
Increase Variable Limit?

 
Roman Cylwa
 

Hello, 

I'm continuing from the progress that was made here: 

https://moodle.org/mod/forum/discuss.php?d=353660

To summarize: There were problems with the backup/restore functionality and this was partially resolved by increasing some PHP settings. This would work when user enrollment data was not selected and may sometimes work when it is selected, and I am looking to get this to work entirely with user enrollment data included in these backups. 

I have examined certain database tables that (I assume) go into these backups and while size limits are not a factor, variable counts likely are a factor that would affect these backups. I could try to increase php_max_input_vars but I've read elsewhere that doing so could include security risks, which I'd like to avoid. 

We're running Moodle v.3.0.9+ (another upgrade is on the way), PHP v.5.6.30, and on Windows Server 2008 - IIS 7, MS SQL Management Studio 2008.

If anyone can help out please let me know. 

Thank you in advance. 

 
Ken Task
Re: Increase Variable Limit?

According to:

http://php.net/manual/en/info.configuration.php

max_input_vars 1000 PHP_INI_PERDIR Available since PHP 5.3.9.

So that setting could be global or per directory.

If going the per directory route then one would need to figure out which directories .... would assume moodledata/temp/backup would be at least one as backups and restores use that location for creating as well as extracting parts of a backup.

'spirit of sharing', Ken


 
Roman Cylwa
Re: Increase Variable Limit?
 

Hi Ken, 

Thanks again for your response. 

If I'm understanding this correctly, I should modify the .htaccess file within my Moodle directory with the changes to max_input_vars?


 
Ken Task
Re: Increase Variable Limit?

Please see:
https://www.digitalocean.com/community/tutorials/how-to-use-the-htaccess-file
There's a security concern on that page also.

Since you run M$:
https://docs.microsoft.com/en-us/iis/application-frameworks/install-and-configure-php-on-iis/enable-per-site-php-configuration-on-iis-60-and-iis-7-and-above

Section on Enable the User-Defined INI files?

Be sure to check out the comments - first posting - dated Sept. 3 2017
by Startover909

Some reflection ...

moodledata should not be in a directory directly accessible from the web.
The only thing that should be able to interact with moodledata/temp/backup/
is Moodle code.

The making of a backup is basically queries made of DB to build the contents
of the backup file ... extension .mbz and by default is stored in
moodledata/filedir (that sea of files) OR if set, to a designated directory.
Which, would not be accessible by browser.   Only way (use that term loosely),
set up of a file system repo in one course.

The restoring of courses .... users have to upload a backup file (.mbz) which
ends up in moodledata/temp/backup/ un-compressed ... Moodle gives the un-compressed .mbz a contenthash directory and the .mbz file is un-compressed there
into the various folders/xml files moodle will use to restore the course.

Hmmmm ... if in semi paranoid mode ... maybe teachers, even admins, should not be allowed to restore courses.   Is it possible to build a .mbz moodle backup that is valid to Moodle and which Moodle would restore?   Yes.  

Ok, what could be malicious in the .mbz?   A M$ file (docx, xlsx, etc.) with a macro virus etc.?   Yes, possible ... so that would mean you need to run antivirus on server and setup Moodle to use it on all uploaded files ... not just backups.

Will an .exe file, if allowed to be uploaded, execute on the web server or on the workstation of the user/browser that attempted to execute it?

Bottom line .. moodle is very concerned and has always been concerned about security.  Even to the point where some functionality is lost.

So ... maybe you should:
1. run a good antivirus package on the server and make sure its virus definitions
are always up to date.

2. don't trust Moodle code and have some sort of powershell script that runs a virus scan of moodledata/temp/ and of the sea of files in moodledata/filedir/ - only the new files ... not the ones that have been there and scanned previously.

3. always keep your moodle code up-to-date.

#3 has been the issue with most sites running open source ... be it Moodle, or Joomla, or WordPresses, or ... whatever ... never has and probably will never be an 'install it once and forget it'!

All of the above ... deferred to any Moodle HQ Security person or Moodle Community
Security person especially versed in Windows platform.

'spirit of sharing', Ken

 
Roman Cylwa
Re: Increase Variable Limit?
 

Thanks Ken, 

This is an interesting read but I'm still not entirely clear on what my next actions should be. There are plans for us to upgrade Moodle again in the near-future and we do run anti-virus software scans on this server regularly. 

As always, your help is appreciated. 

 
Ken Task
Re: Increase Variable Limit?

Let's review this thread ...

it begins with

"I could try to increase php_max_input_vars but I've read elsewhere that doing so could include security risks, which I'd like to avoid."

Initial response informed max_input_vars setting was a per directory ... and could be applied via .htaccess in the directory where you want the value to increase or via php.ini in directory where you want that value to increase.

I assumed you were concerned about security risks ... and tried to link to things related to 'security risks' which was a poor attempt to say ... 'everything has an element of risk' on port 80 these days.

But ... moodle security is pretty good ... moodledata should be well protected ... only php scripts from moodle code related to backups/restores would have access (unless you as the administrator of that server have done something to allow).

See:

https://www.cvedetails.com/vulnerability-list/vendor_id-2105/product_id-3590/Moodle-Moodle.html

Look down the list ... note the version of Moodle and see if any involve (specifically) max_input_vars and moodledata or just moodledata

https://www.cvedetails.com/google-search-results.php?q=moodle+moodledata&sa=Search

Please see:

https://docs.moodle.org/33/en/Security_recommendations

note that is for 3.3 ... and from everything one can read about reasons for security breaches and how to prevent them, think you'll find that the #1 recommendation is to always keep software up to date.

Administration of your server is up to you ...  the method by which you address those security concerns is up to you also ... that's really the bottom line. ;)

'spirit of sharing', Ken

 
Roman Cylwa
Re: Increase Variable Limit?
 

Hi again,

I will be working on this from a test server and if it's successful and the security risks are viable then we'll apply this same technique to the production server.

I have modified the php.ini file to include [PATH=C:\My_Moodle_Directory] and when I compare the phpinfo values for localhost and for this directory I do see the differences between the local and master values for max_input_vars settings. When I restart the server and launch Moodle I will get an error stating a 'database driver problem detected' and 'Microsoft Drivers for SQL Server for PHP are not installed or not configured properly'. I've checked and the drivers are good on the test server and when I comment the [PATH=] in php.ini and restart this problem is gone.

Any idea why Moodle may be behaving this way or how to proceed from here?

Thanks again.

 
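One thing to check for the symptom in the last post, as an added example that is not part of the thread: PHP assigns every directive after a `[PATH=...]` or `[HOST=...]` header to that section until the next section header, and does not load `extension=` lines found there. The Python sketch below audits a php.ini for that and reports where `max_input_vars` is raised. The sample ini text, the `php_sqlsrv_56_nts.dll` file name and the function name `audit_php_ini` are constructed for illustration.

```python
import re

# Constructed sample: the [PATH=] block sits above the extension list.
SAMPLE_INI = r"""
[PHP]
max_input_vars = 1000

[PATH=C:\My_Moodle_Directory]
max_input_vars = 5000
extension = php_sqlsrv_56_nts.dll

[Date]
date.timezone = UTC
"""

SECTION = re.compile(r"^\[(.*)\]$")
SCOPED = re.compile(r"^(PATH|HOST)\s*=", re.I)
DIRECTIVE = re.compile(r"^([A-Za-z_][\w.]*)\s*=\s*(.*)$")
NOT_PER_DIR = {"extension", "zend_extension"}  # loaded from global scope only


def audit_php_ini(text):
    """Return (max_input_vars per scope, extension lines PHP will skip)."""
    scope = "global"  # ordinary headers such as [PHP] or [Date] are global
    limits, skipped = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION.match(line)
        if m:
            # Only [PATH=...] and [HOST=...] open a per-directory scope;
            # any other header returns the parser to global scope.
            header = m.group(1).strip()
            scope = header if SCOPED.match(header) else "global"
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        name = m.group(1).lower()
        value = m.group(2).split(";")[0].strip().strip('"')
        if name in NOT_PER_DIR and scope != "global":
            skipped.append((lineno, scope, value))
        elif name == "max_input_vars" and value.isdigit():
            limits[scope] = int(value)
    return limits, skipped


if __name__ == "__main__":
    print(audit_php_ini(SAMPLE_INI))
```

If the second element of the result is non-empty, moving the `[PATH=...]` block to the end of php.ini, after every `extension=` line, keeps the raised limit scoped to that directory while the drivers load from global scope again.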