Background

SugarCRM’s hosting objective is to maintain the integrity of the standard Sugar functionality when we upgrade a customer instance, and limit any negative impact our upgrade has on the customer’s modifications.

Prior to Sugar 5.2.0j (Patch J), Module Loader did not have the ability to detect whether the changes being uploaded are deemed “upgrade-safe”. For example, if a customer were to upload a module that modified standard Sugar functionality, an upgrade of the instance (new patch, new release) could impact those modifications, resulting in a production problem for the customer.

Modifications using the rest of the Developer Tools section of Admin are considered upgrade-safe. This includes Studio, Module Builder, and Workflow.

New Access Controls

Sugar 5.2.0j (Patch J) introduces a new Module Loader feature, the Module Scanner.  Module Scanner grants system administrators the control they need to determine the precise set of actions that they’re willing to offer in their hosting environment.  This feature will be available in all editions of Sugar, and will be put into action by the Sugar Open Cloud.  Anyone else who is hosting Sugar products will have the opportunity to take advantage of this feature as well.  This feature will also be available in Sugar 5.5.0 RC1 and later versions of Sugar.

The specific Module Loader restrictions for the Sugar Open Cloud are documented in the Sugar Knowledge Base.

Enable Package Scan

Scanning is disabled in default installations of Sugar, and can be enabled through a configuration setting.  This setting is added to config.php or config_override.php, and is not available to Administrator users to modify through the Sugar interface.

To enable Package Scan and its associated scans, add this setting to config.php or config_override.php:

$GLOBALS[‘sugar_config’][‘moduleInstaller’][‘packageScan’] = true;

There are two categories of access controls now available:

1. File scanning
2. Module Loader actions

Enable File Scan

By enabling Package Scan, File Scan will be performed on all files in the package uploaded through Module Loader.  File Scan will be performed when a Sugar administrator attempts to install the package.

File Scan performs two types of checks:

1. File extension must be in the approved list of valid extension types
   1. The default list of valid extension types is detailed in Appendix A.
   2. Files do not contain function calls that are considered suspicious, based on a blacklist.
      1. Backticks (`) are never allowed by File Scan.
      2. The default blacklist of functions is detailed in Appendix B.

To disable File Scan, add the following configuration setting to config.php or config_override.php:

$GLOBALS[‘sugar_config’][‘moduleInstaller’][‘disableFileScan’] = true;

To add more file extensions to the approved list of valid extension types, add the file extensions to the validExt array. The example below adds a .log file extension and .htaccess to the valid extension type list:

$GLOBALS[‘sugar_config’][‘moduleInstaller’][‘validExt’] = array(‘log’, ‘htaccess’);

To add additional function calls to the black list, add the function calls to the blackList array.  The example below blocks the strlen() and strtolower() functions from being included in the package:

$GLOBALS[‘sugar_config’][‘moduleInstaller’][‘blackList’] = array(‘strlen’, ‘strtolower’);

To override the black list and allow a specific function to be included in packages, add the function call to the  blackListExempt array.  The example below removes the restriction for the file_put_contents() function, allowing it to be included in the package:

$GLOBALS[‘sugar_config’][‘moduleInstaller’]['blackListExempt’] = array(‘file_put_contents’);

Disable Module Loader Actions

Certain Module Loader actions may be considered less desirable than others to a system administrator.  A system administrator may wish to allow some Module Loader actions, but disable specific actions that could impact the upgrade-safe integrity of the Sugar instance.

By default, all Module Loader actions are allowed.  Enabling Package Scan does not affect the Module Loader actions.

To disable specific Module Loader actions, add the action to the disableActions array.  The example below restricts the pre_execute and post_execute actions:

$GLOBALS[‘sugar_config’][‘moduleInstaller’][‘disableActions’] = array(‘pre_execute’, ‘post_execute’);

A list of all actions available in Module Loader is detailed in Appendix C.

Edit, 2009-08-27, 11:30am:  An additional configuration parameter is also now available in Sugar 5.2.0j.

$GLOBALS['sugar_config']['disable_uw_upload'] = true;

This configuration parameter blocks the upload capabilities of the Upgrade Wizard, intended for hosting providers.  It behaves similarly to the use_common_ml_dir parameter for Module Loader.

Restricted Copy

To ensure upgrade-safe customizations, it is necessary for system administrators to restrict the copy action to prevent modifying the existing Sugar source code files.  New files may be added anywhere (to allow new modules to be added), but any core Sugar source code file may not be overwritten.  This is enabled by default when you enable Package Scan.

To disable Restricted Copy, use this configuration setting:

$GLOBALS[‘sugar_config’][‘moduleInstaller’][‘disableRestrictedCopy’] = true;

Appendix A – Default Valid File Extensions

1. png
2. gif
3. jpg
4. css
5. js
6. php
7. txt
8. html
9. htm
10. tpl
11. md5
12. pdf

Appendix B – Default Blacklist of Functions

1. eval
2. exec
3. system
4. shell_exec
5. passthru
6. chgrp
7. chmod
8. chown
9. file_put_contents
10. file
11. fileatime
12. filectime
13. filegroup
14. fileinode
15. filemtime
16. fileowner
17. fileperms
18. fopen
19. is_executable
20. is_writable
21. is_writeable
22. lchgrp
23. lchown
24. linkinfo
25. lstat
26. mkdir
27. parse_ini_file
28. rmdir
29. stat
30. tempnam
31. touch
32. ulink
33. getimagesize
34. copy
35. link
36. rename
37. symlink
38. move_uploaded_file
39. chdir
40. chroot
41. sugar_chown
42. sugar_fopen
43. sugar_mkdir
44. sugar_file_put_contents
45. sugar_chgrp
46. sugar_chmod
47. sugar_touch

Appendix C – Module Loader Actions

1. pre_execute – Called before a package is installed
2. install_mkdirs – Creates directories
3. install_copy – Copies files or directories
4. install_images – Install images into the custom directory
5. install_menus – Installs menus to a specific page or the entire Sugar application
6. install_userpage – Adds a section to the User page
7. install_dashlets – Installs dashlets into the Sugar application
8. install_administration – Installs an administration section into the Admin page
9. install_connectors – Installs Sugar Cloud Connectors
10. install_vardefs – Modifies existing vardefs
11. install_layoutdefs – Modifies existing layouts
12. install_layoutfields – Adds custom fields
13. install_relationships – Adds relationships
14. install_languages – Installs language files
15. install_logichooks – Installs a new logic hook
16. post_execute – Called after a package is installed

This entry was posted on Friday, August 14th, 2009 at 7:35 am and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.