
! Checks for and creates .htaccess and index.php in the cache directory and the current attachments directory [Bug 4961] [Bug 4965]

emanuele 12 years ago
parent
commit
4bd3511df1
2 changed files with 85 additions and 0 deletions
  1. 71 0
      Sources/Security.php
  2. 14 0
      Sources/Subs.php

+ 71 - 0
Sources/Security.php

@@ -1175,4 +1175,75 @@ function spamProtection($error_type)
 	return false;
 }
 
+/**
+ * A generic function to create a pair of index.php and .htaccess files in a directory
+ * @param string $path, the (absolute) directory path
+ * @param boolean $attachments, if the directory is an attachments directory or not
+ * @return true on success, error string if anything fails
+ */
+function secureDirectory($path, $attachments = false)
+{
+	if (empty($path))
+		return 'empty_path';
+
+	if (!is_writable($path))
+		return 'path_not_writable';
+
+	$directoryname = basename($path);
+
+	$errors = array();
+	$close = empty($attachments) ? '
+</Files>' : '
+	Allow from localhost
+</Files>
+
+RemoveHandler .php .php3 .phtml .cgi .fcgi .pl .fpl .shtml';
+
+	if (file_exists($path . '/.htaccess'))
+		$errors[] = 'htaccess_exists';
+	else
+	{
+		$fh = @fopen($path . '/.htaccess', 'w');
+		if ($fh) {
+			fwrite($fh, '<Files *>
+	Order Deny,Allow
+	Deny from all' . $close);
+			fclose($fh);
+		}
+		$errors[] = 'htaccess_cannot_create_file';
+	}
+
+	if (file_exists($path . '/index.php'))
+		$errors[] = 'index-php_exists';
+	else
+	{
+		$fh = @fopen($path . '/index.php', 'w');
+		if ($fh) {
+			fwrite($fh, '<?php
+
+// This file is here solely to protect your ' . $directoryname . ' directory.
+
+// Look for Settings.php....
+if (file_exists(dirname(dirname(__FILE__)) . \'/Settings.php\'))
+{
+	// Found it!
+	require(dirname(dirname(__FILE__)) . \'/Settings.php\');
+	header(\'Location: \' . $boardurl);
+}
+// Can\'t find it... just forget it.
+else
+	exit;
+
+?>');
+			fclose($fh);
+		}
+		$errors[] = 'index-php_cannot_create_file';
+	}
+
+	if (!empty($errors))
+		return $errors;
+	else
+		return true;
+}
+
 ?>
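Review bot: `$errors[] = 'htaccess_cannot_create_file';` on the line after the `if ($fh) { … }` block runs unconditionally, so a successful write is still recorded as a failure, and the same applies to `'index-php_cannot_create_file'` in the index.php branch; as written secureDirectory() can never return `true`. Both pushes belong in an `else` of the `if ($fh)` test (`} else $errors[] = 'htaccess_cannot_create_file';`), and the fwrite() result should be checked too, since the `@fopen` already hides the reason for a failed open. The docblock's `@return true on success, error string if anything fails` does not match the body, which returns a string for the two early exits but an array of codes otherwise; `@return true|string|array` with the code list would be accurate. `$directoryname` is interpolated unescaped into the generated index.php, where a carriage return or newline in the directory name would terminate the `//` comment and the remainder would be parsed as code, so strip line breaks before inserting it (`str_replace(array("\r", "\n"), ' ', $directoryname)`). The `Order Deny,Allow` / `Deny from all` lines are Apache 2.2 access-control syntax that 2.4 ignores or rejects without mod_access_compat, and the file only takes effect where AllowOverride permits, so the comment should state that this is defence in depth rather than a guarantee.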

+ 14 - 0
Sources/Subs.php

@@ -3022,6 +3022,20 @@ function template_header()
 				if (!file_exists($boarddir . '/' . $securityFile))
 					unset($securityFiles[$i]);
 			}
+			// We are already checking so many files...just few more doesn't make any difference! :P
+			if (!empty($modSettings['currentAttachmentUploadDir']))
+			{
+				if (!is_array($modSettings['attachmentUploadDir']))
+					$modSettings['attachmentUploadDir'] = @unserialize($modSettings['attachmentUploadDir']);
+				$path = $modSettings['attachmentUploadDir'][$modSettings['currentAttachmentUploadDir']];
+			}
+			else
+			{
+				$path = $modSettings['attachmentUploadDir'];
+				$id_folder_thumb = 1;
+			}
+			secureDirectory($path, true);
+			secureDirectory($cachedir);
 
 			if (!empty($securityFiles) || (!empty($modSettings['cache_enable']) && !is_writable($cachedir)))
 			{
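Review bot: The return values of `secureDirectory($path, true)` and `secureDirectory($cachedir)` are discarded, so a `'path_not_writable'` or cannot-create result is never surfaced, although the enclosing block appears to exist to warn about missing security files (its start and the rest of template_header() are outside the hunk). Capturing them, e.g. `$secureResult = secureDirectory($path, true);`, and folding a non-true result into the same warning the `$securityFiles` check produces would make the new check actually report something. `$id_folder_thumb = 1;` is assigned in the `else` branch but never read within the hunk; it looks copied from attachment-path code elsewhere and should be dropped unless a later line in the function uses it. If `$modSettings['attachmentUploadDir']` has no entry for `currentAttachmentUploadDir`, `$path` is null and the call returns `'empty_path'` silently, so an `isset()` guard before the lookup would make that case visible. The `@unserialize()` of the stored setting follows the existing convention here, but the `@` also hides a corrupt value, which is then passed on as `false`.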