Make archive.sh not accessible via http

[anonymous-matomo-user]

In the documentation http://piwik.org/docs/setup-auto-archiving/ should be a hint to place the archive.sh on another place than the document root. If it is in the document root everybody can download it and get the secret(?) api key.

[robocoder]

Should also add a .htaccess file (Deny from all) for those who don’t RTM.

Also, in misc/cron/archive.sh, add ‘month’ to:

```
for period in day week year; do
```

[anonymous-matomo-user]

“Deny from all” only restricts access on servers that recognise .htaccess. But better than nothing …

[mattab]

I totally agree with this and this should be fixed in the next release.
Ideally we shouldn’t need to edit this file at all, so the file wouldn’t contain any sensitive info:
- we should guess where the local php-cli sits (I think there are some unix commands to do that?)
- we should get the md5 password from config/config.ini.php
- call the piwik api: UsersManager.getTokenAuth (userLogin, md5Password) to get the token_auth

if you want to submit a patch to do that in shell in archive.sh that would be great :-)

vipsoft, we don’t need to add month as year archives all month and them sum months in the year to get the year data.

[pebosi]

Attachment: first step is to get php5 path, or? :)
[get_php5_path.patch](http://issues.piwik.org/attachments/599/get_php5_path.patch)

[mattab]

also we should update the documentation on http://piwik.org/docs/setup-auto-archiving/ when done (and clarify the last section, now override config file values should be done in config.ini.php

[mattab]

to get current path of archive script automatically (to read config file)

http://fritzthomas.com/open-source/linux/384-how-to-get-the-absolute-path-within-the-running-bash-script/

[pebosi]

Attachment: here’s a new version of archive.sh file, please review it. if i should create a patch, please ask.
[archive.sh.txt](http://issues.piwik.org/attachments/599/archive.sh.txt)

[pebosi]

what i dont like on my version is getting username and password but not found an easier way yet…

[robocoder]

Assuming the superuser section appears first in the config file, an alternative is to use sed, e.g.,

```
PIWIK_SUPERUSER=`sed ‘/^login = /!d;s///;q’ $PIWIK_CONFIG`
PIWIK_SUPERUSER_PASSWORD=`sed ‘/^password = /!d;s///;q’ $PIWIK_CONFIG`
```

Or if these are double quoted:

```
PIWIK_SUPERUSER=`sed ‘/^login = “*/!d;s///;s/”$//;q’ $PIWIK_CONFIG`
PIWIK_SUPERUSER_PASSWORD=`sed ‘/^password = “*/!d;s///;s/”$//;q’ $PIWIK_CONFIG`
```

[mattab]

code should be solid indeed, works for

```
login=root
login = root
login = “root”
login =root (with tab)
```

note:
- login & password cannot contain double quote, they would be encoded as " so it’s safe to sed out any double quote.
– I don’t think we can assume the [superuser] will be first, other sections containing password keys could be there below. However I think it can be done easily, by getting the line number of the [superuser] string using`
grep`, then grepping content from this line number using

```
tail -n+15 file # returns all lines after 15th line
```

[mattab]

also, code could error if login is empty, or if password length <> 32

[robocoder]

This delays the match until it sees the [superuser] section, and ignores whitespace and double quotes.

```
PIWIK_SUPERUSER=`sed ‘/^\[superuser\]/,$!d;/^login[ \t]=[ \t]“*/!d;s///;s/”[ \t]$//;q’ $PIWIK_CONFIG`
PIWIK_SUPERUSER_PASSWORD=`sed ‘/^\[superuser\]/,$!d;/^password[ \t]=[ \t]“*/!d;s///;s/”[ \t]$//;q’ $PIWIK_CONFIG`
```

It’s not bulletproof, but if the [superuser] section isn’t properly configured, the user has a bigger problem than archive.sh not working.

[pebosi]

Attachment: patch file with vipsoft sed version
[599_sed.patch](http://issues.piwik.org/attachments/599/599_sed.patch)

[pebosi]

Attachment: forget to remove cat. new version
[599_sed_2.patch](http://issues.piwik.org/attachments/599/599_sed_2.patch)

[mattab]

(In ⁹⁹⁰) – fixes #599 Make archive.sh not accessible via http; patch by pebosi and vipsoft!