Merge branch '1.11.x' of github.com:chamilo/chamilo-lms into 1.11.x

pull/2487/head
Angel Fernando Quiroz Campos 9 years ago
commit 7fc326195a
  1. app/Resources/public/css/base.css (11)
  2. documentation/security.html (32)
  3. main/inc/lib/display.lib.php (6)
  4. main/lang/french/trad4all.inc.php (28)
  5. main/template/default/layout/layout_2_col.tpl (75)

@ -6791,6 +6791,10 @@ input.form-control[type="color"] {
margin-top: 20px;
}
.col-xs-6.course-tool:nth-child(2n+1) {
clear: left;
}
/* Extra small devices (phones, less than 768px) */
/* No media query since this is the default in Bootstrap */
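Review bot: the new `.col-xs-6.course-tool:nth-child(2n+1) { clear: left; }` rule lands above the `/* Extra small devices (phones, less than 768px) */` comment even though it is the extra-small default that the later `@media (min-width: 992px)` block undoes with `clear: none`; placing it below that comment keeps the responsive course-tool rules grouped and makes the override relationship obvious to the next reader.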
@ -6811,6 +6815,13 @@ input.form-control[type="color"] {
/* Medium devices (desktops, 992px and up) */
@media (min-width: 992px) {
.col-xs-6.course-tool:nth-child(2n+1) {
clear: none;
}
.col-md-3.course-tool:nth-child(4n+1) {
clear: left;
}
div.navbar-collapse {
padding-left: 0;
}
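Review bot: `div.navbar-collapse { padding-left: 0; }` is unrelated to the course-tool clearing that this hunk adds and carries no comment; because it sits inside the `@media (min-width: 992px)` block it only takes effect on desktops, which looks intentional but should be stated in a short comment (or split into its own commit) so the two changes can be reverted independently.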

@ -23,19 +23,20 @@
<li><a href="#3.Using-safe-browsers">Using safe browsers</a></li>
<li><a href="#4.Moving-config-file">Moving your configuration file out of the web directory</a></li>
<li><a href="#5.Files-permissions">Restricting files permissions</a></li>
<li><a href="#6.HSTS">HTTP Headers Security</a></li>
</ol>
<h2><a name="1.Disclosing-server-info"></a>1. Disclosing server info</h2>
<p>
It is considered a safer behaviour not to disclose server information from your Chamilo page. In order to avoid
both web server and PHP information disclosure, you might want to take the following actions:
</p>
<ul>
<li>Locate the <i>ServerTokens</i> setting inside your Apache configuration and set it to "Prod"</li>
<li>Locate the <i>ServerSignature</i> setting inside your Apache configuration and set it to "Off"</li>
<li>Locate the <i>expose_php</i> setting inside your PHP configuration and set it to "Off"</li>
<li>Reload Apache</li>
</ul>
</p>
<h2><a name="2.Keeping-up-to-date"></a>2. Keeping up to date</h2>
<p>
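Review bot: the `</p>` that follows `</ul>` has no matching open tag (the `<p>` above the list is already closed before `<ul>`), so the new section emits malformed HTML; drop it. The new table-of-contents entry also links `#6.HSTS` for a section titled "HTTP Headers Security": every other anchor is named after its section title, and the section covers more than HSTS, so a name such as `6.HTTP-headers` used consistently in both the link and the heading would be clearer.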
@ -62,31 +63,46 @@ access to your database if that one isn't well protected and many other stuff we
move the configuration file out of your web directory. If your Chamilo installation is in /var/www/, move your
configuration to /etc/chamilo/configuration.php, for example. Then create a new app/config/configuration.php
file, open it, and write the following:</p>
<p>
<pre>
&lt;?php
require '/etc/chamilo/configuration.php';
</pre>
</p>
<p>
This will prevent direct access to your settings and make it seem totally the same to Chamilo.
</p>
<h2><a name="5.Files-permissions"></a>5. Restricting files permissions</h2>
Making all the Chamilo files world-writable will help you install quickly, and it solves many
<p>Making all the Chamilo files world-writable will help you install quickly, and it solves many
issues for people without much admin experience. However, it's more
secure to make a distinct user owner of all the chamilo files and folders,
and only give read access to the web server to all files, and write access
only to the directories previously mentioned. This way, these files need
only to the directories previously mentioned.</p>
<p>This way, these files need
only be readable and writable by the Apache process owner, not by the
entire world. It would also be advisable to make all writable directory
refuse the interpretation of PHP files (except for the root of the courses
directories). Don't hesitate to hire an experienced administrator to do that,
directories).</p>
<p>Don't hesitate to hire an experienced administrator to do that,
it might be a bit more expensive now, but you'll be happy not to have to loose
all of your data to a hacker who attacked your site.</li>
all of your data to a hacker who attacked your site.</p>
<hr />
<hr />
<h2><a name="6.HSTS">HTTP Headers Security</a></h2>
<p>A relatively recent development in web security, HTTP headers can be modified either
from the web server or from the application (like Chamilo) to increase the security
of your visitors.</p>
<p>These implies several aspects, from simple to complex, to deal with, from stuff like
indicating which websites you say media or libraries can be loaded from, to adding
extra info about your SSL certificate to make sure a hacked certification authority
will not immediately make your certificate useless.</p>
<p>In Chamilo 1.11.6, we have added several parameters, together with recommendations,
to main/install/configuration.dist.php, that you are free to use or ignore,
depending on the level of security you want to achieve.</p>>
<p>To check your portal for possible improvements in terms of headers security,
we highly recommend the <a href="https://securityheaders.io/">securityheaders.io</a>
website. If you want to read more about CSP and all related headers
security techniques, check <a href="https://scotthelme.co.uk/">Scott Helme's blog</a>.
<h2>Authors</h2>
<ul>
<li>Yannick Warnier, Zend Certified PHP Engineer, BeezNest Belgium SPRL,
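Review bot: `achieve.</p>>` has a stray `>` that will render as visible text, and the paragraph beginning "To check your portal for possible improvements" is never closed before `<h2>Authors</h2>`; fix both. The new heading `<h2><a name="6.HSTS">HTTP Headers Security</a></h2>` also breaks the pattern used by every other section (`<a name="..."></a>6. Title`, number included), and `<p><pre>...</pre></p>` around the PHP snippet is invalid nesting since `<pre>` cannot live inside `<p>`. Wording: "These implies" should read "This implies", and "loose all of your data" should read "lose". On substance, the section never names the headers it alludes to (the title suggests HSTS, the paragraphs describe Content-Security-Policy and certificate pinning) nor the `main/install/configuration.dist.php` parameters it points the reader to; listing the setting names with the recommended values would make the advice actionable instead of leaving the reader to search the dist file.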

@ -739,14 +739,14 @@ class Display
}
$size_extra = $size.'/';
// Checking the img/ folder
$icon = $w_code_path.'img/'.$image;
$theme = 'themes/chamilo/icons/';
if ($loadThemeIcon) {
$theme = 'themes/'.api_get_visual_theme().'/icons/';
if (is_file($alternateCssPath.$theme.$image)) {
$icon = $alternateWebCssPath.$theme.$image;
}
// Checking the theme icons folder example: app/Resources/public/css/themes/chamilo/icons/XXX
if (is_file($alternateCssPath.$theme.$size_extra.$image)) {
$icon = $alternateWebCssPath.$theme.$size_extra.$image;
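Review bot: the added unsized check `if (is_file($alternateCssPath.$theme.$image))` is immediately followed by the sized check on `$theme.$size_extra.$image`, which overwrites `$icon` whenever it matches, so the new assignment only acts as a fallback for themes that ship no size folder; a one-line comment stating that intent would help, and the existing comment "Checking the theme icons folder example: ..." now sits between the two checks rather than above the first. It is not visible in this hunk whether `$image` is constrained to a bare file name before it is concatenated into these filesystem paths; if it is not, applying `basename()` once at the top of the function is a cheap safeguard that keeps every `is_file()` lookup inside the icon directories.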

File diff suppressed because one or more lines are too long

@ -1,47 +1,16 @@
{% extends template ~ "/layout/page.tpl" %}
{% block body %}
<div class="row">
{% if plugin_main_top %}
<div class="row">
<div class="page-main-top" class="col-md-12">
{{ plugin_main_top }}
</div>
{% endif %}
<div class="col-md-3">
<div class="sidebar">
{% if plugin_menu_top %}
<div class="siderbar-menu-top">
{{ plugin_menu_top }}
</div>
{% endif %}
{% include template ~ "/layout/login_form.tpl" %}
{% if _u.logged == 1 %}
{{ user_image_block }}
{% endif %}
{{ profile_block }}
{{ course_block }}
{{ teacher_block }}
{{ skills_block }}
{{ certificates_search_block }}
{{ notice_block }}
{{ help_block }}
{{ navigation_course_links }}
{{ search_block }}
{{ classes_block }}
{% if plugin_menu_bottom %}
<div class="sidebar-menu-bottom">
{{ plugin_menu_bottom }}
</div>
{% endif %}
</div>
</div>
<div class="col-md-9">
<div class="row">
<div class="col-md-9 col-md-push-3">
<div class="page-content">
{% if plugin_content_top %}
<div class="page-content-top">
{{ plugin_content_top }}
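Review bot: `<div class="page-main-top" class="col-md-12">` carries two `class` attributes; browsers keep only the first, so the `col-md-12` width is silently dropped and the two values should be merged into one attribute. The sidebar block this hunk removes is re-added further down with `col-md-pull-9`, so the real change is DOM order (content before sidebar); the `siderbar-menu-top` class typo travels with the block and could be corrected while it is being moved.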
@ -90,15 +59,49 @@
{% if plugin_content_bottom %}
<div id="plugin_content_bottom">
{{plugin_content_bottom}}
{{ plugin_content_bottom }}
</div>
{% endif %}
</div>
</div>
<div class="col-md-3 col-md-pull-9">
<div class="sidebar">
{% if plugin_menu_top %}
<div class="siderbar-menu-top">
{{ plugin_menu_top }}
</div>
{% endif %}
{% include template ~ "/layout/login_form.tpl" %}
{% if _u.logged == 1 %}
{{ user_image_block }}
{% endif %}
{{ profile_block }}
{{ course_block }}
{{ teacher_block }}
{{ skills_block }}
{{ certificates_search_block }}
{{ notice_block }}
{{ help_block }}
{{ navigation_course_links }}
{{ search_block }}
{{ classes_block }}
{% if plugin_menu_bottom %}
<div class="sidebar-menu-bottom">
{{ plugin_menu_bottom }}
</div>
{% endif %}
</div>
</div>
</div>
{% if plugin_main_bottom %}
<div class="row">
<div class="page-main-bottom" class="col-md-12">
{{ plugin_main_bottom }}
</div>
</div>
{% endif %}
</div>
{% endblock %}
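Review bot: moving the sidebar after `.page-content` and relying on `col-md-push-3`/`col-md-pull-9` changes what small screens see: those classes apply only from the md breakpoint up, so below 992px the sidebar, login form included, now renders below the course content instead of above it, and that should be called out as intended in the commit message rather than left implicit in a merge commit. The same duplicate `class` attribute appears on `<div class="page-main-bottom" class="col-md-12">`; the `{{plugin_content_bottom}}` to `{{ plugin_content_bottom }}` spacing change is fine.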
