.htaccess security check feature with automatic repair upon login - amended - removed writing to .htaccess

This commit is contained in:
OpenXE 2022-12-08 12:48:49 +00:00
parent e3b7634581
commit 7a530e1274
4 changed files with 34 additions and 30 deletions


@ -15,4 +15,5 @@ Order deny,allow
<Files "index.php">
Order Allow,Deny
Allow from all
</Files>
</Files>
# end


@ -571,6 +571,9 @@ class Acl
public function Login()
{
include dirname(__DIR__).'/../version.php';
$this->app->Tpl->Set('XENTRALVERSION',"V.".$version_revision);
$result = $this->CheckHtaccess();
if ($result !== true) {
$this->app->Tpl->Set('LOGINWARNING_TEXT', "Achtung: Zugriffskonfiguration (htaccess) fehlerhaft. Bitte wenden Sie sich an Ihren an Ihren Administrator. <br>($result)");
@ -1219,7 +1222,8 @@ class Acl
// true if ok, else error text
protected function CheckHtaccess() : mixed {
$nominal = array('# Generated file from class.acl.php
$nominal = array('
# Generated file from class.acl.php
# For detection of htaccess functionality
SetEnv OPENXE_HTACCESS on
# Disable directory browsing
@ -1236,22 +1240,27 @@ Order deny,allow
<Files "index.php">
Order Allow,Deny
Allow from all
</Files>',
'# Generated file from class.acl.php
</Files>
# end
',
'
# Generated file from class.acl.php
# Disable directory browsing
Options -Indexes
# Deny access to all *.php
Order deny,allow
Allow from all
<Files *.php>
<FilesMatch "\.(css|jpg|jpeg|gif|png|svg|js)$">
Order Allow,Deny
Deny from all
</Files>
Allow from all
</FilesMatch>
# Allow access to index.php
<Files index.php>
Order Allow,Deny
Allow from all
</Files>');
</Files>
# end
');
$script_file_name = $_SERVER['SCRIPT_FILENAME'];
$htaccess_path = array(
@ -1259,21 +1268,17 @@ Allow from all
dirname($script_file_name)."/.htaccess"); // www
for ($count = 0;$count < 2;$count++) {
$htaccess = trim(file_get_contents($htaccess_path[$count]));
$htaccess_nominal = trim($nominal[$count]);
$htaccess = file_get_contents($htaccess_path[$count]);
$result = strcmp(trim($htaccess[$count]),trim($nominal[$count]));
$result = strcmp($htaccess,$htaccess_nominal);
if (($result !== 0) || ($htaccess === false)) {
$result = file_put_contents($htaccess_path[$count],trim($nominal[$count]));
if ($result === false) {
if ($htaccess === false) {
return("FATAL: ".$htaccess_path[$count]." nicht vorhanden und kann nicht korrigiert werden.");
}
return("FATAL: ".$htaccess_path[$count]." fehlerhaft und kann nicht korrigiert werden.");
}
if ($result !== 0) {
return("FATAL: ".$htaccess_path[$count]." fehlerhaft.");
}
if ($htaccess === false) {
return("FATAL: ".$htaccess_path[$count]." nicht vorhanden.");
}
}
if (!isset($_SERVER['OPENXE_HTACCESS'])) {
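Review bot: The warning set into `LOGINWARNING_TEXT` in Login() embeds `$result`, and every failure string CheckHtaccess() builds (`"FATAL: ".$htaccess_path[$count]." ..."`) contains an absolute server path derived from `$_SERVER['SCRIPT_FILENAME']`, so while the check fails the unauthenticated login page discloses the installation's filesystem layout to anyone who loads it. Log the detailed `$result` server-side and render only a generic message, e.g. `$this->app->Tpl->Set('LOGINWARNING_TEXT', "Achtung: Zugriffskonfiguration (htaccess) fehlerhaft. Bitte wenden Sie sich an Ihren Administrator.");` (which also drops the duplicated "an Ihren"). Separately, in the loop the `$htaccess === false` test comes after `if ($result !== 0)`, but `file_get_contents()` on a missing file returns false and, unless strict_types is on (then it is a TypeError), `strcmp(false, ...)` is never 0, so the "nicht vorhanden" branch is unreachable and a warning is emitted before the check reports anything; testing the file first and comparing afterwards fixes both, as below. Login() and CheckHtaccess() both continue outside the displayed hunks.
```php
for ($count = 0; $count < 2; $count++) {
    $path = $htaccess_path[$count];
    // existence first: file_get_contents() warns on a missing file and strcmp(false, ...) is never 0
    if (!is_file($path) || ($htaccess = file_get_contents($path)) === false) {
        return "FATAL: " . $path . " nicht vorhanden.";
    }
    if (strcmp(trim($htaccess), trim($nominal[$count])) !== 0) {
        return "FATAL: " . $path . " fehlerhaft.";
    }
}
// … unchanged: OPENXE_HTACCESS environment check …
```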


@ -4,12 +4,13 @@ Options -Indexes
# Deny access to all *.php
Order deny,allow
Allow from all
<Files *.php>
<FilesMatch "\.(css|jpg|jpeg|gif|png|svg|js)$">
Order Allow,Deny
Deny from all
</Files>
Allow from all
</FilesMatch>
# Allow access to index.php
<Files index.php>
Order Allow,Deny
Allow from all
</Files>
</Files>
# end
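Review bot: As printed, the directory-level directives left after the removed `<Files *.php>` block are `Order deny,allow` followed by `Allow from all`, and no `Deny from all` remains anywhere in the hunk, so the `# Deny access to all *.php` comment no longer describes the file: the directory rule already allows every request, and the `<FilesMatch ...>` and `<Files index.php>` sections that allow assets and index.php become redundant. If the intent is still that only static assets and index.php are reachable under this directory, the directory-level line should read `Deny from all`, with the FilesMatch and index.php blocks granting the exceptions; if the loosening is deliberate, the comment should say so. The nominal string for this file in CheckHtaccess() carries the same `Order deny,allow` / `Allow from all` pair, so the two must be changed together or the login check will report the file as fehlerhaft. I cannot tell from the rendered page which `</Files>` line is old and which is new, but the directive lines above are printed once and read as context.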


@ -37,12 +37,9 @@
[PAGE]
<div id="login-footer">
<div class="copyright">
&copy; [YEAR] by OpenXE-org & Xentral&nbsp;ERP&nbsp;Software&nbsp;GmbH.
<br>
[WAWIVERSION]
</br>
OpenXE is free open source software under AGPL-3.0 license, based on <a href="https://xentral.com" target="_blank">Xentral®</a>.
<!-- dead link [LIZENZHINWEIS] -->
&copy; [YEAR] by OpenXE-org & Xentral&nbsp;ERP&nbsp;Software&nbsp;GmbH.<br>
OpenXE is free open source software under AGPL-3.0 license, based on <a href="https://xentral.com" target="_blank">Xentral®</a>.<br>
[XENTRALVERSION]
</div>
</div>
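Review bot: `[XENTRALVERSION]` is rendered in the login footer, i.e. before authentication, and Login() fills it with `$version_revision` from version.php, so the exact revision is visible to anyone who opens the login page; the removed `[WAWIVERSION]` placeholder sat in the same spot, so this is pre-existing exposure carried forward rather than something the commit introduces. Consider rendering the revision only after login or behind a configuration flag and leaving the pre-login footer to the copyright and licence lines.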