From 6b5cc7ca4b8999324fbb1ed37570accaad0ea65a Mon Sep 17 00:00:00 2001
From: Stephen Abello
Date: Mon, 18 Feb 2019 10:39:57 +0100
Subject: [PATCH] =?UTF-8?q?N=C2=B01877=20&=20N=C2=B02012:=20Fix=20regressi?=
 =?UTF-8?q?on=20backup=20link=20on=20setup,=20security=20hardening?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 setup/ajax.dataloader.php | 6 ++++--
 setup/setup.js | 11 ++++++-----
 setup/wizardsteps.class.inc.php | 29 +++++++++++++++++++++++------
 3 files changed, 33 insertions(+), 13 deletions(-)
diff --git a/setup/ajax.dataloader.php b/setup/ajax.dataloader.php
index 381a3dcc6..0d03fc365 100644
--- a/setup/ajax.dataloader.php
+++ b/setup/ajax.dataloader.php
@@ -121,9 +121,11 @@ header("Expires: Fri, 17 Jul 1970 05:00:00 GMT"); // Date in the past
 $sOperation = Utils::ReadParam('operation', '');
 try
 {
- if (is_file(utils::GetConfigFilePath()) && !is_writable(utils::GetConfigFilePath()))
+ $sAuthent = utils::ReadParam('authent', '', false, 'raw_data');
+ if (!file_exists(APPROOT.'data/setup/authent') || $sAuthent !== file_get_contents(APPROOT.'data/setup/authent'))
 {
- throw new Exception('Setup operations are not allowed outside of the setup');
+ throw new SecurityException('Setup operations are not allowed outside of the setup');
+ SetupPage::log_error("Setup operations are not allowed outside of the setup");
 }
 switch($sOperation)
diff --git a/setup/setup.js b/setup/setup.js
index d81e013fe..1144936e9 100644
--- a/setup/setup.js
+++ b/setup/setup.js
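Review bot: The `SetupPage::log_error(...)` line added after `throw new SecurityException(...)` is unreachable, so a rejected request is never logged; the log call belongs before the throw. The comparison on the line above has two weaker spots as well: `$sAuthent !== file_get_contents(...)` is a plain string compare rather than `hash_equals()`, and an empty `authent` file (for instance after a failed write in the welcome step) makes the default `''` token pass, because `'' !== ''` is false. A rewrite that reads the stored token once, rejects an empty one and compares in constant time is below. The enclosing `try` block and the `switch($sOperation)` continue outside the hunk.
```php
	$sAuthent = (string)utils::ReadParam('authent', '', false, 'raw_data');
	$sExpected = file_exists(APPROOT.'data/setup/authent') ? (string)file_get_contents(APPROOT.'data/setup/authent') : '';
	// An empty stored token must never match; hash_equals() keeps the compare time independent of the token content
	if ($sExpected === '' || !hash_equals($sExpected, $sAuthent))
	{
		SetupPage::log_error("Setup operations are not allowed outside of the setup");
		throw new SecurityException('Setup operations are not allowed outside of the setup');
	}
	// … unchanged: switch($sOperation) …
```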
@@ -2,8 +2,9 @@ function WizardAsyncAction(sActionCode, oParams, OnErrorFunction)
 {
 var sStepClass = $('#_class').val();
 var sStepState = $('#_state').val();
+ var sAuthent = $('#authent_token').val();
- var oMap = { operation: 'async_action', step_class: sStepClass, step_state: sStepState, code: sActionCode, params: oParams };
+ var oMap = { operation: 'async_action', step_class: sStepClass, step_state: sStepState, code: sActionCode, authent : sAuthent, params: oParams };
 var ErrorFn = OnErrorFunction;
 $(document).ajaxError(function(event, request, settings) {
@@ -23,20 +24,20 @@ function WizardUpdateButtons()
 {
 if (CanMoveForward())
 {
- $("#btn_next").removeAttr("disabled");
+ $("#btn_next").prop("disabled", false);
 }
 else
 {
- $("#btn_next").attr("disabled", "disabled");
+ $("#btn_next").prop("disabled", true);
 }
 if (CanMoveBackward())
 {
- $("#btn_back").removeAttr("disabled");
+ $("#btn_back").prop("disabled", false);
 }
 else
 {
- $("#btn_back").attr("disabled", "disabled");
+ $("#btn_back").prop("disabled", true);
 }
 }
diff --git a/setup/wizardsteps.class.inc.php b/setup/wizardsteps.class.inc.php
index e2fb58cd6..cd75dfd6b 100644
--- a/setup/wizardsteps.class.inc.php
+++ b/setup/wizardsteps.class.inc.php
@@ -57,6 +57,13 @@ class WizStepWelcome extends WizardStep
 public function ProcessParams($bMoveForward = true)
 {
+ if (!file_exists(APPROOT.'data/setup'))
+ {
+ mkdir(APPROOT.'data/setup');
+ }
+ $sUID = hash('sha256', rand());
+ file_put_contents(APPROOT.'data/setup/authent', $sUID);
+ $this->oWizard->SetParameter('authent', $sUID);
 return array('class' => 'WizStepInstallOrUpgrade', 'state' => '');
 }
@@ -284,6 +291,8 @@ class WizStepInstallOrUpgrade extends WizardStep
 $oPage->add('');
 $oPage->add($sMySQLDumpMessage.'
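Review bot: `$sUID = hash('sha256', rand());` in WizStepWelcome::ProcessParams gives the setup token far less entropy than its 64 hex characters suggest, because `rand()` is not a cryptographic generator and its output space is small; use `$sUID = bin2hex(random_bytes(32));` (PHP 7.0+). The `mkdir()` and `file_put_contents()` return values on the surrounding lines are unchecked, so a failed write silently leaves `data/setup/authent` missing or empty while the wizard still carries the token as if it were valid — at minimum `if (file_put_contents(APPROOT.'data/setup/authent', $sUID) === false) { throw new Exception('Unable to write the setup authentication token'); }`. The file is created under `APPROOT.'data'` with the process umask, so whether it ends up readable by other local users or by the web server for direct download depends on the deployment; worth confirming and, if needed, restricting the directory mode when it is created. Nothing in the patch removes the file once setup completes, so the token presumably stays valid afterwards — confirm that this is intended.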
'.$sMessage.''); $oPage->add(''); + $sAuthentToken = $this->oWizard->GetParameter('authent', ''); + $oPage->add(''); //$oPage->add(''); $oPage->add_ready_script( <<add(''); SetupUtils::DisplayDBParameters($oPage, true, $sDBServer, $sDBUser, $sDBPwd, $sDBName, $sDBPrefix, $sTlsEnabled, $sTlsCA, $sNewDBName); + $sAuthentToken = $this->oWizard->GetParameter('authent', ''); + $oPage->add(''); $oPage->add('
'); $sCreateDB = $this->oWizard->GetParameter('create_db', 'yes'); if ($sCreateDB == 'no') { - $oPage->add_ready_script('$("#existing_db").attr("checked", "checked");'); + $oPage->add_ready_script('$("#existing_db").prop("checked", true);'); } else { - $oPage->add_ready_script('$("#create_db").attr("checked", "checked");'); + $oPage->add_ready_script('$("#create_db").prop("checked", true);'); } } @@ -984,6 +995,8 @@ class WizStepMiscParams extends WizardStep $sChecked = ($sSampleData == 'no') ? 'checked ' : ''; $oPage->p('
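Review bot: The pair `$sAuthentToken = $this->oWizard->GetParameter('authent', ''); $oPage->add(...)` is added verbatim in WizStepInstallOrUpgrade and again in the database-parameters step, and the truncated hunk at `@@ -984,6 +995,8 @@` appears to add it a third time; a single protected helper on WizardStep would keep the hidden field and its escaping in one place. The markup inside those `$oPage->add('')` calls is not visible in this rendering (the tags were stripped, and the boundary between the `@@ -284` hunk and the following one was lost with them), so I cannot confirm the value is HTML-escaped; the token is a hex digest today, so that is not a problem as written, but a helper that escapes keeps it safe if the token format ever changes. Sketch below; the id matches the `#authent_token` lookup added to WizardAsyncAction() in setup.js.
```php
	/**
	 * Emit the hidden field carrying the setup token that WizardAsyncAction() (setup.js) sends back as 'authent'
	 * @param $oPage the page being built
	 */
	protected function AddAuthentTokenField($oPage)
	{
		$sAuthentToken = $this->oWizard->GetParameter('authent', '');
		$oPage->add('<input type="hidden" id="authent_token" value="'.htmlentities($sAuthentToken, ENT_QUOTES, 'UTF-8').'"/>');
	}
	// … unchanged: each step calls $this->AddAuthentTokenField($oPage) where the two duplicated lines were …
```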