From: Jo R. <jr...@sv...> - 2006-09-17 01:59:46
FYI, I've already added a bunch of little patches. Here is the latest.

On Sat, Sep 16, 2006 at 03:24:20PM -0700, Jo Rhett wrote:
> > On Thu, Mar 23, 2006 at 10:28:09AM -0600, Jim Hu wrote:
> > > Vuln #2 is related to the publish scripts, which we technically say
> > > we don't support. We may need someone to take this on. Anybody?
> >
> > On Apr 27, 2006, at 9:42 PM, Jo Rhett wrote:
> > I'll own it.
>
> My apologies for the extremely late delay getting to this.
>
> Attached is an updated publish.php. It has the following changes:
>
> 1. It fixes the security problem mentioned above.
>
> 2. It integrates publish.ical.php and publish.mozilla.php into a single
> file again. No need to have two files.
>
> 3. It supports external authentication (i.e. .htaccess) for CGI users
>
> 4. It supports php authentication with mod_rewrite but without mod_php
>
> 5. Logging is improved
>
> 6. Internal Documentation is updated and clarified for Sunbird/Lightning
> users. (the docs may not work for old Mozilla cal users, but I don't know
> anyone who still has this -- testers?)
>
> 7. Minor code cleanup to be consistent with the rest of the code base.
>
> And from this point forward I'll start looking at bugs in the sourceforge
> system and taking on those related to publish. Sorry for the delay.
>
> --
> Jo Rhett
> senior geek
> SVcolo : Silicon Valley Colocation
>
> <?php
>
> /*
> Extension to PHP iCalendar for supporting publishing from Apple iCal
> Date: 11.12.2003
> Author: Dietrich Ayala
> Copyright 2003 Dietrich Ayala
>
> Description:
> This allows iCal to publish to your PHP iCalendar site *without* WebDAV support.
> This helps with commercial hosts where WebDAV is not available.
>
> Features:
> - supports publishing and deleting calendars
> - does not require WebDAV
>
> Installation:
> 1. place this file in your PHP iCalendar calendars directory (or anywhere else)
> 2. configure path to PHP iCalendar config file (below)
> 3. make sure that PHP has write access to the calendars directory (or whatever you set $calendar_path to)
> 4. set up directory security on your calendars directory
> 5. turn on publishing in your PHP iCalendar config file by setting $phpicalendar_publishing to 1.
>
> Security:
> The calendars directory should be configured to require authentication.
> This protects any private calendar data, and prevents unauthorized users
> from updating or deleting your calendar data.
>
> Three methods of HTTP authorization are supported.
>
> 1. Server-provided authentication - This can be done via any method supported by
> your webserver. There is much documentation available on the web for doing
> per-directory authentication for Apache.
>
> 2. PHP authentication against $auth_internal_username and $auth_internal_password.
>
> 2a. using mod_php it just works.
>
> 2b. If you can't configure the server for http authentication, and you are running
> PHP in CGI mode *AND* you have mod_rewrite enabled, then you should put the
> following lines in the .htaccess file in your directory:
>
> <IfModule mod_rewrite.c>
> RewriteEngine on
> RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
> </IfModule>
>
> Usage (Apple iCal):
> 1. Open iCal, select a calendar for publishing
> 2. Select "Publish" from the "Calendar" menu
> 3. Configure to your liking, and set the URL to (eg): http://example.com/path/to/publish.php
> 4. Click the "Publish" button
> 5. Some PHP versions require a '?' at the end of the URL (eg): http://localhost/~dietricha/calendar/calendars/publish.php?
>
> Usage (Sunbird Calendar):
> 1. Create a new calendar in Sunbird
> Type Remote
> Location http://example.com/path/to/publish.php/calendarname.ics
> calendarname.ics should be a unique filename and must end with .ics
> Username: either your web server username, or auth_internal_username
> Password: either your web server password, or auth_internal_password
>
> Hints:
> 1. PHP 4.3.0 or greater is required
> 2. Your version of php and apache MUST support $_SERVER['PATH_INFO']
> 3. Depending on your web server environment, you may need to set safe_mode = Off
> (this won't be necessary if you are using a wrapper like cgiwrap or suexec)
>
> Troubleshooting:
> You can turn on logging by setting the PHPICALENDAR_LOG_PUBLISHING constant to 1 below.
> This will write out a log file to the same directory as this script.
> Don't forget to turn off logging when done!!
> */
>
> // include PHP iCalendar configuration variables
> include('../config.inc.php');
>
> // set calendar path, or just use current directory...make sure there's a trailing slash
> if (isset($calendar_path) && $calendar_path != '') {
>     if (substr($calendar_path, -1, 1) != '/') $calendar_path = $calendar_path.'/';
> } else {
>     $calendar_path = '';
> }
>
> // allow/disallow publishing
> $phpicalendar_publishing = isset($phpicalendar_publishing) ? $phpicalendar_publishing : 0;
> define( 'PHPICALENDAR_PUBLISHING', $phpicalendar_publishing );
>
> // toggle logging
> define( 'PHPICALENDAR_LOG_PUBLISHING', 1 );
>
> // Require authentication unless the web server already authenticated the user
> if (!isset($_SERVER['REMOTE_USER'])) {
>
>     // CGI mode: mod_php is not there to fill PHP_AUTH_USER/PHP_AUTH_PW, so recover
>     // them from the HTTP_AUTHORIZATION variable set by the mod_rewrite rule above.
>     // Split on the first ':' only, since the password itself may contain colons.
>     if (!isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['HTTP_AUTHORIZATION'])) {
>         list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
>             = explode( ':', base64_decode( substr($_SERVER['HTTP_AUTHORIZATION'], 6) ), 2 );
>     }
>
>     if (!isset($_SERVER['PHP_AUTH_USER'])) {
>         header('WWW-Authenticate: Basic realm="phpICalendar"');
>         header('HTTP/1.0 401 Unauthorized');
>         echo 'You must be authorized!';
>         exit;
>     } else {
>         // logmsg($_SERVER['PHP_AUTH_PW'] . '|' . $_SERVER['PHP_AUTH_USER']);
>         // strict comparison: a loose '!=' treats numeric strings such as '0' and '00' as equal
>         if ($_SERVER['PHP_AUTH_USER'] !== $auth_internal_username || $_SERVER['PHP_AUTH_PW'] !== $auth_internal_password) {
>             header('WWW-Authenticate: Basic realm="phpICalendar"');
>             header('HTTP/1.0 401 Unauthorized');
>             echo 'You must be authorized!';
>             exit;
>         }
>     }
> }
>
> // only allow publishing if explicitly enabled
> if(PHPICALENDAR_PUBLISHING != 1) {
>     header('WWW-Authenticate: Basic realm="ERROR: Calendar Publishing is disabled on this server"');
>     header('HTTP/1.0 401 Unauthorized');
>     echo 'You must be authorized!';
>     exit;
> }
>
> // unpublishing
> if($_SERVER['REQUEST_METHOD'] == 'DELETE')
> {
>     // get calendar filename: the last path segment only, reduced to the same
>     // character set the PUT handler allows, so it can never leave $calendar_path
>     $calendar_file = substr($_SERVER['REQUEST_URI'] , ( strrpos($_SERVER['REQUEST_URI'], '/') + 1) );
>     $calendar_file = $calendar_path.preg_replace( "/[^\w\.\- ]/", '', $calendar_file );
>
>     logmsg('received request to delete '.$calendar_file);
>
>     // remove calendar file
>     if(!unlink($calendar_file))
>     {
>         logmsg('unable to delete the calendar file');
>     }
>     else
>     {
>         logmsg('deleted');
>     }
>     return;
> }
>
> // publishing
> if($_SERVER['REQUEST_METHOD'] == 'PUT'){
>     // get calendar data
>     $data = '';
>     if($fp = fopen('php://input','r')){
>         while(!@feof($fp)){
>             $data .= fgets($fp,4096);
>         }
>         @fclose($fp);
>     }else{
>         logmsg('unable to read input data');
>     }
>
>     if($data != ''){
>         // calendar name from PATH_INFO (".../publish.php/name.ics"); clients encode spaces as '+'
>         if (isset($_SERVER['PATH_INFO']) &&
>             preg_match("/\/([\w\.\+]*)\.ics/i",$_SERVER['PATH_INFO'],$matches)) {
>             $calendar_name = preg_replace( "/\+/", " ", $matches[1] );
>         }
>
>         // If we don't have it from path info, use the supplied calendar name
>         if( ! isset($calendar_name) ) {
>             $cal_arr = explode("\n",$data);
>             foreach($cal_arr as $k => $v){
>                 if(strstr($v,'X-WR-CALNAME:')){
>                     $arr = explode(':',$v);
>                     $calendar_name = trim($arr[1]);
>                     break;
>                 }
>             }
>         }
>
>         // If we don't have a name, assume default
>         $calendar_name = isset($calendar_name) ? $calendar_name : 'default';
>
>         // Remove any invalid characters from the filename. The result must be
>         // assigned back: preg_replace() returns the cleaned string, it does not
>         // modify its argument, so without the assignment nothing is sanitised.
>         $calendar_name = preg_replace( "/[^\w\.\- ]/", '', $calendar_name );
>
>         logmsg('received request to update ' . $calendar_name);
>
>         // write to file
>         if($fp = fopen($calendar_path.$calendar_name.'.ics','w+')){
>             fputs($fp, $data, strlen($data) );
>             @fclose($fp);
>         }else{
>             logmsg( 'could not open file '.$calendar_path.$calendar_name.'.ics' );
>         }
>     }
> }
>
> if ($_SERVER['REQUEST_METHOD'] == 'GET') {
>     if (isset($_SERVER['PATH_INFO']) &&
>         preg_match("/\/([ A-Za-z0-9._]*)\.ics/i",$_SERVER['PATH_INFO'],$matches)) {
>         $icsfile = $matches[1];
>         // get calendar data
>         if (file_exists($calendar_path . $icsfile . '.ics') &&
>             is_readable($calendar_path . $icsfile . '.ics') &&
>             is_file($calendar_path . $icsfile . '.ics')
>         ) {
>             echo file_get_contents($calendar_path . $icsfile . '.ics');
>         }
>     }
> }
>
> exit;
>
> // for logging (declared after exit; PHP hoists top-level function definitions)
> function logmsg($str){
>     if(defined('PHPICALENDAR_LOG_PUBLISHING') && PHPICALENDAR_LOG_PUBLISHING == 1) {
>         if($fp = fopen('publish_log.txt','a+')) {
>             $logline = $_SERVER['REMOTE_ADDR'] . date(' Y-m-d H:i:s ') . $str . "\n";
>             fputs($fp, $logline, strlen($logline) );
>             fclose($fp);
>         }
>     }
> }
> ?>
>
> _______________________________________________
> Phpicalendar-devel mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phpicalendar-devel

--
Jo Rhett
senior geek
SVcolo : Silicon Valley Colocation
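The filename derivation that change 1 is about, as an added Python model written for this edit (not the project's PHP and not part of the thread): it follows the PATH_INFO regex, the X-WR-CALNAME fallback and the character whitelist of publish.php, then adds a lexical containment check the script does not perform. The "empty name becomes default" rule and the /var/www/calendars base used in the test are assumptions.

```python
import posixpath
import re

# Same patterns as the script, with the '.' before 'ics' escaped and \w kept
# ASCII-only (PCRE's default), so a hyphenated name does NOT match PATH_INFO
# and falls back to X-WR-CALNAME exactly as the PHP does.
PATH_INFO_RE = re.compile(r"/([\w.+]*)\.ics", re.IGNORECASE | re.ASCII)
UNSAFE_RE = re.compile(r"[^\w. -]", re.ASCII)   # the script's whitelist


def calendar_name(path_info, body):
    """Return the sanitised calendar name (without the .ics suffix)."""
    name = None
    if path_info:
        m = PATH_INFO_RE.search(path_info)
        if m:
            name = m.group(1).replace("+", " ")   # clients encode spaces as '+'
    if name is None:
        # fallback: first X-WR-CALNAME line of the iCal body, split like explode(':')
        for line in body.split("\n"):
            if "X-WR-CALNAME:" in line:
                name = line.split(":")[1].strip()
                break
    if name is None:
        name = "default"
    name = UNSAFE_RE.sub("", name)
    # assumption: a name that is empty after stripping would otherwise produce
    # the file ".ics", so treat it as the default calendar instead
    return name or "default"


def target_path(calendar_path, path_info, body):
    """Resolve where a PUT would be written and refuse anything outside calendar_path.

    With the whitelist above the check cannot fail (no '/' survives), so it is
    belt-and-braces in case the whitelist is ever relaxed.
    """
    base = posixpath.normpath(calendar_path)
    candidate = posixpath.normpath(
        posixpath.join(base, calendar_name(path_info, body) + ".ics"))
    if posixpath.dirname(candidate) != base:
        raise ValueError("calendar name escapes the calendars directory: %r" % candidate)
    return candidate


# constructed sample body, the way Sunbird/iCal would PUT it (CRLF line ends)
SAMPLE_BODY = "BEGIN:VCALENDAR\r\nX-WR-CALNAME:Team ../../Cal\r\nEND:VCALENDAR\r\n"
```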