mirror of
https://github.com/Combodo/iTop.git
synced 2026-02-13 15:34:12 +01:00
N°1877 & N°2012: Fix regression backup link on setup, security hardening
This commit is contained in:
Stephen Abello
@@ -121,9 +121,11 @@ header("Expires: Fri, 17 Jul 1970 05:00:00 GMT"); // Date in the past
|
||||
$sOperation = Utils::ReadParam('operation', '');
|
||||
try
|
||||
{
|
||||
if (is_file(utils::GetConfigFilePath()) && !is_writable(utils::GetConfigFilePath()))
|
||||
$sAuthent = utils::ReadParam('authent', '', false, 'raw_data');
|
||||
if (!file_exists(APPROOT.'data/setup/authent') || $sAuthent !== file_get_contents(APPROOT.'data/setup/authent'))
|
||||
{
|
||||
throw new Exception('Setup operations are not allowed outside of the setup');
|
||||
throw new SecurityException('Setup operations are not allowed outside of the setup');
|
||||
SetupPage::log_error("Setup operations are not allowed outside of the setup");
|
||||
}
|
||||
|
||||
switch($sOperation)
|
||||
|
||||
@@ -2,8 +2,9 @@ function WizardAsyncAction(sActionCode, oParams, OnErrorFunction)
|
||||
{
|
||||
var sStepClass = $('#_class').val();
|
||||
var sStepState = $('#_state').val();
|
||||
var sAuthent = $('#authent_token').val();
|
||||
|
||||
var oMap = { operation: 'async_action', step_class: sStepClass, step_state: sStepState, code: sActionCode, params: oParams };
|
||||
var oMap = { operation: 'async_action', step_class: sStepClass, step_state: sStepState, code: sActionCode, authent : sAuthent, params: oParams };
|
||||
|
||||
var ErrorFn = OnErrorFunction;
|
||||
$(document).ajaxError(function(event, request, settings) {
|
||||
@@ -23,20 +24,20 @@ function WizardUpdateButtons()
|
||||
{
|
||||
if (CanMoveForward())
|
||||
{
|
||||
$("#btn_next").removeAttr("disabled");
|
||||
$("#btn_next").prop("disabled", false);
|
||||
}
|
||||
else
|
||||
{
|
||||
$("#btn_next").attr("disabled", "disabled");
|
||||
$("#btn_next").prop("disabled", true);
|
||||
}
|
||||
|
||||
if (CanMoveBackward())
|
||||
{
|
||||
$("#btn_back").removeAttr("disabled");
|
||||
$("#btn_back").prop("disabled", false);
|
||||
}
|
||||
else
|
||||
{
|
||||
$("#btn_back").attr("disabled", "disabled");
|
||||
$("#btn_back").prop("disabled", true);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -57,6 +57,13 @@ class WizStepWelcome extends WizardStep
|
||||
|
||||
public function ProcessParams($bMoveForward = true)
|
||||
{
|
||||
if (!file_exists(APPROOT.'data/setup'))
|
||||
{
|
||||
mkdir(APPROOT.'data/setup');
|
||||
}
|
||||
$sUID = hash('sha256', rand());
|
||||
file_put_contents(APPROOT.'data/setup/authent', $sUID);
|
||||
$this->oWizard->SetParameter('authent', $sUID);
|
||||
return array('class' => 'WizStepInstallOrUpgrade', 'state' => '');
|
||||
}
|
||||
|
||||
@@ -284,6 +291,8 @@ class WizStepInstallOrUpgrade extends WizardStep
|
||||
$oPage->add('<tr><td colspan="2">');
|
||||
$oPage->add($sMySQLDumpMessage.'<br/><span id="backup_info" style="font-size:small;color:#696969;">'.$sMessage.'</span></td></tr>');
|
||||
$oPage->add('</table>');
|
||||
$sAuthentToken = $this->oWizard->GetParameter('authent', '');
|
||||
$oPage->add('<input type="hidden" id="authent_token" value="'.$sAuthentToken.'"/>');
|
||||
//$oPage->add('</fieldset>');
|
||||
$oPage->add_ready_script(
|
||||
<<<EOF
|
||||
@@ -790,15 +799,17 @@ class WizStepDBParams extends WizardStep
|
||||
$oPage->add('<table>');
|
||||
SetupUtils::DisplayDBParameters($oPage, true, $sDBServer, $sDBUser, $sDBPwd, $sDBName, $sDBPrefix, $sTlsEnabled,
|
||||
$sTlsCA, $sNewDBName);
|
||||
$sAuthentToken = $this->oWizard->GetParameter('authent', '');
|
||||
$oPage->add('<input type="hidden" id="authent_token" value="'.$sAuthentToken.'"/>');
|
||||
$oPage->add('</table>');
|
||||
$sCreateDB = $this->oWizard->GetParameter('create_db', 'yes');
|
||||
if ($sCreateDB == 'no')
|
||||
{
|
||||
$oPage->add_ready_script('$("#existing_db").attr("checked", "checked");');
|
||||
$oPage->add_ready_script('$("#existing_db").prop("checked", true);');
|
||||
}
|
||||
else
|
||||
{
|
||||
$oPage->add_ready_script('$("#create_db").attr("checked", "checked");');
|
||||
$oPage->add_ready_script('$("#create_db").prop("checked", true);');
|
||||
}
|
||||
}
|
||||
|
||||
@@ -984,6 +995,8 @@ class WizStepMiscParams extends WizardStep
|
||||
$sChecked = ($sSampleData == 'no') ? 'checked ' : '';
|
||||
$oPage->p('<input id="sample_data_no" name="sample_data" type="radio" value="no" '.$sChecked.'><label for="sample_data_no"> I am installing a <b>production</b> instance, create an empty database to start from.');
|
||||
$oPage->add('</fieldset>');
|
||||
$sAuthentToken = $this->oWizard->GetParameter('authent', '');
|
||||
$oPage->add('<input type="hidden" id="authent_token" value="'.$sAuthentToken.'"/>');
|
||||
$oPage->add_ready_script(
|
||||
<<<EOF
|
||||
$('#application_url').bind('change keyup', function() { WizardUpdateButtons(); } );
|
||||
@@ -2227,7 +2240,10 @@ EOF
|
||||
|
||||
$sJSONData = json_encode($aInstallParams);
|
||||
$oPage->add('<input type="hidden" id="installer_parameters" value="'.htmlentities($sJSONData, ENT_QUOTES, 'UTF-8').'"/>');
|
||||
|
||||
|
||||
$sAuthentToken = $this->oWizard->GetParameter('authent', '');
|
||||
$oPage->add('<input type="hidden" id="authent_token" value="'.$sAuthentToken.'"/>');
|
||||
|
||||
if (!$this->CheckDependencies())
|
||||
{
|
||||
$oPage->error($this->sDependencyIssue);
|
||||
@@ -2240,7 +2256,8 @@ EOF
|
||||
$("#btn_next").bind("click.install", function(event) {
|
||||
$('#summary').hide();
|
||||
$('#installation_progress').show();
|
||||
$(this).attr("disabled", "disabled"); event.preventDefault(); ExecuteStep("");
|
||||
$(this).prop("disabled", true);
|
||||
event.preventDefault(); ExecuteStep("");
|
||||
});
|
||||
$("#wiz_form").data("installation_status", "not started")
|
||||
EOF
|
||||
@@ -2482,14 +2499,14 @@ class WizStepDone extends WizardStep
|
||||
$oPage->ok("The installation completed successfully.");
|
||||
}
|
||||
|
||||
if (($this->oWizard->GetParameter('mode', '') == 'upgrade') && $this->oWizard->GetParameter('db_backup', false))
|
||||
if (($this->oWizard->GetParameter('mode', '') == 'upgrade') && $this->oWizard->GetParameter('db_backup', false) && $this->oWizard->GetParameter('authent', false))
|
||||
{
|
||||
$sBackupDestination = $this->oWizard->GetParameter('db_backup_path', '');
|
||||
if (file_exists($sBackupDestination.'.tar.gz'))
|
||||
{
|
||||
// To mitigate security risks: pass only the filename without the extension, the download will add the extension itself
|
||||
$oPage->p('Your backup is ready');
|
||||
$oPage->p('<a style="background:transparent;" href="'.utils::GetAbsoluteUrlAppRoot().'setup/ajax.dataloader.php?operation=async_action&step_class=WizStepDone¶ms[backup]='.urlencode($sBackupDestination).'" target="_blank"><img src="../images/tar.png" style="border:0;vertical-align:middle;"> Download '.basename($sBackupDestination).'</a>');
|
||||
$oPage->p('<a style="background:transparent;" href="'.utils::GetAbsoluteUrlAppRoot().'setup/ajax.dataloader.php?operation=async_action&step_class=WizStepDone¶ms[backup]='.urlencode($sBackupDestination).'&authent='.$this->oWizard->GetParameter('authent','').'" target="_blank"><img src="../images/tar.png" style="border:0;vertical-align:middle;"> Download '.basename($sBackupDestination).'</a>');
|
||||
}
|
||||
else
|
||||
{
|
||||
|
||||
Reference in New Issue
Block a user