644
--- a/CRM/Utils/Check/Security.php
+++ b/CRM/Utils/Check/Security.php
@@ -62,11 +62,32 @@ public function checkAll() {
 $this->checkLogFileIsNotAccessible(),
 $this->checkUploadsAreNotAccessible(),
 $this->checkDirectoriesAreNotBrowseable(),
- $this->checkFilesAreNotPresent()
+ $this->checkFilesAreNotPresent(),
+ $this->checkRemoteProfile()
 );
 return $messages;
 }
 
+ /**
+ * Discourage use of remote profile forms.
+ */
+ public function checkRemoteProfile() {
+ $messages = array();
+
+ if (CRM_Core_BAO_Setting::getItem(CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME, 'remote_profile_submissions')) {
+ $messages[] = new CRM_Utils_Check_Message(
+ __FUNCTION__,
+ ts('Warning: External profile support (aka "HTML Snippet" support) is enabled in system settings. This setting may be prone to abuse. If you must retain it, consider HTTP throttling or other protections.',
+ array(1 => CRM_Utils_System::url('civicrm/admin/setting/misc', 'reset=1'))
+ ),
+ ts('Remote Profiles Enabled')
+ );
+ }
+
+ return $messages;
+ }
+
+
 /**
 * Check if our logfile is directly accessible.
 *
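Review bot: The user-visible string on the added `$postUpgradeMessage .=` line misspells "from" as "fro"; because ts() strings double as translation keys, it should be corrected before release to `ts("By default, CiviCRM now disables the ability to import directly from SQL. To use this feature, you must explicitly grant permission 'import SQL datasource'.")`. The commented-out block immediately above uses the same `$rev == '4.6.21'` guard, so either fold the new message into that block (uncommenting it) or delete the dead comment rather than leaving two parallel blocks for one revision. setPostUpgradeMessage begins outside this hunk; only its closing brace is visible here.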
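Review bot: In the new checkRemoteProfile, the `array(1 => CRM_Utils_System::url('civicrm/admin/setting/misc', 'reset=1'))` argument passed to ts() is never consumed, because the message text contains no `%1` placeholder, so the administrator is warned but never shown where to turn the setting off. Either reference it in the message, e.g. append `You can change this at <a href="%1">Administer > System Settings > Misc</a>.`, or drop the unused argument. The docblock `Discourage use of remote profile forms.` would also benefit from a `@return array` line naming the CRM_Utils_Check_Message list it yields, matching the sibling check methods, and a brief why-note that the setting allows remote profile submissions to create or edit data (the risk the 4.6.21 upgrade message in the first patch describes).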