For enhanced security it is recommended to configure Redis to only accept connections with a password. (http://redis.io/topics/security) This is especially critical since Redis supports the LUA scripting language and thus a simple SSRF vulnerability (as proven in http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/ for example) may lead to a remote code execution.tags/v9.0beta1
@@ -879,11 +879,16 @@ $CONFIG = array( | |||
/** | |||
* Connection details for redis to use for memory caching. | |||
* | |||
* For enhanced security it is recommended to configure Redis | |||
* to require a password. See http://redis.io/topics/security | |||
* for more information. | |||
*/ | |||
'redis' => array( | |||
'host' => 'localhost', // can also be a unix domain socket: '/tmp/redis.sock' | |||
'port' => 6379, | |||
'timeout' => 0.0, | |||
'password' => '', // Optional, if not defined no password will be used. | |||
'dbindex' => 0, // Optional, if undefined SELECT will not run and will use Redis Server's default DB Index. | |||
), | |||
@@ -56,6 +56,9 @@ class Redis extends Cache implements IMemcache { | |||
} | |||
self::$cache->connect($host, $port, $timeout); | |||
if(isset($config['password']) && $config['password'] !== '') { | |||
self::$cache->auth($config['password']); | |||
} | |||
if (isset($config['dbindex'])) { | |||
self::$cache->select($config['dbindex']); |