
Update behavior of allow_php

The old allow_php TRUE option has been removed. It always carried warnings,
and even so it never really served a purpose.

The old allow_php 'auto' behavior is what now happens when allow_php
is set to TRUE, except updated to work with the user system. Basically,
users with access to / are considered trusted to have control over the
entire server; other users aren't trusted.
Zarel committed Feb 28, 2014
1 parent b8d5231 commit 16801f57d56089de2d3cfcb381a74c9bc1bea5f0
Showing with 18 additions and 18 deletions.
  1. +9 −9 admin.lib.php
  2. +7 −8 config-sample.inc.php
  3. +0 −1 fileman.lib.php
  4. +2 −0 session.lib.php
@@ -91,9 +91,9 @@ function update_config()
/*** MANUAL INSTALLATION INSTRUCTIONS: ********************************
*
* 1. Edit this config file to suit your needs
- * 2. CHMOD cache/ to 777
- * 3. CHMOD persist.inc.php and config.inc.php to 777
- * 4. Log in using the username \'Admin\' and no password
+ * 2. If not writable by PHP, CHMOD cache/ to 777
+ * 3. If not writable by PHP, CHMOD persist.inc.php, config.inc.php to 666
+ * 4. Log in using the username 'Admin' and no password
* 5. Go to Account Settings and set a password
*
*** ABOUT DIRECT MODE: ***********************************************
@@ -105,9 +105,9 @@ function update_config()
* To install using direct mode, you\'ll need to install manually
* (remember to set $manual_install above to TRUE, and $write_method
* to \'direct\'). In direct mode, you\'ll need to either CHMOD any
- * folders you want File Manager to manage to 777, or you\'ll need to
+ * folders you want Filecharger to manage to 777, or you\'ll need to
* run PHP as a user with write permissions to all folders you want
- * File Manager to access.
+ * Filecharger to access.
*
**********************************************************************/
@@ -151,9 +151,9 @@ function update_config()
$isauth = '.persist_tophp($isauth).';
/* Whether or not you allow PHP.
- * Notice: PHP cannot be controlled yet, so this is VERY VERY insecure
- * if $presub isn\'t blank. Leave FALSE unless you\'re absolutely
- * sure you know what you\'re doing.
+ * Notice: PHP allows you to do anything the account running PHP can do,
+ * so this gives users full control over your website.
+ * Leave FALSE unless you\'re absolutely sure you know what you\'re doing.
*/
$allow_php = '.persist_tophp($allow_php).';
@@ -194,7 +194,7 @@ function update_config()
$ftp_password = '.persist_tophp($ftp_password).';
$ftp_prepath = '.persist_tophp($ftp_prepath).';
$ftp_ftps = '.persist_tophp($ftp_ftps).';
-?>';
+';
$file = @fopen('config.inc.php','w');
if ($file === false) return false;
$works = @fwrite($file,$configdata);
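Review bot: The rewritten notice above `$allow_php` (the hunk at line 151) still describes TRUE as giving "users" full control, while the commit's new semantics enable PHP only for users with access to / and force it off for anyone with a `$presub`; the comment should state that, e.g. `* Notice: when TRUE, PHP is enabled only for users with access to / (no $presub). For them it allows anything the account running PHP can do, so it gives those users full control over your website.` The same comment in config-sample.inc.php (hunk at line 67) should carry matching wording. Because this text lives inside the single-quoted `$configdata` string, apostrophes in the replacement must keep the `\'` escaping used elsewhere in the hunk.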
@@ -7,8 +7,8 @@
/*** MANUAL INSTALLATION INSTRUCTIONS: ********************************
*
* 1. Edit this config file to suit your needs
- * 2. CHMOD cache/ to 777
- * 3. CHMOD persist.inc.php and config.inc.php to 777
+ * 2. If not writable by PHP, CHMOD cache/ to 777
+ * 3. If not writable by PHP, CHMOD persist.inc.php, config.inc.php to 666
* 4. Log in using the username 'Admin' and no password
* 5. Go to Account Settings and set a password
*
@@ -21,9 +21,9 @@
* To install using direct mode, you'll need to install manually
* (remember to set $manual_install above to TRUE, and $write_method
* to 'direct'). In direct mode, you'll need to either CHMOD any
- * folders you want File Manager to manage to 777, or you'll need to
+ * folders you want Filecharger to manage to 777, or you'll need to
* run PHP as a user with write permissions to all folders you want
- * File Manager to access.
+ * Filecharger to access.
*
**********************************************************************/
@@ -67,9 +67,9 @@
$isauth = NULL;
/* Whether or not you allow PHP.
- * Notice: PHP cannot be controlled yet, so this is VERY VERY insecure
- * if $presub isn't blank. Leave FALSE unless you're absolutely
- * sure you know what you're doing.
+ * Notice: PHP allows you to do anything the account running PHP can do,
+ * so this gives users full control over your website.
+ * Leave FALSE unless you're absolutely sure you know what you're doing.
*/
$allow_php = FALSE;
@@ -109,4 +109,3 @@
$ftp_password = 'password';
$ftp_prepath = 'public_html/';
$ftp_ftps = false;
-?>
@@ -144,7 +144,6 @@ function onreldate($time)
$file = '';
$fullurl = $preurl.$presub.$postsub.$file;
-if ($presub && $allow_php==='auto') $allow_php = $false;
$allow_php = ($allow_php?TRUE:FALSE);
//====================
@@ -140,6 +140,8 @@ function upriv($type)
unset($i);
$presub = ($user['priv']==127?'':$user['psub']);
+if ($presub) $allow_php = $false;
+
if ($_POST['login'] && dname2name($_POST['uname'])==='guest' && !$_PERSIST['users'][0]['priv'])
$status = $_PERSIST['users'][0]['priv']?'gli':'gad';
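Review bot: `$false` on the added line `if ($presub) $allow_php = $false;` is an undefined variable, not the constant — it evaluates to null with a notice, and the same spelling appears in the line this commit removes from fileman.lib.php, so the typo has been carried over; write `if ($presub) $allow_php = FALSE;`. The check also derives trust from `$presub` being non-empty rather than from the privilege level: the line above sets `$presub` to `''` for priv 127 and to `$user['psub']` otherwise, so a non-admin user whose `psub` is empty would keep PHP enabled. Keying the decision off the privilege directly, `if ($user['priv'] != 127) $allow_php = FALSE;`, matches the stated intent that only users with access to / are trusted and does not depend on `psub` being populated. The hunk header names upriv(), but the enclosing scope is not visible here; if these lines are inside that function rather than at file scope, the assignment would only affect a local `$allow_php`.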
