opensourcemirror
/
dokuwiki
mirror of https://github.com/splitbrain/dokuwiki.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #3368 from splitbrain/fix3363 

do not repeat successful security checks. fixes #3363
This commit is contained in:
Andreas Gohr 2021-03-04 12:48:36 +01:00 committed by GitHub
parent a8b6eaa91e b68a7721c6
commit 86491c6cdd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 46 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
inc/Ui/Admin.php
View File

@ -28,9 +28,10 @@ class Admin extends Ui {
$this->menu = $this->getPluginList();
echo '<div class="ui-admin">';
echo p_locale_xhtml('admin');
$this->showSecurityCheck();
$this->showMenu('admin');
$this->showMenu('manager');
$this->showSecurityCheck();
$this->showVersion();
$this->showMenu('other');
echo '</div>';
@ -75,16 +76,15 @@ class Admin extends Ui {
* it verifies either:
* 'savedir' has been moved elsewhere, or
* has protection to prevent the webserver serving files from it
*
* The actual check is carried out via JavaScript. See behaviour.js
*/
protected function showSecurityCheck() {
global $conf;
if(substr($conf['savedir'], 0, 2) !== './') return;
$img = DOKU_URL . $conf['savedir'] .
'/dont-panic-if-you-see-this-in-your-logs-it-means-your-directory-permissions-are-correct.png';
echo '<a style="border:none; float:right;"
href="http://www.dokuwiki.org/security#web_access_security">
<img src="' . $img . '" alt="Your data directory seems to be protected properly."
onerror="this.parentNode.style.display=\'none\'" /></a>';
echo '<div id="security__check" data-src="' . $img . '"></div>';
}
/**

1
inc/lang/en/lang.php
View File

@ -171,6 +171,7 @@ $lang['js']['media_done_btn'] = 'Done';
$lang['js']['media_drop'] = 'Drop files here to upload';
$lang['js']['media_cancel'] = 'remove';
$lang['js']['media_overwrt'] = 'Overwrite existing files';
$lang['js']['data_insecure'] = 'WARNING: It seems your data directory is not properly secured. Please read about <a href="https://www.dokuwiki.org/security#web_access_security">Web Access Security in DokuWiki</a>.';
$lang['rssfailed'] = 'An error occurred while fetching this feed: ';
$lang['nothingfound'] = 'Nothing was found.';

31
lib/scripts/behaviour.js
View File

@ -56,6 +56,7 @@ var dw_behaviour = {
dw_behaviour.checkWindowsShares();
dw_behaviour.subscription();
dw_behaviour.pageRestoreConfirm();
dw_behaviour.securityCheck();
dw_behaviour.revisionBoxHandler();
jQuery(document).on('click','#page__revisions input[type=checkbox]',
@ -204,6 +205,36 @@ var dw_behaviour = {
}
});
}
},
/**
* Check that access to the data directory is properly secured
*
* A successful check (a 403 error was returned when loading the image) is saved
* to session storage and not repeated again until the next browser session. This
* avoids overeager security bans (see #3363)
*/
securityCheck: function () {
var $checkDiv = jQuery('#security__check');
if (!$checkDiv.length) return;
if (sessionStorage.getItem('dw-security-check:' + DOKU_BASE)) {
// check was already executed successfully
$checkDiv.remove();
return;
}
var img = new Image();
img.onerror = function () {
// successful check will not be repeated during session
$checkDiv.remove();
sessionStorage.setItem('dw-security-check:' + DOKU_BASE, true);
}
img.onload = function () {
// check failed, display a warning message
$checkDiv.html(LANG.data_insecure);
$checkDiv.addClass('error');
}
img.src = $checkDiv.data('src') + '?t=' + Date.now();
}
};

9
lib/tpl/dokuwiki/css/_admin.less
View File

@ -61,4 +61,13 @@
clear: right;
float: left;
}
/* data directory security check */
#security__check {
float: right;
max-width: 20em;
}
[dir=rtl] & #admin__version {
float: left;
}
}