Diffstat (limited to 'plugins/Installation')
-rw-r--r-- | plugins/Installation/Controller.php | 20 | ||||
-rw-r--r-- | plugins/Installation/FormDatabaseSetup.php | 12 | ||||
-rw-r--r-- | plugins/Installation/ServerFilesGenerator.php | 134 |
3 files changed, 153 insertions, 13 deletions
diff --git a/plugins/Installation/Controller.php b/plugins/Installation/Controller.php
index 5df88f94f4..106023195d 100644
--- a/plugins/Installation/Controller.php
+++ b/plugins/Installation/Controller.php
@@ -18,6 +18,7 @@ use Piwik\Config;
 use Piwik\DataAccess\ArchiveTableCreator;
 use Piwik\Db\Adapter;
 use Piwik\Db;
+use Piwik\Filesystem;
 use Piwik\Http;
 use Piwik\Piwik;
 use Piwik\Plugins\LanguagesManager\LanguagesManager;
@@ -63,6 +64,16 @@ class Controller extends \Piwik\Controller\Admin
 Piwik_PostEvent('InstallationController.construct', array($this));
 }
+ protected static function initServerFilesForSecurity()
+ {
+ if (Common::isIIS()) {
+ ServerFilesGenerator::createWebConfigFiles();
+ } else {
+ ServerFilesGenerator::createHtAccessFiles();
+ }
+ ServerFilesGenerator::createWebRootFiles();
+ }
+
 /**
 * Get installation steps
 *
@@ -720,12 +731,7 @@ class Controller extends \Piwik\Controller\Admin
 $infos['can_auto_update'] = Piwik::canAutoUpdate();
- if (Common::isIIS()) {
- Piwik::createWebConfigFiles();
- } else {
- Piwik::createHtAccessFiles();
- }
- Piwik::createWebRootFiles();
+ self::initServerFilesForSecurity();
 $infos['phpVersion_minimum'] = $piwik_minimumPHPVersion;
 $infos['phpVersion'] = PHP_VERSION;
@@ -858,7 +864,7 @@ class Controller extends \Piwik\Controller\Admin
 }
 // check if filesystem is NFS, if it is file based sessions won't work properly
- $infos['is_nfs'] = Piwik::checkIfFileSystemIsNFS();
+ $infos['is_nfs'] = Filesystem::checkIfFileSystemIsNFS();
 // determine whether there are any errors/warnings from the checks done above
 $infos['has_errors'] = false;
diff --git a/plugins/Installation/FormDatabaseSetup.php b/plugins/Installation/FormDatabaseSetup.php
index 71f4643c8a..84efb6e698 100644
--- a/plugins/Installation/FormDatabaseSetup.php
+++ b/plugins/Installation/FormDatabaseSetup.php
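Review bot: `initServerFilesForSecurity()` in the `@@ -63,6 +64,16 @@` hunk is added without a docblock, while the methods around it in this class carry one (the `Get installation steps` block directly below it). The three `ServerFilesGenerator` methods it dispatches to return nothing, and the IIS and web-root writers in that class suppress errors with `@file_put_contents`, so nothing tells the caller in the `@@ -720,12 +731,7 @@` hunk whether the protection files were actually written; the docblock should state that: `/** Write the web-server access-restriction files (.htaccess, or web.config on IIS) plus the web-root placeholder files. Best-effort: write failures are suppressed inside ServerFilesGenerator and are not reported back here. */`. The method is declared `protected static`, yet the only call site in this diff is `self::initServerFilesForSecurity()` in the same class; `private` would be the narrower choice unless a subclass is meant to override it.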
@@ -10,14 +10,14 @@
 */
 namespace Piwik\Plugins\Installation;
-use Piwik\Db\Adapter;
-use Piwik\Piwik;
-use Piwik\Common;
-use Piwik\QuickForm2;
 use Exception;
-use HTML_QuickForm2_Rule;
 use HTML_QuickForm2_DataSource_Array;
 use HTML_QuickForm2_Factory;
+use HTML_QuickForm2_Rule;
+use Piwik\Db\Adapter;
+use Piwik\Filesystem;
+use Piwik\Piwik;
+use Piwik\QuickForm2;
 use Zend_Db_Adapter_Exception;
 /**
@@ -309,7 +309,7 @@ class FormDatabaseSetup_Rule_checkValidFilename extends HTML_QuickForm2_Rule
 {
 $prefix = $this->owner->getValue();
 return empty($prefix)
- || Common::isValidFilename($prefix);
+ || Filesystem::isValidFilename($prefix);
 }
 }
diff --git a/plugins/Installation/ServerFilesGenerator.php b/plugins/Installation/ServerFilesGenerator.php
new file mode 100644
index 0000000000..2fbf591a21
--- /dev/null
+++ b/plugins/Installation/ServerFilesGenerator.php
@@ -0,0 +1,134 @@
+<?php
+/**
+ * Piwik - Open source web analytics
+ *
+ * @link http://piwik.org
+ * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+ *
+ * @category Piwik_Plugins
+ * @package Installation
+ */
+namespace Piwik\Plugins\Installation;
+
+use Piwik\Filesystem;
+
+class ServerFilesGenerator
+{
+
+ /**
+ * Generate Apache .htaccess files to restrict access
+ */
+ public static function createHtAccessFiles()
+ {
+ // deny access to these folders
+ $directoriesToProtect = array(
+ '/config',
+ '/core',
+ '/lang',
+ '/tmp',
+ );
+ foreach ($directoriesToProtect as $directoryToProtect) {
+ Filesystem::createHtAccess(PIWIK_INCLUDE_PATH . $directoryToProtect, $overwrite = true);
+ }
+
+ // Allow/Deny lives in different modules depending on the Apache version
+ $allow = "<IfModule mod_access.c>\nAllow from all\n</IfModule>\n<IfModule !mod_access_compat>\n<IfModule mod_authz_host.c>\nAllow from all\n</IfModule>\n</IfModule>\n<IfModule mod_access_compat>\nAllow from all\n</IfModule>\n";
+ $deny = "<IfModule mod_access.c>\nDeny from all\n</IfModule>\n<IfModule !mod_access_compat>\n<IfModule mod_authz_host.c>\nDeny from all\n</IfModule>\n</IfModule>\n<IfModule mod_access_compat>\nDeny from all\n</IfModule>\n";
+
+ // more selective allow/deny filters
+ $allowAny = "<Files \"*\">\n" . $allow . "Satisfy any\n</Files>\n";
+ $allowStaticAssets = "<Files ~ \"\\.(test\.php|gif|ico|jpg|png|svg|js|css|swf)$\">\n" . $allow . "Satisfy any\n</Files>\n";
+ $denyDirectPhp = "<Files ~ \"\\.(php|php4|php5|inc|tpl|in|twig)$\">\n" . $deny . "</Files>\n";
+
+ $directoriesToProtect = array(
+ '/js' => $allowAny,
+ '/libs' => $denyDirectPhp . $allowStaticAssets,
+ '/vendor' => $denyDirectPhp . $allowStaticAssets,
+ '/plugins' => $denyDirectPhp . $allowStaticAssets,
+ '/misc/user' => $denyDirectPhp . $allowStaticAssets,
+ );
+ foreach ($directoriesToProtect as $directoryToProtect => $content) {
+ Filesystem::createHtAccess(PIWIK_INCLUDE_PATH . $directoryToProtect, $overwrite = true, $content);
+ }
+ }
+
+ /**
+ * Generate IIS web.config files to restrict access
+ *
+ * Note: for IIS 7 and above
+ */
+ public static function createWebConfigFiles()
+ {
+ @file_put_contents(PIWIK_INCLUDE_PATH . '/web.config',
+ '<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+ <system.webServer>
+ <security>
+ <requestFiltering>
+ <hiddenSegments>
+ <add segment="config" />
+ <add segment="core" />
+ <add segment="lang" />
+ <add segment="tmp" />
+ </hiddenSegments>
+ <fileExtensions>
+ <add fileExtension=".tpl" allowed="false" />
+ <add fileExtension=".twig" allowed="false" />
+ <add fileExtension=".php4" allowed="false" />
+ <add fileExtension=".php5" allowed="false" />
+ <add fileExtension=".inc" allowed="false" />
+ <add fileExtension=".in" allowed="false" />
+ </fileExtensions>
+ </requestFiltering>
+ </security>
+ <directoryBrowse enabled="false" />
+ <defaultDocument>
+ <files>
+ <remove value="index.php" />
+ <add value="index.php" />
+ </files>
+ </defaultDocument>
+ </system.webServer>
+</configuration>');
+
+ // deny direct access to .php files
+ $directoriesToProtect = array(
+ '/libs',
+ '/vendor',
+ '/plugins',
+ );
+ foreach ($directoriesToProtect as $directoryToProtect) {
+ @file_put_contents(PIWIK_INCLUDE_PATH . $directoryToProtect . '/web.config',
+ '<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+ <system.webServer>
+ <security>
+ <requestFiltering>
+ <denyUrlSequences>
+ <add sequence=".php" />
+ </denyUrlSequences>
+ </requestFiltering>
+ </security>
+ </system.webServer>
+</configuration>');
+ }
+ }
+
+ /**
+ * Generate default robots.txt, favicon.ico, etc to suppress
+ * 404 (Not Found) errors in the web server logs, if Piwik
+ * is installed in the web root (or top level of subdomain).
+ *
+ * @see misc/crossdomain.xml
+ */
+ public static function createWebRootFiles()
+ {
+ $filesToCreate = array(
+ '/robots.txt',
+ '/favicon.ico',
+ );
+ foreach ($filesToCreate as $file) {
+ @file_put_contents(PIWIK_DOCUMENT_ROOT . $file, '');
+ }
+ }
+}
\ No newline at end of file |
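Review bot: Every write in `createWebConfigFiles()` and `createWebRootFiles()` goes through `@file_put_contents` with the return value discarded, so an unwritable `PIWIK_INCLUDE_PATH` leaves the `config`/`core`/`lang`/`tmp` segments and the `.php` files under `libs`, `vendor` and `plugins` unprotected while the installer carries on as if the restriction files were in place; the `.htaccess` branch has the same shape, though whether `Filesystem::createHtAccess` reports failure is not visible here. I'd keep the suppression but test the result, `if (@file_put_contents($path, $xml) === false) { $failed[] = $path; }`, and return the list of failed paths from each method so the caller can surface it in the installer's system check. Separately, `createWebRootFiles()` truncates an existing `robots.txt` or `favicon.ico` to zero bytes because it writes unconditionally; guarding each write with `if (!file_exists(PIWIK_DOCUMENT_ROOT . $file))` keeps an operator's own files intact. The extension lists in `$denyDirectPhp` and in the IIS `fileExtensions` block are exact and anchored, so any further extension the web server happens to map to PHP is outside them — worth a one-line comment saying the lists reflect the installer's assumptions about the server's handler configuration rather than a complete set.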