Add support for Redis password auth

For enhanced security it is recommended to configure Redis to only accept connections with a password. (http://redis.io/topics/security)

This is especially critical since Redis supports the Lua scripting language, and thus a simple SSRF vulnerability may lead to remote code execution (as shown, for example, in http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/).
Lukas Reschke 2015-10-30 20:19:23 +01:00
parent 6911d8f0a4
commit 78cad94ff4
2 changed files with 8 additions and 0 deletions


@ -879,11 +879,16 @@ $CONFIG = array(
/** /**
* Connection details for redis to use for memory caching. * Connection details for redis to use for memory caching.
*
* For enhanced security it is recommended to configure Redis
* to require a password. See http://redis.io/topics/security
* for more information.
*/ */
'redis' => array( 'redis' => array(
'host' => 'localhost', // can also be a unix domain socket: '/tmp/redis.sock' 'host' => 'localhost', // can also be a unix domain socket: '/tmp/redis.sock'
'port' => 6379, 'port' => 6379,
'timeout' => 0.0, 'timeout' => 0.0,
'password' => '', // Optional, if not defined no password will be used.
'dbindex' => 0, // Optional, if undefined SELECT will not run and will use Redis Server's default DB Index. 'dbindex' => 0, // Optional, if undefined SELECT will not run and will use Redis Server's default DB Index.
), ),
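Review bot: The inline comment on the new `'password'` entry says authentication is skipped only when the key is not defined, but the check added to the Redis cache class in this same commit (`$config['password'] !== ''`) also skips it for an empty string, so the sample value as shipped connects without a password. I would word the comment as `'password' => '', // Optional, if not defined or empty no password will be used.` so an administrator copying the sample does not assume the key alone enables auth. The docblock above could also note that the password sits in clear text in the config file and, unless the connection is otherwise protected, travels unencrypted to Redis, so file permissions and the network path (or the unix socket mentioned on the `host` line) still matter once a password is set.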


@ -56,6 +56,9 @@ class Redis extends Cache implements IMemcache {
} }
self::$cache->connect($host, $port, $timeout); self::$cache->connect($host, $port, $timeout);
if(isset($config['password']) && $config['password'] !== '') {
self::$cache->auth($config['password']);
}
if (isset($config['dbindex'])) { if (isset($config['dbindex'])) {
self::$cache->select($config['dbindex']); self::$cache->select($config['dbindex']);