From a57f153ad78a82c815d3789357f43053f23a42ce Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Fri, 30 Oct 2015 20:19:23 +0100
Subject: Add support for Redis password auth

For enhanced security it is recommended to configure Redis to only accept connections with a password. (http://redis.io/topics/security) This is especially critical since Redis supports the LUA scripting language and thus a simple SSRF vulnerability (as proven in http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/ for example) may lead to a remote code execution.
---
 lib/private/memcache/redis.php | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'lib/private/memcache')
diff --git a/lib/private/memcache/redis.php b/lib/private/memcache/redis.php
index 21477798059..83be662eabf 100644
--- a/lib/private/memcache/redis.php
+++ b/lib/private/memcache/redis.php
@@ -56,6 +56,9 @@ class Redis extends Cache implements IMemcache {
 }
 self::$cache->connect($host, $port, $timeout);
+ if(isset($config['password']) && $config['password'] !== '') {
+ self::$cache->auth($config['password']);
+ }
 if (isset($config['dbindex'])) {
 self::$cache->select($config['dbindex']);
--
cgit v1.2.3
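Review bot: The result of `self::$cache->auth($config['password'])` in the added block is ignored, so a wrong or rejected password goes unnoticed here and execution continues into `select()` and the later cache calls, which would then fail with a less obvious error. As far as I know phpredis signals a failed AUTH through a false return value (or an exception, depending on the extension version), so I would fail closed at this point: `if (!self::$cache->auth($config['password'])) { throw new \RuntimeException('Redis authentication failed'); }`. Keep the password out of the exception message, and check that logged stack traces do not record the argument of `auth()`. The enclosing method starts and ends outside the hunk, so whether a caller already handles a failed connection cannot be seen from here. The new `password` key should also be documented wherever the `dbindex` key is described, with a note that an empty string disables authentication.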