author | Matthieu Aubry <mattab@users.noreply.github.com> | 2016-08-23 04:16:54 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-08-23 04:16:54 +0300 |
commit | 58d7fb3f8065eaee299396fc2347ecdb8f9bdc77 (patch) | |
tree | 54abe04737a53ae35615eb853b27f1290304ae5f | |
parent | c941d6ade984c9705c864796891dc0589dad3911 (diff) |
Create index.htm files in all tmp/ sub-folder as an additional safety net (#10414)
* Create index.htm files in tmp/ folder as a safety net
* UI test
* silent fail
* fix unit test
* Minor Improvement to description
* Fix release checklist
* Fix release checklist
* UI test
* UI test logic
* Actually make methods public to keep BC
-rw-r--r-- | core/Filesystem.php | 35 | ||||
-rw-r--r-- | core/Updates/2.15.0-b4.php | 25 | ||||
-rw-r--r-- | core/Updates/2.16.1-b3.php | 25 | ||||
-rw-r--r-- | core/Updates/2.16.3-b1.php (renamed from core/Updates/2.3.0-rc2.php) | 11 | ||||
-rw-r--r-- | core/Updates/2.4.0-b2.php | 27 | ||||
-rw-r--r-- | core/Version.php | 2 | ||||
-rw-r--r-- | plugins/Installation/Controller.php | 3 | ||||
-rw-r--r-- | plugins/Installation/ServerFilesGenerator.php | 25 | ||||
-rw-r--r-- | tests/PHPUnit/Integration/ReleaseCheckListTest.php | 7 | ||||
-rw-r--r-- | tests/PHPUnit/Unit/FilesystemTest.php | 21 | ||||
m--------- | tests/UI/expected-ui-screenshots | 0 | ||||
-rw-r--r-- | tests/UI/specs/Installation_spec.js | 14 | ||||
-rw-r--r-- | tests/index.html | 3 |
13 files changed, 99 insertions, 99 deletions
diff --git a/core/Filesystem.php b/core/Filesystem.php index c22a4d0b21..585246a0cd 100644 --- a/core/Filesystem.php +++ b/core/Filesystem.php @@ -94,6 +94,8 @@ class Filesystem // enough! we're not going to make the directory world-writeable } } + + self::createIndexFilesToPreventDirectoryListing($path); } /** @@ -443,8 +445,7 @@ class Filesystem */ private static function getChmodForPath($path) { - $pathIsTmp = StaticContainer::get('path.tmp'); - if (strpos($path, $pathIsTmp) === 0) { + if (self::isPathWithinTmpFolder($path)) { // tmp/* folder return 0750; } @@ -504,4 +505,34 @@ class Filesystem return true; } + + /** + * @param $path + * @return bool + */ + private static function isPathWithinTmpFolder($path) + { + $pathIsTmp = StaticContainer::get('path.tmp'); + $isPathWithinTmpFolder = strpos($path, $pathIsTmp) === 0; + return $isPathWithinTmpFolder; + } + + /** + * in tmp/ (sub-)folder(s) we create empty index.htm|php files + * + * @param $path + */ + private static function createIndexFilesToPreventDirectoryListing($path) + { + if (!self::isPathWithinTmpFolder($path)) { + return; + } + $filesToCreate = array( + $path . '/index.htm', + $path . '/index.php' + ); + foreach ($filesToCreate as $file) { + @file_put_contents($file, 'Nothing to see here.'); + } + } } diff --git a/core/Updates/2.15.0-b4.php b/core/Updates/2.15.0-b4.php deleted file mode 100644 index 132c331981..0000000000 --- a/core/Updates/2.15.0-b4.php +++ /dev/null 
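Review bot: `isPathWithinTmpFolder()` is a bare prefix test, so a sibling directory such as `<root>/tmp-backup` or `<root>/tmpfiles` also matches `path.tmp` and receives the 0750 mode plus the index files, and nothing normalises `..` segments before the comparison. Anchoring the match on a directory boundary fixes the sibling case: `$tmp = rtrim($pathIsTmp, '/'); return $path === $tmp || strpos($path, $tmp . '/') === 0;`. Separately, `createIndexFilesToPreventDirectoryListing()` rewrites both files on every call with no `file_exists()` guard, unlike the guard this same commit adds to `createWebRootFiles()`, so if `mkdir()` is reached for directories that already exist that is two writes per call, and the `@` hides any failure — presumably intentional ("silent fail"), but worth saying in the docblock. The files only help on servers that honour `DirectoryIndex`; the deny-all `.htaccess` remains the real control, and a one-line comment on the method stating `// safety net only: directory access to tmp/ is still expected to be denied by the generated .htaccess` would stop a later reader treating these files as the protection.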
@@ -1,25 +0,0 @@ -<?php -/** - * Piwik - free/libre analytics platform - * - * @link http://piwik.org - * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later - * - */ -namespace Piwik\Updates; - -use Piwik\Plugins\Installation\ServerFilesGenerator; -use Piwik\Updates; -use Piwik\Updater; - -/** - */ -class Updates_2_15_0_b4 extends Updates -{ - public function doUpdate(Updater $updater) - { - // added .ttf whitelisted file for apache webserver - ServerFilesGenerator::deleteHtAccessFiles(); - ServerFilesGenerator::createHtAccessFiles(); - } -} diff --git a/core/Updates/2.16.1-b3.php b/core/Updates/2.16.1-b3.php deleted file mode 100644 index cb46053660..0000000000 --- a/core/Updates/2.16.1-b3.php +++ /dev/null @@ -1,25 +0,0 @@ -<?php -/** - * Piwik - free/libre analytics platform - * - * @link http://piwik.org - * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later - * - */ -namespace Piwik\Updates; - -use Piwik\Plugins\Installation\ServerFilesGenerator; -use Piwik\Updates; -use Piwik\Updater; - -/** - */ -class Updates_2_16_1_b3 extends Updates -{ - public function doUpdate(Updater $updater) - { - // added .eot whitelisted file for apache webserver - ServerFilesGenerator::deleteHtAccessFiles(); - ServerFilesGenerator::createHtAccessFiles(); - } -}
\ No newline at end of file diff --git a/core/Updates/2.3.0-rc2.php b/core/Updates/2.16.3-b1.php index c24cb2578d..5501588d2c 100644 --- a/core/Updates/2.3.0-rc2.php +++ b/core/Updates/2.16.3-b1.php @@ -6,20 +6,17 @@ * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later * */ + namespace Piwik\Updates; use Piwik\Plugins\Installation\ServerFilesGenerator; -use Piwik\Updates; use Piwik\Updater; +use Piwik\Updates as PiwikUpdates; -/** - */ -class Updates_2_3_0_rc2 extends Updates +class Updates_2_16_3_b1 extends PiwikUpdates { public function doUpdate(Updater $updater) { - ServerFilesGenerator::deleteHtAccessFiles(); - - ServerFilesGenerator::createHtAccessFiles(); + ServerFilesGenerator::createFilesForSecurity(); } } diff --git a/core/Updates/2.4.0-b2.php b/core/Updates/2.4.0-b2.php deleted file mode 100644 index 16d09d0379..0000000000 --- a/core/Updates/2.4.0-b2.php +++ /dev/null @@ -1,27 +0,0 @@ -<?php -/** - * Piwik - free/libre analytics platform - * - * @link http://piwik.org - * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later - * - */ -namespace Piwik\Updates; - -use Piwik\Plugins\Installation\ServerFilesGenerator; -use Piwik\Updates; -use Piwik\Updater; - -/** - */ -class Updates_2_4_0_b2 extends Updates -{ - public function doUpdate(Updater $updater) - { - ServerFilesGenerator::deleteWebConfigFiles(); - ServerFilesGenerator::createWebConfigFiles(); - - ServerFilesGenerator::deleteHtAccessFiles(); - ServerFilesGenerator::createHtAccessFiles(); - } -} diff --git a/core/Version.php b/core/Version.php index aed84dbae4..d2214508d3 100644 --- a/core/Version.php +++ b/core/Version.php @@ -20,7 +20,7 @@ final class Version * The current Piwik version. * @var string */ - const VERSION = '2.16.2'; + const VERSION = '2.16.3-b1'; public function isStableVersion($version) { diff --git a/plugins/Installation/Controller.php b/plugins/Installation/Controller.php index f75477f659..7262afd503 100644 --- a/plugins/Installation/Controller.php 
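Review bot: The renamed update is now the single place that regenerates the server files, but nothing in it records why four older updates were folded into it, which a future reader of `core/Updates` will wonder about; a comment above `doUpdate()` would do: `// Supersedes the 2.3.0-rc2, 2.4.0-b2, 2.15.0-b4 and 2.16.1-b3 updates, which only regenerated .htaccess / web.config; createFilesForSecurity() now also creates the web-root files and the tmp/ index files`. Note that `createFilesForSecurity()` begins by deleting and recreating the `.htaccess` files, so any local edits an operator made to them are lost on this upgrade; the generated header added elsewhere in this commit says "do not edit directly", and the update deserves the same warning in its docblock so the behaviour is discoverable from the update itself.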
+++ b/plugins/Installation/Controller.php @@ -300,6 +300,8 @@ class Controller extends \Piwik\Plugin\ControllerAdmin { $this->checkPiwikIsNotInstalled(); + ServerFilesGenerator::createFilesForSecurity(); + $siteIdsCount = Access::doAsSuperUser(function () { return count(APISitesManager::getInstance()->getAllSitesId()); }); @@ -720,4 +722,5 @@ class Controller extends \Piwik\Plugin\ControllerAdmin return $result; }); } + } diff --git a/plugins/Installation/ServerFilesGenerator.php b/plugins/Installation/ServerFilesGenerator.php index 927f403ccb..58e11e877f 100644 --- a/plugins/Installation/ServerFilesGenerator.php +++ b/plugins/Installation/ServerFilesGenerator.php @@ -13,6 +13,17 @@ use Piwik\SettingsServer; class ServerFilesGenerator { + public static function createFilesForSecurity() + { + self::deleteHtAccessFiles(); + self::createHtAccessFiles(); + + self::deleteWebConfigFiles(); + self::createWebConfigFiles(); + + self::createWebRootFiles(); + } + /** * Generate Apache .htaccess files to restrict access * .htaccess files are created on all webservers even Nginx, as sometimes Nginx knows how to handle .htaccess files @@ -64,11 +75,6 @@ class ServerFilesGenerator } } - public static function createHtAccessDenyAll($path) - { - self::createHtAccess($path, $overwrite = false, self::getDenyAllHtaccessContent()); - } - /** * Create .htaccess file in specified directory * @@ -83,6 +89,8 @@ class ServerFilesGenerator protected static function createHtAccess($path, $overwrite = true, $content) { $file = $path . '/.htaccess'; + + $content = "# This file is auto generated by Piwik, do not edit directly\n# Please report any issue or improvement directly to the Piwik team.\n\n" . $content; if ($overwrite || !file_exists($file)) { @file_put_contents($file, $content); } 
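Review bot: `createFilesForSecurity()` now runs on every load of this installer step, which is reachable without authentication; that is acceptable only because `checkPiwikIsNotInstalled()` on the preceding line presumably aborts once an installation exists, and that ordering dependency is invisible to a later editor who might move the call. A comment would pin it: `// must stay after checkPiwikIsNotInstalled(): this step is unauthenticated and the call (re)writes .htaccess / web.config / index files`. The enclosing action's name and the rest of its body are outside the hunk. The extra blank line added before the class's closing brace in the second hunk is a style nit.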
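Review bot: Removing the public `createHtAccessDenyAll($path)` is an API break for any plugin that called it, which sits oddly with the "make methods public to keep BC" bullet in the description; keeping it as a one-line deprecated wrapper costs nothing: `/** @deprecated use createFilesForSecurity() */ public static function createHtAccessDenyAll($path) { self::createHtAccess($path, false, self::getDenyAllHtaccessContent()); }`. In `createHtAccess()` the new header is prepended before the `$overwrite || !file_exists($file)` check, so the `$overwrite = false` path still respects an existing file, but the `@file_put_contents` result is discarded, meaning a read-only web root silently ends up with no `.htaccess` at all. `createFilesForSecurity()` has no docblock; one line stating that it is best-effort, that write failures are not surfaced, and that it overwrites the generated `.htaccess`/`web.config` while leaving existing web-root files alone would document the contract callers in the updater and installer now rely on.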
@@ -93,7 +101,7 @@ class ServerFilesGenerator * * Note: for IIS 7 and above */ - public static function createWebConfigFiles() + protected static function createWebConfigFiles() { if (!SettingsServer::isIIS()) { return; @@ -183,7 +191,10 @@ class ServerFilesGenerator '/favicon.ico', ); foreach ($filesToCreate as $file) { - @file_put_contents(PIWIK_DOCUMENT_ROOT . $file, ''); + $path = PIWIK_DOCUMENT_ROOT . $file; + if(!file_exists($path)) { + @file_put_contents($path, ''); + } } } diff --git a/tests/PHPUnit/Integration/ReleaseCheckListTest.php b/tests/PHPUnit/Integration/ReleaseCheckListTest.php index 265f60c372..d42a310626 100644 --- a/tests/PHPUnit/Integration/ReleaseCheckListTest.php +++ b/tests/PHPUnit/Integration/ReleaseCheckListTest.php @@ -257,6 +257,7 @@ class ReleaseCheckListTest extends \PHPUnit_Framework_TestCase { $files = Filesystem::globr(PIWIK_INCLUDE_PATH, '*.php'); + $tested = 0; foreach($files as $file) { // skip files in these folders if (strpos($file, '/libs/') !== false) { @@ -279,7 +280,10 @@ class ReleaseCheckListTest extends \PHPUnit_Framework_TestCase $start = fgets($handle, strlen($expectedStart) + 1 ); $this->assertEquals($start, $expectedStart, "File $file does not start with $expectedStart"); + $tested++; } + + $this->assertGreaterThan(2000, $tested, 'should have tested at least thousand of php files'); } public function test_jsfilesDoNotContainFakeSpaces() @@ -494,7 +498,8 @@ class ReleaseCheckListTest extends \PHPUnit_Framework_TestCase || strpos($file, "tests/resources/Updater/") !== false || strpos($file, "Twig/Tests/") !== false || strpos($file, "processed/") !== false - || strpos($file, "/vendor/") !== false; + || strpos($file, "/vendor/") !== false + || (strpos($file, "tmp/") !== false && strpos($file, 'index.php') !== false); $isLib = strpos($file, "lib/xhprof") !== false || strpos($file, "phpunit/phpunit") !== false; return ($isIniFile && $isIniFileInTests) || $isTestResultFile || $isLib; 
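Review bot: `createWebConfigFiles()` goes from public to protected here, which is a BC break for any external caller — the now-deleted `Updates_2_4_0_b2` was exactly such a caller — and contradicts the description's "make methods public to keep BC". If the intent is to funnel everything through `createFilesForSecurity()`, keep the method public with a `@deprecated` tag rather than reducing its visibility. In `createWebRootFiles()` the new `if(!file_exists($path))` guard rightly preserves an operator's existing `robots.txt`/`favicon.ico`; it is worth a comment saying so, since the previous unconditional write was the behaviour callers may expect, and the missing space in `if(` is a PSR-12 nit.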
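Review bot: The new exclusion `strpos($file, "tmp/") !== false && strpos($file, 'index.php') !== false` matches an `index.php` under any directory whose path contains `tmp/`, not only the tmp root, so an `index.php` shipped inside, say, `plugins/Foo/tmp/` would silently skip the licence-header check. Anchoring it to the tmp root — `strpos($file, PIWIK_INCLUDE_PATH . '/tmp/') === 0`, if `$file` is absolute here — keeps the exclusion to the generated files; how `$file` is built is outside the hunk, so confirm. In the other hunk the assertion message reads "should have tested at least thousand of php files" while the bound is 2000; `'should have checked at least 2000 PHP files'` matches the number.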
diff --git a/tests/PHPUnit/Unit/FilesystemTest.php b/tests/PHPUnit/Unit/FilesystemTest.php index 86894d13e1..1c2d69d69f 100644 --- a/tests/PHPUnit/Unit/FilesystemTest.php +++ b/tests/PHPUnit/Unit/FilesystemTest.php @@ -93,6 +93,8 @@ class FilesystemTest extends \PHPUnit_Framework_TestCase '/DataTable/Bridges.php', '/DataTable/DataTableInterface.php', '/DataTable/Filter', + '/DataTable/index.htm', // this was is created as side effect of "Target files" being within the tmp/ folder, @see createIndexFilesToPreventDirectoryListing + '/DataTable/index.php', // this was is created as side effect of "Target files" being within the tmp/ folder, @see createIndexFilesToPreventDirectoryListing '/DataTable/Manager.php', '/DataTable/Map.php', '/DataTable/Renderer', 
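Review bot: The same sentence is repeated on each new `index.htm`/`index.php` entry and carries a typo ("this was is created"); a single comment above the expected array — `// index.htm / index.php entries are a side effect of the target directory living under tmp/, see Filesystem::createIndexFilesToPreventDirectoryListing()` — with bare entries below would read better and be easier to keep in sync. The expected list also now encodes that the fixture lives under `tmp/`, so a future move of the fixture directory changes the result without any code change; that assumption deserves the comment too. The test method's start is outside the hunk.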
@@ -100,17 +102,26 @@ class FilesystemTest extends \PHPUnit_Framework_TestCase '/DataTable/Row', '/DataTable/Row.php', '/DataTable/Simple.php', + '/DataTable/Filter/index.htm', // this was is created as side effect of "Target files" being within the tmp/ folder, @see createIndexFilesToPreventDirectoryListing + '/DataTable/Filter/index.php', // this was is created as side effect of "Target files" being within the tmp/ folder, @see createIndexFilesToPreventDirectoryListing '/DataTable/Renderer/Console.php', '/DataTable/Renderer/Csv.php', '/DataTable/Renderer/Html.php', + '/DataTable/Renderer/index.htm', // this was is created as side effect of "Target files" being within the tmp/ folder, @see createIndexFilesToPreventDirectoryListing + '/DataTable/Renderer/index.php', // this was is created as side effect of "Target files" being within the tmp/ folder, @see createIndexFilesToPreventDirectoryListing '/DataTable/Renderer/Json.php', '/DataTable/Renderer/Php.php', '/DataTable/Renderer/Rss.php', '/DataTable/Renderer/Tsv.php', '/DataTable/Renderer/Xml', '/DataTable/Renderer/Xml.php', + '/DataTable/Renderer/Xml/index.htm', // this was is created as side effect of "Target files" being within the tmp/ folder, @see createIndexFilesToPreventDirectoryListing + '/DataTable/Renderer/Xml/index.php', // this was is created as side effect of "Target files" being within the tmp/ folder, @see createIndexFilesToPreventDirectoryListing '/DataTable/Renderer/Xml/Other.php', - '/DataTable/Row/DataTableSummaryRow.php' + '/DataTable/Row/DataTableSummaryRow.php', + '/DataTable/Row/index.htm', // this was is created as side effect of "Target files" being within the tmp/ folder, @see createIndexFilesToPreventDirectoryListing + '/DataTable/Row/index.php', // this was is created as side effect of "Target files" being within the tmp/ folder, @see createIndexFilesToPreventDirectoryListing + ), $result); } 
@@ -121,12 +132,18 @@ class FilesystemTest extends \PHPUnit_Framework_TestCase $this->assertEquals(array( '/DataTable/Filter', '/DataTable/Row', + '/DataTable/Filter/index.htm', // this was is created as side effect of "Target files" being within the tmp/ folder, @see createIndexFilesToPreventDirectoryListing + '/DataTable/Filter/index.php', // this was is created as side effect of "Target files" being within the tmp/ folder, @see createIndexFilesToPreventDirectoryListing '/DataTable/Renderer/Json.php', '/DataTable/Renderer/Php.php', '/DataTable/Renderer/Rss.php', '/DataTable/Renderer/Xml', + '/DataTable/Renderer/Xml/index.htm', // this was is created as side effect of "Target files" being within the tmp/ folder, @see createIndexFilesToPreventDirectoryListing + '/DataTable/Renderer/Xml/index.php', // this was is created as side effect of "Target files" being within the tmp/ folder, @see createIndexFilesToPreventDirectoryListing '/DataTable/Renderer/Xml/Other.php', '/DataTable/Row/DataTableSummaryRow.php', + '/DataTable/Row/index.htm', // this was is created as side effect of "Target files" being within the tmp/ folder, @see createIndexFilesToPreventDirectoryListing + '/DataTable/Row/index.php', // this was is created as side effect of "Target files" being within the tmp/ folder, @see createIndexFilesToPreventDirectoryListing ), $result); } @@ -137,7 +154,7 @@ class FilesystemTest extends \PHPUnit_Framework_TestCase // make sure there is a difference between those folders $result = Filesystem::directoryDiff($source, $target); - $this->assertCount(8, $result); + $this->assertCount(14, $result); Filesystem::unlinkTargetFilesNotPresentInSource($source, $target); diff --git a/tests/UI/expected-ui-screenshots b/tests/UI/expected-ui-screenshots -Subproject de03748b515438b7a4c0d2fc6852e35d2714cb6 +Subproject d5689fd6b53879aa18b9ed40851e4d9160d6601 diff --git a/tests/UI/specs/Installation_spec.js b/tests/UI/specs/Installation_spec.js index 3ddfdc3587..bc24ec0248 100644 
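Review bot: No test covers the negative side of the new behaviour: a directory that is a sibling of `tmp/` (for example `tmp2/`) must not receive the index files, and that is precisely the case a prefix-based `isPathWithinTmpFolder()` gets wrong, so a test creating such a directory via `Filesystem::mkdir()` and asserting that no `index.htm`/`index.php` appears would pin the intended boundary. `$this->assertCount(14, $result)` bumps a magic number with no explanation; `// 8 real differences + 6 generated index files (3 dirs x 2)` or computing it from the expected array would make the next change less error-prone. The enclosing test method begins outside the hunk.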
--- a/tests/UI/specs/Installation_spec.js +++ b/tests/UI/specs/Installation_spec.js @@ -51,8 +51,22 @@ describe("Installation", function () { }, done); }); + var pageUrl; + it("should have already created a tmp/sessions/index.htm file to prevent directory listing", function (done) { + expect.screenshot('nothing_to_see_here').to.be.capture(function (page) { + pageUrl = page.getCurrentUrl(); + + // page.load will load by default the proxy ie. http://localhost/piwik/tests/PHPUnit/proxy/ + // but we need here to check in: http://localhost/piwik/tmp/sessions/ + page.load("../../../tmp/sessions/index.htm"); + + }, done); + }); + it("should display the database setup page when next is clicked on the system check page", function (done) { expect.screenshot("db_setup").to.be.capture(function (page) { + page.load(pageUrl); + page.click('.next-step .btn'); }, done); }); diff --git a/tests/index.html b/tests/index.html index 9078a41907..ac14989274 100644 --- a/tests/index.html +++ b/tests/index.html @@ -6,8 +6,7 @@ <ul> <li><a href="https://github.com/piwik/piwik/blob/master/tests/README.md">Setup PHPUnit tests</a></li> - <li><a href="javascript/">Run piwik.js Javascript unit & integration tests</a>. <br/><i>Note: the Javascript tests - are not executed in Jenkins so must be run manually on major browsers after any change to piwik.js</i></li> + <li><a href="javascript/">Run piwik.js Javascript unit & integration tests</a>. <br/></li> </ul> <p>If you are new to the wonderful world of testing, <a href='https://github.com/piwik/piwik/blob/master/tests/README.md'>see the README</a> for an introduction.</p> |
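Review bot: The new test proves `tmp/sessions/index.htm` answers over HTTP, i.e. that `tmp/` is web-reachable in the test environment; on a server that honours a deny-all `.htaccess` for `tmp/` the same request would be refused and the screenshot would differ, so the test is environment-dependent and should say so beside `page.load("../../../tmp/sessions/index.htm")`, e.g. `// only meaningful where tmp/ is served directly (no .htaccess protection): that is the situation the index files exist for`. Whether `tmp/` actually receives a deny-all rule is not visible in this diff, so confirm before wording it. Capturing `pageUrl` in one `it()` and reloading it in the next couples the two tests to execution order; re-navigating to the system-check step in the second test would remove that.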