composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-06-12 10:52:20 +02:00
Code Issues Packages Projects Releases Wiki Activity

N°9654 - Reduce surface attack on config file rights during setup (#932)

Browse Source
This commit is contained in:
Lenaick
2026-06-09 16:56:58 +02:00
committed by GitHub
parent f48efbbd03
commit 733eea8a78
15 changed files with 46 additions and 83 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
setup/wizardcontroller.class.inc.php
View File

@@ -195,30 +195,6 @@ class WizardController
{
SetupLog::Info("=== Setup screen: ".$oStep->GetTitle().' ('.get_class($oStep).')');
$oPage = new SetupPage($oStep->GetTitle());
if ($oStep->RequiresWritableConfig()) {
$sConfigFile = utils::GetConfigFilePath(ITOP_DEFAULT_ENV);
if (file_exists($sConfigFile)) {
// The configuration file already exists
if (!is_writable($sConfigFile)) {
SetupUtils::ExitReadOnlyMode(false); // Reset readonly mode in case of problem
SetupUtils::EraseSetupToken();
$sRelativePath = utils::GetConfigFilePathRelative(ITOP_DEFAULT_ENV);
$oP = new SetupPage('Installation Cannot Continue');
$oP->add("<h2>Fatal error</h2>\n");
$oP->error("<b>Error:</b> the configuration file '".$sRelativePath."' already exists and cannot be overwritten.");
$oP->p("The wizard cannot modify the configuration file for you. If you want to upgrade ".ITOP_APPLICATION.", make sure that the file '<b>".$sRelativePath."</b>' can be modified by the web server.");
$sButtonsHtml = <<<HTML
<button type="button" class="ibo-button ibo-is-regular ibo-is-primary" onclick="window.location.reload()">Reload</button>
HTML;
$oP->p($sButtonsHtml);
$oP->output();
// Prevent token creation
exit;
}
}
}
$oPage->LinkScriptFromAppRoot('setup/setup.js');
$oPage->add('<form id="wiz_form" class="ibo-setup--wizard" method="post">');
$oPage->add('<div class="ibo-setup--wizard--content">');