From 7a530e12745401da9527c8f16b89fe521f3071aa Mon Sep 17 00:00:00 2001
From: OpenXE <>
Date: Thu, 8 Dec 2022 12:48:49 +0000
Subject: [PATCH] .htaccess security check feature with automatic repair upon
login - amended - removed writing to .htaccess
---
.htaccess | 3 +-
phpwf/plugins/class.acl.php | 43 ++++++++++++++------------
www/.htaccess | 9 +++---
www/themes/new/templates/loginpage.tpl | 9 ++----
4 files changed, 34 insertions(+), 30 deletions(-)
diff --git a/.htaccess b/.htaccess
index a8f5cbf7..f10b3464 100644
--- a/.htaccess
+++ b/.htaccess
@@ -15,4 +15,5 @@ Order deny,allow
Order Allow,Deny
Allow from all
-
\ No newline at end of file
+
+# end
diff --git a/phpwf/plugins/class.acl.php b/phpwf/plugins/class.acl.php
index 76286fc8..8e8db8bf 100644
--- a/phpwf/plugins/class.acl.php
+++ b/phpwf/plugins/class.acl.php
@@ -571,6 +571,9 @@ class Acl
public function Login()
{
+ include dirname(__DIR__).'/../version.php';
+ $this->app->Tpl->Set('XENTRALVERSION',"V.".$version_revision);
+
$result = $this->CheckHtaccess();
if ($result !== true) {
$this->app->Tpl->Set('LOGINWARNING_TEXT', "Achtung: Zugriffskonfiguration (htaccess) fehlerhaft. Bitte wenden Sie sich an Ihren an Ihren Administrator.
($result)");
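Review bot: The warning set on the last two lines of the hunk interpolates `$result`, and the `CheckHtaccess` branches added by this same commit build that string from `$htaccess_path`, i.e. from `dirname($_SERVER['SCRIPT_FILENAME'])`, so a misconfigured install prints an absolute server path to every unauthenticated visitor of the login page. Log the detail server-side and keep the template text generic, e.g. `error_log('htaccess check: '.$result); $this->app->Tpl->Set('LOGINWARNING_TEXT', 'Achtung: Zugriffskonfiguration (htaccess) fehlerhaft. Bitte wenden Sie sich an Ihren Administrator.');`, which also drops the duplicated "an Ihren an Ihren". The new unconditional `include` of version.php likewise places the exact revision on the pre-login page, which is a fingerprinting aid; if that is intended it should at least be guarded with `if (is_file(dirname(__DIR__).'/../version.php'))` so a missing file does not leave `$version_revision` undefined and emit a warning. Login() continues past the end of this hunk.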
@@ -1219,7 +1222,8 @@ class Acl
// true if ok, else error text
protected function CheckHtaccess() : mixed {
- $nominal = array('# Generated file from class.acl.php
+ $nominal = array('
+# Generated file from class.acl.php
# For detection of htaccess functionality
SetEnv OPENXE_HTACCESS on
# Disable directory browsing
@@ -1236,22 +1240,27 @@ Order deny,allow
Order Allow,Deny
Allow from all
-',
-'# Generated file from class.acl.php
+
+# end
+',
+'
+# Generated file from class.acl.php
# Disable directory browsing
Options -Indexes
# Deny access to all *.php
Order deny,allow
Allow from all
-
+
Order Allow,Deny
- Deny from all
-
+ Allow from all
+
# Allow access to index.php
Order Allow,Deny
Allow from all
-');
+
+# end
+');
$script_file_name = $_SERVER['SCRIPT_FILENAME'];
$htaccess_path = array(
@@ -1259,21 +1268,17 @@ Allow from all
dirname($script_file_name)."/.htaccess"); // www
for ($count = 0;$count < 2;$count++) {
+ $htaccess = trim(file_get_contents($htaccess_path[$count]));
+ $htaccess_nominal = trim($nominal[$count]);
- $htaccess = file_get_contents($htaccess_path[$count]);
-
- $result = strcmp(trim($htaccess[$count]),trim($nominal[$count]));
+ $result = strcmp($htaccess,$htaccess_nominal);
- if (($result !== 0) || ($htaccess === false)) {
- $result = file_put_contents($htaccess_path[$count],trim($nominal[$count]));
- if ($result === false) {
-
- if ($htaccess === false) {
- return("FATAL: ".$htaccess_path[$count]." nicht vorhanden und kann nicht korrigiert werden.");
- }
- return("FATAL: ".$htaccess_path[$count]." fehlerhaft und kann nicht korrigiert werden.");
- }
+ if ($result !== 0) {
+ return("FATAL: ".$htaccess_path[$count]." fehlerhaft.");
}
+ if ($htaccess === false) {
+ return("FATAL: ".$htaccess_path[$count]." nicht vorhanden.");
+ }
}
if (!isset($_SERVER['OPENXE_HTACCESS'])) {
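Review bot: The `$htaccess === false` branch at the end of the loop is now unreachable: `file_get_contents` is wrapped in `trim()` on the first added line, and `trim(false)` yields `''`, so a missing or unreadable `.htaccess` is reported as "fehlerhaft" (after a PHP warning) rather than "nicht vorhanden", and the test sits after the strcmp that has already returned. Check readability before reading and compare afterwards; normalising CRLF also avoids a false FATAL on a file edited on Windows, since `trim` only strips the ends. Note that the `SetEnv OPENXE_HTACCESS` probe checked on the last hunk line only proves that `.htaccess` is parsed at all, not that the `Order`/`Allow`/`Deny` directives are honoured (on Apache 2.4 they need mod_access_compat), so the success path should not be read as proof of access control. The function continues beyond the hunk.
```php
for ($count = 0;$count < 2;$count++) {
    $path = $htaccess_path[$count];
    if (!is_readable($path)) {
        return("FATAL: ".$path." nicht vorhanden.");
    }
    $htaccess = trim(str_replace("\r\n", "\n", (string) file_get_contents($path)));
    $htaccess_nominal = trim($nominal[$count]);
    if (strcmp($htaccess, $htaccess_nominal) !== 0) {
        return("FATAL: ".$path." fehlerhaft.");
    }
}
// … unchanged: OPENXE_HTACCESS environment check …
```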
diff --git a/www/.htaccess b/www/.htaccess
index cc24e244..885fdd46 100644
--- a/www/.htaccess
+++ b/www/.htaccess
@@ -4,12 +4,13 @@ Options -Indexes
# Deny access to all *.php
Order deny,allow
Allow from all
-
+
Order Allow,Deny
- Deny from all
-
+ Allow from all
+
# Allow access to index.php
Order Allow,Deny
Allow from all
-
\ No newline at end of file
+
+# end
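Review bot: The directive under `# Deny access to all *.php` changes from `Deny from all` to `Allow from all`, so this file no longer denies anything it denied before and the comment above the directive is now wrong. With `Order Allow,Deny` followed by `Allow from all` the section is a pure permit, which also makes the following `# Allow access to index.php` section redundant because nothing is denied in the first place. Either restore `Deny from all` or rewrite the comment to state that direct access to PHP files is intentionally open, and say why, so the next reader does not assume the hardening is still in place. The container lines for these sections are not visible in this rendering, so I cannot confirm which file patterns they apply to.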
diff --git a/www/themes/new/templates/loginpage.tpl b/www/themes/new/templates/loginpage.tpl
index ef538d1f..0540019b 100644
--- a/www/themes/new/templates/loginpage.tpl
+++ b/www/themes/new/templates/loginpage.tpl
@@ -37,12 +37,9 @@
[PAGE]