mirror of
https://github.com/Combodo/iTop.git
synced 2026-07-13 18:26:39 +02:00
N°9654 - Reduce surface attack on config file rights during setup (#932)
This commit is contained in:
@@ -67,7 +67,34 @@ if (SetupUtils::IsSessionSetupTokenValid()) {
|
||||
$oWizard->Run();
|
||||
} else {
|
||||
SetupUtils::ExitMaintenanceMode(false);
|
||||
// Force initializing the setup
|
||||
$oWizard->Start();
|
||||
|
||||
$sConfigFile = utils::GetConfigFilePath(ITOP_DEFAULT_ENV);
|
||||
if (file_exists($sConfigFile)) {
|
||||
// The configuration file already exists
|
||||
if (!is_writable($sConfigFile)) {
|
||||
SetupUtils::ExitReadOnlyMode(false); // Reset readonly mode in case of problem
|
||||
SetupUtils::EraseSetupToken();
|
||||
$sRelativePath = utils::GetConfigFilePathRelative(ITOP_DEFAULT_ENV);
|
||||
$oP = new SetupPage('Installation Cannot Continue');
|
||||
$oP->add("<h2>Fatal error</h2>\n");
|
||||
$oP->error("<b>Error:</b> the configuration file '".$sRelativePath."' already exists and cannot be overwritten.");
|
||||
$oP->p("The wizard cannot modify the configuration file for you. If you want to upgrade ".ITOP_APPLICATION.", make sure that the file '<b>".$sRelativePath."</b>' can be modified by the web server.");
|
||||
|
||||
$sButtonsHtml = <<<HTML
|
||||
<button type="button" class="ibo-button ibo-is-regular ibo-is-primary" onclick="window.location.reload()">Reload</button>
|
||||
HTML;
|
||||
$oP->p($sButtonsHtml);
|
||||
|
||||
$oP->output();
|
||||
// Prevent token creation
|
||||
exit;
|
||||
} else {
|
||||
chmod($sConfigFile, 0440);
|
||||
}
|
||||
}
|
||||
|
||||
SetupUtils::CreateSetupToken();
|
||||
|
||||
// Start the setup
|
||||
$oWizard->Start();
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user