Clearing Cache on the website

When you use [url]http://www.yoursite.com/index.php?cc[/url] to clear the cache, can any person do it, or only the one logged into the admin center?

It should require an admin login. It appears to allow anyone to clear the cache - this should be reported as a bug.



Bob

This is one of the things I hate about the 2.0 branch. In 1.3.5 there was a link in the back end to clear the cache, among other useful things that are no longer available in 2.0. Anybody can clear the cache now; this should not be allowed.

[quote name=‘gasngrills’]This is one of the things I hate about the 2.0 branch. In 1.3.5 there was a link in the back end to clear the cache, among other useful things that are no longer available in 2.0. Anybody can clear the cache now; this should not be allowed.[/QUOTE]

I don’t have 1.3.5 installed so cannot test but I wouldn’t be surprised if the same flaw existed there.



In 2.0, you can add the command to clear cache to your ‘Quick Menu’.



Bob

To allow the clearing of the cache to be done from the admin area only, open the “init.php” file in the base directory of your store.



Change the following code:



// Clean up templates cache
if (isset($_GET['cc'])) {
    fn_rm(DIR_COMPILED, false);
    fn_rm(DIR_CACHE, false);
}




to this:



// Clean up templates cache
// (the added part is the "&& $_SERVER[...]" condition: the request must be
// served by the admin script, not by index.php)
if (isset($_GET['cc']) && $_SERVER["PHP_SELF"] == '/admin.php') {
    fn_rm(DIR_COMPILED, false);
    fn_rm(DIR_CACHE, false);
}




Now you can only clear the cache from inside the admin section.



Edit: Replace the “admin.php” part with the secret name of your admin script.

Thanks for the fix, adodric.



I’ve submitted this as a bug so we get an official fix in a future version:

[url]http://forum.cs-cart.com/vbugs.php?do=view&vbug_id=1908[/url]



Bob

Not sure that’s such a good fix. Anyone could just put in the admin.php URL and then still run the clear-cache script. One should rather check if the admin session is registered.



I’m sure the CS cart guys will come up with the right fix though.

[quote name=‘Lima Bean’]Not sure that’s such a good fix. Anyone could just put in the admin.php URL and then still run the clear-cache script. One should rather check if the admin session is registered.



I’m sure the CS cart guys will come up with the right fix though.[/QUOTE]



Well, first off, you should change the “admin.php” to match whatever you use in your store for security. Secondly, if outside people know your admin location, then you possibly have bigger issues than the clearing of the cache. If they’re there for malicious behavior, that won’t top their list.



If you really want to, it should be very easy to add a check for the admin’s session if you’re really worried about it.

Would it be a quick fix to change CC to something like MYSECRETWORD? It will be unique to that website and no one will know. Not the best workaround, but a really quick one and fairly secure.

[quote name=‘TexasGuy’]Would it be a quick fix to change CC to something like MYSECRETWORD? It will be unique to that website and no one will know. Not the best workaround, but a really quick one and fairly secure.[/QUOTE]



Yeah, I was thinking about that also. You can easily change the “cc” to be anything you want for clearing the cache. Thanks for posting this.

Would checking if the user logged in is an admin be so hard? Everything else is security through obscurity, which is bs.



It’s convenient to clear the cache while on any page.

[quote name=‘phazei’]Would checking if the user logged in is an admin be so hard? Everything else is security through obscurity, which is bs.



It’s convenient to clear the cache while on any page.[/QUOTE]



The main issue is that they have the code for clearing the cache before the session data is created, so there is no way to tell if the user is logged in as an admin. You can probably move the code for clearing the cache to after the session is created, I just haven’t taken the time to delve deeper to see if there is a reason that they clear it where they do.



It would be pretty easy to make a link for it in the admin section that calls a custom page and remove the ‘cc’ requirement, but that wouldn’t accomplish what you’re saying as far as ease of use from anywhere. I haven’t gone beyond my initial reply as far as looking into the code for it, mostly because I’m not worried about someone clearing my site’s cache. I may even disable the cache entirely depending on the results of some testing I plan to run before I go live.
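The session-based check discussed above, written out as an added example; it is not CS-Cart’s code and was not posted by anyone in this thread. It assumes the clear-cache block has been moved to run after session_start(), that the admin login stores the user type in $_SESSION['auth']['user_type'] with 'A' meaning administrator, that the admin quick-menu link is built with cache_token(), and that the store runs PHP 7 or later (for random_bytes and hash_equals).

```php
<?php
// Added example (not CS-Cart code). The ?cc trigger now requires a logged-in
// admin AND a per-session token, so an unauthenticated GET cannot clear the
// cache and a customer session cannot either.
// Assumption (not from the thread): admin logins set
// $_SESSION['auth']['user_type'] = 'A'.

session_start();

// One secret per admin session; the clear-cache link in the admin UI must be
// rendered as admin.php?cc=<this value>.
function cache_token(): string
{
    if (empty($_SESSION['cc_token'])) {
        $_SESSION['cc_token'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['cc_token'];
}

// True only when the session belongs to an admin and the ?cc value matches the
// session token. A bare ?cc, a guessed value, or a non-admin session fails.
function cache_clear_allowed(array $session, array $query): bool
{
    $is_admin = isset($session['auth']['user_type'])
        && $session['auth']['user_type'] === 'A';
    if (!$is_admin || !isset($query['cc'], $session['cc_token'])) {
        return false;
    }
    // Constant-time comparison: a wrong token is not distinguishable by timing.
    return hash_equals($session['cc_token'], (string) $query['cc']);
}

// Replacement for the unguarded block from init.php quoted earlier in the
// thread; fn_rm, DIR_COMPILED and DIR_CACHE are the store's own helpers.
if (cache_clear_allowed($_SESSION, $_GET)) {
    fn_rm(DIR_COMPILED, false);
    fn_rm(DIR_CACHE, false);
    // Rotate the token so the link cannot be replayed from browser history.
    unset($_SESSION['cc_token']);
} elseif (isset($_GET['cc'])) {
    // Rejected attempts are worth logging: unauthenticated ?cc hits are
    // exactly the traffic the original code let through.
    error_log('Rejected cache-clear request from '
        . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
}
```

Because the token lives in the session rather than in the code, a leaked URL stops working as soon as the admin logs out, which the “rename cc to a secret word” workaround cannot offer.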