Disable/enable plugin uploads in config file

[henriquejsfj]

PKP softwares are greatly extensible by plugins and allow admins to upload new (custom) plugins.

However, the ability of running arbitrary code may allow running malicious code.
An attacker may use its resources to get access to the admin account and then upload a malicious plugin (for example, a web shell).

Other softwares like Drupal and Wordpress have suffered with it, although the only effort I saw to avoid it was Drupal Security Review.

My proposal is to add an option in the config.inc.php file like:

; Enable site admin to upload a new plugin
upload_plugin = On

So, setting to Off would revoke site admin permission at uploadPlugin.

I bet most installations don't need to upload a plugin every week, and if I had this option I would certainly set to Off.

Although disabling uploads may reduce the flexibility since it limits the ability to use custom plugins that might not be available in the official repository, an admin may enable it temporally to do its upload and disable again after.

With this suggestion I assume that for an attacker accessing the server is much more difficult than accessing admin account.

Pros:

• Enhanced Security: Disabling uploads reduces the attack surface and makes it harder for attackers to inject malicious code.
• Increased Control: Administrators can choose the level of risk they're comfortable with.

[asmecher]

@henriquejsfj, I'd support a feature add like this.

[jonasraoni]

I think the implementation is simple and I don't see any drawback, as long as it's disabled by default, even when the setting is not present on the config file (for the users that fail to update their config.inc.php properly).

Installing from the plugin gallery should be safer, but I think it's not a big deal to allow an admin to disable it as well, then perhaps something like:

install_plugins = on/safe/off

A separated setting for upgrades could be useful (e.g. allow upgrading plugins that were "approved")

upgrade_plugins = on/safe/off