From 15d4db3b4a7dbc9a7e089f9329a396f8408ed7d9 Mon Sep 17 00:00:00 2001 From: Damian Mooyman Date: Wed, 17 Feb 2016 17:30:51 +1300 Subject: [PATCH] [ss-2015-028] Block unauthenticated access to dev/build/defaults --- dev/DevelopmentAdmin.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dev/DevelopmentAdmin.php b/dev/DevelopmentAdmin.php index 348391085..55584cb20 100644 --- a/dev/DevelopmentAdmin.php +++ b/dev/DevelopmentAdmin.php @@ -33,7 +33,8 @@ class DevelopmentAdmin extends Controller { parent::init(); // Special case for dev/build: Defer permission checks to DatabaseAdmin->init() (see #4957) - $requestedDevBuild = (stripos($this->getRequest()->getURL(), 'dev/build') === 0); + $requestedDevBuild = (stripos($this->getRequest()->getURL(), 'dev/build') === 0) + && (stripos($this->getRequest()->getURL(), 'dev/build/defaults') === false); // We allow access to this controller regardless of live-status or ADMIN permission only // if on CLI. Access to this controller is always allowed in "dev-mode", or of the user is ADMIN.