diff --git a/inc/Ui/Admin.php b/inc/Ui/Admin.php
index 07146e598..d3bbc6503 100644
--- a/inc/Ui/Admin.php
+++ b/inc/Ui/Admin.php
@@ -28,9 +28,10 @@ class Admin extends Ui {
$this->menu = $this->getPluginList();
echo '
';
echo p_locale_xhtml('admin');
- $this->showSecurityCheck();
+
$this->showMenu('admin');
$this->showMenu('manager');
+ $this->showSecurityCheck();
$this->showVersion();
$this->showMenu('other');
echo '
';
@@ -75,16 +76,15 @@ class Admin extends Ui {
* it verifies either:
* 'savedir' has been moved elsewhere, or
* has protection to prevent the webserver serving files from it
+ *
+ * The actual check is carried out via JavaScript. See behaviour.js
*/
protected function showSecurityCheck() {
global $conf;
if(substr($conf['savedir'], 0, 2) !== './') return;
$img = DOKU_URL . $conf['savedir'] .
'/dont-panic-if-you-see-this-in-your-logs-it-means-your-directory-permissions-are-correct.png';
- echo '
- ';
+ echo '';
}
/**
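Review bot: `$img` is built from `$conf['savedir']` and a fixed file name and then written straight into the markup on the new `echo` line (the element itself is not visible in this rendering, but behaviour.js reads it back through `$checkDiv.data('src')`, so it ends up in an attribute); it should be escaped for the attribute context, e.g. `echo '<div id="security__check" data-src="' . hsc($img) . '"></div>';`. The value is admin-controlled rather than user input, so the risk is low, but attribute escaping at the output point is the convention the rest of the file follows and it costs nothing. The updated docblock could also state the precondition the early return enforces, e.g. `* Only emitted when savedir is still relative to the webroot (starts with './'); otherwise nothing is rendered.`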
diff --git a/inc/lang/en/lang.php b/inc/lang/en/lang.php
index 000368ac2..9e56d6f84 100644
--- a/inc/lang/en/lang.php
+++ b/inc/lang/en/lang.php
@@ -171,6 +171,7 @@ $lang['js']['media_done_btn'] = 'Done';
$lang['js']['media_drop'] = 'Drop files here to upload';
$lang['js']['media_cancel'] = 'remove';
$lang['js']['media_overwrt'] = 'Overwrite existing files';
+$lang['js']['data_insecure'] = 'WARNING: It seems your data directory is not properly secured. Please read about Web Access Security in DokuWiki.';
$lang['rssfailed'] = 'An error occurred while fetching this feed: ';
$lang['nothingfound'] = 'Nothing was found.';
diff --git a/lib/scripts/behaviour.js b/lib/scripts/behaviour.js
index 70b60ef9a..41702fad7 100644
--- a/lib/scripts/behaviour.js
+++ b/lib/scripts/behaviour.js
@@ -56,6 +56,7 @@ var dw_behaviour = {
dw_behaviour.checkWindowsShares();
dw_behaviour.subscription();
dw_behaviour.pageRestoreConfirm();
+ dw_behaviour.securityCheck();
dw_behaviour.revisionBoxHandler();
jQuery(document).on('click','#page__revisions input[type=checkbox]',
@@ -204,6 +205,36 @@ var dw_behaviour = {
}
});
}
+ },
+
+ /**
+ * Check that access to the data directory is properly secured
+ *
+ * A successful check (a 403 error was returned when loading the image) is saved
+ * to session storage and not repeated again until the next browser session. This
+ * avoids overeager security bans (see #3363)
+ */
+ securityCheck: function () {
+ var $checkDiv = jQuery('#security__check');
+ if (!$checkDiv.length) return;
+ if (sessionStorage.getItem('dw-security-check:' + DOKU_BASE)) {
+ // check was already executed successfully
+ $checkDiv.remove();
+ return;
+ }
+
+ var img = new Image();
+ img.onerror = function () {
+ // successful check will not be repeated during session
+ $checkDiv.remove();
+ sessionStorage.setItem('dw-security-check:' + DOKU_BASE, true);
+ }
+ img.onload = function () {
+ // check failed, display a warning message
+ $checkDiv.html(LANG.data_insecure);
+ $checkDiv.addClass('error');
+ }
+ img.src = $checkDiv.data('src') + '?t=' + Date.now();
}
};
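Review bot: `img.onerror` fires for any failed load — connection refused, DNS failure, a CSP or mixed-content block, status 0 — not only for the 403 the docblock describes, yet the handler persists a "check passed" marker to sessionStorage, so a transient failure silences the warning for the rest of the session. Since an Image object exposes no status code, a HEAD request via the already-available jQuery lets the handler persist only on an actual 403 and leave the check pending otherwise; the rewritten body is below. Independently, `sessionStorage.getItem`/`setItem` can throw (storage disabled or quota in private modes), so both calls should be wrapped in `try { … } catch (e) {}` so a storage error does not abort the rest of `dw_behaviour.init`. The enclosing `dw_behaviour` object literal starts before this hunk.
```javascript
    securityCheck: function () {
        var $checkDiv = jQuery('#security__check');
        // … unchanged: early return and sessionStorage short-circuit …

        jQuery.ajax({
            url: $checkDiv.data('src') + '?t=' + Date.now(),
            type: 'HEAD'
        }).done(function () {
            // 2xx: the file was served, so the data directory is web-readable
            $checkDiv.html(LANG.data_insecure);
            $checkDiv.addClass('error');
        }).fail(function (xhr) {
            if (xhr.status === 403) {
                // access denied: remember the successful check for this session
                $checkDiv.remove();
                sessionStorage.setItem('dw-security-check:' + DOKU_BASE, true);
            }
            // any other failure (network error, status 0) is not persisted,
            // so the check is simply retried on the next admin page load
        });
    }
```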
diff --git a/lib/tpl/dokuwiki/css/_admin.less b/lib/tpl/dokuwiki/css/_admin.less
index 38ca4bc63..115861203 100644
--- a/lib/tpl/dokuwiki/css/_admin.less
+++ b/lib/tpl/dokuwiki/css/_admin.less
@@ -61,4 +61,13 @@
clear: right;
float: left;
}
+
+ /* data directory security check */
+ #security__check {
+ float: right;
+ max-width: 20em;
+ }
+ [dir=rtl] & #admin__version {
+ float: left;
+ }
}
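Review bot: The added `[dir=rtl] & #admin__version` rule mirrors the version box but not the new `#security__check`, which presumably should also flip to `float: left` in right-to-left layouts since it sits in the same float group; consider `[dir=rtl] & #security__check { float: left; }` alongside it. The enclosing selector block starts outside this hunk, so the meaning of `&` cannot be confirmed from here.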