From d31a4047f6778ed558ab1c975f878203de2062e9 Mon Sep 17 00:00:00 2001
From: Eric
Date: Wed, 19 Dec 2018 17:13:49 +0100
Subject: [PATCH] Fix Setup hardening
---
 setup/ajax.dataloader.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/setup/ajax.dataloader.php b/setup/ajax.dataloader.php
index 070db5bbb..6dc61f7cc 100644
--- a/setup/ajax.dataloader.php
+++ b/setup/ajax.dataloader.php
@@ -121,7 +121,10 @@ header("Expires: Fri, 17 Jul 1970 05:00:00 GMT"); // Date in the past
 $sOperation = Utils::ReadParam('operation', '');
 try
 {
- if (!is_writable(utils::GetConfigFilePath())) throw new Exception('Setup operations are not allowed outside of the setup');
+ if (is_file(utils::GetConfigFilePath()) && !is_writable(utils::GetConfigFilePath()))
+ {
+ throw new Exception('Setup operations are not allowed outside of the setup');
+ }
 switch($sOperation)
 {
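Review bot: The rewritten guard at the top of the `try` block fails open when the configuration file is absent: a false `is_file()` skips the exception, so the only check visible in this hunk before `switch($sOperation)` depends on that file existing and being read-only. If a missing config is meant to signal a first install, state that in a comment above the condition, e.g. `// No config file yet = first install, setup allowed; an existing read-only config means setup is closed.`, and confirm that some other control (not visible here) covers a live instance whose config file has been removed. The path is also resolved twice; reading it once, `$sConfigFile = utils::GetConfigFilePath();` followed by `if (is_file($sConfigFile) && !is_writable($sConfigFile))`, keeps both tests on the same value. The `try` block and the `switch` continue past the end of the hunk.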