Further hardening of Xerte

- Really switch off extract and archive in elfinder - Change session id each time authitaction context is changed
thexerteproject · Dec 6, 2023 · 6415656 · 6415656
1 parent 54e1bcc
commit 6415656
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 10 deletions.
diff --git a/editor/elfinder/browse.php b/editor/elfinder/browse.php
@@ -164,15 +164,8 @@
                     // navbarfolder menu
                     navbar : ['open', '|', 'copy', 'cut', 'paste', 'duplicate', '|', 'rm', '|', 'mkdir', '|', 'info'],
 
-                    // current directory menu
-                    //cwd    : ['reload', 'back', '|', 'upload', 'mkdir', 'mkfile', 'paste', '|', 'info'],
                     cwd    : ['reload', '|', 'upload', 'mkdir', 'paste', '|', 'info'],
 
-                    // current directory file menu
-                    //files  : [
-                    //    'getfile', '|','open', 'quicklook', '|', 'download', '|', 'copy', 'cut', 'paste', 'duplicate', '|',
-                    //    'rm', '|', 'edit', 'rename', 'resize', '|', 'archive', 'extract', '|', 'info'
-                    //]
                     files  : [
                         'getfile', '|','quicklook', '|', 'download', '|', 'copy', 'cut', 'paste', 'duplicate', '|',
                         'rm', '|', 'edit', 'rename', 'resize', '|', 'info'

diff --git a/editor/elfinder/php/connector.php b/editor/elfinder/php/connector.php
@@ -99,9 +99,10 @@ function sanitizeName($cmd, $result, $args, $elfinder)
             'tmbURL'        => $rooturl . "/media/.tmb",
             'tmbCrop'       => false,
             'uploadDeny' => array('text/x-php','application/x-php'),
+            'disabled'      => array('archive', 'extract', 'forward', 'netmount', 'netunmount', 'zipdl'),
             'attributes' => array(
                 array( // hide readmes
-                    'pattern' => '/(readme\.txt)|\.(html|php|php5|php*|py|pl|sh)$/i',
+                    'pattern' => '/(readme\.txt)|\.(html|php|php5|php*|phtml|phar|py|pl|sh)$/i',
                     'read'   => false,
                     'write'  => false,
                     'locked' => true,

diff --git a/logout.php b/logout.php
@@ -43,5 +43,5 @@
     _debug("Single Logout");
     $authmech->logout();
 }
-
+session_regenerate_id(true);
 session_destroy();
diff --git a/management.php b/management.php
@@ -188,7 +188,7 @@ function mgt_page($xerte_toolkits_site, $extra)
         $authmech = Xerte_Authentication_Factory::create($xerte_toolkits_site->authentication_method);
     }
     if (($_POST["login"] == $xerte_toolkits_site->admin_username) && (hash('sha256', $_POST["password"]) == $xerte_toolkits_site->admin_password)) {
-
+        session_regenerate_id(true);
         $_SESSION['toolkits_logon_id'] = "site_administrator";
 
         $msg = "Admin user logged in successfully from " . $_SERVER['REMOTE_ADDR'];

diff --git a/website_code/php/login_library.php b/website_code/php/login_library.php
@@ -459,6 +459,9 @@ function login_processing($exit = true) {
       if (empty($errors)) {
         if ($authmech->check()) {
           $success = $authmech->login($_POST['login'], $_POST['password']);
+          if ($success) {
+            session_regenerate_id(true);
+          }
         }
         $errors = $authmech->getErrors();
       }
@@ -527,3 +530,5 @@ function login_processing2($firstname = false, $surname = false, $username = fal
   $msg = "User " . $_SESSION['toolkits_logon_username'] . " logged in successfully from " . $_SERVER['REMOTE_ADDR'];
   receive_message($_SESSION['toolkits_logon_username'], "SYSTEM", "LOGINS", "Successful login", $msg);
 }
+
+