
New configuration process allows for a very easy unsecure installation

Open ghost opened this issue 5 years ago • 4 comments

Baikal version: 0.7.0+

Expected behaviour: After setting the config/baikal.yaml as an unattended install, /admin/install should be disabled.

Current behaviour: After setting the config/baikal.yaml as an unattended install, /admin/install is available and configuration values including the mysql password are available in the HTML source. In order to turn off the installation wizard you manually have to add the Specific/INSTALLATION_DISABLED file which normally is created when finishing the installation wizard.

Steps to reproduce:

  1. Unzip baikal.
  2. Instead of following installation wizard by browsing to /admin/install, add config/baikal.yaml manually.
  3. Start baikal.
  4. Browse to /admin/install and see all configuration values in HTML source without having to log in or authenticate.

I would suggest 2 changes:

  1. Include the 'installation_disabled' as a configuration option in config/baikal.yaml instead of using a separate file. Add the new configuration option 'installation disabled' to the default config with value false. Change it to true upon finishing the installation wizard. Anyone installing the project by setting config/baikal.yaml manually as an unattended install is confronted with the configuration option and will set it to true.

  2. Never, ever, ever, ever send secret configuration values to the client for any reason. Even if the /admin/install/ is available it should not show the mysql password.

Hope this helps! A huge thank you to all developers for this amazing piece of software, enabling self hosters everywhere.

EDIT: Would be happy to contribute a fix for this. But before starting, I would love some feedback on my suggested changes.

ghost, Jul 25 '20 21:07
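The two changes proposed above, as an added example in Python (not Baikal's own PHP code): a fresh install with no config opens the wizard, a config carrying `installation_disabled: true` gates it off, and nothing marked as a secret is ever rendered into the client page. The config dict and its key names are constructed assumptions rather than Baikal's real schema, and treating a missing flag as "disabled" is this example's fail-closed choice, not the proposal's default of false.

```python
# Added example, not Baikal's code: an install-wizard gate driven by a config
# flag, plus redaction of secrets before any config value reaches the client.
import html
import re
from typing import Any, Optional

# Constructed stand-in for the parsed contents of config/baikal.yaml.
# Key names are assumptions, not Baikal's real schema.
UNATTENDED_CONFIG = {
    "system": {"installation_disabled": True},
    "database": {
        "mysql_host": "db.internal",
        "mysql_username": "baikal",
        "mysql_password": "correct-horse-battery",  # constructed value
    },
}

# Keys whose values must never be sent to the client.
SECRET_KEY = re.compile(r"(pass(word)?|secret|token|key)$", re.IGNORECASE)


def wizard_allowed(config: Optional[dict]) -> bool:
    """Suggestion 1: the installer runs only on a fresh install (no config
    yet) or when the config explicitly says installation_disabled: false.
    A config with the flag missing is treated as disabled (fail closed)."""
    if config is None:
        return True
    return config.get("system", {}).get("installation_disabled", True) is False


def redact(value: Any) -> Any:
    """Suggestion 2: replace every secret-looking value, recursively."""
    if isinstance(value, dict):
        return {k: ("[redacted]" if SECRET_KEY.search(k) else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def render_install_form(config: Optional[dict]) -> Optional[str]:
    """Return the HTML the client would receive, or None when the wizard is
    gated off. Only redacted values ever reach the template."""
    if not wizard_allowed(config):
        return None
    rows = []
    for section, values in redact(config or {}).items():
        if not isinstance(values, dict):
            continue
        for key, val in values.items():
            rows.append(f'<input name="{section}.{key}" value="{html.escape(str(val))}">')
    return "\n".join(rows)
```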

In Baikal 0.8.0 the /admin/install link even shows the MySQL password when the file Specific/INSTALLATION_DISABLED exists. This seems serious.

lje, Feb 03 '21 15:02

I don't see any password on my install.

Tntdruid, Feb 03 '21 15:02

Ok, got the error on my side. The file has to be named

Specific/INSTALL_DISABLED

not

Specific/INSTALLATION_DISABLED (as mentioned in starting post)

lje, Feb 03 '21 16:02

Can't believe it, we can see all info from configuration (host, password etc...)

ebuildy, Jan 25 '23 16:01