The (non-included) elFinder library may contain example files that can be dangerous. hook_requirements() could be implemented to look for the demo code and, if found, suggest removing that code.

This issue was reported to the security team by emmonsaza and ecrazor. It was decided that it could be fixed in public as a security improvement.
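As an added illustration of the hook_requirements() approach proposed above (example code, not the elFinder module's own implementation): the check runs in both the install and runtime phases, so a REQUIREMENT_ERROR blocks enabling the module while demo files remain and keeps reporting on the status page afterwards. It assumes the Libraries API's libraries_get_path() is available (falling back to sites/all/libraries/elfinder), and the list of demo file names is an assumption, not a list taken from this issue.

```php
<?php
/**
 * Implements hook_requirements().
 *
 * Added example, not the elFinder module's own code. Lives in the module's
 * .install file. Refuses to enable the module (install phase) and flags the
 * status report (runtime phase) while known demo/example files are present
 * in the elFinder library directory.
 */
function elfinder_example_requirements($phase) {
  $requirements = array();
  // t() is not available during the install phase; get_t() handles both.
  $t = get_t();

  // Assumed list of files that ship only as demos/examples with the library.
  $demo_files = array(
    'elfinder.html',
    'php/connector.minimal.php',
    'php/connector.php-cgi.php',
  );

  // Assumes the Libraries API; fall back to the conventional path otherwise.
  $library_path = function_exists('libraries_get_path')
    ? libraries_get_path('elfinder')
    : 'sites/all/libraries/elfinder';

  $found = elfinder_example_find_demo_files(DRUPAL_ROOT . '/' . $library_path, $demo_files);

  if (!empty($found)) {
    // REQUIREMENT_ERROR during the install phase prevents the module from
    // being enabled; at runtime it appears as an error on admin/reports/status.
    $requirements['elfinder_demo_files'] = array(
      'title' => $t('elFinder demo files'),
      'value' => $t('Demo files present'),
      'description' => $t('The following example files in the elFinder library can be dangerous and must be deleted: @files', array('@files' => implode(', ', $found))),
      'severity' => REQUIREMENT_ERROR,
    );
  }
  elseif ($phase == 'runtime') {
    $requirements['elfinder_demo_files'] = array(
      'title' => $t('elFinder demo files'),
      'value' => $t('None found'),
      'severity' => REQUIREMENT_OK,
    );
  }

  return $requirements;
}

/**
 * Returns the relative paths from $candidates that exist under $base.
 *
 * Kept separate from the hook so the file_exists() loop runs only from
 * hook_requirements(), not on every request from hook_init().
 */
function elfinder_example_find_demo_files($base, array $candidates) {
  $found = array();
  foreach ($candidates as $relative) {
    if (file_exists($base . '/' . $relative)) {
      $found[] = $relative;
    }
  }
  return $found;
}
```

Because the check is in hook_requirements() rather than hook_init(), the handful of file_exists() calls happens only on install and when the status report is viewed, which addresses the per-request cost raised in the comments below.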

Comments

mcdruid

It looks like there's a check for these files in the module's hook_init which then calls watchdog.

As Pere Orga says, I'd have thought hook_requirements would be where this belongs; apart from anything else, doing a handful of file_exists calls followed by a call to watchdog during init is not without cost.

greggles

I can see the merit of hook_init for a problem as dangerous as this. I think drupal_set_message if the user has at least one of a variety of 'admin*' permissions would also make sense.

ph0enix

Status: Active » Needs review

Improved checks. If the demo files have been found in the system, there will be a watchdog entry and a generic error message. Also, this check is now performed in hook_requirements, so the module will not be enabled without removing the demo files.

  • ph0enix committed 9569478 on 7.x-2.x
    Issue #2509784: Library may contain example files that can be dangerous

  • ph0enix committed 9920f08 on 7.x-1.x
    Issue #2509784: Library may contain example files that can be dangerous

  • ph0enix committed 7e9d5cb on 6.x-2.x
    Issue #2509784: Library may contain example files that can be dangerous

  • ph0enix committed 1e8f031 on 6.x-1.x
    Issue #2509784: Library may contain example files that can be dangerous

  • ph0enix committed 361decd on 8.x-2.x
    Issue #2509784: Library may contain example files that can be dangerous

NWOM

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.