N°5462 Add a setup check to verify if directory-level configuration files (.htaccess and web.config) are used by the server

2026-02-13 07:24:13 +01:00 · 2022-08-24 16:33:54 +02:00
parent 7a6a3d1ac0
commit d78a25ee4e
5 changed files with 40 additions and 0 deletions
--- a/setup/permissions-test-folder/.htaccess
+++ b/setup/permissions-test-folder/.htaccess
@@ -0,0 +1,13 @@
+# Apache 2.4
+<ifModule mod_authz_core.c>
+Require all denied
+</ifModule>
+
+# Apache 2.2
+<ifModule !mod_authz_core.c>
+deny from all
+Satisfy All
+</ifModule>
+
+# Apache 2.2 and 2.4
+IndexIgnore *
--- a/setup/permissions-test-folder/permissions-test-subfolder/permissions-test-file
+++ b/setup/permissions-test-folder/permissions-test-subfolder/permissions-test-file
--- a/setup/permissions-test-folder/web.config
+++ b/setup/permissions-test-folder/web.config
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+  <system.webServer>
+    <security>
+      <requestFiltering>
+         <fileExtensions applyToWebDAV="false" allowUnlisted="false"></fileExtensions>
+      </requestFiltering>
+      <authorization>
+        <deny users="*" /> <!-- Denies all users -->
+      </authorization>
+    </security>
+  </system.webServer>
+</configuration>
--- a/setup/setup.js
+++ b/setup/setup.js
@@ -51,4 +51,17 @@ function ExecuteStep(sStep)
 		$('#wiz_form').data('installation_status', 'error');
 		WizardUpdateButtons();
 	} );
+}
+
+function CheckDirectoryConfFilesPermissions(sWikiVersion){
+	$.ajax('permissions-test-folder/permissions-test-subfolder/permissions-test-file',
+		{
+		statusCode: {
+			200: function() {
+				$('#details').prepend('<div class="message message-warning"><span class="message-title">Security issue:</span> iTop is bundled with directory-level configuration files. You must check that those files will be read by your web server (eg.' +
+					'AllowOverride directive should be set to <code>All</code> for Apache HTTP Server) <a href="https://www.itophub.io/wiki/page?id='+sWikiVersion+'%3Ainstall%3Asecurity#secure_critical_directories_access" target="_blank">see documentation</a>.</div>');
+				$('<span class="text-warning"> and 1 Security issue</span>').insertBefore('h2.message button:first');
+			}
+		}
+	});
 }
--- a/setup/wizardsteps.class.inc.php
+++ b/setup/wizardsteps.class.inc.php
@@ -161,6 +161,7 @@ HTML
 			$oPage->p('Sorry, the installation cannot continue. Please fix the errors and reload this page to launch the installation again.');
 			$oPage->p('<button type="button" onclick="window.location.reload()">Reload</button>');
 		}
+		$oPage->add_ready_script('CheckDirectoryConfFilesPermissions("'.utils::GetItopVersionWikiSyntax().'")');
 	}

 	public function CanMoveForward()