Module Loader Restrictions
SugarCRM’s hosting objective is to maintain the integrity of the standard Sugar functionality when we upgrade a customer instance, and limit any negative impact our upgrade has on the customer’s modifications. All instances hosted on OnDemand have package scanner enabled by default. This setting is not configurable and all packages must pass the package scan for installation to the OnDemand environment.
Access Controls
The Module Loader includes a Module Scanner, which grants system administrators the control they need to determine the precise set of actions that they are willing to offer in their hosting environment. This feature is available in all editions of Sugar. Anyone who is hosting Sugar products can advantage of this feature as well.
The specific Module Loader restrictions for the Sugar Open Cloud are documented in the Sugar Knowledge Base.
Enable Package Scan
Scanning is disabled in default installations of Sugar, and can be enabled through a configuration setting. This setting is added to config.php or config_override.php, and is not available to Administrator users to modify through the Sugar interface. Please note that this setting can only be managed on an On-Site deployment and cannot be disabled for the OnDemand environment.
To enable Package Scan and its associated scans, add this setting to config_override.php:
$sugar_config['moduleInstaller']['packageScan'] = true;
There are two categories of access controls now available:
- File scanning
- Module Loader actions
Enable File Scan
By enabling Package Scan, File Scan will be performed on all files in the package uploaded through Module Loader. File Scan will be performed when a Sugar administrator attempts to install the package. Please note that these settings can only be managed on an on-site deployment. These settings are not permitted to be modified when hosted on OnDemand.
File Scan performs three checks:
- File extension must be in the approved list of valid extension types.
- The default list of valid extension types are detailed below:
- css
- gif
- hbs
- htm
- html
- jpg
- js
- md5
- php
- png
- tpl
- txt
- xml
- The default list of valid extension types are detailed below:
- Files do not contain classes that are considered suspicious, based on a blacklist:
- Variable classes are not permitted. i.e $class().
- The default list of blacklisted classes are:
- lua
- pclzip
- reflection
- reflectionclass
- reflectionexception
- reflectionextension
- reflectionfunction
- reflectionfunctionabstract
- reflectionmethod
- reflectionobject
- reflectionparameter
- reflectionproperty
- reflectionzendextension
- reflector
- splfileinfo
- splfileobject
- ziparchive
- Files do not contain function calls that are considered suspicious.
- Variable functions are not permitted. i.e $func().
- Backticks (`) are never allowed by File Scan.
- The default list of blacklisted PHP functions are:
- addfunction
- addserver
- array_diff_uassoc
- array_diff_ukey
- array_filter
- array_intersect_uassoc
- array_intersect_ukey
- array_map
- array_reduce
- array_udiff
- array_udiff_assoc
- array_udiff_uassoc
- array_uintersect
- array_uintersect_assoc
- array_uintersect_uassoc
- array_walk
- array_walk_recursive
- call_user_func
- call_user_func
- call_user_func_array
- call_user_func_array
- chdir
- chgrp
- chmod
- chroot
- chwown
- clearstatcache
- construct
- consume
- consumerhandler
- copy
- copy_recursive
- create_cache_directory
- create_custom_directory
- create_function
- dir
- disk_free_space
- disk_total_space
- diskfreespace
- eio_busy
- eio_chmod
- eio_chown
- eio_close
- eio_custom
- eio_dup2
- eio_fallocate
- eio_fchmod
- eio_fchown
- eio_fdatasync
- eio_fstat
- eio_fstatvfs
- eio_fsync
- eio_ftruncate
- eio_futime
- eio_grp
- eio_link
- eio_lstat
- eio_mkdir
- eio_mknod
- eio_nop
- eio_open
- eio_read
- eio_readahead
- eio_readdir
- eio_readlink
- eio_realpath
- eio_rename
- eio_rmdir
- eio_sendfile
- eio_stat
- eio_statvfs
- eio_symlink
- eio_sync
- eio_sync_file_range
- eio_syncfs
- eio_truncate
- eio_unlink
- eio_utime
- eio_write
- error_log
- escapeshellarg
- escapeshellcmd
- eval
- exec
- fclose
- fdf_enum_values
- feof
- fflush
- fgetc
- fgetcsv
- fgets
- fgetss
- file
- file_exists
- file_get_contents
- file_put_contents
- fileatime
- filectime
- filegroup
- fileinode
- filemtime
- fileowner
- fileperms
- filesize
- filetype
- flock
- fnmatch
- fopen
- forward_static_call
- forward_static_call_array
- fpassthru
- fputcsv
- fputs
- fread
- fscanf
- fseek
- fstat
- ftell
- ftruncate
- fwrite
- get
- getbykey
- getdelayed
- getdelayedbykey
- getimagesize
- glob
- header_register_callback
- ibase_set_event_handler
- ini_set
- is_callable
- is_dir
- is_executable
- is_file
- is_link
- is_readable
- is_uploaded_file
- is_writable
- is_writeable
- iterator_apply
- lchgrp
- lchown
- ldap_set_rebind_proc
- libxml_set_external_entity_loader
- link
- linkinfo
- lstat
- mailparse_msg_extract_part
- mailparse_msg_extract_part_file
- mailparse_msg_extract_whole_part_file
- mk_temp_dir
- mkdir
- mkdir_recursive
- move_uploaded_file
- newt_entry_set_filter
- newt_set_suspend_callback
- ob_start
- open
- opendir
- parse_ini_file
- parse_ini_string
- passthru
- passthru
- pathinfo
- pclose
- pcntl_signal
- popen
- preg_replace_callback
- proc_close
- proc_get_status
- proc_nice
- proc_open
- readdir
- readfile
- readline_callback_handler_install
- readline_completion_function
- readlink
- realpath
- realpath_cache_get
- realpath_cache_size
- register_shutdown_function
- register_tick_function
- rename
- rewind
- rmdir
- rmdir_recursive
- session_set_save_handler
- set_error_handler
- set_exception_handler
- set_file_buffer
- set_local_infile_handler
- set_time_limit
- setclientcallback
- setcompletecallback
- setdatacallback
- setexceptioncallback
- setfailcallback
- setserverparams
- setstatuscallback
- setwarningcallback
- setworkloadcallback
- shell_exec
- spl_autoload_register
- sqlite_create_aggregate
- sqlite_create_function
- sqlitecreateaggregate
- sqlitecreatefunction
- stat
- sugar_chgrp
- sugar_chmod
- sugar_chown
- sugar_file_put_contents
- sugar_file_put_contents_atomic
- sugar_fopen
- sugar_mkdir
- sugar_rename
- sugar_touch
- sybase_set_message_handler
- symlink
- system
- tempnam
- timestampnoncehandler
- tmpfile
- tokenhandler
- touch
- uasort
- uksort
- umask
- unlink
- unzip
- unzip_file
- usort
- write_array_to_file
- write_encoded_file
- xml_set_character_data_handler
- xml_set_default_handler
- xml_set_element_handler
- xml_set_end_namespace_decl_handler
- xml_set_external_entity_ref_handler
- xml_set_notation_decl_handler
- xml_set_processing_instruction_handler
- xml_set_start_namespace_decl_handler
- xml_set_unparsed_entity_decl_handler
- The default list of blacklisted class functions are:
- SugarLogger::setLevel
- SugarAuotLoader::put
- SugarAuotLoader::unlink
Modifying File Scan
To disable File Scan, add the following configuration setting to config_override.php:
$sugar_config['moduleInstaller']['disableFileScan'] = false;
To add more file extensions to the approved list of valid extension types, add the file extensions to the validExt array. The example below adds a .log file extension and .htaccess to the valid extension type list in config_override.php:
$sugar_config['moduleInstaller']['validExt'] = array(
'log',
'htaccess'
);
To add additional function calls to the black list, add the function calls to the blackList array. The example below blocks the strlen() and strtolower() functions from being included in the package:
$sugar_config['moduleInstaller']['blackList'] = array(
'strlen',
'strtolower'
);
To override the black list and allow a specific function to be included in packages, add the function call to the blackListExempt array. The example below removes the restriction for the file_put_contents() function, allowing it to be included in the package:
$sugar_config['moduleInstaller']['blackListExempt'] = array(
'file_put_contents'
);Restricted Copy
To ensure upgrade-safe customizations, it is necessary for system administrators to restrict the copy action to prevent modifying the existing Sugar source code files. New files may be added anywhere (to allow new modules to be added), but any core Sugar source code file must not be overwritten. This is enabled by default when you enable Package Scan.
To disable Restricted Copy, use this configuration setting:
$sugar_config['moduleInstaller']['disableRestrictedCopy'] = true;Module Loader Actions
- pre_execute : Called before a package is installed
- install_copy : Copies files or directories
- install_images : Install images into the custom directory
- install_menus : Installs menus to a specific page or the entire Sugar application
- install_userpage : Adds a section to the User page
- install_dashlets : Installs dashlets into the Sugar application
- install_administration : Installs an administration section into the Admin page
- install_connectors : Installs Sugar Cloud Connectors
- install_vardefs : Modifies existing vardefs
- install_layoutdefs : Modifies existing layouts
- install_layoutfields : Adds custom fields
- install_relationships : Adds relationships
- install_languages : Installs language files
- install_logichooks : Installs a new logic hook
- post_execute : Called after a package is installed
Disabling Module Loader Actions
Certain Module Loader actions may be considered less desirable than others by a System Administrator. A System Administrator may want to allow some Module Loader actions, but disable specific actions that could impact the upgrade-safe integrity of the Sugar instance.
By default, all Module Loader actions are allowed. Enabling Package Scan does not affect the Module Loader actions.
To disable specific Module Loader actions, add the action to the disableActions array. The example below restricts the pre_execute and post_execute actions:
$sugar_config['moduleInstaller']['disableActions'] = array(
'pre_execute',
'post_execute'
);Disabling Upgrade Wizard
If you are hosting Sugar and wish to lock down the upgrade wizard, you can set disable_uw_upload to true in the config_override. This is intended for hosting providers to prevent unwanted upgrades.
$sugar_config['disable_uw_upload'] = true;