Re: [PHPiCalendar-DEV] Updated publish.php

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

FYI, I've already added a bunch of little patches.  Here is the latest.

On Sat, Sep 16, 2006 at 03:24:20PM -0700, Jo Rhett wrote:
> > >On Thu, Mar 23, 2006 at 10:28:09AM -0600, Jim Hu wrote:
> > >>Vuln #2 is related to the publish scripts, which we technically say
> > >>we don't support.  We may need someone to take this on.  Anybody?
> 
> > On Apr 27, 2006, at 9:42 PM, Jo Rhett wrote:
> > >I'll own it.
> 
> My apologies for the extreme late delay getting to this.
> 
> Attached is an updated publish.php.  It has the following changes:
> 
> 1. It fixes the security problem mentioned above.
> 
> 2. It integrates publish.ical.php and publish.mozilla.php into a single
> file again.  No need to have two files.
> 
> 3. It supports external authentication (ie .htaccess) for CGI users
> 
> 4. It supports php authentication with mod_rewrite but without mod_php
> 
> 5. Logging is improved
> 
> 6. Internal Documentation is updated and clarified for Sunbird/Lightning
> users. (the docs may not work for old Mozilla cal users, but I don't know
> anyone who still has this -- testers?)
> 
> 7. Minor code cleanup to be consistent with the rest of the code base.
> 
> And from this point forward I'll start looking at bugs in the sourceforge
> system and taking on those related to publish.  Sorry for the delay.
> 
> -- 
> Jo Rhett
> senior geek
> SVcolo : Silicon Valley Colocation

> <?php
> 
> /*
> Extension to PHP iCalendar for supporting publishing from Apple iCal
> Date: 11.12.2003
> Author: Dietrich Ayala
> Copyright 2003 Dietrich Ayala
> 
> Description:
> This allows iCal to publish to your PHP iCalendar site *without* WebDAV support.
> This helps with commercial hosts where WebDAV is not available.
> 
> Features:
> - supports publishing and deleting calendars
> - does not require WebDAV
> 
> Installation:
> 1. place this file in your PHP iCalendar calendars directory (or anywhere else)
> 2. configure path to PHP iCalendar config file (below)
> 3. make sure that PHP has write access to the calendars directory (or whatever you set $calendar_path to)
> 4. set up directory security on your calendars directory
> 5. turn on publishing in your PHP iCalendar config file by setting $phpicalendar_publishing to 1.
> 
> Security:
> The calendars directory should be configured to require authentication. 
> This protects any private calendar data, and prevents unauthorized users
> from updating or deleting your calendar data.
> 
> Three methods of HTTP authorization are supported.
> 
> 1. Server-provided authentication - This can be done via any method supported by 
>    your webserver. There is much documentation available on the web for doing 
>    per-directory authentication for Apache.
> 
> 2. PHP authentication against $auth_internal_username and $auth_internal_password.
> 
>  2a. using mod_php it just works.
> 
>  2b. If you can't configure the server for http authentication, and you are running
>      PHP in CGI mode *AND* you have mod_rewrite enabled, then you should put the
>      following lines in the .htaccess file in your directory:
> 
> <IfModule mod_rewrite.c>
> RewriteEngine on
> RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
> </IfModule>
> 
> Usage (Apple iCal):
> 1. Open iCal, select a calendar for publishing
> 2. Select "Publish" from the "Calendar" menu
> 3. Configure to your liking, and set the URL to (eg): http://example.com/path/to/publish.php
> 4. Click the "Publish" button
> 5. Some PHP versions require a '?' at the end of the URL (eg): http://localhost/~dietricha/calendar/calendars/publish.php?
> 
> Usage (Sunbird Calendar):
> 1. Create a new calendar in Sunbird
> 	Type Remote
> 	Location http://example.com/path/to/publish.php/calendarname.ics
> 		calendarname.ics should be a unique filename and must end with .ics
> 	Username: either your web server username, or auth_internal_username 
> 	Password: either your web server password, or auth_internal_password 
> 
> Hints:
> 1. PHP 4.3.0 or greater is required
> 2. Your version of php and apache MUST support $_SERVER['PATH_INFO']
> 3. Depending on your web server environment, you may need to set safe_mode = Off
>    (this won't be necessary if you are using a wrapper like cgiwrap or suexec) 
> 
> Troubleshooting:
> You can turn on logging by setting the PHPICALENDAR_LOG_PUBLISHING constant to 1 below.
> This will write out a log file to the same directory as this script.
> Don't forget to turn off logging when done!!
> */
> 
> // include PHP iCalendar configuration variables
> include('../config.inc.php');
> 
> // set calendar path, or just use current directory...make sure there's a trailing slash
> if (isset($calendar_path) && $calendar_path != '') {
> 	if (substr($calendar_path, -1, 1) !='/') $calendar_path = $calendar_path.'/';
> } else {
> 	$calendar_path = '';
> }
> // allow/disallow publishing
> 
> $phpicalendar_publishing = isset($phpicalendar_publishing) ? $phpicalendar_publishing : 0;
> define( 'PHPICALENDAR_PUBLISHING', $phpicalendar_publishing );
> 
> // toggle logging
> define( 'PHPICALENDAR_LOG_PUBLISHING', 1 );
> 
> // Require authentication 
> if (!isset($_SERVER['REMOTE_USER'])) {
> 
> 	// Require authentication 
> 	if (!isset($_SERVER['HTTP_AUTHORIZATION'])) {
> 		list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
> 			= explode( ':', base64_decode( substr($_SERVER['HTTP_AUTHORIZATION'], 6) ) );
> 	}
> 
> 	if (!isset($_SERVER['PHP_AUTH_USER'])) {
> 		header('WWW-Authenticate: Basic realm="phpICalendar"');
> 		header('HTTP/1.0 401 Unauthorized');
> 		echo 'You must be authorized!';
> 		exit;
> 	} else {
> 		// logmsg($_SERVER['PHP_AUTH_PW'] . '|' . $_SERVER['PHP_AUTH_USER']);
> 		if ($_SERVER['PHP_AUTH_USER'] != $auth_internal_username || $_SERVER['PHP_AUTH_PW'] != $auth_internal_password) {
> 			header('WWW-Authenticate: Basic realm="phpICalendar"');
> 			header('HTTP/1.0 401 Unauthorized');
> 			echo 'You must be authorized!';
> 			exit;
> 		}
> 	}
> }
> 
> // only allow publishing if explicitly enabled
> if(PHPICALENDAR_PUBLISHING != 1) {
> 	header('WWW-Authenticate: Basic realm="ERROR: Calendar Publishing is disabled on this server"');
> 	header('HTTP/1.0 401 Unauthorized');
> 	echo 'You must be authorized!';
> 	exit;
> }
> 
> // unpublishing
> if($_SERVER['REQUEST_METHOD'] == 'DELETE')
> {
> 	// get calendar filename
> 	$calendar_file = $calendar_path.substr($_SERVER['REQUEST_URI'] , ( strrpos($_SERVER['REQUEST_URI'], '/') + 1) ) ;
> 	
> 	logmsg('received request to delete '.$calendar_file);
> 	
> 	// remove calendar file
> 	if(!unlink($calendar_file))
> 	{
> 		logmsg('unable to delete the calendar file');
> 	}
> 	else
> 	{
> 		logmsg('deleted');
> 	}
> 	return;
> }
> 
> // publishing
> if($_SERVER['REQUEST_METHOD'] == 'PUT'){
> 	// get calendar data
> 	if($fp = fopen('php://input','r')){
> 		while(!@feof($fp)){
> 			$data .= fgets($fp,4096);
> 		}
> 		
> 		@fclose($fp);
> 	}else{
> 		logmsg('unable to read input data');
> 	}
> 	
> 	if(isset($data)){
> 		if (isset($_SERVER['PATH_INFO'])) {
> 			preg_match("/\/([\w\.\+]*).ics/i",$_SERVER['PATH_INFO'],$matches);
> 			$calendar_name = $matches[1];
> 			preg_replace( "/+/", " ", $calendar_name );
> 		}
> 
> 		// If we don't have it from path info, use the supplied calendar name
> 		if( ! isset($calendar_name) ) {
> 		
> 			$cal_arr = explode("\n",$data);
> 		
> 			foreach($cal_arr as $k => $v){
> 				if(strstr($v,'X-WR-CALNAME:')){
> 					$arr = explode(':',$v);
> 					$calendar_name = trim($arr[1]);
> 					break;
> 				}
> 			}
> 		}
> 		
> 		// Remove any invalid characters from the filename
> 		preg_replace( "/[^\w\.\- ]/", '', $calendar_name );
> 
> 		// If we don't have a name, assume default
> 		$calendar_name = isset($calendar_name) ? $calendar_name : 'default';
> 
> 		logmsg('received request to update ' . $calendar_name);
> 
> 		// write to file
> 		if($fp = fopen($calendar_path.$calendar_name.'.ics','w+')){
> 			fputs($fp, $data, strlen($data) );
> 			@fclose($fp);
> 		}else{
> 			logmsg( 'could not open file '.$calendar_path.$calendar_name.'.ics' );
> 		}
> 	}
> }
> if ($_SERVER['REQUEST_METHOD'] == 'GET') {
> 	if (isset($_SERVER['PATH_INFO'])) {
> 		preg_match("/\/([ A-Za-z0-9._]*).ics/i",$_SERVER['PATH_INFO'],$matches);
> 		$icsfile = $matches[1];
> 		// get calendar data
> 		if (file_exists($calendar_path . $icsfile . '.ics') &&
> 			is_readable($calendar_path . $icsfile . '.ics') &&
> 			is_file($calendar_path . $icsfile . '.ics')
> 		) {
> 			echo file_get_contents($calendar_path . $icsfile . '.ics');
> 		}
> 	}
> }
> 
> exit;
> 
> 
> // for logging
> function logmsg($str){
> 	if(defined('PHPICALENDAR_LOG_PUBLISHING') && PHPICALENDAR_LOG_PUBLISHING == 1) {
> 		if($fp = fopen('publish_log.txt','a+')) {
> 			$logline = $_SERVER['REMOTE_ADDR'] . date(' Y-m-d H:i:s ') . ${str} . "\n";
> 			fputs($fp, $logline, strlen($logline) );
> 			fclose($fp);
> 		}
> 	}
> }
> ?>

> -------------------------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

> _______________________________________________
> Phpicalendar-devel mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phpicalendar-devel

-- 
Jo Rhett
senior geek
SVcolo : Silicon Valley Colocation