N°1877 & N°2012: Fix regression backup link on setup, security hardening
@@ -121,9 +121,11 @@ header("Expires: Fri, 17 Jul 1970 05:00:00 GMT"); // Date in the past
|
|||||||
$sOperation = Utils::ReadParam('operation', '');
|
$sOperation = Utils::ReadParam('operation', '');
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
if (is_file(utils::GetConfigFilePath()) && !is_writable(utils::GetConfigFilePath()))
|
$sAuthent = utils::ReadParam('authent', '', false, 'raw_data');
|
||||||
|
if (!file_exists(APPROOT.'data/setup/authent') || $sAuthent !== file_get_contents(APPROOT.'data/setup/authent'))
|
||||||
{
|
{
|
||||||
throw new Exception('Setup operations are not allowed outside of the setup');
|
throw new SecurityException('Setup operations are not allowed outside of the setup');
|
||||||
|
SetupPage::log_error("Setup operations are not allowed outside of the setup");
|
||||||
}
|
}
|
||||||
|
|
||||||
switch($sOperation)
|
switch($sOperation)
|
||||||
|
|||||||
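Review bot: The `SetupPage::log_error(...)` call added on the new side sits after `throw new SecurityException(...)`, so it is unreachable and the rejected request is never logged; move the log call above the throw. The token check `$sAuthent !== file_get_contents(...)` compares a secret with a plain string comparison, which leaks timing; use `|| !hash_equals(file_get_contents(APPROOT.'data/setup/authent'), $sAuthent)` instead (available since PHP 5.6). An empty authent file (for example after a failed write) would also let an empty `authent` parameter through, so a `=== ''` guard on the file contents is worth adding before the comparison. The `switch($sOperation)` that these checks protect continues past the end of the hunk.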
@@ -2,8 +2,9 @@ function WizardAsyncAction(sActionCode, oParams, OnErrorFunction)
|
|||||||
{
|
{
|
||||||
var sStepClass = $('#_class').val();
|
var sStepClass = $('#_class').val();
|
||||||
var sStepState = $('#_state').val();
|
var sStepState = $('#_state').val();
|
||||||
|
var sAuthent = $('#authent_token').val();
|
||||||
|
|
||||||
var oMap = { operation: 'async_action', step_class: sStepClass, step_state: sStepState, code: sActionCode, params: oParams };
|
var oMap = { operation: 'async_action', step_class: sStepClass, step_state: sStepState, code: sActionCode, authent : sAuthent, params: oParams };
|
||||||
|
|
||||||
var ErrorFn = OnErrorFunction;
|
var ErrorFn = OnErrorFunction;
|
||||||
$(document).ajaxError(function(event, request, settings) {
|
$(document).ajaxError(function(event, request, settings) {
|
||||||
@@ -23,20 +24,20 @@ function WizardUpdateButtons()
|
|||||||
{
|
{
|
||||||
if (CanMoveForward())
|
if (CanMoveForward())
|
||||||
{
|
{
|
||||||
$("#btn_next").removeAttr("disabled");
|
$("#btn_next").prop("disabled", false);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
$("#btn_next").attr("disabled", "disabled");
|
$("#btn_next").prop("disabled", true);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (CanMoveBackward())
|
if (CanMoveBackward())
|
||||||
{
|
{
|
||||||
$("#btn_back").removeAttr("disabled");
|
$("#btn_back").prop("disabled", false);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
$("#btn_back").attr("disabled", "disabled");
|
$("#btn_back").prop("disabled", true);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
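Review bot: `$('#authent_token').val()` returns undefined on any wizard page that does not render the hidden input, and jQuery then (as far as I recall) serializes it as `authent=`, so the server-side check rejects the call with a SecurityException and the user only sees the generic ajaxError handler. Every step that calls WizardAsyncAction must therefore emit `<input type="hidden" id="authent_token" ...>`; this commit adds it to four steps by hand, which is easy to miss when a new step or a new async action is added. Consider rendering the hidden input once in the wizard form shell instead, or at least failing fast here when `sAuthent` is empty, e.g. `if (!sAuthent) { console.error('authent_token missing on this step'); }` before the request is built. The `.attr`→`.prop` hunk further down in this file is cosmetic.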
@@ -57,6 +57,13 @@ class WizStepWelcome extends WizardStep
|
|||||||
|
|
||||||
public function ProcessParams($bMoveForward = true)
|
public function ProcessParams($bMoveForward = true)
|
||||||
{
|
{
|
||||||
|
if (!file_exists(APPROOT.'data/setup'))
|
||||||
|
{
|
||||||
|
mkdir(APPROOT.'data/setup');
|
||||||
|
}
|
||||||
|
$sUID = hash('sha256', rand());
|
||||||
|
file_put_contents(APPROOT.'data/setup/authent', $sUID);
|
||||||
|
$this->oWizard->SetParameter('authent', $sUID);
|
||||||
return array('class' => 'WizStepInstallOrUpgrade', 'state' => '');
|
return array('class' => 'WizStepInstallOrUpgrade', 'state' => '');
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -284,6 +291,8 @@ class WizStepInstallOrUpgrade extends WizardStep
|
|||||||
$oPage->add('<tr><td colspan="2">');
|
$oPage->add('<tr><td colspan="2">');
|
||||||
$oPage->add($sMySQLDumpMessage.'<br/><span id="backup_info" style="font-size:small;color:#696969;">'.$sMessage.'</span></td></tr>');
|
$oPage->add($sMySQLDumpMessage.'<br/><span id="backup_info" style="font-size:small;color:#696969;">'.$sMessage.'</span></td></tr>');
|
||||||
$oPage->add('</table>');
|
$oPage->add('</table>');
|
||||||
|
$sAuthentToken = $this->oWizard->GetParameter('authent', '');
|
||||||
|
$oPage->add('<input type="hidden" id="authent_token" value="'.$sAuthentToken.'"/>');
|
||||||
//$oPage->add('</fieldset>');
|
//$oPage->add('</fieldset>');
|
||||||
$oPage->add_ready_script(
|
$oPage->add_ready_script(
|
||||||
<<<EOF
|
<<<EOF
|
||||||
@@ -790,15 +799,17 @@ class WizStepDBParams extends WizardStep
|
|||||||
$oPage->add('<table>');
|
$oPage->add('<table>');
|
||||||
SetupUtils::DisplayDBParameters($oPage, true, $sDBServer, $sDBUser, $sDBPwd, $sDBName, $sDBPrefix, $sTlsEnabled,
|
SetupUtils::DisplayDBParameters($oPage, true, $sDBServer, $sDBUser, $sDBPwd, $sDBName, $sDBPrefix, $sTlsEnabled,
|
||||||
$sTlsCA, $sNewDBName);
|
$sTlsCA, $sNewDBName);
|
||||||
|
$sAuthentToken = $this->oWizard->GetParameter('authent', '');
|
||||||
|
$oPage->add('<input type="hidden" id="authent_token" value="'.$sAuthentToken.'"/>');
|
||||||
$oPage->add('</table>');
|
$oPage->add('</table>');
|
||||||
$sCreateDB = $this->oWizard->GetParameter('create_db', 'yes');
|
$sCreateDB = $this->oWizard->GetParameter('create_db', 'yes');
|
||||||
if ($sCreateDB == 'no')
|
if ($sCreateDB == 'no')
|
||||||
{
|
{
|
||||||
$oPage->add_ready_script('$("#existing_db").attr("checked", "checked");');
|
$oPage->add_ready_script('$("#existing_db").prop("checked", true);');
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
$oPage->add_ready_script('$("#create_db").attr("checked", "checked");');
|
$oPage->add_ready_script('$("#create_db").prop("checked", true);');
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -984,6 +995,8 @@ class WizStepMiscParams extends WizardStep
|
|||||||
$sChecked = ($sSampleData == 'no') ? 'checked ' : '';
|
$sChecked = ($sSampleData == 'no') ? 'checked ' : '';
|
||||||
$oPage->p('<input id="sample_data_no" name="sample_data" type="radio" value="no" '.$sChecked.'><label for="sample_data_no"> I am installing a <b>production</b> instance, create an empty database to start from.');
|
$oPage->p('<input id="sample_data_no" name="sample_data" type="radio" value="no" '.$sChecked.'><label for="sample_data_no"> I am installing a <b>production</b> instance, create an empty database to start from.');
|
||||||
$oPage->add('</fieldset>');
|
$oPage->add('</fieldset>');
|
||||||
|
$sAuthentToken = $this->oWizard->GetParameter('authent', '');
|
||||||
|
$oPage->add('<input type="hidden" id="authent_token" value="'.$sAuthentToken.'"/>');
|
||||||
$oPage->add_ready_script(
|
$oPage->add_ready_script(
|
||||||
<<<EOF
|
<<<EOF
|
||||||
$('#application_url').bind('change keyup', function() { WizardUpdateButtons(); } );
|
$('#application_url').bind('change keyup', function() { WizardUpdateButtons(); } );
|
||||||
@@ -2228,6 +2241,9 @@ EOF
|
|||||||
$sJSONData = json_encode($aInstallParams);
|
$sJSONData = json_encode($aInstallParams);
|
||||||
$oPage->add('<input type="hidden" id="installer_parameters" value="'.htmlentities($sJSONData, ENT_QUOTES, 'UTF-8').'"/>');
|
$oPage->add('<input type="hidden" id="installer_parameters" value="'.htmlentities($sJSONData, ENT_QUOTES, 'UTF-8').'"/>');
|
||||||
|
|
||||||
|
$sAuthentToken = $this->oWizard->GetParameter('authent', '');
|
||||||
|
$oPage->add('<input type="hidden" id="authent_token" value="'.$sAuthentToken.'"/>');
|
||||||
|
|
||||||
if (!$this->CheckDependencies())
|
if (!$this->CheckDependencies())
|
||||||
{
|
{
|
||||||
$oPage->error($this->sDependencyIssue);
|
$oPage->error($this->sDependencyIssue);
|
||||||
@@ -2240,7 +2256,8 @@ EOF
|
|||||||
$("#btn_next").bind("click.install", function(event) {
|
$("#btn_next").bind("click.install", function(event) {
|
||||||
$('#summary').hide();
|
$('#summary').hide();
|
||||||
$('#installation_progress').show();
|
$('#installation_progress').show();
|
||||||
$(this).attr("disabled", "disabled"); event.preventDefault(); ExecuteStep("");
|
$(this).prop("disabled", true);
|
||||||
|
event.preventDefault(); ExecuteStep("");
|
||||||
});
|
});
|
||||||
$("#wiz_form").data("installation_status", "not started")
|
$("#wiz_form").data("installation_status", "not started")
|
||||||
EOF
|
EOF
|
||||||
@@ -2482,14 +2499,14 @@ class WizStepDone extends WizardStep
|
|||||||
$oPage->ok("The installation completed successfully.");
|
$oPage->ok("The installation completed successfully.");
|
||||||
}
|
}
|
||||||
|
|
||||||
if (($this->oWizard->GetParameter('mode', '') == 'upgrade') && $this->oWizard->GetParameter('db_backup', false))
|
if (($this->oWizard->GetParameter('mode', '') == 'upgrade') && $this->oWizard->GetParameter('db_backup', false) && $this->oWizard->GetParameter('authent', false))
|
||||||
{
|
{
|
||||||
$sBackupDestination = $this->oWizard->GetParameter('db_backup_path', '');
|
$sBackupDestination = $this->oWizard->GetParameter('db_backup_path', '');
|
||||||
if (file_exists($sBackupDestination.'.tar.gz'))
|
if (file_exists($sBackupDestination.'.tar.gz'))
|
||||||
{
|
{
|
||||||
// To mitigate security risks: pass only the filename without the extension, the download will add the extension itself
|
// To mitigate security risks: pass only the filename without the extension, the download will add the extension itself
|
||||||
$oPage->p('Your backup is ready');
|
$oPage->p('Your backup is ready');
|
||||||
$oPage->p('<a style="background:transparent;" href="'.utils::GetAbsoluteUrlAppRoot().'setup/ajax.dataloader.php?operation=async_action&step_class=WizStepDone¶ms[backup]='.urlencode($sBackupDestination).'" target="_blank"><img src="../images/tar.png" style="border:0;vertical-align:middle;"> Download '.basename($sBackupDestination).'</a>');
|
$oPage->p('<a style="background:transparent;" href="'.utils::GetAbsoluteUrlAppRoot().'setup/ajax.dataloader.php?operation=async_action&step_class=WizStepDone¶ms[backup]='.urlencode($sBackupDestination).'&authent='.$this->oWizard->GetParameter('authent','').'" target="_blank"><img src="../images/tar.png" style="border:0;vertical-align:middle;"> Download '.basename($sBackupDestination).'</a>');
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
|||||||
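Review bot: In `WizStepWelcome::ProcessParams` the token that now gates every setup action is derived from `rand()` (`$sUID = hash('sha256', rand());`), which is not a CSPRNG and yields at most getrandmax()+1 (about 2^31) distinct values, so hashing it does not make it unguessable; use `$sUID = bin2hex(random_bytes(32));` on PHP 7+, or `openssl_random_pseudo_bytes()` if 5.6 must still be supported. The `mkdir()` and `file_put_contents()` return values are not checked and the directory is created with the default mode, so a failed write leaves the installer silently broken (every async action rejected) and, if `data/` is not already shielded, the token may be readable by other local users or over the web — consider `mkdir(APPROOT.'data/setup', 0700, true)` and logging when either call fails. Elsewhere in this section the token is inlined into HTML (`value="'.$sAuthentToken.'"`) and into the backup download URL (`'&authent='.$this->oWizard->GetParameter('authent','')`) without `htmlentities()`/`urlencode()`, unlike the `installer_parameters` input right next to it; the value is hex today so this is a consistency fix, but passing the secret in a GET link also leaves it in browser history, referrers and server access logs. WizStepWelcome::ProcessParams is shown in full; the other methods touched in this section begin outside their hunks.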