commit 9c61c58234f9d87d4e1508e82305920e74fd9b31 Author: Hugh Davenport Date: Mon Sep 24 13:23:39 2012 +1200 Remove clamav from site admin options Bug #1055232 When a site administrator can manipulate the path for the clamav scanner, they could produce either a reverse shell, or allow any user to execute arbitrary remote commands by setting it to an uploaded reverse shell, or to /bin/bash respectively. Other executable paths, namely pathtozip, and pathtounzip are only set via config.php, and not through the site admin interface. This option, pathtoclam, should follow the same design. Change-Id: I7d4822c9f54eda80682d6631699c1ab40f1dc896 Signed-off-by: Hugh Davenport Conflicts: htdocs/admin/site/options.php
diff --git a/htdocs/admin/site/options.php b/htdocs/admin/site/options.php
index 8cae7dc..10a7f66 100644
--- a/htdocs/admin/site/options.php
+++ b/htdocs/admin/site/options.php
@@ -303,14 +303,6 @@ $siteoptionform = array(
'help' => true,
'disabled' => in_array('viruschecking', $OVERRIDDEN),
),
- 'pathtoclam' => array(
- 'type' => 'text',
- 'title' => get_string('pathtoclam', 'admin'),
- 'description' => get_string('pathtoclamdescription', 'admin'),
- 'defaultvalue' => get_config('pathtoclam'),
- 'help' => true,
- 'disabled' => in_array('pathtoclam', $OVERRIDDEN),
- ),
'antispam' => array(
'type' => 'select',
'title' => get_string('antispam', 'admin'),
@@ -541,7 +533,7 @@ function siteoptions_fail(Pieform $form, $field) {
function siteoptions_submit(Pieform $form, $values) {
$fields = array(
- 'sitename','lang','theme', 'pathtoclam',
+ 'sitename','lang','theme',
'defaultaccountlifetime', 'defaultaccountinactiveexpire', 'defaultaccountinactivewarn', 'allowpublicviews', 'allowpublicprofiles', 'registration_sendweeklyupdates', 'institutionexpirynotification', 'institutionautosuspend',
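Review bot: Dropping `'pathtoclam'` from the `$fields` list in `siteoptions_submit()` stops new values being saved from the form, but nothing visible in this diff clears a value an administrator has already stored, so a previously set scanner path may still be what `get_config('pathtoclam')` returns on sites that do not define it in config.php. If stored settings are loaded that way, the change should be paired with an upgrade step that removes the stored `pathtoclam` setting, and the release notes should tell operators to set the path in config.php and to review the old value. A comment above the list would also keep the field from being re-added later, for example `// pathtoclam is intentionally not saved here: executable paths are set only in config.php (Bug #1055232)`. The body of `siteoptions_submit()` continues past the end of the hunk, so how `$fields` is consumed is not visible here.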