s.probst/OpenXE
1
0
Fork 0
mirror of https://github.com/OpenXE-org/OpenXE.git synced 2024-11-14 20:17:14 +01:00
Code Issues Projects Releases Wiki Activity

.htacces security check feature with automatic repair upon login

Browse Source
This commit is contained in:
OpenXE 2022-12-07 21:31:26 +00:00
parent e5637b226e
commit 87e941516e
4 changed files with 102 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
.htaccess Normal file
View File

@ -0,0 +1,11 @@
# Generated file from class.acl.php
# Disable directory browsing
Options -Indexes
Order deny,allow
Deny from all
<Files "index.php">
Order Allow,Deny
Allow from all
</Files>

75
phpwf/plugins/class.acl.php
View File

@ -570,12 +570,20 @@ class Acl
public function Login()
{
$this->app->Tpl->Set('LOGINWARNING', 'display:none;visibility:hidden;');
if($this->IsInLoginLockMode() === true){
$this->app->Tpl->Set('LOGINWARNING', '');
$result = $this->CheckHtaccess();
if ($result !== true) {
$this->app->Tpl->Set('LOGINWARNING_TEXT', "Achtung: Zugriffskonfiguration (htaccess) fehlerhaft. Bitte wenden Sie sich an Ihren an Ihren Administrator. <br>($result)");
return;
}
if($this->IsInLoginLockMode() === true)
{
$this->app->Tpl->Set('LOGINWARNING_TEXT', 'Achtung: Es werden gerade Wartungsarbeiten in Ihrem System (z.B. Update oder Backup) durch Ihre IT-Abteilung durchgeführt. Das System sollte in wenigen Minuten wieder erreichbar sein. Für Rückfragen wenden Sie sich bitte an Ihren Administrator.');
return;
}
$this->app->Tpl->Set('LOGINWARNING_VISIBLE', 'hidden');
$multidbs = $this->app->getDbs();
if(count($multidbs) > 1)
{
@ -1206,4 +1214,65 @@ class Acl
}
// HTACCESS SECURITY
// Check for correct .htaccess settings
// true if ok, else error text
protected function CheckHtaccess() : mixed {
$nominal = array( '# Generated file from class.acl.php
# Disable directory browsing
Options -Indexes
Order deny,allow
Deny from all
<Files "index.php">
Order Allow,Deny
Allow from all
</Files>',
'# Generated file from class.acl.php
SetEnv OPENXE_HTACCESS on
# Disable directory browsing
Options -Indexes
Order deny,allow
Allow from all
<Files *.php>
Order Allow,Deny
Deny from all
</Files>
<Files index.php>
Order Allow,Deny
Allow from all
</Files>');
$script_file_name = $_SERVER['SCRIPT_FILENAME'];
$htaccess_path = array(
dirname(dirname($script_file_name))."/.htaccess", // root
dirname($script_file_name)."/.htaccess"); // www
for ($count = 0;$count < 2;$count++) {
$htaccess = file_get_contents($htaccess_path[$count]);
if ($htacess === false) {
return("FATAL: ".$htaccess_path[$count]." nicht gefunden");
}
$result = strcmp(trim($htaccess[$count]),trim($nominal[$count]));
if ($result !== 0) {
$result = file_put_contents($htaccess_path[$count],$nominal[$count]);
if ($result === false) {
return("FATAL: ".$htaccess_path[$count]." fehlerhaft");
}
}
}
if (!isset($_SERVER['OPENXE_HTACCESS'])) {
return("FATAL: htaccess nicht aktiv.");
}
return(true);
// HTACCESS SECURITY END
}
}

18
www/.htaccess Normal file
View File

@ -0,0 +1,18 @@
# Generated file from class.acl.php
SetEnv OPENXE_HTACCESS on
# Disable directory browsing
Options -Indexes
Order deny,allow
Allow from all
<Files *.php>
Order Allow,Deny
Deny from all
</Files>
<Files index.php>
Order Allow,Deny
Allow from all
</Files>

2
www/themes/new/templates/loginpage.tpl
View File

@ -31,7 +31,7 @@
Willkommen bei OpenXE ERP.<br/>
Bitte gib Deinen Benutzernamen und Passwort ein!
</div>
<div style="[LOGINWARNING]" class="warning"><p>Achtung: Es werden gerade Wartungsarbeiten in Ihrem System (z.B. Update oder Backup) durch Ihre IT-Abteilung durchgeführt. Das System sollte in wenigen Minuten wieder erreichbar sein. Für Rückfragen wenden Sie sich bitte an Ihren Administrator.</p></div>
<div [LOGINWARNING_VISIBLE] class="warning"><p>[LOGINWARNING_TEXT]</p></div>
[SPERRMELDUNGNACHRICHT]
[PAGE]