[Linpha-cvs] SF.net SVN: linpha: [4784] trunk/linpha2

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Revision: 4784
          http://linpha.svn.sourceforge.net/linpha/?rev=4784&view=rev
Author:   bzrudi
Date:     2007-11-07 09:56:52 -0800 (Wed, 07 Nov 2007)

Log Message:
-----------
"Security fixes"

Modified Paths:
--------------
    trunk/linpha2/ChangeLog
    trunk/linpha2/install/lib.install.php
    trunk/linpha2/install/step10_postsettings.php
    trunk/linpha2/install/step11_finish.php
    trunk/linpha2/install/step1_license.php
    trunk/linpha2/install/step2_requirements.php
    trunk/linpha2/install/step3_dbtype.php
    trunk/linpha2/install/step4_selectdirectories.php
    trunk/linpha2/install/step5_getlogin.php
    trunk/linpha2/install/step6_selectdatabase.php
    trunk/linpha2/install/step7_selectprefix.php
    trunk/linpha2/install/step8_testing.php
    trunk/linpha2/install/step9_createtables.php
    trunk/linpha2/lib/classes/linpha.functions.php
    trunk/linpha2/lib/include/sql.data.php

Modified: trunk/linpha2/ChangeLog
===================================================================

--- trunk/linpha2/ChangeLog	2007-11-06 18:05:36 UTC (rev 4783)
+++ trunk/linpha2/ChangeLog	2007-11-07 17:56:52 UTC (rev 4784)
@@ -1,3 +1,8 @@
+2007-12-06 bzrudi
+ * Installer: create random folder names for /cache and /tmp directory to
+   prevent direct access to image cache (security). 
+ * linpha.log is now created as something like linpha-xH6gHH.log (security)
+      
 2007-11-06 bzrudi
  * moved sql.data.php out of install folder into /lib/include to make sure we 
    can delete /install folder after installation.

Modified: trunk/linpha2/install/lib.install.php
===================================================================
--- trunk/linpha2/install/lib.install.php	2007-11-06 18:05:36 UTC (rev 4783)
+++ trunk/linpha2/install/lib.install.php	2007-11-07 17:56:52 UTC (rev 4784)
@@ -419,4 +419,5 @@
 } 
 
 
-?>
\ No newline at end of file
+/* vi: set ts=4 sw=4 sts=4 */
+?>

Modified: trunk/linpha2/install/step10_postsettings.php
===================================================================
--- trunk/linpha2/install/step10_postsettings.php	2007-11-06 18:05:36 UTC (rev 4783)
+++ trunk/linpha2/install/step10_postsettings.php	2007-11-07 17:56:52 UTC (rev 4784)
@@ -80,15 +80,15 @@
 
 <?php
 echo "<h2>".i18n_install("Please Choose LinPHA2 Install Location")."</h2><hr>";
-echo i18n_install("Internet - Public Available Over The Internet.")."<br />";
-echo i18n_install("Intranet - Running In A Secure Local Network")."<br /><br />";
+echo i18n_install("<b>Internet</b> - Public Available Over The Internet.")."<br />";
+echo i18n_install("<b>Intranet</b> - Running In A Secure Local Network")."<br /><br />";
 ?>
 <div align="center">
 	<div class="box4">
 	<input type='radio' name='sys_public_installation' value='1' checked=checked>
-	<?php echo i18n_install("Internet"); ?>&nbsp;
+	<?php echo i18n_install("<b>Internet</b>"); ?>&nbsp;
 	<input type='radio' name='sys_public_installation' value='0' >
-	<?php echo i18n_install("Intranet"); ?>&nbsp;
+	<?php echo i18n_install("<b>Intranet</b>"); ?>&nbsp;
 	</div>
 
 </div>
@@ -182,4 +182,5 @@
 );
 $do_javascript_disable_button = true;
 include_once(LINPHA_DIR.'/install/footer.php');
-?>
\ No newline at end of file
+/* vi: set ts=4 sw=4 sts=4 */
+?>

Modified: trunk/linpha2/install/step11_finish.php
===================================================================
--- trunk/linpha2/install/step11_finish.php	2007-11-06 18:05:36 UTC (rev 4783)
+++ trunk/linpha2/install/step11_finish.php	2007-11-07 17:56:52 UTC (rev 4784)
@@ -195,7 +195,7 @@
 
 if($_POST['sys_public_installation'])
 {
-    echo "<b><br>".i18n_install("For security reasons you have to remove the /install directory before continuing!")."</b>";
+    echo "<span style='color: red;'><b><br />".i18n_install("For security reasons you have to remove the /install directory before continuing!")."</b></span>";
 }
 
 ?>
@@ -208,4 +208,6 @@
 session_destroy();
 
 include_once(LINPHA_DIR.'/install/footer.php');
+
+/* vi: set ts=4 sw=4 sts=4 */
 ?>

Modified: trunk/linpha2/install/step1_license.php
===================================================================
--- trunk/linpha2/install/step1_license.php	2007-11-06 18:05:36 UTC (rev 4783)
+++ trunk/linpha2/install/step1_license.php	2007-11-07 17:56:52 UTC (rev 4784)
@@ -38,4 +38,6 @@
 $array_check = array('check01' => 'checkbox');
 $do_javascript_disable_button = true;
 include_once(LINPHA_DIR.'/install/footer.php');
-?>
\ No newline at end of file
+
+/* vi: set ts=4 sw=4 sts=4 */
+?>

Modified: trunk/linpha2/install/step2_requirements.php
===================================================================
--- trunk/linpha2/install/step2_requirements.php	2007-11-06 18:05:36 UTC (rev 4783)
+++ trunk/linpha2/install/step2_requirements.php	2007-11-07 17:56:52 UTC (rev 4784)
@@ -410,7 +410,7 @@
 /**
  * checking album and var folder are protected from outside
  */
-	print_line_left( i18n_install("Album And System Folder Protected From Outside") );
+	print_line_left( i18n_install("Album Folder Protection") );
 	
 	$ret = installCheckProtectedFromOutside();
 	if( $ret == 1 )
@@ -418,7 +418,7 @@
 		print_line_middle( i18n_install("Yes") );
 		print_line_right(success_msg());
 		print_line_info(
-			i18n_install("The /albums and /var folders are protected from outside.").
+			i18n_install("The /albums folder is protected from outside.").
 			i18n_install("Please see <a href=\"http://linpha.sourceforge.net/wiki/index.php/Secure_LinPHA\">here</a> for more details.")
 		);
 	}
@@ -427,7 +427,7 @@
 		print_line_middle( i18n_install("No") );
 		print_line_right(warning_msg());
 		print_line_info(
-			i18n_install("The /albums and /var folders are not protected from outside!").
+			i18n_install("The /albums folder is not protected from outside!").
 			i18n_install("Please see <a href=\"http://linpha.sourceforge.net/wiki/index.php/Secure_LinPHA\">here</a> for more details.")
 		); 
 	}
@@ -436,7 +436,7 @@
 		print_line_middle( i18n_install("Unknown") );
 		print_line_right(warning_msg());
 		print_line_info(
-			i18n_install("Cannot determine wether the /albums and /var folders are protected from outside!").
+			i18n_install("Cannot determine wether the /albums folder is protected from outside!").
 			i18n_install("Please see <a href=\"http://linpha.sourceforge.net/wiki/index.php/Secure_LinPHA\" target=\"_blank\">here</a> for more details.")
 		); 
 	}
@@ -533,4 +533,6 @@
 </div>
 <?php
 }
+
+/* vi: set ts=4 sw=4 sts=4 */
 ?>

Modified: trunk/linpha2/install/step3_dbtype.php
===================================================================
--- trunk/linpha2/install/step3_dbtype.php	2007-11-06 18:05:36 UTC (rev 4783)
+++ trunk/linpha2/install/step3_dbtype.php	2007-11-07 17:56:52 UTC (rev 4784)
@@ -133,4 +133,6 @@
 
 <?php
 include_once(LINPHA_DIR.'/install/footer.php');
-?>
\ No newline at end of file
+
+/* vi: set ts=4 sw=4 sts=4 */
+?>

Modified: trunk/linpha2/install/step4_selectdirectories.php
===================================================================
--- trunk/linpha2/install/step4_selectdirectories.php	2007-11-06 18:05:36 UTC (rev 4783)
+++ trunk/linpha2/install/step4_selectdirectories.php	2007-11-07 17:56:52 UTC (rev 4784)
@@ -28,8 +28,8 @@
 
 $album_dir = (isset($_SESSION['album_dir']) ? $_SESSION['album_dir'] : 'albums');
 $sql_dir = (isset($_SESSION['sql_dir']) ? $_SESSION['sql_dir'] : 'var/sql');
-$cache_dir = (isset($_SESSION['cache_dir']) ? $_SESSION['cache_dir'] : 'var/cache');
-$tmp_dir = (isset($_SESSION['tmp_dir']) ? $_SESSION['tmp_dir'] : 'var/tmp');
+$cache_dir = (isset($_SESSION['cache_dir']) ? $_SESSION['cache_dir'] : 'var/'.random_password(12));
+$tmp_dir = (isset($_SESSION['tmp_dir']) ? $_SESSION['tmp_dir'] : 'var/'.random_password(12));
 
 
 /**
@@ -74,7 +74,7 @@
 <br /><br />
 
 <br />
-<h2 style="color: red;"><?php echo i18n_install("Warning: All Directories Below Will Be Deleted If Exists !"); ?></h2><hr>
+<h2 style="color: red;"><?php echo i18n_install("Note: For security reasons folder names were named random!"); ?></h2><hr>
 <br />
 
 <div class="boxalign">
@@ -113,4 +113,6 @@
 );
 $do_javascript_disable_button = true;
 include_once(LINPHA_DIR.'/install/footer.php');
-?>
\ No newline at end of file
+
+/* vi: set ts=4 sw=4 sts=4 */
+?>

Modified: trunk/linpha2/install/step5_getlogin.php
===================================================================
--- trunk/linpha2/install/step5_getlogin.php	2007-11-06 18:05:36 UTC (rev 4783)
+++ trunk/linpha2/install/step5_getlogin.php	2007-11-07 17:56:52 UTC (rev 4784)
@@ -147,4 +147,6 @@
 
 $do_javascript_disable_button = true;
 include_once(LINPHA_DIR.'/install/footer.php');
-?>
\ No newline at end of file
+
+/* vi: set ts=4 sw=4 sts=4 */
+?>

Modified: trunk/linpha2/install/step6_selectdatabase.php
===================================================================
--- trunk/linpha2/install/step6_selectdatabase.php	2007-11-06 18:05:36 UTC (rev 4783)
+++ trunk/linpha2/install/step6_selectdatabase.php	2007-11-07 17:56:52 UTC (rev 4784)
@@ -60,10 +60,12 @@
 }
 
 
+	echo "<h1>".i18n_install("Testing Server Connection")."</h1><hr /><br />";
+	
 switch($_SESSION['sql_dbtype'])
 {
 case "mysql":
-	echo i18n_install("Testing Server Connection")."<br /><br />";
+
 	echo i18n_install("Connecting MySQL-Server... ");
 
 	$link = @mysql_connect($_SESSION['sql_hostname'].":".$_SESSION['sql_dbport'], 
@@ -104,6 +106,9 @@
 case "oci8po":
 	$_SESSION['allowed_to_create_db'] = false;
 break;
+default:
+	$_SESSION['allowed_to_create_db'] = false;
+break;
 
 // case "sqlite": sqlite goes directly to stage8
 }
@@ -232,4 +237,6 @@
 }
 
 include_once(LINPHA_DIR.'/install/footer.php');
+
+/* vi: set ts=4 sw=4 sts=4 */
 ?>

Modified: trunk/linpha2/install/step7_selectprefix.php
===================================================================
--- trunk/linpha2/install/step7_selectprefix.php	2007-11-06 18:05:36 UTC (rev 4783)
+++ trunk/linpha2/install/step7_selectprefix.php	2007-11-07 17:56:52 UTC (rev 4784)
@@ -223,4 +223,6 @@
 
 }
 include_once(LINPHA_DIR.'/install/footer.php');
-?>
\ No newline at end of file
+
+/* vi: set ts=4 sw=4 sts=4 */
+?>

Modified: trunk/linpha2/install/step8_testing.php
===================================================================
--- trunk/linpha2/install/step8_testing.php	2007-11-06 18:05:36 UTC (rev 4783)
+++ trunk/linpha2/install/step8_testing.php	2007-11-07 17:56:52 UTC (rev 4784)
@@ -307,4 +307,6 @@
 
 echo '<br /><br />';
 include_once(LINPHA_DIR.'/install/footer.php');
-?>
\ No newline at end of file
+
+/* vi: set ts=4 sw=4 sts=4 */
+?>

Modified: trunk/linpha2/install/step9_createtables.php
===================================================================
--- trunk/linpha2/install/step9_createtables.php	2007-11-06 18:05:36 UTC (rev 4783)
+++ trunk/linpha2/install/step9_createtables.php	2007-11-07 17:56:52 UTC (rev 4784)
@@ -233,4 +233,6 @@
 		}
 
 include_once(LINPHA_DIR.'/install/footer.php');
+
+/* vi: set ts=4 sw=4 sts=4 */
 ?>

Modified: trunk/linpha2/lib/classes/linpha.functions.php
===================================================================
--- trunk/linpha2/lib/classes/linpha.functions.php	2007-11-06 18:05:36 UTC (rev 4783)
+++ trunk/linpha2/lib/classes/linpha.functions.php	2007-11-07 17:56:52 UTC (rev 4784)
@@ -910,4 +910,32 @@
 	return $accept_lang;
 }
 
-?>
\ No newline at end of file
+/**
+ * generates a random string/password in given length
+ * @author  bzrudi
+ * @param  int length of random string to generate
+ * @return  string random string
+ * @package  functions 
+
+ */
+function random_string($len)
+{
+	$pass = '';
+	$lchar = 0;
+	$char = 0;
+	for($i = 0; $i < $len; $i++)
+	{
+		while($char == $lchar)
+		{
+			$char = rand(48, 109);
+			if($char > 57) $char += 7;
+			if($char > 90) $char += 6;
+		}
+		$pass .= chr($char);
+		$lchar = $char;
+	}
+	return $pass;
+}
+
+/* vi: set ts=4 sw=4 sts=4 */
+?>

Modified: trunk/linpha2/lib/include/sql.data.php
===================================================================
--- trunk/linpha2/lib/include/sql.data.php	2007-11-06 18:05:36 UTC (rev 4783)
+++ trunk/linpha2/lib/include/sql.data.php	2007-11-07 17:56:52 UTC (rev 4784)
@@ -98,7 +98,7 @@
 	'sys_user_autologin' => '1',
 
 
-	'plugins_log_filename' => 'var/linpha.log',
+	'plugins_log_filename' => 'var/linpha-'.random_string(6).'log',
 	'plugins_log_syslog_enable' => '0',
 	'plugins_log_syslog_add_events' => '',
 	'plugins_log_email_enable' => '0',


This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.


