Anyone using the Mage_Backup module? #2024
Replies: 4 comments 5 replies
-
Looks like it was disabled by a security patch. I've never used it and would vote to remove it. |
Beta Was this translation helpful? Give feedback.
-
In terms of functionality I see that there are no issues. The module continues to do what it needs to do. I activated it by editing the /etc/modules/Mage_All.xml file, as well as in Blackend> Advanced> "Disable Modules Output" section. For a user who does not have access to the Terminal and does not know how to make dumps and rollbacks of the database is still useful. Its elimination must be analyzed in detail both in terms of its integration into the code and the elimination of its facilities. This is an explanation from Magento team when 1.9.4.0 was released:
At a first evaluation I would not vote to remove the module from the OpenMage code. |
Beta Was this translation helpful? Give feedback.
-
I tried to understand why this module was disabled in 1.9.4.0, given that backing up this way from Backend was a handy solution for small and medium-sized stores. The Magento team made only a brief statement: "It no longer meets compliance requirements. Saved backups should be encrypted". Instead of finding a solution to this issue they chose to disable it. Over time starting with November 2018 there have been discussions that if it is enabled it creates a security hole in Magento. This created a false impression about this module, when in fact the issue was completely different. If someone gets backups they can use the information, some of them confidential about sales, customers. If what is saved by this module is secured and protected from being accessed from outside then there would be no issues. Whoever has access to a server will not be interested in the files located in /var/backup when he can access any information in the file system and database. This module can be left alone in OpenMage and if data security over backups is ensured it can be enabled by those who need it. Reading the forums of the time there were enough who missed it. If you choose to remove it through PR #2259 please offer in README.md alternative solutions for making backups. At that time Magento showed a couple but the link is no longer available and it doesn't exist in the Internet Archive. |
Beta Was this translation helpful? Give feedback.
-
@addison74 I appreciate your investigative report. I vote to remove it as it increases the attack surface. It's a security liability. |
Beta Was this translation helpful? Give feedback.
-
Just noticed today that the Mage_Backup module is disabled by default and I'm wondering if anyone actually finds it useful or is it a dead module that can potentially be removed in the future like Compiler and others?
Beta Was this translation helpful? Give feedback.
All reactions