From 78cad94ff4676ef401d2a75c8448f3726deefd18 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Fri, 30 Oct 2015 20:19:23 +0100
Subject: [PATCH] Add support for Redis password auth

For enhanced security it is recommended to configure Redis to only accept connections with a password. (http://redis.io/topics/security) This is especially critical since Redis supports the LUA scripting language and thus a simple SSRF vulnerability (as proven in http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/ for example) may lead to a remote code execution.
---
 config/config.sample.php | 5 +++++
 lib/private/memcache/redis.php | 3 +++
 2 files changed, 8 insertions(+)
diff --git a/config/config.sample.php b/config/config.sample.php
index 288e3a01cf..02e5aba3e9 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -879,11 +879,16 @@ $CONFIG = array(
 /**
 * Connection details for redis to use for memory caching.
+ *
+ * For enhanced security it is recommended to configure Redis
+ * to require a password. See http://redis.io/topics/security
+ * for more information.
 */
 'redis' => array(
 'host' => 'localhost', // can also be a unix domain socket: '/tmp/redis.sock'
 'port' => 6379,
 'timeout' => 0.0,
+ 'password' => '', // Optional, if not defined no password will be used.
 'dbindex' => 0, // Optional, if undefined SELECT will not run and will use Redis Server's default DB Index.
 ),
diff --git a/lib/private/memcache/redis.php b/lib/private/memcache/redis.php
index 2147779805..83be662eab 100644
--- a/lib/private/memcache/redis.php
+++ b/lib/private/memcache/redis.php
@@ -56,6 +56,9 @@ class Redis extends Cache implements IMemcache {
 }
 self::$cache->connect($host, $port, $timeout);
+ if(isset($config['password']) && $config['password'] !== '') {
+ self::$cache->auth($config['password']);
+ }
 if (isset($config['dbindex'])) {
 self::$cache->select($config['dbindex']);
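Review bot: The comment on the new `'password' => ''` entry in config/config.sample.php says no password is used "if not defined", but the check added in lib/private/memcache/redis.php also skips `auth()` when the value is an empty string, which is the value the sample itself ships. I would word the entry as `'password' => '', // Optional; if unset or empty, no AUTH is sent to Redis.` so the sample and the connection code describe the same behaviour. The docblock above the `'redis'` array could add one more sentence saying that the password is stored in clear text in this config file and that a Redis password authenticates the client but does not encrypt the connection, so Redis should still listen only on localhost, a unix socket or a trusted network.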