N°5462 Add a setup check to verify if directory-level configuration files (.htaccess and web.config) are used by the server

2026-02-13 07:24:13 +01:00 · 2022-08-24 16:33:54 +02:00
parent f923ac879f
commit 14facb4d6c
5 changed files with 40 additions and 0 deletions
--- a/setup/permissions-test-folder/.htaccess
+++ b/setup/permissions-test-folder/.htaccess
@@ -0,0 +1,13 @@
 # Apache 2.4
 <ifModule mod_authz_core.c>
 Require all denied
 </ifModule>
 # Apache 2.2
 <ifModule !mod_authz_core.c>
 deny from all
 Satisfy All
 </ifModule>
 # Apache 2.2 and 2.4
 IndexIgnore *
--- a/setup/permissions-test-folder/permissions-test-subfolder/permissions-test-file
+++ b/setup/permissions-test-folder/permissions-test-subfolder/permissions-test-file
--- a/setup/permissions-test-folder/web.config
+++ b/setup/permissions-test-folder/web.config
@@ -0,0 +1,13 @@
 <?xml version="1.0" encoding="utf-8"?>
 <configuration>
  <system.webServer>
    <security>
      <requestFiltering>
         <fileExtensions applyToWebDAV="false" allowUnlisted="false"></fileExtensions>
      </requestFiltering>
      <authorization>
        <deny users="*" /> <!-- Denies all users -->
      </authorization>
    </security>
  </system.webServer>
 </configuration>
--- a/setup/setup.js
+++ b/setup/setup.js
@@ -53,4 +53,17 @@ function ExecuteStep(sStep)
 	} );
 }
 function CheckDirectoryConfFilesPermissions(sWikiVersion){
 	$.ajax('permissions-test-folder/permissions-test-subfolder/permissions-test-file',
 		{
 		statusCode: {
 			200: function() {
 				$('#details').prepend('<div class="message message-warning"><span class="message-title">Security issue:</span> iTop is bundled with directory-level configuration files. You must check that those files will be read by your web server (eg. ' +
 					'AllowOverride directive should be set to <code>All</code> for Apache HTTP Server) <a href="https://www.itophub.io/wiki/page?id='+sWikiVersion+'%3Ainstall%3Asecurity#secure_critical_directories_access" target="_blank">see documentation</a>.</div>');
 				$('<span class="text-warning"> and 1 Security issue</span>').insertBefore('h2.message button:first');
 			}
 		}
 	});
 }
 CombodoTooltip.InitAllNonInstantiatedTooltips();
--- a/setup/wizardsteps.class.inc.php
+++ b/setup/wizardsteps.class.inc.php
@@ -165,6 +165,7 @@ HTML
 			$oPage->p('Sorry, the installation cannot continue. Please fix the errors and reload this page to launch the installation again.');
 			$oPage->p('<button type="button" onclick="window.location.reload()">Reload</button>');
 		}
 		$oPage->add_ready_script('CheckDirectoryConfFilesPermissions("'.utils::GetItopVersionWikiSyntax().'")');
 	}
 	public function CanMoveForward()