
Diffstat (limited to 'plugins/Installation')
-rw-r--r--plugins/Installation/Controller.php20
-rw-r--r--plugins/Installation/FormDatabaseSetup.php12
-rw-r--r--plugins/Installation/ServerFilesGenerator.php134
3 files changed, 153 insertions, 13 deletions
diff --git a/plugins/Installation/Controller.php b/plugins/Installation/Controller.php
index 5df88f94f4..106023195d 100644
--- a/plugins/Installation/Controller.php
+++ b/plugins/Installation/Controller.php
@@ -18,6 +18,7 @@ use Piwik\Config;
use Piwik\DataAccess\ArchiveTableCreator;
use Piwik\Db\Adapter;
use Piwik\Db;
+use Piwik\Filesystem;
use Piwik\Http;
use Piwik\Piwik;
use Piwik\Plugins\LanguagesManager\LanguagesManager;
@@ -63,6 +64,16 @@ class Controller extends \Piwik\Controller\Admin
Piwik_PostEvent('InstallationController.construct', array($this));
}
+ protected static function initServerFilesForSecurity()
+ {
+ if (Common::isIIS()) {
+ ServerFilesGenerator::createWebConfigFiles();
+ } else {
+ ServerFilesGenerator::createHtAccessFiles();
+ }
+ ServerFilesGenerator::createWebRootFiles();
+ }
+
/**
* Get installation steps
*
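Review bot: `initServerFilesForSecurity` carries no docblock even though it is now the single place where the installer picks between the Apache and IIS generators and then writes the web-root files; I would add `/** Writes the web-server access-restriction files (.htaccess on Apache, web.config on IIS) for the sensitive directories, then the empty robots.txt/favicon.ico in the document root. Returns nothing: the generators suppress write errors with @, so a failure is not reported to the caller. */` above it. It is declared `protected static` but the only caller visible in this diff uses `self::`, so `private` would do unless subclasses are meant to override it. The enclosing class continues outside the hunk.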
@@ -720,12 +731,7 @@ class Controller extends \Piwik\Controller\Admin
$infos['can_auto_update'] = Piwik::canAutoUpdate();
- if (Common::isIIS()) {
- Piwik::createWebConfigFiles();
- } else {
- Piwik::createHtAccessFiles();
- }
- Piwik::createWebRootFiles();
+ self::initServerFilesForSecurity();
$infos['phpVersion_minimum'] = $piwik_minimumPHPVersion;
$infos['phpVersion'] = PHP_VERSION;
@@ -858,7 +864,7 @@ class Controller extends \Piwik\Controller\Admin
}
// check if filesystem is NFS, if it is file based sessions won't work properly
- $infos['is_nfs'] = Piwik::checkIfFileSystemIsNFS();
+ $infos['is_nfs'] = Filesystem::checkIfFileSystemIsNFS();
// determine whether there are any errors/warnings from the checks done above
$infos['has_errors'] = false;
diff --git a/plugins/Installation/FormDatabaseSetup.php b/plugins/Installation/FormDatabaseSetup.php
index 71f4643c8a..84efb6e698 100644
--- a/plugins/Installation/FormDatabaseSetup.php
+++ b/plugins/Installation/FormDatabaseSetup.php
@@ -10,14 +10,14 @@
*/
namespace Piwik\Plugins\Installation;
-use Piwik\Db\Adapter;
-use Piwik\Piwik;
-use Piwik\Common;
-use Piwik\QuickForm2;
use Exception;
-use HTML_QuickForm2_Rule;
use HTML_QuickForm2_DataSource_Array;
use HTML_QuickForm2_Factory;
+use HTML_QuickForm2_Rule;
+use Piwik\Db\Adapter;
+use Piwik\Filesystem;
+use Piwik\Piwik;
+use Piwik\QuickForm2;
use Zend_Db_Adapter_Exception;
/**
@@ -309,7 +309,7 @@ class FormDatabaseSetup_Rule_checkValidFilename extends HTML_QuickForm2_Rule
{
$prefix = $this->owner->getValue();
return empty($prefix)
- || Common::isValidFilename($prefix);
+ || Filesystem::isValidFilename($prefix);
}
}
diff --git a/plugins/Installation/ServerFilesGenerator.php b/plugins/Installation/ServerFilesGenerator.php
new file mode 100644
index 0000000000..2fbf591a21
--- /dev/null
+++ b/plugins/Installation/ServerFilesGenerator.php
@@ -0,0 +1,134 @@
+<?php
+/**
+ * Piwik - Open source web analytics
+ *
+ * @link http://piwik.org
+ * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+ *
+ * @category Piwik_Plugins
+ * @package Installation
+ */
+namespace Piwik\Plugins\Installation;
+
+use Piwik\Filesystem;
+
+class ServerFilesGenerator
+{
+
+ /**
+ * Generate Apache .htaccess files to restrict access
+ */
+ public static function createHtAccessFiles()
+ {
+ // deny access to these folders
+ $directoriesToProtect = array(
+ '/config',
+ '/core',
+ '/lang',
+ '/tmp',
+ );
+ foreach ($directoriesToProtect as $directoryToProtect) {
+ Filesystem::createHtAccess(PIWIK_INCLUDE_PATH . $directoryToProtect, $overwrite = true);
+ }
+
+ // Allow/Deny lives in different modules depending on the Apache version
+ $allow = "<IfModule mod_access.c>\nAllow from all\n</IfModule>\n<IfModule !mod_access_compat>\n<IfModule mod_authz_host.c>\nAllow from all\n</IfModule>\n</IfModule>\n<IfModule mod_access_compat>\nAllow from all\n</IfModule>\n";
+ $deny = "<IfModule mod_access.c>\nDeny from all\n</IfModule>\n<IfModule !mod_access_compat>\n<IfModule mod_authz_host.c>\nDeny from all\n</IfModule>\n</IfModule>\n<IfModule mod_access_compat>\nDeny from all\n</IfModule>\n";
+
+ // more selective allow/deny filters
+ $allowAny = "<Files \"*\">\n" . $allow . "Satisfy any\n</Files>\n";
+ $allowStaticAssets = "<Files ~ \"\\.(test\.php|gif|ico|jpg|png|svg|js|css|swf)$\">\n" . $allow . "Satisfy any\n</Files>\n";
+ $denyDirectPhp = "<Files ~ \"\\.(php|php4|php5|inc|tpl|in|twig)$\">\n" . $deny . "</Files>\n";
+
+ $directoriesToProtect = array(
+ '/js' => $allowAny,
+ '/libs' => $denyDirectPhp . $allowStaticAssets,
+ '/vendor' => $denyDirectPhp . $allowStaticAssets,
+ '/plugins' => $denyDirectPhp . $allowStaticAssets,
+ '/misc/user' => $denyDirectPhp . $allowStaticAssets,
+ );
+ foreach ($directoriesToProtect as $directoryToProtect => $content) {
+ Filesystem::createHtAccess(PIWIK_INCLUDE_PATH . $directoryToProtect, $overwrite = true, $content);
+ }
+ }
+
+ /**
+ * Generate IIS web.config files to restrict access
+ *
+ * Note: for IIS 7 and above
+ */
+ public static function createWebConfigFiles()
+ {
+ @file_put_contents(PIWIK_INCLUDE_PATH . '/web.config',
+ '<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+ <system.webServer>
+ <security>
+ <requestFiltering>
+ <hiddenSegments>
+ <add segment="config" />
+ <add segment="core" />
+ <add segment="lang" />
+ <add segment="tmp" />
+ </hiddenSegments>
+ <fileExtensions>
+ <add fileExtension=".tpl" allowed="false" />
+ <add fileExtension=".twig" allowed="false" />
+ <add fileExtension=".php4" allowed="false" />
+ <add fileExtension=".php5" allowed="false" />
+ <add fileExtension=".inc" allowed="false" />
+ <add fileExtension=".in" allowed="false" />
+ </fileExtensions>
+ </requestFiltering>
+ </security>
+ <directoryBrowse enabled="false" />
+ <defaultDocument>
+ <files>
+ <remove value="index.php" />
+ <add value="index.php" />
+ </files>
+ </defaultDocument>
+ </system.webServer>
+</configuration>');
+
+ // deny direct access to .php files
+ $directoriesToProtect = array(
+ '/libs',
+ '/vendor',
+ '/plugins',
+ );
+ foreach ($directoriesToProtect as $directoryToProtect) {
+ @file_put_contents(PIWIK_INCLUDE_PATH . $directoryToProtect . '/web.config',
+ '<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+ <system.webServer>
+ <security>
+ <requestFiltering>
+ <denyUrlSequences>
+ <add sequence=".php" />
+ </denyUrlSequences>
+ </requestFiltering>
+ </security>
+ </system.webServer>
+</configuration>');
+ }
+ }
+
+ /**
+ * Generate default robots.txt, favicon.ico, etc to suppress
+ * 404 (Not Found) errors in the web server logs, if Piwik
+ * is installed in the web root (or top level of subdomain).
+ *
+ * @see misc/crossdomain.xml
+ */
+ public static function createWebRootFiles()
+ {
+ $filesToCreate = array(
+ '/robots.txt',
+ '/favicon.ico',
+ );
+ foreach ($filesToCreate as $file) {
+ @file_put_contents(PIWIK_DOCUMENT_ROOT . $file, '');
+ }
+ }
+} \ No newline at end of file
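Review bot: The IIS branch leaves `/misc/user` unprotected while the Apache branch denies direct PHP access there (`'/misc/user' => $denyDirectPhp . $allowStaticAssets` versus the `/libs`, `/vendor`, `/plugins` list in `createWebConfigFiles`), so the two server types get different coverage from the same entry point; add `'/misc/user',` to the `$directoriesToProtect` array in front of the web.config loop. Every write in this file is `@file_put_contents(...)` with the return value discarded, so on a read-only web root no restriction file is created and nothing surfaces; returning `file_put_contents(...) !== false` from each generator (or throwing) would let the installer's system check report it. `createWebRootFiles` also truncates an existing robots.txt or favicon.ico to zero bytes when Piwik sits in the document root, which a site owner will not expect; guard it with `if (!file_exists(PIWIK_DOCUMENT_ROOT . $file))`. The per-directory web.config files only add the `.php` sequence, presumably because the root file's `hiddenSegments` and `fileExtensions` rules inherit to subdirectories — a one-line comment saying so would save the next reader the question.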