wbrawner/server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add support for Redis password auth

Browse source 
For enhanced security it is recommended to configure Redis to only accept connections with a password. (http://redis.io/topics/security)

This is especially critical since Redis supports the LUA scripting language and thus a simple SSRF vulnerability (as proven in http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/ for example) may lead to a remote code execution.
This commit is contained in:
Lukas Reschke 2015-10-30 20:19:23 +01:00
parent 6911d8f0a4
commit 78cad94ff4
2 changed files with 8 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
config/config.sample.php
View file

@ -879,11 +879,16 @@ $CONFIG = array(
/**
* Connection details for redis to use for memory caching.
*
* For enhanced security it is recommended to configure Redis
* to require a password. See http://redis.io/topics/security
* for more information.
*/
'redis' => array(
'host' => 'localhost', // can also be a unix domain socket: '/tmp/redis.sock'
'port' => 6379,
'timeout' => 0.0,
'password' => '', // Optional, if not defined no password will be used.
'dbindex' => 0, // Optional, if undefined SELECT will not run and will use Redis Server's default DB Index.
),

3
lib/private/memcache/redis.php
View file

@ -56,6 +56,9 @@ class Redis extends Cache implements IMemcache {
}
self::$cache->connect($host, $port, $timeout);
if(isset($config['password']) && $config['password'] !== '') {
self::$cache->auth($config['password']);
}
if (isset($config['dbindex'])) {
self::$cache->select($config['dbindex']);