Access Protection of Files

[cmb]

Hello Community,

the core and several plugins protect access to folders with an .htaccess file:

Code: Select all

order deny,allow
deny from all

This does not work under Apache 2.4, unless mod_access_compat is enabled. Up until now Apache 2.4 is not in widespread use, but this is most likely to change in the future, and we should cater for the new version as soon as possible.

According to StackOverflow it is possible to deliver .htaccess files that will work with both versions. I made a slight modification:

Code: Select all

<IfModule !authz_core_module>
    order deny,allow
    deny from all
</IfModule>
<IfModule authz_core_module>
    Require all denied
</IfModule>

This works fine on Apache 2.4 whether mod_access_compat is enabled or not, but I have not yet tested it under Apache 2.2. Anyway, there might be other configurations, so it would be good, if others will test it, too. Just replace the contents of content/.htaccess with the code above and try to navigate to content.htm. If you get "Access forbidden" (or something like this) everything is fine -- otherwise not.

BTW: it is known and documented that .htaccess won't work for other servers (e.g. IIS and NginX). However, I assume many users are not aware of that issue, so we should consider adding a test to the system check, whether access protection of the content/ folder works.

Christoph

[svasti]

we should consider adding a test to the system check, whether access protection of the content/ folder works.

+1, may be in System-Info could be listed which server is used.

[cmb]

may be in System-Info could be listed which server is used

ACK. We could print $_SERVER['SERVER_SOFTWARE'] (if available).

[cmb]

I just noticed that this idea has not yet been implemented for XH 1.5 and 1.6. To not forget it again, I've put it on the roadmap (1.5.10 and 1.6.1).

may be in System-Info could be listed which server is used

ACK. We could print $_SERVER['SERVER_SOFTWARE'] (if available).

I'm not sure if SERVER_SOFTWARE is very useful. According to the PHP manual:

Server identification string, given in the headers when responding to requests.

However, this information is often shortened or even suppressed for security reasons. Anyway, the following patch would add it to the system info (analogous for 1.5, if we want to add it there):

Code: Select all

Index: adminfuncs.php
===================================================================
--- adminfuncs.php	(revision 3)
+++ adminfuncs.php	(working copy)
@@ -158,6 +158,13 @@
     }
     $o .= '</ul>' . "\n" . "\n";
 
+    $serverSoftware = !empty($_SERVER['SERVER_SOFTWARE'])
+        ? $_SERVER['SERVER_SOFTWARE']
+        : $tx['sysinfo']['unknown'];
+    $o .= '<p><b>' . $tx['sysinfo']['webserver'] . '</b></p>' . "\n"
+        . '<ul>' . "\n" . '<li>' . $serverSoftware . '</li>' . "\n"
+        . '</ul>' . "\n\n";
+
     $o .= '<p><b>' . $tx['sysinfo']['php_version'] . '</b></p>' . "\n"
         . '<ul>' . "\n" . '<li>' . phpversion() . '</li>' . "\n"
         . '<li><a href="./?&phpinfo" target="blank"><b>'

This requires two new language strings.

I'll come up with a patch for the system check ASAP.

[cmb]

I'll come up with a patch for the system check ASAP.

Here is a quick draft:

Code: Select all

Index: adminfuncs.php
===================================================================
--- adminfuncs.php    (revision 3)
+++ adminfuncs.php    (working copy)
@@ -132,6 +132,67 @@
 }
 
 /**
+ * Returns the normalized absolute URL path.
+ *
+ * @param string $path A relative path.
+ *
+ * @return string
+ *
+ * @global string The script name.
+ *
+ * @since TODO
+ */
+function XH_absoluteUrlPath($path)
+{
+    global $sn;
+
+    $base = preg_replace('/index\.php$/', '', $sn);
+    $parts = explode('/', $base . $path);
+    $i = 0;
+    while ($i < count($parts)) {
+        switch ($parts[$i]) {
+        case '.':
+            array_splice($parts, $i, 1);
+            break;
+        case '..':
+            array_splice($parts, $i - 1, 2);
+            $i--;
+            break;
+        default:
+            $i++;
+        }
+    }
+    $path = implode('/', $parts);
+    return $path;
+}
+
+/**
+ * Returns whether a resource is access protected.
+ *
+ * @param string $path A normalized absolute URL path.
+ *
+ * @return bool.
+ *
+ * @since TODO
+ */
+function XH_isAccessProtected($path)
+{
+    $host = $_SERVER['HTTP_HOST'];
+    $stream = fsockopen($host, 80, $errno, $errstr, 5);
+    if ($stream) {
+        $request = "HEAD $path HTTP/1.1\r\nHost: $host\r\n"
+            . "User-Agent: CMSimple_XH\r\n\r\n";
+        fwrite($stream, $request);
+        $response = fread($stream, 12);
+        fclose($stream);
+        $status = substr($response, 9);
+        return $status[0] == '4' || $status[1] == '5';
+    } else {
+        return false;
+    }
+}
+
+/**
  * Returns the system information view.
  *
  * @global array The paths of system files and folders.
@@ -195,6 +256,12 @@
     }
     $checks['writable'] = array_unique($checks['writable']);
     sort($checks['writable']);
+    foreach (array($pth['file']['config'], $pth['file']['content']) as $file) {
+        $checks['other'][] = array(
+            XH_isAccessProtected($file), false,
+            sprintf($tx['syscheck']['access_protected'], $file)
+        );
+    }
     if ($tx['locale']['all'] == '') {
         $checks['other'][] = array(true, false, $tx['syscheck']['locale_default']);
     } else {

[svasti]

Seems to work, ... only I get twice:

OK Access to main folders protected
OK Access to main folders protected

Have added to languages/default.php

$tx['syscheck']['access_protected']="Access to main folders protected";
$tx['sysinfo']['unknown']="Webserver could not be determined";
$tx['sysinfo']['webserver']="Webserver";

Why not upload it to the 1.6 code branch? We also need a languages/default.php there

[cmb]

Seems to work

Thanks for testing.

$tx['syscheck']['access_protected']="Access to main folders protected";

There are two files checked: cmsimple/config.php and the content.htm of the current language (more might be added if necessary). To reflect this, the language string might be something like the following:

Code: Select all

$tx['syscheck']['access_protected']="'%s' access protected";

Why not upload it to the 1.6 code branch?

We might better vote first.

We also need a languages/default.php there

cmsimple/languages/default.php and cmsimple/defaultconfig.php are added by the build script, to avoid having to change two files manually. The default files are not strictly necessary during development, IMO.

[Holger]

I'm not sure if SERVER_SOFTWARE is very useful.

Indeed.
I've checked the headers of some of my installations to find out the version but in most cases only "Apache" or "Apache2" gets returned.

Any idea how to find out the correct version on that shared hosts? IMO it's impossible (beside asking the support) .

[cmb]

Any idea how to find out the correct version on that shared hosts? IMO it's impossible (beside asking the support) .

The only thing that comes to my mind is phpinfo(). It might be possible to extract the desired information from there---maybe there's some library available to simplify this task?