Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve checks on read files directory #3650

Merged
merged 1 commit into from Mar 1, 2018
Merged

Improve checks on read files directory #3650

merged 1 commit into from Mar 1, 2018

Conversation

trasher
Copy link
Contributor

@trasher trasher commented Mar 1, 2018

Q A
Bug fix? yes/no
New feature? no
BC breaks? no
Deprecations? no
Tests pass? yes

Two things:
1- display a warning when checks cannot be done. User is aware of potential issue; it's up to him.
2- try to guess host (I almost never user localhost myself; and I guess most of the time called URI will not be localhost only).

remicollet
remicollet approved these changes Mar 1, 2018
View reviewed changes
inc/config.class.php
if (isset($_SERVER['HTTPS'])) {
$protocol = 'https';
}
$uri = $protocol . '://' . $_SERVER['SERVER_NAME'] . $CFG_GLPI['root_doc'];
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

indeed using server_name may be required for vhost/ssl, but mays be different from the client side (where is it retrieved) and from the server side.... btw no perfect solution... will need a JS check from the client

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this is not perfect; but maybe a bit better than just test localhost without https ;)

inc/config.class.php
} else {
echo "<td><img src='".$CFG_GLPI['root_doc']."/pics/warning_min.png'>".
"<p class='red'>".__('Web access to the files directory, should not be allowed')."<br/>".
__('Automatic checks cannot be done; please review .htaccess file and the web server configuration.')."</p></td></tr>";
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIRC, there is tons of false positive... btw, ok to raise admin attention

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I totaly agree... But this will permit to get rid of "files directory is insecure". We all agree that the way to go is to store files outside the webroot ;)

@trasher trasher merged commit 732777f into glpi-project:9.2/bugfixes Mar 1, 2018
@trasher trasher deleted the improve-checkfiles branch March 1, 2018 12:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@remicollet remicollet remicollet approved these changes

@orthagh orthagh Awaiting requested review from orthagh

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@trasher @remicollet