Access Protection of Files

cmb
Posts: 13672
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE

Access Protection of Files

Post by cmb » Mon Nov 25, 2013 6:39 pm

Hello Community,

the core and several plugins protect access to folders with an .htaccess file:

Code:

order deny,allow
deny from all
This does not work under Apache 2.4, unless mod_access_compat is enabled. Up until now Apache 2.4 is not in widespread use, but this is most likely to change in the future, and we should cater for the new version as soon as possible.

According to StackOverflow it is possible to deliver .htaccess files that will work with both versions. I made a slight modification:

Code:

<IfModule !authz_core_module>
    order deny,allow
    deny from all
</IfModule>
<IfModule authz_core_module>
    Require all denied
</IfModule>
This works fine on Apache 2.4 whether mod_access_compat is enabled or not, but I have not yet tested it under Apache 2.2. Anyway, there might be other configurations, so it would be good if others tested it, too. Just replace the contents of content/.htaccess with the code above and try to navigate to content.htm. If you get "Access forbidden" (or something like this), everything is fine -- otherwise not.

BTW: it is known and documented that .htaccess won't work for other servers (e.g. IIS and NginX). However, I assume many users are not aware of that issue, so we should consider adding a test to the system check, whether access protection of the content/ folder works.

Christoph
Christoph M. Becker – Plugins for CMSimple_XH
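The manual test described in the post (request content.htm and expect "Access forbidden") can be automated from within the installation. The following is an added example, not CMSimple_XH code; it assumes it runs on the web server itself and takes host, port and scheme from $_SERVER (SERVER_NAME, SERVER_PORT, HTTPS, SCRIPT_NAME) rather than from the client-supplied Host header, and it treats 404 and redirects as inconclusive instead of as proof of protection.

```php
<?php
// Added example, not CMSimple_XH code: check whether a URL path of the running
// installation is access protected, as the manual test in the post does.
// Assumes execution on the web server itself; host, port and scheme are taken
// from $_SERVER rather than from the request's Host header.

/** Extracts the three-digit status code from an HTTP status line, or null. */
function xh_parse_status_line($line)
{
    if ($line !== false && preg_match('#^HTTP/\d\.\d (\d{3})#', $line, $m)) {
        return (int) $m[1];
    }
    return null;
}

/**
 * Classifies a status code: 401/403 prove protection, 404 proves nothing
 * (the file is simply absent), 2xx means readable, 3xx is inconclusive.
 */
function xh_classify_protection($status)
{
    if ($status === 401 || $status === 403) return 'protected';
    if ($status === 404) return 'missing';
    if ($status !== null && $status >= 200 && $status < 300) return 'exposed';
    if ($status !== null && $status >= 300 && $status < 400) return 'redirect';
    return 'unknown';
}

/** Sends a HEAD request for $path to the site itself and returns the status code. */
function xh_head_status($path, $host, $port, $tls)
{
    $address = ($tls ? 'ssl://' : 'tcp://') . $host . ':' . $port;
    $stream = @stream_socket_client($address, $errno, $errstr, 5);
    if (!$stream) {
        return null;                      // connection failure: cannot check
    }
    $hostHeader = $host . ($port == ($tls ? 443 : 80) ? '' : ":$port");
    fwrite($stream, "HEAD $path HTTP/1.1\r\nHost: $hostHeader\r\n"
        . "User-Agent: CMSimple_XH\r\nConnection: close\r\n\r\n");
    $statusLine = fgets($stream, 256);    // whole first line, e.g. "HTTP/1.1 403 Forbidden"
    fclose($stream);
    return xh_parse_status_line($statusLine);
}

$tls  = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
$port = isset($_SERVER['SERVER_PORT']) ? (int) $_SERVER['SERVER_PORT'] : ($tls ? 443 : 80);
$base = preg_replace('#index\.php$#', '', $_SERVER['SCRIPT_NAME']);
$status = xh_head_status($base . 'content/content.htm', $_SERVER['SERVER_NAME'], $port, $tls);
echo xh_classify_protection($status), "\n";   // "protected" when the .htaccess works
```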

svasti
Posts: 1651
Joined: Wed Dec 17, 2008 5:08 pm

Re: Access Protection of Files

Post by svasti » Tue Nov 26, 2013 12:00 am

cmb wrote: we should consider adding a test to the system check, whether access protection of the content/ folder works.
+1, maybe the System-Info could list which server is used.

cmb
Posts: 13672
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE

Re: Access Protection of Files

Post by cmb » Tue Nov 26, 2013 12:55 pm

svasti wrote: maybe the System-Info could list which server is used
ACK. We could print $_SERVER['SERVER_SOFTWARE'] (if available).
Christoph M. Becker – Plugins for CMSimple_XH

cmb
Posts: 13672
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE

Re: Access Protection of Files

Post by cmb » Tue Jan 14, 2014 2:24 pm

I just noticed that this idea has not yet been implemented for XH 1.5 and 1.6. To not forget it again, I've put it on the roadmap (1.5.10 and 1.6.1).
cmb wrote:
svasti wrote: maybe the System-Info could list which server is used
ACK. We could print $_SERVER['SERVER_SOFTWARE'] (if available).
I'm not sure if SERVER_SOFTWARE is very useful. According to the PHP manual:
Server identification string, given in the headers when responding to requests.
However, this information is often shortened or even suppressed for security reasons. Anyway, the following patch would add it to the system info (analogously for 1.5, if we want to add it there):

Code:

Index: adminfuncs.php
===================================================================
--- adminfuncs.php	(revision 3)
+++ adminfuncs.php	(working copy)
@@ -158,6 +158,13 @@
     }
     $o .= '</ul>' . "\n" . "\n";
 
+    $serverSoftware = !empty($_SERVER['SERVER_SOFTWARE'])
+        ? $_SERVER['SERVER_SOFTWARE']
+        : $tx['sysinfo']['unknown'];
+    $o .= '<p><b>' . $tx['sysinfo']['webserver'] . '</b></p>' . "\n"
+        . '<ul>' . "\n" . '<li>' . $serverSoftware . '</li>' . "\n"
+        . '</ul>' . "\n\n";
+
     $o .= '<p><b>' . $tx['sysinfo']['php_version'] . '</b></p>' . "\n"
         . '<ul>' . "\n" . '<li>' . phpversion() . '</li>' . "\n"
         . '<li><a href="./?&phpinfo" target="blank"><b>'
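Review bot: $serverSoftware is concatenated into the new `<li>` unescaped. SERVER_SOFTWARE is set by the server rather than by the client, so the risk is low, but an identification string containing `<` or `&` would still break the markup; wrap it in htmlspecialchars() before appending, i.e. `'<li>' . htmlspecialchars($serverSoftware) . '</li>'`. The two new strings $tx['sysinfo']['webserver'] and $tx['sysinfo']['unknown'] also need entries in the language files, as the post notes.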
This requires two new language strings.

I'll come up with a patch for the system check ASAP.
Christoph M. Becker – Plugins for CMSimple_XH

cmb
Posts: 13672
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE

Re: Access Protection of Files

Post by cmb » Tue Jan 14, 2014 6:02 pm

cmb wrote:I'll come up with a patch for the system check ASAP.
Here is a quick draft:

Code:

Index: adminfuncs.php
===================================================================
--- adminfuncs.php    (revision 3)
+++ adminfuncs.php    (working copy)
@@ -132,6 +132,67 @@
 }
 
 /**
+ * Returns the normalized absolute URL path.
+ *
+ * @param string $path A relative path.
+ *
+ * @return string
+ *
+ * @global string The script name.
+ *
+ * @since TODO
+ */
+function XH_absoluteUrlPath($path)
+{
+    global $sn;
+
+    $base = preg_replace('/index\.php$/', '', $sn);
+    $parts = explode('/', $base . $path);
+    $i = 0;
+    while ($i < count($parts)) {
+        switch ($parts[$i]) {
+        case '.':
+            array_splice($parts, $i, 1);
+            break;
+        case '..':
+            array_splice($parts, $i - 1, 2);
+            $i--;
+            break;
+        default:
+            $i++;
+        }
+    }
+    $path = implode('/', $parts);
+    return $path;
+}
+
+/**
+ * Returns whether a resource is access protected.
+ *
+ * @param string $path A normalized absolute URL path.
+ *
+ * @return bool.
+ *
+ * @since TODO
+ */
+function XH_isAccessProtected($path)
+{
+    $host = $_SERVER['HTTP_HOST'];
+    $stream = fsockopen($host, 80, $errno, $errstr, 5);
+    if ($stream) {
+        $request = "HEAD $path HTTP/1.1\r\nHost: $host\r\n"
+            . "User-Agent: CMSimple_XH\r\n\r\n";
+        fwrite($stream, $request);
+        $response = fread($stream, 12);
+        fclose($stream);
+        $status = substr($response, 9);
+        return $status[0] == '4' || $status[1] == '5';
+    } else {
+        return false;
+    }
+}
+
+/**
  * Returns the system information view.
  *
  * @global array The paths of system files and folders.
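Review bot: the status test in XH_isAccessProtected(), `return $status[0] == '4' || $status[1] == '5';`, compares the second digit of the code in its second term, so a 5xx response never counts; it should read `$status[0] == '5'`. The function also hardcodes port 80 and plain TCP, so on an HTTPS-only or non-standard-port installation the HEAD request reaches the wrong listener, and a failed connection returns false, which the caller reports as "not protected" instead of "could not check"; use $_SERVER['SERVER_PORT'] (with ssl:// when HTTPS is set) and distinguish the two outcomes. A single fread($stream, 12) may return fewer than 12 bytes; fgets() on the status line is safer. $host comes from the request's Host header; $_SERVER['SERVER_NAME'] is configured by the administrator and is the better choice for a check that opens a socket. Finally, in XH_absoluteUrlPath() a leading '..' calls array_splice($parts, -1, 2) and removes the wrong elements; guard the '..' case with $i > 0.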
@@ -195,6 +256,12 @@
     }
     $checks['writable'] = array_unique($checks['writable']);
     sort($checks['writable']);
+    foreach (array($pth['file']['config'], $pth['file']['content']) as $file) {
+        $checks['other'][] = array(
+            XH_isAccessProtected($file), false,
+            sprintf($tx['syscheck']['access_protected'], $file)
+        );
+    }
     if ($tx['locale']['all'] == '') {
         $checks['other'][] = array(true, false, $tx['syscheck']['locale_default']);
     } else {
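Review bot: XH_isAccessProtected() is handed $pth['file']['config'] and $pth['file']['content'], which are relative filesystem paths (cmsimple/config.php and the content.htm of the current language), while its docblock requires a normalized absolute URL path, and XH_absoluteUrlPath() from the previous hunk is never called. A request line built from such a path is not a valid absolute path and typically draws a 400 or 404, both of which satisfy the 4xx test, so the check reports "protected" for the wrong reason; pass XH_absoluteUrlPath() of the path relative to the installation root, and count only 401/403 as protection, treating 404 as inconclusive. Also, the sprintf() message only differs per file when the language string contains %s, which is why two identical "Access to main folders protected" lines appear in the test report further down.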
Christoph M. Becker – Plugins for CMSimple_XH

svasti
Posts: 1651
Joined: Wed Dec 17, 2008 5:08 pm

Re: Access Protection of Files

Post by svasti » Wed Jan 15, 2014 2:27 pm

Seems to work, ... only I get it twice:

OK Access to main folders protected
OK Access to main folders protected

Have added to languages/default.php

$tx['syscheck']['access_protected']="Access to main folders protected";
$tx['sysinfo']['unknown']="Webserver could not be determined";
$tx['sysinfo']['webserver']="Webserver";

Why not upload it to the 1.6 code branch? We also need a languages/default.php there

cmb
Posts: 13672
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE

Re: Access Protection of Files

Post by cmb » Wed Jan 15, 2014 2:44 pm

svasti wrote:Seems to work
Thanks for testing.
svasti wrote:$tx['syscheck']['access_protected']="Access to main folders protected";
There are two files checked: cmsimple/config.php and the content.htm of the current language (more might be added if necessary). To reflect this, the language string might be something like the following:

Code:

$tx['syscheck']['access_protected']="'%s' access protected";
svasti wrote:Why not upload it to the 1.6 code branch?
We might better vote first.
svasti wrote:We also need a languages/default.php there
cmsimple/languages/default.php and cmsimple/defaultconfig.php are added by the build script, to avoid having to change two files manually. The default files are not strictly necessary during development, IMO.
Christoph M. Becker – Plugins for CMSimple_XH

Holger
Site Admin
Posts: 3242
Joined: Mon May 19, 2008 7:10 pm
Location: Hessen, Germany

Re: Access Protection of Files

Post by Holger » Wed Jan 15, 2014 11:47 pm

cmb wrote:I'm not sure if SERVER_SOFTWARE is very useful.
Indeed.
I've checked the headers of some of my installations to find out the version, but in most cases only "Apache" or "Apache2" gets returned.

Any idea how to find out the correct version on those shared hosts? IMO it's impossible (besides asking the support) :(.

cmb
Posts: 13672
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE

Re: Access Protection of Files

Post by cmb » Thu Jan 16, 2014 12:14 am

Holger wrote: Any idea how to find out the correct version on those shared hosts? IMO it's impossible (besides asking the support) :(.
The only thing that comes to my mind is phpinfo(). It might be possible to extract the desired information from there; maybe there's some library available to simplify this task?
Christoph M. Becker – Plugins for CMSimple_XH
