From 78cad94ff4676ef401d2a75c8448f3726deefd18 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@owncloud.com>
Date: Fri, 30 Oct 2015 20:19:23 +0100
Subject: Add support for Redis password auth

For enhanced security it is recommended to configure Redis to only accept connections with a password. (http://redis.io/topics/security)

This is especially critical since Redis supports the LUA scripting language and thus a simple SSRF vulnerability (as proven in http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/ for example) may lead to a remote code execution.
---
 config/config.sample.php | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'config')

diff --git a/config/config.sample.php b/config/config.sample.php
index 288e3a01cff..02e5aba3e94 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -879,11 +879,16 @@ $CONFIG = array(
 
 /**
  * Connection details for redis to use for memory caching.
+ *
+ * For enhanced security it is recommended to configure Redis
+ * to require a password. See http://redis.io/topics/security
+ * for more information.
  */
 'redis' => array(
 	'host' => 'localhost', // can also be a unix domain socket: '/tmp/redis.sock'
 	'port' => 6379,
 	'timeout' => 0.0,
+	'password' => '', // Optional, if not defined no password will be used.
 	'dbindex' => 0, // Optional, if undefined SELECT will not run and will use Redis Server's default DB Index.
 ),
 
-- 
cgit v1.2.3