fix cr in .htaccess; disable drop tables; do not show change password/delete install folder if admin has password; check file permissions/checksum

2025-10-03 00:03:34 +03:00 · 2011-03-04 23:01:24 +01:00 · 2011-03-04 23:01:24 +01:00 · c6c614b3c2
commit c6c614b3c2
parent f832e38e75
6 changed files with 149 additions and 10 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,5 @@
 src/messenger/.idea/workspace.xml
+src/messenger/webim/install/package
 src/messenger/absent_*
 src/messenger/release*
 .DS_Store
--- a/src/messenger/compute_resources.pl
+++ b/src/messenger/compute_resources.pl
@ -1,5 +1,7 @@
 #!/usr/bin/perl

+use Digest::MD5 qw(md5 md5_hex md5_base64);
+
@rules = (
 	["redirect(ed)?\\.tpl", 1],
 	["\\.tpl", 0],
@ -115,8 +117,12 @@ sub file_content($) {
 	my $oldslash = $/;
 	$/ = EOI;
 	$content = <IN1>;
-	$content =~ s/\r//g;
-	close( IN1 );
+    close( IN1 );
+	if($content =~ s/\r//g) {
+	    open( OUT1, "> $input") or die "cannot fix $input";
+	    print OUT1 $content;
+	    close(OUT1);
+	}
 	$/ = $oldslash;
 	return $content;
 }
@ -153,8 +159,21 @@ sub process_php($) {
 	}
 }

+sub file_checksum($) {
+    my ($source) = @_;
+    if($source =~ /\.(png|gif|jpg|ico|wav)$/) {
+    	return "-";
+    }
+
+    my $content = file_content($source);
+    return md5_hex($content);
+}
+
+@allsources = ();
+
 sub process_one($) {
 	my($source) = @_;
+	push @allsources, $source unless $source =~ /$webimPath\/locales/ && $source !~ /$webimPath\/locales\/(en|names)/ || $source =~ /\/package$/;

 	if($source !~ /\.(php|tpl)$/) {
 		return;
@ -216,3 +235,11 @@ for $key(sort grep { $messagekeys{$_} == 1 } keys %messagekeys) {
 	print OUT "$key\n";
 }
 close( OUT );
+
+open( OUT, "> $webimPath/install/package") or die "cannot write file, $!";
+for $key(sort @allsources) {
+    $digest = file_checksum($key);
+    $key =~ s/$webimPath\///;
+    print OUT "$key $digest\n";
+}
+close( OUT );
--- a/src/messenger/webim/.htaccess
+++ b/src/messenger/webim/.htaccess
@ -1,4 +1,4 @@
 <IfModule mod_security.c>
 SecFilterEngine Off
 SecFilterScanPOST Off
-</IfModule>
+</IfModule>
--- a/src/messenger/webim/install/dbperform.php
+++ b/src/messenger/webim/install/dbperform.php
@ -57,6 +57,10 @@ if ($act == "silentcreateall") {
 			create_table($id, $link);
 		}
 	} else if ($act == "dt") {
+
+		# comment this line to be able to drop tables
+		show_install_err("For security reasons, removing tables is disabled by default");
+
 		foreach (array_keys($dbtables) as $id) {
 			mysql_query("DROP TABLE IF EXISTS $id", $link) or show_install_err(' Query failed: ' . mysql_error($link));
 		}
--- a/src/messenger/webim/install/index.php
+++ b/src/messenger/webim/install/index.php
@ -54,6 +54,90 @@ function check_webimroot()
 	return true;
 }

+function fpermissions($file)
+{
+	$perms = fileperms($file);
+	if (($perms & 0x8000) == 0x8000) {
+		$info = '-';
+	} elseif (($perms & 0x4000) == 0x4000) {
+		$info = 'd';
+	} else {
+		$info = '?';
+	}
+
+	// Owner
+	$info .= (($perms & 0x0100) ? 'r' : '-');
+	$info .= (($perms & 0x0080) ? 'w' : '-');
+	$info .= (($perms & 0x0040) ?
+			(($perms & 0x0800) ? 's' : 'x') :
+			(($perms & 0x0800) ? 'S' : '-'));
+
+	// Group
+	$info .= (($perms & 0x0020) ? 'r' : '-');
+	$info .= (($perms & 0x0010) ? 'w' : '-');
+	$info .= (($perms & 0x0008) ?
+			(($perms & 0x0400) ? 's' : 'x') :
+			(($perms & 0x0400) ? 'S' : '-'));
+
+	// World
+	$info .= (($perms & 0x0004) ? 'r' : '-');
+	$info .= (($perms & 0x0002) ? 'w' : '-');
+	$info .= (($perms & 0x0001) ?
+			(($perms & 0x0200) ? 't' : 'x') :
+			(($perms & 0x0200) ? 'T' : '-'));
+
+	return $info;
+}
+
+function check_files()
+{
+	global $page, $errors, $webimroot;
+
+	$packageFile = dirname(__FILE__) . "/package";
+	$fp = @fopen($packageFile, "r");
+	if ($fp === FALSE) {
+		$errors[] = "Cannot open file $webimroot/install/package";
+		if (file_exists($packageFile)) {
+			$errors[] = getlocal2("install.check_permissions", array(fpermissions($packageFile)));
+		}
+		return false;
+	}
+
+	$knownFiles = array();
+	while (!feof($fp)) {
+		$line = fgets($fp, 4096);
+		$keyval = preg_split("/ /", $line, 2);
+		if (isset($keyval[1])) {
+			$knownFiles[$keyval[0]] = trim($keyval[1]);
+		}
+	}
+	fclose($fp);
+
+	foreach ($knownFiles as $file => $sum) {
+		$relativeName = dirname(__FILE__) . "/../$file";
+		if (!is_readable($relativeName)) {
+			if (file_exists($relativeName)) {
+				$errors[] = "Cannot read file $webimroot/$file";
+				$errors[] = getlocal2("install.check_permissions", array(fpermissions($relativeName)));
+			} else {
+				$errors[] = "File is absent: $webimroot/$file";
+			}
+			return false;
+		}
+		if ($sum != "-") {
+			$result = md5_file($relativeName);
+			if ($result != $sum) {
+				$errors[] = "Checksum differs for $webimroot/$file";
+				$errors[] = getlocal("install.check_files");
+				return false;
+			}
+		}
+	}
+
+	$page['done'][] = getlocal("install.0.package");
+	return true;
+}
+
 function check_connection()
 {
 	global $mysqlhost, $mysqllogin, $mysqlpass, $page, $errors, $webimroot;
@ -144,14 +228,28 @@ function check_columns($link)
 	return true;
 }

-function check_sound() {
+function check_sound()
+{
 	global $page;

 	$page['soundcheck'] = true;
 	$page['done'][] = getlocal2("install.5.text", array(
-							"<a id='check-nv' href='javascript:void(0)'>".getlocal("install.5.newvisitor")."</a>",
-							"<a id='check-nm' href='javascript:void(0)'>".getlocal("install.5.newmessage")."</a>"
-					));
+													   "<a id='check-nv' href='javascript:void(0)'>" . getlocal("install.5.newvisitor") . "</a>",
+													   "<a id='check-nm' href='javascript:void(0)'>" . getlocal("install.5.newmessage") . "</a>"
+												  ));
+}
+
+function check_admin($link)
+{
+	global $mysqlprefix;
+	$result = mysql_query("select * from ${mysqlprefix}chatoperator where vclogin = 'admin'", $link);
+	if ($result) {
+		$line = mysql_fetch_array($result, MYSQL_ASSOC);
+		mysql_free_result($result);
+		return $line['vcpassword'] != md5('');
+	}
+
+	return false;
 }

 function check_status()
@ -162,6 +260,10 @@ function check_status()
 		return;
 	}

+	if (!check_files()) {
+		return;
+	}
+
 	$link = check_connection();
 	if (!$link) {
 		return;
@ -186,9 +288,11 @@ function check_status()

 	$page['done'][] = getlocal("installed.message");

-	$page['nextstep'] = getlocal("installed.login_link");
-	$page['nextnotice'] = getlocal2("installed.notice", array("${webimroot}/install/"));
-	$page['nextstepurl'] = "$webimroot/";
+	if (!check_admin($link)) {
+		$page['nextstep'] = getlocal("installed.login_link");
+		$page['nextnotice'] = getlocal2("installed.notice", array("${webimroot}/install/"));
+		$page['nextstepurl'] = "$webimroot/";
+	}

 	$page['show_small_login'] = true;

--- a/src/messenger/webim/locales/en/properties
+++ b/src/messenger/webim/locales/en/properties
@ -166,6 +166,7 @@ image.chat.history=/locales/en/images/history.gif
 image.chat.message=/locales/en/images/message.gif
 image.chat.sprite=/locales/en/images/wmchat.png
 install.0.app=Application path is {0}
+install.0.package=Mibew package is verified.
 install.1.connected=You are connected to MySQL server version {0}
 install.2.create=Create database "{0}"
 install.2.db_exists=Database "{0}" is created.
@ -178,6 +179,8 @@ install.4.notice=Structure of your tables should be adjusted for new version of
 install.5.text=Click to check the sound: {0} and {1}
 install.5.newmessage=New Message
 install.5.newvisitor=New Visitor
+install.check_permissions=Insufficient file permissions {0}
+install.check_files=Please, re-upload files to the server.
 install.connection.error=Could not connect, please check server settings in config.php. Error: {0}
 install.done=Completed:
 install.err.back=Resvole problem and try again. Press <a>back</a> to return to wizard.