From cb3440c85d52e0c2609dc60b43a22c72f91aee09 Mon Sep 17 00:00:00 2001
From: Denis Flaven
Date: Thu, 13 Dec 2018 17:31:21 +0100
Subject: [PATCH] Setup hardening.
---
 setup/ajax.dataloader.php | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/setup/ajax.dataloader.php b/setup/ajax.dataloader.php
index 8f6786f9c..070db5bbb 100644
--- a/setup/ajax.dataloader.php
+++ b/setup/ajax.dataloader.php
@@ -121,6 +121,8 @@ header("Expires: Fri, 17 Jul 1970 05:00:00 GMT"); // Date in the past
 $sOperation = Utils::ReadParam('operation', '');
 try
 {
+ if (!is_writable(utils::GetConfigFilePath())) throw new Exception('Setup operations are not allowed outside of the setup');
+
 switch($sOperation)
 {
 case 'async_action':
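Review bot: The guard added before `switch($sOperation)` uses the config file's permission bits as the whole authorization decision, so the setup operations stay reachable by any caller for as long as that file is left writable, and nothing in the hunk ties the request to a setup session that is actually in progress. Consider keeping the check but also requiring a per-setup secret that the wizard issues and this endpoint compares with `hash_equals()`. Note as well that `is_writable()` returns false for a path that does not exist, so if no config file has been written yet on a first install this would reject every operation; if that case is meant to pass, the condition would need to be `file_exists($sConfigFile) && !is_writable($sConfigFile)`. The `try` block continues outside the hunk, so it is worth confirming that the catch reports only the message to the client and that the refusal is logged for later review.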