Commit c6943950 authored by tbrehm's avatar tbrehm
Browse files

Some fixes in folder protection.

parent 2c273e99
...@@ -92,6 +92,8 @@ class web_module { ...@@ -92,6 +92,8 @@ class web_module {
$app->modules->registerTableHook('ftp_user','web_module','process'); $app->modules->registerTableHook('ftp_user','web_module','process');
$app->modules->registerTableHook('shell_user','web_module','process'); $app->modules->registerTableHook('shell_user','web_module','process');
$app->modules->registerTableHook('webdav_user','web_module','process'); $app->modules->registerTableHook('webdav_user','web_module','process');
$app->modules->registerTableHook('web_folder','web_module','process');
$app->modules->registerTableHook('web_folder_user','web_module','process');
// Register service // Register service
$app->services->registerService('httpd','web_module','restartHttpd'); $app->services->registerService('httpd','web_module','restartHttpd');
......
...@@ -1195,7 +1195,7 @@ class apache2_plugin { ...@@ -1195,7 +1195,7 @@ class apache2_plugin {
//* Create or update the .htaccess folder protection //* Create or update the .htaccess folder protection
function web_folder_user($event_name,$data) { function web_folder_user($event_name,$data) {
global $app, $conf; global $app, $conf;
$app->uses('system'); $app->uses('system');
if($event_name == 'web_folder_user_delete') { if($event_name == 'web_folder_user_delete') {
...@@ -1213,17 +1213,19 @@ class apache2_plugin { ...@@ -1213,17 +1213,19 @@ class apache2_plugin {
} }
//* Get the folder path. //* Get the folder path.
$folder_path = realpath($website['document_root'].'/web/'.$folder['path']); if(substr($folder['path'],0,1) == '/') $folder['path'] = substr($folder['path'],1);
if(substr($folder['path'],-1) == '/') $folder['path'] = substr($folder['path'],0,-1);
$folder_path = escapeshellcmd($website['document_root'].'/web/'.$folder['path']);
if(substr($folder_path,-1 != '/')) $folder_path .= '/'; if(substr($folder_path,-1 != '/')) $folder_path .= '/';
//* Check if the resulting path is inside the docroot //* Check if the resulting path is inside the docroot
if(substr($folder_path,0,strlen($website['document_root'])) != $website['document_root']) { if(stristr($folder_path,'..') || stristr($folder_path,'./') || stristr($folder_path,'\\')) {
$app->log('Folder path is outside of docroot.',LOGLEVEL_DEBUG); $app->log('Folder path "'.$folder_path.'" contains .. or ./.',LOGLEVEL_DEBUG);
return false; return false;
} }
//* Create the folder path, if it does not exist //* Create the folder path, if it does not exist
if(!is_dir($folder_path)) exec('mkdir -p '.escapehsellarg($folder_path)); if(!is_dir($folder_path)) exec('mkdir -p '.$folder_path);
//* Create empty .htpasswd file, if it does not exist //* Create empty .htpasswd file, if it does not exist
if(!is_file($folder_path.'.htpasswd')) { if(!is_file($folder_path.'.htpasswd')) {
...@@ -1232,13 +1234,20 @@ class apache2_plugin { ...@@ -1232,13 +1234,20 @@ class apache2_plugin {
$app->log('Created file'.$folder_path.'.htpasswd',LOGLEVEL_DEBUG); $app->log('Created file'.$folder_path.'.htpasswd',LOGLEVEL_DEBUG);
} }
if($data['new']['username'] != $data['old']['username'] || $data['new']['active'] == 'n') {
$app->system->removeLine($folder_path.'.htpasswd',$data['old']['username'].':');
$app->log('Removed user: '.$data['old']['username'],LOGLEVEL_DEBUG);
}
//* Add or remove the user from .htpasswd file //* Add or remove the user from .htpasswd file
if($event_name == 'web_folder_user_delete') { if($event_name == 'web_folder_user_delete') {
$app->system->removeLine($folder_path.'.htpasswd',$data['new']['username'].':'); $app->system->removeLine($folder_path.'.htpasswd',$data['old']['username'].':');
$app->log('Removed user: '.$data['new']['username'],LOGLEVEL_DEBUG); $app->log('Removed user: '.$data['old']['username'],LOGLEVEL_DEBUG);
} else { } else {
$app->system->replaceLine($folder_path.'.htpasswd',$data['new']['username'].':',$data['new']['username'].':'.$data['new']['password'],0,1); if($data['new']['active'] == 'y') {
$app->log('Added or updated user: '.$data['new']['username'],LOGLEVEL_DEBUG); $app->system->replaceLine($folder_path.'.htpasswd',$data['new']['username'].':',$data['new']['username'].':'.$data['new']['password'],0,1);
$app->log('Added or updated user: '.$data['new']['username'],LOGLEVEL_DEBUG);
}
} }
//* Create the .htaccess file //* Create the .htaccess file
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment