Lock down web access to var/uploads, var/tmp and var/logs using .htac…

…cess Fixes ticket #587.
gallery · Jan 31, 2010 · c2a7a6a · c2a7a6a
1 parent 79a1365
commit c2a7a6a
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 3 deletions.
diff --git a/modules/gallery/helpers/gallery_installer.php b/modules/gallery/helpers/gallery_installer.php
@@ -204,6 +204,9 @@ static function install() {
 
     foreach (array("albums", "logs", "modules", "resizes", "thumbs", "tmp", "uploads") as $dir) {
       @mkdir(VARPATH . $dir);
+      if (in_array($dir, array("logs", "tmp", "uploads"))) {
+        self::_protect_directory(VARPATH . $dir);
+      }
     }
 
     access::register_permission("view", "View");
@@ -284,7 +287,7 @@ static function install() {
     // @todo this string needs to be picked up by l10n_scanner
     module::set_var("gallery", "credits", "Powered by <a href=\"%url\">Gallery %version</a>");
     module::set_var("gallery", "simultaneous_upload_limit", 5);
-    module::set_version("gallery", 23);
+    module::set_version("gallery", 25);
   }
 
   static function upgrade($version) {
@@ -494,7 +497,7 @@ static function upgrade($version) {
       module::set_version("gallery", $version = 23);
     }
 
-    if ($version = 23) {
+    if ($version == 23) {
       $db->query("CREATE TABLE {failed_logins} (
                   `id` int(9) NOT NULL auto_increment,
                   `count` int(9) NOT NULL,
@@ -504,6 +507,13 @@ static function upgrade($version) {
                   DEFAULT CHARSET=utf8;");
       module::set_version("gallery", $version = 24);
     }
+
+    if ($version == 24) {
+      foreach (array("logs", "tmp", "uploads") as $dir) {
+        self::_protect_directory(VARPATH . $dir);
+      }
+      module::set_version("gallery", $version = 25);
+    }
   }
 
   static function uninstall() {
@@ -528,4 +538,12 @@ static function uninstall() {
       system("/bin/rm -rf " . VARPATH . $entry);
     }
   }
+
+  static function _protect_directory($dir) {
+    $fp = @fopen("$dir/.htaccess", "w+");
+    fwrite($fp, "DirectoryIndex .htaccess\nSetHandler Gallery_Security_Do_Not_Remove\n" .
+           "Options None\n<IfModule mod_rewrite.c>\nRewriteEngine off\n</IfModule>\n" .
+           "Order allow,deny\nDeny from all\n");
+    fclose($fp);
+  }
 }
diff --git a/modules/gallery/module.info b/modules/gallery/module.info
@@ -1,3 +1,3 @@
 name = "Gallery 3"
 description = "Gallery core application"
-version = 24
+version = 25