Merge pull request #3368 from splitbrain/fix3363
do not repeat successful security checks. fixes #3363
commit
86491c6cdd
@ -28,9 +28,10 @@ class Admin extends Ui {
|
||||||
$this->menu = $this->getPluginList();
|
$this->menu = $this->getPluginList();
|
||||||
echo '<div class="ui-admin">';
|
echo '<div class="ui-admin">';
|
||||||
echo p_locale_xhtml('admin');
|
echo p_locale_xhtml('admin');
|
||||||
$this->showSecurityCheck();
|
|
||||||
$this->showMenu('admin');
|
$this->showMenu('admin');
|
||||||
$this->showMenu('manager');
|
$this->showMenu('manager');
|
||||||
|
$this->showSecurityCheck();
|
||||||
$this->showVersion();
|
$this->showVersion();
|
||||||
$this->showMenu('other');
|
$this->showMenu('other');
|
||||||
echo '</div>';
|
echo '</div>';
|
||||||
|
@ -75,16 +76,15 @@ class Admin extends Ui {
|
||||||
* it verifies either:
|
* it verifies either:
|
||||||
* 'savedir' has been moved elsewhere, or
|
* 'savedir' has been moved elsewhere, or
|
||||||
* has protection to prevent the webserver serving files from it
|
* has protection to prevent the webserver serving files from it
|
||||||
|
*
|
||||||
|
* The actual check is carried out via JavaScript. See behaviour.js
|
||||||
*/
|
*/
|
||||||
protected function showSecurityCheck() {
|
protected function showSecurityCheck() {
|
||||||
global $conf;
|
global $conf;
|
||||||
if(substr($conf['savedir'], 0, 2) !== './') return;
|
if(substr($conf['savedir'], 0, 2) !== './') return;
|
||||||
$img = DOKU_URL . $conf['savedir'] .
|
$img = DOKU_URL . $conf['savedir'] .
|
||||||
'/dont-panic-if-you-see-this-in-your-logs-it-means-your-directory-permissions-are-correct.png';
|
'/dont-panic-if-you-see-this-in-your-logs-it-means-your-directory-permissions-are-correct.png';
|
||||||
echo '<a style="border:none; float:right;"
|
echo '<div id="security__check" data-src="' . $img . '"></div>';
|
||||||
href="http://www.dokuwiki.org/security#web_access_security">
|
|
||||||
<img src="' . $img . '" alt="Your data directory seems to be protected properly."
|
|
||||||
onerror="this.parentNode.style.display=\'none\'" /></a>';
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
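Review bot: `$img` is interpolated into the `data-src` attribute without HTML-attribute escaping on the new `echo '<div id="security__check" data-src="' . $img . '"></div>';` line; the old `src="..."` markup had the same gap, but since the value is now read back by JavaScript it is worth closing while the line is being touched. `$conf['savedir']` is administrator-configured so the exposure is low, yet a quote or `&` in the path would still break the attribute and corrupt the URL the script loads; `hsc($img)` (DokuWiki's htmlspecialchars wrapper) fixes it: `echo '<div id="security__check" data-src="' . hsc($img) . '"></div>';`. The docblock could also note the changed degradation: the new empty div renders nothing when JavaScript is unavailable, where the old markup still produced an image or its alt text, e.g. `* Without JavaScript no check is performed and nothing is displayed.`. showSecurityCheck() is fully visible in the second hunk; the method containing the first hunk starts before it.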
@ -171,6 +171,7 @@ $lang['js']['media_done_btn'] = 'Done';
|
||||||
$lang['js']['media_drop'] = 'Drop files here to upload';
|
$lang['js']['media_drop'] = 'Drop files here to upload';
|
||||||
$lang['js']['media_cancel'] = 'remove';
|
$lang['js']['media_cancel'] = 'remove';
|
||||||
$lang['js']['media_overwrt'] = 'Overwrite existing files';
|
$lang['js']['media_overwrt'] = 'Overwrite existing files';
|
||||||
|
$lang['js']['data_insecure'] = 'WARNING: It seems your data directory is not properly secured. Please read about <a href="https://www.dokuwiki.org/security#web_access_security">Web Access Security in DokuWiki</a>.';
|
||||||
|
|
||||||
$lang['rssfailed'] = 'An error occurred while fetching this feed: ';
|
$lang['rssfailed'] = 'An error occurred while fetching this feed: ';
|
||||||
$lang['nothingfound'] = 'Nothing was found.';
|
$lang['nothingfound'] = 'Nothing was found.';
|
||||||
|
|
|
@ -56,6 +56,7 @@ var dw_behaviour = {
|
||||||
dw_behaviour.checkWindowsShares();
|
dw_behaviour.checkWindowsShares();
|
||||||
dw_behaviour.subscription();
|
dw_behaviour.subscription();
|
||||||
dw_behaviour.pageRestoreConfirm();
|
dw_behaviour.pageRestoreConfirm();
|
||||||
|
dw_behaviour.securityCheck();
|
||||||
|
|
||||||
dw_behaviour.revisionBoxHandler();
|
dw_behaviour.revisionBoxHandler();
|
||||||
jQuery(document).on('click','#page__revisions input[type=checkbox]',
|
jQuery(document).on('click','#page__revisions input[type=checkbox]',
|
||||||
|
@ -204,6 +205,36 @@ var dw_behaviour = {
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
},
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Check that access to the data directory is properly secured
|
||||||
|
*
|
||||||
|
* A successful check (a 403 error was returned when loading the image) is saved
|
||||||
|
* to session storage and not repeated again until the next browser session. This
|
||||||
|
* avoids overeager security bans (see #3363)
|
||||||
|
*/
|
||||||
|
securityCheck: function () {
|
||||||
|
var $checkDiv = jQuery('#security__check');
|
||||||
|
if (!$checkDiv.length) return;
|
||||||
|
if (sessionStorage.getItem('dw-security-check:' + DOKU_BASE)) {
|
||||||
|
// check was already executed successfully
|
||||||
|
$checkDiv.remove();
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
var img = new Image();
|
||||||
|
img.onerror = function () {
|
||||||
|
// successful check will not be repeated during session
|
||||||
|
$checkDiv.remove();
|
||||||
|
sessionStorage.setItem('dw-security-check:' + DOKU_BASE, true);
|
||||||
|
}
|
||||||
|
img.onload = function () {
|
||||||
|
// check failed, display a warning message
|
||||||
|
$checkDiv.html(LANG.data_insecure);
|
||||||
|
$checkDiv.addClass('error');
|
||||||
|
}
|
||||||
|
img.src = $checkDiv.data('src') + '?t=' + Date.now();
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
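Review bot: In securityCheck, `img.onerror` is treated as proof that the data directory is protected and that result is then persisted for the whole browser session, but an Image's `onerror` fires for any load failure — offline, DNS or proxy errors, a request blocked by a content blocker, an unrelated server error — not only a 403, and the `?t=` cache buster does not change that. A transient failure therefore hides the insecure-directory warning until the session ends, which is a fail-open default for a security indicator. The Image API cannot expose the status code, so at minimum the comment above `$checkDiv.remove();` in the handler should say so, e.g. `// onerror fires for any load failure, not only a 403; a transient network error suppresses the warning for the rest of the session`, and the docblock's "a 403 error was returned when loading the image" should be softened to "the image could not be loaded". Separately, `sessionStorage.getItem`/`setItem` can throw (storage disabled, quota exceeded, sandboxed or third-party contexts), which would abort the function before `img.src` is assigned; wrapping both calls in try/catch and falling through to the live check keeps the warning reachable in those environments. The enclosing `dw_behaviour` object literal starts before the hunk; the hunk ends with its closing `};`.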
@ -61,4 +61,13 @@
|
||||||
clear: right;
|
clear: right;
|
||||||
float: left;
|
float: left;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* data directory security check */
|
||||||
|
#security__check {
|
||||||
|
float: right;
|
||||||
|
max-width: 20em;
|
||||||
|
}
|
||||||
|
[dir=rtl] & #admin__version {
|
||||||
|
float: left;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
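Review bot: The new `#security__check { float: right; ... }` rule has no `[dir=rtl]` counterpart, while the `[dir=rtl] & #admin__version { float: left; }` rule added directly below it mirrors the version box for right-to-left layouts. If the two elements are meant to sit on opposite sides in both text directions, the check box presumably needs the same treatment, e.g. `[dir=rtl] & #security__check { float: left; }`; if the asymmetry is intentional, a one-line comment saying so would save the next reader the question. The block whose `}` closes the hunk starts outside it, so the parent selector that `&` expands to is not visible here.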