author | Lukas Reschke <lukas@owncloud.com> | 2015-10-30 20:19:23 +0100 |
---|---|---|
committer | Vincent Petry <pvince81@owncloud.com> | 2015-11-23 17:14:39 +0100 |
commit | a57f153ad78a82c815d3789357f43053f23a42ce (patch) | |
tree | 71cfaf1bfdd8e5568c50064c3e2deed905999d9d /config | |
parent | b2d9a3a08dbca7f5376c5dd65414f5a73671dbf2 (diff) | |
Add support for Redis password auth
For enhanced security it is recommended to configure Redis to only accept connections with a password. (http://redis.io/topics/security)
This is especially critical since Redis supports the LUA scripting language and thus a simple SSRF vulnerability (as proven in http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/ for example) may lead to a remote code execution.
Diffstat (limited to 'config')
-rw-r--r-- | config/config.sample.php | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/config/config.sample.php b/config/config.sample.php index 288e3a01cff..02e5aba3e94 100644 --- a/config/config.sample.php +++ b/config/config.sample.php @@ -879,11 +879,16 @@ $CONFIG = array( /** * Connection details for redis to use for memory caching. + * + * For enhanced security it is recommended to configure Redis + * to require a password. See http://redis.io/topics/security + * for more information. */ 'redis' => array( 'host' => 'localhost', // can also be a unix domain socket: '/tmp/redis.sock' 'port' => 6379, 'timeout' => 0.0, + 'password' => '', // Optional, if not defined no password will be used. 'dbindex' => 0, // Optional, if undefined SELECT will not run and will use Redis Server's default DB Index. ), |
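
Review bot: The added `'password' => ''` line defines the key as an empty string, but its comment describes the "not defined" case, so the sample does not say whether an empty string means "skip authentication" or "authenticate with an empty password". Since the diffstat is limited to 'config', the consuming code is not visible here; either comment the line out in the sample or reword the comment to say that an empty value is treated the same as an undefined one, and confirm the cache code does that. The docblock addition could also state that the value has to match the password configured on the Redis server (`requirepass`), so an admin reading only this file knows both sides must be set.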