Support for ip bans in Apache 2.4 without compat module

docs/pages/comcode_custom/EN/sup_professional_upgrading.txt

@@ -106,8 +106,16 @@ Additionally you can upload and run the first two steps of Composr's installer a
 ! † {$INC,step_num}{$GET,step_num}
 | Create [tt]<webroot>/<codename>/_temp[/tt] and put a [tt].htaccess[/tt] file in it
 | [code="htaccess"]
-order deny,allow
-deny from all
+# < Apache 2.4
+<IfModule !mod_authz_core.c>
+	Order Allow,Deny
+	Deny from all
+</IfModule>
+
+# >= Apache 2.4
+<IfModule mod_authz_core.c>
+	Require all denied
+</IfModule>
 [/code]
 |-
 ! &dagger; {$INC,step_num}{$GET,step_num}

docs/pages/comcode_custom/EN/tut_security.txt

@@ -479,10 +479,20 @@ To provide additional protection beyond the master password you may want to set
 
 Follows are sample access rules for an Apache [tt].htaccess[/tt] file to provide a temporary access block:
 [code="htaccess"]
-<FilesMatch ^((rootkit_detection|upgrader|uninstall|data/upgrader2|config_editor|code_editor)\.php)$>
-	Order allow,deny
-	Deny from all
-</FilesMatch>
+# < Apache 2.4
+<IfModule !mod_authz_core.c>
+	<FilesMatch ^((rootkit_detection|upgrader|uninstall|data/upgrader2|config_editor|code_editor)\.php)$>
+		Order Allow,Deny
+		Deny from all
+	</FilesMatch>
+</IfModule>
+
+# >= Apache 2.4
+<IfModule mod_authz_core.c>
+	<FilesMatch ^((rootkit_detection|upgrader|uninstall|data/upgrader2|config_editor|code_editor)\.php)$>
+		Require all denied
+	</FilesMatch>
+</IfModule>
 [/code]
 
 For IIS, the [tt]web.config[/tt] file's [tt]hiddenSegments[/tt] can be extended:

install.php

@@ -3129,10 +3129,22 @@ function test_htaccess($conn)
     /*REWRITE RULES END*/
 
     $clauses[] = <<<END
+# < Apache 2.4
+<IfModule !mod_authz_core.c>
 order allow,deny
 allow from all
 # IP bans go here (leave this comment here! If this file is writeable, Composr will write in IP bans below, in sync with its own DB-based banning - this makes DOS/hack attack prevention stronger)
 # deny from xxx.xx.x.x (leave this comment here!)
+</IfModule>
+
+# >= Apache 2.4
+<IfModule mod_authz_core.c>
+<RequireAll>
+require all granted
+# IP bans go here (leave this comment here! If this file is writeable, Composr will write in IP bans below, in sync with its own DB-based banning - this makes DOS/hack attack prevention stronger)
+# require not ip xxx.xx.x.x (leave this comment here!)
+</RequireAll>
+</IfModule>
 END;
 
     $base = str_replace('\\', '/', dirname(cms_srv('SCRIPT_NAME')));

plain.htaccess

@@ -87,8 +87,19 @@ RewriteRule ^([^/\&\?]+)\.htm$ index.php\?page=$1 [L,QSA]
 </IfModule>
 
 
+# < Apache 2.4
+<IfModule !mod_authz_core.c>
 order allow,deny
 allow from all
 # IP bans go here (leave this comment here! If this file is writeable, Composr will write in IP bans below, in sync with its own DB-based banning - this makes DOS/hack attack prevention stronger)
 # deny from xxx.xx.x.x (leave this comment here!)
+</IfModule>
 
+# >= Apache 2.4
+<IfModule mod_authz_core.c>
+<RequireAll>
+require all granted
+# IP bans go here (leave this comment here! If this file is writeable, Composr will write in IP bans below, in sync with its own DB-based banning - this makes DOS/hack attack prevention stronger)
+# require not ip xxx.xx.x.x (leave this comment here!)
+</RequireAll>
+</IfModule>

recommended.htaccess

@@ -159,7 +159,19 @@ RewriteRule ^([^/\&\?]+)\.htm$ index.php\?page=$1 [L,QSA]
 </IfModule>
 
 
+# < Apache 2.4
+<IfModule !mod_authz_core.c>
 order allow,deny
 allow from all
 # IP bans go here (leave this comment here! If this file is writeable, Composr will write in IP bans below, in sync with its own DB-based banning - this makes DOS/hack attack prevention stronger)
 # deny from xxx.xx.x.x (leave this comment here!)
+</IfModule>
+
+# >= Apache 2.4
+<IfModule mod_authz_core.c>
+<RequireAll>
+require all granted
+# IP bans go here (leave this comment here! If this file is writeable, Composr will write in IP bans below, in sync with its own DB-based banning - this makes DOS/hack attack prevention stronger)
+# require not ip xxx.xx.x.x (leave this comment here!)
+</RequireAll>
+</IfModule>

sources/failure.php

@@ -769,13 +769,19 @@ function add_ip_ban($ip, $descrip = '', $ban_until = null, $ban_positive = true)
     $GLOBALS['SITE_DB']->query_insert('banned_ip', array('ip' => $ip, 'i_descrip' => $descrip, 'i_ban_until' => $ban_until, 'i_ban_positive' => $ban_positive ? 1 : 0), false, true); // To stop weird race-like conditions
     persistent_cache_delete('IP_BANS');
     if ((is_writable_wrap(get_file_base() . '/.htaccess')) && (is_null($ban_until))) {
-        $original_contents = cms_file_get_contents_safe(get_file_base() . '/.htaccess');
+        $contents = unixify_line_format(cms_file_get_contents_safe(get_file_base() . '/.htaccess'));
         $ip_cleaned = str_replace('*', '', $ip);
         $ip_cleaned = str_replace('..', '.', $ip_cleaned);
         $ip_cleaned = str_replace('..', '.', $ip_cleaned);
-        if (strpos($original_contents, "\n" . 'deny from ' . $ip_cleaned) === false) {
+        if ((stripos($contents, "\n" . 'deny from ' . $ip_cleaned) === false) && (stripos($contents, "\n" . 'require not ip ' . $ip_cleaned) === false)) {
             require_code('files');
-            $contents = str_replace('# deny from xxx.xx.x.x (leave this comment here!)', '# deny from xxx.xx.x.x (leave this comment here!)' . "\n" . 'deny from ' . $ip_cleaned, $original_contents);
+
+            // < Apache 2.4
+            $contents = str_ireplace('# deny from xxx.xx.x.x (leave this comment here!)', '# deny from xxx.xx.x.x (leave this comment here!)' . "\n" . 'deny from ' . $ip_cleaned, $contents);
+
+            // >= Apache 2.4
+            $contents = str_ireplace('# require not ip xxx.xx.x.x (leave this comment here!)', '# require not ip xxx.xx.x.x (leave this comment here!)' . "\n" . 'require not ip ' . $ip_cleaned, $contents);
+
             cms_file_put_contents_safe(get_file_base() . '/.htaccess', $contents, FILE_WRITE_FIX_PERMISSIONS | FILE_WRITE_SYNC_FILE);
         }
     }
@@ -797,14 +803,19 @@ function remove_ip_ban($ip)
     $GLOBALS['SITE_DB']->query_delete('banned_ip', array('ip' => $ip), '', 1);
     persistent_cache_delete('IP_BANS');
     if (is_writable_wrap(get_file_base() . '/.htaccess')) {
-        $contents = cms_file_get_contents_safe(get_file_base() . '/.htaccess');
+        $contents = unixify_line_format(cms_file_get_contents_safe(get_file_base() . '/.htaccess'));
         $ip_cleaned = str_replace('*', '', $ip);
         $ip_cleaned = str_replace('..', '.', $ip_cleaned);
         $ip_cleaned = str_replace('..', '.', $ip_cleaned);
         if (trim($ip_cleaned) != '') {
             require_code('files');
-            $contents = str_replace("\n" . 'deny from ' . $ip_cleaned . "\n", "\n", $contents);
-            $contents = str_replace("\r" . 'deny from ' . $ip_cleaned . "\r", "\r", $contents); // Just in case
+
+            // < Apache 2.4
+            $contents = str_ireplace("\n" . 'deny from ' . $ip_cleaned . "\n", "\n", $contents);
+
+            // >= Apache 2.4
+            $contents = str_ireplace("\n" . 'require not ip ' . $ip_cleaned . "\n", "\n", $contents);
+
             cms_file_put_contents_safe(get_file_base() . '/.htaccess', $contents, FILE_WRITE_FIX_PERMISSIONS | FILE_WRITE_SYNC_FILE);
         }
     }

sources/form_templates.php

@@ -1511,7 +1511,7 @@ function make_previewable_url_absolute($url)
             }
 
             $htaccess_path = $image_path . '/.htaccess';
-            if ((is_file($htaccess_path)) && (strpos(file_get_contents($htaccess_path), 'deny from all') !== false)) {
+            if ((is_file($htaccess_path)) && (stripos(file_get_contents($htaccess_path), 'deny from all') !== false) && (stripos(file_get_contents($htaccess_path), 'require not ip') !== false)) {
                 return array($_url, $is_image);
             }
 

sources/global3.php

@@ -2234,10 +2234,10 @@ function ip_banned($ip, $force_db = false, $handle_uncertainties = false)
     global $SITE_INFO;
     if ((!$force_db) && (((isset($SITE_INFO['known_suexec'])) && ($SITE_INFO['known_suexec'] == '1')) || (is_writable_wrap(get_file_base() . '/.htaccess')))) {
         $bans = array();
-        $ban_count = preg_match_all('#\ndeny from (.*)#', cms_file_get_contents_safe(get_file_base() . '/.htaccess'), $bans);
+        $ban_count = preg_match_all('#\n(deny from|require not ip) (.*)#i', cms_file_get_contents_safe(get_file_base() . '/.htaccess'), $bans);
         $ip_bans = array();
         for ($i = 0; $i < $ban_count; $i++) {
-            $ip_bans[] = array('ip' => $bans[1][$i]);
+            $ip_bans[$bans[1][$i]] = array('ip' => $bans[1][$i]);
         }
     } else {
         $ip_bans = function_exists('persistent_cache_get') ? persistent_cache_get('IP_BANS') : null;

sources_custom/hooks/systems/addon_registry/cns_tapatalk.php

@@ -207,10 +207,20 @@ public function get_description()
 If a [tt]mobiquo/logging.dat[/tt] file exists and is writable then full logging will be written to it.
 Never use this on a live site as it is not secure, unless you limit access via an [tt]data_custom/.htaccess[/tt] file:
 [code]
-<Files logging.dat>
-Order Allow,Deny
-Deny from all
-</Files>
+# < Apache 2.4
+<IfModule !mod_authz_core.c>
+    <Files logging.dat>
+        Order Allow,Deny
+        Deny from all
+    </Files>
+</IfModule>
+
+# >= Apache 2.4
+<IfModule mod_authz_core.c>
+    <Files logging.dat>
+        Require all denied
+    </Files>
+</IfModule>
 [/code]
 (don\'t blindingly trust this, test you cannot download the file by URL)