From da76fc70bb743d8c9a5b687ee6b872db34e7ac8b Mon Sep 17 00:00:00 2001
From: Stephen Abello <stephen.abello@combodo.com>
Date: Mon, 7 Jan 2019 16:46:29 +0100
Subject: [PATCH 1/2] =?UTF-8?q?N=C2=B01933:=20Security=20hardening?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 application/utils.inc.php            | 13 ++++++++++++-
 setup/ajax.dataloader.php            |  5 +++--
 setup/email.test.php                 |  4 ++--
 setup/wizardcontroller.class.inc.php |  5 +++--
 4 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/application/utils.inc.php b/application/utils.inc.php
index 0f43d5b76..2f4f4e551 100644
--- a/application/utils.inc.php
+++ b/application/utils.inc.php
@@ -1135,7 +1135,7 @@ class utils
 		}
 	}
 	/**
-	 * Get target configuration file name (including full path)
+	 * @return string target configuration file name (including full path)
 	 */
 	public static function GetConfigFilePath($sEnvironment = null)
 	{
@@ -1145,6 +1145,17 @@ class utils
 		}
 		return APPCONF.$sEnvironment.'/'.ITOP_CONFIG_FILE;
 	}
+	/**
+	 * @return string target configuration file name (including relative path)
+	 */
+	public static function GetConfigFilePathRelative($sEnvironment = null)
+	{
+		if (is_null($sEnvironment))
+		{
+			$sEnvironment = self::GetCurrentEnvironment();
+		}
+		return "conf/".$sEnvironment.'/'.ITOP_CONFIG_FILE;
+	}
 
     /**
      * @return string the absolute URL to the modules root path
diff --git a/setup/ajax.dataloader.php b/setup/ajax.dataloader.php
index 6dc61f7cc..381a3dcc6 100644
--- a/setup/ajax.dataloader.php
+++ b/setup/ajax.dataloader.php
@@ -149,8 +149,9 @@ try
 			$sConfigFile = utils::GetConfigFilePath();
 			if (file_exists($sConfigFile) && !is_writable($sConfigFile) && $oStep->RequiresWritableConfig())
 			{
-				$oPage->error("<b>Error:</b> the configuration file '".$sConfigFile."' already exists and cannot be overwritten.");
-				$oPage->p("The wizard cannot modify the configuration file for you. If you want to upgrade ".ITOP_APPLICATION.", make sure that the file '<b>".realpath($sConfigFile)."</b>' can be modified by the web server.");
+				$sRelativePath = utils::GetConfigFilePathRelative();
+				$oPage->error("<b>Error:</b> the configuration file '".$sRelativePath."' already exists and cannot be overwritten.");
+				$oPage->p("The wizard cannot modify the configuration file for you. If you want to upgrade ".ITOP_APPLICATION.", make sure that the file '<b>".$sRelativePath."</b>' can be modified by the web server.");
 				$oPage->output();
 			}
 			else
diff --git a/setup/email.test.php b/setup/email.test.php
index da19a4880..e03bfc62f 100644
--- a/setup/email.test.php
+++ b/setup/email.test.php
@@ -124,7 +124,7 @@ function CheckEmailSetting($oP)
 		$oP->info("SMTP configuration (from config-itop.php): host: $sHost, port: $sPort, user: $sDisplayUserName, password: $sDisplayPassword, encryption: $sDisplayEncryption.");
 		if (($sHost == 'localhost') && ($sPort == '25') && ($sUserName == '') && ($sPassword == '') )
 		{
-			$oP->warning("The default settings may not be suitable for your environment. You may want to ajust these values by editing iTop's configuration file (".APPROOT."conf/production/config-itop.php).");
+			$oP->warning("The default settings may not be suitable for your environment. You may want to adjust these values by editing iTop's configuration file (".utils::GetConfigFilePathRelative().").");
 		}
 		break;
 		
@@ -134,7 +134,7 @@ function CheckEmailSetting($oP)
 		break;
 		
 		case 'LogFile':
-		$oP->warning("iTop is configured to use the <b>LogFile</b> transport: emails will <em>not</em> be sent but logged to the file: '".APPROOT."/log/mail.log'.");
+		$oP->warning("iTop is configured to use the <b>LogFile</b> transport: emails will <em>not</em> be sent but logged to the file: 'log/mail.log'.");
 		$bRet = true;
 		break;
 		
diff --git a/setup/wizardcontroller.class.inc.php b/setup/wizardcontroller.class.inc.php
index 8b9636cef..0eaf8009e 100644
--- a/setup/wizardcontroller.class.inc.php
+++ b/setup/wizardcontroller.class.inc.php
@@ -173,10 +173,11 @@ class WizardController
 				// The configuration file already exists
 				if (!is_writable($sConfigFile))
 				{
+					$sRelativePath = utils::GetConfigFilePathRelative();
 					$oP = new SetupPage('Installation Cannot Continue');
 					$oP->add("<h2>Fatal error</h2>\n");
-					$oP->error("<b>Error:</b> the configuration file '".$sConfigFile."' already exists and cannot be overwritten.");
-					$oP->p("The wizard cannot modify the configuration file for you. If you want to upgrade ".ITOP_APPLICATION.", make sure that the file '<b>".realpath($sConfigFile)."</b>' can be modified by the web server.");
+					$oP->error("<b>Error:</b> the configuration file '".$sRelativePath."' already exists and cannot be overwritten.");
+					$oP->p("The wizard cannot modify the configuration file for you. If you want to upgrade ".ITOP_APPLICATION.", make sure that the file '<b>".$sRelativePath."</b>' can be modified by the web server.");
 					$oP->p('<button type="button" onclick="window.location.reload()">Reload</button>');
 					$oP->output();
 					return;

From 05bcfbe4c3b5adc52eb377e485db0b00016aa1f6 Mon Sep 17 00:00:00 2001
From: Pierre Goiffon <pierre.goiffon@combodo.com>
Date: Wed, 9 Jan 2019 10:44:21 +0100
Subject: [PATCH 2/2] :memo: Update install.txt for 2.5.x

---
 install.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install.txt b/install.txt
index 0153f65e1..3aa6f8e8c 100644
--- a/install.txt
+++ b/install.txt
@@ -1,3 +1,3 @@
 For installation instructions, please refer to:
 
-https://wiki.openitop.org/doku.php?id=2_4_0:install:start
\ No newline at end of file
+https://wiki.openitop.org/doku.php?id=2_5_0:install:start