From a97c8be31a96a41b18a4e0afccceb3dd9e40a502 Mon Sep 17 00:00:00 2001 From: bruno DA SILVA Date: Tue, 15 Oct 2019 11:45:52 +0200 Subject: [PATCH] 2498 - restrict access to assets into env-* this is done by adding a .htaccess file on a per module basis. NB: if there is already a .htaccess file, it is kept as it, so you can see this commit as adding a "default" htaccess. --- setup/compiler.class.inc.php | 55 +++++++++++++++++++++++++++++++++++- 1 file changed, 54 insertions(+), 1 deletion(-) diff --git a/setup/compiler.class.inc.php b/setup/compiler.class.inc.php index 488e80f01..2fc52b3a9 100644 --- a/setup/compiler.class.inc.php +++ b/setup/compiler.class.inc.php @@ -224,6 +224,27 @@ class MFCompiler $aWebservicesFiles = array(); $iStart = strlen(realpath(APPROOT)); $sRelFinalTargetDir = substr($sFinalTargetDir, strlen(APPROOT)); + + $sModuleDesignHtaccessFileName = $sTempTargetDir.'/core/module_designs/.htaccess'; + // every xml files present in here must not be publicly accessible + $sModuleDesignHtaccessFileContent = << + Order deny,allow + Deny from all + + +EOF; + SetupUtils::builddir(dirname($sModuleDesignHtaccessFileName)); + $ret = file_put_contents($sModuleDesignHtaccessFileName, $sModuleDesignHtaccessFileContent); + if ($ret === false) + { + $iLen = strlen($sModuleDesignHtaccessFileContent); + $fFree = @disk_free_space(dirname($sModuleDesignHtaccessFileName)); + $aErr = error_get_last(); + throw new Exception("Failed to write '$sModuleDesignHtaccessFileName'. Last error: '{$aErr['message']}', content to write: $iLen bytes, available free space on disk: $fFree."); + } + unset($sModuleDesignHtaccessFileContent, $sModuleDesignHtaccessFileName); + foreach($aModules as $foo => $oModule) { $sModuleName = $oModule->GetName(); @@ -245,6 +266,38 @@ class MFCompiler // Push the other module files SetupUtils::copydir($sModuleRootDir, $sTempTargetDir.'/'.$sRelativeDir, $bUseSymbolicLinks); + + $sModuleHtaccessFileName = $sTempTargetDir.'/'.$sRelativeDir.'/.htaccess'; + if (!file_exists($sModuleHtaccessFileName)) + { + // if no .htaccess is present, add a generic one prohibiting access to potentially sensible files (ie: even if it is quite a bad practice, it may happen that a developer put a secret into the xml) + $sModuleHtaccessFileContent = << + Order deny,allow + Deny from all + + + + Order deny,allow + Deny from all + + + + Order deny,allow + Deny from all + + +EOF; + $ret = file_put_contents($sModuleHtaccessFileName, $sModuleHtaccessFileContent); + if ($ret === false) + { + $iLen = strlen($sModuleHtaccessFileContent); + $fFree = @disk_free_space(dirname($sModuleHtaccessFileName)); + $aErr = error_get_last(); + throw new Exception("Failed to write '$sModuleHtaccessFileName'. Last error: '{$aErr['message']}', content to write: $iLen bytes, available free space on disk: $fFree."); + } + SetupLog::Warning("Added a generic .htaccess into {$sFinalTargetDir}/{$sRelativeDir} during the compilation.");; + } } else { @@ -252,7 +305,7 @@ class MFCompiler $sRealRelativeDir = ''; } $aModulesInfo[$sModuleName] = array('root_dir' => $sRealRelativeDir, 'version' => $sModuleVersion); - + $sCompiledCode = ''; $oConstants = $this->oFactory->ListConstants($sModuleName);