Fixed a critical vulnerability of the install tool (see #6855)
leofeyer committed Apr 7, 2014
1 parent ba3fead commit d455035
Showing 5 changed files with 59 additions and 48 deletions.
7 changes: 7 additions & 0 deletions CHANGELOG.md
@@ -1,6 +1,13 @@
Contao Open Source CMS Changelog
================================

Version 2.11.17 (2014-04-07)
----------------------------

### Fixed
Fixed a critical vulnerability of the install tool (see #6855).


Version 2.11.16 (2014-02-13)
----------------------------

58 changes: 40 additions & 18 deletions contao/install.php
Expand Up @@ -33,6 +33,7 @@
* Initialize the system
*/
define('TL_MODE', 'BE');
define('TL_INSTALL', true);
require_once('../system/initialize.php');


Expand Down Expand Up @@ -68,14 +69,6 @@ public function __construct()
$GLOBALS['TL_CONFIG']['showHelp'] = false;
$GLOBALS['TL_CONFIG']['displayErrors'] = true;

// Remove the pathconfig.php file if TL_PATH is wrong (see #5428)
if (($strPath = preg_replace('/\/contao\/[^\/]*$/i', '', $this->Environment->requestUri)) != TL_PATH)
{
$objFile = new File('system/config/pathconfig.php');
$objFile->delete();
$this->reload();
}

// Static URLs
$this->setStaticUrl('TL_FILES_URL', $GLOBALS['TL_CONFIG']['staticFiles']);
$this->setStaticUrl('TL_SCRIPT_URL', $GLOBALS['TL_CONFIG']['staticSystem']);
Expand Down Expand Up @@ -214,16 +207,6 @@ public function run()
}


/**
* Check the websitePath
*/
if ($GLOBALS['TL_CONFIG']['websitePath'] !== null && !preg_match('/^' . preg_quote(TL_PATH, '/') . '\/contao\/' . preg_quote(basename(__FILE__), '/') . '/', $this->Environment->requestUri))
{
$this->Config->delete("\$GLOBALS['TL_CONFIG']['websitePath']");
$this->reload();
}


/**
* Make the user accept the LGPL license
*/
Expand Down Expand Up @@ -291,6 +274,12 @@ public function run()
}


/**
* Store the relative path
*/
$this->storeRelativePath();


/**
* Set the install script password
*/
Expand Down Expand Up @@ -943,6 +932,39 @@ protected function setAuthCookie()
}


/**
* Store the relative path
*/
protected function storeRelativePath()
{
if (TL_PATH === null)
{
return;
}

if (file_exists(TL_ROOT . '/system/config/pathconfig.php'))
{
$strPath = include TL_ROOT . '/system/config/pathconfig.php';

if (TL_PATH == $strPath)
{
return;
}
}

try
{
$objFile = new File('system/config/pathconfig.php');
$objFile->write("<?php\n\n// Relative path to the installation\nreturn " . var_export(TL_PATH, true) . ";\n");
$objFile->close();
}
catch (Exception $e)
{
log_message($e->getMessage());
}
}


/**
* Output the template file and exit
*/
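Review bot: `storeRelativePath()` still runs the existing `system/config/pathconfig.php` through `include` before deciding whether to rewrite it, so a file left behind by an earlier build (which wrote the request-derived path without escaping, per the block removed from system/initialize.php) is executed once more inside the install tool. Comparing the file's bytes with the expected content avoids executing it: build `$strExpected = "<?php\n\n// Relative path to the installation\nreturn " . var_export(TL_PATH, true) . ";\n";` and return early only when `file_get_contents(TL_ROOT . '/system/config/pathconfig.php') === $strExpected`. That also replaces the loose `TL_PATH == $strPath` comparison with an exact one. Separately, the `catch` only logs, so a failed write leaves the old file in place; `run()` starts and ends outside the hunk, so whether this call is reached only after the install-tool login should be confirmed.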
2 changes: 1 addition & 1 deletion system/constants.php
Expand Up @@ -57,7 +57,7 @@
* the web browser reload those resources after a Contao update.
*/
define('VERSION', '2.11');
define('BUILD', '16');
define('BUILD', '17');
define('LONG_TERM_SUPPORT', true);
define('CODEMIRROR', '2.2');
define('DATEPICKER', '2.1.1');
37 changes: 8 additions & 29 deletions system/initialize.php
Expand Up @@ -67,21 +67,19 @@
*/
$objEnvironment = Environment::getInstance();

if (file_exists(TL_ROOT . '/system/config/pathconfig.php'))
if (file_exists(TL_ROOT . '/system/config/pathconfig.php') && !defined('TL_INSTALL'))
{
define('TL_PATH', include TL_ROOT . '/system/config/pathconfig.php');
}
elseif (TL_MODE == 'BE')
{
define('TL_PATH', preg_replace('/\/contao\/[^\/]*$/i', '', $objEnvironment->requestUri));
define('TL_PATH', preg_replace('/\/contao\/[a-z]+\.php$/i', '', $objEnvironment->scriptName));
}
else
{
define('TL_PATH', null); // cannot be reliably determined
}

$GLOBALS['TL_CONFIG']['websitePath'] = TL_PATH; // backwards compatibility


/**
* Start the session
Expand All @@ -98,6 +96,12 @@
$objToken = RequestToken::getInstance();


/**
* Set the website path (backwards compatibility)
*/
$GLOBALS['TL_CONFIG']['websitePath'] = TL_PATH;


/**
* Set error_reporting
*/
Expand All @@ -112,31 +116,6 @@
@date_default_timezone_set($GLOBALS['TL_CONFIG']['timeZone']);


/**
* Store the relative path
*
* Only store this value if the temp directory is writable and the local
* configuration file exists, otherwise it will initialize a Files object and
* prevent the install tool from loading the Safe Mode Hack (see #3215).
*/
if (TL_PATH !== null && !file_exists(TL_ROOT . '/system/config/pathconfig.php'))
{
if (is_writable(TL_ROOT . '/system/tmp') && file_exists(TL_ROOT . '/system/config/localconfig.php'))
{
try
{
$objFile = new File('system/config/pathconfig.php');
$objFile->write("<?php\n\n// Relative path to the installation\nreturn '" . TL_PATH . "';\n");
$objFile->close();
}
catch (Exception $e)
{
log_message($e->getMessage());
}
}
}


/**
* Set the mbstring encoding
*/
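Review bot: In the `TL_MODE == 'BE'` branch, `preg_replace()` returns its subject unchanged when `/\/contao\/[a-z]+\.php$/i` does not match, so a back end entry script whose name contains a digit, dash or underscore would leave the whole script path in `TL_PATH` instead of the installation prefix. Matching first and falling back to `null` keeps the constant to values the pattern has actually vetted, e.g. `define('TL_PATH', preg_match('/^(.*)\/contao\/[a-z]+\.php$/i', $objEnvironment->scriptName, $m) ? $m[1] : null);`. How `Environment::scriptName` is derived is not shown on this page, so it is worth confirming that it never carries request-supplied path segments. A one-line comment on the new `!defined('TL_INSTALL')` condition, such as `// The install tool ignores a stored path and recomputes it (see #6855)`, would explain why the stored file is skipped there.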
3 changes: 3 additions & 0 deletions system/modules/rep_base/RepositorySettings.php
Expand Up @@ -42,6 +42,8 @@

// valid core versions in descending order
define('REPOSITORY_COREVERSIONS',
'30020099,30020099;'. // 3.2.9 stable
'30020089,30020089;'. // 3.2.8 stable
'30020079,30020079;'. // 3.2.7 stable
'30020069,30020069;'. // 3.2.6 stable
'30020059,30020059;'. // 3.2.5 stable
Expand Down Expand Up @@ -70,6 +72,7 @@
'30000009,30000009;'. // 3.0.0 stable
'30000006,30000006;'. // 3.0.0 RC1
'30000003,30000003;'. // 3.0.0 beta1
'20110179,20110179;'. // 2.11.17 stable
'20110169,20110169;'. // 2.11.16 stable
'20110159,20110159;'. // 2.11.15 stable
'20110149,20110149;'. // 2.11.14 stable
