From c6c614b3c2e795647db13a7ea37e6f3c0ace1ab1 Mon Sep 17 00:00:00 2001 From: Evgeny Gryaznov Date: Fri, 4 Mar 2011 23:01:24 +0100 Subject: [PATCH] fix cr in .htaccess; disable drop tables; do not show change password/delete install folder if admin has password; check file permissions/checksum --- .gitignore | 1 + src/messenger/compute_resources.pl | 31 +++++- src/messenger/webim/.htaccess | 2 +- src/messenger/webim/install/dbperform.php | 4 + src/messenger/webim/install/index.php | 118 ++++++++++++++++++++-- src/messenger/webim/locales/en/properties | 3 + 6 files changed, 149 insertions(+), 10 deletions(-) diff --git a/.gitignore b/.gitignore index d493e88f..d4a3c328 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ src/messenger/.idea/workspace.xml +src/messenger/webim/install/package src/messenger/absent_* src/messenger/release* .DS_Store diff --git a/src/messenger/compute_resources.pl b/src/messenger/compute_resources.pl index 1a665b5c..e8d53830 100755 --- a/src/messenger/compute_resources.pl +++ b/src/messenger/compute_resources.pl @@ -1,5 +1,7 @@ #!/usr/bin/perl +use Digest::MD5 qw(md5 md5_hex md5_base64); + @rules = ( ["redirect(ed)?\\.tpl", 1], ["\\.tpl", 0], @@ -115,8 +117,12 @@ sub file_content($) { my $oldslash = $/; $/ = EOI; $content = ; - $content =~ s/\r//g; - close( IN1 ); + close( IN1 ); + if($content =~ s/\r//g) { + open( OUT1, "> $input") or die "cannot fix $input"; + print OUT1 $content; + close(OUT1); + } $/ = $oldslash; return $content; } @@ -153,8 +159,21 @@ sub process_php($) { } } +sub file_checksum($) { + my ($source) = @_; + if($source =~ /\.(png|gif|jpg|ico|wav)$/) { + return "-"; + } + + my $content = file_content($source); + return md5_hex($content); +} + +@allsources = (); + sub process_one($) { my($source) = @_; + push @allsources, $source unless $source =~ /$webimPath\/locales/ && $source !~ /$webimPath\/locales\/(en|names)/ || $source =~ /\/package$/; if($source !~ /\.(php|tpl)$/) { return; 
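Review bot: The in-place rewrite added to file_content() uses the two-argument `open( OUT1, "> $input")`, so the open mode is parsed out of the string and a path beginning with `>`, `|` or whitespace would be interpreted rather than opened, and the write is never checked. The paths presumably come from the script's own traversal (not visible here), so exposure is low, but the three-argument form with a lexical handle and a checked close is the safe shape: `open( my $out, '>', $input ) or die "cannot fix $input: $!"; print {$out} $content; close($out) or die "cannot write $input: $!";`. This helper now silently modifies files in the source tree whenever a CR is found; a `warn "fixed CR in $input\n";` inside the branch would make that visible in the build log. file_content()'s opening lines are outside the hunk.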
@@ -216,3 +235,11 @@ for $key(sort grep { $messagekeys{$_} == 1 } keys %messagekeys) { print OUT "$key\n"; } close( OUT ); + +open( OUT, "> $webimPath/install/package") or die "cannot write file, $!"; +for $key(sort @allsources) { + $digest = file_checksum($key); + $key =~ s/$webimPath\///; + print OUT "$key $digest\n"; +} +close( OUT ); diff --git a/src/messenger/webim/.htaccess b/src/messenger/webim/.htaccess index 7cf8aa64..4a3ca54e 100644 --- a/src/messenger/webim/.htaccess +++ b/src/messenger/webim/.htaccess @@ -1,4 +1,4 @@ SecFilterEngine Off SecFilterScanPOST Off - + diff --git a/src/messenger/webim/install/dbperform.php b/src/messenger/webim/install/dbperform.php index 7c13be46..ec5dd729 100644 --- a/src/messenger/webim/install/dbperform.php +++ b/src/messenger/webim/install/dbperform.php @@ -57,6 +57,10 @@ if ($act == "silentcreateall") { create_table($id, $link); } } else if ($act == "dt") { + + # comment this line to be able to drop tables + show_install_err("For security reasons, removing tables is disabled by default"); + foreach (array_keys($dbtables) as $id) { mysql_query("DROP TABLE IF EXISTS $id", $link) or show_install_err(' Query failed: ' . mysql_error($link)); } diff --git a/src/messenger/webim/install/index.php b/src/messenger/webim/install/index.php index 37b29a68..b6389804 100644 --- a/src/messenger/webim/install/index.php +++ b/src/messenger/webim/install/index.php 
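Review bot: The package manifest is written with the two-argument `open( OUT, "> $webimPath/install/package")` on a bareword handle and `close( OUT )` is unchecked, so a write failure on the very file that check_files() on the PHP side later verifies goes unnoticed; prefer `open( my $pkg, '>', "$webimPath/install/package" ) or die "cannot write package: $!";` and `close($pkg) or die "cannot write package: $!";`. `$key =~ s/$webimPath\///` interpolates the path as a regex; `s/\Q$webimPath\E\///` keeps any metacharacters in the path literal. The manifest line `"$key $digest\n"` is split on the first space by the PHP reader, so a relative path containing a space would be mis-parsed — worth a comment above the loop stating that limitation.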
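Review bot: The new guard in the `dt` branch only disables table removal if show_install_err() never returns; if it merely renders the error page, execution falls through to the DROP TABLE loop on the following lines. Its behaviour is not visible in this hunk, so an explicit `return;` (or `exit;`) right after the call makes the intent hold regardless. The message is also hard-coded English while the neighbouring errors go through getlocal()/show_install_err with locale keys; routing it through a locale key like the other install.* messages would be consistent, and the comment should read "comment out the next line", since it sits above the call it refers to.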
@@ -54,6 +54,90 @@ function check_webimroot() return true; } +function fpermissions($file) +{ + $perms = fileperms($file); + if (($perms & 0x8000) == 0x8000) { + $info = '-'; + } elseif (($perms & 0x4000) == 0x4000) { + $info = 'd'; + } else { + $info = '?'; + } + + // Owner + $info .= (($perms & 0x0100) ? 'r' : '-'); + $info .= (($perms & 0x0080) ? 'w' : '-'); + $info .= (($perms & 0x0040) ? + (($perms & 0x0800) ? 's' : 'x') : + (($perms & 0x0800) ? 'S' : '-')); + + // Group + $info .= (($perms & 0x0020) ? 'r' : '-'); + $info .= (($perms & 0x0010) ? 'w' : '-'); + $info .= (($perms & 0x0008) ? + (($perms & 0x0400) ? 's' : 'x') : + (($perms & 0x0400) ? 'S' : '-')); + + // World + $info .= (($perms & 0x0004) ? 'r' : '-'); + $info .= (($perms & 0x0002) ? 'w' : '-'); + $info .= (($perms & 0x0001) ? + (($perms & 0x0200) ? 't' : 'x') : + (($perms & 0x0200) ? 'T' : '-')); + + return $info; +} + +function check_files() +{ + global $page, $errors, $webimroot; + + $packageFile = dirname(__FILE__) . "/package"; + $fp = @fopen($packageFile, "r"); + if ($fp === FALSE) { + $errors[] = "Cannot open file $webimroot/install/package"; + if (file_exists($packageFile)) { + $errors[] = getlocal2("install.check_permissions", array(fpermissions($packageFile))); + } + return false; + } + + $knownFiles = array(); + while (!feof($fp)) { + $line = fgets($fp, 4096); + $keyval = preg_split("/ /", $line, 2); + if (isset($keyval[1])) { + $knownFiles[$keyval[0]] = trim($keyval[1]); + } + } + fclose($fp); + + foreach ($knownFiles as $file => $sum) { + $relativeName = dirname(__FILE__) . 
"/../$file"; + if (!is_readable($relativeName)) { + if (file_exists($relativeName)) { + $errors[] = "Cannot read file $webimroot/$file"; + $errors[] = getlocal2("install.check_permissions", array(fpermissions($relativeName))); + } else { + $errors[] = "File is absent: $webimroot/$file"; + } + return false; + } + if ($sum != "-") { + $result = md5_file($relativeName); + if ($result != $sum) { + $errors[] = "Checksum differs for $webimroot/$file"; + $errors[] = getlocal("install.check_files"); + return false; + } + } + } + + $page['done'][] = getlocal("install.0.package"); + return true; +} + function check_connection() { global $mysqlhost, $mysqllogin, $mysqlpass, $page, $errors, $webimroot; @@ -144,14 +228,28 @@ function check_columns($link) return true; } -function check_sound() { +function check_sound() +{ global $page; $page['soundcheck'] = true; $page['done'][] = getlocal2("install.5.text", array( - "".getlocal("install.5.newvisitor")."", - "".getlocal("install.5.newmessage")."" - )); + "" . getlocal("install.5.newvisitor") . "", + "" . getlocal("install.5.newmessage") . "" + )); +} + +function check_admin($link) +{ + global $mysqlprefix; + $result = mysql_query("select * from ${mysqlprefix}chatoperator where vclogin = 'admin'", $link); + if ($result) { + $line = mysql_fetch_array($result, MYSQL_ASSOC); + mysql_free_result($result); + return $line['vcpassword'] != md5(''); + } + + return false; } function check_status() @@ -162,6 +260,10 @@ function check_status() return; } + if (!check_files()) { + return; + } + $link = check_connection(); if (!$link) { return; 
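Review bot: check_files() compares digests with loose `!=` (`$sum != "-"` and `$result != $sum`): PHP compares two numeric-looking strings numerically, so hexadecimal digests of the form `0e` followed only by digits compare equal to one another and a damaged file could pass the check; use strict comparison, `if ($sum !== "-")` and `if ($result !== $sum)`. A header comment on the function should also state that the manifest lives in the same tree as the files it lists, so this detects incomplete or line-ending-mangled uploads rather than deliberate modification, and that entries with a `-` digest (the media types the Perl side skips) are only checked for presence and readability. The hunk's closing context lines belong to check_connection(), whose body continues outside the hunk.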
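Review bot: check_admin() indexes `$line['vcpassword']` without checking that a row was returned; when no `admin` operator row exists, mysql_fetch_array() yields false, the lookup is null, and `null != md5('')` is true, so the function reports a password as set and the install page hides the password-change step. Require a row and compare strictly: `return $line && $line['vcpassword'] !== md5('');`. Since only one column is read, `select vcpassword from ${mysqlprefix}chatoperator where vclogin = 'admin'` would also do.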
@@ -186,9 +288,11 @@ function check_status() $page['done'][] = getlocal("installed.message"); - $page['nextstep'] = getlocal("installed.login_link"); - $page['nextnotice'] = getlocal2("installed.notice", array("${webimroot}/install/")); - $page['nextstepurl'] = "$webimroot/"; + if (!check_admin($link)) { + $page['nextstep'] = getlocal("installed.login_link"); + $page['nextnotice'] = getlocal2("installed.notice", array("${webimroot}/install/")); + $page['nextstepurl'] = "$webimroot/"; + } $page['show_small_login'] = true; diff --git a/src/messenger/webim/locales/en/properties b/src/messenger/webim/locales/en/properties index ab9643c1..4ad88b2f 100644 --- a/src/messenger/webim/locales/en/properties +++ b/src/messenger/webim/locales/en/properties @@ -166,6 +166,7 @@ image.chat.history=/locales/en/images/history.gif image.chat.message=/locales/en/images/message.gif image.chat.sprite=/locales/en/images/wmchat.png install.0.app=Application path is {0} +install.0.package=Mibew package is verified. install.1.connected=You are connected to MySQL server version {0} install.2.create=Create database "{0}" install.2.db_exists=Database "{0}" is created. @@ -178,6 +179,8 @@ install.4.notice=Structure of your tables should be adjusted for new version of install.5.text=Click to check the sound: {0} and {1} install.5.newmessage=New Message install.5.newvisitor=New Visitor +install.check_permissions=Insufficient file permissions {0} +install.check_files=Please, re-upload files to the server. install.connection.error=Could not connect, please check server settings in config.php. Error: {0} install.done=Completed: install.err.back=Resvole problem and try again. Press back to return to wizard.
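Review bot: Placing `$page['nextnotice']` inside `if (!check_admin($link))` also suppresses the `installed.notice` message, which (judging by its `${webimroot}/install/` argument) tells the administrator to remove the install directory; dbperform.php stays reachable whether or not the admin password is set, so that notice arguably belongs outside the condition with only `nextstep`/`nextstepurl` made conditional. If the template reads `nextstep`/`nextstepurl` unconditionally they are now undefined in the has-password branch, so initialising them to an empty value before the `if` avoids undefined-index notices. check_status() continues outside the hunk.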