[Linpha-cvs] SF.net SVN: linpha: [4590] trunk/linpha2
From: <fan...@us...> - 2006-10-25 19:52:55
Revision: 4590 http://svn.sourceforge.net/linpha/?rev=4590&view=rev Author: fangehrn Date: 2006-10-25 12:48:04 -0700 (Wed, 25 Oct 2006) Log Message: ----------- 2006-10-25 flo * fixed installation issues * secured $_SERVER['PHP_SELF'] Modified Paths: -------------- trunk/linpha2/ChangeLog trunk/linpha2/get_image.php trunk/linpha2/get_thumb.php trunk/linpha2/install/footer.php trunk/linpha2/install/header.php trunk/linpha2/install/header_html.php trunk/linpha2/install/index.php trunk/linpha2/install/lib.install.php trunk/linpha2/install/lib.requirements.php trunk/linpha2/install/step10_postsettings.php trunk/linpha2/install/step11_finish.php trunk/linpha2/install/step1_license.php trunk/linpha2/install/step2_requirements.php trunk/linpha2/install/step3_dbtype.php trunk/linpha2/install/step4_selectdirectories.php trunk/linpha2/install/step5_getlogin.php trunk/linpha2/install/step6_selectdatabase.php trunk/linpha2/install/step7_selectprefix.php trunk/linpha2/install/step8_testing.php trunk/linpha2/install/step9_createtables.php trunk/linpha2/lib/include/calender.php trunk/linpha2/lib/include/common.php trunk/linpha2/lib/lang/language.php trunk/linpha2/lib/plugins/watermark/func.watermark.php Added Paths: ----------- trunk/linpha2/docs/dev/security.txt Modified: trunk/linpha2/ChangeLog =================================================================== --- trunk/linpha2/ChangeLog 2006-10-20 10:18:59 UTC (rev 4589) +++ trunk/linpha2/ChangeLog 2006-10-25 19:48:04 UTC (rev 4590) @@ -1,3 +1,7 @@ +2006-10-25 flo + * fixed installation issues + * secured $_SERVER['PHP_SELF'] + 2006-10-19 flo * added basic new images * finished comments Added: trunk/linpha2/docs/dev/security.txt =================================================================== --- trunk/linpha2/docs/dev/security.txt (rev 0) +++ trunk/linpha2/docs/dev/security.txt 2006-10-25 19:48:04 UTC (rev 4590) 
@@ -0,0 +1,9 @@ + +Some security related stuff, which should never be forgotten: + + +- secure $_SERVER['PHP_SELF'] (done in lib/include/common.php) + +- disable Magic Quotes (common.php) and use addslashes() on every sql query + +- check every data coming by the user (GET/POST/COOKIE) \ No newline at end of file Modified: trunk/linpha2/get_image.php =================================================================== --- trunk/linpha2/get_image.php 2006-10-20 10:18:59 UTC (rev 4589) +++ trunk/linpha2/get_image.php 2006-10-25 19:48:04 UTC (rev 4590) @@ -27,6 +27,8 @@ if(!defined('LINPHA_DIR')) { define('LINPHA_DIR','.'); } +include_once(LINPHA_DIR.'/lib/include/common.php'); + /** * check for valid id */ Modified: trunk/linpha2/get_thumb.php =================================================================== --- trunk/linpha2/get_thumb.php 2006-10-20 10:18:59 UTC (rev 4589) +++ trunk/linpha2/get_thumb.php 2006-10-25 19:48:04 UTC (rev 4590) @@ -25,6 +25,8 @@ if(!defined('LINPHA_DIR')) { define('LINPHA_DIR','.'); } +include_once(LINPHA_DIR.'/lib/include/common.php'); + /** * check for valid id */ Modified: trunk/linpha2/install/footer.php =================================================================== --- trunk/linpha2/install/footer.php 2006-10-20 10:18:59 UTC (rev 4589) +++ trunk/linpha2/install/footer.php 2006-10-25 19:48:04 UTC (rev 4590) @@ -17,7 +17,7 @@ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ -if(!defined('LINPHA_DIR')) { define('LINPHA_DIR','..'); } +if(!defined('LINPHA_DIR')) { exit(1); } /** * linpha installer Modified: trunk/linpha2/install/header.php =================================================================== --- trunk/linpha2/install/header.php 2006-10-20 10:18:59 UTC (rev 4589) +++ trunk/linpha2/install/header.php 2006-10-25 19:48:04 UTC (rev 4590) 
@@ -17,7 +17,7 @@ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ -if(!defined('LINPHA_DIR')) { define('LINPHA_DIR','..'); } +if(!defined('LINPHA_DIR')) { exit(1); } /** * linpha installer Modified: trunk/linpha2/install/header_html.php =================================================================== --- trunk/linpha2/install/header_html.php 2006-10-20 10:18:59 UTC (rev 4589) +++ trunk/linpha2/install/header_html.php 2006-10-25 19:48:04 UTC (rev 4590) @@ -17,7 +17,7 @@ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ -if(!defined('LINPHA_DIR')) { define('LINPHA_DIR','..'); } +if(!defined('LINPHA_DIR')) { exit(1); } /** * linpha installer Modified: trunk/linpha2/install/index.php =================================================================== --- trunk/linpha2/install/index.php 2006-10-20 10:18:59 UTC (rev 4589) +++ trunk/linpha2/install/index.php 2006-10-25 19:48:04 UTC (rev 4590) @@ -24,7 +24,7 @@ if(!defined('LINPHA_DIR')) { define('LINPHA_DIR','..'); } - +include_once(LINPHA_DIR.'/lib/include/common.php'); include_once(LINPHA_DIR.'/install/lib.install.php'); /** Modified: trunk/linpha2/install/lib.install.php =================================================================== --- trunk/linpha2/install/lib.install.php 2006-10-20 10:18:59 UTC (rev 4589) +++ trunk/linpha2/install/lib.install.php 2006-10-25 19:48:04 UTC (rev 4590) @@ -17,6 +17,8 @@ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ +if(!defined('LINPHA_DIR')) { exit(1); } + /** * Take care of translation * @@ -199,7 +201,8 @@ { if( ! installIsAbsolutePath( $path ) ) { - $path = str_ireplace("../", " ", $path ); + //$path = str_ireplace("../", " ", $path ); + $path = realpath($path); } /** 
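Review bot: `$path = realpath($path);` on the new line returns false for a path that does not exist yet, so if this helper is also used for the sql/cache/tmp directories that initInitialDirectories() creates later, a directory the installer has still to create comes back as `false` instead of a path string. realpath() also does not do what the commented-out `str_ireplace("../", ...)` was attempting: it resolves `..` rather than stripping it, so a relative directory can still resolve anywhere above the installation; if confinement was the intent, the resolved path has to be compared against the intended base. Keep the original value when resolution fails and check the prefix explicitly, e.g. `$resolved = realpath($path); if ($resolved === false) { $resolved = $path; }` followed by a `strpos($resolved, $base) === 0` test against the directory you expect (the base is not visible in this hunk). The enclosing function starts above the hunk and its name is not visible here.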
@@ -458,11 +461,38 @@ */ function initInitialDirectories($dirs) { -$init_ok = true; -echo tr("Creating Required Directories")."... "; - try { + $init_ok = true; + echo "<h2>".tr("Checking Directory Permissions")."</h2><br />"; + + /** + * checking album directory + */ + echo tr("Album Directory")."... "; + if( is_dir( $dirs['album'] ) ) + { + if( is_writable( $dirs['album'] ) ) + { + echo success_msg(); + echo '<br /> ('.$_SESSION['album_dir'].' => '.installLinRealpath( $dirs['album'] ).')'; + } + else + { + echo warning_msg(); + echo '<br /> ('.$_SESSION['album_dir'].' => '.installLinRealpath( $dirs['album'] ).')'; + echo "<br />".tr("Album Directory Not Writable. Some Features May Not Work")."<br />"; + } + } + else + { + throw new Exception(failed_msg()."<br />".$_SESSION['album_dir']."<br />".tr("No Valid Directory Found")); + } + + + echo "<br /><br />"; + echo tr("Creating Required Directories")."... "; + $array = array('sql','cache','tmp'); foreach($array AS $value) { @@ -489,7 +519,7 @@ } else { - throw new Exception(failed_msg()."<br />".tr("Please Delete Folder Manually")); + throw new Exception(failed_msg()."<br />".tr("Directory Allready Exists, Please Delete Folder Manually")); } } @@ -513,7 +543,8 @@ } catch(Exception $error) { - echo "Error: ".$error -> getMessage(); + echo $error -> getMessage(); + echo '<br /> ('.$_SESSION[$value.'_dir'].' => '.installLinRealpath( $dirs[$value] ).')<br />'; $init_ok = false; } Modified: trunk/linpha2/install/lib.requirements.php =================================================================== --- trunk/linpha2/install/lib.requirements.php 2006-10-20 10:18:59 UTC (rev 4589) +++ trunk/linpha2/install/lib.requirements.php 2006-10-25 19:48:04 UTC (rev 4590) 
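Review bot: The new album-directory check echoes `$_SESSION['album_dir']` and the `installLinRealpath()` result straight into HTML in the success branch, the warning branch and the exception message; the session value is presumably the directory submitted on the step4 form (set outside this hunk), which makes this unescaped user input in a commit whose stated purpose is XSS hardening. Escape at the point of output, e.g. `echo '<br /> ('.htmlspecialchars($_SESSION['album_dir'], ENT_QUOTES).' => '.htmlspecialchars(installLinRealpath($dirs['album']), ENT_QUOTES).')';`, and do the same for the text placed in the Exception message since the catch prints it verbatim. The function continues past the end of this hunk.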
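Review bot: The replacement message spells "Already" as `Allready`, and because the literal is the lookup key passed to `tr()`, the misspelling becomes the key every translation has to match; `tr("Directory Already Exists, Please Delete Folder Manually")` keeps the key readable before language files are written against it. The if/else that decides between creating and refusing the directory starts above the hunk.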
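Review bot: The new catch line reads `$_SESSION[$value.'_dir']` and `$dirs[$value]`, but `$value` is only assigned by the `foreach($array AS $value)` loop, and the album-directory check added earlier in this function throws before that loop starts; if this catch belongs to that try, an invalid album directory reaches it with `$value` unset, producing undefined-index notices and an empty `( => )` suffix instead of the album path. Track the directory being checked explicitly, e.g. set `$current = 'album';` before the album check and `$current = $value;` at the top of the loop, then use `$_SESSION[$current.'_dir']` and `$dirs[$current]` here. The try that this catch closes begins above the hunk.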
@@ -17,6 +17,8 @@ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ +if(!defined('LINPHA_DIR')) { exit(1); } + /** * @package Installation */ Modified: trunk/linpha2/install/step10_postsettings.php =================================================================== --- trunk/linpha2/install/step10_postsettings.php 2006-10-20 10:18:59 UTC (rev 4589) +++ trunk/linpha2/install/step10_postsettings.php 2006-10-25 19:48:04 UTC (rev 4590) @@ -23,7 +23,7 @@ */ if(!defined('LINPHA_DIR')) { define('LINPHA_DIR','..'); } - +include_once(LINPHA_DIR.'/lib/include/common.php'); include_once(LINPHA_DIR.'/install/header.php'); include_once(LINPHA_DIR.'/install/lib.requirements.php'); Modified: trunk/linpha2/install/step11_finish.php =================================================================== --- trunk/linpha2/install/step11_finish.php 2006-10-20 10:18:59 UTC (rev 4589) +++ trunk/linpha2/install/step11_finish.php 2006-10-25 19:48:04 UTC (rev 4590) @@ -22,7 +22,7 @@ */ if(!defined('LINPHA_DIR')) { define('LINPHA_DIR','..'); } - +include_once(LINPHA_DIR.'/lib/include/common.php'); include_once(LINPHA_DIR."/install/header.php"); include_once(LINPHA_DIR."/install/header_html.php"); include_once(LINPHA_DIR."/lib/classes/linpha.class.php"); Modified: trunk/linpha2/install/step1_license.php =================================================================== --- trunk/linpha2/install/step1_license.php 2006-10-20 10:18:59 UTC (rev 4589) +++ trunk/linpha2/install/step1_license.php 2006-10-25 19:48:04 UTC (rev 4590) 
@@ -23,7 +23,7 @@ */ if(!defined('LINPHA_DIR')) { define('LINPHA_DIR','..'); } - +include_once(LINPHA_DIR.'/lib/include/common.php'); include_once(LINPHA_DIR.'/install/header.php'); include_once(LINPHA_DIR.'/install/header_html.php'); Modified: trunk/linpha2/install/step2_requirements.php =================================================================== --- trunk/linpha2/install/step2_requirements.php 2006-10-20 10:18:59 UTC (rev 4589) +++ trunk/linpha2/install/step2_requirements.php 2006-10-25 19:48:04 UTC (rev 4590) @@ -23,7 +23,7 @@ * linpha installer * @package Installation */ - +include_once(LINPHA_DIR.'/lib/include/common.php'); include_once(LINPHA_DIR.'/install/header.php'); include_once(LINPHA_DIR.'/install/lib.requirements.php'); include_once(LINPHA_DIR.'/install/header_html.php'); Modified: trunk/linpha2/install/step3_dbtype.php =================================================================== --- trunk/linpha2/install/step3_dbtype.php 2006-10-20 10:18:59 UTC (rev 4589) +++ trunk/linpha2/install/step3_dbtype.php 2006-10-25 19:48:04 UTC (rev 4590) @@ -23,7 +23,7 @@ * linpha installer * @package Installation */ - +include_once(LINPHA_DIR.'/lib/include/common.php'); include_once(LINPHA_DIR.'/install/header.php'); /** Modified: trunk/linpha2/install/step4_selectdirectories.php =================================================================== --- trunk/linpha2/install/step4_selectdirectories.php 2006-10-20 10:18:59 UTC (rev 4589) +++ trunk/linpha2/install/step4_selectdirectories.php 2006-10-25 19:48:04 UTC (rev 4590) @@ -23,7 +23,7 @@ */ if(!defined('LINPHA_DIR')) { define('LINPHA_DIR','..'); } - +include_once(LINPHA_DIR.'/lib/include/common.php'); include_once(LINPHA_DIR.'/install/header.php'); $album_dir = (isset($_SESSION['album_dir']) ? $_SESSION['album_dir'] : 'albums'); 
@@ -73,8 +73,9 @@ (-> <?php echo installLinRealpath( installGetFullPath($album_dir) ) ?>) <br /><br /> -<h2><?php echo tr("Warning: All Existing Subdirectories Will Be Deleted"); ?></h2> <br /> +<h2 style="color: red;"><?php echo tr("Warning: All directories below will be deleted if they exists !!"); ?></h2> +<br /> <div class="boxalign"> <?php echo tr("Sql Directory").":"; ?> Modified: trunk/linpha2/install/step5_getlogin.php =================================================================== --- trunk/linpha2/install/step5_getlogin.php 2006-10-20 10:18:59 UTC (rev 4589) +++ trunk/linpha2/install/step5_getlogin.php 2006-10-25 19:48:04 UTC (rev 4590) @@ -23,7 +23,7 @@ * linpha installer * @package Installation */ - +include_once(LINPHA_DIR.'/lib/include/common.php'); include_once(LINPHA_DIR.'/install/header.php'); /** 
@@ -72,38 +72,8 @@ if(isset($_POST['cmd_step4'])) { /** - * validate writable directories + * checking album, sql, cache and tmp directory */ - echo "<h2>".tr("Checking Directory Permissions")."</h2><br />"; - - /** - * checking album directory - */ - echo tr("Album Directory")."... "; - if( is_dir( $dirs['album'] ) ) - { - if( is_writable( $dirs['album'] ) ) - { - echo success_msg(); - echo '<br /> ('.$_SESSION['album_dir'].' => '.installLinRealpath( $dirs['album'] ).')'; - } - else - { - echo warning_msg(); - echo '<br /> ('.$_SESSION['album_dir'].' => '.installLinRealpath( $dirs['album'] ).')'; - echo "<br />".tr("Album Directory Not Writable. Some Features May Not Work")."<br />"; - } - } - else - { - echo failed_msg(); - echo '<br /> ('.$_SESSION['album_dir'].')'; - echo "<br />".tr("No Valid Directory Found")."!"; - } - - /** - * checking sql, cache and tmp directory - */ if(initInitialDirectories($dirs) != true) { $show_next_button = false; Modified: trunk/linpha2/install/step6_selectdatabase.php =================================================================== --- trunk/linpha2/install/step6_selectdatabase.php 2006-10-20 10:18:59 UTC (rev 4589) +++ trunk/linpha2/install/step6_selectdatabase.php 2006-10-25 19:48:04 UTC (rev 4590) @@ -23,7 +23,7 @@ * linpha installer * @package Installation */ - +include_once(LINPHA_DIR.'/lib/include/common.php'); include_once(LINPHA_DIR.'/install/header.php'); include_once(LINPHA_DIR.'/install/header_html.php'); Modified: trunk/linpha2/install/step7_selectprefix.php =================================================================== --- trunk/linpha2/install/step7_selectprefix.php 2006-10-20 10:18:59 UTC (rev 4589) +++ trunk/linpha2/install/step7_selectprefix.php 2006-10-25 19:48:04 UTC (rev 4590) @@ -23,7 +23,7 @@ * linpha installer * @package Installation */ - +include_once(LINPHA_DIR.'/lib/include/common.php'); include_once(LINPHA_DIR.'/install/header.php'); 
@@ -130,8 +130,18 @@ } break; case "sqlite": - $dirs = initSessionValues(); - initInitialDirectories($dirs); + + /** + * checking album, sql, cache and tmp directory + */ + $dirs = initSessionValues(); + if(initInitialDirectories($dirs) != true) + { + $show_next_button = false; + include_once(LINPHA_DIR.'/install/footer.php'); + exit(); + } + echo tr("Testing File Connection")."<br /><br />"; echo tr("Connecting SQLite Database")."... "; @@ -185,6 +195,8 @@ } +echo "<br /><br />"; + if(isset($error_nr)) { echo "</form>"; Modified: trunk/linpha2/install/step8_testing.php =================================================================== --- trunk/linpha2/install/step8_testing.php 2006-10-20 10:18:59 UTC (rev 4589) +++ trunk/linpha2/install/step8_testing.php 2006-10-25 19:48:04 UTC (rev 4590) @@ -23,7 +23,7 @@ * linpha installer * @package Installation */ - +include_once(LINPHA_DIR.'/lib/include/common.php'); include_once(LINPHA_DIR.'/install/header.php'); include_once(LINPHA_DIR.'/install/header_html.php'); Modified: trunk/linpha2/install/step9_createtables.php =================================================================== --- trunk/linpha2/install/step9_createtables.php 2006-10-20 10:18:59 UTC (rev 4589) +++ trunk/linpha2/install/step9_createtables.php 2006-10-25 19:48:04 UTC (rev 4590) @@ -23,7 +23,7 @@ * linpha installer * @package Installation */ - +include_once(LINPHA_DIR.'/lib/include/common.php'); include_once(LINPHA_DIR.'/install/header.php'); /** Modified: trunk/linpha2/lib/include/calender.php =================================================================== --- trunk/linpha2/lib/include/calender.php 2006-10-20 10:18:59 UTC (rev 4589) +++ trunk/linpha2/lib/include/calender.php 2006-10-25 19:48:04 UTC (rev 4590) 
@@ -18,6 +18,9 @@ */ if(!defined('LINPHA_DIR')) { define('LINPHA_DIR','../..'); } + +include_once(LINPHA_DIR.'/lib/include/common.php'); + $style['tablebg']="#B3BCDE"; /** Modified: trunk/linpha2/lib/include/common.php =================================================================== --- trunk/linpha2/lib/include/common.php 2006-10-20 10:18:59 UTC (rev 4589) +++ trunk/linpha2/lib/include/common.php 2006-10-25 19:48:04 UTC (rev 4590) 
@@ -2,6 +2,65 @@ if(!defined('LINPHA_DIR')) { exit(1); } /** + * some common used stuff + * + * always include this file which has no "if(!defined('LINPHA_DIR')) { exit(1); }" on top + * that means: + * - index.php, get_image.php, get_thumb.php + * - admin/index.php + * - lib/include/calendar.php, lib/lang/language.php, + * - install/index.php, install/step* + */ + + +/** + * secure PHP_SELF + * + * added from linpha1 patch 1432469 + * + * short description: + * with the url http://example.com/tests/simple.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E%3Cfoo + * PHP_SELF is: /tests/simple.php/"><script>alert('xss')</script><foo + * and thats dangerous + * + * further details about the PHP_SELF XSS problem: + * http://blog.phpdoc.info/archives/13-XSS-Woes.html + */ + /** + * Added by Roland Haeder <web...@mx...> + * + * This code came from my free mailexchange script called 'MXChange' + * Please refer the pages on http://www.mxchange.org for further details + * + */ + // Secure the PHP_SELF variable by first making all HTML code unuseable + $_SERVER['PHP_SELF'] = htmlentities($_SERVER['PHP_SELF']); + + // Split it up into path and filename + $SELF_DIR = dirname($_SERVER['PHP_SELF']); + $SELF_FILE = basename($_SERVER['PHP_SELF']); + + // Check for a .php inside the $SELF_DIR... + while (ereg(".php", $SELF_DIR)) + { + // Correct the dirname + $SELF_DIR = substr($SELF_DIR, 0, (strpos($SELF_DIR, ".php") + 4)); + // Rewrite filename... + $SELF_FILE = basename($SELF_DIR); + // ... and dirname + $SELF_DIR = dirname($SELF_DIR); + } + + // Put both together again and let's pray it is secured now... 
+ $_SERVER['PHP_SELF'] = $SELF_DIR."/".$SELF_FILE; + + // Remove uneccessary variables + unset($SELF_DIR); + unset($SELF_FILE); + + + +/** * Magic Quotes stuff */ /** Modified: trunk/linpha2/lib/lang/language.php =================================================================== --- trunk/linpha2/lib/lang/language.php 2006-10-20 10:18:59 UTC (rev 4589) +++ trunk/linpha2/lib/lang/language.php 2006-10-25 19:48:04 UTC (rev 4590) @@ -28,6 +28,8 @@ if(!defined('LINPHA_DIR')) { define('LINPHA_DIR','../..'); } +include_once(LINPHA_DIR.'/lib/include/common.php'); + print_xhtml_header(); print_menu_head(); Modified: trunk/linpha2/lib/plugins/watermark/func.watermark.php =================================================================== --- trunk/linpha2/lib/plugins/watermark/func.watermark.php 2006-10-20 10:18:59 UTC (rev 4589) +++ trunk/linpha2/lib/plugins/watermark/func.watermark.php 2006-10-25 19:48:04 UTC (rev 4590) @@ -17,7 +17,7 @@ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ -if(!defined('LINPHA_DIR')) { define('LINPHA_DIR','../..'); } +if(!defined('LINPHA_DIR')) { exit(1); } /** * @uses get_thumbs_on_fly.php, file_download.php This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
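Review bot: The loop guard `while (ereg(".php", $SELF_DIR))` is a regex in which `.` matches any character, but the truncation inside the loop searches for the literal string with `strpos($SELF_DIR, ".php")`; for a script under a directory such as `/phpgallery/linpha/` the regex matches `/php`, strpos returns false, `substr($SELF_DIR, 0, false + 4)` cuts the path down to `/php`, and PHP_SELF ends up as `//php`. Using the same test in both places, `while (strpos($SELF_DIR, '.php') !== false)`, removes the mismatch. Separately, `htmlentities($_SERVER['PHP_SELF'])` is called without `ENT_QUOTES`, so a single quote survives and the value is still injectable inside single-quoted attributes; pass `ENT_QUOTES`. Rewriting the superglobal in place also means any later code that treats PHP_SELF as a path or escapes it again sees entity-encoded, double-escaped text; reading `$_SERVER['SCRIPT_NAME']` (which excludes PATH_INFO) and escaping at the point of output avoids both problems. The new docs/dev/security.txt that points at this file also recommends `addslashes()` for SQL; that function is charset-unaware, and the database driver's escaping function or prepared statements should be used instead.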