From 75fbb831c9432e95fd269e4d77bb3d7cdc545bfd Mon Sep 17 00:00:00 2001
From: Eric
Date: Wed, 19 Dec 2018 17:10:02 +0100
Subject: [PATCH] Fix Setup hardening
---
 setup/ajax.dataloader.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/setup/ajax.dataloader.php b/setup/ajax.dataloader.php
index a2e2e149d..c9036a55c 100644
--- a/setup/ajax.dataloader.php
+++ b/setup/ajax.dataloader.php
@@ -147,7 +147,10 @@ header("Expires: Fri, 17 Jul 1970 05:00:00 GMT"); // Date in the past
 $sOperation = Utils::ReadParam('operation', '');
 try
 {
- if (!is_writable(utils::GetConfigFilePath())) throw new Exception('Setup operations are not allowed outside of the setup');
+ if (is_file(utils::GetConfigFilePath()) && !is_writable(utils::GetConfigFilePath()))
+ {
+ throw new Exception('Setup operations are not allowed outside of the setup');
+ }
 
 switch($sOperation)
 {
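Review bot: The rewritten guard fails open: whenever `is_file(utils::GetConfigFilePath())` returns false, the exception is skipped and the `switch($sOperation)` below runs for whoever sent the request. That is the intended fresh-install case, but `is_file()` is also false when the config file has been moved or deleted, when the path is not a regular file, or when the stat call itself fails, and nothing in this hunk ties the request to a setup session in progress. I would at least state the intent in a comment above the check, e.g. `// No config file yet = fresh install, setup allowed; an existing config must have been made writable on purpose`, and consider gating these operations on something the setup wizard itself issues rather than on filesystem state alone. The path is also resolved twice; `$sConfigFile = utils::GetConfigFilePath();` before the `if` keeps both tests on the same value. The `try` block continues past the end of the hunk, so any checks further down are not visible here.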