mirror of
https://github.com/ChristianLight/tutor.git
synced 2024-12-12 14:17:46 +00:00
security: disable python-evaluated input by default
As described in issue #284, tutor does not come with codejail enabled out of the box. Actually, we don't even have a working plugin, yet. To prevent users from running unsafe code, we explicitely disable python-evaluated input by disabling the "python" interpreter. This might break some courses; thus, this is a non-backward compatible change.
This commit is contained in:
parent
58c77ad3fb
commit
a79d194bbc
@ -4,7 +4,8 @@ Note: Breaking changes between versions are indicated by "💥".
|
||||
|
||||
## Unreleased
|
||||
|
||||
- [Bugfix] Fix discussion notification not work.
|
||||
- 💥[Security] Disable python-evaluated input by default as we don't run codejail.
|
||||
- [Bugfix] Fix missing discussion notifications.
|
||||
- [Improvement] Better error logging when loading a plugin from an incompatible version.
|
||||
|
||||
## v11.2.11 (2021-05-18)
|
||||
|
@ -136,5 +136,15 @@ JWT_AUTH["JWT_ISSUERS"] = [
|
||||
}
|
||||
]
|
||||
|
||||
# Disable codejail support
|
||||
# explicitely configuring python is necessary to prevent unsafe calls
|
||||
import codejail.jail_code
|
||||
codejail.jail_code.configure("python", "nonexistingpythonbinary", user=None)
|
||||
# another configuration entry is required to override prod/dev settings
|
||||
CODE_JAIL = {
|
||||
"python_bin": "nonexistingpythonbinary",
|
||||
"user": None,
|
||||
}
|
||||
|
||||
{{ patch("openedx-common-settings") }}
|
||||
######## End of settings common to LMS and CMS
|
||||
|
Loading…
Reference in New Issue
Block a user