From e3b7634581cbc5ee1bb9b33e665d9671d7937bbc Mon Sep 17 00:00:00 2001
From: OpenXE <>
Date: Thu, 8 Dec 2022 11:15:24 +0000
Subject: [PATCH] .htaccess security check feature with automatic repair upon
login - amended
---
.htaccess | 27 +++++++-----
phpwf/plugins/class.acl.php | 85 ++++++++++++++++++++-----------------
www/.htaccess | 33 +++++++-------
3 files changed, 79 insertions(+), 66 deletions(-)
diff --git a/.htaccess b/.htaccess
index a77c94a7..a8f5cbf7 100644
--- a/.htaccess
+++ b/.htaccess
@@ -1,11 +1,18 @@
# Generated file from class.acl.php
- # Disable directory browsing
- Options -Indexes
-
- Order deny,allow
- Deny from all
-
-
- Order Allow,Deny
- Allow from all
-
\ No newline at end of file
+# For detection of htaccess functionality
+SetEnv OPENXE_HTACCESS on
+# Disable directory browsing
+Options -Indexes
+# Set default page to index.php
+DirectoryIndex "index.php"
+# Deny general access
+Order deny,allow
+
+ Order Allow,Deny
+ Deny from all
+
+# Allow index.php
+
+ Order Allow,Deny
+ Allow from all
+
\ No newline at end of file
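Review bot: The indented `Order Allow,Deny` / `Deny from all` pair at L37–L38 and the `Order Allow,Deny` / `Allow from all` pair at L42–L43 read as the bodies of container directives whose opening and closing tags are not visible in this hunk; if the wrappers that limit them to the PHP files and to index.php (as the `# Deny general access` and `# Allow index.php` comments describe) are genuinely absent from the committed file, all directives share one scope and the last `Allow from all` wins, so nothing is denied. It is worth confirming the tracked file still carries those wrappers, since this exact text is also the repair template in class.acl.php (L86–L118) and the same layout is in www/.htaccess (L180–L194). Note also that `Order`/`Allow`/`Deny` are the Apache 2.2 access directives, which on Apache 2.4 only work with mod_access_compat loaded; the detection canary `SetEnv OPENXE_HTACCESS on` likewise depends on mod_env, so a 2.4 host could pass the `OPENXE_HTACCESS` check while silently ignoring the access rules, or fail the whole `.htaccess` — hedged, as the target Apache version is not visible here.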
diff --git a/phpwf/plugins/class.acl.php b/phpwf/plugins/class.acl.php
index 694ecad9..76286fc8 100644
--- a/phpwf/plugins/class.acl.php
+++ b/phpwf/plugins/class.acl.php
@@ -1214,40 +1214,44 @@ class Acl
}
- // HTACCESS SECURITY
+ // HTACCESS SECURITY
// Check for correct .htaccess settings
// true if ok, else error text
protected function CheckHtaccess() : mixed {
- $nominal = array( '# Generated file from class.acl.php
- # Disable directory browsing
- Options -Indexes
-
- Order deny,allow
- Deny from all
-
-
- Order Allow,Deny
- Allow from all
- ',
- '# Generated file from class.acl.php
- SetEnv OPENXE_HTACCESS on
-
- # Disable directory browsing
- Options -Indexes
-
- Order deny,allow
- Allow from all
-
-
- Order Allow,Deny
- Deny from all
-
-
-
- Order Allow,Deny
- Allow from all
- ');
+ $nominal = array('# Generated file from class.acl.php
+# For detection of htaccess functionality
+SetEnv OPENXE_HTACCESS on
+# Disable directory browsing
+Options -Indexes
+# Set default page to index.php
+DirectoryIndex "index.php"
+# Deny general access
+Order deny,allow
+
+ Order Allow,Deny
+ Deny from all
+
+# Allow index.php
+
+ Order Allow,Deny
+ Allow from all
+',
+'# Generated file from class.acl.php
+# Disable directory browsing
+Options -Indexes
+# Deny access to all *.php
+Order deny,allow
+Allow from all
+
+ Order Allow,Deny
+ Deny from all
+
+# Allow access to index.php
+
+ Order Allow,Deny
+ Allow from all
+');
$script_file_name = $_SERVER['SCRIPT_FILENAME'];
$htaccess_path = array(
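Review bot: The two templates in `$nominal` (L86–L118) carry no comment saying that they must stay byte-identical (apart from leading/trailing whitespace, which both sides trim) to the tracked `.htaccess` and `www/.htaccess`; any drift between the template and the file means the file is rewritten at every login, which is easy to miss when someone edits the `.htaccess` directly. A comment such as `// Must match .htaccess and www/.htaccess exactly (compared after trim()); on mismatch the file is overwritten at login.` above the array would make that coupling explicit. CheckHtaccess continues in the next hunk.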
@@ -1255,24 +1259,29 @@ class Acl
dirname($script_file_name)."/.htaccess"); // www
for ($count = 0;$count < 2;$count++) {
- $htaccess = file_get_contents($htaccess_path[$count]);
- if ($htacess === false) {
- return("FATAL: ".$htaccess_path[$count]." nicht gefunden");
- }
+ $htaccess = file_get_contents($htaccess_path[$count]);
+
$result = strcmp(trim($htaccess[$count]),trim($nominal[$count]));
- if ($result !== 0) {
- $result = file_put_contents($htaccess_path[$count],$nominal[$count]);
+
+ if (($result !== 0) || ($htaccess === false)) {
+ $result = file_put_contents($htaccess_path[$count],trim($nominal[$count]));
if ($result === false) {
- return("FATAL: ".$htaccess_path[$count]." fehlerhaft");
+
+ if ($htaccess === false) {
+ return("FATAL: ".$htaccess_path[$count]." nicht vorhanden und kann nicht korrigiert werden.");
+ }
+ return("FATAL: ".$htaccess_path[$count]." fehlerhaft und kann nicht korrigiert werden.");
}
}
}
+
if (!isset($_SERVER['OPENXE_HTACCESS'])) {
return("FATAL: htaccess nicht aktiv.");
}
+
return(true);
- // HTACCESS SECURITY END
+ // HTACCESS SECURITY END
}
}
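Review bot: On the new line `$result = strcmp(trim($htaccess[$count]),trim($nominal[$count]));` the subscript `$htaccess[$count]` indexes a single character of the file contents (offset 0 or 1), not the file, so the comparison never matches a multi-line template and the `.htaccess` is rewritten on every login; when `file_get_contents` returned false the offset access also emits a warning before the `$htaccess === false` test on the following `if` is reached. Replace those two lines with `$result = ($htaccess === false) ? 1 : strcmp(trim($htaccess), trim($nominal[$count]));` and `if ($result !== 0) {`, which keeps the "missing file" branch below intact. Presumably `$_SERVER['OPENXE_HTACCESS']` reflects the configuration Apache parsed for the current request, so a file repaired in this call is only observed on the next request; if so, the `htaccess nicht aktiv` result right after a successful repair is transient and deserves a comment. CheckHtaccess begins in the previous hunk.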
diff --git a/www/.htaccess b/www/.htaccess
index 0e700325..cc24e244 100644
--- a/www/.htaccess
+++ b/www/.htaccess
@@ -1,18 +1,15 @@
-# Generated file from class.acl.php
- SetEnv OPENXE_HTACCESS on
-
- # Disable directory browsing
- Options -Indexes
-
- Order deny,allow
- Allow from all
-
-
- Order Allow,Deny
- Deny from all
-
-
-
- Order Allow,Deny
- Allow from all
-
\ No newline at end of file
+# Generated file from class.acl.php
+# Disable directory browsing
+Options -Indexes
+# Deny access to all *.php
+Order deny,allow
+Allow from all
+
+ Order Allow,Deny
+ Deny from all
+
+# Allow access to index.php
+
+ Order Allow,Deny
+ Allow from all
+
\ No newline at end of file